As if knowing the basics about your customer weren’t difficult enough, how about knowing a lot more, verifying what you think you know, and doing the same when it comes to the customer’s direct and indirect investors and controlling parties.
That is what European regulators will eventually require from financial institutions doing business in the US and continent. Like its US peer, the Financial Crimes Enforcement Network (FinCEN), they want financial firms to be even more diligent in unearthing all they can about their customer — and their customer’s associates — before onboarding them. They also want the information to be updated regularly, although no specific frequency is offered.
The fourth European AML directive, published in the Official Journal of the European Union on June 22, must be implemented by European member countries in two years. It applies to a wide range of businesses, from banks and other financial entities to auditors and accountants. The most severe penalty for non-compliance will be a fine of at least €5 million or a fee of 10 percent of a firm’s annual revenue, which spells big bucks for large global banks with revenues in the billions of dollars. Anti-money laundering officers also risk jail time. Likewise, last year FinCEN came up with extra requirements to track down beneficial owners of a client firm, but so far has not set deadline for compliance.
Financial firms are already expected to be verifying the identities of their customers and monitoring changes in customer profiles. Now, the fourth European AML directive wants them to go the extra mile.
“For the first time, financial firms will have to fulfill more clearly defined steps. Instead of relying on simplified due diligence, they must adopt a risk-based approach to classifying and monitoring all of their clients, verify whether domestic customers are politically-exposed persons, and document whether the customer has any investors which own more than a 25 percent stake or have control,” explains Steve Goldstein, chief executive of Alacra, a business information and compliance software provider in New York. “As a rule of thumb, the same firm which holds more than 25 percent of a firm’s shares would also have control, but the phrase control could also be interpreted to mean an executive board member or another firm in the case of a trust.”
Risk under the Microscope
Adopting the required risk-based approach means ranking customers by their country of origin, their business activities with the bank and the sources of their money. The financial firm can no longer rely on the fact that the client already falls under the jurisdiction of another “equivalent third country,” says Goldstein.
The risk category will determine how frequently the financial firm must monitor the status of a client, or even whether or not they choose to accept the client’s business in the first place. Should the financial firm decide it is willing to take a chance and accept a high-risk customer — one which they reckon might engage in criminal activity such as money laundering or financing of terrorist activities — it will need to document its reasons why. One possible reason: the likelihood that such a classification might change in the future.
To calculate a risk profile of its customer, the financial firm must look beyond whatever documentation the customer provided. Further scrutiny includes searching for any negative news about the company, its C-level executives or board members — especially if any executives have been accused of wrongdoing or are under the microscope of a regulatory agency.
Just because a customer may be the located in financial firm’s back yard doesn’t mean the client has no exposure to potential criminal activity. Global banks, broker-dealers and fund management shops sometimes neglect to check if any of the C-level executives, board members, and even families or close associates are politically exposed persons (PEPs) — such as heads of state, government and parliament members, members of the judiciary, and directors of state-owned enterprises. These individuals are seen to represent a higher risk for financial crime due to their positions and influence.
The fourth European AML directive now wants them to ask about any C-level executives or board members which might either be PEPs or affiliated with PEPs, no matter where the customer is located. Such an expansion of the inquiry for PEP status will likely spell a lot more paperwork for KYC onboarding specialists.
Control Matters
If trying to keep track of just who customers are and who they are affiliated with weren’t tough enough, the fourth European AML directive widens the definition of a beneficial owner from individuals who own more than a 25 percent stake to include those who assert control over a company. Practically speaking, that means financial institutions will also have to collect information about board members and senior management, performing the necessary screening for PEPs and for violations of government sanctions.
“Such a scenario will add to the already challenging work identifying holders of the 25 percent stake, particularly since financial firms cannot accept the word of their clients at face value,” says Anders Rodenberg, a director at Bureau van Dijk (BVD), a global provider of company and hierarchy information. “It is fair to assume a client with criminal intent will not provide the correct information. Even more importantly, customers might not know the identities of their beneficial owners holding a stake of over 25 percent directly, let alone indirectly.”
Even if a customer of a financial institution can provide the necessary information, ownership structures seldom remain constant. Case in point: over the past two months more than 9.3 million companies changed their ownership structure, Rodenberg estimates. In some cases, the changes could easily alter their AML risk profile.
The fourth European AML directive attempts to ease the compliance pain by requiring European member countries to establish interlinked local registries which could be accessed by financial firms. All companies would be required to input their beneficial ownership structures into such local registries. Theoretically, financial institutions could then look up their potential customer’s names in its local registry and have all the necessary information at its fingertips.
Good idea, but will it work? Not all the time, according to Rodenberg. “This initiative by the member countries could provide a false sense of security as information would be provided by companies themselves,” he says.
A better idea, he says, is for member countries to require all entities to register their first-level owners using unique entity identifiers, such as legal entity identifiers (LEIs). Using unique entity identifiers ensures that all of the ownership data can then be correctly linked across national registries.
Financial firms relying on national European registries would satisfy the fourth AML directive’s requirement for verification, however it is unclear just when those registries will be launched. Last year, the US FinCEN proposed that financial firms would only have to verify information provided by their clients that beneficial owners of a customer firm that held more than a 25 percent stake if the financial firms had reason to believe the disclosure was wrong. However, FinCEN never clarified what it meant by reason to believe.
Consistency Counts
Given that most large financial firms rely on multiple KYC onboarding departments — depending on the business line or geography — inconsistencies can easily happen. Developing enterprisewide rules for how a customer’s risk profile should be determined, what additional information will be required from customers who are listed companies. and just how to verify customer data about ownership can reduce these errors. Likewise, financial firms are expected to have policies for how often the information must be updated and who will be responsible for doing the work. Regulators won’t turn a blind eye to stale data.
Consistent policies don’t necessarily translate into a single know-your-customer department. Multiple KYC departments could still coexist as long as they operate under the same overarching policies for how the client is classified and monitored.
In the event that a client is shared by multiple business lines, should a single risk rating apply and if so which one? The answer to that question causes compliance departments plenty of headaches, say legal experts. “Some depend on multiple ratings, which would require different levels of ongoing monitoring, while others take the ‘better safe than sorry’ approach and use the most conservative ranking,” one European AML compliance manager tells FinOps Report. “Regardless, should one department’s monitoring of the customer’s transaction result in a red flag, it should notify all the other affected units and the AML compliance department.”
Verifying beneficial ownership or control of a firm may be the hardest bit of research to manage. Its execution depends on just how much work the financial firm is willing to do. As a start, KYC analysts can check local and national registries to find information on direct ownership, if available. However, such information may need to be cross-referenced and verified among national registries, which don’t necessarily operate in the same language or format. Alternatively, they can rely on global hierarchy data from a company such as BVD, especially if the ownership picture is multi-national. to understand the ownership picture.
Unfortunately, the process isn’t foolproof. US public companies are required to disclose their ownership structure to the Securities and Exchange Commission, but disclosure among private companies differs by country and individual US states. As a result, the data could be less than complete.
Rodenberg acknowledges that BVD can only rely on all the information it gets from the registries across the globe along with its proprietary data. In nations where companies are not forced to disclose their ownership structures, the data may be questionable or incomplete. However, using BVD’s service, he insists, will help KYC analysts at financial firms save countless hours trying to track down the same information from various registries, translate multiple languages, then link the data and harmonize it in visual ownership graphs.
For large global banks, broker-dealers and fund managers with customers across the globe, the task of complying with the fourth European directive might appear to be overwhelming. However, the biggest firms have deep pockets to fund additional staff and technology, as well a likely head start in risk-based customer profiling and monitoring policies.
Not so with small to mid-tier financial firms which will have to meet the same requirements with less resources. “The AML directive is going to translate into a lot of additional operational work, but I’m hoping we can leverage some of our US efforts,” says a AML compliance manager of a mid-sized wealth management firm with global operations. “Our US and European KYC teams will likely be spending a lot more time together.”
Leave a Comment
You must be logged in to post a comment.