The US Treasury’s new rules on how financial firms must handle their responsibilities to know their customers and prevent money-laundering will be operationally challenging to follow, but perhaps not entirely effective in identifying the bad guys.
The most controversial aspect of the new requirements — finding out the identities of the beneficial owners of the customers — has been watered down from the initial version in 2014 to give financial firms some compliance relief.
“Financial firms agree that the rules to combat money-laundering and tax evasion are long overdue, because there was no understanding of who was involved in complex corporate structures such as limited liability partnerships and limited liability corporations,” says Gary Swiman, head of regulatory compliance for BDO Consulting in New York.”However, the definition of beneficial owner is murky, leaving some room for clients not to disclose who has an ownership interest.”
Effective in May 2018, the new rules represent the climax of years of contentious debates with the financial industry about just how far they should go to prevent and track down potential criminal conduct. Russia, Hong Kong, Australia and the European Union have already adopted similar policies based on recommendations made in 2012 by the Financial Action Task Force, an inter-governmental policymaking body. The Treasury was finally forced to take action after the April leak of more than 11 million records from a Panamanian law firm indicated that leaders of foreign governments, corporations and even celebrities have used shell companies for money laundering and tax evasion.
Most of what the Treasury wants isn’t novel, but the rules are a bit more detailed than current practice defined by the US Patriot Act of 2001. “It is the more rigorous customer due diligence provisions that create the new fifth pillar of an effective AML program,” says Micah Willbrand, director of global AML product marketing for NICE Actimize, a financial crimes and compliance technology firm headquartered in New York and London. The USA Patriot Act requires financial firms appointing an AML compliance officer, hiring trained staff, and using processes and procedures to pick up potential criminal transactions. The idea of checking out clients and their investors isn’t as clearly defined.
Financial firms typically ask their customers for information about themselves before accepting them and onboarding their names onto their applications. The identification includes identifying details, the categorization of the client and the type of business activity involved. The financial organization will check the names against government databases and other terrorist databases to sift out potential offenders. Some — such as the largest global banks — might already be asking for the beneficial ownership structure depending on the business unit involved. However, small to mid-sized banks typically don’t, say AML experts. They don’t anticipate being targets for illegal activity.
If nothing negative crops up and the client is accepted, the financial firm will then assign the customer a risk-ranking which dictates just how closely it will monitor its transactions and the thresholds for outlier behavior. As a rule of thumb, the higher the risk rating the more frequently the customer updates and reviews will occur.
“The Treasury’s new rules represent best practice which mandates continual monitoring of customer information to update risk profiles,” says Debra Geister, manager of Navigator Consulting Group, a St. Cloud, Minnesota-based regulatory compliance and operations consultancy. “Financial firms need to take into account an additional element when creating and amending a risk profile — the beneficial ownership structure of the customer.” The inclusion of the new factor also means that financial organizations have to change the risk profile of a client for more reasons than just suspicious activity. Those causes include a change in ownership or control.
Understanding just who the direct customers are and keeping track of their activities is hard enough, but knowing their beneficial ownership — or just who owns the customer firm is an entirely different matter. The Treasury now wants financial firms to find out whether any of their customers have investors owning a 25 percent stake or anyone exerting “control.” If no investor owns a 25 percent share of the client firm, then only the “control factor” test applies. The financial firm can ask its client to identify one individual who has significant responsibility to control or manage the company on a day-to-day basis.
“The Treasury rules still allow banks to open accounts for customers without having any idea of the person who ultimately owns or controls that company,” says Heather Lowe, legal counsel for Global Financial Integrity, a Washington, D.C. research and advisory firm. “Without this information, banks can’t determine whether the people behind a company are on a sanctions list, a drug kingpin list or are public officials who may be sealing from their countries’ treasury or trying to stash their bribe money in a US bank.”
Even if a client discloses the identifies of those who have at least a 25 percent stake, the financial firm isn’t obligated to verify that the information on ownership interest is accurate unless it has reason to believe otherwise. The only data point that must be checked out is the actual existence of a reported individual investor. Financial firms can accept the client’s word on the rest of the information through either a standard identification form provided by the Treasury or other document created by the financial firm as long as it includes names, addresses, dates of birth and relevant tax ID numbers.
The leeway on verification comes as a relief to the banking and brokerage communities which argued that it would be too difficult and costly to check out all data provided. The US does not have a single centralized database to store beneficial ownership and control. It only requires that firms that have to register with the Securities and Exchange Commission to cough up more information about who owns a stake in the firm. That leaves thousands of other firms that only have to comply with their local country requirements or diverse US state requirements for registration, leaving financial firms with fewer information resources than they might need to comply with verification requirements.
Last but not least, the Treasury’s rule on identifying beneficial owners doesn’t apply for every customer. The list of exemptions is pretty extensive. In a nutshell, if the customer just happens to be a bank, investment company and adviser or public accounting firm, the ID rule doesn’t apply. Non-profit companies and pooled investment vehicles controlled or advised by a financial institution that is not excluded from the definition of legal entity customer must only provide the name of a controlling person. The Treasury has also set exemptions from identification of investors for accounts opened for “low-risk” business activities as long as the payments are transferred directly from the client to the service provider. Those include accounts designed to finance the purchase of postage, insurance premiums or equipment leasing.
How much of a hassle will the Treasury’s new rules be to follow? For most financial firms the biggest change to their AML policies might just be to keep track of beneficial ownership of their customers — a scenario which will require them to alter their account opening procedures and technology. “Customer databases currently do allow financial firms to include the names of individual clients and business entities, but might not allow the names to be tied to the name of the client in which they have a stake,” says Geister.
By requiring that beneficial ownership be identified, the Treasury is also implying that the business activities of the beneficial owners must be tracked. Any disconnect in linking the client names with beneficial ownership could make it difficult to track down suspicious conduct. Therefore, financial firms may need to add a new shared internal identification code for the client and all of its beneficial owners so the activities of the two can be reconciled. Willbrand says that NICE Actimize’s integrated AML onboarding and transaction monitoring platforms allows financial organizations to tie the business activities of the beneficial owners of their clients with the business activities of the transactions of the clients.
The compliance challenge faced by firms in following the requirement for disclosure of beneficial ownership will likely depend on just how many accounts they must address. It is unclear to what extent financial firms must go to track down information on beneficial ownership for pre-existing clients — or those which opened their accounts before the effective date of the Treasury’s rules. “On the one hand, the Treasury didn’t impose a categorical requirement to collect and verify beneficial ownership information for accounts opened before May 11, 2018,” says Jay Baris, a partner at Morrison & Foerster in New York. “However, the rule does not preclude firms from deciding to collect beneficial ownership on some customers on a risk-basis during the course of transaction monitoring.”
While the new regulatory landscape is two years off, preparing early will go a long way to ensuring successful compliance. Revisiting the procedures of its existing AML program is a good idea, recommends Baris. Financial institutions should ensure they have established clear guidelines that address the requirements for opening client accounts, creating risk profiles, updating information and investigating suspicious activities for possible reporting if necessary.
“The likely immediate effect of the Treasury’s rules will be hiring more trained account opening and transaction monitoring staff to handle customer onboarding and activities,” says Daniel Viola, a partner with Sadis & Goldberg in New York. The reason: customer information will need to take into account the beneficial or controlling executive data and updated more frequently for changes in beneficial ownership. The result could be a greater number of transaction alerts to review, particularly if beneficial owners are included in transaction monitoring.
Bank compliance specialists contacted by FinOps Report say they are the most concerned about how narrowly they should interpret the Treasury’s language on verification. What happens if one business unit has information about a client that another doesn’t? The Treasury might not buy the argument of ignorance and consider the financial firm lax. “Business units often don’t share information due to technological, policy, or data privacy constraints,” said the compliance manager at a New York bank. Regarding seeking more information on pre-existing clients,”It is more likely that a suspicious activity alert will trigger an investigation into the beneficial ownership,” says another.
Even the largest financial organizations have faced troubles with inadequate know-your-customer procedures and inconsistent policies across business lines. Such was the case with Raymond James, which was recently fined US$17 million by the Financial Industry Regulatory Authority, the self-regulatory agency for broker-dealers.
The best preventative medicine is to developing a single documented enterprisewide policy for customer onboarding, recommends NICE Actimize’s Willbrand. “In most cases, the same customer information needs to be collected regardless of the business unit which has signed up the client and the same processes should apply for when to update the customer data and onboarding information.” Each business unit of a financial organization is still free to create its own risk profile of the client which will determine how often it will monitor its transactions.
Barring the anticipated operational angst for compliance specialists and uncertain outcome for catching criminal activity, the Treasury’s new rules might bring, tax experts point to one comforting factor. Foreign governments who want the US to catch their tax evaders might feel appeased. The US Foreign Account Tax Compliance Act (FATCA) requires non-US financial institutions to keep track of American “persons” dodging their tax obligations and share what they know about their accounts with local foreign tax authorities to communicate with the US.
The US has promised it will reciprocate but couldn’t fulfill any commitments because of the lack of necessary data on beneficial owners. Still, it is unknown when the US will fork over any data to foreign governments and how useful it will be. FATCA does require disclosure of beneficial ownership of corporate investors, but the threshold is 10 percent — a figure the Treasury vetoed in the final draft of the rules. The FATCA legislation also mandates that non-US financial firms review all accountholders, not just new ones. “In trying to satisfy its own financial institutions, the US might have missed the boat on reciprocity,” says one tax compliance director at a New York bank.