Implementing the Fifth Pillar of BSA: The Role of the Third Line of Defense

After lingering in regulatory limbo for the last four years, the Financial Crimes Enforcement Network (FinCEN) published the new customer due diligence (CDD) beneficial ownership final ruling in 2016, creating the “fifth pillar” of the Bank Secrecy Act (BSA).[1] Regulators were always clear that formalizing prior guidance and enhancing requirements related to CDD expectations was not a matter of if, but when. The Federal Register states that “FinCEN views the fifth pillar as nothing more than an explicit codification of existing expectations; as these expectations should already be taken into account in a bank’s internal controls.”[2] A bank’s Bank Secrecy Act/anti-money laundering (BSA/AML) program should be designed to meet the requirements of the four pillars, while also incorporating the new expanded fifth pillar.

With the implementation of this new Rule, a robust customer identification/customer due diligence (CIP/CDD) program is more important than ever. According to FinCEN, the following are the four elements of CDD:

  1. Customer identification and verification
  2. Beneficial ownership identification and verification
  3. Understanding the nature and purpose of customer relationships to develop a customer risk profile
  4. Ongoing monitoring to report suspicious transactions and emphasis added for “maintaining” customer information on a risk basis

Current CIP requirements address the collection and verification of customer identity information; however, “the new CDD Rule specifically addresses the second, third and fourth elements. The second element related to beneficial ownership identification and verification, is now a regulatory requirement.” The third and fourth elements expand BSA/AML program requirements and now fall under the new fifth pillar.

The requirements set forth by FinCEN in the new Rule were created to mitigate risks associated with a lack of transparency of beneficial ownership of business entities and risks associated with shell companies[3] and anonymous companies (e.g., usage of these entities for laundering illicit proceeds due to vulnerabilities with company formation requirements in the U.S.). In addition, the U.S. had long been criticized by the Financial Action Task Force and the G8[4] for its lack of sufficient CDD regulatory requirements, particularly with regard to capturing beneficial ownership under company formation laws. The new Rule is intended to clarify, consolidate, harmonize and strengthen CDD requirements for “covered financial institutions,” which include banks, broker-dealers, mutual funds, futures commission merchants and commodities brokers. Although the Rule went into effect in 2016, “covered institutions” were given a mandatory date of May 11, 2018 to attain complete compliance.

The beneficial ownership aspect of the Rule identifies two types of beneficial owners: individuals who meet the ownership threshold of 25 percent or more of a legal entity’s equity interest (whether direct or indirect) and individuals who meet the control threshold by having significant authority to control, manage or direct the legal entity customer.

Each covered financial institution has to consider the impact of the new Rule and other things such as:

  • What constitutes an account;
  • Whether the beneficial ownership threshold should be lower than the minimum of 25 percent;
  • What would trigger an event to collect beneficial ownership information; and
  • How customers already designated as high risk should be treated.

Not All Institutions Are Created Equal

In an effort to promote know your customer (KYC) and manage the money laundering risks of entities where the individual ownership of business entities is not always transparent, the new Rule presents many underlying challenges for implementation. Audit should review the analysis conducted by compliance and legal staff when scoping the impact it has on the financial institution. The institution may also offer products and services that do not fit the traditional banking model and require additional research in understanding how the Rule may or may not apply. For example, banking institutions may offer financial services for automotive dealerships that may range from purchasing retail-only contracts to a full array of services to financing wholesale floor plans, wholesale loans, real estate loans, secondary market lending activities, physical or online vehicle auction activities, transportation and equipment financing and many more. Financial institutions that offer nontraditional commercial banking services may find differing opinions on defining what products and services constitute an account. At the end of the day, it is critical that financial institutions fully understand their customers, products and services to make risk-based decisions that are reasonable and ensure compliance for the institution’s business model. Internal audit’s role is to independently and objectively evaluate and report on the effectiveness of the institution’s risk management, internal controls and governance processes for the implementation of the new CDD Rule.

As regulators continue to add more scrutiny to financial institutions and their affiliates, the CDD Rule adds another layer of complexity for “knowing your customer.” Although banks have been working toward compliance with the new Rule for the last 18 months or longer, the May 11, 2018 deadline is quickly approaching.

Audit’s Role Pre-Implementation

As institutions are implementing CDD, audit should be engaged and have a seat at the table of the enterprise project. Internal audit contributes to the success of implementation by providing stakeholders with relevant, independent and objective enterprise-level perspectives regarding governance, risk and internal controls as implementation unfolds for each business unit.

Audit’s role pre-implementation should include the following:

  • Engage with lines of business (LOB) and enterprise functions’ compliance partners
  • Attend CDD project stakeholder meetings
  • Obtain and maintain audit team expertise in understanding the new Rule through industry conferences, seminars and other audit training venues
  • Incorporate the new CDD Rule requirements with areas of focus, as part of their annual audit plan
  • Complete an enterprise CDD risk assessment to include each business unit to understand the impact of the Rule based on customer types, products and services
  • Focus on CDD risk framework and controls
  • Engage audit industry professional groups and peers

Audit Engagement

Audit should be engaged regularly with AML compliance and the institution’s legal team when discussing the inclusion of new regulatory requirements in the AML program. Although the elements of the Rule are clear, there are risk-based decisions that institutions will need to make for the execution of the new Rule.

  • What constitutes an account for each LOB in considering products and services?
  • The beneficial ownership threshold is 25 percent, as required by the CDD Rule. Is that threshold adequate for the institution’s risk model or are there circumstances or certain customers who would lower the threshold for applying CDD requirements?
  • What are appropriate customer refresh processes and time frames for the LOB or institutional customer risk?
  • How will the institution treat existing customers that are not high risk for KYC refresh?
  • What criteria would generate an event (e.g., “trigger event”)?
  • Is there any subset of high-risk customers that the institution would apply a look-back approach to collect beneficial ownership information?
  • What is a reasonable time frame for identity verification or for customers to respond to requests?
  • Will there be additional screening (i.e., 314[a]) and monitoring processes put in place (i.e., aggregation of cash transactions for currency transaction reporting)?

Audit’s awareness and understanding of the risk decisions that an institution makes are invaluable. The institution’s AML program should not be written up and sent to the board or board committees without vetting with senior business line and audit.

In addition to engagement with corporate AML compliance, internal audit should be represented at the enterprise stakeholder or project meetings. It is during these meetings where knowledge is often gained in understanding the concerns and challenges the business lines face with implementation.

Audit should have a good understanding of where the enterprise is in the implementation process as well as whether there are any “at risk” areas where compliance may not be met.

Just as important is the auditor’s subject-matter expertise on the new Rule, so that they can effectively audit compliance with the new Rule. Audit should be looking externally for opportunities to train on the new CDD Rule requirements and how the Rule will apply to your institution.

Knowledge is Power

As a general practice, financial institutions’ internal audit programs will include an independent AML risk assessment in order to understand AML risk within their institution. Like the wise saying of Socrates, “To know thyself is the beginning of wisdom.” Many institutions most likely began by conducting an enterprise business impact analysis (BIA) including the customer types, products/services, source systems, IT capabilities, policy and procedures, training and budget. Several important items may come out of BIAs, such as:

  • Compliance learned what they did not know about their lines of business, enterprise functions, products and services by conducting a thorough self-diagnosis for implementing the new CDD Rule.
  • Banks noted that the account level of implementing CDD is much more complex than implementing CIP at a relationship level.

Audit should review those business impact assessments when performing their independent risk assessment of risk related to the new CDD Rule.

Risk-Based Trigger Events

During the last 18 months, you may have experienced that there are as many differing opinions on what is a “trigger event” to collect beneficial ownership information as there are on “what makes an account.” While some institutions may appear to be “trigger happy” at this phase, there has to be a reasonable assessment about risk, and financial institutions should manage the process according to that exposure to risk.

The pendulum swings far and wide. Some banks have stated that a trigger event would be an institution filing a suspicious activity report (SAR). This single risk factor would seem to make a strong case that if anything is a triggering event, a SAR would be. However, filing a SAR initiates a 90-day account activity review and may result in a second SAR, a third SAR, etc. If that single factor was a trigger, you would be collecting beneficial ownership every 90 days while the activity risk remains the same. Some institutions have made the decision of a 10 percent threshold to collect beneficial ownership information across the board and some have decided on the 25 percent threshold, except they go down to 10 percent on high-risk customers. Other institutions are looking to take an even more conservative approach, saying a trigger will occur if additional services for wires or Automated Clearing House origination are added or if any change to a profile is made, such as a change in address or phone number. While the Rule does not require a look-back, there are institutions that are going back and collecting information on their high-risk customers or taking other refresh steps on business customers in general.

At the end of the day, each institution will make risk-based decisions that internal audit should have a strong understanding of, along with the mitigants that support those decisions. Audit should raise concerns about AML policy decisions, so they are addressed before policy approvals and implementation of the Rule within the institutions. The last thing you want to hear is that audit sat passively by as the enterprise implemented the new Rule with a weak program to support CDD compliance. The process of implementing the new Rule and every risk decision made must be documented and should include the rationale and justification of risk-based decisions.

After Implementation

Audit’s real work begins after the Rule has been implemented. Audit will need to carefully review processes, controls and systems to identify any gaps that may exist. While regulators may treat 2018 as a discovery phase during regulatory examinations of institutions, audit should be ready to review CDD implementation full on so that institutions can remediate any deficiencies before a regulatory examination.

Audit should have educated AML auditors who are well-versed on the new CDD Rule by the institution’s set implementation date. The annual audit plan should include an outline of which lines of business will be audited and when, using a risk-based approach to CDD implementation. Although regulators are stating Federal Financial Institutions Examination Council (FFIEC) exam procedures will be updated before the mandatory date of May 11, 2018, auditors should already be preparing the audit plan for the CDD Rule and the key elements that should be tested.

In preparation, the audit team should review the business line’s implementation plan to bring more thorough awareness of the business response to execute compliance. This awareness will add to the auditor’s knowledge of the LOB customer types, products and services impacted by the Rule and assist in building out the audit scope for independent testing of the effectiveness of processes and procedures. Audit will follow its same program mandate that it already has in place, which may include the following:

  • Conduct a risk assessment and consider input from management for CDD risk and control functions to define the audit plan
  • Form conclusions by inspecting records, observing business processes, testing transactions, examining procedures and other means, including continuous monitoring results
  • Provide independent assessments as to whether the institution’s process, products, operations and activities:
    • Conform to laws and regulations
    • Support sound governance, risk management and internal controls
    • Support accurate reporting
    • Are effective
  • Provide audit committee insight into effectiveness of governance, risk management and internal controls
  • Advise management on the design of internal controls, provided such consultation does not impair audit’s independence and objectivity

Independent testing or internal auditors are the third and last line of defense for BSA/AML compliance. Effective and qualified auditors are critical to the success of an institution’s BSA/AML program for multiple reasons. One of the most valuable contributions that internal audit makes to an AML program is that regulatory examiners may leverage the work of internal audit in conducting their ongoing supervision (provided they can obtain comfort with the organizational independence, competence, objectivity, and quality of the audit staff and its work). Regulatory examiners will assess audit work papers for effectiveness and findings as well as the effectiveness of audit to track issues to resolution. If examiners determine that the institution’s independent testing is effective, they will feel more confident to rely on internal audit’s results and this can impact the scope of the regulatory examination.

Although independent auditing can be stressful, effective audit teams will identify deficiencies and gaps in the implementation of the new CDD Rule in the AML program. This will allow institutions to develop action plans to begin to remediate issues before examinations are conducted. In addition to ensuring effective and qualified auditors, some common mistakes to avoid include:

  • Not incorporating the minimum testing requirements outlined in the FFIEC manual that would be applicable to the institution;
  • Not utilizing the institution’s risk assessment in the scope of the BSA/AML audit;
  • Failing to test and validate the assessment specific to the new CDD Rule risk;
  • Not utilizing the institution’s monitoring and testing program results (if available on the new CDD Rule);
  • Not testing the accuracy of management information systems reports, AML system functionality or data integrity; and
  • Not reviewing available monitoring and testing reports by the second line of defense.

An effective audit program should incorporate the following elements:

  • A well-written audit plan and defined audit scope;
  • A risk base appropriate to the institution’s BSA/AML risk (identify high-risk areas for testing);
  • A “living” test plan;
  • Allocation of appropriate time and resources;
  • Adequate transaction testing;
  • An organized audit report; and
  • Open and timely communication with the business line and AML compliance leadership.

Audit has a very specific and critical role to play pre- and post-implementation of the regulatory requirements set forth in FinCEN’s new CDD Rule. If your internal audit group has not been actively engaged to date, it is not too late to engage them.

Joyce Broome, CAMS-Audit, senior director of enterprise enhanced due diligence and sanctions, Charlotte, NC, USA

  1. “Customer Due Diligence Requirements for Financial Institutions,” Federal Register, May 11, 2016.
  2. Drew Young, “New Rule Regulates Beneficial Ownership and Customer Due Diligence,” Kraft CPAs, August 7, 2017.
  3. “Potential Money Laundering Risks Related to Shell Companies,” FinCEN, November 9, 2006.
  4. The Group of Eight (G8) refers to the group of eight highly industrialized nations—France, Germany, Italy, the United Kingdom, Japan, the United States, Canada, and Russia—that hold an annual meeting to foster consensus on global issues like economic growth and crisis management, global security, energy, and terrorism.
