Regulators have yet to spell out exactly how they will implement the new customer due diligence (CDD) rule for financial institutions that the U.S. Treasury Department and the Financial Crimes Enforcement Network finalized on May 11, 2016.
However, this does not mean there should be delays in planning for compliance with the rule on the part of banks, credit unions, securities firms, money services businesses and casinos. In fact, the rule’s preamble suggests that many of them should already be applying some of its new and more stringent due diligence standards.
The rule, to take effect in 2018, adds a “fifth pillar” of CDD. Institutions will now not only need to designate a compliance officer; establish policies, procedures and controls; train employees; and undergo independent testing, but they will also need to identify individuals owning 25 percent or more of an entity holding an account and an individual with “significant responsibility” to control it, with some exceptions. The rule applies to all new customers and implies that banks may wish to apply it to existing customers sooner rather than later.
It recognizes that control over an entity may not rest with the beneficial owners, and when it does not, there is a need to understand the relationship between beneficial ownership and control. Common situations where the two might diverge include control through a power of attorney or control of trusts by the trustees rather than the beneficiaries. Take, for example, an account being established for an entity owned by three trusts. Each of the three trusts is in turn held by three additional trusts, thereby creating an ownership structure that is not fully transparent. To further complicate matters, trustees in many states can demonstrate that a trust in the U.S. is a stand-alone legal entity. The individual trustee at the top three trusts can be the same individual; however, they will argue that the trusts are not related.
The new rule may create uncertainty for financial institutions that focus on complex structures or provide accounts with various controlling persons. Take, for example, a fund of funds with control spread amongst the many holdings—the rule requires due diligence for only one controller. In addition, in the case of the bifurcation of control between a lawyer, accountant or investment advisor, prudence calls for evaluating all “gatekeepers”—not just a single person as required by the regulation.
Given the uncertainties surrounding the rule, perhaps the first question for executives to address is how to proceed when there are conflicting views within the institution as to how to interpret the new standards it sets and to adopt them in an effective way.
In conducting that analysis and planning, executives can start by focusing, at a minimum, on the following five areas.
- Target business model—Executives need to evaluate the new rule in light of their overall business focus and target market. They should consider their risk appetite as it pertains to the firm’s product lines, geographical focus and types of customers served.
- Policies and procedures—Organizations will need to change or amend policies and procedures in order to obtain the newly required information effectively and within a reasonable time frame. This might start with a fresh look at how they break down client types. It is likely that they will find parties who have been asserting control over accounts that they did not know about or that they did not perform due diligence on. They should identify how they will respond to problematic outcomes of the additional analysis of customers they will be performing, such as the types of exceptions they will allow. It is important not to maintain so many of them that the organization is managed as much by exception as by the rule.
- Culture and training—The new rule calls not just for changes in policies and procedures, but in some sense a cultural shift. Clients that had been viewed as low risk will be required to provide more extensive information. That means new training and communications plans targeting employees who cultivate and onboard new clients. They will need to know how to respond to questions from those clients who have not had to provide as much information in the past, and to the refusal of some of them to do so. These employees will also need to know more about privacy rules in the various jurisdictions in which they operate and be vigilant in referring certain customers to their BSA/AML officer for refusal to respond to requests for information.
- Technology—Firm-wide executives, not just compliance professionals, need to take a much closer look at the technology side too. They should examine whether they have the means of capturing the newly required data. This includes identifying and correcting deficiencies in software, including data depositories, and in related policies such as the frequency of reviewing and refreshing data. It will be a significant undertaking for large, global financial institutions. Let us not forget all the great uses of this newly created data set, particularly in the AML investigation process!
- Reliance—One of the biggest challenges in implementing the new rule will come in the area of an institution’s reliance on others for due diligence through contractual arrangements. Currently this practice typically extends only to the five basic data points of customer identification programs. The rule does not address extension and modification of these agreements—which are still paper-based and often negotiated on a case-by-case basis—to identification of beneficial ownership and control. Organizations can expect to have to renegotiate their reliance contracts. Reliance programs are already complicated and they will become more so. Executives need to consider whether they want to invest the time and resources to meet the new standards on their own, or to assume the risk that their counterparties can do so, and do it effectively and expeditiously.
Begin with an inventory of your universe and realize that uncertainties exist, but know that now is the time to plan. Make sure to plan in light of your business model. Examine policies and procedures for collecting information, consider the need for new communications and training, and possibly a cultural shift, along with enhancements to your technology and due diligence procedures. Preparation at this time will ease the process, regardless of how regulators decide to implement the CDD rule.