The Customer Due Diligence (CDD) Final Rule, issued by the Financial Crimes Enforcement Network in 2016, will take effect on May 11, 2018. The Rule codified many of the existing regulatory expectations already associated with a sound due diligence compliance program and established a fifth pillar, which requires financial institutions to identify and verify beneficial ownership (BO) information on legal entity customers. While banks have begun implementing the new fifth pillar for anti-money laundering programs, there are additional topics to consider prior to the Rule’s go-live date:
- Customer awareness – Privacy has become a major concern for most people; therefore, it is in the bank’s best interest to proactively inform current and potential customers of the Rule. In the age of rampant identity theft and frequent news reports of businesses being hacked, customers are understandably reluctant to provide personal information. The public is generally unaware of the federal regulations, so current customers may be hesitant to provide information that was not previously required when setting up an account, while new customers may be reluctant to provide information they feel is intrusive. By educating customers, banks can help avoid upsetting customers and losing business based on having to exit a customer that refuses to provide the information. Having the relationship managers meet in person with customers to help complete the form and discuss the importance of complying with the new federal regulation may help ease concerns.
- Training for bank staff – Training on the Rule and organizational changes associated with it are to be expected with its implementation, but additional staff training will be required for the changes to be implemented effectively. Relying on customers to provide the information on their own will likely result in incorrect forms and a second outreach for corrections. In addition, the intricacies of the Rule require that bank staff be well-versed in the Rule and know what information is required in each situation, including complex ownership structures. Another example is the collection of information for trusts. The Rule does not require the collection of a beneficial owner for trusts (that are not statutory trusts), based on existing guidance that banks should take a risk-based approach to identifying individuals associated with the trust (grantors, settlors, trustees, etc.) in order to know their customer. However, where a trust owns 25 percent or more of the customer, the Rule does require that a beneficial owner, typically the trustee, be collected. Banks will need to train staff on how and when the difference applies so that the correct information is collected. Therefore, targeted training will be required to enable effective execution of the Rule.
- Ongoing updates/ownership changes – The Rule does not require the routine updating of information during periodic review, but it does require the updating of information for new accounts or when new information becomes available. The technology to update information for existing customers goes beyond the onboarding process and banks will likely need to enhance systems to ensure information gets updated throughout the entire know your customer (KYC) process, including customer risk rating and transaction monitoring applications.
- Beyond verification – Banks are well aware of the impending implementation of the Rule and the requirement to collect and verify BO information. While the Rule explicitly requires the collection of BO information, there is also an expectation within the Rule’s guidance that the collected information is linked across accounts and available for aggregation of currency transaction report and suspicious activity report filings as well as sanctions screening. Banks need to have the technology in place to meet this expectation.
- Single record for beneficial owners – Beneficial owners may have more than one account under different legal entity names, and may open accounts at various points in time. Multiple customer records and bad data quality have been obstacles for many financial institutions in the past and steps should be taken to prevent further data quality issues. Banks should consider having a strategy in place to prevent typos or other data entry errors, which cause multiple beneficial owner records for the same individual, to ensure accurate application of KYC processes and procedures.
The May 11, 2018 applicability date is fast approaching. Many banks are actively discerning how to show regulators a proactive approach in implementing the Rule, while reducing its impact on customers. Reviewing the recent technical amendments [1] and FAQs [2] can help determine that all information is incorporated into programs prior to the applicability date.
1. FinCEN, “Customer Due Diligence Requirements for Financial Institutions; Correction,” Federal Register, September 28, 2017, https://www.federalregister.gov/documents/2017/09/28/2017-20777/customer-due-diligence-requirements-for-financial-institutions-correction
2. FinCEN, “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions,” July 19, 2016, https://www.ffiec.gov/bsa_aml_infobase/documents/FAQs_for_CDD_Final_Rule_%287_15_16%29.pdf