ICT Views

FinCEN’s final rule on Customer Due Diligence for financial institutions catches up with FATF but leaves material gaps with the EU


On 11 May 2016, the US Financial Crimes Enforcement Network (FinCEN) published its long-awaited final rule on customer due diligence (CDD) requirements for financial institutions, as a result of a 4-year drafting and consultation process started in the wake of the Financial Action Task Force’s (FATF) 2012 revision of its 40 Recommendations.

The requirements focus on the areas of beneficial ownership and purpose and nature of the relationship of FATF Recommendation 10, while customer identification and ongoing monitoring requirements are already a core component of the existing framework.

Surprisingly, however, the final rule makes no mention of the requirements having their origin in the international efforts of the FATF. On the other hand, the publication of the final rule shortly after the release of the Panama Papers makes it very timely.

The rule further establishes CDD as a ‘fifth pillar’ to the requirements of an anti-money laundering (AML) programme (supplementing the Bank Secrecy Act requirements of internal policies and controls, independent testing of the AML programme, a designated compliance officer and staff training), recognising the critical importance of CDD as the foundation of effective money laundering prevention.

While the actual amendments to the Code of Federal Regulations run to just eight pages, the final rule of 62 pages covers the entire history of this rule-making process and provides useful insights into the US regulatory formulation process, including the interesting impact assessment for the new regulation.

Also apparent in this text is the ongoing collective uneasiness of the US financial community and its regulator with the transition to a risk-based approach to AML: the risk-based approach to CDD is mentioned numerous times, but largely as a matter of existing practice by financial institutions and without reference to specifics. The US regulator is clearly challenged here to reconcile the traditional, rules-based approach to regulation suited to the domestic market with the evolution of international standards, as adopted by prominent international US firms.

Similarly, the rule brings to light the dichotomy within the US financial system between large, multinational US institutions resourced to perform CDD to globally recognised standards and the vast number of local or state-level domestic institutions operating to simpler standards. By FinCEN’s admission, the new rules are designed in part to limit the cost impact to the US domestic banking system.

In doing so, the new rules – while addressing an existing gap with international standards – leave significant differences with EU requirements and practices in the area of beneficial ownership. This can be traced to two reasons:

  • the impact of the new requirements on the majority of US domestic firms as mentioned above
  • the emphasis of the regulation on making customer data available to law enforcement where required, rather than placing broad due diligence and verification duties on financial institutions. This constitutes a significant difference in the approach to AML between the US and the EU.

Beneficial ownership requirements

The concept of beneficial ownership is separated into an ‘ownership prong’ and a ‘control prong’ and features:

  • beneficial ownership defined at a 25% threshold
  • no requirement to independently verify the ownership of the customer – the information can be collected from the customer, including via a standard form provided in the rule
  • a requirement for verification of the identity of beneficial owners, by means consistent with customer identification programme (CIP) rules
  • under the control prong, identification of only one senior management member or controller
  • beneficial ownership definition for trusts limited to the trustee
  • regulated and listed firms are exempt from the requirement, in effect perpetuating the historical approach to SDD (simplified due diligence).

These are materially different, and lighter, requirements than those in force in Europe, and will leave many wondering whether the US is doing enough (in the 4th EU Directive, the 25% threshold is only indicative; verification of ownership is standard; the approach to beneficial ownership is comprehensive, combining ownership and control; broad identification of controllers is required; the trustee, beneficiary, settlor and protector of a trust are all defined as beneficial owners; critically, there is no longer any systematic entitlement to SDD for listed and regulated firms).

Conversely, the focus on the collection of information supporting law enforcement inquiries, and the explicit attention to the financial costs to the industry by FinCEN, may provide an incentive to European institutions to question more forcefully the cost-benefit balance of the EU’s Fourth Money Laundering Directive.

Finally, the exemption also applies to regulated foreign financial institutions provided they are ‘established in a jurisdiction where the regulator of such institution maintains beneficial ownership information regarding such institution’, which will undoubtedly raise challenges with the practical implementation of this test.

Nature and purpose of the relationship and customer profiles

FinCEN positions the rules as the formalisation of existing expectations and practices designed to support the effective detection of suspicious activity through establishing a customer risk profile. This rule is addressed in a generic manner in that:

  • the requirement is mentioned as forming part of the fifth pillar of AML programmes of risk-based CDD procedures, and
  • for the requirements themselves, FinCEN defers to the existing rules established by federal functional regulators.

Even though the notion of customer profile is here primarily about establishing ‘information gathered about a customer to develop the baseline against which customer activity is assessed for suspicious transaction reporting’, the recognition by FinCEN that adequate CDD requires a structured set of customer information, embodied in a customer profile, is a welcome formalisation of industry standards long known to know-your-customer practitioners.

How will the rule come into force?

All covered institutions – from which hedge funds are still notably absent – must comply with the final rule by May 2018, leaving two years for implementation.

There is no systematic look back requirement nor an expectation of carrying out periodic reviews of CDD information. Instead, existing customer relationships should be reassessed only based on trigger events, including detection of unusual or suspicious activity.

The rules are positioned as a minimum set of requirements and federal functional regulators will be able to impose further requirements, removing any prospect of an end to the regulatory proliferation typical of the US landscape.

What’s next?

The creation of a codified set of regulatory requirements for beneficial ownership will clearly support a more level playing field for US institutions in the way they apply CDD.

Many will find the requirements a step up from their current practices (so far, beneficial ownership requirements have been in the form of general guidance and largely confined to enhanced due diligence (EDD) measures for private and correspondent banking) and will need to improve capabilities.

This includes systems and controls but also adequate training to ensure the information gathered is of the required quality and used to support effective identification of risks.

From a regulatory perspective, we would expect the new fifth pillar of CDD to serve as the springboard for further rule-making in the area of risk assessment, the risk-based approach to CDD and EDD. We would in particular expect FinCEN to start addressing the current absence of language around the treatment of high-risk relationships, politically exposed persons (PEPs), source of funds and source of wealth.

With regard to the customer risk profile, the notion is still only loosely defined at this stage and we would also expect federal regulators to influence how such profiles take shape as an industry standard in their respective sectors. At a minimum, the stated desire to move towards a risk-based approach would require a broader definition of customer risk factors, standardisation of the approach to risk rating and the development of a culture of risk assessment within organisations. For the sake of global consistency, may we suggest that the recently issued draft Guidelines on CDD risk factors by the European Supervisory Authorities would offer a useful starting point.


Get ahead with the ICA

The ICA Advanced Certificate in Practical Customer Due Diligence provides practical and comprehensive training in customer due diligence.

This intermediate-level course focuses on the core outcomes of CDD and, in particular, the risk-based assessment of the acceptability of customer relationships.

It provides a hands-on learning journey through all key CDD disciplines of identification and verification, understanding the customer’s profile and the purpose of the relationship, beneficial ownership and control, screening on sanctions, PEPs and adverse media.


© 2017 – International Compliance Training Ltd, a division of Wilmington plc. International Compliance Training Ltd, is a company registered in England & Wales with company number 4363296 GB. Registered office: Wilmington PLC, 5th Floor, 10 Whitechapel High Street, London. E1 8QS VAT NO.GB 899 3725 51