The CDD Final Rule, FinCEN’s latest Customer Due Diligence Requirements, has been in full effect for over a year now. What changes might be necessary and what are regulators or legislators proposing? What deficiencies have become apparent? What can compliance teams do to implement procedures to help make sure the program is effective?
Gaps: Ultimate Beneficial Ownership (UBO) regulations
The big change under the Final Rule was the requirement for obliged entities to collect, maintain and report beneficial ownership information of business customers. This requirement applied at any new account opening and whenever an event-driven trigger changed the risk level. In terms of preventing money laundering, the new rules were an improvement over previous regulations, but there are still sizable gaps. As Steven D’Antuono, Section Chief of the FBI’s Financial Crimes Section, stated, “the [current] lack of an obligation to collect beneficial ownership information at the time of company formation is a significant gap.”
This is not the first time that loopholes in the collection of beneficial ownership have been noted. The 2016 FATF Mutual Evaluation Report stated:
Risk mitigation through the regulatory framework is less well-developed and has some significant gaps, including minimal coverage of investment advisers, lawyers, accountants, real estate agents, trust and company service providers (other than trust companies) … The Federal authorities have a good understanding of the risks of complex structures of legal persons and arrangements being used to hide ownership and launder money. However, serious gaps in the legal framework prevent access to accurate beneficial ownership information in a timely manner. Fundamental improvements are needed in these areas.
Various legislators have attempted to include more robust beneficial ownership requirements in federal legislation, but many industry players oppose such a move as being too onerous. The most recent legislative attempt, The Improving Laundering Laws and Increasing Comprehensive Information Tracking of Criminal Activity in Shell Holdings (ILLICIT CASH) Act, was introduced on June 10, 2019. The ILLICIT CASH Act would require entities to file beneficial ownership with FinCEN at the time of incorporation. Entities that are already incorporated would have to file within two years of the Act becoming law.
Last year, similar requirements in the Counter Terrorism and Illicit Finance Act (CTIFA) were amended out of that bill. As the ILLICIT CASH Act is currently only a discussion draft, it faces a long journey for that requirement to make its way into law.
Confusion around reasonable compliance practices
There were several areas of confusion for obliged entities implementing the Final Rule. A few weeks before the effective date, FinCEN released guidance regarding the customer due diligence requirements. Guidance like this is generally looked at as a way to clarify and simplify complex requirements.
However, according to Brian Monroe of the Association of Certified Financial Crime Specialists, in this case “[the guidance] in some ways contrasted with perceived expectations and current regulations — forcing the financial sector to choose between which one to follow.”
The question is, what is a reasonable compliance practice? For example, what is reasonable in the case of account rollover, renewal, modification or extension? The guidance stated that these cases required obtaining information on the beneficial owners, as they are considered new accounts. In practice, though, these are fairly straightforward activities and the account information is not changed. In response to the confusion, FinCEN issued a 90-day temporary and limited exceptive relief, then a further 30-day extension and finally a ruling making the exception permanent for certain types of account actions.
FinCEN also reminded obliged entities that “unlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance.” While technically true, as legal firm Arnold & Porter stated, “for an industry such as the banking industry which is governed by amorphous ‘safety and soundness’ obligations, departing from agency guidance may nevertheless pose a risk of being deemed an unsafe or unsound banking practice.”
UBO best practices
Any confusion or contradictory information about requirements is bound to cause consternation in the compliance team; after all, the risk of fines or sanctions is significant. Fortunately, there hasn’t been any news of major fines or noncompliance to date. Perhaps regulators are, at this point, focusing on making sure that processes are being implemented and any shortcomings are being pointed out in regulatory reviews for further attention.
In terms of recommendations, what can organizations do to safeguard their UBO compliance procedures? Thomson Reuters, “the world's leading source of intelligent information for businesses and professionals,” suggests ten ways to ensure your organization is UBO-compliant:
- Run pilot tests
- Do a gap analysis
- Keep an eye on regulators
- Determine your thresholds
- Document, document, document
- Get external communications going
- Do internal training
- Establish lines of communication
- Make sure vendors properly managed the work
- Prepare for worst-case scenarios
These are practical steps that can help make your compliance program robust and scalable, and they sync up with what we suggest in our Enhanced Due Diligence Procedures post. Compliance is ever-changing, and more demanding EDD requirements are becoming more and more the norm. Implementing a systematic approach that has smart and adaptable technology, communications and controls will help provide the necessary strategic and operational insight to deliver a UBO program that is strong now and into the future.