Tue, Aug 7, 2018

FinCEN CDD Rule: Are You Compliant?

Financial Crimes Enforcement Network's (FinCEN’s) Customer Due Diligence Rule ("CDD Rule") went into effect May 11, 2018; as a result, beneficial ownership and customer due diligence are top of mind for many covered financial institutions. How is your organization planning to comply? Following is an action plan we developed, based on FinCEN’s Frequently Asked Questions, that provides you with immediate and long-term strategies for intrinsic, sustainable program compliance.

Covered financial institutions must ensure their due diligence programs are in line with FinCEN’s guidance on core elements of a customer due diligence program:

  • Customer identification and validation

  • Beneficial ownership identification and verification

  • Understanding the nature and purpose of customer relationships to develop a customer risk profile

  • Ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information.

Here are five key plan components that will help you comply with FinCEN’s most recent guidance:

1. Identify customers and validate identifications.

This process helps you know your customers and vendor base. It may involve the vetting and/or a re-vetting of new and existing customers/vendors to help ensure data integrity and consistency for regulatory reporting.

Interestingly, while FinCEN advises that “FIs are not required to conduct retroactive reviews to obtain beneficial ownership information from customers with accounts opened prior to May 11, 2018”, it goes on to note: “The obligation to obtain or update beneficial ownership information on legal entity customers with accounts established before May 11, 2018, is triggered when a financial institution becomes aware of information about the customer during the course of normal monitoring relevant to assessing or reassessing the risk posed by the customer, and such information indicates a possible change of beneficial ownership.” Special situations outlined in FinCEN’s recent FAQs include:

  • Trusts:
  • “If a trust owns directly or indirectly […] 25 percent or more of the equity interests of a legal entity customer, the beneficial owner […] is the trustee, regardless of whether the trustee is a natural person or a legal entity.”
  • “Where there are multiple trustees or co-trustees, financial institutions are expected to collect and verify the identity of, at a minimum, one co-trustee of a multi-trustee trust…”.
  • Sole proprietorships and unincorporated associations:
  • “Sole proprietorships […] and unincorporated associations are not legal entity customers as defined by the Rule, even though such businesses may file with the Secretary of State in order to register a trade name or establish a tax account. This is because neither a sole proprietorship nor an unincorporated association is a separate legal entity from the associated individual(s), and therefore beneficial ownership is not inherently obscured.”

2. Identify beneficial owners and verify identification.

Authenticate and validate your business to meet the regulatory expectation of identifying all individuals who maintain a 25 percent or greater equity interest or possess the ability to control any business entity you partner with. FinCEN recommends a 25 percent beneficial ownership threshold, but you may choose to go lower. You may also decide to focus on individuals with managerial control if they are different from the ultimate beneficial owner.

FinCEN advises that the covered financial institution “may rely on [third party provided] information, provided that it has no knowledge of facts that would reasonably call into question the reliability of such information.”. However, depending on your risk threshold, you may choose to independently re-vet your partners and identify intermediary and ultimate ownership information, as well as any state ownership and/or political exposure. Additionally, once beneficial ownership is established, confirm the individual’s source of wealth to ensure they meet regulatory standards. Be sure to have in place a predetermined escalation path for atypical research results.

3. Establish a risk profile.

Evaluate due diligence and screening results, as well as consider utilizing questionnaires that allow for risk-ranking to enhance your understanding of customer profiles. Run screening and due diligence to establish a baseline score for your third party universe. Through this workflow process you can identify potential risk within your relationships. Again, create an escalation plan to mitigate the risk associated with your third parties.

4. Monitor, update, and maintain information.

Leverage technology solutions to facilitate the monitoring of changes in beneficial ownership, to evaluate in a timely fashion alerts and red flags that are identified, and to maintain an audit trail. Consider implementing a process for the regular refresh of records.

5. Streamline your process.

Partner with a vendor who can help scale your research efforts using a variety of tools, including desktop research tools as well as in-country document retrieval. Develop, implement, and validate a systematic process for data collection. In the event of a potential third party risk, have an established path for escalation and decision-making within your organization.

Whether you have a regulatory requirement to identify shareholders with a 25 percent or greater stake in your company, or an in-house rule to establish full details of the ownership structure of a third party, Kroll can help. Kroll’s Ultimate Beneficial Owner Identification provides information on the first three layers of ownership. As with all Kroll Compliance reports, however, we can expand and tailor the scope of this research to meet your organization’s specific needs.

Please do not hesitate to contact me for more information regarding ultimate beneficial ownership or any of your additional screening, due diligence, or compliance workflow needs.

John Arvanitis is an Associate Managing Director of Kroll based in New York City. He joined Kroll after a 27-year career with the U.S. Justice Department, Drug Enforcement Administration. He can be contacted here. Information on Kroll’s screening and due diligence solution can be found here.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Intelligence, Transactions and Due Diligence

When organizations worldwide need intelligence, insight and clarity to take decisive action, they rely on Kroll.