FinCEN: Know Your Customer Requirements

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Sean Joyce, Joseph Nocera, Jeff Lavine, Didier Lavion, and Armen Meyer.

In recent years, authorities in the US and abroad have increased their focus on modernizing and enforcing anti-money laundering and terrorism financing (AML) regulations. As part of these efforts, the US’s Financial Crimes Enforcement Network (FinCEN) proposed Know Your Customer (KYC) requirements in 2014, which we expect to be finalized this year. [1]

FinCEN’s KYC requirements were proposed as part of a broader regulation setting out the core elements of a customer due diligence program. [2] Taken together, these elements are intended to help financial institutions avoid illicit transactions by improving their view of their clients’ identities and business relationships.

Importantly, the proposed requirements establish only a baseline for performing customer due diligence, which should be supplemented by the institution’s own assessment of each client’s risk profile. [3] While the proposal clearly outlines its baseline requirements, criteria for internal customer risk assessments are largely left open to interpretation. This lack of clarity has caused some confusion within the industry, especially with respect to identifying “beneficial owners” of customers that are legal entities (i.e., identifying people who own a large portion of the legal entity customer) because the ownership threshold that triggers the proposed KYC requirements is determined in part based on the institution’s internal customer risk assessment.

Performing internal AML risk assessments and collecting the required customer information will no doubt be operationally challenging. While institutions can rely on third parties to provide needed information in certain cases, the ultimate compliance responsibility rests with the financial institutions themselves.

Given the consequences of non-compliance (evidenced by unprecedented AML-related penalties levied against the industry in the past few years), institutions should begin their implementation efforts as soon as possible, based on the proposed requirements and industry best practices. This is particularly important for global institutions that are subject to similar requirements in other jurisdictions (e.g., the EU’s AML Directive IV) [4] that will need to reconcile regulatory differences across jurisdictions, and for institutions that are currently undertaking remediation in response to regulatory scrutiny.

This post provides our view of (a) the risk-based approach to establishing beneficial ownership thresholds, (b) factors to consider when relying on customer information provided by third parties, and (c) what institutions should be doing now.

Risk-based approach for establishing ownership

As part of an effective customer due diligence program, FinCEN’s proposal requires that financial institutions verify the identity of the beneficial owner of a customer that is a legal entity. The proposal’s baseline definition of beneficial owner is a person who has at least a 25% equity interest in the legal entity. [5] However, financial institutions should lower this threshold for customers with high levels of AML risk. Although the proposal does not prescribe a specific ownership threshold for these customers, our observations of industry best practices and regulatory expectations indicate that a 10% threshold is generally appropriate. [6]

While FinCEN’s proposal does not specify risk factors that must be considered in assessing a customer-entity’s AML risk, we believe financial institutions should at a minimum consider the following questions:

  • How complex is the customer’s ownership structure?
  • Is the customer operating in a heavily regulated industry?
  • Is the customer’s home jurisdiction (or any of its neighboring jurisdictions) subject to sanctions, or home to terrorist organizations?
  • Does the customer’s home jurisdiction lack effective AML regulations or have high levels of corruption?
  • To what extent is the customer’s business cash-based?
  • Has the customer taken any measures to mask the identity of its shareholders (e.g., via nominee shareholders or bearer shares)? [7]
  • Is the institution’s relationship with the customer face-to-face?

This risk-based process to establish an institution’s thresholds will be resource intensive and challenging, especially for institutions that need to build the required policies and procedures from the ground up. Furthermore, implementing this process will inevitably lead to lowered ownership thresholds for some customers, necessitating the collection and verification of additional ownership information.

Therefore, institutions must plan ahead to redirect sufficient resources to functions that are most impacted by these efforts. These include the compliance function that devises and governs the needed policies and procedures, the first line of defense functions that carry out the assessments, and business lines that collect additional customer ownership information.

The silver lining: Reliance on third parties

Recognizing the challenges associated with collecting and verifying customer ownership information, US regulators allow financial institutions to somewhat rely on customer information provided by specified third parties. Among other benefits, this reliance expedites the customer onboarding process and improves the customer experience.

Using third parties, however, does not reduce the amount of customer information that needs to be collected, which remains the same regardless of whether it is obtained directly by an institution or via third parties. Furthermore, reliance on third parties is not always appropriate or permitted.

First, institutions should ensure that the third party itself has the appropriate risk controls and governance in place. To do so, institutions are required to receive annual AML and customer identification program (CIP) certifications from third parties.

Second, the decision to rely on third parties should be made based on the institution’s risk appetite [8] and its own assessment of customer risk. For example, with respect to certain high risk customers, an institution may decide to only rely on information provided by other regulated financial institutions, or not to rely on third parties at all.

Although our market surveys indicate that reliance is permitted in all major jurisdictions, [9] jurisdictional differences exist. Therefore, institutions with a global footprint should consider relevant regulatory requirements in each of their operating jurisdictions before relying on third party information.

In the US, for example, FinCEN does not allow blanket reliance on the information provided by a third party. Instead, an institution must obtain a certification form that is signed and dated by the third party which explicitly identifies all layers of the customer’s beneficial ownership up to and including the ultimate beneficial owner and one “controller.” [10] Further jurisdictional differences exist with respect to the type of third party institution that may provide the information (e.g., regulated versus unregulated). Additionally, privacy laws may prevent or limit sharing of certain customer information with entities that are outside of a jurisdiction.

What should institutions be doing now?

Financial institutions should act now in order to have the required policies, procedures, and practices in place. Institutions that operate globally have a particularly long road ahead, as they need to account for jurisdictional variances in KYC requirements. Our observations indicate that efforts are well underway at most of these institutions, but much remains to be done, especially with respect to consolidating compliance efforts across borders to the extent possible.

Furthermore, we recommend that institutions go beyond the minimum industry standards in order to be sure they are meeting regulatory expectations. For example, while current industry standards in the US require that ultimate beneficial owners be identified by name and ownership percentage, we recommend that institutions collect other biographical information including date of birth, address, and identification number.

Finally, institutions that are currently undertaking remediation efforts should not wait for the finalization of FinCEN’s KYC requirements before implementing them. A proactive approach to compliance will send a positive message to regulators that these institutions are prioritizing their AML risk management, which will improve the institution’s regulatory standing.

Endnotes:

[1] See FinCEN’s Notice of Proposed Rulemaking, Customer Due Diligence Requirements for Financial Institutions (August 2014).
(go back)

[2] These four elements are: (a) identifying and verifying the identity of customers, (b) identifying and verifying the identity of “beneficial owners” of customers that are legal entities, (c) understanding the nature and purpose of customer relationships, and (d) conducting ongoing monitoring to maintain and update customer information and identify suspicious transactions.
(go back)

[3] This risk-based approach is generally consistent with the guidance of regulators in other major jurisdictions, including the EU. See PwC’s Regulatory brief, AML global alignment: Two steps forward, one step back (June 2015).
(go back)

[4] See Regulatory brief in prior note.
(go back)

[5] Besides this equity threshold, beneficial ownership can also be established by significant ability to control, manage, or direct the legal entity.
(go back)

[6] Risks associated with certain customer entities (e.g., special purpose vehicles) and relationships (e.g., foreign correspondent banking) may warrant a lower 5% threshold.
(go back)

[7] A nominee shareholder is a third party that is registered to hold shares of an entity which it does not own, in order to keep the identity of the actual owner private. Similarly, bearer shares do not reveal the identity of the owner, and are considered “owned” by any person who is in physical possession of the stock certificates.
(go back)

[8] The institution’s risk appetite in this context is usually determined based on operational footprint, products and services, customer base, account types, and regulatory obligation.
(go back)

[9] Our study of 33 jurisdictions across the Americas, EMEA, and Asia Pacific indicated that all of these jurisdictions permit a form of reliance on customer information provided by third parties, and a majority have issued detailed guidance on the topic.
(go back)

[10] See note 5.
(go back)

Both comments and trackbacks are currently closed.