Review: FFIEC Issues New Customer Due Diligence and Beneficial Ownership Requirements

On May 11, 2018, the FFIEC issued a press release in connection with the final rule on “Customer Due Diligence Requirements for Financial Institutions,” issued by the Financial Crimes Enforcement Network (FinCEN) on May 11, 2016. This press release clarifies, as well as adds to, previous policies and examination procedures associated with the “Customer Due Diligence – Overview and Examination Procedures” section of the FFIEC’s Bank Secrecy Act/Anti-Money Laundering Examination Manual. This release not only clarifies Customer Due Diligence but also includes a new requirement for institutions to “identify and verify the identity of beneficial owners of certain legal entity customers.” Ultimately, these new procedures will require legal entity customers who wish to gain access to institutions to disclose identifying information, which can include the name, date of birth, and Social Security number of the natural person who wishes to be added as the beneficiary. These new policies and procedures are being enacted in an attempt to make entities more transparent, which in turn will hopefully make them less attractive to criminals as well as those who assist them. According to the new guidance, “Legal entities, whether domestic or foreign, can be used to facilitate money laundering and other crimes because their true ownership can be concealed.” Financial institutions are expected to comply with these new procedures, policies, and rules starting on May 11, 2018.


 

Customer Due Diligence Clarification and Procedures

Customer Due Diligence is a process that financial institutions use to rank customers based on risk. The guidance states, “As a result, due diligence policies, procedures, and processes should define both when and what additional customer information will be collected based on the customer risk profile and the specific risks posed.” Procedures established by the institution should include criteria for when, how, and by whom customer relationships and risk profiles will be reviewed. These procedures should also include updating customer information and reassessing the customer’s risk profile in the future.


Updating customer information is event-driven and will occur during normal monitoring procedures. If during customer monitoring, the institution becomes aware that material information including, but not limited to, Beneficial Ownership has changed, the institution should update the customer information accordingly. Furthermore, if the customer information is material and relevant to assessing the risk of a customer relationship, the institution should reassess the customer risk profile and/or rating.


By performing proper Customer Due Diligence in conjunction with appropriate risk-based rankings of customers, financial institutions can expect to reduce risk within their organization. For example, with proper rankings, financial institutions can identify higher risk profiles, which can help them determine how much more money laundering or terrorist financing risk they face.


 

Beneficial Ownership Rule

Under the FFIEC regulatory requirement, regardless of the customer’s risk profile, institutions are required to collect Beneficial Ownership information at the 25 percent ownership threshold.


To obtain identifying information for the beneficial owner(s) of legal entity customers, institutions may obtain the information through a certification form from the individual opening the account on behalf of the legal entity customer. A template form can be found on page four of the following link: https://www.fincen.gov/sites/default/files/federal_register_notices/2017-09-29/CDD_Technical_Amendement_17-20777.pdf.


At a minimum, financial institutions must obtain the following identifying information for each beneficial owner of a legal entity customer:

  • Name
  • Date of birth
  • Address
  • Identification Number


According to the FFIEC, an institution “may rely on the information supplied by the individual opening the account on behalf of the legal entity customer regarding the identity of its beneficial owner(s), provided that it has no knowledge of facts that would reasonably call into question the reliability of such information.” The FFIEC also permits an institution to rely on pre-existing Beneficial Ownership records it maintains for that customer if a legal entity customer opens multiple accounts. This method is only applicable if the institution confirms (verbally or in writing) that the information in question is accurate and up-to-date at the time each account is opened.


However, if institution employees “suspect, or have reason to suspect that equity holders are attempting to avoid the reporting threshold, the institution may, depending on the circumstances, be required to file a SAR.” Verification procedures must contain the elements required for verifying the identity of customers. Guidance on documentary and non-documentary verification methods may be found in the core overview section “Customer Identification Program,” of the FFIEC BSA/AML Examination Manual.


 

Understanding Beneficial Ownership

Legal entities can assign beneficial owners who can act on behalf of the entity holder and have the responsibility to control, manage, or direct the entity. Beneficial Ownership under the FFIEC is determined under both a control prong and an ownership prong.


According to the FFIEC, “The control prong is where a beneficial owner is a single individual with significant responsibility to control, manage, or direct a legal entity customer.” The control prong will typically include an executive officer, senior manager, or anyone else who performs similar functions. In a control prong, one beneficiary must be identified for each legal entity.


Regarding the ownership prong, the FFIEC states “a beneficial owner is each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of a legal entity customer.” If no individual owns 25 percent or more of a legal entity customer, identification of the beneficial owner is not required.


Under the control prong and ownership prong, all legal entity customers can have a total of between one and five beneficial owner(s). The control prong would include one beneficial owner, and under the ownership prong, an entity could have zero to four individuals.


Regarding a trust owned directly or indirectly, whether through contract, arrangement, understanding, relationship or otherwise, if 25 percent or more of the equity interest is associated with a legal entity customer, the beneficial owner would be the trustee. Exclusions to this law can be found in Appendix 1 of the Beneficial Ownership Requirements for Legal Entity Customers.


 

SBS Recommendation

SBS recommends that institutions develop and maintain policies and procedures that address both Customer Due Diligence and Beneficial Ownership requirements in compliance with the FFIEC’s and FinCEN’s requirements. This policy should be inserted between the CIP and EDD BSA Policy. Furthermore, institutions should provide a customer form at the opening of an account (either manually or in electronic format) that will aid in performing Beneficial Ownership verification. Lastly, procedures within both the Customer Due Diligence and Beneficial Ownership policy should ensure that a change such as an increase in a customer’s risk rating, or another major event, triggers a reporting process in which the institution gathers information on the customer in question. By performing proper risk ratings on customers, institutions are able to make decisions based on risk level, which in turn allows the institution to become more efficient and less risky.


Written by: Ronald Tortorello and Patrick Brown
SBS CyberSecurity, LLC



Posted: Tuesday, July 24, 2018