Weakest link in Fincen's AML rule? Bank customers
After a two-year implementation period, the Financial Crimes Enforcement Network’s customer due diligence rule goes into effect today.
The objective of the rule is to make it easier for law enforcement to follow illegitimate money trails — but the question is whether financial institutions are able to follow the rule’s myriad new requirements, which require significant levels of customer cooperation.
For legal entity customers, financial institutions now will have to identify and verify the identities of at least one control party as well as any individuals with a 25% or more ownership stake in a legal entity (so-called “ultimate beneficial owners”). Many banks had been identifying beneficial owners in practice for customers that are susceptible to being used for money laundering or terrorist financing, but there was no uniform method of doing it. In addition to identification of beneficial owners, banks also must develop customer risk profiles and keep close tabs on changes in customer ownership and control.
Yet the big hurdle for financial institutions will be getting customers to comply. Canadian banks have had a similar rule for some time, and there has been difficulty obtaining and verifying detailed personal information on parties who are not directly involved in establishing or using the banking relationship.
Under Fincen’s rule, personal information must be obtained on all parties identified as beneficial owners, including names, Social Security numbers, dates of birth and addresses. Problems are likely to surface when beneficial owners balk at providing this information to the employee opening the account. Collecting this type of information on non-U.S. citizens could be particularly tricky.
Financial institutions won’t be able to use traditional means of obtaining ownership information on customers, such as legitimate third-party or public databases. Similarly, in cases where existing customers open new accounts, banks can’t rely on previously gathered information, which, according to the final rulemaking, Fincen considers outdated and uncertified. Further, financial institutions will have to ask the employee of a legal entity to personally certify ownership information.
In addition to personal information, financial institutions must verify the identity of beneficial owners and control parties, which may be the most difficult hurdle of the rule. This means that banks must either see a piece of personal identification such as a driver’s license (or a copy) or confirm information against a consumer bureau. The latter may not viable because federal laws prohibit a consumer reporting agency from providing a consumer report unless it’s in connection with a business transaction initiated by the consumer. And this verification has to happen every time the customer opens a new account. Despite requests in public comments on the CDD rule that the verification requirement be eliminated entirely, Fincen held its ground, saying this provision “will reduce illicit actors’ opportunities to slip into the financial system by masking their legal entities with markers indicative of a low risk profile.”
But what happens when people who may not even know about the effort to establish the account don’t want to hand over copies of their driver’s license or passport, and they don’t want to come to the financial institution in person?
A Fincen “frequently asked questions” document also said financial institutions must have their legal entity customers certify the beneficial owners during a loan renewal or a certificate of deposit rollover. The certification can be limited to the first renewal as long as the product remains the same and the customer agrees to notify the financial institution of any change. Typically, auto-renewals are not considered a new account and are mechanized, making this a significant hurdle. Historically, know-your-customer standards had been more holistic, focused on the entirety of the business relationship with the customer versus obtaining a certification of ownership and verification of identities each time a new account is opened.
The stakes for financial institutions are high: If they don’t get their CDD program right, they could face citations from examiners or be prompted to close accounts for otherwise low-risk customers who disregard or are unable to provide the required information.
As this rule takes effect, banks had better get their CDD houses in order in a hurry — especially when it comes to educating customers on the new requirements.