A Quarter-by-Quarter Timeline for Implementing FinCEN’s CDD Final Rule
Arguments for greater transparency in legal entity ownership have been stacking up for some time. In 2014, the G20 issued its High-Level Principles on Beneficial Ownership Transparency, a pact amongst member countries to improve such transparency and recognize its importance in protecting the global financial system.
As part of that effort, the Financial Crimes Enforcement Network (FinCEN) recently took an official stand on the issue with its Customer Due Diligence (CDD) Final Rule, the culmination of four years of discussion between the agency and the industry. Despite its efforts to curb the rule’s burden, financial institutions must accept that they can’t stop this fast-moving train toward transparency in legal entity ownership; they can only get on board.
FinCEN Finally Takes Its Stand
FinCEN’s CDD Final Rule does for certain legal entity accounts what the USA PATRIOT Act’s implementation of a Customer Identification Program (CIP) did for consumer accounts. Institutions must now perform enhanced due diligence on any covered legal entity’s beneficial owner with 25 percent or more ownership (the ownership prong), as well as for one individual with significant control of the entity (the control prong).
Identifying and Verifying Beneficial Owners
When a new account for a covered legal entity is opened, financial institutions, including banks and credit unions, must collect the following information on up to five individuals: name, date of birth, address and social security number. FinCEN provides a certification form for collecting this data, and while the rule states that its use is not required as long as the necessary information is collected, using the form will likely yield the best results. One other difference between this and consumer due diligence—institutions can rely on copies of identifying documents rather than originals.
FinCEN says this requirement will close the current gap in our financial system, since failure to identify such owners “enables criminals, kleptocrats, and others looking to hide ill-gotten proceeds to access the financial system anonymously.” Business groups like The B Team, a nonprofit comprising global business leaders, argue that legal entity transparency will increase competitiveness while reducing risk.
Adding a Fifth Pillar to Anti-Money Laundering Programs
Speaking of risk, there is much more to this rule than beneficial ownership, despite the fact it has garnered most of the press. The CDD Final Rule also adds a fifth pillar to anti-money laundering (AML) programs: institutions are now explicitly required to understand the nature and purpose of customer relationships, including legal entity customers, to develop a customer risk profile for ongoing monitoring and reporting of suspicious activity. Although this hasn’t received much publicity, it’s likely the more burdensome rule aspect for institutions.
A Quarter-by-Quarter Timeline for Implementation
FinCEN provides two major dates for this rule: the effective date (July 11, 2016), when institutions should begin making progress to implement the rule, and the mandatory compliance date (May 11, 2018), when it must be fully incorporated. Think of it this way, an institution with a BSA exam between July 11, 2016 and May 11, 2018 needs to show a good-faith effort in reaching that compliant state.
Use the following timeline to help you develop your plan of attack and assure examiners and your board of your preparedness.
Now through Third Quarter 2016
First things first: assign someone to lead this effort, preferably who has BSA/AML compliance and project management experience, or a team of persons combining that knowledge. Next, understand exactly what you’re dealing with in terms of beneficial ownership and the fifth pillar, which means a thorough reading of the final rule. Then you can begin identifying affected areas and assigning a representative from each to sit on the project team. Think senior management, compliance, risk management, marketing, corporate communications and employee training.
Hold your first project team meeting by the end of this time period, and discuss how this rule differs from what your institution is doing now. A key task that should be assigned at this meeting is an inventory of your current legal entity customer database, in order to estimate the rule’s full impact on your institution. Remember, even though current accounts are grandfathered under this rule, any time an existing legal entity customer wants to open a new account, this due diligence will need to be performed.
Third through Fourth Quarter 2016
Here, identify the policies, processes and systems that will require changes. If you have a change management office, get this project and the anticipated changes on its radar as soon as you’ve identified them. In addition, if you use a third-party provider to handle your OFAC watch list screening, 314a requests, or CTR and SAR aggregation, connect with them to understand their timeline for incorporating any needed changes to systems or software.
Then it’s time to update policies. The BSA requires board approval of any policy updates, so shoot for having all rewrites ready for board approval before 2016’s end. At a minimum, address the following:
- BSA/AML Policy:
- Overview/Purpose: Specifically address the scope of the rule, including customer and account type exemptions, as well as the addition of the fifth pillar to your AML program.
- CIP: Explicitly define the risk-based approach your institution will use to conduct beneficial owner due diligence and identify the nature of that relationship.
- Suspicious Activity: Explain how your bank will compile its customer risk profiles and use them to identify and report suspicious activity.
- Recordkeeping: Ensure that identifying records are kept for five years after the account is closed, and verification records for five years after the record is made.
- OFAC Policy: Plan to run all identified beneficial owners through watch list screening, because even though opening an account for someone on a watch list is not an OFAC violation, it becomes one when they conduct their first transaction.
These steps will get you through to the end of 2016. For more information on the quarter-by-quarter timeline for compliance with FinCEN’s CDD final rule, read part two of this blog series.
Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprisewide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With nearly 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.