Financial institutions are working to comply with new federal regulations on customer data collection, but many are frustrated about the opacity that remains as to how the guidelines will be implemented, with the deadline quickly approaching.
Starting in May 2018, complying with the Customer Due Diligence (CDD) rule will require a financial institution to change how it collects customer data. Yet as of October 2017, there’s still no updated regulatory guidance, such as a FAQ document, from Treasury’s Financial Crimes Enforcement Network (FinCEN) to enable financial institutions to know precisely what will be required of them for compliance.
This lingering ambiguity means there’s still potential for late-breaking changes in expectations, which could derail financial institutions’ compliance plans. For example, in late September, an official from the Federal Reserve Board of Governors surprised bankers at an anti-money laundering conference by suggesting they could need to dig more deeply into “high-risk” accounts.
The CDD rule entails financial institutions collecting information about the “ultimate beneficial owners” (UBOs) of their clients. The industry has generally assumed since the rule was issued 16 months ago that only the identities of those owning 25% or more of a legal entity will need to be verified and recorded.
However, Suzanne Williams, a senior official with the Federal Reserve Board of Governors, said bankers may be required to drill below 25% for “high-risk” customers. Further, banks that have historically collected at a 10% threshold can’t “roll back” requirements and slide to the rule’s 25% figure, she told attendees. Andrea Sharrin, a FinCEN policy official on the same panel, expressed agreement with Williams’ interpretation but declined further specifics.
“The point about to what degree you have to delve below 25% is a huge deal,” says Brett Wolf, anti-money-laundering analyst at Thomson Reuters Regulatory Intelligence. “To spring that on bankers at this point leaves them uncertain as to how to move forward in developing their programs.”
This is why the lack of regulatory clarity is frustrating to many bankers. “The regulators have promised more guidance and specifics,” he says. “All they’ll say is that it will come out before the implementation date, but obviously that doesn’t do financial institutions much good if it comes out a month before they’re supposed to be ready.”
Without more specificity beyond these conference remarks, some banks are still planning their compliance efforts with the original figure in mind. “We’ve decided 25 percent is where we’re going to go,” said Joe Soniat, AML Officer at Union Bank and Trust, during a panel at the Las Vegas event held by the Association of Certified AntiMoney Laundering Specialists (ACAMS), as per Thomson Reuters’ coverage of the event. Other bankers on the same panel agreed their firms would stick with 25% until they get definitive written guidance telling them that they have to go 10%.
What’s created the ambiguity is that in the preamble to the UBO rule, FinCEN seems to commit to 25% being the adequate figure. “The idea that FinCEN wasn’t taking risk into account when it was going through this lengthy preamble doesn’t quite make sense,” Wolf says.
Further, there’s potential for the rule to create a lack of uniformity in financial industry UBO reporting. Some banks that have faced regulatory enforcement actions in the past over Bank Secrecy Act lapses have already transitioned to 10% UBO collection as part of their remediation processes.
But if other banks are allowed to remain at 25%, there’s an obvious competitive imbalance. “If I were a corporate entity and I really didn’t want anyone digging into my business, I probably would go to the bank that would ask for less information,” Wolf says.
Other areas of compliance require more regulatory clarity. Exemptions, for example, remains a cloudy area. There’s also the question of what will qualify as a “trigger event” that will require a financial institution to identify UBOs at the 10% level. Currently, banks generally assume the new rule won’t apply to existing customer accounts, only new ones. But is that really the case? Will financial institutions have to make existing customers comply if these customers set off a “trigger”?
The issue is that regulators haven’t specified what such a trigger event could be—whether it’s an existing customer trying to open new accounts, or a client engaging in a financial transaction that doesn’t fit its past credit profile. Unsurprisingly, this is a challenge for marketing officials. Banks need to decide whether to send out notices to existing clients to tell them such information requests may be required. They want to spare their clients surprises, but that’s difficult when the banks themselves aren’t entirely sure. Some banks are hedging their bets—collecting information on UBOs down to 10%, but only documenting owners in their system at the 25% level.
Another unanswered question concerns the CDD rule’s Appendix A, which is essentially the template for how a financial institution should collect information from clients. According to FinCEN, financial institutions may comply by obtaining information on a standard certification form or “by any other means that comply with the substantive requirements of this obligation.” Some banks are using Appendix A outright in their compliance efforts, but others are having their legal departments rewrite it, “putting things into their own phraseologies,” Wolf says. “They’re hitting on the same points. But there’s some ambiguity as to what degree regulators will be happy with banks interpreting this questionnaire and making it their own. It might be wiser to use as is.”
Meanwhile, financial institutions wait for these unanswered questions to be cleared up before their compliance efforts move into high gear. Given past trends, however, the lack of clarity could persist well into the New Year.
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.