The global regulatory response to last April’s Panama Papers leak has disrupted customer due diligence (CDD) conventions for banks worldwide. With 2.6 terabytes of documents linked to Panamanian law firm Mossack Fonseca exposed to the public by the International Consortium of Investigative Journalists (ICIJ), the scandal represents the biggest leak in whistleblower history, according to Wired. The ICIJ documents reveal an intricate web of offshore corporate structures and shell companies, the majority of which are domiciled in the British Virgin Islands, Panama and the Bahamas. Overall, the leak identifies 210 thousand Mossack Fonseca-incorporated entities in 21 offshore jurisdictions.
Through the use of anonymous “bearer” shares and foreign intermediaries, some of these legal entities enabled tax evasion, corruption, stock market manipulation and money laundering. In fact, the documents revealed 33 people and companies blacklisted by the U.S. due to evidence of criminal involvement with Mexican drug cartels, Middle Eastern terrorist groups and rogue nations like North Korea and Iran. Fallout from the document-dump has accelerated the U.S. Financial Crimes Enforcement Network’s enactment of sweeping Bank Secrecy Act reforms on financial institutions.
After languishing in regulatory limbo for the last four years, FinCEN’s final rules were finally green-lighted on May 5th, 2016. The new measures aim to enhance CDD for banks, broker-dealers, mutual funds, futures commission merchants and commodities brokers. FinCEN’s final rules target the identification and verification the beneficial owners of legal entities, along with the adoption of risk-based procedures for CDD. These provisions signify a “fifth pillar” for anti-money-laundering programs. The ruling identifies two types of beneficial owners – those who satisfy an ownership threshold, where they directly or indirectly own 25 percent or more of the legal entity’s equity interests; and those who satisfy a control threshold, where the beneficial owner is an individual who has significant authority to control, manage, or direct the legal entity customer.
Although the new rules went into effect on July 11th, financial institutions have two years to achieve full compliance with CDD regulations. Nevertheless, the implementation of new CDD standards presents various challenges for institutions. But, organizations that become early adopters of the new rules may enjoy competitive advantages that mitigate reputational risks and drive revenue growth.
The primary obstacles to successful CDD implementation involve the following: evolving complexities of corporate and legal entity structures; disparities in data integrity; and asymmetric bank secrecy regimes in foreign jurisdictions. The latter creates incongruities, which can obstruct the collection of true beneficial ownership records.
To overcome these compliance hurdles, institutions must first be proactive and forecast modes for shell structure adaptation, with a close eye on suspicious geographies and exempted entities. Additionally, institutions must begin exploring automated regulatory technology, or regtech, solutions.
With the right strategy, financial institutions can mitigate the confusion, inefficiencies, costs and growing legal penalties imposed by regulators. The following overview will highlight best practices for the implementation of new CDD, BSA and international bank-compliance regulations. The key considerations for banks to comply with the new beneficial-ownership diligence regime entail the anticipation of CDD loophole exploitation schemes; the selection of suitable regtech assets; and the rigorous self-assessment and diagnosis of counterparty risks.
In today’s regulatory climate, “checkbox compliance,” or doing the bare minimum, is no longer a suitable response to legislative reform. The ingenuity of white-collar criminal conspiracies and transnational money laundering schemes ensure that adverse elements will always find weak points to exploit. Given the new regulatory landscape, banks need to perform self-diagnostics to see which of their unique legal entity customers expose them to newly articulated beneficial owner risks. Institutions should tailor their risk-scoring and monitoring mechanisms to reflect the geographies, lines of business, and ownership structures most likely to threaten their specific organizations and branches. In short, compliance officers must adopt a risk-based approach that addresses the unique challenges and conditions facing their organizations.
And while risk parameters now specify 25 percent equity ownership as the cut-off, suspicious activity reporting must adjust to account for reactive criminal BO smurfing schemes. In the same way smurfs aim to avoid detection by structuring bank transactions in sums that fall below the $10,000 currency-transaction-report limit, offshore launderers may restructure legal entities so that no stakeholder owns 25 percent or more of a shell company. New risk controls need to apply the same type of SAR mechanisms deployed in retail bank transactions towards the analysis of equity interests in offshore LLCs and other legal entity customers.
Lastly, financial institutions should also take the initiative to devise risk-monitoring controls that track unusual flows towards exempted entities. With the latest rules, banks have no obligation to collect beneficial ownership records for nonprofits, pooled investment vehicles, certain trusts and legal entities that are at the point of sale for the purchase of retail goods. Because they are not subject to new BSA reforms, financial criminals may find that these structures afford them more breathing room to operate under the radar.
According to ex-U.S. Customs Agent Robert Mazur, who worked undercover in several high-profile money-laundering stings in the 80s and 90s, one scheme that continues to be effective, despite FinCEN’s final rules, is a scenario where launderers structure accounts to look like European mutual funds. This tactic continues to work because mutual funds generally have highly diversified ownership profiles, where no single investor holds or comes close to holding 25 percent ownership in the pooled vehicle. As such, financial institutions must be aware of pooled investment schemes involving multitudinous nominee owners and straw men, used to obscure the true account beneficiary.
In 2016, new bank secrecy reforms are unenforceable without the right regtech solution. Every financial institution is different and has its own unique customers, vendor relationships, technology infrastructures and risk exposures. As such, a regtech asset that makes sense for one bank may be unsuitable for a different depository institution for a whole number of reasons. The only constant factors that every compliance executive must prioritize above all else are the vendor’s data quality and data integrity.
When evaluating new regtech vendor partnerships, compliance decision makers must ask themselves five key questions:
- Where is the vendor sourcing the data?
- Is the vendor data current & accurate?
- Is the solution dynamic, does it update in real-time?
- Is the technology intuitive or will I have to exhaust significant resources training staff?
- How easily does the solution integrate with all of my pre-existing and prospective workflow software and data feeds?
Additionally, in the same way institutions are starting to allocate enhanced due diligence resources towards the screening of vendor prospects, subsidiaries and other third parties, compliance officers must ensure that their regtech partners have no willful blind spots. Decision makers must satisfy themselves that their regtech providers, from risk-scoring and monitoring, to incident flagging and reporting and background screening, are leveraging all essential customer, jurisdictional, organizational and transactional data. For example, an institution facing heightened risks of Latin American drug-money laundering, cannot select an investigative solution with porous LatAm recordkeeping and law enforcement data.
Beyond the unanimous importance of data quality and data integrity, compliance decision makers can agree on the importance of investigative technology. The solutions of today offer law-enforcement-grade database search capabilities, with records that adjust in real-time. Optimal for the enhanced CDD regime, investigative regtech assets help mitigate and avoid risk, before adverse counterparties and legal entities metastasize into regulatory tumors. These compliance assets also possess multidimensional infographic features that generate rich visual displays, mapping suspicious business connections and activities, so compliance analysts can see the whole picture.
Just like Socrates’s old adage, “to know thyself is the beginning of wisdom,” the same principle can be applied to BSA and CDD compliance. Before financial institutions can properly implement FinCEN’s latest reforms they need to have a clear view of their strengths and weaknesses. Beyond reviewing existing legal entity clientele and offshore business customers, banks need to carefully assess their third- party vendor and subsidiary relationships.
With regulators holding banks more accountable for the transgressions of their affiliates, new CDD rules add another layer of complexity. As such, institutions must rigorously audit and review the legal entity customers, partnerships and jurisdictions that impact their subsidiaries, vendors and other third parties. This added layer of diligence is a necessary response to the regulatory shift initiated by a 2015 Department of Justice memo, titled “Individual Accountability for Corporate Wrongdoing.” Authored by Deputy Attorney General Sally Yates, the memo empowers prosecutors to seek criminal penalties against individual employees who break the law.
While banks typically have the advantage of standardized IT and data networks within their core infrastructures, subsidiary and vendor recordkeeping systems are often alien to the parent company. The inherent lack of transparency with 3rd party networks presents the most glaring risk exposure for financial institutions. The addition of a fifth pillar to AML compliance means that risk managers must now factor reformed beneficial ownership standards in their review of non-customer counterparties. This undertaking cannot be taken lightly. The reassessment of business counterparties may seem resource-intensive at the start, but in the long run, institutions will find that this precaution will be a less of a cost center and more of a revenue driver.
Bank Secrecy Moves Onshore
While FinCEN’s expedited passage of the new BSA rules is a direct response to murky offshore financial structures, the U.S. has quietly become one of the world’s most desirable tax havens, according to an Economist article from last February. Ranked in the same category as Hong Kong and Switzerland, the U.S. has shunned global information sharing initiatives like the Common Reporting Standard, stifling international efforts to identify the beneficial owners of legal entity depositors on American soil. The irony is that, per Foreign Account Tax Compliance Act rules, the U.S. forces foreign financial institutions to reveal the account details of their American customers or face punitive withholding taxes on U.S.-sourced payments.
According to a Financial Times article from May (paywall), U.S. states like South Dakota have become magnets for offshore wealth through permissive trust laws. Trusts are fiduciary arrangements that allow a third party, or trustee, to hold assets in the name of a beneficiary or beneficiaries, according to Fidelity. South Dakota’s secrecy-friendly state laws promote the registration of a financial vehicle that is still exempted from beneficial owner reporting under FinCEN’s new CDD rules. In this climate, South Dakota’s trust assets have grown from $32.8 billion to $226 billion, in the period between 2006 and 2014, according to the article. And with the Boston Consulting Group reporting in 2015 that offshore wealth will grow at a clip of six percent a year, behind only Hong Kong and Singapore, it’s no wonder sources quoted in the FT article are referring to America as the new Switzerland.
With this paradox in mind, financial institutions would be wise to scrutinize their trust business practices more closely. Although the financial incentives of gathering large deposits and assets are compelling for many bank account managers, the long-term benefits of compliance pose a better value proposition, both financially and legally. Still, for the implementation of fifth-pillar AML practices to succeed, institutions must find a way to financially reward their employees for integrity and the avoidance of adverse selection. When the benefits of doing the right thing are tangible and immediate, employees are less likely to cut corners down the road.
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.