Article

Preparing IT to address ultimate beneficial ownership/customer due diligence rules

The U.S. Treasury Department’s new rules requiring financial institutions to request information on any parties qualifying as ultimate beneficial owners (UBOs) will go into effect in May 2018. So a critical question for financial professionals today is whether your firm is fully prepared for what the new rules will require from you, in terms of information technology.

“One of the biggest challenges for banks is just getting the IT portion of this done, so that come May, they can roll it out and have their representatives at various locations start collecting this information,” says Brett Wolf, anti-money laundering analyst at Thomson Reuters Regulatory Intelligence.

Complying with the Customer Due Diligence (CDD) rule may require a bank to alter how it collects, organizes, and protects customer data. Financial institutions may need costly upgrades to current IT systems to be compliant. Further, it will require a level of cross-department coordination that many banks haven’t had before.

Ironically, some smaller banks could have fewer headaches in terms of IT compliance than medium-sized or large banks. “Smaller banks often tend to rely on outside vendors to supply their software,” says Rob Rowe, vice president and associate chief counsel, regulatory compliance, for the American Bankers Association. That puts some of the burden on vendors for making data collection and integration upgrades. By contrast, “some regional larger banks with in-house legacy systems are going to find their adjustments to be more challenging.”

Ultimate beneficial ownership rule

Financial institutions, starting next May, need to verify the identity of all beneficial owners with 25% or more equity interest in their legal entity clients. They may comply by obtaining required information on a standard certification form or “by any other means that comply with the substantive requirements of this obligation,” according to the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN).

New identification and verification procedures for beneficial owners will be similar to those now used for individual customers, “except that for beneficial owners, the institution may rely on copies of identity documents.” Financial institutions will have to keep records of all 
beneficial ownership information they obtain.

Preparing IT to address UBO rule

What do these obligations mean for an IT department? First, it will have to determine how to compile client data to meet the new obligations. If a bank has a standard form for new clients, it will have to be amended to get contact information for beneficial owners in addition to other connections, such as officers and directors or parties with power of attorney. If it’s currently a paper form, it may be wise for a bank to move to an electronic form – which is easier to incorporate into a central database and amend to address further changes in information requirements.

It’s possible a bank may have to completely rework its information collection procedures to meet new requirements. Wolf says that was one of the huge concerns when the rules were announced in 2016. “Many banks had already been collecting this information in one way or another, but now Treasury was forcing them into a common framework. They couldn’t necessarily use the systems they already had, so they’d have to come up with a more uniform system as prescribed by the regulations. Many had to go back to the drawing board.”

Along with altering data collection procedures, another critical point for a financial institution is how to access and verify data. Banks will need to conduct Office of Foreign Assets Control (OFAC) scans on all beneficial owners, run 314(a) scans, and do an array of other searches. This may require changes in a company’s matching and sorting software to handle the increased complexity. These searches will need to be run on all new accounts, across systems and business lines, looking for red flags like parties on the “Politically Exposed Persons” list or tagged in “adverse news” searches.

Coordination will be essential. As Rowe notes, many banks already collect UBO data from clients when creating new accounts. Yet this information is often kept in local databases, such as those of each bank branch. “The customer’s name could be in the system, but the actual beneficial ownership information could be in someone’s file, because previously there was no need to have it all in the system,” he says. “Now [financial institutions] have the challenge of incorporating all of it.”

This could require a new across-the-board policy for data entry and management, in which client representatives are trained in how to request and input data, with a step-by-step process through which the data is verified, processed, double-checked, and maintained. It means more communication between IT, sales, and regulatory compliance officials. Any ad hoc procedures will likely have to become codified, with various parties needing to sign off on all new accounts.

Data privacy risks

Then there’s the issue of database privacy. As financial institutions ask for confidential information from clients and beneficial owners, they’ll need to provide reassurance that the information will be protected, at a time when colossal hacks are a seemingly everyday occurrence (Equifax being the latest example). So a bank may need to heighten data encryption efforts or invest in greater physical protections for servers. For the latter, moving to a secure cloud-based platform could be a more cost-effective option than making substantial new investments in hardware.

With the clock ticking down for banks to comply with the new regulations, much will depend on how each institution’s IT department responds to the challenge.