The continuing global regulatory focus on anti-money laundering (AML) and countering the financing of terrorism (CFT) has led governments to strengthen regulatory regimes around the world. In the European Union (EU), the Fourth Anti-Money Laundering Directive 2015/849/EU (4th AMLD) — the UK implementation of which came into effect in June 2017 — has brought about a number of changes to the way firms and regulators deal with AML/CFT issues. In the United States, the Financial Crimes Enforcement Network’s (FinCEN’s) new Customer Due Diligence Requirements for Financial Institutions Rule (CDD Rule) effective July 11, 2016, became applicable on May 11, 2018. The CDD Rule will require firms to look again at their approach to customer due diligence and has the potential to lead to increased regulatory scrutiny in this area.
Navigant Consulting, Inc. compares the key parts of the 4th AMLD and the CDD Rule; discusses their impact on financial institutions subject to both sets of requirements; and offers recommendations to align with regulatory expectations.
EU 4th AMLD
All EU member states were required to implement the 4th AMLD (which replaced the previous Third Directive) by June 26, 2017. The purpose of the Directive is to remove ambiguities in the previous legislation, and improve consistency of AML and CFT rules across all EU member states. The primary areas of change relate to:
- Beneficial ownership
- Customer due diligence
- The risk-based approach
- Ongoing monitoring
- Politically exposed persons
- Third-party equivalence
FinCEN CDD Rule
On May 11, 2016, FinCEN issued its long-awaited final rule on customer due diligence and beneficial ownership information requirements. To allow financial institutions sufficient time to incorporate any necessary changes, the compliance date was set for May 11, 2018, two years from the issuance of the final rule.
FinCEN issued the CDD Rule to clarify and strengthen CDD requirements for covered financial institutions.1 The CDD Rule has two parts. First, the rule requires the financial institution to collect beneficial ownership and control person information on its customers, subject to some exclusions and exemptions. Second, the CDD Rule amended the AML program requirements, adding to the existing four pillars a new fifth pillar requiring financial institutions to design risk-based procedures for conducting ongoing customer due diligence. The procedures must include developing a customer risk profile, and using that profile to conduct ongoing monitoring to update and maintain customer information, as well as identify and report suspicious activity. While a significant part of the new rule is framed by FinCEN as a clarification of existing regulatory expectations rather than new requirements, the key changes relate to:
- Beneficial ownership
- Creating and maintaining a customer risk profile
Implications for Financial Institutions
There are a number of implications for financial institutions subject to both regulatory regimes, including:
- An increase in de-risking. Under the 4th AMLD, there is potential to increase de-risking practices of existing customers that fall outside the risk appetite of the financial institution based on beneficial ownership information held in public registers. The CDD Rule may also lead some financial institutions to terminate relationships with certain customers whose information is not easily obtainable, or from which the financial institution cannot obtain the required certification of beneficial ownership, regardless of whether the customer falls within the financial institution’s risk appetite. Financial institutions subject to both regimes will need to clearly articulate the processes for rejecting and exiting customers in their CDD procedures.
- New processes and procedures for beneficial owners. As a result of the 4th AMLD, obliged entities must have auditable processes and procedures that can identify and verify beneficial owners or those with ultimate control, and ensure that their information on beneficial ownership is accurate and up-to-date. As a result, firms must also review customer risk rating and transaction monitoring based on beneficial ownership information held in public registers.
The CDD Rule standardizes the approach for collecting beneficial ownership information on legal entity customers at account opening, and requires updating that information if, in the course of normal monitoring, the financial institution determines that information may have changed. With respect to products and services that automatically roll over or renew creating a new account such as CDs or loan renewals, financial institutions should use the 90-day period granted by FinCEN Administrative Ruling FIN-2018-R002 to review and update their existing processes in order to flag those accounts as requiring certification to be collected, and request at the time of certification that legal entity customers agree to notify the financial institution of any change in such information. In this way, they avoid being noncompliant with beneficial ownership requirements for legal entity customers after the 90-day limited exceptive relief expires on Aug. 9, 2018.
The CDD Rule is prescriptive on which customers require collection of beneficial ownership information. For example, importantly for entities operating in both regimes, legal entities publicly traded on non-U.S. exchanges are not categorically excluded from the beneficial ownership requirements. Covered institutions should review controls to ensure that the beneficial ownership information collected is used, for example, to inform ongoing monitoring investigations, or to avoid opening or maintaining an account involving individuals or entities subject to Office of Foreign Asset Control-administered sanctions.
- Updates to customer information using a risk-based approach. The 4th AMLD requires obliged entities to consider various risk factors (e.g., ownership, location of customer) before applying simplified due diligence (SDD) and EDD. Current AML/CTF processes and procedures must be reviewed to identify updates required to SDD/EDD, and systems and controls assessed to ensure that firms can apply SDD/EDD. Covered institutions under the CDD Rule will need to review and identify the trigger events that will require the firm to update customer information in the risk profile, including instances in which a new certification of beneficial ownership and control person information must be obtained. In addition, financial institutions may need to review and update identification and verification processes and procedures, systems, and controls to ensure that the rationale for the risk score assigned to customers incorporates information known about the beneficial owners.
- Updates to training programs to ensure consistent application of new regulatory requirements. Covered institutions should also update training programs for first and second line of defense to ensure consistent understanding of beneficial ownership and CDD requirements under the 4th AMLD and the CDD Rule.
The extent to which a financial institution operating on both sides of the Atlantic will be impacted by the two regulatory frameworks will to a large extent depend on the institution’s size, inherent risks, and customer base. Financial institutions should consider:
- Performing a holistic review of the demands of the 4th AMLD and the CDD Rule versus current practices to evaluate the extent of change required across the organization to comply with regulatory obligations.
- Communicating the areas of similarity and difference between the 4th AMLD and the CDD Rule, and considering the extent to which to review policies and procedures to meet regulatory demands (including whether there is a need to work to the higher of the two standards).
- Assessing systems and controls changes to ensure that updates required as a result of both regulatory frameworks are implemented in a coordinated manner and improve the organizations’ operational efficiency.
- Assessing the impact of updating customer information in one jurisdiction on the rules in other jurisdictions. For example, new information revealed as a result of a periodic refresh in Europe following the 4th AMLD may itself be a trigger event under the CDD Rule. Therefore, firms should consider whether they need new systems, controls, or processes to ensure compliance with both regulatory frameworks.
1. On Nov. 21, 2017, FINRA issued Regulatory Notice 17-40: FinCEN’s Customer Due Diligence Requirements for Financial Institutions and FINRA Rule 3310.