A Quarter-by-Quarter Timeline for Implementing FinCEN’s Customer Due Diligence Final Rule
In our last Compliance Advisor blog, we began our discussion regarding the tasks banks must complete as they prepare for the 2018 compliance deadline for the Financial Crimes Enforcement Network’s (FinCEN) Customer Due Diligence (CDD) Final Rule. The rule calls for greater transparency in legal entity ownership.
To help ease the burden, we presented a step-by-step list of actions your bank should complete by the end of 2016. Below is the remainder of our quarter-by-quarter timeline—through the deadline date of May 11, 2018—to help your institution build its plan of attack and ensure preparedness.
First through Third Quarter 2017
In 2017, turn your focus to updating your processes and procedures, because they will be tremendously important in reaching that compliant state. And while the rule is specific about beneficial ownership due diligence, it is far hazier about that fifth pillar. Unfortunately, institutions haven’t the luxury of being vague in their procedures. They must provide specific guidance to frontline staff on conducting this enhanced due diligence. Here are some items to think about as you make updates:
Beneficial Ownership Identification and Verification:
- Decide whether you will use FinCEN’s certification form. If so, remember that you can add to it, but not subtract from it. And if using your own form, it must capture the same data.
- Determine what additional information, if any, you want to collect beyond the certification form’s four data points, like noting the percentage of ownership for each beneficial owner.
- Identify who is allowed to open a legal entity account (i.e., an officer, owner or partner).
- Outline how all beneficial owner information should be collected, including how you will obtain social security numbers, which are not included on many forms of identification.
- Decide when beneficial owner information should be obtained. If within a set period after account opening, develop procedures for closing the account if it’s not collected within that time.
- Determine whether legal entity accounts can be opened via phone or online, and if so, identify procedures for collecting the identifying information and verification documentation.
- Understand who is exempt—and how—and explain that in your procedures. For instance, nonprofit corporations are exempt from the ownership prong but not the control prong.
- Determine what happens if a beneficial owner refuses to provide the required information.
Fifth Pillar: Understanding the Relationship and Developing the Risk Profile:
- Identify any other data you deem necessary for creating a risk profile. This might include verifying the entity’s legal status through the Secretary of State or its equivalent. State laws vary, so you must develop procedures for any states (or countries) in which you do business or from which you will accept customers. As part of this, remember that general partnerships are covered under the rule, but many states don’t require them to register as legal entities.
- Outline any additional questions to ask the beneficial owner(s) in order to form an adequate baseline for identifying unusual activity during ongoing suspicious activity monitoring. For example, an international wire transfer for a customer who has never indicated the need for one.
- Determine how to monitor legal entity customer relationships so that any subsequent changes to its beneficial ownership, control, mission or banking needs are appropriately accounted for.
Fourth Quarter 2017 through First Quarter 2018
This is the human resources stage, where employees and customers need to be educated about the enhanced due diligence. For employees, ensure their training identifies the rule’s full impact and their role in fulfilling your institution’s compliance. Customer education may be trickier, especially because legal entity customers are not accustomed to providing this type of information when opening an account. To help ensure they aren’t caught off guard, begin an information campaign ahead of the mandatory compliance date and equate the change to the consumer due diligence requirements that followed 9/11.
First Quarter 2018 through May 11, 2018
At the start of 2018, your institution should be ready to conduct final testing, which will allow enough time to make adjustments and fully implement prior to the mandatory compliance date.
Don’t Limit Your Understanding of This Rule—or Limit Your Legal Entity Accounts
I fear one of two things as a result of this rule: that either institutions will fail to adequately incorporate the fifth pillar portion of it, or conversely, they will choose to de-risk as a consequence of the fifth pillar. But limiting legal entity account openings for your existing or new customers is not the answer. In addition to thwarting your own growth, it could potentially hurt the overall business marketplace. Instead, ensure your understanding of this rule includes the fifth pillar, and then use the extended time given by FinCEN to determine how much risk you are willing to take and exactly how you will manage that risk.
Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprisewide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With nearly 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.