WIXLIB

White PaperANTI-MONEY LAUNDERINGIN THE POST-CDD RULE ERAH O W T H E N E W C U S TO M E R D U E D I L I G E N C E R U L E I M PAC T SA N T I - M O N E Y L AU N D E R I N G PR O G R A M S I N T H E Y E A R S TO CO M E riskCanvas 2019riskCanvas.com

Tens of thousands of hours of preparation have gone into the policies, procedures, and technologies needed to effectively respond tothe Financial Crimes Enforcement Network’s (FinCEN) Customer DueDiligence (CDD) Rule. Since the rule was announced in May 2016, everyanti-money laundering (AML) industry conference, peer working group,and compliance department planning meeting has focused extensivelyon CDD Rule preparations. Now that the rule is in effect as of May 2018,what comes next will require AML programs to have a solid plan to “operationalize” this data to improve overall compliance.

THE CDD RULE: E X AMINEDThe CDD Rule lays out for the first time the four “coreelements” of customer due diligence that FinCEN saysshould be requirements of all AML programs at institutionscovered by the rule, which include federally regulated banksand federally insured credit unions, mutual funds, brokers ordealers in securities, futures commission merchants, andintroducing brokers in commodities.Of the four elements, FinCEN notes that the first is alreadyan explicit AML program requirement, while the second isnew and the last two are both implicit requirements nowbeing made explicit. As a whole, the rule has two majorrequirements: collecting reliable information on customerswhile also using that customer information to evaluate riskand improve AML processes.These elements are: Customer identification and verification, which has longbeen a standard part of “know your customer”programs but will likely involve increased collection ofidentification documents and growing reliance on thirdparty data providers for verification services. Beneficial ownership identification and verification,which is an expansion over previous requirements. Thissomewhat controversial element significantly expandsdata collection and research needs of financial institutions with regard to legal entity customers. An understanding of the nature and purpose ofcustomer relationships to develop a customer riskprofile. This necessitates the development of a riskmatrix for use in evaluating customer risk that incorporates reliable customer data along with other financialactivity information. Monitoring and reporting suspicious activity and alsoupdating customer information on a risk basis. Thislongstanding requirement ties together the other threeelements by requiring that the first and second areupdated based on the results of the third.In order to maintain regulatory compliance and reduce negative customerimpacts, firms should consider ways inwhich they can automate manual duediligence processes and implement a CDDapproach that allows for increased agilityand responsiveness to change.-ACAMStoday.org““(Magazine for AML Professionals)1

WHAT TO DO WITH ALL THE DATA?GOING BEYOND COMPLIANCE BY UNDERSTANDING HOW TO LEVERAGE NEW DATA TO ENABLE AUTOMATION FORYOUR AML PROGRAMSo much time has been spent focusing on the “new” part ofthe CDD Rule—the beneficial ownership requirement tocollect previously uncollected information—that manyfinancial institution AML programs view the rule as a “newdata collection requirement.” While this is certainly true,collecting information is only half of the rule—and arguablynot the important half. The more pivotal part of the rule inthe eyes of FinCEN and other agencies is how that information is ultimately used.To FinCEN, having the correct information is not the goal ofAML, though proper record keeping does support lawenforcement investigations; the goal of AML is instead toproperly detect risky customers conducting suspiciousactivity. The information collection is only a means to anend—better information collection means better customerrisk profiles, which means better transaction monitoring andbetter suspicious activity reporting. The end result is ameans for better leads for law enforcement and regulators.All this is to say that while all covered financial institutionslikely have sophisticated (or at least, hopefully, passable)plans to comply with the data collection portion of the CDDRule as of May 2018, certainly fewer have a solid plan for“operationalizing” this data to improve AML compliance.Given its explicit inclusion in the rule, the most prominentuse is likely through some form of customer risk profiling.On one end of this spectrum is a simple methodology thatcompiles a risk profile manually using a small number ofdefined risk indicators, like account type, Politically ExposedPerson status, and previous Suspicious Activity Reportfilings. On the other end of the spectrum is an automatedcustomer risk scoring algorithm that accounts for dozens ofrisk indicators and dynamically updates with changes tocustomer information or behavior. The former is probablysufficient for now but the latter will likely become theexpectation of regulators as new data is collected—giventhe focus of the rule on information collection and updatingcustomer risk profiles based on changing behavior.Manual vs. AutomatedBeyond risk profiling, how else will covered financialinstitutions be expected to operationalize this new datacollection? Whereas a manual option, may allow a financialinstitution to establish basic compliance, truly “operationalizing” the full force of the CDD Rule is unlikely to be donewithout the proper tools and technology designed toenhance automation. At a basic level, leveraging the righttools and technology will provide the capacity to ingestavailable data in a timely manner more so than with amanual approach. If more cutting-edge options, such as BigData technologies, are also applied, this data ingestion canalso be done even more quickly and efficiently as therewould not be a requirement to structure the data before it’singested.More important than establishing a more complete andmore easily ingested data set, automation also allows forthe ability to conduct value-added analysis. For example,the data set could be enriched with risk ratings based oncustomer profiles that could be used to striate and tunetransaction monitoring sensitivities. Taken a step further, byusing advanced analytics and/or machine learning, transaction monitoring alerts could then be prioritized to focuslimited human analytical resources on the most-risky alertsfirst. This way, an economy of effort is achieved and operational effectiveness is enhanced.THE NE W “FIF TH” PILL AR OF THE BANK SECREC Y AC T (BSA)INTERNALDESIGNATEDINDEPENDENTBSA /AMLCONTROL SBSA OFFICERTES TINGTR AINING2RISK- BA SEDCDDPRO CEDURES

“ M A K I N G A N O N Y M O U S C O M PA N I E SA R E L I C O F T H E PA S T W I L L H E L PC R E AT E A G L O B A L F I N A N C I A LS Y S T E M T H AT ’ S T R A N S PA R E N T A N DA C C O U N TA B L E A N D T H AT W O R K SF O R E V E R Y O N E .”- T H E F I N A N C I A L T R A N S PA R E N C Y C O A L I T I O N3

NEW DATA - NEW EXPECTATIONSUNDERSTANDING THE NEW EXPECTATIONS FROM YOUR AML PROGRAMS IN THE COMING YEARSBeyond “operationalizing” data, what other post-CDDexpectations will be placed on covered financialinstitutions?The most likely impact will be increased law enforcementrequests for beneficial ownership information of legalentities. FinCEN and other agencies are essentially using theCDD Rule as a back-door way to improve transparency ofbusiness ownership without having to battle legislativelywith states like Delaware and Nevada that benefit fromcorporate opacity.While other data sources will likely catch up in time after theCDD Rule goes into effect, for a period, covered financialinstitutions will likely be the best source of beneficialownership information for law enforcement. This will meanmore subpoenas and other requests simply to gather legalentity information. The ability to quickly and accuratelyconsolidate data to respond to these requests will be afurther impediment to a long-term manual solution tomaintain compliance.Another AML responsibility quickly impacted by increasedbeneficial ownership information will be sanctionsscreening. New ownership information will not only meanadditional parties to screen but also the possibility ofpreviously unknown ownership stakes by sanctionedparties. While minority ownership stakes by sanctionedentities do not necessarily make a business sanctioned, theOffice of Foreign Assets Control’s (OFAC) 50 percent ruledoes state that a legal entity that is owned 50 percent ormore by one or more sanctioned entities is itself sanctioned,even if the legal entity is not explicitly on the SpeciallyDesignated Nationals and Blocked Persons list. Further,OFAC has recommended that financial institutions considerthe potential sanctions risk of entities that are controlled byspecialty designated nationals that only hold a minoritystake—adding yet another level of nuance to the responsibilities of sanctions screening programs. So far, enforcementof the 50 percent rule has been very limited, but increasedawareness of beneficial ownership stakes will likely exposeadditional avenues for sanctions enforcement violations.The enhanced clarity around beneficial ownership willrequire AML programs to potentially revisit their policiesand risk assessments, as well as potentially tune theirscreening rules.Finally, clarity on beneficial ownership may increase thefocus on tax evasion, and bring about more successfulprosecution, by more clearly linking owners to assets andtherefore tax responsibilities etc. The CDD Rule provides acritical data point, owner identity, to enable U.S. efforts toincrease financial transparency and combat financial crimessuch as money laundering and tax evasion. The CDD Rulewill provide additional force to many international agreements with a greater ability to identify absconders early on,presumably reducing the time, cost, and resources required.In this regard, the CDD Rule’s timing is impeccable considering the U.K. recently announced it would also requireenhanced beneficial ownership reporting in its overseasterritories, such as the Cayman Islands and British VirginIslands. The ability to have a robust, single view of thecustomer—one that enriches transaction monitoring andscreening systems with customer profile data, transactionand external data such as negative news, will become moreimportant than ever.CONCLUSIONThe U.S. is entering a new phase of AML compliance now that the CDD Rule has gone into effect as ofMay 2018, with new expectations from regulators and law enforcement. Two years have been spentpreparing to comply with the rule and its specific elements; however, far less time has been spent identifying what comes next now that FinCEN has defined these four core elements of AML compliance. With avast amount of new data coming in and the complexity of the requirements, technology will be key forboth managing data and responding to it effectively and efficiently.4