New Beneficial Ownership Regulation Is Not the Entire Message
Ken Golliher
Changes to the Bank Secrecy Act(BSA) regulation require all banks to revise their BSA programs on or before May 11, 2018. Board involvement is necessary as compliance necessitates amendment of the mandatory board adopted BSA/AML policy.
The new regulation adds another column to what has traditionally been called the “pillars” of BSA compliance. Taken from agency regulations that took effect in April, 1987 the four pillars are:
- internal controls
- independent testing
- individual responsible for compliance and
- training
The fifth pillar is “due diligence.” Generally, due diligence is about gathering information that allows a bank to predict customer activity; i.e. create a “crystal ball” wherein the bank can see what type of activities are expected. However, “due diligence” is not just building the crystal ball, it is about looking at the actual activity that occurs after the account is opened and comparing it to the expected activity. The message is: Banks are required to look for suspicious activity, but a bank cannot possibly tell what is suspicious unless it has firm knowledge of what is normal.
The regulation is specifically focused on customers that have a higher risk of being involved in money laundering.
Banks in the U.S. have made due diligence part of their BSA/AML culture for decades. The new regulation is prompted by U.S. interests in compliance with international standards promulgated by the Financial Action Task Force (FATF). FATF Recommendation #10 is that due diligence should be a legal requirement, not just a “best practice” or regulatory expectation. So, due diligence is now a legal requirement just like having a customer identification program is a legal requirement.
Part of the due diligence process is a specific requirement to identify “beneficial owners” of legal entity customers; e.g. corporations, partnerships, LLC’s, etc. When a legal entity customer opens a new account, the bank is required to identify all individuals owning 25% or more, as well as one person who has significant management or control responsibility for the legal entity. Then, the bank is to verify each of those individual’s identity using what will probably be less stringent methods than it uses for its actual customers.
While it’s the beneficial ownership portion of the regulation that is drawing the most questions, compliance with that requirement is relatively easy and objective. It is the gathering of information and the monitoring of activity that involves the more subjective elements.