Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FATF updates standards to prevent misuse of virtual assets; reviews progress on jurisdictions with AML/CFT deficiencies
On October 19, the Financial Action Task Force (FATF) issued a statement urging all countries to take measures to prevent virtual assets and cryptocurrencies from being used to finance crime and terrorism. FATF updated The FATF Recommendations to add new definitions for “virtual assets” and “virtual asset service providers” and to clarify how the recommendations apply to financial activities involving virtual assets and cryptocurrencies. FATF also stated that virtual asset service providers are subject to Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) regulations, which require conducting customer due diligence, such as ongoing monitoring, record-keeping, and suspicious transaction reporting, and commented that virtual asset service providers should be licensed or registered and will be subject to compliance monitoring. However, FATF noted that its recommendations “require monitoring or supervision only for purposes of AML/CFT, and do not imply that virtual asset service providers are (or should be) subject to stability or consumer/investor protection safeguards.”
The same day, FATF announced that several countries made “high-level political commitment[s]” to address AML/CFT strategic deficiencies through action plans developed to strengthen compliance with FATF standards. These jurisdictions are the Bahamas, Botswana, Ethiopia, Ghana, Pakistan, Serbia, Sri Lanka, Syria, Trinidad and Tobago, Tunisia, and Yemen. FATF also issued a public statement calling for continued counter-measures against the Democratic People's Republic of Korea due to significant AML/CFT deficiencies and the threats posed to the integrity of the international financial system, and enhanced due diligence measures with respect to Iran. However, FATF will continue its suspension of counter-measures due to Iran’s political commitment to address its strategic AML/CFT deficiencies.
On August 28, the OCC issued Bulletin 2018-25, which provides guidance regarding the role of informal or implied expressions of support from foreign governments (implied sovereign support) in determining a borrower’s obligor and facility credit risk ratings. The Bulletin expands on Appendix E of the “Rating Credit Risk” booklet of the Comptroller’s Handbook and encourages banks to analyze, among other things, the sovereign’s legal and financial obligations and the relationship between the obligor and the sovereign. The OCC notes that the obligor’s importance to the sovereign’s local economy does not necessarily demonstrate “willingness to provide an obligor with financial support.” Additionally, the Bulletin provides guidance regarding bank policies regarding the use and application of implied sovereign support to determine a final regulatory risk rating. The OCC states that a sound policy would incorporate the following three elements: (i) defined criteria on how a risk rating may be changed for an obligor due to recognition of implied sovereign support; (ii) methods for determining whether implied sovereign support will be considered in the risk rating decision, including periodic reevaluations of the assessment; and (iii) appropriate documentation standards, including a tracking process that promotes “consistent and appropriate” application of the defined criteria.
FinCEN issues extension to continue suspension of beneficial ownership requirements for automatic renewal products
On August 8, the Financial Crimes Enforcement Network (FinCEN) issued a notice to provide an additional 30 days of limited exceptive relief for covered financial institutions that are required to obtain and verify the identity of beneficial owners of legal entity customers with respect to certificate of deposit rollovers and loans that renew automatically. As previously covered in InfoBytes, the extension—which was set to expire August 9 and applies to qualified products and services that were established before the Beneficial Ownership Rule’s May 11 compliance date—will now continue until September 8. FinCEN noted it will continue to evaluate the requirement to determine whether additional relief is needed.
Find continuing InfoBytes coverage on beneficial ownership and customer due diligence requirements here.
On May 3, FINRA issued a Regulatory Notice 18-19 amending Rule 3310—Anti-Money Laundering (AML) Compliance Program rule—to reflect the Financial Crimes Enforcement Network’s final rule concerning customer due diligence requirements for covered financial institutions (CDD rule), which becomes applicable on May 11. According to Regulatory Notice 18-19, member firms should ensure that their AML programs are updated to include, among other things, appropriate risk-based procedures for conducting ongoing customer due diligence including (i) “understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile,” and (ii) “conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.” The announcement also makes reference to FINRA’s Regulatory Notice 17-40, issued last November, which provides additional guidance for member firms complying with the CDD rule. (See previous InfoBytes coverage here.). The notice further states that the “provisions are not new and merely codify existing expectations for firms.”
On April 27, the House Financial Services Committee’s Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Implementation of FinCEN's Customer Due Diligence Rule—Financial Institution Perspective” to discuss challenges facing financial institutions when complying with FinCEN’s Customer Due Diligence Rule (CDD Rule). As previously covered in InfoBytes, the CDD Rule takes effect May 11, and imposes standardized customer due diligence (CDD) requirements under the Bank Secrecy Act (BSA) for covered financial institutions, including the identification and verification of the beneficial owners of legal entity customers. The hearing’s four witnesses expressed certain concerns regarding the effects of implementation on financial institutions, as well as the timing of additional guidance released April 3 in the form of frequently asked questions.
In prepared remarks, Executive Director of The Financial Accounting and Corporate Transparency (FACT) Coalition, Gary Kalman, commented that the CDD Rule, which calls for additional AML requirements, is a “positive step forward but falls short of what is needed to protect the integrity of [the] financial system”—particularly in terms of what defines a “beneficial owner.” Greg Baer, President of The Clearing House Association, expressed concerns that the CDD Rule (i) requires financial institutions to verify beneficial owners for each account that is opened, instead of verifying on a per-customer basis; and (ii) does not explicitly state in its preamble that FinCEN possesses sole authority to set CDD standards, which may present opportunities for examiners to make ad hoc interpretations.
Additionally, Executive Vice President of the International Bank of Commerce Dalia Martinez, observed, among other things, that compliance with the CDD Rule is costly and burdensome, and that banks have not been provided with the tools or guidance to determine whether the information provided by legal entity customers is accurate when verifying beneficial owners. The “gray areas” within the CDD Rule, Martinez noted, present challenges for compliance. A fourth witness, Carlton Green, a partner at Crowell & Morning, expressed concerns with the relationship between FinCEN and the federal functional regulators, stating that because FinCEN has delegated examination authority to these regulators, there is a chance regulators will “create and enforce their own interpretations of or additions to BSA rules” that may “diverge from FinCEN’s priorities.”
On April 19, the Federal Reserve Board (Fed) issued a cease and desist order against a Taiwanese bank and its New York agency in connection with alleged Bank Secrecy Act and anti-money laundering (BSA/AML) violations. According to the Fed’s order, a recent examination conducted by the Federal Reserve Bank of New York (Reserve Bank) and the NYDFS identified “significant deficiencies” in the agency’s BSA/AML compliance and risk management controls. The order requires, among other things, that the bank and agency submit within 60 days: (i) a written governance plan to strengthen the board of director’s oversight of BSA/AML compliance; (ii) a written program to achieve compliance with BSA/AML requirements; (iii) an enhanced, written customer due diligence program plan; and (iv) a revised program to ensure compliant suspicious activity monitoring and reporting. The bank and agency are further required to engage an independent third party acceptable to the Reserve Bank to conduct a review of certain wire transactions to determine whether “suspicious activity involving high risk customers or transactions” was properly identified and reported in accordance with applicable regulations. The order imposes no financial penalty.
On April 4, the Financial Industry Regulatory Authority (FINRA) released a revised template to assist FINRA-registered small firms in developing and implementing risk-based anti-money laundering (AML) programs as required by the Bank Secrecy Act and FINRA Rule 3310. Changes to the template reflect FinCEN’s final rule concerning customer due diligence requirements for covered financial institutions (CDD rule), which goes into effect May 11. (See previous InfoBytes coverage on the CDD rule here.) The CDD rule requires covered financial institutions, including FINRA-registered firms, to identify the beneficial owners of legal entity customers who open new accounts.
Buckley Sandler Insights: FinCEN updates FAQs regarding customer due diligence requirements for financial institutions
On April 3, the Financial Crimes Enforcement Network released an update to its FAQs in advance of the upcoming Customer Due Diligence Requirements for Financial Institutions final rule (issued in 2016 and amended last September for various technical corrections) that goes into effect May 11. As previously covered in InfoBytes, the final rule imposes standardized customer due diligence (CDD) requirements under the Bank Secrecy Act for covered financial institutions and requires financial institutions to identify and verify beneficial owners of legal entity customers, subject to certain exclusions and exemptions. The supplemental FAQs (see InfoBytes coverage on an earlier set of FAQs issued in 2016) assist covered financial institutions in understanding the scope of their CDD requirements, as well as the CDD rule’s impact on broader anti-money laundering (AML) program obligations, and cover a broad range of interpretations including the following:
- Question 1 specifies covered financial institutions will satisfy the requirements to identify and verify beneficial owners of legal entity customers by collecting and verifying the identity of individuals who directly or indirectly own 25 percent or more of the equity interests in a legal entity customer, as well as “one individual who has managerial control of a legal entity customer.” However, they may choose to implement stricter written internal policies and procedures and expand their information collection to include more than one individual with managerial control or persons owning a lower percentage of equity interests.
- Question 3 clarifies that covered financial institutions may reasonably rely on a legal entity customer to provide the identities of individuals who satisfy the definition of beneficial ownership, whether indirectly or directly, and “need not independently investigate the legal entity customer’s ownership structure.”
- Question 7 states that for existing customers, a covered financial institution may rely on information in its possession subject to its Customer Identification Program (CIP) to fulfill the beneficial ownership identification and verification requirements, “provided the existing information is up-to-date, accurate, and the legal entity customer’s representative certifies or confirms (verbally or in writing) the accuracy of the pre-existing CIP information.”
- Question 10 states that if a legal entity customer opens multiple accounts, the covered financial institution may rely on information obtained from a previously issued certification form (or equivalent), provided the legal entity customer certifies or confirms—verbally or in writing—that such information is up-to-date and accurate at the time each subsequent account is opened. Records of such certification or confirmation must also be maintained.
- Question 12 confirms that covered financial institutions seeking to renew a loan or roll over a certificate of deposit must treat these as new accounts and require their legal entities customers to certify or confirm beneficial owners, “even if the legal entity is an existing customer.”
- Question 18 stipulates that covered financial institutions are not required to identify and verify the identity of beneficial owners that own 25 percent or more of the equity interests of a pooled investment vehicle, whether or not such vehicle is managed by a “financial institution,” due to the typical fluctuation of ownership. However, Question 18 notes that covered financial entities must collect beneficial ownership information for an individual who has significant control or management over the vehicle as required under the control prong to comply with the CDD rule.
- Question 19 concerns trusts overseen by multiple trustees and states that in circumstances where a trust owns 25 percent or more of the equity interests of a legal entity customer, covered financial institutions are required, at a minimum, to collect beneficial ownership information on a single trustee but may choose to identify additional co-trustees based on risk assessment or a risk profile.
- Question 21 specifies that a covered financial institution may rely on information provided by a legal entity customer to determine eligibility for exclusion from the definition of a legal entity customer, provided the financial institution has no knowledge of facts that would reasonably call into question the reliability of such information. Covered financial institutions should also ensure that their risk-based written policies and procedures address and specify the type of information to be used when reasonably determining exclusion eligibility.
- Question 28 stipulates which non-U.S. governmental entities qualify for exclusion from the definition of a legal entity customer. It specifies that state-owned enterprises that engage in profit-seeking activities, such as sovereign wealth funds, airlines, and oil companies, are not excluded from the definition of a legal entity.
- Questions 29-31 provide guidance on account level beneficial owner exceptions related to (i) point of sale products for certain low-risk retail credit accounts; and (ii) certain equipment finance and lease accounts with low money laundering risks. Question 31 also stipulates that an equipment lease and purchase exemption would apply in circumstances where a customer leases necessary equipment directly from a covered financial institution.
- Questions 32-33 provide guidance on circumstances where beneficial ownership information should be aggregated for purposes of complying with Currency Transaction Report (CTR) requirements, and state that “absent indications that the businesses are not operating independently . . . , financial institutions should not aggregate transactions involving those businesses with those of each other or with those of the common owner for CTR filing.” Furthermore, covered financial institutions are generally not required to list beneficial owners on a CTR.
- Question 35 specifies what information covered financial institutions should collect and consider as part of on-going CDD when developing customer risk profiles. Specifically, covered financial institutions should develop an understanding of the “nature and purpose of a customer relationship,” and review information obtained at the opening of an account such as type of customer, account, service, or product.
On March 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such parties. The new enforcement actions include a cease and desist order, a civil money penalty order, notices filed, and recently terminated enforcement actions. Two notable actions are as follows:
Cease and Desist Consent Order. On February 12, the OCC issued a consent order against a New Jersey-based bank for deficiencies related to its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) rules and regulations. Among other things, the consent order requires the bank to (i) appoint an independent third-party consultant to conduct a review of the bank’s BSA/AML compliance program; (ii) review and update a comprehensive BSA/AML compliance action plan and monitoring system; (iii) create a comprehensive training program for “appropriate operational and supervisory personnel, and the Board of Directors, to ensure their awareness of their responsibility for compliance with” the BSA; (iv) develop policies and procedures related to the collection of customer due diligence and enhanced due diligence when opening accounts; (v) appoint a BSA officer; (vi) develop and conduct ongoing BSA/AML risk assessments to monitor accounts for “high-risk customers”; and (vii) conduct a “Look-Back” plan to determine whether suspicious activity was timely identified and reported by the bank and whether additional SARs should be filed for previously unreported suspicious activity. Furthermore, the bank is prohibited from opening new accounts for commercial customers designated as “medium risk or higher” in areas such as “money services businesses, foreign or domestic correspondent banks, payment processors, or cash-intensive businesses” without prior authorization. The bank, while agreeing to the terms of the consent order, has neither admitted nor denied any wrongdoing.
Termination of enforcement action. On February 14, the OCC terminated a 2002 consent order issued against a Texas-based payday lender after determining that “the safe and sound operation of the banking system does not require the continued existence of” previously issued restrictions. In 2002, the OCC claimed the payday lender engaged in “unsafe and unsound” practices, including violations of ECOA and TILA for failing to safeguard customers’ loan files. Among other things, the consent order fined the payday lender a $250,000 civil money penalty, imposed record-keeping requirements, and prohibited it from “entering into any kind of written or oral agreement to provide any services, including payday lending, to any national bank or its subsidiaries without the prior approval of the OCC.”
On March 12, the Federal Reserve Board (Fed) entered into a consent order with a Chinese bank (bank) and its New York branch (branch) in connection with alleged Bank Secrecy Act and anti-money laundering (BSA/AML) violations. According to the Fed’s order, a recent examination identified “significant deficiencies” in the branch’s BSA/AML compliance and risk management controls. The consent order requires, among other things, the bank and branch submit within 60 days: (i) a written governance plan to achieve compliance with BSA/AML requirements; (ii) a system to identify and assess risks associated with all products and customers, including “politically exposed persons”; (iii) an enhanced customer due diligence program plan; and (iv) a compliance program to ensure accurate suspicious activity monitoring and reporting. The bank and branch are further required to engage an independent third party acceptable to the Fed to review their dollar-clearing transaction activity in the second half of 2016 “to determine whether suspicious activity involving high-risk customers or transactions” was properly flagged. The order imposes no financial penalty.