Summary: FinCEN has released new FAQs tied to its “beneficial ownership” rule that has a key deadline next month. But even as the bureau has brought bright-line-boundaries to light, some believe there are still “fatal flaws” related to the amorphous “reasonable” ownership and control thresholds, which could leave institutions open to regulatory second guessing.

Read length: 8-10 minutes.

Even in its quest to add clarity to new beneficial ownership requirements coming online next month, the U.S. Treasury has also added fresh uncertainty hinging on whether federal examiners deem compliance practices and decision-making as “reasonable.”

Those are just some of the conclusions related to an updated Frequently Asked Questions (FAQ) sheet released by the Financial Crimes Enforcement Network (FinCEN) last week to offer more bright line boundaries for the new customer due diligence (CDD) rule – which the financial crime compliance industry has colloquially dubbed the “beneficial ownership rule.”

The original final rule, released in May of 2016, requires financial institutions to capture beneficial ownership details on certain legal entity customers down to the 25 percent level, or more on a “risk-based basis,” and list a top-level person who exercises managerial control. Institutions can chiefly rely on what companies provide about their flesh-and-blood owners on a self-certification form.

Though the rule is mainly geared to address an outstanding vulnerability in U.S. financial crime defenses, it also enshrined two compliance best practices: customer risk ranking and transaction monitoring. These are two bedrock anti-money laundering (AML) processes given significant ink in the interagency exam manual – unlike the beneficial ownership rule.

Through nearly 40 questions across 24 pages, FinCEN tackled a bevy of issues related to the rule, including everything from intermediated securities relationships to reliance on international, public beneficial ownership lists, from what renewal products trip new customer thresholds, to potential pitfalls when nominating notorious nominees.

To read the latest FAQs, click here. To read FAQs from 2016, click here. To read the original final rules, click here.  To read prior ACFCS coverage of the rule, click here.

Here are some snapshots of issues covered and some examples of where the latest FAQ could cause flack:

  • Drawn and quartered: Is the 25 percent ownership level a “floor or ceiling?” Well, that depends on the risk of the firm, transparency of its ownership structures and believability of its self-certification responses. Analysis: Still ambiguous.
  • Man O’ Manual: While regulators can argue banks have known about the proposal since 2012 and had since 2016 to meet the May 11, 2018 deadline, institutions still don’t know what examiners will be looking for because agencies haven’t yet released an updated interagency exam manual. Analysis: Still ambiguous.
  • Remote control: When it comes to picking someone for the control piece, it’s still unclear when, how, if, or what news could constitute a reason for a bank to doubt the sworn statements of someone saying they have “managerial control” over a legal entity. Analysis: Still ambiguous.
  • Renewable energy: One area rife with potential conflict is bank products that renewal annually, such as a certificate of deposit (CD). Due to other prior bank customer identification rules, when a CD comes up for a re-up, that constitutes a new “account.” But if the bank attempts to contact the customer to ensure no ownership details changed, and the person rebuffs, it could leave the bank vulnerable to regulatory knuckle-rapping. Analysis: Not ambiguous, but challenging to implement.

FAQs can’t correct ‘fatal flaw’ in rules

The system that FinCEN has set up, allowing a bank to “reasonably rely” on the customer’s self-certification is “fatally flawed from the outset,” said Ross Delston, a Washington, D.C.-based attorney, financial crime consultant and expert witness.

For instance, because a bank won’t really know what an examiner considers reasonable, some institutions are preemptively capturing details down to the 10 percent level for riskier companies or owners and only sticking to 25 percent for clearly low-risk legal entities.

“The current system puts banks in a very difficult position,” Delston said. “On the one hand, banks are allowed to rely on the certification if that reliance is reasonable. But on the other hand, in some cases it won’t be known if the reliance is reasonable until something bad has happened.”

Similarly, he said, when a bank is dealing with a high-risk customer “like a shell company in an offshore financial center that is using a bank from that offshore financial center or another poorly regulated jurisdiction, it may not be reasonable to rely on the putative owner’s self-certification.”

Another worry for banks is institutions may need to conduct some degree of customer due diligence on the putative owner to “determine if the signatory is in the kind of business that would lend itself to being a nominee,” such as if the signatory is an attorney, company formation agent or trustee – or even a relative of a much more senior, hidden figure, Delston said.

Which came first: the risk, or not knowing the riskiness of the risk?

The FAQs are helpful but still don’t clear up a foundational dilemma in the very superstructure of the rules, which can be summed up in a very chicken and egg argument that goes like this:

How deep does a bank have to look to ensure a legal entity or owner is truly at such a low risk level…that the bank doesn’t have to do more extensive due diligence…to feel secure it didn’t have to do more due diligence in the first place to reinforce its original low-risk assessment – by collecting lower ownership levels?

In short, does a bank always have to collect details at lower ownership levels to justify lower risk scores, even though it had to engage in enhanced due diligence to calculate the risks.

The ownership bar could slide lower as banks attempt to imagine how regulators will score their efforts, said Jorge Guerrero, a founding member and former president of the National Money Transmitters Association (NMTA).

“When FinCEN advises that financial institutions must use a risk-based approach to the application of the new CDD rule, it is reasonable to infer that the 25 percent is a floor, not the ceiling in terms of the beneficial ownership identification requirements,” said Guerrero, owner of Optima Compass Inc., a financial crime consultancy.

“In point of fact, some states require identification of owners of 10 percent or more when issuing licenses to certain financial institutions,” he said.

In that same vein, when a bank finally gets responses from the self-certification queries, how deep does it have to look to feel comfortable the person is being truthful and accurate and isn’t a high-risk person masquerading as a low-risk relative or nominee?

Another consideration: That the person simply didn’t want to include any negative news about themselves that might be floating in cyberspace – and is playing a roulette game with the bank in hopes compliance checks and balances will fail and they will melt into the general population.

The nebulous areas of the new rule also extend to the second prong of the beneficial ownership piece beyond ownership, the “control” piece, where the bank must list someone at a top executive or chief officer level.

The issue: a person can easily assert on a form they exercise “managerial control,” but without more bank scrutiny to verify that, it’s impossible to know if they are a truly truthful low-risk executive functionary or a patsy nominee acting as a shield for duplicitous denizens using ownership opacity as a bastion to hide from justice.

Shifting risk perceptions lead to rise of ‘urban legend’ ownership onus

While a Q and A is meant to bring clarity, there are still some vagaries in the document worrying compliance officers and even perpetuating an “urban legend” that 25 percent is not the firm threshold it’s made out to be, said Rob Rowe, vice president and associate chief counsel for the American Bankers Association, the industry’s main lobbying group.

In discussions between regulators and compliance officers at industry conferences, dozens of people have become convinced of an “urban legend the 25 percent is not 25 percent,” he said, noting other fears hovering around how bank rules define when a new account is opened.

Whispers in compliance circles are rising to a cacophonous chorus fearing that examiners on the ground will require more scrutiny of legal entities based on their interpretation of risk – a subjective conclusion that could be radically different from what the bank has assessed.

In a bit of good news buried in the FAQs: FinCEN did address a major industry fear that will help quell some fretting compliance staffers had related to aggregating duties for customer transaction report (CTR) purposes.

At issue: Some banks stated that it would be too expensive and burdensome to catalogue the beneficial owners of certain businesses – for instance, when one owner has two separate, independent businesses doing completely different things – and be required now to cross-check and aggregate every transaction for both businesses as if they are linked.

FinCEN agreed.

“Thus, absent indications that the businesses are not operating independently (e.g., the businesses are staffed by the same employees and are located at the same address, the accounts of one business are repeatedly used to pay the expenses of another business or of the common owner), financial institutions should not aggregate transactions involving those businesses with those of each other or with those of the common owner for CTR filing,” according to FinCEN.

Moreover, banks broadly don’t have to include beneficial ownership details when filing CTRs unless they know for sure that a series of transactions breaches the $10,000 threshold is tied to a specific beneficial owner, and not just the person’s businesses.

Another potentially challenging area in the Q and A is question 12, related to CDD rule product renewals, such as certificates of deposit (CDs). How, you ask? Due to a 2004 “Frequently Asked Questions,” FinCEN stated that a CD rolling over annually equates to a new account.

Now, a bank could skirt this with simply getting the CD customer to respond to mail, email or a phone call getting confirmation that no beneficial ownership information has changed.

But many customers, when getting unsolicited mail from their bank, will simply “forget the notice and rip it up,” Rowe said. “Trying to collect updated CDD information on existing accounts will be difficult.”

In CDD rule, proactive risk ranking or reactive action scoring

At the same time, collecting information on new customers after the deadline has its own foibles and pitfalls, including a persnickety term saying banks may need to “reasonably” drill down more than 25 percent if the legal entity is considered very risky, such as a shell company in an offshore secrecy jurisdiction.

The CDD requirements also don’t end after a bank finally gets a self-certification as the institution could, at any time, encounter “knowledge of facts that would reasonably call into question the reliability of such information” provided on the self-certification form, Rowe said.

Moreover, if banks simply deem a customer too risky or think the self-certification threadbare or false, that frustration may start a new wave of risk pruning he said, adding that one of the impacts of the new CDD rule could be an “uptick in-derisking,” a term denoting when banks shed customers, products or regions due to compliance costs or real or perceived regulatory pressure.

“We have told law enforcement and FinCEN this could push more companies out of the banking industry,” Rowe said, particularly if examiners are enforcement-heavy over early missteps. “Then, all of a sudden, those transactions will still keep going on, but will happen outside the formal banking sector and law enforcement won’t know a thing about it.”

That scenario is a real possibility simply because, currently, banks will start being graded on updates to their AML programs, without being able to rely on an updated interagency exam manual, he said.

A key concern of banks is that they “have not seen the examination procedures and the FAQ has come out just over a month before the mandatory compliance date,” Rowe said, adding that banks can only hope examiners will take a conciliatory, collegial approach to compliance.

“There is no written affirmation from regulators, that over the first six months or year, they will not use the sledgehammer on banks,” he said. “That’s because they could be thinking, well, you banks have had two years to prepare. But the reality is the exam procedures are not out and the latest FAQs are hot off the presses.”