The 5 Fundamentals of identifying the "Ultimate Beneficial Owners"
Beirut 9 July, 2017 08.20
Revised by Bachir El Nakib, (CAMS) Senior Consultant, Compliance Alert (LLC)
Banks are asking for trouble from regulators if they get caught screening for PEPs without having policies that address PEPs, or worse, if they do a gap analysis and find a PEP hit in one of their transactions without having PEPs addressed in policy. You must have alignment between policies and procedures. Keep in mind, not all PEPs are equal. They must be designated separate levels of risk. For instance, the president and the president's cousin are both PEPs, but they are not equal PEPs by any stretch of imagination.
Validating the "Ultimate Beneficial Ownership (UBO)" is of great importance to the MLRO and AML Officers; it is a hot topic that has been highlighted over the years and is still understated. In late 2014, the Financial Action Task Force (FATF) made its recommendations for member countries, while the U.S. FinCEN continued to rely on its proposed rule, leaving many MLR Officers struggling with implementation of UBO Validation. Below are the three (3) basic fundamentals to ensure the MLRO program benefits from Beneficial Ownership Validation:
1. Understanding the Signs of Right and Wrong
Understanding the traits and triggers that indicate the "right" kind of owner versus the "wrong" kind are paramount to identifying the real UBO, allowing for a meaningful AML analysis and risk mitigation. Look for whoever ultimately controls, manages and directs the funds of the account, and you have found your UBO. You will find that person is actually the most important individual of all when it comes to Know Your Customer (KYC), as that individual has the ability to facilitate transactions and ultimately benefit from any legal or illegal gains, which is for your AML/CFT Department (and law enforcement) to decide. One tip for identifying the true UBO is to always validate all information provided by the customer with documentary and other external means, and ensure your QA Team has the required skill set to review the quality and completeness of the UBO due diligence. If something appears or sounds potentially suspicious, refer it to AML/CFT Investigations.
2. Look for Complexity
Complex and multi-layered offshore entities involving private trusts and foundations designed for estate planning and/or wealth management are completely legal. Unfortunately, money launderers, drug & human traffickers, along with financiers of global terrorism have also found these structures to be highly desirable. Nearly impossible to unravel, these structures help them realize their ultimate goal - anonymity. When you see complex structures, view them as red flags. Build internal expertise that understands the ins and outs of legal offshore entities. By expanding your knowledge base and bench of expertise in this area, you’ll be better able to identify illicit activity.
3. Step Up Your Game
Mastering the complexities of UBO Validation does not happen overnight. Start now by understanding and becoming intimately familiar with your target customer base. Next, build your AML/CFT compliance program to align with the strategic goals and vision of your organization. Ensure that your internal expertise is sufficient to address the UBO complexities that exist within your institution’s customer base. Keep your finger on the pulse as it relates to your growth strategy and/or acquisitions to stay ahead of the curve on this one; it’ll be a doozie if you don’t.
UBO Validation is not a walk in the park. Don’t be intimidated. Dive in and don’t be afraid to ask for help from other colleagues or business units that specialize in things like Corporate Structures, International Law, or Trusts. Establish these basic 3 fundamentals and soon you’ll see the benefit of the 5 Beneficial Ownership Validation Fundamentals.
How Financial Institutions handle business customers with complex, multi-layered, offshore structures (e.g. foreign trusts, foundations) remains an on-going challenge from an AML/CFT perspective, but it can be done successfully if you get the fundamentals right.
The following are 5 Steps to validate the "UBO" safely for complex persons/entities:
1. Use CIP/CDD information to identify the required information to gather at account opening
Accurate CIP/CDD information will assist your organization in identifying the documents required to open and maintain these types of accounts. For example, a Foreign Entity that has a trust in its ownership structure is going to require, at minimum:
- the Trust Agreement/Certification,
- the Foreign Entity’s Formation and Ownership Validation documents,
- Certificate of Good Standing, and
- Proof/Source of Wealth and Income.
2. Perform upfront Enhanced Due Diligence (EDD) and Beneficial Ownership Validation
Perform Enhanced Due Diligence (EDD) on these customers that are inherently High Risk, based solely on their structure, to gain a complete picture of the customer and their true identity; who owns them, who their major counter-parties are, the types of transactions they will be making, and with what jurisdictions/countries they will transact or do business in/with. This will produce the proper upfront customer risk rating and the corresponding frequency and parameters for ongoing transaction monitoring. In order to accurately perform Beneficial Ownership Validation, all layers of ownership must be fully vetted and verified until all beneficial owners are accounted for and the proper validating documentation is received.
3. Request any necessary additional documentation and/or clarification from the customer as quickly as possible
This is an easy step that is very often skipped. Most front-line, sales-driven relationship managers don’t want to bother a new customer with additional requests for information just days after they “on-boarded” them. But, I assure you that it will be better received at the beginning of the relationship than months or years down the road. The initial EDD assessment will produce the gaps that exist in required documentation, creating the most opportune time to ask questions and explain what documents are going to be required and why; along with any clarifying questions from internal/external research.
4. Perform an initial High Risk 90-day review, looking at an anticipated vs. actual transaction analysis
There is a great deal of information that can be seen in the first 90 days of account opening. Based on the information provided regarding expected transaction types and levels, counter-parties, expected balances, etc., a High Risk 90-day Transactional Review can be performed to ensure the customer is transacting the way that they informed the bank they would, and there is nothing potentially suspicious that needs to be addressed or referred to the AML/CFT Compliance Investigations Department.
5. Perform Annual EDD, Ownership Validation and On-going High Risk Monitoring
Given the inherent risk level of complex, multi-layered off-shore entities, annual EDD must be performed to re-evaluate the overall relationship and ensure that nothing has changed. These changes could be from a beneficial ownership standpoint (re-validate), or changes to the business structure or counter-parties. Additionally, an accompanying transaction-based review to analyze a full year of “expected” versus “anticipated” transactions by type can highlight new types or locations of transactions. Ongoing Transaction Monitoring should be in place for all customers, with even tighter and more targeted parameters for these types of complex entities, given the inherent risk. This will identify suspect or out of the ordinary transactions (in near real-time) and prevent any of the USA "OFAC/SDN" type violations.
Each of these steps is likely a piece of your overall AML Program, or an upcoming addition, but the breadth and depth of each step will vary dramatically from one institution to the next. Given the risk appetite of your institution, along with the mix of your customer base and their business dealings, a one-size-fits-all approach is simply not feasible. A risk-based approach is the new industry expectation, resulting in each Financial Institution’s AML/CFT Program looking a little different, as long as it meets the stated requirements. For those Financial Institutions that are looking to grow, through acquisition or otherwise, you must be extra nimble in your approach, and maintain the ability to transform to meet today’s regulatory needs.
Incorporating these five (5) steps in your plan of action will ensure a solid foundation in managing these High Risk relationships, and reduce your Institution’s overall AML/CFT risk exposure. Your team of analysts and investigators will also be better prepared to perform a meaningful analysis. Of course, the alignment of your Anti-Money Laundering Program with your Institution’s vision and growth strategy will allow your AML environment to be proactive, not reactive. A perfect example of why most "Banks and Firms" are getting into trouble with the regulatory bodies/agencies is their behavior: they treat these risk assessments as merely "check-the-box" exercises, then they go and conduct all of these other transactions. The transactions are being conducted in silos, separated so that they are not being run through the filter of the risk assessment on an annual basis.
The Importance of Customer Risk Assessment (CRA)
Individual Customer Risk Assessments are critical to truly Knowing Your Customer (KYC). CRAs can preemptively mitigate the risk of new customers before any damage is done, as well as update the risk posed by customers that have been in your institution for decades. Additionally, CRAs build an accurate customer profile that shall be used for due diligence requirements, transaction monitoring thresholds and high-risk review schedules. Individuals attempting to use the banking system to facilitate illicit transactions for the benefit of drug trafficking, terrorist financing or other criminal behaviour can be quite savvy. Their sophistication and speed enable them to cause major damage in a very short period of time. Therefore, the most important work, from a risk perspective, must be done on the front-end, before the FI engages in business with a customer.
Let's examine how to set up a CRA to defend against the AML/CFT threats, why it's important and the challenges that a financial institution may face. Here are five critical steps to build an effective CRA that shall aid in keeping bad guys from ever getting the chance to use the financial institution for illicit and criminal behavior:
1 - Developing a "Risk-Based Scoring System"
Prior to account opening, develop a risk-based system for scoring your customers in near real-time, based on pertinent regulations and parameters specific to your institution.
This requires developing a risk matrix that scores due-diligence questions, producing a Customer Risk Score. The risk matrix, to produce a customer risk score, must be integrated into your FI’s on-boarding system to create a seamless customer experience and a near real-time response. This score will indicate whether the customer should be treated as prohibited, high-risk, moderate-risk or low-risk. The specific questions that your FI will ask must be developed by your AML/CFT Management and signed-off on by the Board of Directors. The following are just some of the factors used in a thorough qualitative and quantitative risk matrix:
- Geographical Data (e.g. do they operate in HIDTA/HIFCA)
- Purpose of the Account
- Source of Wealth
- Source of Income
- Country of Incorporation
- Country of Residency
- Ultimate Beneficial Ownership Structure
- Controlling Parties (UBO or not)
- Expected Transaction Volumes and Types
- Products and Services being Sought
- Additional questions that are relevant to your existing and target customer base
2 - Address existing customers
Re-evaluating your existing customer base is a must, given the constant changes to regulations, as well as the introduction of new or changing business structures, operations, counter parties, etc. since the beginning of the banking relationship. Businesses change. Your customer profile should stay up to speed with the customer’s actual business. It can be especially challenging when dealing with customers in good-standing that have been loyal to your FI for years. A satisfactory risk matrix requires a level of due-diligence information that is most likely not on-file for customers of five or more years. This lack of vital information is due to data retention regulations and drastic changes made in CDD requirements in the last five to ten years. Although the process may be labor intensive and somewhat unwelcome by the customer, updating existing customer information is imperative.
3 - Categories are important
Based on the resulting score from your risk matrix, your FI must put in place a set of controls applicable to each customer type (High, Medium, Low-Risk and other categorically specific requirements). Some customers will fall out of the high-risk category and only have the basic CIP/CDD performed, along with continuous transaction monitoring. High-risk customers will trigger the need for enhanced due-diligence and more stringent transaction monitoring.
4 - Collect before you open
Collect all pertinent documentation needed to safely bank your customer, prior to account opening. This will prevent the extremely savvy launderers and terrorist groups from taking advantage of your FI while you are still assessing the risk. Up-front data collection prevents rework, duplicative requests from the front-line and the customer, and ensures that your FI has the documentation to support the risk-rating of each customer.
5 - Review the "right" customers
Make sure that you are conducting EDD and High-Risk reviews on the “right” customers. This is not always a numbers game. The number of high-risk customers your FI has designated does not correlate to how well your CRA or BSA Program is doing. You can have thousands of customers in EDD, as high-risk, but if they are the “wrong” customers, then all you have done is put a subset of your customers through due-diligence that benefits neither your maxed out team nor the irritated customer.
The importance of CRAs
A CRA allows your FI to evaluate each customer individually, based on their specific characteristics, expected behavior and their peers. Understanding how a customer’s peers are formed, transact and behave is one of the best baselines you can get. This will make the detection of potentially suspicious activity much easier by taking some of the strain off of your investigations and filing units.
An accurate CRA will allow your FI to dedicate the right amount of time, money and resources to the highest risk individuals/entities before they even become a customer. When a CRA results in a score of high-risk or even moderate-risk, your FI can allocate the necessary resources to successfully gather and analyze the CDD and EDD information and documentation. Depending on the risk, size and complexity of the customer, you may need two resources, or a team of resources, to implement the controls to reduce that specific customer’s risk, which will all be driven by the CRA.
Too many existing customers (five years or more) were never subjected to the BSA regulations of today (CDD especially). This can be a huge risk. Just because a customer has been with your FI for a decade, doesn’t mean that they are automatically okay. You must understand your entire customer base, and that includes all those customers you already serve. Applying a standardized risk matrix methodology to both new and existing customers will prove to the regulators that you are embracing the "risk-based approach" to AML/CFT. Not all customers are created equal when it comes to compliance. Being targeted and intentional is the only way to stay ahead in this rapid, ever-changing industry.
What are the challenges?
Customers, especially those with malicious intent, are not going to offer up information that they know will produce “red flags” or subject them to additional scrutiny. The most sophisticated criminals know as much and sometimes more than both FIs and regulators. Remember, this is their full-time job. These criminals could have a full team of people that focus on AML/CFT security loopholes, some of whom may be working inside your FI. They don’t have to go to meetings, answer email, attend HR functions, etc. They have one duty…beat your systems.
Authenticating the information gathered before account opening can be difficult without the proper internal and external resources. "Beneficial Ownership Validation" is one of the hottest topics in AML/CFT, and there are still a lot of unanswered questions as to how to satisfactorily validate beneficial owners. Whether it’s 10 or 25 percent ownership to be validated is really a moot point. The only thing a threshold creates is the exact line we are providing to criminals, so that they can make sure they avoid it. If a criminal sees that only beneficial owners of 10 percent or more are going to
to require EDD and validation documentations.
The same documents (e.g. share registry, meeting minutes, formation documents, etc.) that show you 10 or 25 percent owners will also show you the .01 percent owner. Sometimes, it’s the .01 percent that needs the most looking into. Threshold percentages are fine for requiring signed ownership validation documentation, IDs, etc., but these thresholds should not preclude knowing the names and basic CIP information of any owners or controlling parties.
How do our FIs gather all of this information in a timely manner, validate it, and monitor it, while still allowing the medical student, running on two hours of sleep, to open a simple checking account? On-boarding systems with automated decision trees, and hard stops for “unanswered questions”, will allow for quick on-boarding of low risk customers, like the medical student. An effective CRA will produce an immediate score that indicates low-risk, and require no follow up documentation or information.
Remember, transaction monitoring and investigations serve your entire FI’s customer base, so let these functions work the one-off situations where the medical student starts wiring money to Iran.
A complete and well-thought-out CRA is not something that you simply develop overnight. There is a great deal of data analysis, peer and industry analytics, internal expertise, and strategic thinking that must happen to produce the risk matrix that will facilitate an accurate risk score. And that's just the beginning. Integrating your risk matrix into your on-boarding system allows for the near real-time aspect of a CRA. There is a strategic approach to developing CRAs and what you will require from the various levels of customers, based on their risk score. Understand your existing and target customers, and you will be on your way to developing the right questions for your CRA to indicate when a customer poses a potential risk.
Sources: http://www.autoaml.com/blog/a-case-for-customer-risk-assessments, Nick Guest, CAMS on Nov 12, 2015 11:11:00 AM