The 5 Fundamentals of identifying the Ultimate Beneficial Owner
Beirut 9 July, 2017 08.20
Re-edited by Bachir El Nakib, (CAMS) Senior Consultant, Compliance Alert (LLC)
It is difficult to find the ultimate beneficial owner in cases of sophisticated legal and corporate structures like complex and multilayer ownership structures helps criminals to conceal their identity. When you find a case with this complexity you need to request the customer the chart that provide you the ownership structure listing the names of the UBO's, percentage of ownership and jurisdictions involved. This gives you a general idea about the enhanced due diligence you will require and later you need to validate who are the individuals who controls at least 10 percent or more of the entire structure and those who owns 25 percent of the company with the information provided by the customer. Any inconsistence should be considered a red flag.
Establishing effective policy and processes to identify an ultimate beneficial owner (UBO) is essential in combating money laundering and terrorist financing. All UBOs should be identified, declared, verified (where applicable) for all new and changes to existing accountholder accounts and financial services and products provided to occasional (walk-in) accountholders. These procedures must require proper due diligence and may identify unusual transactions, and possibly report the suspicious transactions. International AML standards and regulations (i.e., the Financial Action Task Force [FATF] Recommendations, the Financial Crimes Enforcement Network [FinCEN] and the Basel Committee principles), and local regulatory requirements impose legal and regulatory obligations on financial institutions (FIs) to identify UBOs, these obligations will be discussed in this white paper.
FATF defines1 UBOs as natural person(s) who ultimately owns or controls an accountholder and/or the person on whose behalf a transaction is being conducted. It also incorporates those persons who exercise ultimate effective control over a legal person or arrangement.
(1) Reference to “ultimately owns or controls” and “ultimate effective control” refer to situations in which ownership/control is exercised through a chain of ownership or by means of control other than direct control.
(2) This definition should also apply to a beneficial owner of a life or other investment linked insurance policy. Money launders, terrorists and sanctioned parties try to access the financial system by hiding their existence (i.e., true identity) during account opening and service request processes, through using individual or non-individual accounts opened by their association’s or family members’ names, or opening accounts for legal entities with complex ownership structure, or any other tactics to avoid detection.
UBO identification and verification can be very difficult due to a lot of challenges, for example:
1. Complex ownership structures of the legal entities
2. Legal entities established in high secrecy jurisdiction (i.e., Samoa, Cayman Islands, Panama)
3. False accountholder’s declarations on UBOs
4. Limited information available on offshore accountholders
5. Unqualified staff
FIs have the ultimate responsibility to identify UBOs and verify them (where applicable). It is worth to mention that UBO verification for individual accounts is not possible in most cases, as FI’s depend on the accountholder’s declaration only. On the other hand, FIs could be verified the identified UBO for non-individual accountholders, through reviewing the client’s know your customer (KYC) documentation. Therefore, appropriate policy, procedures and controls must be established to comply and mitigate the legal, compliance and regulatory risks. The methodologies of identifying UBOs vary among FIs. Some identify UBOs through obtaining a Declaration Form specifying the UBO and signed by the accountholder. Others verify the UBO through obtaining formal documents that identify the UBO.
The identification and verification process for UBOs should be performed during account opening, while updating KYC information, when obtaining banking services/products forms. Policy, procedures and processes must clearly ask the accountholder to declare the UBO, with imposing an obligation on the accountholder to update the FI, if the declared UBO is changed.
The following must be obtained, before providing the financial service, activating the account, or issuing banking self-services to the accountholder for individual and non-individual accounts:
1. Reason of having a third party as a UBO and the relationship between the accountholder and the declared UBO.
2. Full KYC documentation and information (full name, nationality, resident address, source of funds/wealth, etc.)
3. If the accountholder is a citizen of the U.S., it is required that they complete the appropriate form, to comply with Foreign Account Tax Compliance Act (FATCA) requirements, for individual accounts only.
Banks are asking for trouble from regulators if they get caught screening for PEPs without having policies that address PEPs or worse if they do a gap analysis and find a PEP hit in one of your transactions without having them addressed in policy. You must have alignment between policies and procedures. Keep in mind, not all PEPs are equal. These must be separately designated level of risk. For instance, the president and the president's cousin are both PEPs, but they are not equal PEPs by any stretch of imagination.
Validating the "Ultimate Beneficial Ownership (UBO)" is of great importance to the MLRO, AML Officers, a hot topic that have been highlighted over the years and still understated. Late 2014 The Financial Action Task Force (FATF) made their recommendations for member countries, also the U.S. FinCEN continued to rely on it's proposed rule, leaving many MLR Officers struggling with implementation of UBO Validation. Below are the basis three (3) fundamentals to ensure the MLRO program benefits from Beneficial Ownership Validation:
1. Understanding the Signs of Right and Wrong
Understanding the traits and triggers that indicate the "right" kind of owner versus the "wrong" kind are paramount to identifying the real UBO, allowing for a meaningful AML analysis and risk mitigation. Look for whoever ultimately controls, manages and directs the funds of the account, and you have found your UBO. You will find that person is actually the most important individual of all when it comes to Know Your Customer (KYC), as that individual has the ability to facilitate transactions and ultimately benefit from any legal or illegal gains, which is for your AML/CFT Department (and law enforcement) to decide. One tip for identifying the true UBO is to always validate all information provided by the customer with documentary and other external means, and ensure your QA Team has the required skill set to review the quality and completeness of the UBO due diligence. If something appears or sounds potentially suspicious, refer it to AML/CFT Investigations.
2. Look for Complexity
Complex and multi-layered offshore entities involving private trusts and foundations designed for estate planning and/or wealth management are completely legal. Unfortunately, money launderers, drug & human traffickers, along with financiers of global terrorism have also found these structures to be highly desirable. Nearly impossible to unravel, these structures helps them realize their ultimate goal - anonymity. When you see complex structures, view them as a red flags. Build internal expertise that understands the ins and outs of legal offshore entities. By expanding your knowledge base and bench of expertise in this area, you’ll be better able to identify illicit activity.
3. Step Up Your Game
Mastering the complexities of UBO Validation does not happen overnight. Start now by understanding and becoming intimately familiar with your target customer base. Next,[inlinetweet] build your AML/CFT compliance program to align with the strategic goals and vision of your organization. [/inlinetweet] Ensure that your internal expertise is sufficient to address the UBO complexities that exist within your institution’s customer base. Keep your finger on the pulse as it relates to your growth strategy and/or acquisitions to stay ahead of the curve on this one; it’ll be a doozie if you don’t.
UBO Validation is not a walk in the park. Don’t be intimidated. Dive in and don’t be afraid to ask for help from other colleagues or business units that specialize in things like Corporate Structures, International Law, or Trusts. Establish these basic 3 fundamentals and soon you’ll see the benefit of the 5 Beneficial Ownership Validation Fundamentals.
How Financial Institutions handle business customers with complex, multi-layered, offshore structures (e.g. foreign trusts, foundations) remains an on-going challenge from a AML/CFT perspective, but it can be done successfully if you get the fundamentals right.
The following are 5 Steps to validate the "ÜBO" safely in complex persons/entities:
1. Use CIP/CDD information to identify the required information to gather at account opening
Accurate CIP/CDD information will assist your organization in identifying the documents required to open and maintain these types of accounts. (e.g. a Foreign Entity that has a trust in it’s ownership structure is going to require at minimum:
- the Trust Agreement/Certification,
- the Foreign Entity’s Formation and Ownership Validation documents,
- Certificate of Good Standing, and
- Proof/Source of Wealth and Income).
2. Perform upfront Enhanced Due Diligence (EDD) and Beneficial Ownership Validation
Perform Enhanced Due Diligence (EDD) on these customers that are inherently High Risk, based solely on their structure, to gain a complete picture of the customer and their true identity; who owns them, who their major counter-parties are, the types of transactions they will be making, and with what jurisdictions/countries they will transact or do business in/with. This will produce the proper upfront customer risk rating and the corresponding frequency and parameters for ongoing transaction monitoring. In order to accurately perform Beneficial Ownership Validation, all layers of ownership must be fully vetted and verified until all beneficial owners are accounted for and the proper validating documentation is received.
3. Request any necessary additional documentation and/or clarification from the customer as quickly as possible
This is an easy step that is very often skipped. Most front-line, sales-driven relationship managers don’t want to bother a new customer with additional requests for information just days after they “on-boarded” them. But, I assure you that it will be better received at the beginning of the relationship than months or years down the road. The initial EDD assessment will produce the gaps that exist in required documentation, creating the most opportune time to ask questions and explain what documents are going to be required and why; along with any clarifying questions from internal/external research.
4. Perform an initial High Risk 90-day review, looking at an anticipated vs. actual transaction analysis
There is a great deal of information that can be seen in the first 90 days of account opening. Based on the information provided regarding expected transaction types and levels, counter-parties, expected balances, etc., a High Risk 90-day Transactional Review can be performed to ensure the customer is transacting the way that they informed the bank they would, and there is nothing potentially suspicious that needs to be addressed or referred to the AML/CFT Compliance Investigations Department.
5. Perform Annual EDD, Ownership Validation and On-going High Risk Monitoring
Given the inherent risk level of complex, multi-layered off-shore entities, annual EDD must be performed to re-evaluate the overall relationship and ensure that nothing has changed. These changes could be from a beneficial ownership standpoint (re-validate), changes to the business structure or counter-parties. Additionally, an accompanying transaction based review to analyze a full year of “expected” verses “anticipated” transactions by type can highlight new types or locations of transactions. Ongoing Transaction Monitoring should be in place for all customers, and with even tighter and more targeted parameters for these types of complex entities, given the inherent risk. This will identify suspect or out of the ordinary transactions (in near real-time) and prevent any of the USA "OFAC/SDN" type violations.
Each of these steps is likely a piece of your overall any AML Program, or an upcoming addition, but the breadth and depth of each step will vary dramatically from one institution to the next. Given the risk appetite of your institution, along with the mix of your customer base and their business dealings, a one-size-fits-all approach is simply not feasible. A risk-based approach is the new industry expectation, resulting in each Financial Institution’s AML/CFT Program looking a little different, as long at it meets the stated requirements. For those Financial Institutions that are looking to grow, through acquisition or otherwise, you must be extra nimble in your approach, and maintain the ability to transform to meet today’s regulatory needs.
Incorporating these five (5) steps in your plan of action will ensure a solid foundation in managing these High Risk relationships, and reduce your Institutions’s overall AML/CFT risk exposure. Your team of analysts and investigators will also be better prepared to perform a meaningful analysis. Of course, the alignment of your Anti-Money Laundering Program with your Institution’s vision and growth strategy will allow your AML environment to be proactive, not reactive, a perfect example why most of the "Banks and Firms" are getting into trouble with the regulatory bodies/agencies, is their behavior; they treat these risk assessments as merely "check-the-box"exercises, then they go and conduct all of these other tranastions. The Transactions are being conducted in silos, separated so that they are not being run through the filter of the risk assessment on an annual basis.
The Importance of Customer Risk Assessment (CRA) Individual Customer Risk Assessment are critical to truly Knowing Your Customer (KYC). CRAs can preemtively mitigate the risk of new customers before any damage is done, as well as update of the risk imposed by these customers that hav been in your institution for decades. Additionally, CRAs build an accurate customer profile that shall be used for due diligence requirements, transactions monitoring thresholds and high-risk review schedules. Individuals attempting to use the banking system to facilitate illicit transactions for the benefit of drug trafficking, terrorist financing or other criminal behaviour can be quite savvy. Their sophistication and speed enable them to cause major damage in a very short period of time. Therefore, the most important work, from a risk perspective, must be done on the front-end, before the FI engages in business with a customer.
Let's examine to to set up a CRA to defend against the AML/CFT threats, why it's important and the challenges that a financial institution may face. Here are fine critical steps to build an effective CRA that shall aid in keeping bad guys from ever getting the chance to use the financial institution for illicit and criminal behavior:
1- Developping a "Risk-Based-Scroring System"
Prior to account opening, develop a risk-based system for scoring your customers in near real-time, based on pertinent regulations and parameters specific to your institution.
This requires developing a risk matrix that scores due-diligence questions, producing a Customer Risk Score. The risk matrix, to produce a customer risk score, must be integrated into your FI’s on-boarding system to create a seamless customer experience and a near real-time response. This score will indicate whether the customer should be treated as prohibited, high-risk, moderate-risk or low-risk. The specific questions that your FI will ask must be developed by your AML/CFT Management and signed-off on by the Board of Directors. The following are just some of the factors used in a thorough qualitative and quantitative risk matrix:
- Geographical Data (e.g. do they operate in HIDTA/HIFCA)
- Purpose of the Account
- Source of Wealth
- Source of Income
- Country of Incorporation
- Country of Residency
- Ultimate Beneficial Ownership Structure
- Controlling Parties (UBO or not)
- Expected Transaction Volumes and Types
- Anticipated Balances
- Products and Services being Sought
- PEP Status
- NAICS Code(s)
- Additional questions that are relevant to your existing and target customer base
The same documents (e.g. share registry, meeting minutes, formation documents, etc.) that show you 10 or 25 percent owners will also show you the .01 percent owner. Sometimes, it’s the .01 percent that needs the most looking into. Threshold percentages are fine for requiring signed ownership validation documentation, IDs, etc., but these thresholds should not preclude knowing the names and basic CIP information of any owners or controlling parties.