Overview - ABA Flipbook PDF

October 3, 2014 . Policy Division . Financial Crimes Enforcement Network . P. O. Box 39 . Vienna, VA 22183 . Customer Du

---

99 Views
88 Downloads
FLIP PDF 218.25KB

DOWNLOAD FLIP

REPORT DMCA

October 3, 2014 Policy Division Financial Crimes Enforcement Network P. O. Box 39 Vienna, VA 22183 Customer Due Diligence Requirements for Financial Institutions, RIN 1506-AB25 Dear Sir or Madam: The American Bankers Association (ABA) 1 and BAFT 2 (the Associations) appreciate the opportunity to comment on the proposal by the Financial Crimes Enforcement Network (FinCEN) to clarify and strengthen customer due diligence (CDD) requirements. 3 Overview This process initially started in March 2010 when FinCEN and the prudential regulators4 issued guidance 5 “to clarify and consolidate existing regulatory expectations for obtaining beneficial ownership information for certain accounts and customer relationships.” Because that guidance raised so many questions, FinCEN issued an advanced notice of proposed rulemaking (ANPR) 6 in March 2012 to help further clarify and formalize regulatory expectations. Due to the significance of the ANPR and the concerns raised, FinCEN also held a series of five regional meetings in conjunction with other officials of the U. S. Treasury Department to discuss the proposal with interested parties. Following the comments and the outreach meetings, FinCEN modified the proposal to respond to concerns raised. The Associations appreciate the effort that FinCEN has put into the proposal. The proposal has made some significant changes from the ANPR and reflects understanding of concerns raised by our members during that comment period and the outreach meetings. Nevertheless, the proposal continues to impose substantial new costs on lawful American businesses—and the banks that seek to serve them—without 1

The American Bankers Association represents banks of all sizes and charters and is the voice for the nation’s $15 trillion banking industry and its 2 million employees. Learn more at aba.com. 2 BAFT, the leading global financial services association for international transaction banking, helps bridge solutions across financial institutions, service providers and the regulatory community that promote sound financial practices enabling innovation, efficiency, and commercial growth. BAFT engages on a wide range of topics affecting transaction banking, including trade finance, payments, and compliance. The association website is www.baft.org. 3 https://www.federalregister.gov/articles/2014/08/04/2014-18036/customer-due-diligence-requirements-for-financialinstitutions 4 The prudential regulators were the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision (now merged with the OCC), and the Securities and Exchange Commission. 5 http://www.fincen.gov/statutes_regs/guidance/html/fin-2010-g001.html 6 http://www.fincen.gov/news_room/nr/html/20120229.html

a demonstration of compensating benefits that could not be more efficiently achieved by alternative means. Despite more than four years of effort, the proposal contains no cost/benefit analysis. In particular, it fails to compare and evaluate the costs of imposing a universal data collection requirement upon the hundreds of thousands of small and medium sized family owned businesses against the sole purpose of providing state and federal law enforcement unfettered surveillance access to the details of the ownership structure of these businesses, without individualized prior notice of such access. This is all advanced in the name of international standards of transparency that are being applied in a way that supersedes American state corporation law filing requirements, and without any congressionally expressed statutory authorization or mandate. In doing so, this new level of government imposed financial surveillance through executive fiat is generally hidden from the average American business men, women, and families who are being presumptively treated as criminal shell companies until certified to the contrary. The Associations believe, moreover, that despite FinCEN’s good faith efforts to make improvements to the proposal, there remain substantial gaps between the proposal and effective implementation of the policy goals sought to be achieved. Among the steps that need to be taken are the following: • • • • • •

Further significantly reduce the number of legal entities subject to beneficial ownership data collection so that the burden falls on risky entities and not indiscriminately on average businessmen and women. Confirm that trusts, both documented and non-documented, are excluded from coverage. Similarly, exclude pension plans which are subject to Employee Retirement and Income Security Act (ERISA) 7 requirements. Confirm that financial institutions subject to the requirement are only obligated to collect the data in the certification form as well as suitable alternative formats, and that the most recent form may be accepted as current information. Permit financial institutions to maintain data at the customer relationship level and identify account opening as simply a trigger to collect the information. Clearly permit financial institutions to maintain the data in any format as long as it is available when requested by law enforcement in keeping with overall BSA compliance. 8 Before finalizing or re-proposing the rule, conduct a thorough cost/benefit analysis of the necessarily revised framework that clearly and fully evaluates its net benefit, including consideration of the costs of private sector implementation,

7The

Employee Retirement and Income Security Act of 1974, subject to oversight by the Department of Labor, provides a series of protections which make AML/CFT unnecessary and superfluous. See, e.g., http://webapps.dol.gov/dolfaq/go-dol-faq.asp?faqid=225 8 The Bank Secrecy Act, technically the Currency and Foreign Transactions Reporting Act of 1970, requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities.

2

•

and demonstrates its superiority to direct government collection requirements, and then separately publish this analysis for public notice and comment. Do not add a new fifth pillar to Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) requirements or otherwise amend 31 CFR 1010.210 or its related regulatory provisions to articulate program standards that are not proposed and adopted jointly by the federal prudential regulators. 9

Given the persistent and substantial deficiencies in the current proposal, the Associations strongly urge FinCEN to withdraw the proposal, conduct the necessary cost/benefit analysis and comparison with alternative data collection mechanisms at government disposal, and address the extensive compliance problems, such as those raised in this comment. The Associations recommend that the proposal be a jumping-off point for continued substantive dialogue. To be effective, the discussion should involve the financial institutions that are directly impacted by the proposal, the federal prudential regulators that are charged with enforcing any rules that are adopted, and businesses that are customers of the financial institutions that must supply the information. Doing so will facilitate FinCEN’s efforts to achieve a satisfactory outcome. Foundation for the Proposal According to FinCEN, the proposed rule is intended to clarify and strengthen due diligence requirements for banks, brokers or dealers in securities, mutual funds, and future commission merchants and introducing brokers in commodities. If adopted, the proposal would establish a new regulatory obligation to collect from business customers their beneficial ownership information and to conduct identification of those owners using standard Customer Identification Program (CIP) procedures (what the Associations will refer to as “follow-on CIP”). While the proposal would address the need to collect information on the natural persons behind legal entities and would make CDD requirements explicit, FinCEN estimates that the proposal would not increase or otherwise change existing obligations for financial institutions. Although FinCEN has not identified specific flaws in the existing regime, which has applied to depository institutions for more than 25 years, FinCEN asserts that clarifying and strengthening CDD requirements will advance the purpose of BSA in a number of ways: (1) enhance the ability of law enforcement to access beneficial ownership information; (2) increase the ability of various stakeholders to identify assets associated with criminals and terrorists which will help strengthen compliance with sanctions programs; (3) assist financial institutions to assess and mitigate potential risks and comply with legal requirements; (4) facilitate tax compliance, especially as it relates to the Foreign Account Tax Compliance Act (FATCA) and reciprocity with other jurisdictions; and (5) promote consistency in implementing and enforcing CDD 9The

provision for depository institutions, 31 CFR 1020.210, provides that a depository institution satisfies the antimoney laundering program requirements “if it implements and maintains an anti-money laundering program that complies with…the regulations of its Federal functional regulator governing such programs.”

3

regulatory expectations across financial sectors. However, FinCEN does not provide anything to substantiate these claims. Scope of Covered Entities FinCEN asserts that its beneficial ownership requirement is predicated on the abuse by criminals exploiting the anonymity of “legal entities”—in summary, suspect shell companies. Despite this premise, FinCEN proposes a vast data collection rule that claws within its ambit every business entity, and then paring away publicly listed companies. This leaves small, medium, and many larger businesses to bear the brunt of a rule whose supposed targets must number in fact far fewer than 1 percent of the universe of companies subject to the collection. FinCEN has not substantiated a rationale for this over inclusiveness. Contrary to the Financial Action Task Force (FATF) recommendations, FinCEN fails to eliminate from the data collection the overwhelming number of entities that are not at risk of being suspect shell companies. Consequently, the scope of covered entities would need to be reduced by several orders of magnitude before the rule could realistically and cost-effectively apply to the real targets at issue. Definition of Legal Entity Needs Refinement The Associations appreciate FinCEN’s focusing the proposal on legal entities, where a legal entity would be defined in the proposal as a corporation, limited liability company, partnership, or other similar business entity. It is appropriate to look at businesses, particularly since that is one area where additional information about the entity may be available, such as registration with the state’s Secretary of State, which permits financial institutions to confirm information about the entity. However, the definition needs further refinement. As proposed, it is too open-needed, and “similar business entity” is too vague to be useful. It creates uncertainty for financial institutions to deal with operationally while at the same time it creates unnecessary regulatory risk by leaving too much discretion to examiners to ‘second-guess’ decisions. While the conceptual focus on business enterprises is consistent with reservations about shell corporations, we recommend the definition be given additional focus. For example, it should be clear that the definition should not include sole proprietorships which are, by their very nature, owned by a single proprietor subject to direct CIP, leaving negligible room for “shell” ownership arrangements. In addition the definition should restrict the application of the rule to entities that are chartered under applicable state law and registered with the chartering state that creates the entity. The Associations believe this would be a workable first step for coverage, since it is, after all, the cornerstone of business entity CIP. 10

10

Under the current expectations set forth for depository institutions in the FFIEC Bank Secrecy Act/Anti Money Laundering Examination Manual, April 2010, at page 55, it states that, “For a ‘person’ other than an individual…the bank should obtain documents showing the legal existence of the entity, such as certified articles of incorporation, an unexpired government-issued business license, a partnership agreement, or trust instrument.”

4

Exemptions Must be Significantly Expanded Clarify proposed exemptions By starting with an expansive definition of legal entities, it is immediately necessary to pare down the scope. This reality is not lost on FinCEN, which presciently exempts entities that are exempt from CIP, 11 a point recommended by ABA in its March 2012 comment. In addition FinCEN’s proposal correctly exempts the following as having little risk of being the sought after criminal shell companies: • •

Federally regulated banks and other federally regulated financial entities; Tax-exempt charities and non-profits.

The Associations suggest refinements to both of these exemptions, as explained below. In the preamble, the proposal describes as exempt “financial institutions regulated by a federal functional regulator (i.e., federally regulated banks,…)” We understand this parenthetical to cover all nationally chartered, federally chartered and state chartered banks or savings associations as well as other financial institutions that have a federal functional regulator. This includes all federally insured depository institutions. The Associations understand that the proposed actual rule text at 1010.230(d)(2)(i) which excludes from the definition of legal entity customer “a financial institution regulated by a Federal functional regulator or a bank regulated by a State bank regulator” is not using “bank” to exclude state chartered savings associations. Clarification of this usage is requested. The Associations also urge revision to the proposed exclusion that applies to charities and non-profits. As a general rule, few financial institutions have the necessary expertise to determine whether a charity has in fact been denied tax-exempt status or has filed its most recent tax return, and front-line personnel opening accounts will be challenged to satisfy these expectations. In addition, FinCEN should recognize that this will impact many small charities maintained by local branch offices of depository institutions, such as funds for the local book drive, a small account established to collect proceeds from a Girl Scout cookie sale, a checking account for the local Little League team, and so forth. Therefore, the Associations urge FinCEN to make two changes to this exception to make it workable. First, there should be a threshold to eliminate small accounts (under $3,000) or accounts established and operated locally. Second, the financial institution should not be expected to verify that the charity is compliant with IRS regulations. Bear in mind that under its general responsibilities a financial institution would be concerned about the validity of an account and has a duty to be wary of suspicious activities, but that is not the same as hardening it as part of the beneficial

11

The excluded entities would be: a United States financial institution; federal or state government entity; entities established by federal or state governments that exercise government authority; entities whose common stocks are publicly traded; and any subsidiary of a publicly-traded company that is 51% or more owned by the publicly-traded company. The proposal cross-references existing regulations by citation. Other excluded entities include investment companies, investment advisers, an exchange or clearing agency, other entities registered with the SEC, public accounting firms, or charities or non-profits subject to certain qualifications.

5

ownership rule, a fixed requirement that will operate to discourage many worthwhile community activities. Further expand exempt entities. The Associations also recommend that FinCEN expand the list of exemptions. When FATF updated The FATF Recommendations12 in February 2012, one of the key elements was to encourage greater international cooperation to combat financial crime, money laundering, and terrorist financing. In keeping with The FATF Recommendations, the Associations urge FinCEN to adopt an approach used in other jurisdictions and exclude entities that may be organized under foreign law but that are subject to comparable oversight in their home countries. At a minimum, the list should include foreign financial institutions subject to comparable AML/CFT requirements in their home jurisdiction as well as foreign government entities, such as embassies and consulates. Using the premise that certain entities have the necessary information available, FinCEN also should exempt the following: • • • • • • • •

issuers of securities under certain Securities and Exchange Commission (SEC) rules; any majority-owned domestic subsidiary of a company listed on a U.S. stock exchange; an investment company; a registered investment adviser; an exchange or clearing company or other entity registered with the SEC; certain Commodities Future Trading Commission registered entities; a public accounting firm; or a charity or nonprofit entity.

Along the same lines, FinCEN should provide an exemption for any business accountholder organized under the laws of a jurisdiction that obtains, and makes available to law enforcement, beneficial ownership information upon incorporation or registration of the entity. In keeping with The FATF Recommendations, 13 the Associations also urge FinCEN to identify customer relationships that are low-risk that should be exempted. Among those businesses would be customers already exempt for currency transaction reporting purposes. 14 Some examples of relationships that present minimal risk – if any – for money laundering are credit cards opened by small businesses at retailers, commercial 12

http://www.fatf-gafi.org/topics/fatfrecommendations/documents/fatf-recommendations.html In the Interpretive Note to Recommendation 10 (Customer Due Diligence) of The FATF Recommendations, Item 16, p. 64 states that, “There are circumstances where the risk of money laundering or terrorist financing may be lower. In such circumstances, and provided there has been an adequate analysis of the risk by the country or by the financial institution, it could be reasonable for a country to allow its financial institutions to apply simplified CDD measures.” 14 The FFIEC BSA/AML Examination Manual, http://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2010.pdf, pp. 90-94 13

6

leasing arrangements and pension plans governed by ERISA or comparable state statutes. Indeed, any duly state licensed business entity should also be exempt as being extremely unlikely of being a suspect shell entity. By including these and other appropriate exemptions from beneficial ownership data collection, FinCEN would eliminate worthless compliance burden and help focus resources on a much smaller universe of business entities that may have a greater likelihood of material money-laundering or financial crime risk. The Associations Support Exclusion of Trust Relationships The Associations strongly support FinCEN’s exclusion of trust relationships from the definition of legal entities, a step ABA recommended in our 2012 comments. However, while the preamble indicates that the definition of “legal entity” “does not include trusts other than those that might be created through a filing with a state (e.g., statutory business trusts),” the final rule does not incorporate that language. This exclusion must be confirmed in the text of the final rule. While FinCEN asserts this is not meant to imply that a trust is low-risk, it is equally important to recognize two critical factors. First, trusts are subject to stringent state laws that require trusts and trustees to adhere to established fiduciary standards. Trusts are also subject to IRS requirements that impose an additional control on their activities. Second, by excluding trusts, FinCEN avoids capturing the many informal arrangements that are often non-documented, such as Payable on Death accounts, small accounts that pose virtually no risk of money laundering. 15 As an aside, it is important for FinCEN to understand that, unless it serves as trustee or investment advisor, many financial institutions do not retain copies of trust instruments, a step to avoid being inappropriately identified as a fiduciary. The Associations recommend that FinCEN clarify in the final rule that all trusts are exempt from the rule, with the recognition that financial institutions will take appropriate steps with respect to the activities of a trust as they would with any customer. Second, along the lines of the trust exemption, we recommend that FinCEN exclude pension plans. While many are set up in the form of trust arrangements, not all pension plans follow that structure. We believe they present little danger of money laundering, because they are established under state and federal laws, similar to ERISA, 16 that impose strict controls that minimize or eliminate the risk of money laundering. The Associations Support Exclusion of Intermediate Accounts and Pooled Accounts When developing the proposal, FinCEN assessed third-party and intermediate relationships where the customer of the bank is maintaining the account for the primary 15

The Associations urge FinCEN to recognize that many trusts do not require documentation or registration under state law. We urge FinCEN to work with the Uniform Law Commission to understand trusts better. http://www.uniformlawcommission.com/

16

Employee Retirement Income Security Act of 1974. (Pub.L. 93–406, 29 U.S.C. 18). The statute sets minimum standards for pension plans and is designed to protect employees and their beneficiaries.

7

benefit of others, such as correspondent accounts and omnibus accounts. The industry and others raised serious concerns about detrimental impacts if a financial institution were required to collect beneficial ownership information from the underlying clients. Therefore, the proposal treats the intermediary and not the underlying clients as the customer that is subject to the requirements of the proposal. The Associations fully support this approach, again with the recognition that these accounts are subject to the same type of review and monitoring as other accounts as part of an overall AML/CFT compliance program. Treating the intermediary and not the intermediary’s clients as the customer makes sense. This result should be confirmed in the rule text. FinCEN is reviewing expectations for nonexempt pooled investment vehicles operated or advised by financial institutions. Again, the Associations recommend that these vehicles be exempt from coverage under the beneficial ownership rule. If FinCEN is aware of problems associated with these accounts, those problems need to be identified. If nothing else, identification of specific problems is critical to enable financial institutions to manage the risks. Since these accounts do not operate in a vacuum, and since all account relationships are subject to general BSA and AML compliance requirements, exempting them from the beneficial ownership rule does not equate with exemption from BSA and AML standards. Beneficial Ownership Definitions – the Two Prongs There remains a series of further interpretive and other compliance issues. We discuss these below. The definition of “beneficial owner” would have two components: an ownership prong and a control prong. Each prong would be an independent test. Under the ownership prong, a beneficial owner would be an individual who, directly or indirectly, owns 25% or more of the equity interests of the legal entity. As defined by the proposal, there would never be more than four individuals who could be identified as beneficial owners. The control prong would apply to an individual with significant responsibility to control, manage, or direct a legal entity customer, such as an executive officer, senior manager, or an individual who performs similar functions. A financial institution would only need to identify a single individual, a point the Associations urge FinCEN to articulate clearly in the final rule. While there may be complex structures and ownerships, FinCEN expects financial institutions to identify the natural person who exercises control. However, FinCEN does not expect financial institutions to analyze whether individuals are acting in concert to exercise control. To respond to industry concerns and to streamline the process, financial institutions could rely on the customer’s representations to determine the beneficial owners of a legal entity. The Associations appreciate this element of the proposal, since it recognizes the serious concerns about the lack of ability to verify the status of an 8

individual as a beneficial owner, inasmuch as neither the states nor the federal government maintain registries that can be used to confirm the information. Moreover, it is not clear how the collection of information will benefit law enforcement since the information is unverified and, even if accurate, subject to change after it is collected, with no practical way for the financial institution to know it has changed. As many our members have noted, the likelihood that a criminal would provide accurate information is low. Keep the Ownership Prong and the 25% Threshold The Associations believe the proposed 25% trigger to determine whether an individual is a “beneficial owner” strikes the right balance. While some may argue that the threshold should be lower, if sufficient evidence is presented to demonstrate that a lower threshold is needed, then FinCEN can issue a notice of proposed rulemaking to lower the threshold. Where other statutes, such as the United States securities laws, rely on a lower threshold, the rationale for those thresholds is completely different and distinct from the foundations underlying the AML/CFT compliance regime. The proposal emphasizes that the proposed standards are a minimum and, for the purposes of assessing ownership, implies that financial institutions “may” want to use a 10% threshold. The Associations urge FinCEN to eliminate the alternative 10%. While we agree that, on a risk-based approach, financial institutions may – at their discretion and as part of their own risk management programs – use a level other than 25%, implying a specific alternative will be seen as an invitation for examiners and other authorities to make it a de facto expectation, only serving to confuse the actual threshold. Any reference to a specific number other than the actual threshold should be eliminated. It is also important to recognize that a 10% threshold is important for enhanced due diligence. For example, under 31 CFR 1010.610(b), the 10% threshold is applied to foreign banks as a trigger for enhanced due diligence, not customer due diligence. Moreover, international standards accept the 25% ownership threshold: the Interpretive Notes to the FATF Recommendation 10, footnote 30, uses a 25% threshold for determining controlling ownership interests. At the same time, smaller, closely-held companies are those which will be most heavily impacted by the proposed rule, and there has been nothing demonstrated to indicate the need to identify all the owners where application of the rule may be unwieldy and costly while producing little benefit. Many smaller companies, which are widely recognized as important to economic growth, and which pose virtually no danger of criminal activity, would be impacted under the rule as proposed. Overall, the Associations believe that using 10% as a threshold would be excessive. FinCEN has not demonstrated a clear need, nor articulated a valid rationale, to impose a lower threshold. At the same time, it is important to demonstrate the problems from the 25% threshold before using a lower one. Here, as so often transpires with AML/CFT expectations, the clearly demonstrated need is not presented to justify the expectations imposed on the financial sector. 9

It is important to recognize that the threshold also is associated with expectations about what financial institutions must do with the information collected. The lower the threshold, the more individuals there will be to identify and the more difficult it will be to collect necessary information. If missing information leads to an expectation to deny financial services or to increase the intrusiveness of the account opening process, this will subvert opening accounts or maintaining banking relationships, driving transactions to less efficient providers, or even off-shore or underground. Within the context of the 25% threshold, the Associations also recommend that FinCEN clarify in the final rule that financial institutions are not expected to investigate what customers may be doing to “manage” their thresholds or otherwise endeavor to stay below the 25% threshold. It would be difficult for a financial institution to determine the organizational appropriateness or “validity” of the ownership percentages. That type of investigation is much better delegated to law enforcement forensic auditors who have the expertise and the resources to make such a determination. In any event, based on the premise in the proposal that financial institutions may accept the information in the certification “as is,” representations made to the bank should be sufficient. The Associations are also concerned about the expectation that banks investigate complex corporate ownership structures to identify the individual who is the natural person behind the enterprise. Where a financial institution has reservations about the structure or the overall relationship, it will not maintain accounts or conduct business. However, as with pooled accounts, the focus should be the relationship between the entity and the bank. Going beyond that, especially when information is in other jurisdictions and not available in the United States, will be burdensome and complex. In many instances, we suspect the additional red tape will serve to drive businesses underground or off-shore. Instead, the Associations urge FinCEN to permit financial institutions to apply a risk-based approach and determine whether missing information beyond the initial customer relationship raises sufficient red flags to deny the account or transaction. 17 Here it is important to address another issue arising from the proposal. If one operates on the premise that there can be up to four owners and one control person, it means that there would be up to five individuals to subject to “follow-on” CIP per legal entity. However, if the threshold decreases to 10%, there could be as many as 11 persons subject to CIP, which adds to the effort to collect the information. The more required to identify beneficial owners, the more chances that something will be missing, increasing the costs of doing business and the potential barriers to opening an account. In either case, if a financial institution must perform “follow-on” CIP on all beneficial owners, which may not be the best use of resources, and if it cannot collect all that information

17

The Associations believe that it will be rare that a financial institution establishes an account relationship when it is not comfortable with the information available about the client. However, under the risk-based approach, and within the parameters of overall AML/CFT compliance, we recommend flexibility to allow financial institutions to make their own determination and not be constrained by a mechanical restriction.

10

at account opening, then the incorrect implication in the proposal is that the account cannot be opened or the relationship cannot be maintained. The Associations believe that this false impression must be corrected. First, the beneficial ownership data collection obligation and the “follow-on” CIP of such owners does not legally override the standards for business entity CIP. As long as a legal entity accountholder satisfies entity level CIP (or the guidance that applies to its implementation), the account is not barred from being opened. As is the case today, the financial institution going forward may still exercise discretion to decline to serve customers under its risk assessment process. But opening or maintaining an account without obtaining all beneficial ownership data and “follow-on” CIP would not be a regulatory violation of entity level CIP, and examiners should be instructed clearly that is the case. The rule should make clear that as long as financial institutions adopt reasonable procedures using a risk-based approach, accounts may be established even without complete beneficial ownership information. It would be unwarranted to disrupt established financial relationships due to an inconsequential lack of data or gap in a merely ministerial collection requirement. FinCEN must recognize that the beneficial ownership expectations do not operate in a vacuum and should not be allowed to elevate form over substance. Self-Identification of the Control Prong The Associations believe that any final rule should clearly articulate that a business entity accountholder need only identify one control person as a general proposition and that the financial institution can accept and record that self-identification as compliance with the rule. We suggest that FinCEN identify factors which should be supplied to a prospective accountholder for identifying the single control person to be reported to the financial institution. We believe that any guidance must be published for comment so that businesses and financial institutions can provide relevant input before the guidance is finalized for distribution. We also strongly recommend that the final rule specify that a determination of control is not based on title alone, although title can be used as the chief basis for initially identifying a control individual. There must be no requirement for the collecting financial institution to verify or second-guess the accountholder’s control designation. Existing Accounts The proposal would not apply to existing accounts but would only apply to new accounts that are opened after the proposal is finalized. The Associations fully support this step when implementing a new data collection system, and it should remain part of any future-revised proposal. First, this would be consistent with the CIP rules that provide the foundation for the proposal and where the current beneficial ownership expectations are found.

11

It would be extremely difficult to cover the millions of existing accounts, which fact was clearly recognized when the CIP rules were adopted under the USA PATRIOT Act and which is one of the reasons that Treasury applied CIP requirements only prospectively. It also is important to remember that existing customers have an established history with the financial institution and an established track record of minimal or effectively managed risk. FinCEN suggests, however, that financial institutions may want to obtain a certificate from existing customers when the customer’s risk profile is updated. The Associations point out that, while this may be helpful, there are several flaws with this concept. First, it sets out a vague expectation that is not clear for examiners or financial institutions as to when it is appropriate to obtain the information. Second, it is not clear how suggesting that financial institutions should obtain a certification on beneficial ownership from existing customers from time-to-time will address AML/CFT concerns or how this would repair unidentified flaws in the current risk management system. Clearly, financial institutions take steps to understand their clients and their operations, not only to prevent fraud and illicit activity, but also to serve their clients better. As presented, “encouraging” this step will only lead to confrontations between examiners and auditors and financial institutions. Therefore, we recommend that, since existing accounts have already been subjected to due diligence, any final rule apply only prospectively. New Accounts As proposed, the requirement to obtain beneficial ownership information would apply when a new account is opened. When an account is opened, a financial institution would have the customer execute a standardized Certification Form. The Certification Form would require the individual opening an account to certify, to the best of his or her knowledge, on behalf of the entity, that the information is complete and correct. The financial institution would then verify the identity of the person or persons who have been identified as the beneficial owners, using standard CIP practices. During discussions about the advanced notice of proposed rulemaking, a primary concern raised by the industry was that nothing currently exists to let a financial institution verify information about an individual’s status as beneficial owner. For example, unlike other countries, there are no registries of owners for legal entities. As a result, the proposal would not require financial institutions to verify an individual’s status as a beneficial owner. We commend FinCEN for not requiring financial institutions to achieve what is clearly beyond their information. While using a new account as a trigger for obtaining beneficial ownership information appears logical, better detail would be needed to determine what constitutes a new account. There may be many different types of relationships between a financial institution and a customer, and each may have entirely different account opening procedures tailored to the specific customer relationship. In some instances, there may 12

be a master agreement that covers the account relationship and varying sub-accounts under that relationship. For example, a bank may set up a master loan agreement with a customer to cover a variety of different needs for a commercial customer and then memorialize each draw under that with an individual sub-account that is tracked separately on the bank’s commercial loan system. Instead, we recommend a revised approach. Since the fundamental concern is the beneficial ownership of the entity and not the account, we recommend that FinCEN change the rule so that account opening or creation of a new account acts as a trigger that causes a financial institution to obtain a certification from a client, but leaves the focus on the customer relationship. For legal entity customers, this would have a number of benefits. First, commercial customers may establish a number of accounts on any given day, and collecting a certification form for each account would be timeconsuming, burdensome and provide little – if any – benefit for law enforcement. Second, in keeping with FinCEN’s concerns about existing account relationships, focusing on the relationship where a new account is a trigger to obtain the certification simplifies the process without undermining FinCEN’s goal and would also collect information on existing relationships. Certification Form The Associations appreciate the efforts FinCEN undertook to develop a model form that financial institutions can use to collect the necessary beneficial ownership information. It is especially important for the introductory language of the Certification Form to explain in plain and simple terms that this requirement is under federal regulation. The introductory language should also clearly explain that the information is collected about the beneficial owners of a legal entity that is or may be a customer of the financial institution, even though the beneficial owner has no direct relation to the financial institution. It is important to clarify the latter since many beneficial owners may not have any direct relationship with the financial institution, and it will be important that the mandate and the reason the information is required are clearly stated. To facilitate understanding of this new requirement, we also strongly encourage FinCEN to reach out to the public to explain what is being done and why it is being done to help the general public understand that this is designed to combat money laundering and terrorist financing as well as ensure the safety of the United States financial system. We also recommend that FinCEN make several adjustments to make the form more useful and to ensure it can serve the necessary purpose. We encourage FinCEN to provide an electronic version of the form or authorize financial institutions to convert the form to an electronic version to use and retain. An electronic version will let financial institutions easily circulate the form to beneficial owners who may not be present when an account is opened to collect the required information.

13

Second, it is important to recognize that application of the CIP requirements to beneficial owners will present problems that FinCEN may have overlooked. For example, one of the most common methods used by financial institutions to verify the identity of a customer using non-documentary means is to obtain a credit report on that person. However, under the Fair Credit Reporting Act, 18 to pull a credit report requires a permissible purpose. For a customer, there is a permissible purpose, but that permission does not exist for a non-customer. Therefore, in most instances, a financial institution would have to rely on documentary evidence to verify the identity of the beneficial owner. When using the Certification Form, the Associations urge FinCEN to incorporate flexibility in the final rule and let financial institutions incorporate the information required on the form into master account agreements. While the form itself is useful and a helpful compliance aid, particularly for smaller financial institutions, where there are master account relationships, a separate form does not make sense. And, if the information itself is the most important element to the beneficial ownership proposal, then financial institutions should be allowed to satisfy the requirement through information in its own databases, as long as all required information is present in bank records. To that end, we recommend that FinCEN extract from the proposed model form a list of the information that is needed to comply and make the list readily available, either as part of the final rule or posted on the FinCEN website. That will ensure that financial institutions and others have access to a list of required data, ensuring no misunderstandings about the beneficial ownership information to be collected. We urge FinCEN to recognize that alternative forms, such as the IRS Form W-8BEN, that collect much of the same information can serve as a substitute. Limit Expected Use of Information Provided by the Model Certification Form One reason that we question whether the proposal is ripe for finalization is that it does not explain what is expected for financial institutions to do with the information provided. Such unspecified elements associated with the proposal are causing significant angst for financial institution staff, especially because they anticipate that auditors and examiners will begin to fill that vacuum with their own expectations, interpretations, and steps that have not been properly vetted or discussed and that may undermine FinCEN’s goals to protect the financial system and detect and stop criminal activity. There is a very real danger that those expectations would further erode the ability of a financial institution to use judgment with respect to its customers and instead be caught in a trap of robotic compliance, contrary to the goals of the Delta Team, undermining the quality of service that banks are able to offer to their customers. For example, once a financial institution has collected the information about a beneficial owner, the guidance should clarify how OFAC regulations apply. Since the financial institution’s customer, the legal entity, is distinct from the beneficial owner, when a beneficial owner is identified on the OFAC Specially Designated Nationals (SDN) list, 18

Fair Credit Reporting Act section 604(a) – 15 USC 1681b.

14

the entity is not affected unless the beneficial owner holds greater than a 50% interest, but a match presumably heightens expectations for the financial institution to increase the risk-profile of the entity. This should be clarified in the final rule. Similarly, because the relationship is with the entity and not the beneficial owner, FinCEN should also clarify that beneficial owners per se are outside the scope of USA PATRIOT ACT section 314(a) requirements. Questions also have arisen about how information about a beneficial owner must be integrated into aggregation programs for CTR purposes. Given the complexity this will entail, we recommend that FinCEN confirm that beneficial owners are excluded from expectations for aggregating transactions for CTR purposes to the extent that beneficial owners are not also customers. FinCEN will also need to coordinate the expectations under the proposal with the prudential regulators to issue notices for comment about how this proposal will align with other regulatory compliance, such as expectations associated with legal lending limits 19 and Regulation O. 20 The Associations recommend that this be the subject of supplemental guidance through the form of Frequently Asked Questions jointly issued with the prudential regulators for comment. Tracking Beneficial Ownership Information Will Require New Systems One of the most significant changes that the proposal will impose on financial institutions, but which does not seem to be reflected in the proposal, is that financial institutions currently do not have means to track beneficial ownership information. While the information may be collected and held in some format, the type of information contemplated by the proposal is not maintained in any uniform way. During conversations with our members we have verified anecdotally that financial institutions do not have systems that track beneficial ownership, especially since many of those individuals may have no other relationship with the financial institution. At the outset, then, all financial institutions will need to upgrade systems by creating new beneficial ownership tracking systems. For many financial institutions, that will require reliance on vendors before they can implement such a system. This alone will be a significant exercise. Second, there are the actual steps needed to collect beneficial ownership information, whether through the model form or by other means. FinCEN worked collaboratively with the financial sector in developing the CIP rules, creating a workable system that has served the industry and the government. Under that approach, there are different levels of due diligence based on different account structures and relationships used for CIP, and it should be the same for the beneficial ownership rule. Similarly, the 19

See 12 CFR Part 32. “Regulation O governs any extension of credit by a member bank to an executive officer, director, or principal shareholder of that bank, of a bank holding company of which the member bank is a subsidiary, and of any other subsidiary of that bank holding company. The regulation also applies to any extension of credit by a member bank to a company controlled by a bank official and to a political or campaign committee that benefits or is controlled by an executive of the financial institution.” http://www.federalreserve.gov/bankinforeg/regocg.htm 20

15

application of the use of the form and the collection of the data from the form should not only reflect variances in different customer relationships but should also adhere to the standard risk-based approach used in so many other areas of AML/CFT compliance and be related as appropriate to factors such as a financial institution’s size, charter, and type of business. Therefore, we recommend the final rule incorporate this flexibility with respect to beneficial ownership information. Recommended Changes to the Form We also have several suggestions that we believe will help improve the form and the data collected. First, the form should include a box to identify a beneficial owner’s title; while not determinative, it is useful information to have. Second, there should be a box or line to collect the name and addresses of the entity. When collecting an address for the entity, it should be clear that it be a physical address and not a Post Office Box, consistent with the requirements of CIP. Conducting Follow-on CIP of Beneficial Owners Again, we greatly appreciate that FinCEN recognizes in the proposal that financial institutions have no means readily accessible to verify the status of beneficial ownership. This is primarily due to the fact that, unlike other countries, the United States does not have registries at either the state or federal level that maintain lists and information about the beneficial owners of legal entities. That said, we believe that the most important element for a beneficial ownership proposal to function properly and to meet the recommendations of FATF is to have such registries available. Clearly, creating such registries will require significant changes not only by the federal government but also by every state government that creates legal entities. Fundamentally, we believe as ABA pointed out in its 2012 comments on the Advanced Notice of Proposed Rulemaking21 that the obligation to provide beneficial ownership information properly belongs with the states that create these entities. 22 Alternatively, we reiterate a suggestion made in the 2012 letter: as businesses, these entities must file tax returns with the IRS, and so the IRS should be the source for the information. It is worth noting that one pending legislative proposal 23 would address the problem by granting law enforcement simple access to IRS records. While the change to state laws will be a complicated and long process, allowing law enforcement access to IRS data would be simple, straightforward, and a more effective way to obtain the information and to obtain information which is more accurate and more current. Although FinCEN has not required “verification of status” of a person named as beneficial owner, the proposal does impose a requirement for “verification of identity” of 21

http://www.aba.com/Advocacy/commentletters/Documents/CustomerDueDiligenceComments.pdf It is worth noting that this is not a new concept and has existed for well over 100 years. In August 1902, President Theodore Roosevelt pointed out the importance to maintain authority over corporations and other business entities, concluding that it should be the national government, even if that required a constitutional amendment. http://www.theodore-roosevelt.com/images/research/txtspeeches/16.txt 23 http://www.levin.senate.gov/newsroom/press/release/levin-grassley-feinstein-harkin-introduce-bill-to-combat-uscorporations-with-hidden-owners 22

16

those who are named as beneficial owners, which relies on existing CIP standards. This is what we refer to in this letter as “follow-on CIP.” While conducting follow-on CIP of a beneficial owner sounds simple in concept, as discussed previously the person may not be present at account opening, which makes obtaining identifying information challenging. However, if the primary goal is to collect the information, and since the beneficial owner is not the customer of the financial institution, we recommend that verification be applied using a risk-based approach. This is a step that also would be consistent with the FATF Recommendations. Similarly, since there is no customer relationship and since a significant percentage of customers may be foreign-based and not present at account opening, we recommend that the information collection requirement also be more flexible than CIP requirements. While obtaining a name and address for a beneficial owner should be simple, the identification number is likely to be challenging because the person is not present and that is the piece of data that will be the most vexing to collect and verify. Therefore, instead of collecting an identification number in every instance, FinCEN should let financial institutions collect this information on a reasonable basis using a risk-based approach. Limit of Customer Responsibility to Provide Valid Information It has been suggested that one of the most important reasons to conduct this exercise is that an individual supplying the information would be liable for providing false information. However, we question whether this is a useful exercise. First, at the time a prosecutor seeks to penalize the person signing the form, it may not be a simple matter to track down that individual, especially if much time has elapsed since the time the form was executed and a criminal investigation is started. Moreover, the individual executing the form may not be the primary target of a legal investigation and may only be a minor player or not even be a part of a criminal enterprise. A criminal seeking to conceal information from law enforcement and the bank is unlikely to use a key player in the criminal enterprise but is more apt to find an innocent party, a “mule,” to execute the form. Even so, and assuming the person who executed the form can be located, he or she may be able to justify the information that was provided when the Certification Form was executed and have a valid reason for certifying what he did. As a result, while the exercise will be an expensive proposition for the financial sector, the comparable benefits for law enforcement through focusing on invalid information on a Certification Form may be minimal if they exist at all. Allow Reliance among Institutions When Fulfilling CIP like Responsibilities Under CIP rules, financial institutions may rely on another financial institution for CIP compliance as long as the reliance is reasonable, as long as the second financial institution is subject to AML requirements and regulated by a federal functional regulator, and as long as the second financial institution is under contract and annually 17

certifies compliance with AML and CIP. FinCEN proposes to permit similar reliance for compliance with the beneficial ownership rule. This is a step we support. The FATF Recommendations clearly recognize the importance of reliance as a valid and viable means to identify customers and customer information. We also encourage FinCEN to explore ways to make better use of this approach to allow financial institutions to focus energies and resources more appropriately. Additional Program Challenges Updating Information While FinCEN is not proposing a requirement to update beneficial ownership information, the proposal points out that financial institutions should keep CDD information as current as possible and “update as appropriate on a risk-basis.” Financial institutions do strive to keep information current, but the vague nature of this statement in the proposal is guaranteed to engender confusion. The current expectations for beneficial ownership are part of the existing CIP rule, 24 which states that, “based on its risk assessment of a new account opened by a customer that is not an individual, the bank will obtain information about individuals with authority or control over such accounts…” The Associations are concerned that the proposal about “should update” is the epitome of the type of vague expectation that leads to “understood best practices” which in turn causes examiners and auditors to second guess what a financial institution is doing, eventually producing check-the-box compliance. It needlessly consumes resources that would be better spent focusing on detecting and deterring criminal enterprises. This raises the risk of rulemaking by examination process, which should be discouraged. Overall, though, it is a step-by-step process that moves compliance away from risk assessment and management. Past experience demonstrates that our concerns are not ill-founded. When the 2010 interagency Guidance on Obtaining and Retaining Beneficial Ownership Information 25 was published, many financial institutions reported that examiners determined that the issuance of new guidance implied that financial institutions must revise and update existing procedures. This was an expectation that grew through informal channels and became quite widespread, even though the headquarters offices of the prudential regulators assured industry that the Guidance was merely “clarification” of existing expectations. These concerns were particularly significant for the securities industry. This potential expansion of regulatory expectations by examiners and auditors by fiat has the industry much concerned. Any future re-proposed rule, therefore, must be specific about expectations and must establish parameters that avoid confusion and mission creep not vetted through notice-and-comment.

24 25

31 CFR 1020.220(a)(2)(ii)(C) http://www.fincen.gov/statutes_regs/guidance/pdf/fin-2010-g001.pdf

18

Record Retention Under the proposal, financial institutions would be expected to incorporate procedures to maintain records of all information obtained in connection with the identification and verification under these rules. Generally, information would have to be retained for a period of five years after the account has been closed. We urge FinCEN to confirm that records may be retained electronically. This would eliminate the misapprehension that the proposal implies that the Certification Form is required for each and every new account and that it must be maintained in paper format. We also urge FinCEN to let financial institutions incorporate the information into existing databases as part of their overall customer management files. As long as the information is available and accessible, that should be sufficient. Regulatory Burden The White House has identified cost-benefit analysis as a key component of any rulemaking, and there are bills in Congress that would incorporate that expectation into the U. S. Code. 26 Therefore, accurate cost-benefit calculations are important. According to FinCEN, the proposal merely clarifies existing expectations and would not add costs, and the only increase would come from the new certification requirement for new accounts. In the proposal, FinCEN estimates the following: • • • •

One hour to develop and maintain beneficial ownership procedures Twenty minutes per customer for customer certification and verification Average number of accounts opened for legal entities, industry-wide: 368 per institution per year or 1.5 per day Average cost, based on $20 per hour and 20 minutes to do the certification, would be just under $6.70 per account

However, our members have universally said that the cost estimates in the proposal are woefully inaccurate and significantly understate the costs that would result from the proposal. One member suggested that it would take four hours just to read the proposal. Only if the proposal were based on the presumption that a financial institution would merely collect the certification from a customer’s representative and do nothing further with that information would the estimated costs even approach being reasonable. To begin with, the estimates need to reflect the fact that beneficial ownership tracking will require the creation of entirely new systems to track/monitor beneficial owners, since current systems do not currently track nor do they generally have the capability of tracking beneficial ownership data. As noted, for many institutions this will require

26

See, e.g., https://www.govtrack.us/congress/bills/113/hr2593

19

reliance on vendor capabilities to develop new software programs, entailing significant service acquisition and maintenance costs. Related to the need to develop new software programs to track beneficial owners, the new systems that are developed will have to be integrated into other systems, such as case management programs, customer databases, sanctions screening programs, CTR aggregation processes, and so forth. These will require significant outlays of time and resources. A significant challenge to this is that programmers are not readily available to do the work, since many are handling other complex systems changes under provisions of the Dodd-Frank Act. 27 At the same time, it can be anticipated that as financial institutions make changes to systems to comply with the requirements, questions will arise that need quick response to meet the effective date of the proposal. Therefore, we find the estimated costs must be substantially and significantly updated to reflect realistic assumptions. Anti-Competitive and Anti-Transparency Impact FinCEN should realize that the obligation to collect and maintain beneficial ownership data falls differentially on federally insured depository institutions versus non-bank creditors and other non-bank competitors such as in the commercial leasing market. The more information that bank creditors must collect from business customers that their competitors do not works to the competitive disadvantage of those with AML compliance obligations. Customers don’t want the hassle and will look to creditors that do not ask invasive questions. Not only does this have a significant adverse business impact on our members, but it also undermines the overall transparency of the system. This is another reason to keep the data collection obligation as narrow as possible. It also reinforces why we believe that the authority chartering the legal entity should have the obligation to collect the data. Only in this manner will the playing field be level. Effective Date Since most of the changes FinCEN proposes are consistent with current practices, FinCEN believes that an effective date one year after a final rule is published gives sufficient time for financial institutions to adjust to the changes by updating procedures and systems. We do not agree with this premise. This proposal will significantly alter how financial institutions manage relations with customers and non-customers. While it is true that financial institutions do assess the risks and track customer information, imposing a standardized format means that all systems and procedures must be changed to conform to the new regulation. At a minimum, account opening procedures will have to be completely revised to take into account the need to collect beneficial ownership information—which can include customers and non-customers. While it may be collected currently in some form, the proposal applies a mandated standard. 27

The Dodd–Frank Wall Street Reform and Consumer Protection Act, Pub.L. 111–203

20

Second, as noted, the changes will require financial institutions to create new software systems for tracking beneficial ownership information. Due to the demands on programmers and the limited availability of qualified programmers, a minimum of 18 months will be needed for that alone. We suspect, though, that an 18-month timeframe is highly optimistic. In addition, the proposal does not make clear how extensively financial institutions will need to integrate these programs into other tracking systems, such as CTR aggregation tracking, sanctions screening, case management systems for suspicious activity tracking, and so forth. If existing accounts are added into the mix, the time needed to upgrade systems alone will expand exponentially. The challenges will be especially vexing for smaller institutions that rely on third party processors to provide the needed upgrades. It is important that FinCEN understand that this is not a simple change. As noted above, European financial institutions have found it particularly vexing and burdensome to adapt to comparable changes in their own countries, and based on their experience the expectations for implementation here should be much longer that what FinCEN proposes. The Associations believe that a realistic time needed to implement the proposed changes would be 24 months, and even that is likely to be optimistic in the current environment where there are so many competing system changes arising from other new regulatory requirements. De-Risking Currently, there is a very real phenomenon of “de-risking,” where financial institutions have closed account relationships and exited lines of business due to perceived or real AML/CFT risks or uncertainty. The Associations believe that FinCEN should take that into consideration when finalizing this proposal. If financial institutions do not have flexibility in how they implement these requirements, instances where information cannot be collected or where it cannot be verified are likely to lead to further “derisking,” despite admonitions from regulators. 28 Another aspect of “de-risking” that should be taken into account is the ability of law enforcement officials to open accounts for undercover purposes. Under existing expectations, law enforcement agents have faced challenges because they cannot provide valid information. With this proposal, and the renewed attention to collecting and obtaining beneficial ownership information, undercover accounts are likely to be closed for failure to meet the standards – if they are even allowed to be opened. At a larger institution, the employee who closes the account could do so in compliance with standard account procedures without knowing the true purpose of the account. Segregating accounts for special handling will not solve the problem, since that will put a spotlight on undercover accounts, to the detriment of maintaining an undercover 28

See http://www.fincen.gov/news_room/speech/pdf/20140812.pdf and http://www.occ.gov/newsissuances/speeches/2014/pub-speech-2014-39.pdf

21

operation. Although this issue has been discussed for some time without successful resolution, we believe that one significant unintended consequence of the proposal will make it much more difficult for law enforcement to establish and maintain undercover accounts. The Fifth Pillar The proposal would address the third and fourth elements of CDD 29 by amending the anti-money laundering program rules. Frequently, the specter of recent enforcement actions is raised as the reason to expand the regulatory requirements for financial institutions. However, where there has been the need to bring an enforcement action, it has almost always been a problem inherent in compliance with an existing pillar of an AML/CFT compliance program. 30 The fact that there was a failure in compliance does not compel the conclusion that there is a problem in the regulatory regime. In fact, we believe that the existing four pillars when managed properly are well-understood and, with some exceptions, have served well for many years. Without a clear and compelling need to change this system, adding new expectations only adds to burden and will create confusion. At this time we do not believe that the need has been clearly demonstrated. We therefore oppose the proposal to amend section 1020.210 and to recite standards that are independent from and not issued jointly with the prudential regulators. Proposal Covering Understanding Customer Relationships & Ongoing Monitoring The third element of the proposed CDD regulation requires financial institutions to understand the nature and purpose of customer relationships to develop a customer risk profile. FinCEN understands this takes place under current industry practices and does not intend to require modifications to existing practice. Rather, the proposal is intended to clarify existing expectations. As stated in the proposal, “FinCEN believes that in some circumstances an understanding of the nature and purpose of a customer relationship can also be developed by inherent or self-evident information about the product or customer type, or basic information about the customer.” Each case will depend on the facts and circumstances of both the institution and the customer. The fourth element of the proposed CDD regulation identified by FinCEN requires financial institutions to conduct ongoing monitoring to maintain and update customer information and identify and report suspicious activity. As with the third element, this is intended to be consistent with a financial institution’s current suspicious activity reporting and AML program requirements. However, codifying these regulatory and supervisory expectations as explicit requirements in FinCEN’s rules is asserted as 29 As set forth in the proposal, the third element of CDD is to understand the nature and purpose of a customer relationship, while the fourth element is conducting ongoing monitoring to maintain and update customer information and identify and report suspicious activity. 30 According to the FFIEC BSA/AML Examination Manual, a BSA/AML compliance program must provide for the following minimum requirements: (1) a system of internal controls to ensure ongoing compliance; (2) independent testing of BSA/AML compliance; (3) designation of an individual or individuals responsible for managing BSA compliance (BSA compliance officer); and (4) training for appropriate personnel. http://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2010.pdf, pp. 32-37

22

necessary to clarify that the minimum standards for CDD includes ongoing monitoring of all transactions. FinCEN expects financial institutions to continue their current practices but also recognize the formalized provisions in the proposal as minimum standards. According to FinCEN, the changes explicitly include these components in applicable program rules, noting that they have been “understood as necessary facets of other regulatory requirements.” However, FinCEN goes on to state that nothing should be seen as changing any existing guidance. The Associations’ Concerns & Mission Creep The Associations believe that the structure of the proposal has taken elements of enhanced due diligence (EDD) that are expected for higher risk customers and applied those expectations to standard due diligence that applies to all customers. If nothing else, there has been a steady tendency to blur the distinctions between the different steps needed for standard CDD and EDD. In fact, this tendency to blur the distinctions is the very problem that has made it difficult for money services businesses, embassies, and others to maintain relationships with financial institutions. It also contradicts the FATF expectation that there are varying levels of risk. There must be clear distinctions between risks so as to avoid slipping into the counter-productive approach of treating all customers as high risk. Unless FinCEN and the prudential regulators make it clear, examiners and auditors will err on the side of caution and apply high risk expectations to all customers. This has been an ongoing problem with money services businesses for over ten years, and, despite efforts by money services businesses and the financial sector, the problems continue because the distinctions are not made clear. Similarly, the issuance of new guidance also creates a presumption that there is a new expectation, and it is disingenuous to believe otherwise. When the 2010 interagency guidance on beneficial ownership was issued, the same expectation that the guidance was only meant to clarify existing practices was made. As happened then, and as we expect will recur, issuing a new rule will lead to expectations that there must be changes in procedures and systems. Changes to the AML/CFT Program The proposal would amend the existing FinCEN AML/CFT program rules by adding customer due diligence to the existing core requirements of existing AML program expectations, often referred to as the four pillars of an AML program; namely, (i) development of internal policies, procedures and controls; (ii) designation of a compliance officer; (iii) ongoing employee training; and (iv) an independent audit function. These four pillars are statutorily memorialized at 31 U.S.C. 5318(h) (1) and provide the foundation for the supervisory obligations of prudential regulators as recited in 12 U.S.C.1818(s). Creating a fifth pillar exceeds the statutory minimum established by Congress pertaining to the supervision of insured depository institutions. From a policy perspective, the Associations are concerned that this step will prove to be counter-productive. Currently, the elements of CDD are incorporated into the internal controls that have long served as one of the existing four pillars. Segregating it into a 23

new fifth pillar will create a host of challenges and revisions to existing systems and programs that will consume resources that could be better allocated to detecting and deterring financial crime. For example, if FinCEN creates a new fifth pillar, those elements will complicate how existing internal controls are identified and managed. Then, training programs and audit systems may have to be overhauled to identify this new fifth pillar separate from the existing four pillars in order to be certain that compliance can be documented and demonstrated. Overall, the costs associated with this exercise for financial institutions is the kind of effort that leads financial institutions to question the value of the AML/CFT efforts, because they are devoting a great deal of resources without seeing a real rationale in terms of fighting crime and terrorism, the purposes of the whole AML/CFT regime. It may seem to many compliance professionals that the new fifth pillar is an exercise in change solely for the sake of change. At this point, it is also worth noting that, to a certain extent, there is an anomaly in the expectations for monitoring that further serves to illustrate the steadily creeping expectation that financial institutions conduct law enforcement-like investigations. Generally, under existing procedures, when and if a financial institution detects something unusual during the course of normal operations it is expected to report that to FinCEN and let the government proceed to consider further enforcement effort. The proposal, as set forth, would change monitoring into active surveillance and investigation by the financial sector. Over time, there has been a steady erosion of the expectation that financial institutions maintain records to a new and inappropriate expectation that financial institutions would act in loco parentis for customers and actively investigate their activities. This proposal would be a good point to stop blurring the lines between financial institutions and law enforcement and let each sector conduct activities as they are best suited. As FinCEN has noted in other circumstances, the financial industry may not have sufficient information to conduct an independent investigation or to make a determination that something is criminal in nature. For example, one of the points that FinCEN made in discussing the feasibility of the collection of data on cross-border wire transfers was that the information on cross-border wires from financial institutions would supplement information held by law enforcement that was not available to the financial sector. 31 Expecting the financial sector to carry out the role more properly assigned to law enforcement places unnecessary burdens on the industry to operate with less than the full information, tools, and authority available to law enforcement, frustrating to both financial institutions and law enforcement officials. At the same time, especially in a time when so much attention is being given to data security and privacy, flexibility must be incorporated to recognize the restrictions those laws may place on financial institutions. For example, beneficial ownership information may not be available from certain foreign individuals under the legal regimes of their own countries. Does that automatically mean that any entity associated with those individuals is banned from the United States financial system? 31

http://www.gpo.gov/fdsys/pkg/FR-2010-09-30/pdf/2010-24417.pdf

24

Adding a new fifth pillar unilaterally also places FinCEN at odds with the prudential regulators. The Associations are concerned about the impact this will have and the confusion it will engender by creating regulatory inconsistencies. For many years, the regulatory requirements for an AML/CFT program have been consistent across agencies. Whenever a step like this is contemplated, it is done uniformly to ensure consistent treatment and common understanding. Moreover, the existing expectations and the four pillars are memorialized in statute, 32 and it is not entirely clear that FinCEN has the authority to depart from the statute by creating a new fifth pillar by regulation. The long-standing compliance by depository institutions with the existing four pillars has generally worked well. When the prudential regulators were implementing the provisions of the USA PATRIOT Act section 352, the federal banking agencies recognized that the program rules that depository institutions had in place since 1987 were working fine. FinCEN and the Treasury Department acknowledged that programs run by depository institutions were sufficient and did not need to be revised to comply with the new USA PATRIOT Act provision, since they reflected what they had been doing for well over ten years. 33 Given the confusion and the lack of demonstration how this significant change to more than 30 years of compliance with the existing expectations would improve achievement of the goals of the AML program, and given that the addition of a fifth pillar is not intended to change expectations significantly, the Associations oppose a final rule unilaterally imposed and without joint agency promulgation that would alter the current articulation of the current “four pillar” standards. Conclusion The banking industry, as it has demonstrated for decades, stands ready to work with FinCEN and the Treasury to determine whether a proper proposal on limited beneficial ownership data collection can be tailored as a workable alternative to government record-keeping. While having information about the creators and beneficial owners of business entities may be important in some instances, we believe that requiring financial institutions to collect information as proposed is premature. We also question whether relying on financial institutions, which neither create nor have authority over these legal entities, is the best solution to collect the information. Until there are registries readily available, whether state or federal, the information collection as proposed will gravitate toward a check-the-box compliance exercise producing data that will be quickly outdated and that are more rote compliance than a meaningful AML/CFT exercise. It will simply be a burden on honest law-abiding business men, women, and families and an inconsequential hurdle for the criminal element to circumvent.

32 33

31 US Code Section 5318(h) https://www.sec.gov/about/offices/ocie/aml2007/67fr21110.pdf

25

Although the full extent of the burden for American business and U.S. financial institutions cannot be calibrated without more intensive government study, it is clear that it will be extensive, while the marginal benefits to law enforcement are in considerable doubt. Until registries are available, a far better source for the information would be the Internal Revenue Service. At the same time, we are concerned that the proposal might have serious unintended consequences, particularly by causing financial institutions to “de-risk” and drive financial transactions underground or off-shore where even less data are available to law enforcement than is the case now. It is critically important when discussing anything associated with AML/CFT issues to recognize that the ability to make judgments is extremely important. Overall, the riskbased approach must be continually stressed and incorporated into all elements of AML/CFT compliance. There must be standards respecting its exercise upon which institutions can rely and that examiners will observe and not avoid by second-guessing permissible risk management judgments and the discretion necessary to make them. We reiterate our members’ interest in working with all interested stakeholders in improving on the proposal so that legitimate goals can be cost effectively achieved without undue burdens on, or invasion of, the legitimate interests of American businesses. Thank you for the opportunity to comment. Sincerely,

Robert G. Rowe, III Vice President & Associate Chief Counsel, Regulatory Compliance ABA

Tod R. Burwell President & Chief Executive Officer BAFT

26