Legal Solutions | USA
Financial institutions will soon need to comply with new U.S. Treasury Department rules applying to any parties qualifying as “ultimate beneficial owners” (UBOs). Still unknown, however, is how these new reporting obligations will affect existing client relations and how high a hurdle they could present for new clients, particularly those located overseas.
Starting in May 2018, complying with the Customer Due Diligence (CDD) rule will require a financial institution to change how it collects customer data. Financial institutions will need to verify identities of all beneficial owners with 25% or more equity interest in legal entity clients. According to the Treasury’s Financial Crimes Enforcement Network (FinCEN), financial institutions can obtain the information on a standard certification form or “by any other means that comply with the substantive requirements of this obligation.”
However, many beneficial owners could turn out to have no connection with the financial institution. “The UBO may or may not be a customer of the bank,” says Rob Rowe, Vice President and Associate Chief Counsel, Regulatory Compliance, at the American Bankers Association. “Now you’ve got a new name that’s popped up, and is connected to your customer.”
“The challenge is – how do you track that? Now that you’ve got a name, what do you do with it?” he adds. Banks will have to conduct Office of Foreign Assets Control (OFAC) scans on all beneficial owners as well as many other searches. “What happens if you find the name is on the SDN [Specially Designated Nationals and Blocked Persons] List? What happens if this UBO is involved in some type of crime ring? What happens to your client relationship then? Those are questions that haven’t been answered yet.”
Complying with the new Treasury rules should help banks resolve issues they may have been ignoring. “It has been an issue – the [information] on some legal entity accounts has been pretty bad,” says Brett Wolf, Anti-Money-Laundering Analyst at Thomson Reuters Regulatory Intelligence. One regulatory source told Wolf that they knew of banks whose customer files sometimes “had nothing but a phone number, not even a name. That could make for an interesting conversation when you dialed the number.”
“There were problems that needed to be addressed. The banks needed to clean up their data anyway,” he adds.
The issue of privacy could strain client relationships, as a client may find the greater depth of questioning obtrusive.
While compliance with FinCEN rules will be a multi-departmental task, it will present particular challenges for a bank’s customer relations and marketing departments next year. The issue of privacy, for example, could strain client relationships, as a client may find the greater depth of questioning obtrusive. “Say there’s a person who comes in to open an account for a commercial enterprise,” Rowe says. “Now they’ll need to provide all of this information that we always tell people not to give out, because of identity theft concerns.”
It’s a good idea for financial institutions to be open with customers about the new obligations and empathize with their frustrations, he adds. “Banks need to explain to customers that ‘we’re not doing this to annoy you or to make your life difficult, we’re doing this because the government requires us to.’” Warning clients as early as possible about impending changes in documentation is a good strategy, rather than blindsiding them when they try to open a new account after next May.
A bank should be ready to demonstrate in detail to prospective clients what it will do to preserve their data privacy. If a bank has rolled out new measures such as heightened encryption or greater server protections, that should be highlighted in marketing materials and mentioned early in conversations with prospective clients, for example.
Clients domiciled overseas pose a unique problem. While domestic companies may find the “kind of questions they get asked by banks to be a little more intrusive and comprehensive than they used to be, usually the pushback will come from overseas companies, because they may not be familiar with our requirements,” Rowe asks. Also, countries such as Canada or France have strict rules concerning how data can be transferred and shared. Cloud server providers have to maintain multiple backups in such countries because they legally can’t transfer their data across the country’s border if they’re hit by a data breach.
“What happens when the headquarters of a company is based in a country where they cannot give out that kind of information? If the local law prohibits it, what do you do then?” Rowe says. “Theoretically, the bank would then have to tell the client, ‘we can’t open the account.’ That question has not really been answered.”
One possible upside is that compiling more accurate and detailed information on clients will enable financial institutions to serve them in improved ways. “If there’s a silver lining, it’s that they will know their customers better, so they could up-sell or cross-sell them, possibly make some use of the information that they’re collecting,” Rowe says. “But I think the overall mood is still a negative one. No one’s happy about having to do this.”
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.