By Daniel Bethencourt, ACAMS
November 4, 2016

Several of the world’s largest financial institutions have moved quickly to limit risks posed by their corporate clients in the six months since U.S. officials finalized a long-anticipated customer due diligence rule, while smaller lenders have treaded a rougher path towards implementation.

The measure, first pitched by the U.S. Treasury Department in 2012, establishes a fifth “pillar” in anti-money laundering compliance, explicitly requiring covered institutions to take steps to identify persons owning 25 percent or more of firms that open accounts from May 2018 onward, then verify the accuracy of data they subsequently obtain from those deemed higher-risk.

Motivated by the approaching deadline and fear of regulatory and possibly legal pitfalls, many, if not most large financial institutions are proceeding as if the rule has already taken effect, with some upgrading their compliance programs well beyond its minimum standards, an attorney who spoke on condition of anonymity told ACAMS

“They are de-banking certain entities, even before the final rule is live,” the attorney said, citing discussions with clients and other industry participants.

Fears of personal liability follow several congressional hearings and other public forums during which federal and state officials outlined their plans to more frequently target individual employees involved in regulatory and legal misconduct at their respective institutions.

In September 2015, U.S. Deputy Attorney General Sally Yates issued a memorandum instructing federal prosecutors to obtain a list of all individuals “involved in or responsible for” alleged misconduct of their employers before offering leniency to companies for cooperating with their investigations.

The apparent trend towards personal liability and more onerous risk-management expectations has motivated some institutions to implement upgrades and revisions they deem necessary to get into compliance with the rule long before May 2018, even as much remains unclear about how it will be enforced.

The federal AML examination manual hasn’t been updated to account for the new rule yet, leaving bankers and other covered institutions to guess which provisions regulators will prioritize for enforcement, said Rob Rowe, vice president and associate chief counsel with the American Bankers Association.

Compliance officers also remain unclear as to how frequently and thoroughly they must monitor existing corporate clients and identify their beneficial owners, which isn’t as clearly defined as it is for new accounts, Rowe said.

According to the rule, legal-entity holders of accounts opened before the cutoff date are technically exempted from having to identify any of their owners unless their financial institutions already require the data on a voluntary basis, as some do, or detect unusual account activity “in the course of…normal monitoring.”

In short, rather than conduct a “categorical lookback” of all existing corporate-client accounts, covered institutions should determine and vet their beneficiaries in response to certain “events,” said Sarah Runge, director of department’s Office of Strategic Policy Terrorist Financing and Financial Crimes.

“There are triggering events that will require updating of beneficial ownership information,” Runge said during a Sept. 27 panel at the ACAMS AML & Financial Crime Conference in Las Vegas.

The rule includes several hypothetical events that may trigger vetting procedures, including a change in a corporate client’s ownership or a “significant and unexplained change in customer activity” such as a sudden transfer of all funds to a previously unknown recipient based overseas.

Actual assurances and hypothetical examples aside, the rule invariably will require a “blanket review” of all existing accounts to mitigate the likelihood of an inadvertent violation, few, if any will hire additional staff to account for the heavier compliance burden, a senior compliance officer at a credit union in the Midwest said.

“The lookback is not risk-based whatsoever…it is not ambiguous, it is not gray. I think that’s where most people are going to get tripped up.”

Industry guesswork has also followed the department’s decision to allow financial institutions to rely on beneficial ownership data supplied by seemingly low to medium-risk customers absent “knowledge of facts that would reasonably call into question the reliability of the information.”

On first glance, the policy seems to provide institutions more flexibility in planning their particular approaches to complying with the rule. A more skeptical interpretation potentially sets the stage for retroactive, potentially aggressive scrutiny and second-guessing.

“The concern is there’s going to be a hindsight attack, where you don’t notice the problem up front…or nothing’s recognized until you do some Monday-morning quarterbacking,” said Lilly Thomas, senior vice president and senior regulatory counsel for the Independent Community Bankers of America, or ICBA, which represents roughly 6,000 banks.

Amid the confusion, thousands of smaller banks are now in the beginning stages of implementation and finding that training frontline staff to obtain the right details and gauge corporate-customer risk in broader terms represent the most difficult challenges, Thomas said.

“It’s not as simple as [saying] “fill this form out and be done with it,”” Thomas said.

Attempts to gauge the cost of IT upgrades required by the rule have also defied consensus. FinCEN estimated in May that the costs for small institutions “could be expected to generally be less than $10,000,” and characterized a $70,000 estimate made by one credit union as “aberrant.”

One of the smaller entities gearing up to undertake the required compliance upgrades is Canandaigua National Bank & Trust, a community lender based in Upstate New York.

The bulk of the bank’s compliance overhaul will begin in January, during which about half of the its 500 or so employees will undergo new training, said Linda Thompson, who supervises the institution’s AML program. The new rule will add five to 10 minutes to the bank’s customer-onboarding process, which currently averages 30 minutes, Thompson said.