On February 7, 2018, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance and Inspections (“OCIE”) issued its National Examination Program Examination Priorities (“Exam Priorities Report”). The Exam Priorities Report confirms that the SEC will continue to focus on anti-money laundering (“AML”) programs in 2018. Two of the three areas of focus are areas that OCIE typically reviews: (a) timely, complete and accurate SAR filings; and (b) robustness and timeliness of independent testing. The third area of focus is new and relates to the fifth pillar AML program requirement established by the Department of the Treasury’s Financial Crimes Enforcement Network’s (“FinCEN”) Final Rule on Customer Due Diligence for Financial Institutions (“CDD Rule”). Firms are required to implement the CDD Rule by May 11, 2018.[1]
The New Fifth Pillar
There are currently four AML program pillars: (a) development of internal policies, procedures and controls; (b) designation of a compliance officer; (c) an ongoing employee training program; and (d) an independent audit. Beginning on May 11, 2018, firms’ AML programs must include a fifth pillar which consists of the implementation and maintenance of appropriate risk-based procedures for conducting ongoing customer due diligence that include, but are not limited to: (a) understanding the nature and purpose of a customer relationship for the purpose of developing a customer risk profile; and (b) conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. Regulators view AML program pillars as critical and fundamental to an effective AML program.
The Fifth Pillar’s Customer Risk Rating and Nature and Purpose Requirement
The new fifth pillar requires that firms understand the nature and purpose of a customer relationship in order to establish a customer risk profile. A customer’s risk profile is used to develop a baseline against which customer activity may be assessed for the purpose of detecting and reporting suspicious activity. FinCEN has indicated that an understanding of the type of transactions in which a particular customer would normally be expected to engage necessarily requires an understanding of the nature and purpose of the customer relationship.
The CDD Rule itself does not indicate how firms should establish a customer’s risk rating or the nature and purpose of a customer relationship. The Federal Register commentary indicates that a customer’s risk profile could include basic information about the customer such as annual income, net worth, domicile and principal occupation or business, as well as, in the case of longstanding customers, the customer’s history of activity. The Federal Register commentary further states that in some cases the nature and purpose of a customer relationship can be based on self-evident information about the type of customer, type of account and types of products and services. As of February 8, 2018, no other guidance has been issued.
The Fifth Pillar’s Updating Customer Information and Risk Profile Requirement
The fifth pillar formalizes firms’ obligations to update customer information, including changes in beneficial ownership, when the firm detects information relevant to updating the risk profile and re-evaluating the risk during ordinary monitoring. This requirement is not a categorical requirement to update a customer’s beneficial ownership information on a continuous and ongoing basis. Instead, the obligation to update a customer’s information is event-driven and trigger-based. The Federal Register commentary provides examples of events or triggers that should prompt firms to review a customer, update the customer’s information if needed, and reassess the risk. One example is a significant and unexplained change in a customer’s activity, such as executing cross-border wire transfers for no apparent reason. Another example is a significant change in the volume of activity without explanation, and the unexpected transfer of all funds in a legal entity customer’s account to a previously unknown individual. As of February 8, 2018, no other guidance has been issued.
Regulatory Risk Associated with Fifth Pillar Implementation and Mitigating that Risk
Unlike other aspects of the CDD Rule,[2] the fifth pillar requirement is not prescriptive and is subject to interpretation. As a result, firms and their regulators could have markedly different views on how to comply with the fifth pillar. To mitigate regulatory risk, firms should be prepared to demonstrate to OCIE and other examiners that their implementation of the fifth pillar was reasonable, even if there are differences of opinion as to how it should have been implemented. In particular, firms should be in a position to demonstrate that there was a strong governance framework for the implementation project, that key decisions were made by senior management, and what the rationale was behind each implementation decision. All of the foregoing should be fully documented in anticipation of providing it to OCIE or other examiners.
[1] Customer Due Diligence Requirements for Financial Institutions, 81 Fed. Reg. 29,398 (May 11, 2016), https://www.gpo.gov/fdsys/pkg/FR-2016-05-11/pdf/2016-10567.pdf.
[2] The other aspect of the CDD Rule is more prescriptive. Specifically, firms must also comply with the identification and verification of zero to four natural person beneficial owners of legal entity customers, as well as a natural person control person with significant responsibility to control, manage, or direct a legal entity customer, including executive officers and senior managers.