Regulators expect financial institutions to become the gatekeepers for preventing the misuse of the financial system for activities like money laundering and terrorist financing. Therefore compliance-risk, as well as controlling integrity-risks, has become one of the most significant ongoing concerns for financial-institution executives. Tighter compliance regulations have challenged financial institutions in a variety of ways.
With global banks being hit with multi-billion Euro fines in recent years, there has certainly been a lot of indirect pressure from regulators for increased expenditure on compliance. Some believe that the surge in demand for bank compliance officers is a rapid, reactionary response as banks scramble to fill the gap in knowledge, expertise, and also manpower. The continuously changing regulatory landscape adds even more complexity.
When it comes to compliance aimed at anti-money laundering (AML) and countering the funding of terrorism (CFT), banks are facing increasing pressure on multiple fronts. On the one hand, regulators have raised the bar and their expectations when it comes to the measures applied by banks to detect, prevent and report suspicious transactions. On the other hand, shareholders and stakeholders are ever-mindful of profit margins and return on investment. The fact that the landscape continues to evolve under the guidance of, for example, the Financial Action Task Force on Money Laundering (FATF) and the Basel Committee on Banking Supervision (BCBS), as well as other regional and local legislation, complicates matters considerably. Last but not least, it is the customer that needs to undergo rigorous examination in order to see if it can withstand the test of compliance, in processes known as Customer Due Diligence (CDD) and Know Your Customer (KYC).
This could come across as if banks suddenly stopped trusting their customers, and have adopted a regime of disbelief due to a lack of trust and faith. Though understandable if perceived as such, this is absolutely not the case. The context sketched below is intended to help you understand the challenges your bank probably faces.
Know your customer: customer due diligence.
It is essential that banks know with whom they are conducting business and whom they are effecting a business transaction for. Regulations therefore impose an obligation on banks to operate an adequate CDD. Customer due diligence standards are relevant not only for ensuring the integrity of the business operations of banks as a whole, but also specifically for combating money laundering and terrorist financing. Therefore, in general, banks will need to prove to the regulators they have identified and verified the identity of customers as well as assessed and accepted the consequent risk of customers and their business. Furthermore, ongoing monitoring of customers, accounts and transactions needs to occur.
Banks find themselves caught in the middle between (i) regulators that expect them to apply wisdom and focus on the quality of compliance expenditures and (ii) cautious shareholders and stakeholders that raise concerns about controlling costs, as well as (iii) customers that may feel their privacy is invaded. It seems impossible to strike the right balance.
Yet those who adapt best may enjoy a distinct advantage. With diligent processes and screening in place, banks avoid risks that potentially have indirect adverse consequences for all customers in general. Banks that mitigate their reputational, financial and non-financial risk are less likely to have severe losses that might ultimately jeopardize services provided to their entire client base. Another advantage can be found in expediting the account opening and transaction approval process. In other words: prepare and work together with your bank, don’t try to resist it.
Insights that will help you prepare for, and master, the inevitable compliance queries.
Put in more context: customer due diligence enables banks to identify the customer, verify their identity, identify the ultimate beneficial owner of the customer and verify the ownership and control structure of the group to which a customer belongs, determine the purpose and the envisaged nature of the business relationship and investigate the source of the assets used in the business relationship or transaction. The banks look at whether the customer is acting for itself or on another party’s behalf, and whether the person concerned is the authorised representative. At the inception of a customer relationship, the banks will have to have gathered sufficient information to be able to accept the customer on the right grounds. The banks also monitor the customer’s activities during the relationship and check periodically whether the customer still meets the risk profile that was established at the commencement of services. The latter is why banks raise the same questions again that were already answered some time ago.
So what is the special focus?
Clearly the first authentication that takes place is verifying the legal existence and due establishment of the customer. Besides the obvious copies of passports, chamber of commerce extracts, Companies House extracts and/or articles of incorporation – which were seen as more than sufficient in the past – there now is a distinct focus on trying to understand and document the business relationship as a whole, and assess risk accordingly. So, for those that wish to prepare in order to expedite transactions, reviews or account openings, please give the following areas of attention some thought:
Ultimate beneficial owner.
An ultimate beneficial owner (UBO) is always a natural person. Performing customer due diligence for the UBO is a statutory requirement, since criminals often use schemes involving (foreign) legal persons as a means of concealing the criminal source of funds. This requirement can be met by having the customer state who the ultimate beneficial owner is. The bank will take adequate risk-based measures to verify the identity of the customer based on independent and reliable documents. This does not mean that the bank has a choice as to whether or not to verify the identity of the UBO depending on the risk involved: his/her identity must always be verified, but the way in which the verification is carried out will be risk-based. This means that more measures are taken with respect to high-risk customers than to low-risk customers.
The verification measures should enable the bank to obtain sufficient information to convince itself of the identity of the ultimate beneficial owner. The bank also checks whether the UBO is a Politically Exposed Person (PEP) – see the relevant section below.
Source of funds.
When entering into a relationship, the bank is required to understand the source of the funds that will be used in the business relationship or transaction. To determine the plausibility that the funds originate from a legal source, the bank may be required to perform an in-depth review and request evidence.
Where a natural person purports to act as a representative of a customer, the bank must also ascertain whether this person is authorised to represent the customer, for example where a natural person purports to act as the director of a legal person. Where a natural person claims to represent a legal person not directly but indirectly (whereby the legal person is the bank's customer), the chain of representative authority needs to be established by the bank by means of proof of this representation. If the representative is not seen in person, the bank usually develops a procedure to establish with certainty who acts for the customer and to verify that the person concerned is duly authorised. The institution could require a declaration of identity from the officers of the customer with whom it has direct contact.
Representatives can also be referred to as principals (and the consequent subset: main principals). Principals are members of a group of persons chosen to control or govern the affairs of a legal person, including CEO, CFO or treasurer. For a corporate entity, these are the members of the board of directors; for a partnership, these are all managing partners and other persons authorised to manage the partnership; for any other entity, these are the members of the managing board. In general, the CEO or Chairman of the managing board and the CFO or treasurer are considered main principals.
Politically Exposed Persons (PEPs).
Business relationships with and providing services to PEPs require additional measures as they entail a higher risk of reputational damage and other risks for banks. PEPs are understood as individuals who are or have been entrusted with prominent public functions. The definition of PEP is not just limited to individuals themselves, but also includes the immediate family members or close associates of these individuals. A review is carried out during acceptance but also during periodical reviews. During these reviews the focus will be on representatives and the ultimate beneficial owner.
International sanction regulations (especially those of the United Nations and the European Union) are transposed into local law. Infringement against these standards is deemed an offence under the relevant local law (in the Netherlands, “The Economic Offences Act”). The emphasis is on making it a criminal offence to contravene provisions that have been laid down in European Regulations. There are two types of financial sanctions: (i) an order to freeze assets and (ii) a ban or restrictions on providing financial services. These sanctions are intended to prevent undesirable transactions (embargoes) and to combat terrorism. Banks take measures to ensure that they can identify relationships that correspond with legal or natural persons as referred to in the sanctions regulations (sanction lists etc.). Banks subsequently ensure that they do not provide financial resources or services to those relationships. This is done as follows:
- Monitoring transactions against sanctions-lists and black-lists, resulting in either refusing transactions or requesting additional transaction details (background, underlying documentation etc.)
- Perform a sanction risk assessment (SRA) for customers with a so-called UHRC (Ultra High Risk Country) nexus. Customers that conduct business in countries like Iran, Sudan, Cuba, North Korea and Syria will be subject to additional research, whereby the bank will try to establish the customer's business vis-a-vis those countries. Banks will refuse to conduct business directly with UHRCs, unless the licenses and approvals issued by the relevant authorities can be produced.
- Perform an assessment based on the type of industry. So-called “High Risk Industries”, for example gambling, real estate and (uncut) diamond trade, will be researched in depth. This could also apply to so-called “Sanction Sensitive Industries”, for example oil and automotive.
- Perform an assessment based on the portfolio of products offered by the bank. Trade finance is for example seen as a product that leads to more scrutiny and increased requirements on documentation.
- Last but not least, the nature of the underlying products the customer produces will be assessed, especially so-called “Dual Goods”: goods, software and technology that can be used for both civilian and military applications and/or can contribute to the proliferation of Weapons of Mass Destruction.
Focus on special incorporation forms like Trusts.
A Trust is a foreign legal form that cannot be incorporated under all laws. For example, incorporation under Netherlands law is impossible. However, a Trust established outside the Netherlands is recognised by Netherlands law. A trust does not possess legal personality and is therefore not the party with which a business relationship is entered into or that has a transaction effected. Consequently, a trust does not qualify as a customer. The trustee is regarded as the customer. In the case of a trust, the usual steps must be taken in respect of customer due diligence, but the founders of the trust, the trustees, the protector and the beneficiaries must also be known to the bank. The customer is requested to submit a statement of their identity and the bank must be able to verify these stated identities.
In conclusion – How strict is the framework applied?
The answer, short and simple: very strict. Nowadays banks are prohibited from entering into (or continuing) a business relationship or carrying out a transaction if no customer due diligence has been performed or if the customer due diligence, including the review of the ultimate beneficial owner, has not produced the intended result. There is a statutory obligation to terminate the business relationship. Furthermore, banks may be required to report these instances to the appropriate authorities for further investigation by relevant agencies. Failure to comply will result in regulator-imposed sanctions that range from severe penalties to suspension of banking licenses (banks losing their ability to operate).
But there is a delicate balance. If compliance measures go too far (beyond regulatory requirements), it could most likely damage the relationship. It does not make sense to apply policies and regulations more rigid than intended by the regulator. The bank will therefore most likely try to ensure as much process flexibility as possible within the regulatory framework. The bank should also apply common sense in the given – specific – context. This means that the relationship manager plays an important role as trusted advisor, whereby detailed knowledge of the customer, its business and industry, is paramount in facilitating the CDD process (towards customer as well as internally within the bank). The trusted advisor will also be able to explain towards the customer in detail what criteria have led to the applied risk profile and elaborate on the background of the CDD requirements. Maintaining an open and honest dialog is probably the most sensible advice yet.