Point of View

What the new FinCEN ultimate beneficial ownership requirements really entail

In May 2018, the Financial Crimes Enforcement Network's (FinCEN) ultimate beneficial ownership (UBO) rule finally went into effect. Its new requirements, which are similar to those already in place in the European Union as the result of the EU's Third and Fourth Anti-Money Laundering (AML) Directives, are centered around using customer-provided information to identify UBOs and collecting the same basic customer identification program (CIP) data for them as is obtained from individual customers and/or signers. These new obligations for covered financial institutions (banks, credit unions, broker-dealers, futures commission merchants, mutual funds, etc.) appear to be straightforward and non-burdensome – a mere adjunct to existing customer identification and due diligence requirements.

But the UBO requirements are in fact deep and complex – and meeting them will pose significant challenges. Moreover, as is always the case, the regulatory expectations surrounding them are likely to grow. While there are numerous issues and concerns that must be thought through, covered institutions need to address eight key considerations.

1. Verification

The FinCEN rule provides that a covered institution may rely on the information on beneficial ownership status given by its customer “provided it has no knowledge of facts that would reasonably call into question the reliability of the information.” It is wise to interpret FinCEN’s caveat regarding independent verification conservatively by carefully defining the conditions under which the institution may have reason to doubt the veracity of the information and therefore need to verify the information on its own. These circumstances include apparent reluctance to provide CIP/customer due diligence (CDD) information; non-face-to-face interaction; unusual or suspicious identification documents; concern regarding a possible shell company; a private trust account or an account with major shareholding held by a trust; an account known informally to be controlled by a politically exposed person; or an account for a highly complex organization or a company based in a high-risk jurisdiction.

Additionally, when verification of identity is called for, covered institutions must determine the best means of doing so. This will require choosing from a variety of documentary, non-documentary, or combined methods – a process that should be designed and documented thoughtfully.

2. Data management

Data management is potentially the most difficult UBO challenge. In situations where verification is required, the covered institution must determine the source and method of obtaining data to identify UBOs and collect basic information on them. These data searches must be sophisticated enough to be performed globally and continuously, and include the tracking of transfers of ownership interests between jurisdictions. As no single central, comprehensive source of global UBO information exists today, an efficient and effective data search for verification will be challenging. Furthermore, many governments do not even require this information to be captured when a company is registered, and most countries, including the US, do not yet have comprehensive, authoritative public registries.

While some of the required data is available in government-sponsored and company registries, databases, or websites, these sources are large in number (for example, 50 states for just the US), potentially incomplete and inaccurate, and burdensome and costly to access on an individual basis. Other data may be available through public search engines and unstructured data sources such as Google, but the effort to obtain and integrate this data into the CDD database is challenging.

Additionally, covered institutions may need new input screens for data entry and an upgraded database structure to accommodate additional information. They must conduct data mapping, testing, and ongoing governance to make certain their systems are properly pulling down and scrubbing UBO information. The time needed for the required data enrichment, which typically leverages numerous internal and external systems, will ratchet up for an analyst, whose search for foundational documents may be further complicated by taxonomy differences across jurisdictions.

While it may be useful to identify a reputable global know your customer data collection company to help obtain the necessary UBO information, covered institutions can benefit from using advanced digital solutions to comprehensively scour worldwide public and non-public sources. These solutions should not only perform data quality and assurance checks, but also effectively identify, filter, and analyze massive amounts of information to reach meaningful conclusions and make results available in a user-friendly manner. One example of this type of digital innovation is cloud computing, which facilitates aggregating and enriching the required data.

Another key AML innovation is computer vision, which uses neural networks that mimic the processing architecture of the brain to help computers gain high-level understanding from digital images. The extension of this capability to UBO requirements can be profound in enabling the data enrichment required to extract the key attributes of a legal entity client. Computer vision allows the CDD system to perform a rapid, customized search based on government and company seals and other official indices, which are a defining visual feature of foundational documents. Moreover, this image-based strategy can be coupled with text-based methods, combining “hearing” and “seeing” for maximum performance.

3. Data analysis

Once the necessary data is obtained, it must be evaluated against the UBO requirements, including an understanding of financial ownership and control structures, and calculating ownership percentages. This may require sophisticated analysis, given the complex, multi-layered organizational structures of many legal entities. Parsing through layers of legal ownership can be difficult, particularly for shell companies, trusts, partnerships, special purpose vehicles, and other entities with complex structures.

An integral component of the data analysis process is the integration and use of modern artificial intelligence tools. One innovation that is indispensable in solving the beneficial ownership puzzle is graph analytics, a powerful method of exploring relationships between individuals, entities, and myriad other data points. Graph analytics can discern patterns in highly complex and interconnected relationships that human study alone cannot readily detect – particularly when those patterns are circular, not linear.

A clear benefit of graph analytics is its mapping capability, which allows an organization to represent its links in graphs, simplifying the process of understanding the relationships between affiliates and related entities. Storing an organizational structure in a graph database allows for deeper quantitative analytics that answer the question, “Are these two (or more) different people or entities interconnected for purposes of determining ownership or control?” This is especially valuable in situations where data is limited, such as offshore jurisdictions with restricted disclosure, recordkeeping requirements, and registries.
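The ownership calculation described in this section can be sketched as a path-sum over an ownership graph that still converges when entities hold stakes in each other. This is an added example, not code from the article or from FinCEN; the entity names, the sample holdings, and the convention of multiplying stakes along each ownership path are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: (owner, owned_entity, fraction of owned_entity held).
HOLDINGS = [
    ("HoldCoA", "OpCo", 0.60), ("HoldCoB", "OpCo", 0.40),
    ("Alice", "HoldCoA", 0.50), ("Bob", "HoldCoA", 0.20), ("Dave", "HoldCoA", 0.20),
    ("HoldCoB", "HoldCoA", 0.10),   # cross-holding: B owns part of A ...
    ("Carol", "HoldCoB", 0.80),
    ("HoldCoA", "HoldCoB", 0.20),   # ... and A owns part of B (a circular pattern)
]
PERSONS = {"Alice", "Bob", "Carol", "Dave"}  # natural persons (constructed)


def effective_stakes(holdings, target, tol=1e-12, max_iter=10_000):
    """Return each node's direct-plus-indirect stake in `target`.

    Assumed convention: a stake is the sum, over every ownership path to the
    target, of the product of the fractions along that path. Cycles are
    handled by iterating to a fixed point instead of walking paths.
    """
    out = defaultdict(list)
    for owner, owned, frac in holdings:
        out[owner].append((owned, frac))
    stake = {node: 0.0 for node in out}
    for _ in range(max_iter):
        new = {
            node: sum(f * (1.0 if owned == target else stake.get(owned, 0.0))
                      for owned, f in edges)
            for node, edges in out.items()
        }
        delta = max(abs(new[n] - stake[n]) for n in new)
        stake = new
        if delta < tol:
            return stake
    raise ValueError("no convergence; check that stakes per entity sum to <= 1")


def beneficial_owners(holdings, target, persons, threshold=0.25):
    """Natural persons whose effective stake is at or above the threshold."""
    stake = effective_stakes(holdings, target)
    return {p: round(stake[p], 4) for p in sorted(persons)
            if stake.get(p, 0.0) >= threshold}


if __name__ == "__main__":
    print(beneficial_owners(HOLDINGS, "OpCo", PERSONS))          # 25% threshold
    print(beneficial_owners(HOLDINGS, "OpCo", PERSONS, 0.10))    # lowered to 10%
```

In the sample, no person holds any of OpCo directly, yet two cross the 25% line through the holding companies, and lowering the threshold to 10% brings in two more.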

4. Development of risk-based procedures

Regulatory requirements must be interpreted and tailored to the unique businesses, structures, and risks of each organization. A covered institution may need to dramatically bolster its CDD risk-based procedures to account for the new UBO requirements. In doing so, there are numerous subjective judgments that need to be made, some of which are explicitly suggested by FinCEN. These include:

  • When is an account “opened”?
  • What constitutes a “new” account, such as rollover of a certificate of deposit?
  • Should UBO information be obtained or refreshed for certain existing high-risk clients?
  • Should the UBO threshold be lowered from 25% for certain high-risk clients (perhaps to 10%, which is the Foreign Account Tax Compliance Act “substantial owner” threshold)?
  • How is “control person” best identified, given the potential ambiguity of the “significant responsibility” designation?
  • How many control persons will routinely be identified?
  • What will be the terms under which a customer may use an account while the institution attempts to verify the customer’s identity?
  • When will an account be closed after attempts to verify a customer’s identity have failed?
  • How often should customers, especially those rated “high risk,” be required to provide information about changes in beneficial ownership?
  • FinCEN stated that it did not intend to impose “a categorical requirement to update customer information on a continuing basis.” Nonetheless, will a covered institution need to determine the risk-based triggers for updating, such as change in signer/owner information, material change in the nature of business or the size, volume or nature of transactions, and results of monitoring sanctions, PEPs, negative news, suspicious activity report (SAR) filings, and 314a requests?
  • What non-documentary methods will be used and under what circumstances?
  • Under what circumstances will a financial institution rely on existing UBO information when a new account is opened?
  • When will the institution allow reliance on another financial institution’s UBO information?

5. Onboarding

FinCEN’s new rule poses the potential for friction at account opening, as CIP information on UBOs must be obtained within a reasonable timeframe. To minimize this, all staff should be trained in the basics of the new requirements, with heightened focus on AML compliance, operations, and front-line staff. Also, customers must be educated on the new requirements and rationale for information collection and verification, as well as the documentation needed and non-documentary checks that may be used.

6. Case management

In situations where verification is required, the new UBO requirements may present a challenge to an institution’s internal workflow, reporting processes, and ability to maintain ongoing monitoring for legal entity customers and accounts. For some covered institutions, the rule entails new modules covering exception handling procedures, data sources and types, and system capture. At some point in the process, there may be a handoff to an analyst to review and certify the UBO data or to escalate determination of whether to open the account or keep it open. A strong case management system is needed to capture all UBO information in a single client profile, including related documents, and display a complete audit trail history.

7. Integration into a CDD database

UBO information does not exist in a vacuum. Covered institutions must use this data in the same way as they use other CIP information, such as for Office of Foreign Assets Control (OFAC) and other sanctions screening, currency transaction report aggregation, and customer risk ratings. UBO data needs to be integrated into the overall CDD database. The covered institution should also develop the capability to share and obtain UBO knowledge across the enterprise and its associated affiliates.

8. Pillar requirements

UBO requirements must be set within an AML program that adheres to the traditional four pillars. (CDD is now the fifth pillar.) Compliance with the FinCEN rule must be independently tested, including internal audit review. In addition to the training mentioned above, the covered institution’s control processes – including its enabling technology, and roles and responsibilities – must be updated comprehensively to incorporate the new requirements, while taking into account OFAC scanning, suspicious activity monitoring, and SAR filings. A centralized internal risk assessment and review should be conducted to identify gaps and ensure proper controls are in place to identify required form updates and tracking of their completion.

The organization must also ensure that the Bank Secrecy Act/AML officer has sufficient expertise and resources regarding UBO requirements. Furthermore, it needs to update its AML risk assessment to cover its new UBO processes, including providing a comprehensive understanding of how beneficial ownership risk is being managed and controlled throughout the entire organization.

FinCEN has made it clear that the new UBO requirements are a floor, not a ceiling, and covered financial institutions should do more in circumstances of heightened risk. This warning must be taken seriously to avoid future financial and reputational harm.

This point of view is authored by Jeff Ingber, AML Consultant at Genpact and former Fed executive.