The heading of this piece may sound like it was ripped from the pages of the latest James Bond adventure. But with recent data breaches, shell companies, pending new regulations on data privacy and new regulations which impact financial institutions globally and the companies who serve them, there is a lot coming down the pipe in 2018.
Financial services and the vendors which support them work in a global economy. Data aggregators seemingly have non-public personal information (NPPI) data on citizens of most nations. The push to pay fintech, housing data, credit cards, securities and even luxury real estate sales all trigger a number of red flag risk concerns.
More recently, there has been huge strides to embracing blockchain technology in the movement of money. The goal to be able to move money as quickly as you can save a word document on your laptop with no middle processor in the way certainly offers some relief for those needing cash in a hurry. Therefore, with the movement of money, there will be the data components which are the digital footprints that are left behind in the tracks. The security of these footprints is of utmost concern since cybersecurity is reported as one of the key risks facing the financial services industry today.
Knowing Your Customer Is Vital
Much has been said in the last few years around Knowing Your Customer (KYC). A financial institution must have a robust Customer Information Program (CIP) in place as part of their overall compliance management system. The approach is to help combat the transfer of funds into monetary vehicles to launder money made by illegal gains.
This year, as recently as January 12th, Treasury Secretary, Steven Mnuchin, stated that he was extremely concerned with the cyber and money laundering risk presented by the use of Bitcoin and emphasized that digital wallets had the same requirement to KYC in the use of Bitcoin transactions as a bank would conduct KYC Customer Due Diligence (CDD) on account opening activities.
KYC has been at the core of sound risk management principles for a long time. Obtaining and validating information by way of fraud reports, online sources, financial statements and state-issued identification has been a common best practice in account opening for mortgage transactions since I was in short pants.
Why the Concept of “Knowing Your Vendor” Is Equally as Important in Third Party Risk Management
Ask yourself these questions to prove why it’s important to know your vendor.
- Can the vendor support your organization?
- Do they have a sound compliance infrastructure to help prevent federal consumer compliance law violations?
- Do they have experience at the executive level to lead the organization?
- Who has beneficial ownership of the third party?
- What level of risk does the use of the vendor present to your firm? Is it reputational, strategic, litigation, operational or financial?
Beneficial Ownership Rule Beginning May 11th
The Department of Treasury updated its Final Rules relating to the Bank Secrecy Act. The rules were updated to bolster CDD requirements in May 2016. The new beneficial ownership rule becomes effective on May 11th, 2018 so while this may be mainly focused on the term “Customer” this could bleed over into vendor customers or business customers of a specific service. You can read more regarding the latest update at the Fincen website.
Examples of When Beneficial Ownership Should Be Researched
- B2B Financing - Does the financial institution really know who they are lending to?
- Luxury Real Estate Transactions - There have been numerous reports of luxury real estate being sold to shell companies making the risk of money laundering significant.
- Offshore Sales - In 2017, a well-known US-based mortgage insurance company agreed to be sold to an offshore China based Conglomerate. Despite numerous hearings, this sale has not been finalized. Certainly, a review of beneficial ownership would be worthwhile given the potential access to NPPI data of US Citizens and the relationship the two nations maintain. In this example, beneficial ownership vetting would play a part in the decision-making process of engaging with this vendor.
- Private Companies - For publicly traded companies, ownership interests are usually easily identifiable, and the ownership interest trigger has been set at 25% which requires validation and further research. This becomes interesting with private organizations though, who oftentimes are reluctant to share financial statements. Under beneficial ownership, this request and denial to comply with the question may likely result in failure to be approved for account opening or deal transaction.
Key Terms to Understand Within the Beneficial Ownership Rule
Make sure you understand these terms/components related to this updated rule:
- Accounts are deemed as Checking, Savings, Certificates and Loans.
- Rule applies to Account Opening at the time of the effective date.
- The rule is not retroactive. Official guidance indicates that Beneficial Ownership is encouraged as part of ongoing monitoring should there be cause for concern but is no
- OFAC checks are required on beneficial owners. At Venminder, we check OFAC on all executive leadership regardless of beneficial ownership or control percentages.
The Importance of Understanding the Panama Papers Event
The Panama Papers event highlighted the fact that shell companies are used to hide cash, and often the identity of the true owner. The leaked documents identified more than 214,000 offshore entities and identified heads of state, known and suspected terror organizations and even famous musicians and movie stars who were involved. While some of these individuals may be looking for tax loopholes there is also a darker side to this when it applies to money laundering. While a link hasn’t been made to the beneficial ownership rule and the events leading up to the reported leak of the panama papers, it does highlight the need to look deeper in your due diligence efforts. Being associated with Panama Papers could only be perceived in a negative light.
This also highlights the importance of data security. The law firm identified for holding this data claimed that they had been hacked but the person “John Doe”, who is known to have leaked the information, claims to have been a disgruntled employee.
How Does This All Tie to Third Party Risk Management?
It’s no surprise that as risk increases new rules and best practices will emerge to help strengthen and clarify the changing regulatory compliance landscape. While the BSA/AML (Bank Secrecy Act/Anti-Money Laundering) policies are managed within the general compliance framework it’s apparent that the liaison between third party risk management and compliance can make great strides in improving the 4 pillars of AML compliance and further strengthen the CDD program.