May 2018: D-Day for FinCEN Customer Due Diligence and the EU’s General Data Protection Regulation

Chief compliance officers for financial institutions are going to have a rough May 2018.

First, on May 11, 2018, the new CDD Rule for beneficial ownership becomes effective. Two weeks later, on May 25, 2018, the EU’s General Data Protection Regulation becomes effective.

FinCEN’s new Customer Due Diligence rules will have a significant impact on the collection of beneficial ownership information and on AML enforcement. Many have suggested that these rules are a welcome step toward addressing a significant problem: hiding and disguising illicit funds is relatively easy in the United States. When it comes to beneficial ownership regulations, the US is far behind the EU and its member states, including the UK, which recently started a corporate ownership registry.

Under the new regulations, certain financial institutions have to identify and verify the beneficial owners of legal entity customers. See here for FinCEN guidance.

The CDD Rule applies to all federally regulated banks, federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants and brokers in commodities. The intent behind the rules is for financial entities to identify the ultimate beneficial owner, not the nominee or straw owner.

Covered institutions are required to establish and maintain written procedures reasonably designed to identify and verify the beneficial owners of legal entity customers. Banks are required to implement procedures to identify the natural person owners of bank accounts when the account is opened (subject to certain exceptions).

A beneficial owner is defined to include each individual who, directly or indirectly, owns 25 percent or more of the equity interests of a legal entity customer, as well as a single individual with significant responsibility to control, manage or direct the legal entity customer.

The CDD Rule requires covered financial institutions to amend their existing Anti-Money Laundering programs to include risk-based procedures for conducting ongoing due diligence, which must include: understanding the nature and purpose of customer relationships; conducting ongoing monitoring to identify and report suspicious transactions; and, on a risk basis, maintaining and updating customer information.

A covered institution’s AML program has to include, at a minimum: (1) a system of internal controls; (2) independent testing; (3) designation of a compliance officer or individual(s) responsible for day-to-day compliance; (4) training for appropriate personnel; and (5) appropriate risk-based procedures for conducting ongoing CDD to understand the nature and purpose of customer relationships and to conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to maintain and update customer information.

General Data Protection Regulation

The EU’s new General Data Protection Regulation (or GDPR), which is effective May 25, 2018, sets out a new and rigorous set of data privacy requirements. If your company conducts business in the EU, you are almost certain to fall under the GDPR requirements. Global companies that collect information from EU citizens are required to comply with the GDPR.

Listen here to our recent Corruption, Crime & Compliance podcast on GDPR.

The definition of personal information is broad, and includes names, addresses, photos, email addresses, bank information, medical information and social media information. A company that conducts business with EU citizens likely collects at least some personal information, for example mailing addresses and credit card information.

Companies have to implement data protection systems, including policies and procedures for managing and protecting data. In some cases, the GDPR even requires the appointment of a senior executive, board-level position titled “Data Protection Officer,” whose responsibilities may be similar to those of a Chief Information Security Officer, or “CISO.”

While consent from EU citizens is an appropriate compliance mechanism, such consent must be affirmatively obtained and must be freely given, specific, informed and unambiguous. With respect to breach notifications, the new regulations require reporting within 72 hours.

The GDPR requires companies to pass the GDPR requirements along to third parties, including vendors and suppliers. Companies have to ensure that their third parties comply with the GDPR.

The GDPR imposes a number of compliance program requirements on companies that operate in the EU. A global company will have to conduct a risk assessment and implement processes and procedures designed to protect personal data through encryption or other mechanisms that remove or mask sensitive information.

Companies should address the GDPR compliance issue by focusing on:

  • Who is responsible for data security at your organization?
  • What types of information does your company collect and what types of information are actually needed to conduct business? How is that information stored and deleted?
  • What types of security, both physical and software-based, has your company implemented to control access to information? For example, your company likely maintains sensitive personal data about its employees, some of whom may be EU citizens. Who can access that data? If someone makes a copy of that data, can your organization detect it?

These are the types of questions that you need to be asking, and you need to work closely with your senior leadership and technology department to answer them.

The potential fines for violations are significant. For improper international transfers or violations of basic processing requirements, the fine is the higher of 4 percent of worldwide turnover or EUR 20 million; for less significant infringements, it is the higher of 2 percent of worldwide turnover or EUR 10 million.
