FinCEN CDD Rule, sometimes called the Fifth Pillar of AML, became effective on May 11, 2018.

The CDD Rule has four core requirements. It requires covered financial institutions to establish and maintain written policies and procedures that are reasonably designed to (1) identify and verify the identity of customers; (2) identify and verify the identity of the beneficial owners of companies opening accounts; (3) understand the nature and purpose of customer relationships to develop customer risk profiles; and (4) conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. – FinCEN News Release

To clarify compliance and implementation of the rule, FinCEN provided two sets of FAQs.  The first was in July of 2016.  The second was in April of 2018.

There were two exemptions.  The first was on May 11, 2018, the guts of which is as follows:

The Beneficial Ownership Rule currently exempts covered financial institutions from the requirements to identify and verify the identity of the beneficial owner of legal entity customers at account opening to the extent that the legal entity customer opens the account for the purpose of financing insurance premiums and for which payments are remitted directly by the financial institution to the insurance provider or broker unless there is a possibility of cash refunds. This ruling provides exceptive relief to covered financial institutions from the requirements to collect and verify the beneficial owner of a legal entity customer opening such premium financing account when there is a possibility of a cash refund.

The second was a temporary relief announced on May 16, 2018, the guts of which are as follows:

… up to and including August 9, 2018… exceptive relief to covered financial institutions from the obligations of the Beneficial Ownership Requirements for Legal Entity Customers (31 CFR § 1010.230) (Beneficial Ownership Rule) with respect to certain financial products and services that automatically rollover or renew (i.e., certificate of deposit (CD) or loan accounts) and were established before the Beneficial Ownership Rule’s Applicability Date, May 11, 2018.

At the time of this writing, many large banks went through a review of the rule implementation recently, are in review, or will soon be in review by the Office of the Comptroller of the Currency, but these are not a coordinated horizontal industry-wide review. Banks are eager to find out how well they have done and how practical the reviews will be. The second relief is one of great concern for all banks, not just the big banks, because many products have automatic rollover or renewal, which banks do not normally consider to be a new financial product or even a new account.

GDPR Means General Data Protection Regulation

If you have been seeing Cookie Acceptance Notifications pop up on many global websites lately, it is precisely because of this 2016 EU law, which goes into effect on May 25, 2018. The law is broad in scope, but the notifications require the site user to accept the cookies being used, which documents the site user's opting in to the cookie tracking. The sites are required to be able to evidence this opt-in.

The major requirement is in the title: Data Protection. The foundational principle is that the website user owns his or her personal data that the site is collecting, so, as long as the site receives acceptance to use the data, the site also is responsible for protecting the data from data breaches. Considering the ever-growing prowess of Black Hat Hackers, many sites are opting to purge the user data. Major social networking sites are probably coming up with ways to anonymize user data.

This principle that the user owns the data that is being collected has other ramifications.  The user can request erasure of his or her data.  The user will likely be able to request all users of his or her data, however removed from the originating data collector, to provide how the data was used.  All of the rights of ownership are attached to the data.

This is quite contrary to the American legal principle of privacy, which requires sites to keep the data private, but since the site owns the user’s data, it can do what it can do with any other asset it owns.  The defense of the American legal principle is that much of the data collected are actually intellectual property.  Take, for example, demographic information.  One site may analyze my personal data and conclude that I am a social conservative while another a social liberal; the conclusion is the result of the site’s work.

The EU legal principle suggests that such work may indeed be owned by the site, but if it is derived from the user, then the user has derivative ownership of those conclusions. Essentially, it recognizes that the user’s information has economic value and, therefore, the site will have to have a valid contract to use that data.

Since the law protects all EU citizens and residents and their data, it is global in nature.  Also, if an American tourist logs in from the EU jurisdiction, the American is protected as well.  For that matter, the American would be protected if the data is harvested from the United States but it is stored or passes through the EU jurisdiction.

Some questions remain, at least for me. If a company is legally headquartered in Ireland but its activities are in Menlo Park, California, is the company treated as an EU company and, therefore, required to provide data protection for all user information going through Menlo Park because the financial results of that information are reported to the Irish tax authorities?

How about counter-terrorism efforts?

Or, does the public figure have an economic right to his or her biography published by a traditional publisher of hardcover books?

FinCEN Final CDD Rule… For Now

FinCEN CDD Rule is the shorthand for Customer Due Diligence Requirements for Financial Institutions, which FIs were supposed to have implemented by May 11, 2018. The requirement is to obtain beneficial ownership information: financial institutions will have to identify and verify the identity of any individual who owns 25 percent or more of a legal entity, and an individual who controls the legal entity, among others. At the time of this publication, May 16, 2018, the requirement also includes the collection of beneficial ownership information during product or service renewals, such as loan renewals and certificates of deposit rollovers. FIN-2018-G001 FAQ Regarding CDD Requirement for FIs, pages 9 and 10. This is the most controversial definition of a new product or service. Practically speaking, it means a short-term 1-month CD will trigger the need to collect a certification of beneficial ownership, which also includes the work of due diligence to support the certification. There is no provision to apply this on a risk basis, which means the pensioner in Wichita and a Middle Eastern correspondent bank will be treated the same for the purposes of this requirement. Obviously, FIs are awaiting any guidance on the enforcement strategy from regulators.

Update: On May 16, 2018, at around 6pm, FinCEN delayed the enforcement of this rule. Due to the unexpected interpretation by FinCEN, FIs were not ready to consider rollovers as the purchase of a new financial product. Realizing that they provided guidance far too late for FIs to comply, FinCEN is providing a 90-day limited exceptive relief. Also, as what seems to be a jab at FIs sounding the alarm, FinCEN added:

Consistent with the definition of “account” in the Customer Identification Program
(CIP) rules and subsequent interagency guidance, each time a loan is renewed or
a certificate of deposit is rolled over, the bank establishes another formal banking
relationship and a new account is created…

FinCEN understands that some covered institutions have not treated such rollovers or renewals as new accounts and have established automatic processes to continue the banking relationship with the customer.


Blog status update

Dear Reader,

You have noticed that this blog has been relatively quiet in the past year. I had ambitious plans for this blog but the demands of my work dealing with the real-world problems that are the subject of this blog have kept me from providing valuable and quality new content. Even still, this blog gets quite a bit of traffic. That is because this site has been primarily focused on educating new Anti-Money Laundering Specialists. The broader topic is Financial Crimes, which would also include Fraud, Bribery, and Sanctions. In terms of quality, I tried to provide the most important aspect of a term, laying aside nuances. This method has been very successful in educating the newly initiated Compliance Officer.

However, there has been a need to improve all aspects of this blog. I decided early on to focus on the educational aspect over all others. This meant that I would avoid nuances and technical correctness. Even with this reduced scope in audience, I have not been able to keep up.

Here is where the community can help each other. If you like sharing your knowledge, and like the idea of creating posts that answer questions people ask search engines, please, contact me. You can be part of the solution.

In the meantime, I will think about what I can do to either improve this blog or do something else with this content that will be of value.

Congratulations to those of you who have become certified or awarded degrees in the Financial Crimes Compliance field in the past year.

Yours Truly,

M. C. Maltempo, Editor-in-chief

CECL Means Current Expected Credit Loss 

On June 16, 2016, the US financial regulators, who refer to themselves as the Agencies, finalized an industry-wide implementation plan for a new accounting method for Credit Losses. The implementation is in stages and the first set of institutions are to have implemented it by January 1, 2018. The first set is made up of the largest financial institutions with a presence in the United States.

More on CECL Implementation.

Fingerprints to be tested as ‘currency’


Source: The Yomiuri Shimbun

The Japanese government started testing a system to allow foreign tourists to use their fingerprints to verify their identity and use it to make purchases. This is supposed to relieve tourists of the stresses of having to carry local currency during the 2020 Olympics. Tourists will be able to register their information at the airport. When making purchases, the tourist will be able to place two fingers onto a special scanner installed at stores. This scanner will also allow tourists to bypass the need for showing their passports when they check in to hotels, a legal requirement in Japan. The hope is that this system will help increase tourism in the country to 40 million people per year.

Obvious questions about the safety of the data and the willingness of tourists to subject themselves to something that even the locals do not have to subject themselves to are a huge impediment to this program's success.

However, Japan has been making a concerted effort to entice its people to adopt this technology. Some Japanese banks have signed on. But it has competition from other new payment tech such as Apple Pay, Samsung Pay, and Google Wallet.

Deliberately misleading, albeit technically accurate

Politico reports that three of the 21 prisoners President Obama exchanged for 5 American prisoners in last year’s deal with Iran were allegedly 

… part of an illegal procurement network supplying Iran with US-made microelectronics with applications in surface-to-air and cruise missiles…

If you, my reader, recall from last year, the Obama Administration described them as “civilians” and “businessmen”, which might be true but is completely misleading because the reason they were prisoners was their connections to terrorism.

Since they were not convicted of such crimes, I can understand a possible reluctance to label them according to their allegations, but that is a legal approach, not a national security approach. And this was/is a national security issue. 

I don’t know what the Trump Administration is planning to do about this, but the first thing I would have to consider is who and what we got back in exchange. Let’s remember that we did not just give them back people but also hundreds of millions of dollars.

I really hope we embedded RFID tags on them. It isn’t as convenient as GPS but it wouldn’t require any batteries and it wouldn’t necessarily set off any alarms. Also, maybe we somehow turned these people, making their release more valuable than their capture. 

I know this issue is not specifically an issue of financial crimes, but part of financial crimes work deals with counter-terrorism. In isolation, from the outside, the Obama Administration seems to have misled the public and possibly put us in greater danger. But there are plenty of unknowns and also the Administration’s track record of making relatively good calculations about the deals it makes. I’m hopeful, if not pleased. 

What does the budget say about our priorities?

President Trump has a budget. Many people are dissatisfied with the cuts to various agencies. The most concerning in terms of anti-money laundering and counter-terrorism is the reduction in soft power funding by way of decreasing the State Department budget. Many people are coupling this reduction with the increase in military spending. I choose not to couple it because our ability to combat money laundering and terrorism requires both hard power and soft power. The problem the US has had since 2003, when we went into Iraq, is a heavy reliance on hard power. The inability to negotiate has put the country in a position where it has to spend more on military action as negotiating strategy.

This is a terrible mistake. The Cold War told us that spending a greater portion of the national budget will bankrupt the spender and provide the upper hand to the weaker nation. 

I won’t go through how history played out. I will just give you the end: the overspender, Russia, lost. The roles have reversed, it seems. The US is increasing spending even though it already spends more than the next… Five nations? Ten nations? Instead of trying to win economically, the US will continue to let Asia climb to dominate the world stage.

Time for a shift in defense spending

The United States is in turmoil because of an incompetent administration and an impotent Congress. It does not help that the Supreme Court has become more outwardly political, choosing to be the arbiter of elections (Bush v Gore) and negotiator of legislation (classifying the Affordable Care Act as taxation). But let us remember that this is of our own making.

And both the Russians and the Chinese are quickly taking notice of our weaknesses. While we fight amongst ourselves whether we have a de facto Muslim ban in medium-high risk countries, allowing free flow of people in high-high risk countries, our infrastructure is slowly being dissected for inspection. Simply put, our energy systems are at threat from cyber attacks. 

By now, my audience already knows this. However, I want to point out a sliver of light in the darkness; our financial sector is well fortified. It is not perfect, as the last few years have shown. But because our banks are quite profitable, regulations and concerns of adequate spending on cyber defense systems are being addressed.

What we need is cyber police and cyber defense. The latter is something President Obama wanted to tackle but the long campaign trail he had to participate in derailed him from much of his agenda. It is, however, much more likely to be higher on President Trump’s agenda, if for no other reason than that there are signs that he wants to be aggressive about defense. The concern right now is that this administration intends to be aggressive without permanent advice of the top Defense officer and the top Intelligence officer. That means this administration prefers intimidation and bullying over actual defense, which requires the constant involvement of Defense and Intelligence.

The former, however, is being overlooked. We don’t have very thoughtfully implemented cyberpolicing. We rely on an outdated litigation system to resolve disputes and prosecute cyber crimes. President Obama would have been a great leader to tackle this issue since he has a background in constitutional law. Sadly, we leave it to the Trump administration, which, if its approach to the security of our nation is any indication, will favor large brand name corporations over justice.

If the new administration has not been sufficiently offended by this concerned compliance professional, then I suggest an overhaul of the defense organization. As we move toward robotic forces, human resources could be better served in the use and management of the robotic forces. The robotic forces will communicate with human resources through cyber technology. We will need a secure cyber communications system and even a cyber offensive to demobilize opponents. 

Right now is not an opportunity to get ahead. We are far behind. We spend more on our defense than the next 10 top defenses combined and yet they are moving ahead of us in this regard because we have had two administrations that were too concerned with now and not concerned enough about the future.

A year after Bangladesh

A year ago, Bangladesh Central Bank was attacked. Its SWIFT networking credentials were stolen by malware specifically designed to do so. SWIFT is the messaging system used between banks to transfer money and other assets. The attackers were able to get away with $81 million.

The details are much more troubling. The malware had information about the specific brand of printer the bank used. This meant the malware was targeting not only SWIFT's logging system but the BCB itself. And it was doing so with likely help from insiders.

Even more troubling is the context. This happened in Vietnam and Ecuador as well. It is believed to be part of a broader campaign to attack the biggest institutions.

The saving grace was that the Federal Reserve Bank of New York did not process all of the 35 payments because it could only confirm five. But this still meant $101 million was transferred. Had all of them processed through, $951 million would have been taken out. Then, $81 million was sent to Philippine casinos and $20 million to Pan Asia Bank in Sri Lanka, the latter having found the funds to be suspicious and not released them. Less than a tenth of the originally stolen funds were actually stolen. The thing is, the denominator is so large that this theft still goes down as one of the largest bank robberies in history.

The consulting firms are all trying to provide actionable advice, but it is pretty clear what has to get done: improve controls around insider information and communications, centralize financial crimes units, centralize data, improve cybersecurity, and develop transaction approval standards. Much easier said than done, though. Imagine trying to control the insider information flows while centralizing the data to improve oversight across the data. The key to all of this is the one thing consulting firms are not really saying, probably because it isn’t an area where they can compete: people. Training and education of the workforce for skills, awareness, experience, and encouraging action is where trust and competence are built. With it, everything else can be built.