Performing due diligence on third parties can be hard. When you discover that your third party is still in diapers, however — that’s pretty much a surefire sign something is amiss.
The diaper scenario isn’t made up. Earlier this year the watchdog group Global Witness reported that 4,000 toddlers are listed as beneficial owners of companies registered in the United Kingdom.
Five individuals in the UK Companies House registry are listed as owning more than 6,000 corporate entities.
Filing a bogus corporate registration is easy to do, complete with fictional executives, fictional funding, and fictional names.
The United States is little better. Corporate ownership is registered at the state level, with Delaware leading the country in registrations specifically because creating a new legal entity is so quick and easy. We could say the same for registries in Panama, the Bahamas, and elsewhere.
Such stories are all the more unsettling to compliance professionals these days, as the May 11 deadline draws near for new customer due diligence (CDD) rules to go into effect in the United States. Those rules will require financial firms to identify and verify the beneficial owners and controllers of legal entities doing business with the firm.
At the preliminary level, companies can rely on evidence supplied by the customer about beneficial owners and controllers. That is, the person opening the account can supply the documentation you need, and that can suffice provided that your firm “has no knowledge of facts that would reasonably call into question the reliability of such information.”
That provision alone can be a big if. Other parts of the CDD rules specify that a firm must perform enough due diligence to develop a risk profile of the customer, so you can implement effective monitoring after the account is opened and detect suspicious transactions.
All of that means firms will need to perform better due diligence on customers. And as we see from the 4,000 toddlers supposedly running businesses in Britain, while screening beneficial ownership data against corporate registries is a useful first step, by no means should it be the only step.
Effective customer due diligence must be able to withstand the scrutiny of hindsight. After an adverse incident happens, somebody — a regulator, the board, an auditor, an angry public on social media — will ask, “How did this legal entity become a customer? What did your firm do to try to determine that this customer was legitimate?”
Questions in hindsight can be painful, and not always fair. Compliance officers need to answer them anyway.
First, your employees will gather that ownership information from the customer opening the account. You will also need to collect more information about, as the rules say, “the nature and purpose of customer relationships.”
Should any of that information raise suspicions, more due diligence will be required. Corporate registries are slowly becoming more useful to answer those questions, but more in-depth screens and investigations will still be part of the toolkit — probably until long after those 4,000 toddlers are grown adults in the corporate world themselves.
Eric Lochner (@ELochner1) is the President and CEO of global intelligence and software firm Steele Compliance Solutions, Inc. (@SteeleGlobal). Steele provides comprehensive third-party due diligence, software-as-a-service (SaaS) solutions that help organizations comply with regulatory third-party compliance requirements, and engaging compliance training. Eric has more than two decades of experience building successful global technology companies.