FIBA 2014 AML Compliance Conference

Customer Due Diligence and Beneficial Ownership: Almost Two Years After the Advance Notice of Proposed Rulemaking

Miami, Florida

February 21, 2014

James Cummans, Vice President, BSA/AML Operations, TCF Bank

Sarah K. Runge, Director, Office of Strategic Policy, Terrorist Financing and Financial Crimes, U.S. Department of the Treasury

James D. Stubbs, Managing Director, Deputy Head of AML, Citigroup

Kimberly Rhodes, SVP, Director AML Compliance, SunTrust Bank

Alfredo Aguila, Head of Compliance for Global Private Banking, Asset Management and Insurance, Santander Group, Spain

Amy G. Rudnick, Partner, Gibson, Dunn & Crutcher LLP

Post on 21-Apr-2020


Overview – Part I

• The Current Regulatory Framework and Risk-Based Approach to Customer Due Diligence

• The Approaches of Different Banking Organizations

• Compliance Organizational Structures

• CDD Policies and Programs

• Risk Scoring and Assessments

• Due Diligence Processes and Procedures

• Beneficial Ownership and Controlling Persons

Overview – Part II

• The Advanced Notice of Proposed Rulemaking

• Current Status and Process

• Take-Aways from Comment Letters and the Regional Roundtable Meetings

• Key Issues and Challenges

• A Risk-Based and/or A One-Size-Fits-All Approach

• Beneficial Ownership

• Definition

• Verification: Ownership vs. Identity

• Self Certifications

• Exemptions

Customer Due Diligence &

Beneficial Ownership

James Cummans

VP-BSA/AML Operations

Minneapolis, MN

TCF National Bank Overview

• $18.4 Billion in assets

• Eight States (Minnesota, Illinois, Michigan, Colorado, Wisconsin, Indiana, South Dakota, Arizona)

• 430 Branches

• Provide commercial leasing and equipment finance in 50 states, commercial inventory finance in the U.S. and Canada and indirect auto finance in 40+ states

• 2.6 million customers (TCF and subsidiaries)

TCF Financial Intelligence Unit Structure

• Financial Crimes Control Services (Loss Prevention)

• Anti-Money Laundering Investigations

• Customer Due Diligence (OFAC, BSA Closure List, PEP, 314(a), etc.)

• Enhanced Due Diligence (High Risk Monitoring)

• BSA Program Governance

• Quality Control

• New Account Screening (CIP Validation)

• BSA Technology

• LE Team

Executive Vice President

Chief Risk Officer

TCF Bank

Financial Intelligence Unit

Senior Vice President

BSA/AML/OFAC Officer

Vice President

FCCS Operations

Vice President

BSA/AML Operations

Manager CDD, EDD, New Acct Openings

Manager

Program Governance

Manager

Program Governance

Trainer

Program Governance

Manager

Law Enforcement & Closure

Executive Assistant

Manager

FCCS

Manager

BSA Investigations

Vice President

Program Governance

Manager

Technology & Projects

VP BSA/AML Operations

TCF Bank

Financial Intelligence Unit

Customer & Enhanced Due Diligence

Manager Customer & Enhanced Due Diligence

Supervisor

EDD Stage 2

Supervisor

CDD / CTRs

Supervisor

New Account Screening

Supervisor

EDD Stage 1

NAS Investigator

12 Analysts

CDD

Team Lead

7 Analysts

CTRs

4 Analysts

CTR Quality Control

1 QC

Document Retrieval

1 Analysts

AML SAR Team

2 QC

EDD Stage 1

10 Analysts

EDD Stage 2

10 Analysts

EDD Quality Control

2 QC

CDD & Managing Customer Risk

• CIP verification through independent sources & tools

• Individual and account level questions scored = combined score

• List screening (OFAC, BSA Closure list, PEP, 314(a), etc.)

• Review of risk scoring (individual and account level)

• Closure team, monitoring after determination of risk level, downgrade, escalation to AML, questionnaire

• Deposit and non-deposit risk ranking

CDD Process

• Alert Verification

• Banking profile

- CIP

- ID Type

- Citizenship/Country

- Wealth & Occupation

- CTR Exemption

- Primary reason for escalation (review of scoring template)

- Geography (do not bank transactional accounts outside our profile, include HIDTA/HIFCA scoring)

- Occupation

- Source of wealth

- Purpose of the account

- Scoring of all individuals affiliated with the account(s)

- Prohibited account questions (ends acct. opening – TPPP, MSB, international car shipping, medical marijuana)

- Place of business

- Type of Business Formation

- Length of business establishment

- Anticipated activity questions

- Account Titles

- Type

- Balance

- Opening Dates

- Line of Business

- Purpose

- Signers/Borrowers/Guarantors/Beneficial Owners

- Conducted for open and closed relationships

CDD Process continued

• Customer profile – reputational risk/negative news screening

• Product/Account – anticipated activity analysis and analyst narrative

• Questionnaires (specific or product based)

• Analyst decision

• QC – Management review

• Risk level and review intervals assigned

• Ongoing due diligence of downgraded customers (medium or low)

• Closure process

• Map scoring to suspicious account monitoring systems

CDD/EDD Alert types

• System – new account opening

• Upgrade, downgrade

• Internal referral (SAR, list screening, >2 SAR report, etc.)

• Law enforcement (314(a) match, GJS, NSL, request to maintain relationship)

• Ongoing monitoring report

• Interval reviews

Risk Levels and Review Intervals

• Low: actual activity reviewed every 6 months via ongoing monitoring report

• Mod: actual activity reviewed every 6 months via ongoing monitoring report

• High Low: annual comprehensive review

• High Mod: annual comprehensive review and 6 month periodic review (periodic may be limited or comprehensive depending upon analysis)

• High High: annual comprehensive review, 4 month periodic review (periodic may be limited or comprehensive depending upon analysis)

Beneficial Ownership

• Utilizing the proposed rule making definition: “…an individual who has a level of control over, or entitlement to, the funds or assets in the account that, as a practical matter, enables the individual, directly or indirectly, to control, manage or direct the account.”

• Shareholders at 25% or >

• Account owners/signers/controllers at 100%

• High risk customers (as defined by TCF) at 100%

• For all “beneficial owners” we plan to apply a CIP standard

• Differentiate in our customer databases/mainframe to identify who has release of information rights, mailing, disclosures and transaction rights

• Go forward or maintenance interaction only at this time

• 30 day response request letter to “beneficial owner” to provide full CIP w/ account restriction until supplied

SunTrust Bank – Customer Due Diligence Beneficial Ownership 2 years after ANPR, FIBA Conference 20-21 February 2014

Kimberly Rhodes

BSA/AML Director

SunTrust Bank

303 Peachtree Street, N.E.

Atlanta, Ga. 30308

About SunTrust

SunTrust Banks, Inc. (the “Company”) is a regional financial institution, servicing a broad range of consumer, commercial, corporate and institutional clients. As of December 31, 2013, SunTrust had total assets of approximately $175 billion and total deposits of approximately $130 billion. Through its flagship subsidiary, SunTrust Bank, the Company operates an extensive branch and ATM network throughout the Southeastern and Mid-Atlantic United States and a full array of technology-based, 24-hour delivery channels. The Company also serves clients in selected markets nationally. Its primary businesses include deposit, credit, and trust and investment management services. Through various subsidiaries, the Company provides mortgage banking, insurance, brokerage, equipment leasing, and capital markets services.

AML Compliance Organizational Structure

While establishing policies and broad procedures for conducting customer due diligence is the responsibility of the central AML function in the institution, execution of the customer due diligence is accomplished by each line of business and, specifically, each relationship manager overseeing the relationship with that customer. Procedures differ from sub-line to sub-line, depending upon the level of risk involved. There are several common elements, including gathering basic CIP information and verifying that information; however, requirements for due diligence beyond this depend, in large part, on the product or service being used, the client type and the geographies in which the client operates or the product and service are used. Questionnaires, certifications and, in some cases, indemnities are tailored to meet many different situations.

Example: the CIP Checklist for Global Trade Solutions is far more extensive than the Know Your Customer Form for personal accounts in retail.

Risk Factors used in Risk Scoring

Current Risk Factors –

• Geography – physical and permanent residence geographies, headquarters geography, parent company geography, geographies of business activity/operation

• Products/Services – including volumes of expected foreign transaction activity and assets held at SunTrust

• Client information – occupation/industry, length of relationship with the bank, residency status, parent company, entity type, political exposure

Future Risk Factors –

• Geography – physical and permanent residence geographies, headquarters geography, parent company geography, geographies of business activity/operation

• Products/Services – including expected transaction activity in high risk products & services, and assets held at SunTrust

• Client information – occupation/industry, length of relationship with the bank, residency status, parent company, entity type, political exposure, channel of opening

Risk Scoring and Risk Assessment

Maintain a low risk, high risk, automatic high risk and prohibited scale of categorizing clients, products, services and geographies.

Prohibited customer types include:

• Any listed SDN or Blocked Person

• Any entity or individual that is otherwise the target of an economic sanctions program administered by OFAC

• A shell bank

• Money Services Businesses (“MSBs”)

• Politically Exposed Persons (“PEPs”)

• Casas de Cambio and Exchange Houses

• Foreign Embassies and Consulates or Foreign Government/Agencies

• Foreign Financial Institutions located in automatic high risk or prohibited jurisdictions

• Corporations with bearer shares

• Telemarketers with accounts through which their customer transactions are processed

Beneficial Ownership

Currently, SunTrust uses a risk based methodology for determining levels of beneficial ownership of juridical persons. For example, third party payment processors are an automatic high risk client type and require identification of beneficial ownership at the 5% ownership level. Beneficial ownership information gathered consists of name, country of permanent residence and, if available, physical address. Other automatic high risk client types include foreign financial institutions, non-resident aliens with assets on deposit or managed in excess of $500k and Private Investment Companies.

High risk accounts, due to risk scoring, by contrast only require identification of beneficial ownership at the 15% level of equity ownership, but require name, country of permanent residence and, if available, physical address.

Future state: SunTrust is automating the RAF/EDD collection process, which will enable SunTrust to begin collecting beneficial ownership for all clients at all risk levels at the 10% beneficial ownership level, with exceptions for those riskier clients that will require beneficial ownership information at lower levels (e.g. third party payment processors, as described above).

Beneficial Ownership – Use of Information

Verification of Information. The value of beneficial ownership information is, largely, dependent upon the honesty of the person giving you the information. With respect to private companies, the books and records of the company are maintained by the company and may be changed at any time. Even with publicly traded companies, absent expensive surveys, verification of ownership is of transitory value. There is no repository whereby assertions about ownership may be verified or authenticated.

Diligence conducted with Beneficial Ownership Information

• Current state: Scan information against OFAC list and list service to identify PEPs, etc., based on risk level

• Future state: Scan all information against OFAC list and eventually a list service to identify PEPs, etc.

Controlling Parties and Frequency of Review

Controlling parties are considered those that fund an organization. Controlling party information is gathered on a risk basis, e.g. with respect to Non-Governmental Organizations (“NGOs”), due diligence requires identification and review of the top five contributors or grantors to the NGO. Review of the information includes OFAC and World-Check review.

Reviews of Due Diligence:

• Current State: Reviews are done on a periodic (at least annual) basis with respect to high risk clients. Transaction activity can trigger an earlier review for high risk clients or an initial review for low risk clients.

• Future State: Reviews will be done the earlier of (a) whenever a client uses a new product or service or (b) a predetermined schedule. The schedule for review will be shorter for those clients, products, services or geographies with greater risk; longer for lower risk.

Risk Rating and Transaction Monitoring

Current State: Increased scrutiny is given to events and deviations in transaction value and volume monitoring of high risk clients.

Future state: Anticipate transaction activity will also trigger out-of-cycle due diligence reviews if deviating from the expected activity information gathered from the client at on-boarding.

Concern we will monitor: Clients seldom accurately predict expected activity, not for nefarious reasons, but because clients pay little attention to such detail. Concerns that future state monitoring will require excessive infrastructure not commensurate with the risk involved.

Concerns with ANPR

Capturing Beneficial Ownership is of very limited benefit

• As previously mentioned, independent verification of beneficial ownership of juridical entities is an impossibility. There is no public registry of ownership against which to test information received. Books and records are managed by the company itself and, even if the information you review is all the books and records of the company, nothing prevents the company from changing ownership of the company the next day.

• The value of the information is dependent upon the honesty of the person giving the information. Our experience is that those seeking to abuse the financial system tend to be the least honest.

• Absent a universal rule applicable to banks, those undertaking methods to capture this information are perceived publicly as less customer friendly and those seeking to abuse the system find the path of least resistance.

Global OneKYC Program

Citi’s global bank for consumers and businesses represents Citi’s core franchises.

Citi provides products and services to approximately 200 million customers leveraging Citigroup’s global network, including many of the world’s emerging economies.

Citicorp is physically present in approximately 100 countries, many for over 100 years, and offers services in over 160 countries and jurisdictions.

Citi serves the broad financial services needs of its large multinational clients as well as retail, private banking, commercial, public sector and institutional clients around the world.

At December 31, 2012, Citicorp had $1.7 trillion of assets and $863 billion of deposits, representing 92% of Citi’s total assets and 93% of its deposits.

Global KYC Policy

OneKYC

OneKYC Program

The OneKYC operating model identifies the types of participation across functions in completing the component pieces of Citi’s AML Program.

[Figure: OneKYC operating model. Key: Compliance, Business, Operations, Technology, Internal Audit, Other.]

Program Standards: Policy, Control Standards, Global AML Training

Program Design & Maintenance: Framework, Tools / Tech, Training, Management & Oversight, Issue ID & Resolution, Threshold Maintenance

BAU Program Execution: CIP, CDD / EDD, Sanctions Screening, Name Screening, Periodic Review, Risk Evaluation

Program Reporting(1): CAPS / Reporting / Metrics

Other labels in the figure: Control / Oversight, QA, Compliance Testing, Audit, Program Management, Project Management

(1) “Program Reporting” represents tasks for each function in “Program Execution”, but is called out separately to illustrate interaction with other categories.

Note: Accountability represented for each function is approximated based on the accountability across all tasks within the subgroup.

1. Policy/Standards, etc. are drafted and maintained.

2. Using items defined in Step 1, programs are developed and maintained by the function.

3. Tasks are executed with support from functions.

4. CAPS, reports, and metrics inform Policy, etc.

5. Testing is performed against each function with results informing Program Design & Maintenance and CAPS.

6. Continuous Program monitoring and communication across business sector. Track and resolve issues across Business, functions, regions, escalate as appropriate.

Program Overview

OneKYC

The central guiding principle of the program is to move from current Sector-centric KYC processes and systems to a Client-centric, “One-Bank” approach where clients of the same type are treated consistently regardless of which business services them:

• Today, AML client types are addressed differently based on which business/region owns the client.

• Client risk-ratings may be different in various countries or business units.

Commercial Banking

Client Categories

Private Bank

Retail

International Personal Banking

Capital Markets

Global Banking

Transaction Services ICG

GCB

Consumer Mass Market

Individuals

Wealth-holding Vehicles

Ultra High Net Worth Private Client

Private Client USD 10MM - 1MM, RM

Higher Affluence Private Client

Corp. Not-For-Profit

Corp. Xlarge > USD100MM Revenues

Corp. Large USD 100MM - 25MM Revenues

Government

Embassy

Corporations

Corp. Medium USD 25MM - 2MM Revenues

Corp. Small < USD 2MM Revenues

Financial Institutions - Bank

Financial Institutions - non-Bank

Funds

MSB / Corps. Providing Remittance Services

FIs

Governments

Global OneKYC Policy

Guiding Principle

Global KYC Policy

OneKYC

Global OneKYC Policy

Individuals

Mass Market Retail

Higher Affluence

Private Client

Ultra High Net Worth PC

Wealth-Holding Vehicles

Corporations

Small

Medium

Large

Extra Large

Not-for-Profits

Financial Institutions

Banks

Non-Banks

MSBs

Funds

Govts./Embassies

Governments

Embassies

Global KYC Policy

AML Risk of Citigroup Customer Base

Across all lines of Business

Customer Categories A

Batch Name Screening

Material Changes

High-Risk Account Classification

Feedback

Loop

G

1 Yr.

2 Yr.

3 Yr.*

4 Yr.* Low

Medium

High H-H

H-M

H-L

Risk-Scoring

Risk-Ratings

E

AML Review of Clients’ Profiles

Compliance Advisement J

Due Diligence Standards Forms

Special Customer Handling

I

Includes: Entities with effective Supervision | Closely-related and Related Parties | WHVs | Funds | Beneficial Ownership | FCBS | MSBs | Embassy | SPFs | Bearer Shares

Country Appendices

Impact to Global Standards due to local law

Information Collection Risk-Rating Periodic Review

H

C

Client Profiling

Customer Identification

Customer Due Diligence

Enhanced Due Diligence

Screening

Product Profile (PP)

- Specific Risk Attributes - Risk-Rating

Driven by:

- Transaction Account

- Pre-Product Profile

- Product Profile

- High-Risk Product Usage [ Y / N ]

[ Y / N ]

- Anticipated Activity

- Cash

- Monetary Instruments

- Wires

- Purpose

D

B

Periodic Review

Refresh

F

Global KYC Policy

OneKYC

Customer Due Diligence

5 main due diligence sections:

• Geography: customer’s address location, place of business

• Client Information: name, date of birth, government ID, citizenship

• Reputation: the results of screening for negative news

• Political Profile: Senior Public Figure status; affiliations with government (via approvals or revenue derived from government sources)

• Product/Account: use of high risk products or engage in high risk transactions; transactional activity that is significantly out of the norm for client’s peer group

Third-Party Customer Related Data (beneficiary, spouse, corporate officers, etc.): some third party customer-related information may be requested, including: address, date of birth, government-issued ID number, occupation and source of wealth.

Individuals: Information on the Individual’s assets and personal investments.

Entities: Information on the locations of the business and the history (source) of the finances.

Also listed:

• source of wealth/funds (business entity, business owner, employee, retiree, or other)

• net worth/annual revenue

• availability of audited financial statements

• information such as co-signors, beneficial owners

• location of wealth

• planned locations for establishing and conducting banking activity with Citi


KYC Program Framework

The output of the customer risk model (5 customer risk-ratings) impacts Periodic Review frequency and requirements, among other controls within the bank’s AML Program such as Transaction Monitoring and Risk Assessment.

[Figure: Customer Population, Risk-Rating Profile, Control Events. The KYC Profile (CDD, EDD and Product Profile) sections Client Information, Geography, Political Profile, Reputation and Product/Account feed the Risk Score. The risk-rating, from High to Low, sets Review Requirements (Greater to Lesser), Review Frequency (More Frequent to Less Frequent) and Advisement (More Levels to Less Levels). KYC Profile Maintenance control events: High-Risk Account Identification (Product/Account), Batch Name-Screening (Political Profile/Sanctions), Material Changes (Geography/Client Information).]

• Citi’s customer base subject to KYC program’s Risk Scoring framework.

• Information provided as part of a customer’s due diligence record feeds the Customer Risk Model.

• Risk Model produces a customer risk score.

• Override rules mandate that certain attributes will automatically be high risk.

• Risk score converted into risk-rating (High-High, High-Medium, High-Low, Medium, Low).

• Risk-rating drives the level of content in the review required for the client record.

• Risk-rating drives how often the client record is reviewed.

• Risk-rating also drives the level of AML advisement or approvals of the customer record to be provided by Compliance at onboarding.

• In addition, customer base is subject to controls that manually or automatically prompt reviews and updates of customer records as necessary.


Customer Risk Model

Five Risk Models under the OneKYC Program, the output being a risk-rating at the customer-level on a five-point scale: Low | Medium | High-Low | High-Medium | High-High

Risk Models and Client Types:

• Individuals: Retail, High Net Worth, Private Client, UHNW

• Financial Institutions: Banks, Non-Banks, MSBs, Funds

• Governments/Embassies: Governments, Embassies

• Corporations: Corps. S ($0-2MM), Corps. M ($2-25MM), Corps. L ($25-100MM), Corps. XL ($100MM+), Not-for-Profits

• Wealth-Holding Vehicles: WHVs (e.g. Trusts, PICs)

Model Sections, Tier 1: Geography, Client Information, Reputation, Political Profile, Product/Account

[Figure: per-model diagrams of Tier 1 and Tier 2 model sections, each on a Risk Score scale of 0-100 banded Low / Med. / High. One diagram shows only the Tier 1 sections Geography, Client Information and Product/Account; another shows the Risk-Rating of Associated Individual(s) with the Tier 1 sections Geography and Client Information.]

Tier 2: Beneficial Ownership, Industry Type, Length of Relationship, Entity Type, Share Type, Year of Incorporation

Weightings shown: 7.7%, 7.7%, 5.7%, 6.7%, 6.7%, 3.3%

Tier 2 Length of Relationship has an 8.62% weighting: (8.62 – 5) x 2 = 3.45 pts

Risk-Ratings: Low, Medium, High (H-H, H-M, H-L)

Review Frequency: 1 Yr., 2 Yr., 3 Yr.*, 4 Yr.*

*Not applicable to Mass Market Individuals

Overrides:

• Money Service Business

• Embassies

• Senior Public Figures

• Correspondent Banks

• Private Banking Clients**

• Bearer Shares

** RM-Managed & $1MM+ Affluence.


Beneficial Ownership

A beneficial owner is any person, including a natural person or an entity, that can exercise some level of control, directly or indirectly through influence or other means, over an account or a non-account product or service (collectively “account”) and is not necessarily the same as the named accountholder. For the purposes of this Standard, the term “accountholder” also includes individuals who are non-accountholders but to whom Citi provides products or services. The Ultimate Beneficial Owner (UBO) of an account is the natural person with actual (i.e., explicit) or effective (i.e., implicit) control over the account.

1. Actual control is derived from explicit authority over the account and its assets.

2. Effective control may be derived from an individual’s role with respect to the account or the accountholder entity, or from a level of ownership in the account assets or accountholder entity that confers such control.

Effective Control and corresponding UBO:

• 2(a) Roles that establish actual control through a formal mandate of authority. UBO: Executive management

• 2(b) Roles that may carry no formal mandate of authority but confer effective control through authority of a significant portion of the assets of the entity. UBO: Shareholders at 10% or greater ownership

• 2(c) Roles that carry no formal mandate of authority over, or entitlement to, the assets of an account or accountholder entity, but may still permit the exercise of effective control through influence and other indirect means. UBO: Chairman of the Board

OneKYC

UBOs OBOs

Full Legal Name Entity name

Percentage ownership Percentage ownership

or company title

Residential Address or

Date of Birth

Registered or official

office including country

Country of Residence Country of incorporation

or affiliation

Country of Citizenship Role (e.g. trustee)

Role (e.g. signatory) Evidence of govt. entity

or listed status

Determine UBO Based Upon Actual

Control

Determine Other BO

(OBO)

Collect Identification Information

& EDD

Verify Structure

% Effective Ownership

10% All customers

5% S.311 Country / Banks with offshore-banking license

0% Wealth Holding Vehicles

0-10% if required by local laws and regulations

Existing Low and Medium Clients Grandfathered (25%)

Any other entities that

exercises a level of

control other than the

UBO (chain owners)

Documented via a legal document that

lists beneficial owner(s) and their ownership percentages Or For medium and low risk entities: information

Provided by executive officer, senior compliance

officer or legal representative

Global OneKYC Policy

Determining Beneficial Ownership

For 50% UBOs, is a citizen of, resides in a high risk jurisdiction, client is rated high risk and the individuals country of residence differs from the entities formation: UBO’s total net worth; Liquid net worth; Total annual income; and Source of wealth.

Determine UBO Based

Upon Effective Control

Client Type Actual Effective

PICS Controller of

assets

Owner, provider

of funds

Trusts/

Estates

Trustee,

protector and

executor

Grantor/settlor,

beneficiaries,

Corps Management

control &

authorized

signors

Equity owner,

holder of voting

rights and/or

exercises

Partnerships Managing

Partners

Limited or equity

partners with a

vested, not

contingent,

interest in at

least or

accountholder

entity.

Government May includes

signatories

n/a

Listed Entity

(or majority-

owned subs.)

n/a n/a *

except when the subsidiary is in a high-

risk jurisdiction different than the parent *

Global KYC Policy

Customer Due Diligence and

Beneficial Ownership

February 21, 2014

Alfredo Aguila

Compliance Director for Global Private

Banking, Asset Management and

Insurance

Santander, a leading financial Group

Headcount 184,786 Branches 14,561

9M'13 Attributable Profit (EUR million) 3,310

Shareholders (million) 3.28

9M'13

Customers(1) (million) 103

Total Assets (EUR trillion) 1.19

Eurozone largest banks

by market capitalisation(2) (EUR bn.)

(1) Latest available customer data

(2) Data as of October 22, 2013. Source: Bloomberg

Santander Group´s Main Markets

(1) Loans (2) Including SCF business (3) Installment consumer loans (4) Including total mortgages, UPLs and SMEs (5) Unrestricted loans (6) In addition, 100 agencies

• Mkt. Share(1): 14% • Branches: 1,229 • Customers: 10.5 mill.

• Mkt. Share(4): 11% • Branches: 1,191 • Customers: 25.9 mill.

UK(2)

• Mkt. Share(5): 11% • Branches: 3,661 • Customers: 28.8 mill.

Mexico

Brazil

• Branches: 706 • Customers: 1.7 mill.

USA

• Mkt. Share(1): 9% • Branches: 377 • Customers: 2.4 mill.

Argentina

• Mkt. Share(1): 19% • Branches: 488 • Customers: 3.3 mill.

Chile

• Mkt. Share(1): 13% • Branches: 4,642 • Customers: 14.9 mill.

Spain(2)

• Mkt. Share(1): 10% • Branches: 651 • Customers: 2.3 mill.

Portugal(2)

• Mkt. Share(3): 14% • Branches: 265 • Customers: 6.3 mill.

Germany

• Mkt. Share: 9% • Branches(6): 1,021 • Customers: 5.2 mill.

Poland(2)

Note: data as of 30/09/2013 except customer data (latest available)

Compliance Governance

Board of

Directors

Secretary General of the

Board

Global Compliance Director

Country Compliance Directors

Spain

UK

Germany

Brazil

Mexico

Division Compliance Directors

Global Banking and Markets

Consumer Finance

Private Banking, Asset

Management & Insurance

Retail Banking

...

Unit Compliance Directors

Compliance Governance

• Santander Group has a Corporate Compliance and AML Department in Madrid.

• It establishes the global policies

• Ensures policies are adequately implemented in all units

• Supervises the ongoing compliance and AML programs worldwide

• Visits all units to verify the AML program.

• Each country and division has a compliance director and team in charge of managing the compliance programs in their countries and business lines.

• Tailor the global policy to their jurisdiction and lines of business

• Each unit within the country and line of business also has a Compliance Director and team in charge of compliance for their specific unit.


AML Policy

Global Policy: applies worldwide and is more general.

• Based on EU AML Directives, FATF and Bank of Spain requirements.

Country and Business Line (Division) policies:

• Tailored to the specific country regulatory requirements.

• Whenever possible, the highest standards apply.

• Example: USA and Private Banking.

• Based on BSA requirements.

Unit policies:

• Tailored to the specific unit line(s) of business.

• Example: BSI-Miami and International Private Banking.

• Based on BSA requirements.


AML Policy Global Program

Each Unit has a written anti-money laundering / terrorism financing program that includes policies, procedures and internal controls designed to comply with the applicable laws and the Group policy.

a. Know your customer requirements.

b. Designation of personnel responsible for AML/TF compliance.

c. Compliance with regulatory requirements regarding client documentation, record-keeping and reporting of transactions.

d. Development and implementation of appropriate methods of controls to detect suspicious activity by customers.

e. Reporting of suspicious activity to government authorities in accordance with applicable legislation.

f. Training programs.

g. Implementation of quality control systems and internal audit with respect to the AML/TF program.


AML Function: Santander's Operating Model

The Santander Group has a Corporate AML/TF Operating Model that it tries to replicate in its largest banks.

In 2013, Santander Mexico developed its own Operating Model for AML/FT.

[Diagram: AML / TF UCIF, Compliance Division]

Business lines: Capital Markets, Institutional Banking, SMEs, Corporate Banking, Private Banking, Global Banking, Retail Banking, Asset Management

Diagram elements: Transaction Monitoring; Analysis of suspicious transactions; AML Controls; Strategy and Intelligence; Supervisory Team; Control Room; Regulators; Internal Audit; Other Group banks

a. Performs monitoring of clients to identify signs of suspicious transactions.

b. Performs comprehensive analysis to identify and report suspicious activities to the authorities.

c. Defines strategy and shares relevant AML/TF information.

d. Performs preventive and reactive controls to enhance the AML functions.

e. Performs periodic visits to units to review AML controls.

f. Performs monitoring and controls of the AML / FT function.

g. Manages communication with regulators.

h. Implements internal audit recommendations.

i. Shares information to strengthen controls in other Group banks.


AML Unit Risk

The risk of ML/TF activity is directly related to the type of business carried out by its units and the products and services they offer.

Santander classifies its units and business lines by ML/TF risk, enabling the Bank to tailor policies, procedures and controls to better mitigate such risks. For example:

• Consumer Finance: Low Risk

• Insurance: Low Risk

• Retail Banking: Medium to Low Risk

• Domestic Private Banking: Medium to High Risk

• International Private Banking: High Risk

Santander also classifies the countries of jurisdiction of its units by AML/TF risk.

• At the Corporate level a country may be considered High Risk, but that doesn't mean that the bank in that country has to consider all of its clients as High Risk.

• For example: Mexico, Colombia…


Know Your Customer Core

All Santander Group units have policies, procedures, and internal controls aimed at obtaining effective and complete knowledge of their customers and their activities, following a risk-based approach.

Collection and analysis of basic identity information (“Due Diligence”).

Name matching against lists of “PEPs” and international sanctions lists (EU, OFAC, Bank of England, etc.).

Identification of accountholders, POAs and ultimate beneficial owners.

Determination of the customer's AML/TF risk.

Creation of customer's expected transactional behavior.

Monitoring of customer's transactions against their expected behavior, their recorded profile as well as that of their peers.


Know Your Customer Risk Rating

Customer risk rating is based on various static and dynamic attributes.

• Customer Information: Name; Official ID; Source of wealth/funds (business entity, business owner, employee, retiree, or other); Economic activity; Date of birth; Citizenship

• Geography: Customer’s address; Location; Location of wealth

• Customer Segmentation: Lines of Business in Santander Mexico

• Political Profile: Senior public figure status; Affiliations with government (via approvals or revenue derived from government sources)

• Product/Transactionality: Use of high risk products or engage in high risk transactions; Transactional activity that is significantly out of the norm for client’s peer group (payments and withdrawals)

• Third-Party Customer Related Data: For corporations, other legal entities and some third party customer-related, the deed of incorporation must be presented, including information concerning the customer’s name, legal form, address, directors, and the corporate bylaws, powers of attorney, entry in the appropriate register or other reliable identifying information.

• Customer Information: Names; Official valid ID; Source of wealth; Economic activity; Date of birth; Country of Citizenship

• Geography: Country of residence / Customer’s address; Location of client's business; Sources of funds

• Customer Segmentation: Retail, Corporate, Private Banking, Select Banking, etc.

• Political Connections: PEPs; Government / Public Sector contracts

• Products, Transactionality and AUMs: Type of accountholder (Individual, Corporate, Trust, PIC…); Transactions risk & AUMs; Types of products (savings, checking, investments, international wires, etc.)

• Media searches and reputation: Public media searches, background checks, enhanced due diligence information, reputation…

High Risk / Medium Risk / Low Risk


Beneficial Owner Global Model

The Santander corporate policy requires that all Group entities identify and verify the identity of all individuals who own or control, directly or indirectly, more than 25% of the equity interest in an entity or that effectively manage or control the entity.

Santander applies a risk-based approach:

• Minimum 25% equity interest for all lines of business, with the exception of:

  • Domestic Private Banking: minimum 25% equity interest for Medium and Low risk clients; 10% for High Risk clients.

  • International Private Banking: 10% equity interest for all clients, regardless of their risk rating. For widely held entities with shareholders who own less than 10%, we'll identify up to 60% of ownership or the top 10 shareholders.

• We analyze and apply CIP to all entities up the chain.

Gradual phase in for Group entities that don't currently comply with these requirements.

Tailored to country-specific regulatory requirements.
