James Cummans
Vice President, BSA/AML Operations
TCF Bank
Sarah K. Runge
Director, Office of Strategic Policy,
Terrorist Financing and Financial Crimes
U.S. Department of the Treasury
James D. Stubbs
Managing Director, Deputy Head of AML
Citigroup
FIBA 2014 AML Compliance Conference
Customer Due Diligence and Beneficial Ownership: Almost Two Years
After the Advance Notice of Proposed Rulemaking
Miami, Florida
February 21, 2014
Kimberly Rhodes
SVP, Director AML Compliance
SunTrust Bank
Alfredo Aguila
Head of Compliance for Global Private Banking,
Asset Management and Insurance
Santander Group, Spain
Amy G. Rudnick
Partner
Gibson, Dunn & Crutcher LLP
Overview – Part I
• The Current Regulatory Framework and Risk-Based Approach to Customer Due Diligence
• The Approaches of Different Banking Organizations
• Compliance Organizational Structures
• CDD Policies and Programs
• Risk Scoring and Assessments
• Due Diligence Processes and Procedures
• Beneficial Ownership and Controlling Persons
Overview – Part II
• The Advance Notice of Proposed Rulemaking
• Current Status and Process
• Take-Aways from Comment Letters and the Regional Roundtable Meetings
• Key Issues and Challenges
• A Risk-Based and/or A One-Size-Fits-All Approach
• Beneficial Ownership
• Definition
• Verification: Ownership vs. Identity
• Self Certifications
• Exemptions
TCF National Bank Overview
• $18.4 Billion in assets
• Eight States (Minnesota, Illinois, Michigan, Colorado, Wisconsin,
Indiana, South Dakota, Arizona)
• 430 Branches
• Provide commercial leasing and equipment finance in 50 states,
commercial inventory finance in the U.S. and Canada and indirect
auto finance in 40+ states
• 2.6 million customers (TCF and subsidiaries)
TCF Financial Intelligence Unit Structure
• Financial Crimes Control Services (Loss Prevention)
• Anti-Money Laundering Investigations
• Customer Due Diligence (OFAC, BSA Closure List, PEP, 314(a),
etc.)
• Enhanced Due Diligence (High Risk Monitoring)
• BSA Program Governance
• Quality Control
• New Account Screening (CIP Validation)
• BSA Technology
• LE Team
Executive Vice President
Chief Risk Officer
TCF Bank
Financial Intelligence Unit
Senior Vice President
BSA/AML/OFAC Officer
Vice President
FCCS Operations
Vice President
BSA/AML Operations
Manager CDD, EDD, New Acct Openings
Manager
Program Governance
Manager
Program Governance
Trainer
Program Governance
Manager
Law Enforcement & Closure
Executive Assistant
Manager
FCCS
Manager
BSA Investigations
Vice President
Program Governance
Manager
Technology & Projects
VP BSA/AML Operations
TCF Bank
Financial Intelligence Unit
Customer & Enhanced Due Diligence
Manager Customer & Enhanced Due Diligence
Supervisor
EDD Stage 2
Supervisor
CDD / CTRs
Supervisor
New Account Screening
Supervisor
EDD Stage 1
NAS Investigator
12 Analysts
CDD
Team Lead
7 Analysts
CTRs
4 Analysts
CTR Quality Control
1 QC
Document Retrieval
1 Analysts
AML SAR Team
2 QC
EDD Stage 1
10 Analysts
EDD Stage 2
10 Analysts
EDD Quality Control
2 QC
CDD & Managing Customer Risk
• CIP verification through independent sources & tools
• Individual and account level questions scored = combined score
• List screening (OFAC, BSA Closure list, PEP, 314(a), etc.)
• Review of risk scoring (individual and account level)
• Closure team, monitoring after determination of risk level,
downgrade, escalation to AML, questionnaire
• Deposit and non-deposit risk ranking
CDD Process
• Alert Verification
• Banking profile
- CIP
- ID Type
- Citizenship/Country
- Wealth & Occupation
- CTR Exemption
- Primary reason for escalation (review of
scoring template)
- Geography (do not bank transactional
accounts outside our profile, include
HIDTA/HIFCA scoring)
- Occupation
- Source of wealth
- Purpose of the account
- Scoring of all individuals affiliated with the
account(s)
- Prohibited account questions (ends acct.
opening – TPPP, MSB, international car
shipping, medical marijuana)
- Place of business
- Type of Business Formation
- Length of business establishment
- Anticipated activity questions
- Account Titles
- Type
- Balance
- Opening Dates
- Line of Business
- Purpose
- Signers/ Borrowers/ Guarantors/ Beneficial Owners
- Conducted for open and closed relationships
CDD Process continued
• Customer profile – reputational risk/negative news screening
• Product/Account – anticipated activity analysis and analyst narrative
• Questionnaires (specific or product based)
• Analyst decision
• QC – Management review
• Risk level and review intervals assigned
• Ongoing due diligence of downgraded customers (medium or low)
• Closure process
• Map scoring to suspicious account monitoring systems
CDD/EDD Alert types
• System – new account opening
• Upgrade, downgrade
• Internal referral (SAR, list screening, >2 SAR report, etc)
• Law enforcement (314a match, GJS, NSL, request to maintain
relationship)
• Ongoing monitoring report
• Interval reviews
Risk Levels and Review Intervals
• Low: actual activity reviewed every 6 months via ongoing monitoring report
• Mod: actual activity reviewed every 6 months via ongoing monitoring report
• High Low: annual comprehensive review
• High Mod: annual comprehensive review and 6 month periodic review (periodic may be limited or comprehensive depending upon analysis)
• High High: annual comprehensive review, 4 month periodic review (periodic may be limited or comprehensive depending upon analysis)
Beneficial Ownership
• Utilizing the proposed rule making definition: “…an individual who
has a level of control over, or entitlement to, the funds or assets in
the account that, as a practical matter, enables the individual,
directly or indirectly, to control, manage or direct the account.”
• Shareholders at 25% or >
• Account owners/signers/controllers at 100%
• High risk customers (as defined by TCF) at 100%
• For all “beneficial owners” we plan to apply a CIP standard
• Differentiate in our customer databases/mainframe to identify who
has release of information rights, mailing, disclosures and
transaction rights
• Go forward or maintenance interaction only at this time
• 30 day response request letter to “beneficial owner” to provide full
CIP w/ account restriction until supplied
SunTrust Bank – Customer Due Diligence Beneficial Ownership 2 years after ANPR, FIBA Conference 20-21 February 2014
Kimberly Rhodes
BSA/AML Director
SunTrust Bank
303 Peachtree Street, N.E.
Atlanta, Ga. 30308
About SunTrust
SunTrust Banks, Inc. (the “Company”) is a
regional financial institution, servicing a broad
range of consumer, commercial, corporate and
institutional clients. As of December 31, 2013,
SunTrust had total assets of approximately
$175 billion and total deposits of
approximately $130 billion. Through its
flagship subsidiary, SunTrust Bank, the
Company operates an extensive branch and
ATM network throughout the Southeastern and
Mid-Atlantic United States and a full array of
technology-based, 24-hour delivery channels.
The Company also serves clients in selected
markets nationally. Its primary businesses
include deposit, credit, and trust and
investment management services. Through
various subsidiaries, the Company provides
mortgage banking, insurance, brokerage,
equipment leasing, and capital markets
services.
AML Compliance Organizational Structure
While establishing policies and broad procedures for conducting customer
due diligence is the responsibility of the central AML function in the
institution, execution of the customer due diligence is accomplished by
each line of business and, specifically, each relationship manager
overseeing the relationship with that customer. Procedures differ from
sub-line to sub-line, depending upon the level of risk involved. There are
several common elements, including gathering basic CIP information and
verifying that information; however, requirements for due diligence
beyond this depend, in large part, on the product or service being used,
the client type and the geographies in which the client operates or the
product and service are used. Questionnaires, certifications and, in some
cases, indemnities are tailored to meet many different situations.
Examples: CIP Checklist for Global Trade Solutions far more extensive
than the Know Your Customer Form for personal accounts in retail.
Risk Factors used in Risk Scoring
Current Risk Factors –
• Geography – physical and permanent residence geographies, headquarters
geography, parent company geography, geographies of business
activity/operation
• Products/Services – including volumes of expected foreign transaction activity
and assets held at SunTrust
• Client information – occupation/industry, length of relationship with the bank,
residency status, parent company, entity type, political exposure
Future Risk Factors –
• Geography – physical and permanent residence geographies, headquarters
geography, parent company geography, geographies of business
activity/operation
• Products/Services – including expected transaction activity in high risk
products & services, and assets held at SunTrust
• Client information – occupation/industry, length of relationship with the bank,
residency status, parent company, entity type, political exposure, channel of
opening
Risk Scoring and Risk Assessment
Maintain a low risk, high risk, automatic high risk and prohibited
scale of categorizing clients, products, services and geographies
Prohibited customer types include:
• Any listed SDN or Blocked Person
• Any entity or individual that is otherwise the target of an economic
sanctions program administered by OFAC
• A shell bank
• Money Services Businesses (“MSBs”)
• Politically Exposed Persons (“PEPs”)
• Casas de Cambio and Exchange Houses
• Foreign Embassies and Consulates or Foreign Government/Agencies
• Foreign Financial Institutions located in automatic high risk or
prohibited jurisdictions
• Corporations with bearer shares
• Telemarketers with accounts through which their customer
transactions are processed
Beneficial Ownership
Currently, SunTrust uses a risk based methodology for determining levels
of beneficial ownership of juridical persons. For example, third party
payment processors are an automatic high risk client type and require
identification of beneficial ownership at the 5% ownership level.
Beneficial ownership information gathered consists of name, country of
permanent residence and, if available, physical address. Other automatic
high risk client types include foreign financial institutions, non-resident
aliens with assets on deposit or managed in excess of $500k and Private
Investment Companies.
High risk accounts, due to risk scoring, by contrast only require
identification of beneficial ownership at the 15% level of equity
ownership, but require name, country of permanent residence and, if
available, physical address.
Future state: SunTrust is automating the RAF/EDD collection process,
which will enable SunTrust to begin collecting beneficial ownership for all
clients at all risk levels at the 10% beneficial ownership level, with
exceptions for those riskier clients that will require beneficial ownership
information at lower levels (e.g. third party payment processors, as
described above).
Beneficial Ownership – Use of Information
Verification of Information. The value of beneficial ownership
information is, largely, dependent upon the honesty of the person
giving you the information. With respect to private companies,
the books and records of the company are maintained by the
company and may be changed at any time. Even with publicly
traded companies, absent expensive surveys, verification of
ownership is of transitory value. There is no repository whereby
assertions about ownership may be verified or authenticated.
Diligence conducted with Beneficial Ownership Information
• Current state: Scan information against OFAC list and list service to
identify PEPs, etc., based on risk level
• Future state: Scan all information against OFAC list and eventually a
list service to identify PEPs, etc.
Controlling Parties and Frequency of Review
Controlling parties are considered those that fund an organization.
Controlling party information is gathered on a risk basis, e.g. with
respect to Non-Governmental Organizations (“NGOs”), due
diligence requires identification and review of the top five
contributors or grantors to the NGO. Review of the information
includes OFAC and World-Check review.
Reviews of Due Diligence:
• Current State: Reviews are done on a periodic (at least annual) basis
with respect to high risk clients. Transaction activity can trigger an
earlier review for high risk clients or an initial review for low risk
clients.
• Future State: Reviews will be done the earlier of (a) whenever a
client uses a new product or service or (b) a predetermined schedule.
The schedule for review will be shorter for those clients, products,
services or geographies with greater risk; longer for lower risk.
Risk Rating and Transaction Monitoring
Current State: Increased scrutiny is given to events and deviations
in transaction value and volume monitoring of high risk clients.
Future state: Anticipate transaction activity will also trigger out-
of-cycle due diligence reviews if deviating from the expected
activity information gathered from the client at on-boarding.
Concern we will monitor: Clients seldom accurately predict
expected activity, not for nefarious reasons, but because clients
pay little attention to such detail. Concerns that future state
monitoring will require excessive infrastructure not commensurate
with the risk involved.
Concerns with ANPR
Capturing Beneficial Ownership is of very limited benefit
• As previously mentioned, independent verification of beneficial
ownership of juridical entities is an impossibility. There is no public
registry of ownership against which to test information received.
Books and records are managed by the company itself and, even if the
information you review is all the books and records of the company,
nothing prevents the company from changing ownership of the
company the next day.
• The value of the information is dependent upon the honesty of the
person giving the information. Our experience is that those seeking to
abuse the financial system tend to be the least honest.
• Absent a universal rule applicable to banks, those undertaking
methods to capture this information are perceived publicly as less
customer friendly and those seeking to abuse the system find the path
of least resistance.
Global OneKYC Program
Citi’s global bank for consumers and businesses represents Citi’s core franchises.
Citi provides products and services to approximately 200 million customers leveraging
Citigroup’s global network, including many of the world’s emerging economies.
Citicorp is physically present in approximately 100 countries, many for over 100 years,
and offers services in over 160 countries and jurisdictions.
Citi serves the broad financial services needs of its large multinational clients as
well as retail, private banking, commercial, public sector and institutional clients
around the world.
At December 31, 2012, Citicorp had $1.7 trillion of assets and $863 billion of deposits,
representing 92% of Citi’s total assets and 93% of its deposits.
Global KYC Policy
OneKYC
OneKYC Program
Key: Compliance Business Operations Technology Internal Audit Other
Program Design & Maintenance
BAU Program Execution
Program Reporting (1)
Framework | Tools / Tech | Training | Management & Oversight | Issue ID & Resolution | Threshold Maintenance
CIP | CDD / EDD | Sanctions Screening | Name Screening | Periodic Review | Risk Evaluation
CAPS / Reporting / Metrics
Control / Oversight | QA | Compliance Testing | Audit
Program Management | Project Management
1 “Program Reporting” represents tasks for
each function in “Program Execution”, but is
called out separately to illustrate interaction
with other categories
Note:
Accountability represented for each function
is approximated based on the accountability
across all tasks within the subgroup
1. Policy/Standards, etc are drafted and maintained.
2. Using items defined in Step 1, programs are developed and maintained by the function.
3. Tasks are executed with support from functions.
4. CAPS, reports, and metrics inform Policy, etc.
5. Testing is performed against each function with results informing Program Design & Maintenance and CAPS.
6. Continuous Program monitoring and communication across business sector. Track and resolve issues across Business, functions, regions, escalate as appropriate.
Program Standards
Policy Control Standards Global AML Training
The OneKYC operating model identifies the types of participation across functions in completing the component
pieces of Citi’s AML Program.
Program Overview
OneKYC
The central guiding principle of the program is to move from current Sector-centric KYC processes and systems to a Client-
centric, “One-Bank” approach where clients of the same type are treated consistently regardless of which business services them:
Today, AML client types are addressed differently based on which business/region owns the client.
Client risk-ratings may be different in various countries or business units.
Commercial Banking
Client Categories
Private Bank
Retail
International Personal Banking
Capital Markets
Global Banking
Transaction Services
ICG
GCB
Consumer
Mass Market
Individuals
Wealth-holding Vehicles
Ultra High Net Worth Private Client
Private Client USD 10MM - 1MM, RM
Higher Affluence
Private Client
Corp. Not-For-Profit
Corp. Xlarge > USD100MM Revenues
Corp. Large USD 100MM - 25MM Revenues
Government
Embassy
Corporations
Corp. Medium USD 25MM - 2MM Revenues
Corp. Small < USD 2MM Revenues
Financial Institutions - Bank
Financial Institutions - non-Bank
Funds
MSB / Corps. Providing Remittance Services
FIs Governments
Global OneKYC Policy
Guiding Principle
Individuals
Mass Market Retail
Higher Affluence
Private Client
Ultra High Net Worth PC
Wealth-Holding Vehicles
Corporations
Small
Medium
Large
Extra Large
Not-for-Profits
Financial Institutions
Banks
Non-Banks
MSBs
Funds
Govts./Embassies
Governments
Embassies
AML Risk of Citigroup Customer Base
Across all lines of Business
Customer Categories A
Batch Name Screening
Material Changes
High-Risk Account Classification
Feedback
Loop
G
1 Yr.
2 Yr.
3 Yr.*
4 Yr.* Low
Medium
High H-H
H-M
H-L
Risk-Scoring
Risk-Ratings
E
AML Review of Clients’ Profiles
Compliance Advisement J
Due Diligence Standards Forms
Special Customer Handling
I
Includes: Entities with effective Supervision | Closely-related and Related Parties | WHVs | Funds | Beneficial Ownership | FCBS | MSBs | Embassy | SPFs | Bearer Shares
Country Appendices
Impact to Global Standards due to local law
Information Collection Risk-Rating Periodic Review
H
C
Client Profiling
Customer Identification
Customer Due Diligence
Enhanced Due Diligence
Screening
Product Profile (PP)
- Specific Risk Attributes - Risk-Rating
Driven by:
- Transaction Account
- Pre-Product Profile
- Product Profile
- High-Risk Product Usage [ Y / N ]
[ Y / N ]
- Anticipated Activity
- Cash
- Monetary Instruments
- Wires
- Purpose
D
B
Periodic Review
Refresh
F
Customer Due Diligence
Global OneKYC Policy
customer’s address
location,
place of business
Geography
Client Information
Reputation
Political Profile
Product/Account
name
date of birth
government ID
citizenship
The results of screening for negative news.
Senior Public Figure status
Affiliations with government (via approvals or revenue derived from government sources)
use of high risk products or engage in high risk transactions
transactional activity that is significantly out of the norm for client’s peer group
Third-Party Customer Related Data (beneficiary, spouse, corporate officers, etc.)
some third party customer-related information may be requested, including:
address, date of birth, government-issued ID number, occupation and source of wealth.
Individuals
Entities
Information on the Individual’s
assets and personal investments.
Information on the locations of the
business and the history (source)
of the finances.
source of wealth/funds (business entity, business owner, employee, retiree, or other)
net worth/annual revenue
availability of audited financial statements
information such as co-signors, beneficial owners
location of wealth
planned locations for establishing and conducting banking activity with Citi
5 main due diligence sections:
Customer Population
Customer Population Risk-Rating Profile Control Events
Client Information
Geography
Political Profile
Reputation
Product/Account
Risk-Score
High-Risk Account Identification (Product/Account)
Batch Name-Screening (Political Profile/Sanctions)
Material Changes (Geography/Client Information)
High
Low
Review Requirements
Review Frequency
Greater
Lesser
More Frequent
Less Frequent
KYC Profile – CDD, EDD and Product Profile KYC Profile Maintenance
Risk Score
Attributes
Advisement
More Levels
Less Levels
• Citi’s customer base subject to KYC program’s Risk Scoring framework.
• Information provided as part of a customer’s due diligence record feeds the Customer Risk Model.
• Risk Model produces a customer risk score.
• Override rules mandate that certain attributes will automatically be high risk.
• Risk score converted into risk-rating (High-High, High-Medium, High-Low, Medium, Low).
• Risk-rating drives the level of content in the review required for the client record.
• Risk-rating drives how often the client record is reviewed.
• Risk-rating also drives the level of AML advisement or approvals of the customer record to be provided by Compliance at onboarding.
• In addition, customer base is subject to controls that manually or automatically prompt reviews and updates of customer records as necessary.
KYC Program Framework
The output of the customer risk model (5 customer risk-ratings) impacts Periodic Review frequency and requirements,
among other controls within the bank’s AML Program such as Transaction Monitoring and Risk Assessment.
Customer Risk Model
Five Risk Models under the OneKYC Program, the output being a risk-rating at the customer-level on a five-point scale: Low | Medium | High-Low | High-Medium | High-High
Risk Models: Individuals | Financial Institutions | Governments/Embassies | Wealth-Holding Vehicles | Corporations
Risk-Ratings: Low | Medium | High (H-L | H-M | H-H)
Review Frequency: 1 Yr. | 2 Yr. | 3 Yr.* | 4 Yr.*
*Not applicable to Mass Market Individuals
Risk Score 0-100 Scales: Low | Med. | High
Model Sections (figure panels, in the order shown):
- Tier 1: Geography | Client Information | Reputation | Political Profile | Product/Account
- Tier 1, Tier 2: Geography | Client Information | Reputation | Political Profile | Product/Account
- Tier 1: Geography | Client Information | Product/Account
- Tier 1, Tier 2: Geography | Client Information | Reputation | Political Profile | Product/Account
- Associated Individual(s) (Risk-Rating of), Tier 1: Geography | Client Information
Client Types:
- Individuals: Retail | High Net Worth | Private Client | UHNW
- Financial Institutions: Banks | Non-Banks | MSBs | Funds
- Governments/Embassies: Governments | Embassies
- Corporations: Corps. S ($0-2MM) | Corps. M ($2-25MM) | Corps. L ($25-100MM) | Corps. XL ($100MM+) | Not-for-Profits
- Wealth-Holding Vehicles: WHVs (e.g. Trusts, PICs)
Tier 2: Beneficial Ownership | Industry Type | Length of Relationship | Entity Type | Share Type | Year of Incorporation
Weightings shown: 7.7% | 7.7% | 5.7% | 6.7% | 6.7% | 3.3%
Tier 2
Length of Relationship
has an 8.62% weighting
(8.62 – 5) x 2 = 3.45 pts :
Overrides:
- Money Service Business
- Embassies
- Senior Public Figures
- Correspondent Banks
- Private Banking Clients**
- Bearer Shares
** RM-Managed & $1MM+ Affluence.
Beneficial Ownership
A beneficial owner is any person, including a natural person or
an entity, that can exercise some level of control, directly or
indirectly through influence or other means, over an account or a
non-account product or service (collectively “account”) and is not
necessarily the same as the named accountholder. For the
purposes of this Standard, the term “accountholder” also
includes individuals who are non-accountholders but to whom
Citi provides products or services. The Ultimate Beneficial
Owner (UBO) of an account is the natural person with actual
(i.e., explicit) or effective (i.e., implicit) control over the account
1. Actual control is derived from explicit authority over the
account and its assets
2. Effective control may be derived from an individual’s role
with respect to the account or the accountholder entity, or
from a level of ownership in the account assets or
accountholder entity that confers such control
Effective Control | UBO
2(a) Roles that establish actual control through a formal mandate of authority. | Executive management
2(b) Roles that may carry no formal mandate of authority but confer effective control through authority of a significant portion of the assets of the entity. | Shareholders at 10% or greater ownership
2(c) Roles that carry no formal mandate of authority over, or entitlement to, the assets of an account or accountholder entity, but may still permit the exercise of effective control through influence and other indirect means. | Chairman of the Board
UBOs OBOs
Full Legal Name Entity name
Percentage ownership Percentage ownership
or company title
Residential Address or
Date of Birth
Registered or official
office including country
Country of Residence Country of incorporation
or affiliation
Country of Citizenship Role (e.g. trustee)
Role (e.g. signatory) Evidence of govt. entity
or listed status
Determine UBO Based Upon Actual Control
Determine Other BO (OBO)
Collect Identification Information & EDD
Verify Structure
% Effective Ownership
10% All customers
5% S.311 Country / Banks with offshore-banking license
0% Wealth Holding Vehicles
0-10% if required by local laws and regulations
Existing Low and Medium Clients Grandfathered (25%)
Any other entities that exercises a level of control other than the UBO (chain owners)
Documented via a legal document that lists beneficial owner(s) and their ownership percentages; or, for medium and low risk entities, information provided by executive officer, senior compliance officer or legal representative
Determining Beneficial Ownership
For 50% UBOs, is a citizen of, resides in a high risk jurisdiction, client is rated high risk and the individuals country of residence differs from the entities formation: UBO’s total net worth; Liquid net worth; Total annual income; and Source of wealth.
Determine UBO Based Upon Effective Control
Client Type | Actual | Effective
PICS | Controller of assets | Owner, provider of funds
Trusts/Estates | Trustee, protector and executor | Grantor/settlor, beneficiaries,
Corps | Management control & authorized signors | Equity owner, holder of voting rights and/or exercises
Partnerships | Managing Partners | Limited or equity partners with a vested, not contingent, interest in at least or accountholder entity.
Government | May include signatories | n/a
Listed Entity (or majority-owned subs.) | n/a | n/a *
* except when the subsidiary is in a high-risk jurisdiction different than the parent
Customer Due Diligence and
Beneficial Ownership
February 21, 2014
Alfredo Aguila
Compliance Director for Global Private
Banking, Asset Management and
Insurance
Santander, a leading financial Group
Headcount 184,786 Branches 14,561
9M'13 Attributable Profit (EUR million) 3,310
Shareholders (million) 3.28
9M'13
Customers(1) (million) 103
Total Assets (EUR trillion) 1.19
Eurozone largest banks
by market capitalisation(2) (EUR bn.)
(1) Latest available customer data
(2) Data as of October 22, 2013. Source: Bloomberg
Santander Group´s Main Markets
(1) Loans (2) Including SCF business (3) Installment consumer loans (4) Including total mortgages, UPLs and SMEs (5) Unrestricted loans (6) In addition, 100 agencies
• Mkt. Share(1): 14% • Branches: 1,229 • Customers: 10.5 mill.
• Mkt. Share(4): 11% • Branches: 1,191 • Customers: 25.9 mill.
UK(2)
• Mkt. Share(5): 11% • Branches: 3,661 • Customers: 28.8 mill.
Mexico
Brazil
• Branches: 706 • Customers: 1.7 mill.
USA
• Mkt. Share(1): 9% • Branches: 377 • Customers: 2.4 mill.
Argentina
• Mkt. Share(1): 19% • Branches: 488 • Customers: 3.3 mill.
Chile
• Mkt. Share(1): 13% • Branches: 4,642 • Customers: 14.9 mill.
Spain(2)
• Mkt. Share(1): 10% • Branches: 651 • Customers: 2.3 mill.
Portugal(2)
• Mkt. Share(3): 14% • Branches: 265 • Customers: 6.3 mill.
Germany
• Mkt. Share: 9% • Branches(6): 1,021 • Customers: 5.2 mill.
Poland(2)
Note: data as of 30/09/2013 except customer data (latest available)
Compliance Governance
Board of
Directors
Secretary General of the
Board
Global Compliance Director
Country Compliance Directors
Spain
UK
Germany
Brazil
Mexico
…
Division Compliance Directors
Global Banking and Markets
Consumer Finance
Private Banking, Asset
Management & Insurance
Retail Banking
...
Unit Compliance Directors
Compliance Governance
• Santander Group has a Corporate Compliance and AML Department in
Madrid.
• It establishes the global policies
• Ensures policies are adequately implemented in all units
• Supervises the ongoing compliance and AML programs worldwide
• Visits all units to verify the AML program.
• Each country and division has a compliance director and team in charge of
managing the compliance programs in their countries and business lines.
• Tailor the global policy to their jurisdiction and lines of business
• Each unit within the country and line of business also has a Compliance
Director and team in charge of compliance for their specific unit.
AML Policy
Global Policy: applies worldwide and is more general.
• Based on EU AML Directives, FATF and Bank of Spain requirements.
Country and Business Line (Division) policies:
• Tailored to the specific country regulatory requirements.
• Whenever possible, the highest standards apply.
• Example: USA and Private Banking.
• Based on BSA requirements.
Unit policies:
• Tailored to the specific unit line(s) of business.
• Example: BSI-Miami and International Private Banking.
• Based on BSA requirements.
AML Policy Global Program
Each Unit has a written anti-money laundering / terrorism financing program that includes
policies, procedures and internal controls designed to comply with the applicable laws and
the Group policy.
• Know your customer requirements.
• Designation of personnel responsible for AML/TF compliance.
• Compliance with regulatory requirements regarding client documentation, record-keeping and reporting of transactions.
• Development and implementation of appropriate methods of controls to detect suspicious activity by customers.
• Reporting of suspicious activity to government authorities in accordance with applicable legislation.
• Training programs.
• Implementation of quality control systems and internal audit with respect to the AML/TF program.
Regulators Internal Audit
Capital Markets
Institutional Banking
SMEs
Corporate Banking
Private Banking
Global Banking
Retail Banking
Asset Management
In 2013, Santander Mexico developed its own Operating Model for AML/FT.
Transaction
Monitoring
Analysis of
suspicious
transactions
AML Controls
Strategy and
Intelligence
Supervisory
Team
AML / TF UCIF
Compliance Division
Control
Room
Other Group banks
a. Performs monitoring of clients to identify signs of suspicious transactions
b. Performs comprehensive analysis to identify and report suspicious activities to the authorities
c. Defines strategy and shares relevant AML/TF information
d. Perform preventive and reactive controls to enhance the AML functions
e. Performs periodic visits to units to review AML controls
f. Performs monitoring and controls of the AML / FT function.
g. Manages communication with regulators.
h. Implements internal audit recommendations.
i. Shares information to strengthen controls in other Group banks.
AML Function – Santander’s Operating Model
The Santander Group has a Corporate AML/TF Operating Model that it tries to replicate in its largest banks.
AML Unit Risk
The risk of ML/TF activity is directly related to the type of business carried out
by its units and the products and services they offer.
Santander classifies its units and business lines by ML/TF risk, enabling the
Bank to tailor policies, procedures and controls to better mitigate such risks.
For example:
• Consumer Finance: Low Risk
• Insurance: Low Risk
• Retail Banking: Medium to Low Risk
• Domestic Private Banking: Medium to High Risk
• International Private Banking: High Risk
Santander also classifies the countries of jurisdiction of its units by AML/TF risk.
• At the Corporate level a country may be considered High Risk, but that doesn't mean that the bank in that country has to consider all of its clients as High Risk.
• For example: Mexico, Colombia…
Know Your Customer Core
All Santander Group units have policies, procedures, and internal controls aimed at
obtaining effective and complete knowledge of their customers and their activities, following
a risk-based approach.
• Collection and analysis of basic identity information (“Due Diligence”).
• Name matching against lists of “PEPs” and international sanctions lists (EU, OFAC, Bank of England, etc.).
• Identification of accountholders, POAs and ultimate beneficial owners.
• Determination of the customer's AML/TF risk.
• Creation of customer's expected transactional behavior.
• Monitoring of customer's transactions against their expected behavior, their recorded profile as well as that of their peers.
Know Your Customer Risk Rating
Customer risk rating is based on various static and dynamic attributes.
[Diagram: customer risk rating attributes]
• Customer Information: Name; Official ID; Source of wealth/funds (business entity, business owner, employee, retiree, or other); Economic activity; Date of birth; Citizenship
• Geography: Customer’s address; Location; Location of wealth
• Customer Segmentation: Lines of Business in Santander Mexico
• Political Profile: Senior public figure status; Affiliations with government (via approvals or revenue derived from government sources)
• Product/Transactionality: Use of high risk products or engage in high risk transactions; Transactional activity that is significantly out of the norm for client’s peer group (payments and withdrawals)
• Third-Party Customer Related Data: For corporations, other legal entities and some third party customer-related , the deed of incorporation must be presented, including information concerning the customer’s name, legal form, address, directors, and the corporate bylaws, powers of attorney, entry in the appropriate register or other reliable identifying information.
[Diagram: customer risk rating attributes and resulting rating]
• Customer Information: Names; Official valid ID; Source of wealth; Economic activity; Date of birth; Country of Citizenship
• Geography: Country of residence / Customer’s address; Location of client's business; Sources of funds
• Customer Segmentation: Retail, Corporate, Private Banking, Select Banking, etc.
• Political Connections: PEPs; Government / Public Sector contracts
• Products, Transactionality and AUMs: Type of accountholder (Individual, Corporate, Trust, PIC…); Transactions risk & AUMs; Types of products (savings, checking, investments, international wires, etc.)
• Media searches and reputation: Public media searches, background checks, enhanced due diligence information, reputation…
• Resulting rating: High Risk, Medium Risk, Low Risk
Beneficial Owner Global Model
The Santander corporate policy requires that all Group entities identify and verify the identity
of all individuals who own or control, directly or indirectly, more than 25% of the equity
interest in an entity or who effectively manage or control the entity.
Santander applies a risk-based approach:
• Minimum 25% equity interest for all lines of business, with the exception of:
• Domestic Private Banking: minimum 25% equity interest for Medium and Low
risk clients; 10% for High Risk clients.
• International Private Banking: 10% equity interest for all clients, regardless of
their risk rating. For widely held entities with shareholders who own less than
10%, we'll identify up to 60% of ownership or the top 10 shareholders.
• We analyze and apply CIP to all entities up the chain.
Gradual phase-in for Group entities that don't currently comply with these requirements.
Tailored to country-specific regulatory requirements.