Vendor Management of Investor Data
As the U.S. moves closer to the internationally accepted Anti-Money Laundering (“AML”) and Know Your Client (“KYC”) standards, investors are left with questions about what happens to their personal confidential information.
Historically, non-bank-affiliated financial institutions, such as fund administrators, have not been subject to specific AML regulations. Instead, most of these institutions in the United States have relied on best practices. Foreign jurisdictions often impose more stringent requirements than the United States does.
However, the U.S. regulatory environment is changing at a rapid pace. The new Financial Crimes Enforcement Network (“FinCEN”) proposed regulations attest to this change. The recently proposed FinCEN rules further require financial firms to identify Ultimate Beneficial Owners (“UBOs”), to create risk profiles and to track business activities. Investor identification and UBOs have been subject to changing global and local reporting standards for decades.
Past attempts by non-bank-affiliated financial institutions to enforce revised AML and KYC compliance policies and procedures were often met with client resistance. Recently, however, clients such as fund investors have become increasingly concerned about the safety and safekeeping of their personal and confidential data.
Non-bank-affiliated financial firms are required to ensure that their current procedures for acquiring, validating and storing client information from custodial accounts meet market standards. In addition, the firms must update the information where necessary and comply with revised regulations that are more closely aligned with internationally accepted standards. The key challenges of the newly proposed AML-KYC rules and regulations are the implementation of technology, the expansion of account-opening procedures, the authentication of existing client data, and client education. The ongoing digitalization of records and rapidly improving technology are both an asset and a potential liability where an internal cybersecurity program is ineffective and/or the governance framework for managing cybersecurity risks is weak.
In 2015 and 2016, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) underscored the importance of vendor management, risk assessment processes and cybersecurity as its top priority. The industry now needs to be prepared for OCIE’s attention to cybersecurity, compliance and controls during regular examinations. Investor identification, verification and data protection for the beneficial owner accounts held at broker-dealers and investment advisers are targeted specifically. Although non-bank-affiliated institutions may not be subject to these examinations, these firms will be held to the same standards.
COLLECTION, VERIFICATION AND SAFE-KEEPING
The purpose of the AML and KYC collection processes is to confirm that assets are received from legitimate sources, to prevent money laundering and to deter terrorist financing. Service providers/vendors responsible for collecting client information must ensure that qualified staff are assigned to handle and secure client data, and that the procedures and systems in place are tailored to provide ongoing monitoring of client data. The client (ultimate beneficial owner or “UBO”) identification procedures must drill down to the level of a natural person or persons, and the validity and consistency of the information should be verified against the lists issued by the U.S. Office of Foreign Assets Control (“OFAC”) and databases such as WorldCheck and WorldCompliance for criminal records and politically exposed persons.
Storage of all printed and digital information should be subject to restricted access for authorized and supervisory personnel only. Personal tax information and social security numbers on printed materials should be rendered illegible (blocked out) before the files are saved or stored. The files should be encrypted when stored digitally. After working hours, confidential client information should be securely stored and locked away. With senior management oversight and approval, different levels of access can be established to safeguard investor profiles and activity. With respect to client/investor information, whether electronic or in physical form, access should be limited to a minimal number of users on a “need to know” basis.
Encryption of sensitive data adds an additional layer of security. Though it’s not foolproof, it presents added hurdles in case of a security breach. With the various encryption technologies available in today’s market, data encryption can present potential operational challenges such as the restoration of encrypted backed-up files when dealing with outdated encryption software. Organizations will need to evaluate all possible consequences of encryption and consider the long holding periods required to retain client records.
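The two controls above (masking tax identifiers before a record is filed, and encrypting stored files in a way that still lets them be restored years later) can be put together in a small storage routine. The following is an added example, not code from the article or from any vendor it describes. It masks SSNs and EINs down to their last four digits, wraps the record in an envelope whose header records the algorithm label and key id, and reports which stored files the current software or key ring can no longer open, which is the check a firm wants to run before retiring an old cipher or key. The cipher itself (an HMAC-SHA256 keystream with a separate HMAC tag, built only from the Python standard library) is an assumed stand-in for a vetted AEAD such as AES-GCM from a maintained library; the sample record, the algorithm label and the key ids are constructed.

```python
"""Redact tax identifiers and file investor records in a self-describing encrypted envelope.

Added example, not the article's own code. The HMAC-SHA256 counter-mode stream cipher
is an assumed stand-in for a vetted AEAD; the point is the header, which records the
algorithm label and key id so that an old backup can be identified and re-encrypted
before the software or key that wrote it is retired.
"""
import base64
import hashlib
import hmac
import json
import os
import re

# Constructed sample record (fictional investor, fictional identifiers).
SAMPLE_RECORD = (
    "Investor: Jane Q. Public\n"
    "SSN: 123-45-6789\n"
    "Entity EIN: 12-3456789\n"
    "Subscription: USD 250,000\n"
)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")   # 123-45-6789
EIN_RE = re.compile(r"\b\d{2}-\d{3}(\d{4})\b")    # 12-3456789

ALG = "hmac-sha256-ctr/v1"  # assumed label for the stand-in cipher


def redact_tax_ids(text: str) -> str:
    """Mask SSNs and EINs down to the last four digits before the record is filed."""
    text = SSN_RE.sub(r"***-**-\1", text)
    return EIN_RE.sub(r"**-***\1", text)


def _subkeys(master: bytes):
    """Derive independent encryption and MAC keys from one stored master key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC(key, nonce || counter) blocks concatenated into a keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def seal(plaintext: bytes, key_id: str, key_ring: dict) -> dict:
    """Encrypt and authenticate; the header names the algorithm and key used."""
    enc_key, mac_key = _subkeys(key_ring[key_id])
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = {"alg": ALG, "kid": key_id}
    aad = json.dumps(header, sort_keys=True).encode()  # header is covered by the tag
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return {**header, "nonce": _b64(nonce), "ct": _b64(ct), "tag": _b64(tag)}


def open_envelope(env: dict, key_ring: dict) -> bytes:
    """Verify and decrypt; fail with a specific reason when restoration is not possible."""
    if env["alg"] != ALG:
        raise ValueError(f"unsupported algorithm {env['alg']}: needs the software that wrote it")
    if env["kid"] not in key_ring:
        raise KeyError(f"key {env['kid']} is no longer on the key ring")
    enc_key, mac_key = _subkeys(key_ring[env["kid"]])
    nonce, ct, tag = (base64.b64decode(env[k]) for k in ("nonce", "ct", "tag"))
    aad = json.dumps({"alg": env["alg"], "kid": env["kid"]}, sort_keys=True).encode()
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def restoration_gaps(envelopes: dict, key_ring: dict, supported_algs=(ALG,)) -> list:
    """List stored files that the current software or key ring cannot restore."""
    gaps = []
    for name, env in envelopes.items():
        if env["alg"] not in supported_algs:
            gaps.append((name, "algorithm retired"))
        elif env["kid"] not in key_ring:
            gaps.append((name, "key missing"))
    return gaps


def store_record(text: str, key_id: str, key_ring: dict) -> dict:
    """Redact, then encrypt: the stored copy never carries a full tax identifier."""
    return seal(redact_tax_ids(text).encode(), key_id, key_ring)


if __name__ == "__main__":
    ring = {"k2016": os.urandom(32)}                     # constructed key ring
    env = store_record(SAMPLE_RECORD, "k2016", ring)
    print(open_envelope(env, ring).decode())
    legacy = {"alg": "legacy/v0", "kid": "k2009", "nonce": "", "ct": "", "tag": ""}
    print(restoration_gaps({"a.json": env, "b.json": legacy}, ring))
```

Running the inventory (`restoration_gaps`) over an archive before a key or cipher is decommissioned turns the restoration problem described above into a finite list of files to re-encrypt, rather than a discovery made years later when a regulator asks for the record.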
In light of the current compliance environment, the various layers of security and proper risk governance allow for peace of mind and mutual benefits to all parties involved. With or without an enforced regulatory framework, safeguarding of sensitive information has become a priority to the financial services industry.
Asset Management Intelligence - Q3 2016