FIBA 2014 AML Compliance Conference

Transcription

1 FIBA 2014 AML Compliance Conference Customer Due Diligence and Beneficial Ownership: Almost Two Years After the Advance Notice of Proposed Rulemaking Miami, Florida February 21, 2014 James Cummans Vice President, BSA/AML Operations TCF Bank Sarah K. Runge Director, Office of Strategic Policy, Terrorist Financing and Financial Crimes U.S. Department of the Treasury James D. Stubbs Managing Director, Deputy Head of AML Citigroup Kimberly Rhodes SVP, Director AML Compliance SunTrust Bank Alfredo Aguila Head of Compliance for Global Private Banking, Asset Management and Insurance Santander Group, Spain Amy G. Rudnick Partner Gibson, Dunn & Crutcher LLP

2 2 Overview Part I The Current Regulatory Framework and Risk-Based Approach to Customer Due Diligence The Approaches of Different Banking Organizations Compliance Organizational Structures CDD Policies and Programs Risk Scoring and Assessments Due Diligence Processes and Procedures Beneficial Ownership and Controlling Persons

3 3 Overview Part II The Advanced Notice of Proposed Rulemaking Current Status and Process Take-Aways from Comment Letters and the Regional Roundtable Meetings Key Issues and Challenges A Risk-Based and/or A One-Size-Fits-All Approach Beneficial Ownership Definition Verification: Ownership vs. Identity Self Certifications Exemptions

4 Customer Due Diligence & Beneficial Ownership James Cummans VP-BSA/AML Operations Minneapolis, MN

5 TCF National Bank Overview $18.4 Billion in assets Eight States (Minnesota, Illinois, Michigan, Colorado, Wisconsin, Indiana, South Dakota, Arizona) 430 Branches Provide commercial leasing and equipment finance in 50 states, commercial inventory finance in the U.S. and Canada and indirect auto finance in 40+ states 2.6 million customers (TCF and subsidiaries) 5

6 TCF Financial Intelligence Unit Structure Financial Crimes Control Services (Loss Prevention) Anti-Money Laundering Investigations Customer Due Diligence (OFAC, BSA Closure List, PEP, 314(a), etc.) Enhanced Due Diligence (High Risk Monitoring) BSA Program Governance Quality Control New Account Screening (CIP Validation) BSA Technology LE Team 6

7 TCF Bank Financial Intelligence Unit Executive Vice President Chief Risk Officer Senior Vice President BSA/AML/OFAC Officer Executive Assistant Vice President BSA/AML Operations Vice President FCCS Operations Vice President Program Governance Manager CDD, EDD, New Acct Openings Manager FCCS Manager Program Governance Manager BSA Investigations Manager Program Governance Manager Law Enforcement & Closure Trainer Program Governance Manager Technology & Projects 7

8 TCF Bank Financial Intelligence Unit Customer & Enhanced Due Diligence VP BSA/AML Operations Manager Customer & Enhanced Due Diligence Supervisor New Account Screening Supervisor CDD / CTRs Supervisor EDD Stage 1 Supervisor EDD Stage 2 NAS Investigator 12 Analysts CDD Team Lead 7 Analysts CTRs 4 Analysts CTR Quality Control 1 QC Document Retrieval 1 Analysts AML SAR Team 2 QC EDD Stage 1 10 Analysts EDD Stage 2 10 Analysts EDD Quality Control 2 QC 8

9 CDD & Managing Customer Risk CIP verification through independent sources & tools Individual and account level questions scored = combined score List screening (OFAC, BSA Closure list, PEP, 314(a), etc.) Review of risk scoring (individual and account level) Closure team, monitoring after determination of risk level, downgrade, escalation to AML, questionnaire Deposit and non-deposit risk ranking

10 CDD Process Alert Verification - CIP - ID Type - Citizenship/Country - Wealth & Occupation - CTR Exemption - Primary reason for escalation (review of scoring template) - Geography (do not bank transactional accounts outside our profile, include HIDTA/HIFCA scoring) - Occupation - Source of wealth - Purpose of the account - Scoring of all individuals affiliated with the account(s) - Prohibited account questions (ends acct. opening TPPP, MSB, international car shipping, medical marijuana) - Place of business - Type of Business Formation - Length of business establishment - Anticipated activity questions Banking profile - Account Titles - Type - Balance - Opening Dates - Line of Business - Purpose - Signers/ Borrowers/ Guarantors/ Beneficial Owners - Conducted for open and closed relationships 10

11 CDD Process continued Customer profile reputational risk/negative news screening Product/Account anticipated activity analysis and analyst narrative Questionnaires (specific or product based) Analyst decision QC Management review Risk level and review intervals assigned Ongoing due diligence of downgraded customers (medium or low) Closure process Map scoring to suspicious account monitoring systems 11

12 CDD/EDD Alert types System new account opening Upgrade, downgrade Internal referral (SAR, list screening, >2 SAR report, etc) Law enforcement (314a match, GJS, NSL, request to maintain relationship) Ongoing monitoring report Interval reviews 12

13 Risk Levels and Review Intervals Low actual activity reviewed every 6 months via ongoing monitoring report Mod actual activity reviewed every 6 months via ongoing monitoring report High Low annual comprehensive review High Mod annual comprehensive review and 6 month periodic review (periodic may be limited or comprehensive depending upon analysis) High High annual comprehensive review, 4 month periodic review (periodic may be limited or comprehensive depending upon analysis) 13

14 Beneficial Ownership Utilizing the proposed rule making definition: an individual who has a level of control over, or entitlement to, the funds or assets in the account that, as a practical matter, enables the individual, directly or indirectly, to control, manage or direct the account. Shareholders at 25% or > Account owners/signers/controllers at 100% High risk customers (as defined by TCF) at 100% For all beneficial owners we plan to apply a CIP standard Differentiate in our customer databases/mainframe to identify who has release of information rights, mailing, disclosures and transaction rights Go forward or maintenance interaction only at this time 30 day response request letter to beneficial owner to provide full CIP w/ account restriction until supplied 14

15 SunTrust Bank Customer Due Diligence Beneficial Ownership 2 years after ANPR, FIBA Conference February 2014 Kimberly Rhodes BSA/AML Director SunTrust Bank 303 Peachtree Street, N.E. Atlanta, Ga

16 About SunTrust SunTrust Banks, Inc. (the Company ) is a regional financial institution, servicing a broad range of consumer, commercial, corporate and institutional clients. As of December 31, 2013, SunTrust had total assets of approximately $175 billion and total deposits of approximately $130 billion. Through its flagship subsidiary, SunTrust Bank, the Company operates an extensive branch and ATM network throughout the Southeastern and Mid-Atlantic United States and a full array of technology-based, 24-hour delivery channels. The Company also serves clients in selected markets nationally. Its primary businesses include deposit, credit, and trust and investment management services. Through various subsidiaries, the Company provides mortgage banking, insurance, brokerage, equipment leasing, and capital markets services. #

17 AML Compliance Organizational Structure While establishing policies and broad procedures for conducting customer due diligence is the responsibility of the central AML function in the institution, execution of the customer due diligence is accomplished by each line of business and, specifically, each relationship manager overseeing the relationship with that customer. Procedures differ from sub-line to sub-line, depending upon the level of risk involved. There are several common elements, including gathering basic CIP information and verifying that information; however, requirements for due diligence beyond this depend, in large part, on the product or service being used, the client type and the geographies in which the client operates or the product and service are used. Questionnaires, certifications and, in some cases, indemnities are tailored to meet many different situations. Examples: CIP Checklist for Global Trade Solutions far more extensive than the Know Your Customer Form for personal accounts in retail. #

18 Risk Factors used in Risk Scoring Current Risk Factors Geography physical and permanent residence geographies, headquarters geography, parent company geography, geographies of business activity/operation Products/Services including volumes of expected foreign transaction activity and assets held at SunTrust Client information occupation/industry, length of relationship with the bank, residency status, parent company, entity type, political exposure Future Risk Factors Geography physical and permanent residence geographies, headquarters geography, parent company geography, geographies of business activity/operation Products/Services including expected transaction activity in high risk products & services, and assets held at SunTrust Client information occupation/industry, length of relationship with the bank, residency status, parent company, entity type, political exposure, channel of opening #

19 Risk Scoring and Risk Assessment Maintain a low risk, high risk, automatic high risk and prohibited scale of categorizing clients, products, services and geographies Prohibited customer types include: Any listed SDN or Blocked Person Any entity or individual that is otherwise the target of an economic sanctions program administered by OFAC A shell bank Money Services Businesses ( MSBs ) Politically Exposed Persons ( PEPs ) Casas de Cambio and Exchange Houses Foreign Embassies and Consulates or Foreign Government/Agencies Foreign Financial Institutions located in automatic high risk or prohibited jurisdictions Corporations with bearer shares Telemarketers with accounts through which their customer transactions are processed #

20 Beneficial Ownership Currently, SunTrust uses a risk based methodology for determining levels of beneficial ownership of juridical persons. For example, third party payment processors are an automatic high risk client type and require identification of beneficial ownership at the 5% ownership level. Beneficial ownership information gathered consists of name, country of permanent residence and, if available, physical address. Other automatic high risk client types include foreign financial institutions, non-resident aliens with assets on deposit or managed in excess of $500k and Private Investment Companies. High risk accounts, due to risk scoring, by contrast only require identification of beneficial ownership at the 15% level of equity ownership, but require name, country of permanent residence and, if available, physical address. Future state: SunTrust is automating the RAF/EDD collection process, which will enable SunTrust to begin collecting beneficial ownership for all clients at all risk levels at the 10% beneficial ownership level, with exceptions for those riskier clients that will require beneficial ownership information at lower levels (e.g. third party payment processors, as described above). #

21 Beneficial Ownership Use of Information Verification of Information. The value of beneficial ownership information is, largely, dependent upon the honesty of the person giving you the information. With respect to private companies, the books and records of the company are maintained by the company and may be changed at any time. Even with publicly traded companies, absent expensive surveys, verification of ownership is of transitory value. There is no repository whereby assertions about ownership may be verified or authenticated. Diligence conducted with Beneficial Ownership Information Current state: Scan information against OFAC list and list service to identify PEPs, etc., based on risk level Future state: Scan all information against OFAC list and eventually a list service to identify PEPs, etc. #

22 Controlling Parties and Frequency of Review Controlling parties are considered those that fund an organization. Controlling party information is gathered on a risk basis, e.g. with respect to Non-Governmental Organizations ( NGOs ), due diligence requires identification and review of the top five contributors or grantors to the NGO. Review of the information includes OFAC and World-Check review. Reviews of Due Diligence: Current State: Reviews are done on a periodic (at least annual) basis with respect to high risk clients. Transaction activity can trigger an earlier review for high risk clients or an initial review for low risk clients. Future State: Reviews will be done the earlier of (a) whenever a client uses a new product or service or (b) a predetermined schedule. The schedule for review will be shorter for those clients, products, services or geographies with greater risk; longer for lower risk. #

23 Risk Rating and Transaction Monitoring Current State: Increased scrutiny is given to events and deviations in transaction value and volume monitoring of high risk clients. Future state: Anticipate transaction activity will also trigger outof-cycle due diligence reviews if deviating from the expected activity information gathered from the client at on-boarding. Concern we will monitor: Clients seldom accurately predict expected activity, not for nefarious reasons, but because clients pay little attention to such detail. Concerns that future state monitoring will require excessive infrastructure not commensurate with the risk involved. #

24 Concerns with ANPR Capturing Beneficial Ownership is of very limited benefit As previously mentioned, independent verification of beneficial ownership of juridical entities is an impossibility. There is no public registry of ownership against which to test information received. Books and records are managed by the company itself and, even if the information you review are all the books and records of the company, nothing prevents the company from changing ownership of the company the next day The value of the information is dependent upon the honesty of the person giving the information. Our experience is that those seeking to abuse the financial system tend to be the least honest. Absent a universal rule applicable to banks, those undertaking methods to capture this information are perceived publicly as less customer friendly and those seeking to abuse the system find the path of least resistance. #

25 Global OneKYC Program Citi s global bank for consumers and businesses represents Citi s core franchises. Citi provides products and services to approximately 200 million customers leveraging Citigroup s global network, including many of the world s emerging economies. Citicorp is physically present in approximately 100 countries, many for over 100 years, and offers services in over 160 countries and jurisdictions. Citi serves the broad financial services needs of its large multinational clients and as well as retail, private banking, commercial, public sector and institutional clients around the world. At December 31, 2012, Citicorp had $1.7 trillion of assets and $863 billion of deposits, representing 92% of Citi s total assets and 93% of its deposits. Global KYC Policy

26 OneKYC Program The OneKYC operating model identifies the types of participation across functions in completing the component pieces of Citi s AML Program. 6 Program Management 1 Program Standards Policy Control Standards Global AML Training 5 Control / Oversight Project Management QA 2 Program Design & Maintenance Framework Tools / Tech Training Management & Oversight Issue ID & Resolution Threshold Maintenance Compliance Testing 3 BAU Program Execution CIP CDD / EDD Sanctions Screening Name Screening Periodic Review Risk Evaluation Audit 4 Program Reporting 1 CAPS / Reporting / Metrics Key: Compliance Business Operations Technology Internal Audit Other 1. Policy/Standards, etc are drafted and maintained. 2. Using items defined in Step 1, programs are developed and maintained by the function. 3. Tasks are executed with support from functions. 4. CAPS, reports, and metrics inform Policy, etc. 5. Testing is performed against each function with results informing Program Design & Maintenance and CAPS. 6. Continuous Program monitoring and communication across business sector. Track and resolve issues across Business, functions, regions, escalate as appropriate. OneKYC Program Overview 1 Program Reporting represents tasks for each function in Program Execution, but is called out separately to illustrate interaction with other categories Note: Accountability represented for each function is approximated based on the accountability across all tasks within the subgroup

27 Global OneKYC Policy ICG GCB Consumer Mass Market Higher Affluence Private Client USD10MM - 1MM, RM Ultra High Net Worth Private Client Wealth-holding Vehicles Corp. Not-For-Profit Corp. Xlarge > USD100MM Revenues Corp. Large USD100MM - 25MM Revenues Corp. Medium USD25MM - 2MM Revenues Corp. Small < USD2MM Revenues Financial Institutions - Bank Financial Institutions - non-bank Funds MSB / Corps. Providing Remittance Services Government Embassy Guiding Principle The central guiding principle of the program is to move from current Sector-centric KYC processes and systems to a Clientcentric, One-Bank approach where clients of the same type are treated consistently regardless of which business services them: Today, AML client types are addressed differently based on which business/region owns the client. Client risk-ratings may be different in various countries or business units. Client Categories Individuals Corporations FIs Governments Capital Markets Global Banking Transaction Services Private Bank Retail International Personal Banking Commercial Banking OneKYC Global KYC Policy

28 Global OneKYC Policy AML Risk of Citigroup Customer Base Global KYC Policy Individuals Mass Market Retail Higher Affluence A Customer Categories Across all lines of Business Corporations Small Medium Financial Institutions Banks Non-Banks Govts./Embassies Governments Embassies I Special Customer Handling Includes: Entities with effective Supervision Closely-related and Related Parties WHVs Funds Beneficial Ownership FCBS MSBs Embassy SPFs Bearer Shares Periodic Review Refresh F Private Client Ultra High Net Worth PC Wealth-Holding Vehicles Large Extra Large Not-for-Profits MSBs Funds H Country Appendices Impact to Global Standards due to local law Information Collection Risk-Rating Periodic Review Batch Name Screening Material Changes High-Risk Account Classification G Feedback Loop Due Diligence Standards 1 Yr. 2 Yr. Risk-Scoring Risk-Ratings High E H-H H-M H-L Forms Client Profiling Customer Identification Customer Due Diligence Enhanced Due Diligence Driven by: - Specific Risk Attributes - Risk-Rating Screening B C OneKYC Global KYC Policy 3 Yr.* Medium 4 Yr.* Low Compliance Advisement AML Review of Clients Profiles J Product Profile (PP) - Pre-Product Profile - Transaction Account - High-Risk Product Usage [ Y / N ] - Product Profile - Anticipated Activity - Cash - Monetary Instruments - Wires - Purpose D [ Y / N ]

29 Global OneKYC Policy Customer Due Diligence 5 main due diligence sections: Geography customer s address location, place of business location of wealth planned locations for establishing and conducting banking activity with Citi Client Information name date of birth government ID citizenship source of wealth/funds (business entity, business owner, employee, retiree, or other) net worth/annual revenue availability of audited financial statements information such as co-signors, beneficial owners Reputation The results of screening for negative news. Political Profile Senior Public Figure status Affiliations with government (via approvals or revenue derived from government sources) Product/Account use of high risk products or engage in high risk transactions transactional activity that is significantly out of the norm for client s peer group Third-Party Customer Related Data (beneficiary, spouse, corporate officers, etc.) some third party customer-related information may be requested, including: address, date of birth, government-issued ID number, occupation and source of wealth. Individuals Information on the Individual s assets and personal investments. Entities Information on the locations of the business and the history (source) of the finances. OneKYC Global KYC Policy

30 Global OneKYC Policy The output of the customer risk model-5 customer risk-ratings-impacts Periodic Review frequency and requirements, KYC Program Framework among other controls within the bank s AML Program such as Transaction Monitoring and Risk Assessment. KYC Profile CDD, EDD and Product Profile KYC Profile Maintenance Customer Population Profile Risk Score Risk-Rating Advisement Review Frequency Review Requirements Control Events Client Information Geography High More Levels More Frequent Greater Material Changes (Geography/ Client Information) Citi s customer base subject to KYC program s Risk Scoring framework. Information provided as part of a customer s due diligence record feeds the Customer Risk Model. Risk Model produces a customer risk score. Override rules mandate that certain attributes will automatically be high risk. Customer Population Attributes Political Profile Risk-Score Batch Name- Screening (Political Profile/ Sanctions) 4 5 Risk score converted into risk-rating (High-High, High-Medium, High-Low, Medium, Low). Risk-rating also drives the level of AML advisement or approvals of the customer record to be provided by Compliance at onboarding. Reputation High-Risk Account Identification (Product/ Account) 6 7 Risk-rating drives how often the client record is reviewed. Risk-rating drives the level of content in the review required for the client record. Product/ Account Low Less Levels Less Frequent Lesser 8 In addition, customer base is subject to controls that manually or automatically prompt reviews and updates of customer records as necessary. OneKYC Global KYC Policy 30.

31 Global OneKYC Program Customer Risk Model Risk Models: Five Risk Models under the OneKYC Program, the output being a risk-rating at the customer-level on a five-point scale: Low Medium High-Low High-Medium High-High Individuals Wealth-Holding Vehicles Corporations Financial Institutions Governments/Embassies Client Types: Retail High Net Worth Private Client UHNW Model Sections: Tier 1 Tier 2 Client Types: WHVs (e.g. Trusts, PICs) Tier 1 Client Types: Corps. S ($0-2MM) Corps. M ($2-25MM) Corps. L ($25-100MM) Corps. XL ($100MM+) Not-for-Profits Tier 1 Tier 2 Client Types: Banks Non-Banks MSBs Funds Tier 1 Tier 2 Client Types: Governments Embassies Tier 1 Geography Geography Geography Geography Geography Client Information Client Information Client Information Client Information Client Information Reputation (Risk-Rating of) Associated Individual(s) Reputation Reputation Political Profile Political Profile Political Profile Product/Account Product/Account Product/Account Product/Account Risk Score Scales: Beneficial Low Ownership Med. High Industry Type Length of Relationship Entity Type Share Type Year of Incorporation Tier 2 7.7% 7.7% 5.7% 6.7% 6.7% 3.3% Low Med. High Length of Relationship has an 8.62% weighting Low Med. High Risk-Ratings Review Frequency High Medium H-H H-M H-L Low Med. High 1 Yr. 2 Yr. 3 Yr.* Overrides: Money Service Business Embassies Senior Public Figures Low Med. High Correspondent Banks Private Banking Clients** Bearer Shares OneKYC (8.62 : 5) x 2 = 3.45 pts Low 4 Yr.* *Not applicable to Mass Market Individuals ** RM-Managed & $1MM+ Affluence. 31.

32 Global OneKYC Policy Beneficial Ownership A beneficial owner is any person, including a natural person or an entity, that can exercise some level of control, directly or indirectly through influence or other means, over an account or a non-account product or service (collectively account ) and is not necessarily the same as the named accountholder. For the purposes of this Standard, the term accountholder also includes individuals who are non-accountholders but to whom Citi provides products or services. The Ultimate Beneficial Owner (UBO) of an account is the natural person with actual (i.e., explicit) or effective (i.e., implicit) control over the account 1. Actual control is derived from explicit authority over the account and its assets 2. Effective control may be derived from an individual s role with respect to the account or the accountholder entity, or from a level of ownership in the account assets or accountholder entity that confers such control Effective Control 2(a) Roles that establish actual control through a formal mandate of authority. UBO Executive management 2(b) Roles that may carry no formal mandate of authority but confer effective control through authority of a significant portion of the assets of the entity. Shareholders at 10% or greater ownership 2(c) Roles that carry no formal mandate of authority over, or entitlement to, the assets of an account or accountholder entity, but may still permit the exercise of effective control through influence and other indirect means. Chairman of the Board OneKYC Global KYC Policy 32.

33 Global OneKYC Policy Determining Beneficial Ownership Determine UBO Based Upon Actual Control Client Type Actual Effective PICS Trusts/ Estates Controller of assets Trustee, protector and executor Owner, provider of funds Grantor/settlor, beneficiaries, Documented via a legal document that lists beneficial owner(s) and their ownership percentages Or For medium and low risk entities: information Provided by executive officer, senior compliance officer or legal representative UBOs Full Legal Name OBOs Entity name Verify Structure Collect Identification Information & EDD Determine Other BO (OBO) Determine UBO Based Upon Effective Control Corps Partnerships Government Management control & authorized signors Managing Partners May includes signatories Equity owner, holder of voting rights and/or exercises Limited or equity partners with a vested, not contingent, interest in at least or accountholder entity. n/a Percentage ownership Residential Address or Date of Birth Country of Residence Country of Citizenship Role (e.g. signatory) OneKYC Percentage ownership or company title Registered or official office including country Country of incorporation or affiliation Role (e.g. trustee) Evidence of govt. entity or listed status For 50% UBOs, is a citizen of, resides in a high risk jurisdiction, client is rated high risk and the individuals country of residence differs from the entities formation: UBO s total net worth; Liquid net worth; Total annual income; and Source of wealth. Global KYC Policy Any other entities that exercises a level of control other than the UBO (chain owners) Listed Entity (or majorityowned subs.) * % Effective Ownership 10% All customers 5% S.311 Country / Banks with offshore-banking license n/a 0% Wealth Holding Vehicles n/a * except when the subsidiary is in a highrisk jurisdiction different than the parent 0-10% if required by local laws and regulations Existing Low and Medium Clients Grandfathered (25%) 33.

34 Customer Due Diligence and Beneficial Ownership Alfredo Aguila Compliance Director for Global Private Banking, Asset Management and Insurance February 21, 2014

35 Santander, a leading financial Group 35 9M'13 Total Assets (EUR trillion) 1.19 Shareholders (million) 3.28 Headcount 184,786 Branches 14,561 Customers (1) (million) 103 9M'13 Attributable Profit (EUR million) 3,310 Eurozone largest banks by market capitalisation (2) (EUR bn.) (1) Latest available customer data (2) Data as of October 22, Source: Bloomberg

36 Santander Group s Main Markets 36 USA Branches: 706 Customers: 1.7 mill. Mexico Mkt. Share 1 : 14% Branches: 1,229 Customers: 10.5 mill. Brazil Mkt. Share 5 : 11% Branches: 3,661 Customers: 28.8 mill. UK 2 Mkt. Share 4 : 11% Branches: 1,191 Customers: 25.9 mill. Spain 2 Mkt. Share 1 : 13% Branches: 4,642 Customers: 14.9 mill. Poland 2 Mkt. Share: 9% Branches 6 : 1,021 Customers: 5.2 mill. Chile Mkt. Share 1 : 19% Branches: 488 Customers: 3.3 mill. Argentina Mkt. Share 1 : 9% Branches: 377 Customers: 2.4 mill. Germany Portugal 2 Mkt. Share 1 : 10% Mkt. Share 3 : 14% Branches: 651 Branches: 265 Customers: 2.3 mill. Customers: 6.3 mill. (1) Loans (2) Including SCF business (3) Installment consumer loans (4) Including total mortgages, UPLs and SMEs (5) Unrestricted loans (6) In addition, 100 agencies Note: data as of 30/09/2013 except customer data (latest available)

37 Compliance Governance 37 Board of Directors Secretary General of the Board Global Compliance Director Country Compliance Directors Spain UK Germany Brazil Mexico Division Compliance Directors Global Banking and Markets Consumer Finance Private Banking, Asset Management & Insurance Retail Banking... Unit Compliance Directors

38 Compliance Governance 38 Santander Group has a Corporate Compliance and AML Department in Madrid. It establishes the global policies Ensures policies are adequately implemented in all units Supervises the ongoing compliance and AML programs worldwide Visits all units to verify the AML program. Each country and division has a compliance director and team in charge of managing the compliance programs in their countries and business lines. Tailor the global policy to their jurisdiction and lines of business Each unit within the country and line of business also has a Compliance Director and team in charge of compliance for their specific unit.

39 AML Policy 39 Global Policy: applies worldwide and is more general. Based on EU AML Directives, FATF and Bank of Spain requirements. Country and Business Line (Division) policies: Tailored to the specific country regulatory requirements. Whenever possible, the highest standards apply. Example: USA and Private Banking. Based on BSA requirements. Unit policies: Tailored to the specific unit line(s) of business. Example: BSI-Miami and International Private Banking. Based on BSA requirements.

40 AML Policy Global Program 40 Each Unit has a written anti-money laundering / terrorism financing program that includes policies, procedures and internal controls designed to comply with the applicable laws and the Group policy. a b a b c d Know your customer requirements. Designation of personnel responsible for AML/TF compliance. Compliance with regulatory requirements regarding client documentation, record-keeping and reporting of transactions. Development and implementation of appropriate methods of controls to detect suspicious activity by customers. Gg c d g f e e Reporting of suspicious activity to government authorities in accordance with applicable legislation. f Training programs. g Implementation of quality control systems and internal audit with respect to the AML/TF program.

41 AML Function Santander s Operating Model 41 a b c d e f In 2013, The Santander Group Mexico has developed a Corporate its own AML/TF Operating Operating Model for Model AML/FT. that it tries to replicate in its largest banks. Performs monitoring of clients to identify signs of suspicious transactions Performs comprehensive analysis to identify and report suspicious activities to the authorities Defines strategy and shares relevante AML/TF information Perform preventive and reactive controls to enhance the AML functions Performs periodic visits to units to review AML controls Performs monitoring and controls of the AML / FT function. Institutional Banking SMEs Private Banking Corporate Banking Global Banking Retail Banking Asset Management Capital Markets a c f Strategy and Transaction Intelligence Monitoring b Analysis of suspicious transactions Compliance Division AML / TF UCIF d AML Controls e Supervisory Team Control Room g Manages communication with regulators. h Implements internal audit recommendations. g h i i Shares information to strengthen controls in other Group banks. Regulators Internal Audit Other Group banks

42 AML Unit Risk 42 The risk of ML/TF activity is directly related to the type of business carried out by its units and the products and services they offer. Santander classifies its units and business lines by ML/TF risk, enabling the Bank to tailor policies, procedures and controls to better mitigate such risks. For example: Consumer Finance Low Risk Insurance Low Risk Retail Banking Medium to Low Risk Domestic Private Banking Medium to High Risk International Private Banking High Risk Santander also classifies the countries of jurisdiction of its units by AML/TF risk. At the Corporate level a country may be considered High Risk, but that doesn t mean that the bank in that country has to consider all of its clients as High Risk. For example: Mexico, Colombia

43 Know Your Customer Core 43 All Santander Group units have policies, procedures, and internal controls aimed at obtaining effective and complete knowledge of their customers and their activities, following a risk-based approach. Collection and analysis of basic identity information ( Due Diligence ). Name matching against lists of PEPs and international sanctions lists (EU, OFAC, Bank of England, etc.). Identification of accountholders, POAs and ultimate beneficial owners. Determination of the customer's AML/TF risk. Creation of customer s expected transactional behavior. Monitoring of customer's transactions against their expected behavior, their recorded profile as well as that of their peers.

44 Know Your Customer Risk Rating Customer risk rating is based on various static and dynamic attributes 44 Customer Information Names Official valid ID Official ID Source of wealth/funds (business entity, business Source of wealth owner, employee, retiree, or other) Date of birth Date of birth Economic activity Country of Citizenship Citizenshi p Geography Country of residence / Customer s address Location of client s business Geography Customer s address Location Location of wealth) Sources of funds Customer Segmentation Political Poliitical Profile Connections Retail, Corporate, Lines of Private Business Banking, Santander Select Mexico Banking, etc. PEPs Senior public figure status Affiliations with government (via approvals or Government / Public Sector contracts revenue derived from government sources) High Risk Medium Risk Low Risk Products, Product/ Transactionalit Transactionality yand AUMs Third-Party Media searches Customer and Related reputation Data Type of accountholder (Individual, Corporate, Trust, PIC ) Use of high risk products or engage in high risk transactions Transactional activity that is significantly out of the norm for client s Transactions peer group (payments risk & AUMs and withdrawals) For corporations, other legal entities and some third party customer-related, the deed of Public media searches, background checks, enhanced due diligence information, incorporation must be presented, including information concerning the customer s name, legal form, address, directors, and the corporate bylaws, powers of attorney, entry in the appropriate register or other reliable identifying information. Types of products (savings, checking, investments, international wires, etc.) reputation

45 Beneficial Owner Global Model 45 The Santander corporate policy requires that all Group entities identify and verify identity of all individuals who own or control, directly or indirectly, more than 25% of the equity interest in an entity or that effectively manage or control the entity. Santander applies a risk-based approach: Minimum 25% equity interest for all lines of business, with the exception of: Domestic Private Banking: minimum 25% equity interest for Medium and Low risk clients; 10% for High Risk clients. International Private Banking: 10% equity interest for all clients, regardless of their risk rating. For widely held entities with shareholders who own less than 10%, we ll identify up to 60% of ownership or the top 10 shareholders. We analyze and apply CIP to all entities up the chain. Gradual phase in for Group entities that don t currently comply with these requirements. Tailored to country-specific regulatory requirements.

46 46