Centenal’s Zac Lucas Urges Singapore’s Wealth Management Community to be CRS Audit Ready

Zac Lucas, Founder and Head of Legal at Centenal, which is based in Singapore, gave an in-depth presentation to focus delegates minds on some worrisome, but extremely topical matters including CRS anti-avoidance, private client financial crime and regulation. He took the audience through the necessary review process and procedures for financial institutions, and the requisite audit process and risk management requirements. Be vigilant and be ready, Lucas implored, because a brave new world of regulation, compliance and supervision is here, and is now.

Lucas opened with explaining that as a proud sponsor of the Hubbis Compliance in Asia Forum 2020, a core mission at the event was to highlight the risk of not sufficiently preparing for the upcoming CRS audit assessment process, which is now live in Singapore. He warned the audience that if they ignore the requirements and the implications, they do so at their peril, as the regulators and authorities are ever more vigilant.

Steps to passing the CRS audit

He explained that his talk would therefore cover the context of the audit assessment, and then, wearing a Singapore hat, how the jurisdiction has translated that into domestic guidance. He said he would close the talk with the risk management processes that financial intermediaries will need to have in place, should an inspector demand an audience.

He reported that the guidance for Singapore was out since middle of last year (2019), and that some jurisdictions, for example the Channel Islands, have moved to implement the CRS Anti-Avoidance Mandatory Disclosure Rules (MDR).

Time waits for no FI

Looking forensically at the CRS audit, he pointed out that this has been telegraphed for over a year and is based on the Global Forum Terms of Reference. He noted that the latest annual OECD update on the implementation of the CRS also contains guidance on the sort of framework the Global form will assess when conducting their CRS Peer Reviews. He noted that Singapore had offered robust guidance. “This is very comprehensive,” he said, “if you are involved in multiple jurisdiction reporting, you will likely find that the Singapore guidance will be replicated in other jurisdictions.”

With that, he delved into more detail on the preparation for the first audit assessment, pointing out that FIs can use the framework to stress test their preparedness, particularly looking for areas on which they will likely fail. “Look for areas you are weak on,” he advised, “and you can then start to remediate those. I actually think the area of greatest non-compliance will be because of an inadequate risk management strategy, so you might have documented process management, but robust CRS risk management procedures will be lacking.”

Trusting the inputs

Lucas then went into considerable detail on the inputs. The first step would be the original implementation, or how the FI translated its entire client base to a CRS compliant status. “Your new accounts and client onboarding, the process and procedures that you have got behind those will likely be looked at in the first phase of the audit,” he explained. “Then they would cover monitoring, in other words how do the FIs actively monitor the financial accounts, because client circumstances change, and we know that a lot of monitoring hasn’t been done properly.”

He pointed to account closure, which he said is a broader topic than it might seem, as it can cover things like people passing away, or a financial institution such as an investment entity losing its FI status and becoming perhaps a passive entity, or maybe a Singapore trust migrating for example to the Channel Islands or the US, each of which could give rise to a universal closure of the relevant equity interest accounts.

Have you got closure?

“The audit process will require you to define your policies as to how you view an account closure,” Lucas stated. “And they will want to see proof of the FI’s monitoring and updating of any relevant regulatory and legislative changes because any such changes may have an impact internally and externally. And staff competency is an important area to address, staff need specific and ongoing CRS training.”

He pointed also to avoidance risk management. “What have you been doing to try and manage CRS avoidance, from the RM level, straight through to the clients, and of course the service lines that you work in. The audit will focus on that area as well. Moreover, they will look at business and operations, for example looking at major business changes like a new IT infrastructure, how you manage data, and so forth.”

And finally, he said that if the FI is centralising reporting outside of Singapore, or through a third-party entity, they will need to justify and show their internal governance of all these areas, the risk management, process management, and the capacity. “You will need to show some governance oversight,” he cautioned, “and not just the service agreement and the fee costs.”

The integrated approach

He also advised that firms adopt an integrated approach, whereby the CRS process management and risk management ought to be embedded into the AML documents and procedures.

Lucas gave the audience considerably more detail on areas that will be assessed such as account segmentation, Client lifecycle management, change in circumstances, account closure guidelines, self-certificate guidelines, document retention guidelines, processing management, and report preparation and verification.

“Remember,” Lucas advised delegates, “these are all processes and procedures that if your entire compliance team weren’t there and a new team were brought in, it could just continue working.”  In other words, transition risk must not exist, the FI cannot rely on one or a few people internally, it has to be cast-iron processes and systems holding the whole thing together.

The deer in the headlights

He then shifted the focus to risk management, an obvious area, but one Lucas observed on which FIs tend to drag their feet. He explained that the integrated AML/CRS manual ought to have a risk framework, with the risk assessment committee triggered on particular events.  “The basic goal here is avoidance detection and prevention. Not yet in Singapore, but already in the EU is the MDR - Mandatory Disclosure Rules – that highlight specific hallmarks of avoidance behaviour that the OECD is aware of,” Lucas explained. “These give us a great map for the risk assessment committee. Key areas are staff competency, new client onboarding risks, tracking changes in circumstance efficiently, flags relating to account closures, internal audits for CRS, in other words, have they been done, and some other key areas.”

All these elements can then be put into a comprehensive output summary, representing full, accurate, up-to-date reporting that can be handed over in the audit. “Singapore is working closely with numerous jurisdictions,” he noted, “so if you discover that you should have been reporting a client and you haven’t been doing it, you are encouraged to immediately report it because under the treaty obligations Singapore has in place, it must immediately exchange. Full and accurate records are always essential.”

The lifecycle

He further explained that for CRS purposes, a FI either has an individual account holder, or an entity account holder with controlling persons. “You will need a defined sequence of events within the lifecycle of any of these client files, including identification, classification, monitoring, reporting, and then closure, in other words the classic lifecycle of a file,” Lucas elucidated. “What you will need to demonstrate is you have the process and risk management frameworks during each of those lifecycle elements. If the auditors pull a file, all these elements must be in place.”

Lucas stepped back somewhat from the rigours of the implementation to comment that FIs are not actually supposed to evolved into private investigators, they are not supposed to be proactively searching out trouble but are supposed to be able to spot anomalies and be efficiently reactive as a result. “The basic premise here is that it is a reactive standard with regard to change in circumstances and then monitoring, so the way you demonstrate it to an inspector is to have conducted sufficient training and show procedures are well set in place.”

Raise the flags

Lucas also advised FIs to make sure they have a clear handle on the OECD residence blacklist – that is jurisdictions indicated by the OECD to pose a high risk with respect to their various residence and citizenship by investment schemes, clients from these jurisdictions would need to undergo additional residence related questions. Similarly, awareness of certain structures for holding wealth and issues around controlling shareholders and economic substance need to be carefully assessed by the FIs, from a risk management perspective.

“If, for example,” he explained, “you have a structure that is fully reportable and then there is a change of circumstance that reduces the reportability, you should at least obtain a risk assessment committee view on whether or not the change was motivated by a CRS avoidance motive,” he advised. “If it had a commercial outcome then you are fine, but if it had a CRS motivated outcome then you need to document it.”

Lucas noted that another issue the inspector might look at is how distributions from trusts are structured. “You must be careful,” he warned, “if there is any indication of the method of distributions being adapted in order to avoid any CRS reporting trail.”

Looking under the rocks

His final comment was to implore the FIs present to remember that CRS sits on top of AML financial crime legislation. “The idea behind this is if your clients are motivated to avoid the CRS, it is probably giving the lie to a deeper issue,” he warned, “and that deeper issue will be obviously the financial crimes legislation, more particularly for our region will be tax evasion. We saw in various recent tax amnesties how much money was held irregularly. So, let’s not be naïve about some of the motivations for client structuring their wealth in an international financial centre.”

His final word was to exhort the delegates to focus on all these key areas, and be well prepared for the CRS audits and therefore proactively prepare for a new transparent and robustly-supervised future.

Centenal and its CRS Expert

Zac Lucas is Founder and Head of Legal at Singapore-headquartered Fintech Centenal, which he set up in 2017 to help financial institutions overcome the many onboarding, data monitoring and reporting requirements imposed by the rollout of the OECD’s Common Reporting Standard (CRS) across the globe.

Three years on and Centenal now has a number of FIs integrating Centenal’s patented CRS Expert software, which the firm trademarked as its CRS compliance software solution back in 2017.

“Anyone professionally involved in the fiduciary or corporate service industries must understand and apply the CRS correctly,” Lucas told Hubbis recently, “and this means a great opportunity for us with our CRS Expert solution. The software is designed precisely to make it dramatically easier for FIs here in Singapore, and around the world, to comply internally and externally with the many demands imposed by the CRS.”

CRS is an information standard for the Automatic Exchange of Information (AEOI) regarding bank accounts on a global level, between tax authorities, which the Organisation for Economic Co-operation and Development (OECD) developed in 2014. Its purpose, very simply, is to combat tax evasion.

CRS Expert provides an integrated end-to-end solution for financial institutions (FIs) who are subject to reporting obligations under the CRS, which is in effect every reputable FI from every legitimate and compliant jurisdiction across the globe. CRS Expert, in a nutshell, was created to reduce the time, cost, risk and complexity involved in complying with CRS.

The software provides functionality across each stage of the CRS reporting cycle, including onboarding, monitoring and reporting. The visualised graphical user interface combined with CRS and ultimate beneficial owner (UBO) computational algorithms allow users to take advantage of many key features that will make them more efficient and compliant.

These features include centralised compliance and data management; automated CRS analysis; automated UBO analysis; integrated CRS/UBO analysis; centralised CRS/UBO monitoring including automated change analysis; automated CRS XML conversion; and exportable CRS XML reporting.

CRS Expert has in its current form evolved significantly from the original concept Lucas had back in 2016/7 and is now far more than the analytical tool it was designed as, and now offers a fully end-to-end software solution, taking the FI from client on-boarding through data monitoring and updating and through to end reporting to the relevant tax authorities.

Centenal’s target clients comprise trust companies, boutique private banks and asset managers of varying sizes, or indeed any financial institution subject to the CRS regulations in the more than 104 countries that have implemented it. That equates to around 400,000 financial institutions, reporting an estimated 1 billion accounts a year, mostly using a semi-manual process.

“We would, of course, bring tremendous efficiency gains to the CRS compliance function for any of these FIs,” Lucas explained. “The resultant advantages are many, especially the more accurate, productive, efficient and cost-effective use of what are nowadays increasingly costly compliance resources.”