What Is A Responsible Officer Anyway?

The clue really is in the name. It’s an ‘officer’ of the company (typically a director), and they must be ‘responsible’.

Of course, that doesn’t say much, does it?

When it comes to FATCA and QI regulations, the responsibilities of these officers are defined clearly in the QI and FFI agreements, as well as referenced directly in the regulations themselves.

It’s important to remember here that this isn’t a game. These are legally binding contractual obligations that your firm is responsible for, and you as the appointed Responsible Officer are the person named by your firm to take on those obligations on behalf of the company.

These two frameworks are also part of anti-tax evasion rules, so you don’t get to just palm these off on the lower echelons. The very same QI and FFI agreements that specify your firm’s obligation to appoint an RO also define what a reportable breach of those agreements is, which in our experience are typically material failures and events of default. So here’s the question, are you the right person to take on this role?

The Importance of Authority

It’s amazing how many financial firms don’t grasp the importance of the responsible officer position, and it’s even more surprising how many responsible officers we come across don’t actually meet the standard of responsibility. So let’s recap.

The standard for a responsible officer is expressed as someone with ‘sufficient authority’ to enforce the terms of the contract on the organisation. Another reason this can’t be delegated to someone else, and why responsible officers are often directors, or at least heads of departments. But there is a problem here – and that’s that most financial firms are, to one extent or another, siloed. Their management structures only meet at the very top of the organisation, and to be blunt, the people at the top might know the big picture, but they have very little knowledge of what goes on at an operational level. The people at the operational are siloed too, which means they will usually know what’s going on in their own department, but may not understand why they’re required to do something, and have little or no knowledge of specific QI or FATCA regulations. They will also have limited knowledge of what goes on anywhere else in the business, and certainly have no authority over it!

The IRS’s solution to this is not to solve it at all – but to put the responsible officer on the hook in the contract.

For example, in the QI contract the operational cycle consists of 4 components:

1. Documenting account holders – which impacts client onboarding, annual account reviews and KYC.
2. Withholding of tax – which involves the income distribution of the corporate actions function,
3. Depositing of tax to the US Treasury – which involves the finance department.
4. Reporting – which for most institutions is now a department in its own right, or a part of a compliance function.

All of these operational components are connected. So, if your firm makes a policy (onboarding Americans for example), or makes a procedural mistake (failing to properly validate a tax form) in one area, it will likely affect every other area. It may even expose the firm to regulatory obligations and risk that they didn’t think they have, and that other area might not even know about because it’s not in their silo.

This is one of the big reasons a responsible officer must not just have top-level authority, but also enough knowledge of the detail to be able to assess whether the QI contract and/or US regulations are being adhered to or not.

In our experience, many responsible officers come to this role without sufficient knowledge of what it entails. Sometimes it’s just that they drew the short straw because no one else wanted the job – which is hardly a great motivator to do a good job. It’s also often seen as an adjunct to an existing role (i.e., it’s not a full-time role but an add-on to someone’s day job). In small firms this might be OK, but in larger firms it absolutely will not pass muster. The role often ends up being added to a compliance department function in this case, but even here the existing regulatory load imposed on financial firms is so high that the US securities marker, which usually only represents a portion of the firm’s business, and it rarely gets the attention it requires.

So What Does It Take?

The big question now is, can you tick all of these boxes, not just at a strategic level, but at a control and detail level? Here’s what you have to have.

The first thing is a written compliance document that describes how the firm will:

• Meet its contractual obligations to document your client’s tax status and any claim of treaty benefits. And no, you can’t rely on KYC procedures for this.
• Withhold tax or arrange for it to be withheld by a financial counterparty on corporate action events.
• Deposit with the US Treasury and
• Report on forms 1042-S, 1042 and 8966 (FATCA)

It’s important to understand that you can outsource or delegate some of these activities – like depositing tax. But you cannot outsource or delegate the legal responsibility. You’re still on the hook for delegated tasks.

What Should Be In Your Compliance Program?

The content and quality of the compliance program document will vary depending on the types of clients and financial products your firm offers, along with the risk policies your firm adopts.

In these documents a policy is a firm and well-defined statement of how the firm wants to react to a given situation. For example, do you allow Americans to open accounts? The policy will be a simple yes or no. A procedure is a detailed explanation of how and what happens to enforce that policy. To carry on our example, if you don’t allow US account holders, how do you know that your account holder isn’t an accidental American? How did you protect the firm against this type of occurrence?

Procedures each have 4 components:

• Owner
• Trigger
• Activity
• Output

A Compliance Program should identify who is responsible for a procedure and what triggers it. Once triggered, it details what activity takes place and what the possible outcomes are from that activity. There can be several procedures associated with any one policy. Some might be triggered by the output of another procedure, which is how the Presumption Rules work.

Most importantly, understand that as a responsible officer you’ll probably need to involve people from several departments to get your Compliance Program drafted. If our experience is anything to go by, what other people think you do is not the same as what you actually do, and the difference between the two (and what the regulations say you can and can’t do) can easily trip you up. Just remember, as a responsible officer you’re the IRS’s eyes and ears, and the Compliance Program is their control and oversight mechanism that you’re contractually obligated to use.

Train and Explain: Once you’ve got your policies and procedures written and approved, you might think you have some time to sit back and relax. You would be wrong. Now, you have to train the relevant staff, explaining the content of that document so that they know what to do and when. We’ve conducted a number of independent Assessments of Effective Controls (also called an AoEC), and found that some staff didn’t even know there was a Compliance Program – let alone what was in it. Instead, they got their information by word of mouth from their line manager.

Technology Is Your Friend: A responsible officer also has a technology dimension, because most firms have computer systems that store and manage data, documentation and processes. The responsible officer has to have a good working knowledge of which systems are involved, as well as having a monitoring procedure in place to be advised if there are any significant IT changes about to take place (even without regulatory change). Equally, if the regulations do change, even without technology change, the responsible officer must be able to raise these issues with IT management so that the systems are always doing the right thing at the right time. This can be as simple as a change in the version number of a W-8. If you’re using a digital substitute, it has to be the right version, and you only have 6 months from the release of a new form to it being mandatory for daily use – including any data or functional changes in the new version.

Raising Concerns: The US regulations also require a specific procedure for people in the organisation to be able to raise a concern about the firm’s compliance to its QI agreement. That’s how important the IRS believes this is. Many firms point to their whistleblower policy for this, but that’s very different from raising a concern. Whistleblower policies merely protect the employee from being mistreated or fired because of the issue they raised. A raising of concern procedure should do that too, but also include a review process that’s run by the responsible officer to identify the type of potential failure, its importance to the firms’ contractual obligations and a remediation process to make any needed changes.

Absolutely all of this stands firmly at the responsible officer’s door. You can’t put your name on the IRS QAAMS web portal, or on a W-8IMY as the Responsible Officer, and think that you can point to someone else if anything goes wrong. Having good intentions will not cut it, and the buck stops with you.

If you’re not sure everything is up to scratch, there are a few things we can do to help. We can perform an Assessment of Effective Controls, which gives you a detailed report on how well your controls are implemented and where to improve. You can also sign up to our Tax Compliance Toolkit^tm to use the Compliance Program Builder, which will help you start building a proper compliance program. Or if you have any questions, just get in touch with the team at TConsult today.