On May 11, 2016, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) published its long-awaited Final Rule regarding the customer due diligence (“CDD”) requirements under the Bank Secrecy Act for banks, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities (collectively, “covered financial institutions”).1 The Final Rule requires these covered financial institutions to identify and verify the natural persons behind legal entity customers (beneficial owners), subject to certain exemptions. The new CDD requirements present significant compliance challenges for covered financial institutions. Accordingly, compliance with the Final Rule is not mandatory until May 11, 2018 (the “Applicability Date”), approximately two years after its effective date of July 11, 2016.

The Final Rule takes into account many, but not all, of the comments received in response to the Proposed Rule.2 At a high level, the Final Rule requires:

  • Consistent with the Proposed Rule, covered financial institutions must conduct CDD on certain legal entity customers that open new accounts going forward from the Applicability Date.
    • FinCEN considers CDD as consisting of the following four elements: (1) identifying and verifying the identity of customers; (2) identifying and verifying the identity of beneficial owners of legal entity customers; (3) understanding the nature and purpose of customer relationships; and (4) conducting ongoing monitoring for reporting suspicious transactions, and, on a risk-basis, maintaining and updating customer information.  Under FinCEN’s existing rules, the first element of CDD is already satisfied by the existing customer identification program (“CIP”) requirements of covered financial institutions, and the third and fourth elements are described by FinCEN as “already implicitly  required for covered financial institutions to comply with their suspicious activity reporting requirements.” According to the Final Rule, the only new requirement is the obligation to take explicit steps to identify and verify the identity of the natural persons who are the beneficial owners of legal entity customers.
    • The definition of beneficial owner remains unchanged and includes both an individual who owns more than 25 percent of the equity interests in a company and a single individual who exercises control.
  • Covered financial institutions must collect information on beneficial owners of legal entity customers when an account is opened, either using the model form included with the Final Rule or taking other steps to collect the same information, provided the individual providing the information makes a representation that, to the best of his or her knowledge, the information provided is complete and correct. Covered financial institutions can rely on the information provided by the customer (provided that it has no knowledge of facts that would reasonably call into question the reliability of the information).
  • Covered financial institutions must use CIP procedures to verify the identity of beneficial owners of legal entity customers, although the procedures for CDD need not be exactly the procedures for CIP. Moreover, unlike the CIP rule, the covered financial institutions can rely on copies of documents. As with the CIP rule, covered financial institutions may rely on the performance by another financial institution (including an affiliate) of the beneficial ownership requirements of the Final Rule, as long as the same criteria are met.
  • Covered financial institutions are not required to update beneficial ownership information on a periodic or ongoing basis, but only on an event-driven basis, when in the course of their normal monitoring they detect information about the customer that may be relevant to assessing the risk of the customer.
  • FinCEN clarified the definition of “legal entity customer” to mean “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction, that opens an account.” This definition would not include sole proprietorships, unincorporated associations or trusts (other than statutory trusts created by a filing with a Secretary of State or similar office).
  • The Final Rule adopts all of the exclusions from the definition of “legal entity customer” that were listed in the Proposed Rule,3 and adds several others:
    • A bank holding company, as defined in section 2 of the Bank Holding Company Act of 1956 (12 U.S.C. § 1841), or savings and loan holding company, as defined in section 10(n) of the Home Owners Loan Act (12 U.S.C. § 1467a(n)).
    • A pooled investment vehicle that is operated or advised by a financial institution excluded under this paragraph.
    • An insurance company that is regulated by a state.
    • A financial market utility designated by the Financial Stability Oversight Council under Title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.
    • A foreign financial institution established in a jurisdiction where the regulator of such institution maintains beneficial ownership information regarding such institutions.
    • A non-U.S. governmental department, agency or political subdivision that engages only in governmental rather than commercial activities.
    • Any legal entity only to the extent that it opens a private banking account for non-U.S. persons that are subject to FinCEN’s private banking account rule (31 C.F.R. § 1010.620).
    • Non-excluded pooled investment vehicles, such as non-U.S. managed mutual funds, hedge funds and private equity funds: Covered financial institutions would be required to collect beneficial ownership information under the control prong only (e.g., an individual with significant responsibility to control, manage or direct the operator, adviser, or general partner of the vehicle).
    • Charities and nonprofit entities: Covered financial institutions would be required to collect beneficial ownership information under the control prong only.
  • Covered financial institutions are exempt from the beneficial ownership requirement with respect to certain new accounts solely used to finance the purchase of postage, insurance premiums or leasing of equipment, and certain private label credit card accounts.
  • Covered financial institutions must maintain records of any identifying information obtained regarding the beneficial ownership, including the certification (if obtained), for five years after the date the account is closed. Covered financial institutions must also maintain records of a description of any document relied on, of any non-documentary methods and the results of any measures undertaken, and of the resolution of each substantive discrepancy, for five years after the record is made.
  • In addition, the Final Rule adopts a new “fifth pillar” of the AML program, which requires appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not limited to: “(i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”
    • The term “customer risk profile” is used to refer to the information gathered about a customer to develop the baseline against which customer activity is assessed for suspicious transaction reporting, and may include information such as the type of customer or type of account, service or product, and may, but need not, include a system of risk ratings or categories of customers.
    • Financial institutions are required to conduct ongoing monitoring to identify and report suspicious transactions and conduct a monitoring-triggered update of customer information. When a financial institution detects information about the customer in the course of its monitoring that is relevant to assessing risk, including a change in beneficial ownership information, it must update the customer information, including the beneficial ownership information.
    • FinCEN views the fifth pillar as an explicit codification of existing expectations. Apparently, covered financial institutions do not have until the Applicability Date to implement the requirements set forth in the fifth pillar. According to the preamble to the Final Rule, “current industry practice to comply with existing expectations for SAR reporting should already satisfy this proposed requirement.”4

As a companion to the Final Rule, the Treasury Department also sent a letter to Congress encouraging the adoption of legislation that would require U.S. companies to compile beneficial ownership information at the time of their creation, disclose beneficial ownership information to the states at the time the company is created, and file such information with the Treasury Department for use by law enforcement.5