In the wake of the Panama Papers controversy, the U.S. government has taken major steps this month to promote financial transparency. First, the Financial Crimes Enforcement Network (FinCEN) finalized its proposed rule issued in July 2014 (see client alert, “FinCEN Proposes Tighter Customer Due Diligence Requirements for Financial Institutions”), requiring banks and other covered financial institutions to identify and verify the identity of beneficial owners behind legal entity customers. The final rule also added a new “fifth pillar” to the anti-money laundering (AML) program rules, which requires appropriate risk-based procedures for conducting ongoing customer due diligence (CDD). Covered financial institutions will have to comply with these new requirements by May 11, 2018 (the Applicability Date).

Second, the Treasury Department proposed legislation that, if enacted, would require all companies formed in the United States to report beneficial ownership information to the Treasury Department.

Finally, the Justice Department submitted to Congress a legislative proposal that would enhance the ability of law enforcement officials to obtain information from domestic and foreign banks so they can investigate and prosecute money laundering. The legislation also would allow the Justice Department to prosecute money laundering linked to a broader set of predicate crimes. These regulatory changes and legislative proposals send a clear message to financial institutions in the United States and around the globe: The U.S. government is taking a tougher stance against money laundering and corruption. Thus, we expect enforcement actions to rise.

Financial institutions should consider the following key takeaways:

FinCEN’s Model Certification Form Will Not Be Required and Will Not Trigger a Safe Harbor. FinCEN dropped its proposal to mandate the use of its model Certification Form to collect beneficial ownership information from customers. Financial institutions will be able to obtain the required information by any means they deem appropriate, such as by using an institution’s proprietary form or directly capturing the relevant data in a customer database. Whichever method is employed, however, the individual opening the account on behalf of the legal entity customer must certify, to the best of his or her knowledge, the accuracy of the information. This change from the proposed rule will reduce the technological and operational changes that institutions must implement to comply with the rule. For example, institutions that already collect beneficial ownership information may continue to obtain and retain this data in the form (paper or electronic) that they have been using, as long as they satisfy the rule’s other requirements. FinCEN also declined to create a safe harbor for those that opt to use the Certification Form.

Institutions Will Be Required to Identify At Least One and as Many as Five Beneficial Owners for Each New Account Opened by a Legal Entity Customer. The rule defines a beneficial owner as each individual, if any, who directly or indirectly owns 25 percent or more of the equity interests of a legal entity customer (the ownership prong) and a single individual with significant responsibility to control, manage or direct a legal entity customer (e.g., chief executive officer, chief financial officer, chief operating officer, managing member, president, vice president) (the control prong). As a practical matter, this means that a financial institution will have to identify one beneficial owner under the control prong, regardless of whether any individual meets the 25 percent threshold. Moreover, institutions will be obligated to collect the required beneficial ownership information every time a new account is opened, even if the customer has other existing accounts for which the institution already obtained such information. Notwithstanding FinCEN’s requirements, financial institutions will have the discretion to identify additional beneficial owners or to establish a lower percentage threshold for beneficial ownership based on their own risk assessment. Accordingly, financial institutions will want to consider clear procedures outlining the circumstances in which more stringent requirements regarding beneficial ownership are warranted.

Reliance on Representations of Customers Will Be Permitted, Absent the Institution’s Knowledge to the Contrary. Financial institutions may rely on the information supplied by a legal entity customer regarding the identity of its beneficial owners, provided that the institution has no knowledge of facts that would reasonably call into question the reliability of such information. In other words, an institution cannot turn a blind eye to apparent red flags that it discovers through its onboarding or monitoring processes. A corollary to this provision is that while institutions need to verify the identity of beneficial owners (i.e., the individual’s existence), they are not required by the rule to engage in analyses or research to determine whether an individual is, in fact, a beneficial owner. Although FinCEN has recognized that the burden to identify beneficial ownership will largely lie on the legal entity customer and not on the institution, over-reliance on a customer’s representations should be avoided. Institutions will want to consider implementing risk-based policies to assess the reliability of information provided by their legal entity customers.

Although the Final Rule Only Applies Prospectively, Institutions Should Consider Collecting Beneficial Ownership Information for Existing Accounts on a Risk-Basis. Financial institutions will not be categorically required to gather beneficial ownership information for accounts established before the Applicability Date. In other words, the rule will only apply to accounts opened on or after such date. However, FinCEN has stated that it expects financial institutions to obtain beneficial ownership information for pre-existing accounts, when in the course of their normal monitoring, institutions detect information relevant to assessing or reevaluating an account’s risk. Such information could include, for example, a significant and unexplained change in customer activity. Although FinCEN only expects monitoring-triggered updates of beneficial ownership information, institutions should consider taking advantage of CDD refreshers to collect or update, on a risk-basis, beneficial ownership information for both pre-existing and new accounts. The risk-mitigating benefits of adopting this practice would far outweigh the associated costs.

FinCEN’s ‘Fifth’ AML Pillar Codifies Existing Obligations. FinCEN’s new “fifth” pillar will require all covered financial institutions to (i) understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (ii) conduct ongoing monitoring to identify and report suspicious transactions and, on a risk-basis, maintain and update customer information. In the past, these two elements were implicitly required in connection with an institution’s suspicious activity reporting obligations. Institutions will want to consider updating their policies to reflect these requirements explicitly, if that is not yet the case, and ensuring that their existing processes are designed to satisfy these obligations.

US Authorities Likely Will Increase Their Focus on AML and Sanctions Enforcement. We anticipate that the new beneficial ownership requirements will raise U.S. regulators’ expectations with respect to how an institution leverages its CDD procedures to comply with applicable AML and sanctions laws and regulations. In its final rule, FinCEN underscored that beneficial ownership information should be treated like a customer identification program and accordingly used to ensure that covered financial institutions comply with other rules. For example, FinCEN pointed out that institutions should use beneficial ownership information to ensure compliance with sanctions administered by the Office of Foreign Assets Control (OFAC) and specifically referenced OFAC’s 50 percent rule. In addition, with respect to aggregation of transactions for currency transaction reporting purposes, FinCEN noted that beneficial ownership identification may provide institutions with information they did not previously have, in order to determine when transactions are “by or on behalf of” the same person. We, therefore, expect that this final rule and the increased focus on financial transparency in the United States and abroad will result in increased enforcement and will make mitigation arguments more difficult in the event of a violation.

Assessing Existing CDD Procedures and Overall AML/Sanctions Programs. Although compliance with the final rule will not be required for two years, we anticipate that examiners will increasingly focus on this issue in AML target examinations and, in particular, will seek to understand how a financial institution is preparing to comply with the rule.

As such, financial institutions will want to consider examining their current AML/sanctions programs and creating an action plan detailing how they will adapt various aspects of their programs to the new rule, including CDD policies and procedures, employee training, monitoring systems, suspicious activity reporting and other relevant processes. Institutions that already collect beneficial ownership information should consider reassessing their existing compliance frameworks.

Managing Differences Between US and EU CDD Requirements. Since 2005, the EU has required financial institutions and other covered entities to collect beneficial ownership information. The Fourth AML Directive, which was enacted last year and which member states have to comply with by June 2017, also will further tighten existing rules. In particular, member states will have to establish central registers of beneficial owners that will be accessible to financial institutions and other designated parties. Member states also will have the authority to set lower beneficial ownership thresholds than the currently mandated threshold of an interest exceeding 25 percent. The EU’s CDD requirements differ in certain respects from FinCEN’s final rule. The latter provides more specificity in its requirements, whereas the former is predominantly focused on a risk-based approach. For instance, although both use “ownership” and “control” thresholds to define beneficial owners, FinCEN’s rule requires that only one individual be identified under the “control” threshold while the fourth directive does not specify how many need to be identified. Presumably, multiple individuals may exercise control over a legal entity, which means that a financial institution in the EU may have to identify more than one individual under the “control” threshold in accordance with the institution’s assessment of risk. The fourth directive also does not specifically provide for reasonable reliance on representations made by customers regarding their beneficial owners. This could suggest that EU regulators may expect financial institutions to conduct appropriate risk-based due diligence to independently vet the reliability of the information provided by a customer. In sum, institutions with global compliance programs will want to manage the differences between U.S. and EU CDD requirements, especially if their approach is to implement the strictest requirements of the jurisdictions in which they operate.