Introduction On May 11, 2016, the Financial Crimes Enforcement Network (FinCEN) published a final rule (the Final Rule) that formalizes new and existing customer due diligence (CDD) requirements for banks (including branches and agencies of foreign banks in the United States), broker-dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities (collectively, Covered Financial Institutions). By providing a clear CDD framework for Covered Financial Institutions, FinCEN intends to promote a more level playing field across and within financial sectors and minimize some of the disparities in CDD practices among financial institutions. The Final Rule describes four core elements of CDD that are required for the anti-money laundering (AML) programs of all Covered Financial Institutions:
1) identifying and verifying the identity of customers; 2) identifying and verifying the identity of beneficial owners of legal entity customers, subject to certain
exceptions; 3) understanding the nature and purpose of customer relationships to develop a customer risk profile;
and 4) ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and
updating customer information. The first element is already covered under existing customer identification program (CIP) rules, and the second element is a new requirement. According to FinCEN, the third and fourth elements are already implicit in the suspicious activity reporting requirements but have been explicitly added as the "fifth pillar" of an effective AML program. Covered Financial Institutions must comply with the Final Rule by May 11, 2018 (the Applicability Date).
FinCEN explains in the Final Rule that clarifying and strengthening the CDD regime serves various purposes, such as: assisting financial investigations by law enforcement; enhancing the ability to identify the assets and accounts of criminals; improving a financial institution's ability to assess and mitigate risk and comply with existing requirements; facilitating reporting and investigations in support of tax compliance, including compliance with the Foreign Account Tax Compliance Act (FATCA); and promoting consistency in CDD expectations across and within financial sectors. Additionally, the Final Rule is one component of the U.S. Treasury Department's broader three-part strategy to enhance financial transparency of legal entities. Other components of this strategy include (1) collection of beneficial ownership information on U.S. legal entities at the time of the entity's formation and (2) facilitating global implementation of international standards regarding CDD and beneficial ownership of legal entities.
The Final Rule follows a March 2012 Advanced Notice of Proposed Rulemaking (ANPRM) and an August 2014 Notice of Proposed Rulemaking (NPRM), both of which elicited numerous comments. After publication of the ANPRM, FinCEN received 90 comments and held five public hearings around the country. The feedback and discussions were critical to the development of the NPRM. The four core CDD elements from the ANPRM remained the same, however FinCEN took a different approach to some of the core elements, especially with respect to clarifying the beneficial ownership test. FinCEN received 141 comments on the NPRM, some of which have been incorporated into the Final Rule. Key changes to the NPRM that appear in the Final Rule include:
extending the implementation period from one year to two years from the date on which the Final Rule is issued;
permitting financial institutions to obtain beneficial ownership information by means other than the standard certification form;
revising the definition of "legal entity customer" and expanding the list of entities that are excluded from the definition of legal entity customer; and
modifying the standard certification form to include, among other things, titles of the individual submitting the certification and the beneficial owner with significant managerial responsibility, the address of the legal entity customer and clarification of address requirements.
The Final Rule also reflects FinCEN's consultation with various Federal functional regulators and the Department of Justice. FinCEN notes that nothing in the Final Rule is intended to lower, reduce or limit the due diligence expectations of the Federal functional regulators or in any way limit their existing regulatory discretion, which may undercut FinCEN's stated goal of consistency on this issue. The Final Rule is intended to be consistent with, and not to supersede, any regulations, guidance or authority of any Federal functional regulator or self-regulatory organization relating to customer identification, including verification of the identities of legal entity customers.
Due to the potentially significant effect on the economy, FinCEN conducted outreach to various financial institutions on the anticipated costs of implementing the proposed CDD requirements. From these discussions, the Treasury Department prepared a preliminary Regulatory Impact Assessment (RIA) on the costs and benefits
of the proposed rule and made this assessment available for comment in December 2015.1 A summary of the comments and the final RIA are included in the preamble to the Final Rule.
Beneficial Owner Requirements for Legal Entity Customers
Starting on the Applicability Date, Covered Financial Institutions must implement written procedures that are reasonably designed to identify and verify the identities of beneficial owners of legal entity customers at the time a new account is opened, subject to certain exceptions.
Covered Financial Institution
Covered Financial Institutions include financial institutions that are subject to a CIP requirement, such as banks, U.S. branches and agencies of foreign banks, federally insured credit unions, saving associations, Edge Act corporations, brokers or dealers in securities, futures commission merchants and introducing brokers in commodities. Some financial institutions such as money services businesses are not yet covered, but FinCEN has indicated that it may extend the CDD requirements to other types of financial institutions in the future.
The Final Rule's definition of "beneficial owner" consists of two prongs:
1) Under the ownership prong, a beneficial owner is each individual (if any) who, directly or indirectly, owns 25 percent or more of the equity interests of a legal entity customer.2 This prong would require identification of no more than four individuals and, if no individual meets the 25 percent threshold, no individuals would need to be identified.3
2) Under the control prong, a beneficial owner is a single individual with significant responsibility to control, manage or direct a legal entity customer, including (i) an executive officer or senior manager (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President or Treasurer) or (ii) any other individual who regularly performs similar functions.
In some cases, the same individual may satisfy both the ownership prong and the control prong. Alternatively, a Covered Financial Institution may voluntarily choose to identify additional individuals or use a lower threshold than 25 percent if it deems appropriate on the basis of risk.
There may be instances where 25 percent or more of the equity interests of a legal entity customer are not ultimately owned by any individual, but are owned by an entity excluded from the definition of legal entity customer (an "excluded legal entity" as defined below). Covered Financial Institutions are not required to identify an individual under the ownership prong in such cases. On the other hand, if 25 percent or more of the customer's equity interests are owned by a trust (other than a statutory trust), the trustee should be treated as the beneficial owner under the ownership prong.
Legal Entity Customer
The Final Rule defines "legal entity customer" as a corporation, limited liability company or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account. Such definition includes limited partnerships and business trusts that are created by a filing with a state office. Legal entity customers do not include sole proprietorships, unincorporated associations, trusts (other than statutory trusts that are created through a state filing)4 or natural persons opening accounts on their own behalf.
Exclusions. The Final Rule provides a specific list of entities that are excluded from the definition of "legal entity customer" (each, an Excluded Legal Entity) since beneficial ownership information for these entities is generally available from other credible sources:
a financial institution regulated by a Federal functional regulator or a bank regulated by a State bank regulator;
a department or agency of the United States, of any State, or of any political subdivision of any State;
any entity established under the laws of the United States, of any State, or of any political subdivision of any State, or under an interstate compact between two or more States, that exercises governmental authority on behalf of the United States or any such State or political subdivision;
any entity (other than a bank) whose common stock or analogous equity interests are listed on the New York, American5 or NASDAQ stock exchange (each, a Listed Entity);
any entity organized under the laws of the United States or of any State and at least 51 percent of whose common stock or analogous equity interest is owned by a Listed Entity;
an issuer of a class of securities registered under section 12 of the Securities Exchange Act of 1934 or that is required to file reports under section 15(d) of that Act;
an investment company, as defined in section 3 of the Investment Company Act of 1940, that is registered with the Securities and Exchange Commission (SEC) under that Act;
an investment adviser, as defined in section 202(a)(11) of the Investment Advisers Act of 1940, that is registered with the SEC under that Act;
an exchange or clearing agency, as defined in section 3 of the Securities Exchange Act of 1934, that is registered under section 6 or 17A of that Act;
any other entity registered with the SEC under the Securities Exchange Act of 1934;
4 According to FinCEN, a trust is a contractual arrangement between the person who provides the funds or other assets and specifies the terms (i.e., the grantor or settlor) and the person with control over the assets (i.e., the trustee), for the benefit of those named in the trust deed (i.e., the beneficiaries). FinCEN notes that identifying a "beneficial owner" from among these parties based on the definition would not be possible. However, this does not supersede existing obligations regarding trusts generally. Under CIP rules, while financial institutions are not required to look through a trust to its beneficiaries, they may need to take additional steps to verify the identity of the customer, such as obtaining information about persons with control over the account. Financial institutions generally identify and verify the identity of trustees because they will necessarily be signatories on trust accounts. In certain circumstances involving revocable trusts, a bank may need to gather information about the settlor, grantor, trustee or other persons with the authority to direct the trustee or that have control over the account. 5 Currently named the NYSE MKT.
a registered entity, commodity pool operator, commodity trading advisor, retail foreign exchange dealer, swap dealer or major swap participant, each as defined in section 1a of the Commodity Exchange Act, that is registered with the Commodity Futures Trading Commission;
a public accounting firm registered under section 102 of the Sarbanes-Oxley Act;
a bank holding company, as defined in section 2 of the Bank Holding Company Act of 1956 (12 U.S.C. 1841) or savings and loan holding company, as defined in section 10(n) of the Home Owners' Loan Act (12 U.S.C. 1467a(n));
a pooled investment vehicle that is operated or advised by a financial institution that is an Excluded Legal Entity;
an insurance company that is regulated by a State;
a financial market utility designated by the Financial Stability Oversight Council under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010;
a foreign financial institution established in a jurisdiction where the regulator of such institution maintains beneficial ownership information regarding such institution;
a non-U.S. governmental department, agency or political subdivision that engages only in governmental rather than commercial activities; and
any legal entity only to the extent that it opens a private banking account subject to 31 C.F.R 1010.620.
Control-Prong Only. The following legal entity customers are only subject to the control prong of the beneficial ownership requirement, either because ownership interests tend to fluctuate or because they do not exist:
a pooled investment vehicle that is operated or advised by a financial institution that is not an Excluded Legal Entity (such as non-U.S. managed mutual funds, hedge funds and private equity funds); and
any legal entity that is established as a nonprofit corporation or similar entity (including a charitable, nonprofit, not-for-profit, nonstock, public benefit or similar corporation) and has filed its organizational documents with the appropriate State authority as necessary.
Intermediated Account Relationships. To the extent that existing CIP guidance provides that a Covered Financial Institution can treat an intermediary (and not the intermediary's customers) as its customer, the Covered Financial Institution should treat the intermediary as its legal entity customer for purposes of the Final Rule. For example, banks generally may treat deposit brokers as their customers in a brokered deposit relationship, rather than each individual investor with a subaccount in a brokered deposit.
The beneficial ownership requirements apply to new accounts. A "new account" means each account (as defined in the CIP rules) opened at a Covered Financial Institution by a legal entity customer on or after the Applicability Date. Covered Financial Institutions are not expected to apply the requirements retroactively to customers with existing accounts on that date. However, unlike the CIP rules which exempt existing customers that open new accounts, the beneficial ownership rules apply to existing customers that open a new account on or after the Applicability Date. Moreover, as noted below, if a Covered Financial Institution learns as a result of normal
monitoring activities that the beneficial ownership of an existing legal entity customer may have changed, the institution is required to take steps to identify the beneficial owner at that time.
Exempt Accounts. An account that is opened for a legal entity customer for the following activities is exempt from the beneficial ownership requirements since it presents a low risk of money laundering:
1. at the point-of-sale to provide credit products, including commercial private label credit cards, solely for the purchase of retail goods and/or services at the associated retailers, up to a limit of US$50,000;6
2. to finance the purchase of postage and for which payments are remitted directly by the financial institution to the provider of the postage products;
3. to finance insurance premiums and for which payments are remitted directly by the financial institution to the insurance provider or broker; or
4. to finance the purchase or leasing of equipment and for which payments are remitted directly by the financial institution to the vendor or lessor of this equipment.
Limitations on Exemptions. Exemptions 2, 3 and 4 above do not apply to transaction accounts through which a legal entity customer can make payments to, or receive payments from, third parties. If there is the possibility of a cash refund on the account activity under Exemptions 2, 3, and 4, then beneficial ownership of the legal entity customer must be identified and verified by the financial institution, either at the time of initial remittance or at the time such refund occurs.
Identification and Verification Requirements
A Covered Financial Institution's procedures should enable it to:
Identify the beneficial owners of each legal entity customer (unless the entity is excluded or account is exempted) at the time a new account is opened, by either (1) obtaining a certification in the form provided in Appendix A of the Final Rule (the "Certification") from the individual opening the account on behalf of the legal entity or (2) obtaining from the individual the information required on the Certification by another means, provided that the individual certifies that, to the best of his or her knowledge, the information is accurate. These records may be retained electronically and incorporated into existing databases as part of the overall management of customer files, subject to the recordkeeping obligations noted below.
Verify the identity of such beneficial owners according to existing risk-based CIP rules and procedures for individuals within a reasonable time after the account is opened. In the case of documentary verification, the financial institution may rely on photocopies or other reproductions of identity documents. However, Covered Financial Institutions should conduct their own risk-based analyses of the types of photocopies or reproductions they will accept so that such reliance is reasonable.7
6 The reference to accounts being opened at the point of sale is not essential to the logic of the exemption, but it may create compliance questions for private label card issuers. 7 For example, a financial institution could decide that it will not accept reproductions below a certain optical resolution or reproductions transmitted via facsimile, or that it will only accept digital reproductions transmitted in certain file formats.
Covered Financial Institutions may rely on the beneficial ownership information supplied by their customers without independently verifying that the information is accurate, provided that the financial institution has no knowledge of facts that would reasonably call into question the reliability of such information.
Use of Beneficial Ownership Information
Beneficial ownership information should be used in a similar manner as information that is collected through CIP, including for compliance with Office of Foreign Assets Control (OFAC) regulations and currency transaction reporting (CTR) aggregation requirements. For example, Covered Financial Institutions should use beneficial ownership information to ensure they do not establish accounts or engage in prohibited transactions involving persons appearing on the Specially Designated Nationals and Blocked Persons List (SDNs) or any entity that is 50 percent or more owned, in the aggregate, by one or more SDNs. Covered Financial Institutions may also need to aggregate multiple currency transactions for CTR reporting where legal entity customers under common ownership are not being operated independently from each other or their primary owner (for example, where such entities share common employees and are frequently used to pay each other's expenses or the personal expenses of their primary owner). Covered Financial Institutions should also develop risk-based procedures to determine whether or when additional screening of beneficial owner names for negative media would be appropriate.
Covered Financial Institutions must maintain records of all beneficial ownership information obtained for legal entity customers, including: (1) any identifying information and the Certification, if obtained; and (2) a description of any document relied on for identity verification (noting the type, identification number, place of issuance and, if any, date of issuance and expiration), a description of any non-documentary methods and the results of such measures, and the resolution of any substantive discrepancies. Identification records must be retained for five years after the date the account is closed, and verification records must be retained for five years after the record is made.
Reliance on Another Financial Institution
Covered Financial Institutions may rely on another financial institution, including an affiliate, to perform the beneficial ownership requirements with respect to any legal entity customer that has opened an account or established a relationship with the other financial institution. Such reliance is permitted under the same conditions set forth in applicable CIP rules: (1) it must be reasonable under the circumstances; (2) the other financial institution must be subject to a rule implementing the AML program requirement and be regulated by a Federal functional regulator; and (3) the other financial institution must enter into a contract requiring it to certify annually to the Covered Financial Institution that it has implemented its AML program and will perform the specified beneficial ownership requirements.
Amendments to AML Program Requirements: The "Five Pillars"
The Final Rule revises FinCEN's existing AML program requirements for Covered Financial Institutions8 by expressly incorporating the traditional four pillars: (1) the establishment of internal policies, procedures and
8 The AML program requirements are found in 31 C.F.R. 1020.210 (banks), 31 C.F.R. 1023.210 (broker-dealers), 31 C.F.R. 1024.210 (mutual funds) and 31 C.F.R. 1026.210 (futures commission merchants and introducing brokers in commodities).
controls reasonably designed to achieve compliance with the Bank Secrecy Act and its implementing regulations; (2) the designation of a compliance officer responsible for monitoring day-to-day compliance with the program; (3) independent testing of compliance; and (4) training for appropriate personnel.
In addition, the Final Rule includes a fifth pillar to explicitly cover the third and fourth elements of CDD. Specifically, the fifth pillar requires appropriate risk-based procedures for conducting ongoing CDD, including but not limited to:
understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile (the third element of CDD); and
conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including beneficial owner information of legal entity customers) (the fourth element of CDD).
FinCEN views the fifth pillar as a codification of preexisting CDD expectations that should already be incorporated in a Covered Financial Institution's controls.
Understanding the Nature and Purpose of Customer Relationships
The third element of CDD requires Covered Financial Institutions to understand the nature and purpose of customer relationships in order to develop a customer risk profile.
FinCEN takes the position that, in order for Covered Financial Institutions to comply with existing requirements to identify and report suspicious activity, they must understand the nature and purpose of the customer relationship, including the types of transactions in which the customer would normally be expected to engage. In some circumstances, a Covered Financial Institution may understand the nature and purpose of a customer relationship based on information such as the type of customer, the type of account, the service or product used, or other basic information such as the customer's annual income, net worth, domicile, principal occupation or business, and history of activity. A "customer risk profile" is the information gathered about a customer to develop the baseline against which customer activity is assessed for suspicious transaction reporting. The customer risk profile may, but is not required to, include a system of risk ratings or categories of customers.
Covered Financial Institutions may integrate the customer risk profile into their transaction monitoring systems or use such information to determine whether a particular flagged transaction is suspicious. FinCEN understands that many institutions use the information to investigate suspicious activity triggered by transaction monitoring (i.e., after and not necessarily concurrent with transaction monitoring).
The fourth element of CDD requires Covered Financial Institutions to conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. As with the third element, FinCEN believes that current industry practice to comply with existing expectations for suspicious activity reporting should already satisfy this requirement. Covered Financial Institutions are expected to have sufficient controls and monitoring systems to detect and report suspicious activity.
The obligation to update customer information (including beneficial ownership information) is generally triggered only when, during the course of its normal monitoring, a Covered Financial Institution becomes aware
of information relevant to assessing or reevaluating the risk posed by the customer. Such information could include, for example, a significant and unexplained change in customer activity or possible change in the customer's beneficial ownership. The Final Rule makes clear that the updating requirement is event-driven; Covered Financial Institutions are not expected to update customer information on an ongoing or regular basis. The updating of customer information applies to both customers with new accounts and customers with existing accounts on the Applicability Date.
The long-awaited Final Rule may still present some operational challenges to implementation, as well as heightening the expectations of regulators with respect to CDD practices within institutions. Financial institutions that are covered by the Final Rule should review their existing AML and CDD policies, procedures and systems to identify any gaps and determine what modifications and enhancements will be necessary to comply with the Final Rule.