The Financial Crimes Enforcement Network (FinCEN) on May 11 released its long-awaited Final Rule (CDD Rule) that will require certain financial institutions to "look through" the nominal account holder to identify the account's beneficial owners who own or control (directly or indirectly) certain legal entity customers. The rule also establishes a "fifth pillar" in FinCEN's AML Program requirement that mandates that certain institutions implement risk-based procedures for conducting customer due diligence.
The CDD Rule is a key part of the Administration's array of announced steps to combat money laundering, terrorist financing, and tax evasion on the heels of the "Panama Papers." The CDD Rule complements these efforts, including the Administration's call for Congress to adopt legislation that would require the collection of beneficial ownership information at the time legal entities are formed in the United States.1
The CDD Rule also addresses a weakness in the US antimoney laundering (AML) regime identified by the Financial Action Task Force's (FATF)2 "mutual evaluation" of the United States in 2006. FATF's evaluation deemed the US framework only "partially compliant" with CDD standards and sharply criticized the United States for lacking a beneficial ownership regime. FATF began onsite visits as part of another Mutual Evaluation of the United States in January 2016, and a new report is expected by the end of this year. Observers query whether the CDD Rule and the Administration's other responses to the Panama Papers will affect the FATF evaluation outcome.
In addition to its beneficial ownership requirement, the CDD Rule includes CDD standards for covered financial institutions subject to AML Program requirements. This so-called "fifth pillar," which FinCEN asserts merely formalizes existing practice, will require covered financial institutions to establish riskbased procedures to understand the "nature and purpose of the customer relationship," and to conduct ongoing monitoring to identify and report suspicious transactions, and update customer information. The CDD Rule applies only to "covered financial institutions:" banks, broker-dealers, mutual funds, futures commission merchants, and commodities introducing brokers, which are already subject to Customer Identification Program (CIP) requirements. FinCEN emphasizes that the CDD Rule's provisions are a "floor, not a ceiling," suggesting that it may be appropriate for covered financial institutions to do more than the minimum in the CDD Rule in circumstances of heightened risk..
The CDD Rule is the culmination of a rulemaking and guidance process on beneficial ownership dating back to March 2010, when FinCEN and other agencies jointly released guidance "to clarify and consolidate existing regulatory expectations" regarding beneficial ownership.3 FinCEN followed the interagency guidance with an Advance Notice of Proposed Rulemaking in 2012, several roundtable discussions with the private sector, and the Proposed Rule in July 2014.
Covered financial institutions must comply with the requirements by May 11, 2018.
In the CDD Rule, FinCEN said there are four key elements of CDD and that they should be explicit in the AML Program requirements for covered financial institutions:
- Identifying and verifying identity of customer;
- Identifying and verifying identity of beneficial owners of legal entity customers;
- Understanding the nature and purpose of customer relationships; and
- Conducting ongoing monitoring for suspicious activity reporting and customer information updates.
The first element is covered by the existing CIP requirements, and the second element regarding beneficial ownership is added by the CDD Rule. The CDD Rule also amends the AML Program requirement for covered financial institutions to formalize the third and fourth elements.
As in the Proposed Rule, the beneficial ownership requirement has both an ownership prong and a control prong. Under the ownership prong, a beneficial owner is generally any natural person (up to four) who owns 25 percent or more of a legal entity customer. Under the control prong, a beneficial owner is a single individual with significant responsibility for the legal entity customer.
As explained in detail below, FinCEN retained or expanded several limitations to the beneficial ownership and "fifth pillar" AML Program requirements after considering public comment on the Proposed Rule: 4
- Covered financial institutions can generally rely on the legal entity customer to identify which individuals are the beneficial owners.
- In a change from the Proposed Rule, covered financial institutions will not be required to use the standard Certification Form (included as Appendix A to the CDD Rule), but can instead obtain the required information from the individual opening the account on behalf of the legal entity customer, provided the individual certifies to the accuracy of the information provided.
- Covered financial institutions will not be required to identify an intermediary's underlying clients (e.g., investors in an omnibus account), unless those underlying clients are already considered "customers" for CIP purposes.
- Covered financial institutions will, under certain conditions, be able to rely on the CDD of other financial institutions, consistent with the approach in the existing CIP reliance structure.
- FinCEN emphasized that its new "fifth pillar" AML Program requirement does not require a continuous or periodic refresh of customer information. Rather, an institution must update customer information, including beneficial ownership, if in the course of its normal monitoring, it detects information relevant to assessing or reevaluating customer risk.
- FinCEN extended the implementation period from one year in the Proposed Rule to two years in the CDD Rule. The CDD Rule's Applicability Date is now May 11, 2018.
Under the CDD Rule, covered financial institutions must establish and maintain written procedures reasonably designed to identify and verify the identities of beneficial owners for new accounts opened by legal entity customers, unless an exemption applies.
Definition of Covered Financial Institution
As noted above, "covered financial institutions" include banks (including US branches of foreign banks), broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities. The CDD Rule, however, suggests that FinCEN may seek to expand CDD requirements to additional financial institutions in the future, citing the benefits of a "more consistent, reliable, and effective" AML regulatory structure.
Definition of Beneficial Owners
A "beneficial owner" is an individual who satisfies the requirements of either the ownership prong or the control prong of the CDD Rule. FinCEN emphasized that the legal entity customer is generally responsible for determining and identifying the beneficial owners, not the covered financial institution. Thus covered financial institutions are not expected to investigate a legal entity's management or ownership structure or to identify or verify ownership interests and control responsibilities.
Under the ownership prong, a covered financial institution must identify each individual who owns 25 percent or more of the equity interests in the legal entity customer.5 If the beneficial owner under the ownership prong is an entity excluded from the definition of a legal entity customer, no beneficial owner need be identified with respect to that excluded entity. Information for beneficial owners should be obtained even if their ownership interest is indirect--i.e., held through multiple levels of legal entities. If no individual owns 25 percent or more of the equity interests, the covered financial institution would identify a beneficial owner under the control prong only.
Under the control prong, a covered financial institution must identify a single individual with significant responsibility to control, manage, or direct the legal entity customer. A legal entity customer must always designate an individual under the control prong, but it can use an individual already designated under the ownership prong. FinCEN said that the control prong is designed to ensure the financial institution has a record of at least one natural person associated with the legal entity customer.
Certain legal entity customers are subject only to the control prong of the beneficial ownership requirement: (i) non-excluded pooled investment vehicles (e.g., hedge funds not advised by a financial institution excluded from the "legal entity customer" definition) and (ii) domestic nonprofit organizations. In public comments on the Proposed Rule, securities industry6 and banking sector7 participants urged FinCEN to apply only the control prong to pooled investment vehicles because the ownership of such vehicles is constantly changing. FinCEN had proposed excluding domestic charities from the definition of legal entity customer, but made them subject to the control prong after commenters expressed concerns that it would be difficult to verify a customer's eligibility for this exclusion.
Accounts Subject to the Beneficial Ownership Requirement
The beneficial ownership requirement applies to "accounts" opened at a covered financial institution by a legal entity customer. In response to public comment, FinCEN adopted the definition of "account" from the CIP rules.8
The requirement applies only to "accounts" opened after the CDD Rule becomes applicable, including additional accounts opened by an existing customer after the Applicability Date: May 11, 2018. For preexisting accounts, however, covered financial institutions will have to obtain beneficial ownership information when they learn in the course of their normal monitoring that the beneficial owner of a legal entity customer may have changed (please see below for further discussion on this topic).
Definition of Legal Entity Customer and the Exclusions
Covered financial institutions must identify beneficial owners of their "legal entity customers." This term includes corporations, limited liability companies, and partnerships or other similar domestic or foreign business entities, but it does not include non-statutory trusts. The CDD Rule includes several exclusions, generally on the basis that the excluded entities already are required to submit beneficial ownership information to a government entity. Many exclusions, such as the exclusion for bank holding companies, were added in response to public comments. Key exclusions include:
- Domestic banks in the United States (including domestic offices of foreign banks);
- Entities listed on the New York, American, or NASDAQ stock exchanges;
- Majority-owned subsidiaries of such listed entities;
- Security issuers registered under Section 12 of the Securities Exchange Act of 1934;
- Investment companies;
- SEC- and CFTC- registered entities;
- Bank holding companies;
- Pooled investment vehicles operated by an entity that is not a legal entity customer;
- State-regulated insurance companies;
- Designated financial market utilities;
- Foreign financial institutions whose regulator maintains beneficial ownership information;
- Foreign government entities that do not engage in commercial activities; and
- Legal entities only to the extent that they open a private bank account.
Identifying and Verifying Beneficial Owners
Covered financial institutions must identify and verify beneficial owners. Identification must occur at the time the new account is opened, and may be accomplished by having the customer fill out a standard Certification Form (Appendix A), or by obtaining the same information required by the Certification Form by some other means.9 In either case, the individual opening the account on behalf of the legal entity customer must certify that the information provided on the form is true and accurate to the best of his or her knowledge.
The CDD Rule does not require covered financial institutions to verify the status of a beneficial owner, i.e., that the individual does in fact own 25 percent or more of the legal entity opening an account. Rather, covered financial institutions are only obligated to verify that the person identified as a beneficial owner is in fact that person. Covered financial institutions may rely on the beneficial ownership information provided by their customers,10 but must verify the identity of the beneficial owners.
Beneficial ownership verification procedures must be risk-based and must, at a minimum, contain the elements required for verifying the identification of customers pursuant to CIP, except that documentary verification may be made through photocopies, rather than original documents. Verification must be completed within a reasonable time after the account is opened. Generally, records must include, at a minimum, all identifying information about the customer that was obtained, a description of any document that was relied on, and a description of the verification procedures. Records must be retained for five years.
Financial institutions may legally rely on other financial institutions to fulfill beneficial ownership obligations under the same three conditions that apply to CIP reliance.11 FinCEN expects covered financial institutions to use collected beneficial ownership information to comply with sanctions requirements, other AML filing requirements, and tax reporting, investigations, and compliance. Additionally, as in CIP, beneficial ownership identification procedures must address situations in which the financial institution cannot form a reasonable belief that it knows the true identity of the beneficial owner of a legal entity customer after following the required procedures.
Intermediated Account Relationships
The CDD Rule maintains the Proposed Rule's approach to intermediated accounts. If an intermediary is the customer and the financial institution has no CIP obligation with respect to the intermediary's underlying clients pursuant to existing guidance, the financial institution should treat the intermediary, and not the intermediary's underlying clients, as its legal entity customer. For example, broker-dealers engaging in transactions through omnibus accounts should treat the intermediary as a customer if:
- The omnibus account was established to execute transactions for settlement at another institution or the intermediary provides limited customer information to the broker-dealer;
- The limited information provided is used primarily for record-keeping purposes or to establish subaccounts that hold positions for limited durations;
- All transactions in the omnibus account are initiated by the intermediary; and
- The beneficial owner has no direct control over the omnibus account.
This approach maintains existing regulatory guidance related to CIP and intermediated relationships.12
Amendments to the AML Program Rule: The "Fifth Pillar"
The other part of the CDD Rule amends the AML Program Rule for covered financial institutions to encompass the third and fourth elements of a CDD program, which are understanding the nature and purpose of customer relationships, and conducting ongoing monitoring to identify and report suspicious transactions and to update customer information. Notably, these elements of the CDD Rule apply to all customers of covered financial institutions, including those customers that are exempted from the beneficial ownership requirement.
Understanding the Nature and Purpose of Customer Relationships
The CDD Rule should be understood in conjunction with financial institutions' obligation to file suspicious activity reports (SARs). FinCEN's view is that a strong CDD program facilitates an institution's ability to detect and report transactions that appear suspicious in light of the institution's knowledge of a particular customer or class of customers. A covered financial institution must file a SAR when, among other things, the institution "knows, suspects, or has reason to suspect" that a transaction has "no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage."13 In both the Proposed Rule and the CDD Rule, FinCEN has stated that this requirement necessarily demands an understanding of the "nature and purpose of the customer relationship."
Conducting Ongoing Monitoring
The Proposed Rule would have required institutions to "conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious activity." A few commenters said that this articulation appeared to establish a new requirement to monitor, maintain, and update customer information on a continuous basis. In the preamble to the CDD Rule, FinCEN explained that the requirement should not be construed that way. The CDD Rule states that ongoing monitoring is conducted to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. This formulation is intended to capture FinCEN's expectation that financial institutions should conduct a "monitoring-triggered" update of customer information when they detect, during the course of their normal monitoring, information relevant to assessing or reevaluating the risk of a customer relationship.
Updates to Existing CDD Programs: Many covered financial institutions already collect some beneficial ownership information and have updated their AML policies and procedures in anticipation of the CDD Rule. However, all covered financial institutions should revisit their policies, procedures and training materials to ensure their current practices meet the requirements of the CDD Rule. While FinCEN asserts that the "fifth pillar" provisions are not new requirements, covered financial institutions may find that their procedures do not actually incorporate these expectations.
CDD Expectations for Non-Covered Financial Institutions: Non-covered financial institutions with SAR responsibilities may want to consider establishing some form of risk-based, customer due diligence processes. FinCEN and other federal functional regulators have emphasized that customer due diligence is a key input in SAR monitoring and analysis. And FinCEN's stated position that the "fifth pillar" merely formalizes existing expectations suggests that these expectations may be broadly applicable across FinCEN-regulated entities, and not just applicable to covered financial institutions.
Trigger-Based Updates: Also, while FinCEN expects financial institutions to conduct a "monitoringtriggered" update of customer information, it did not specify which triggers should be used. For example, FinCEN or prudential regulators may expect triggers to capture a change in ownership of a legal entity customer. Covered financial institutions may find themselves subject to criticism for a "silo effect" if salient information for purposes of ongoing monitoring is not effectively communicated from all relevant aspects of the firm to the AML compliance function. (This has been a frequent regulatory criticism with respect to institutions' SAR programs.)
Financial Intermediaries: SAR monitoring should not necessarily stop at the level of the legal entity customer, notwithstanding the fact that the CDD Rule states the intermediary may be treated as the legal entity customer under certain circumstances. In fact, failure to monitor or report underlying customer activity in intermediated accounts can attract regulatory scrutiny and lead to enforcement actions.14
Leveraging CDD for Other Compliance Efforts: One of the stated benefits of the CDD Rule is that it may serve to enhance financial institutions' compliance efforts in the areas of OFAC sanctions, currency transaction reporting requirements, tax and others. Covered financial institutions should assess the information flow among their new or updated CDD controls and the groups responsible for these other compliance requirements.
Potential Rulemakings by Functional Regulators: Each of the functional regulators implicated in this rulemaking (e.g., the Federal Reserve, FDIC, FINRA, NFA, and OCC) have issued their own AML Program Rules. It is unclear whether these regulators will update their existing rules to reflect the "fifth pillar," which currently appears in FinCEN's AML Program Rules for each type of covered financial institution.