On July 30, 2014, the Financial Crimes Enforcement Network (“FinCEN”) issued a proposed rule (see link at the end of the document) regarding customer due diligence (“CDD”) requirements for covered financial institutions (for this purpose, banks, securities firms including broker-dealers, mutual funds and futures commission merchants, as well as introducing brokers in commodities). As a result, prior to the effective date of the final rule, banks will need to review their BSA/AML policies and, if necessary, update related procedures to incorporate the expanded CDD requirements of the proposed rule. The proposed rule is consistent with federal banking regulators renewed emphasis on third party risk and the importance of effective due diligence procedures to assess risk.2
The proposed regulation would require financial institutions to maintain BSA/AML programs that have a CDD meeting the four “pillars” of the regulation. These are:
- identifying and verifying the identity of customers,
- identifying and verifying the identity of beneficial owners of legal entity customers,
- understanding the nature and purpose of customer relationships, and
- conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.
FinCEN took pains to point out that these pillars are really not new in that most financial institutions are already employing most, if not all, of such elements in their BSA/AML program. Nonetheless, the proposed rules do add a requirement to understand the nature and purpose of customer relationships, conduct ongoing due diligence and update information, and identify the “beneficial owner” of business clients. Each of these four pillars is worth discussing in more detail.
Although these elements are new to FinCEN regulations, FinCEN believes that such provisions are inherent in a customer risk assessment and consistent with core BSA requirements of federal bank regulators.
The genesis of the proposed rules relates to the publication in March 2010 by FinCEN and prudential regulators of “joint guidance on obtaining and retaining beneficial ownership information.” Then, in March 2012, FinCEN commenced its rulemaking process by issuing an advance notice of proposed rulemaking (“ANPRM”) that set forth the elements contained in the current proposed rulemaking in some form or fashion. The proposed regulation issued on July 30, 2014, was in response to comments and issues resulting from the ANPRM.
Beneficial Ownership. FinCEN is proposing a new requirement that financial institutions identify the natural persons or beneficial owners of legal entity customers, subject to certain exceptions. For these purposes, beneficial owners are identified by obtaining a certification form (attached to the proposed rules as Appendix A) directly from the individual opening the new account of the legal entity customer. The definition of beneficial owner for BSA/AML purposes is “the natural person(s) who ultimately owns or controls the customer and/or the person on whose behalf a transaction is being conducted. It also incorporates those persons who exercise ultimate effective control over a legal person or arrangement.” FinCEN’s goal with the definition is to capture both the concept of ownership and that of effective control.
FinCEN is not requiring that the financial institution verify that the natural people identified on the certification form are in fact the beneficial owners. FinCEN then goes on to say, however, that the standards in the proposed rules are minimum standards. Therefore, beneficial ownership should be verified consistent with the bank’s existing CIP practices. Under current rules, a financial institution must obtain beneficial ownership information if it offers foreign private banking accounts or correspondent accounts for foreign financial institutions.
The proposed regulations reflect a two-prong definition of beneficial owner. The prongs are:
- Ownership Prong: Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of the equity interests of a legal entity customer; and
- Control Prong: An individual with significant responsibility to control, manage or direct a legal entity customer, including (A) an executive officer or senior manager (e.g., a chief executive officer, chief financial officer, chief operating officer, managing member, a general partner, president, vice president, or treasurer); or (B) any other individual who regularly performs similar functions.3 Each prong is intended to be an independent test. Thus, a financial institution must identify each individual who owns 25% or more of the equity interests. Conversely, there may be no beneficial owners at the 25% or more level. Again, these are minimum requirements. FinCEN noted with approval that some financial institutions identified all 10% beneficial owners.
Regardless of whether or not there are any, the financial institution must identify one control person. In cases where an individual owns 25% or more of the legal entity, and also meets the definition for control, that same individual could be identified as a beneficial owner under both prongs. A financial institution is entitled to rely on customer representations to determine the party with effective control.
There is no obligation to assess whether one or more parties are acting in concert. Again, financial institutions can rely on representations on that issue as well.
A “legal entity” customer is generally any business enterprise with a few exceptions. These exemptions include any customers that are currently exempt from CIP, as well as parties whose beneficial ownership information is generally available to the public from other sources such as public companies registered with the SEC.4
FinCEN notes that exempting these entities from the beneficial ownership requirement does not necessarily imply that all of them present a low risk of money laundering or terrorist financing. FinCEN pointed out that charities may present a high risk of such illegal activity, but charities are exempt from the beneficial ownership test because as a tax-exempt organization, they do not have beneficial owners. FinCEN does point out that under a charity structure, board oversight is akin to ownership and management is akin to control. Similarly, trusts, other than business trusts, are not deemed to be legal entity customers. With regard to trusts, financial institutions should take a risk-based approach.
Existing guidance as to who is a “customer” would continue to apply to the question of whether an entity is a “legal entity customer.”
If the intermediary is a customer establishing subaccounts, then the intermediary itself and not its client may be the legal customer entity in certain cases. Of course, consistent with the general FinCEN theme, the financial institution still must take a risk-based approach to underlying clients of the intermediary. FinCEN is still considering how to treat pooled investment vehicles.
There is no obligation to update the beneficial owner information unless the legal entity customer opens a new account. Otherwise, risk-based factors to be considered in updating the beneficial owner could include the type of business engaged in by the legal entity customer, changes in business operations or management of which the financial institution becomes aware, indications of possible misuse of a shell company in the account history, or changes in address or signatories on the account. As some financial institutions currently update CIP information at periodic intervals based on risk or when updating other customer information as part of routine account maintenance, financial institutions may consider updating beneficial ownership information on a similar basis. Importantly, existing rules on reliance on third parties that maintain a BSA/AML program continue to apply.
Understanding the Nature and Purpose of Customer Relationships. The proposed rules would change the language regarding a financial institution’s understanding. Under the ANPRM, the financial institution had to “understand the nature and purpose of the account and expected activity associated with the account for purposes of assessing the risk and identifying and reporting suspicious activity.” In contrast, the proposed rules now provide that the financial institution must “understand the nature and purpose of customer relationships in order to develop a customer risk profile.”
Commenters questioned whether the volume and nature of information to be produced is really helpful. FinCEN stated that it is standard practice by financial institutions to obtain such information in order to assess the risks and to inform what is suspicious behavior. FinCEN noted that the proposed rule in this regard is intended to be consistent with existing rules and guidance. For example, existing rules require a financial institution to report on a transaction that has “no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage. In such context, FinCEN believes that it is well understood that “a bank should obtain information at account opening sufficient to develop an understanding of normal and expected activity for the customer’s occupation or business operations.” This quote is from the existing BSA/AML examination manual.
FinCEN notes, however, that in some circumstances, an understanding of the nature and purpose of a customer relationship can also be developed by inherent or self-evident information about the product or customer type or basic information about the customer. Such basic information that FinCEN notes could be telling include “annual income, net worth, domicile, or principal occupation or business.” For existing long-standing customers, the financial institution already may have a robust history of activity that could be highly relevant in understanding future expected activity or for purposes of detecting aberrations. Significantly, FinCEN states that this aspect of CDD applies to all accounts and not just to “customers” for CIP purposes. Thus, the exemptions referenced in the definition used for CIP would not apply.
Monitoring. FinCEN intends for the monitoring element to be consistent with current suspicious activity reporting and BSA/AML program requirements. FinCEN believes that conducting ongoing monitoring is implicit in the requirement to file SARs. The BSA/AML manual notes that the internal controls of a bank’s BSA/AML program should “provide sufficient controls and monitoring systems for timely detection and reporting of suspicious activity.”
There is no periodic requirement to update information. Instead, when a financial institution becomes aware of information relevant to assessing the risk posed by a customer, it is expected to update the customer’s relevant information accordingly. The BSA/AML Manual provides that “CDD processes should include periodic risk-based monitoring of the customer relationship to determine whether there are substantive changes to the original CDD information (e.g., change in employment or business operations).”
Record Retention. Under the proposed rule, financial institutions must maintain records for five years. Those records include all documents relied on for identification and verification of the beneficial owners, and any nondocumentary methods and results of measures undertaken for verification and the resolution of any substantive discrepancies discovered in verifying the identification information.
Effective Date. The proposed rules would become effective one year from the date that the final rules are issued. Because FinCEN believes much of what is in the proposed rules are existing practice, financial institutions should become very familiar with the proposed guidance. Not only is there a high likelihood that it will be issued in substantially the form promulgated, but it will no doubt inform examiners’ belief as to the application of the existing BSA/AML manual.
Proposed Rule: http://www.hunton.com/files/upload/FinCEN_Proposed_Rule.pdf