On May 11, 2018, after a two-year implementation period, federally regulated banks, federally insured credit unions, mutual funds, and brokers or dealers in securities, among others, became subject to customer due diligence rules (the "CDD Rule") issued by the Financial Crimes Enforcement Network ("FinCEN") on May 6, 2016. The CDD Rule amended Bank Secrecy Act ("BSA") regulations to clarify and strengthen customer due diligence requirements for institutions covered by the rule, and perhaps most notably included a new beneficial ownership requirement. The CDD Rule itself marked the culmination of a multi-year process that included a 2012 advance notice of proposed rulemaking, a 2014 notice of proposed rulemaking, extensive outreach to impacted industries and regulatory agencies, and public hearings. Throughout the implementation period, institutions covered by the CDD Rule have been keenly attuned not only to signals as to how FinCEN would interpret the ambiguous or unclear rule provisions, but also to how the federal banking agencies, which examine institutions for compliance with the BSA, will assess compliance with the CDD Rule.
On May 11, 2018, simultaneous with the expiration of the implementation period, the Federal Financial Institutions Examination Council (the "FFIEC") issued much-anticipated guidance explaining how the federal banking agencies intend to examine for compliance with the CDD Rule, including the rule's beneficial ownership requirement (the "FFIEC Guidance"). The FFIEC Guidance amends the "Customer Due Diligence -- Overview and Examination Procedures" section of the FFIEC's existing Bank Secrecy Act/Anti-Money Laundering Examination Manual (the "BSA Exam Manual") and adds to the BSA Exam Manual a new overview and new examination procedures specific to the CDD Rule's beneficial ownership requirements.
The FFIEC Guidance is notable for how closely it hews to the CDD Rule and FinCEN's "FAQs" addressing questions that have arisen with respect to the CDD Rule, incorporating the rule's exclusions, exemptions, and limitations. Perhaps most significant is the FFIEC Guidance's treatment of the 25 percent beneficial ownership threshold established by the CDD Rule, which has been the source of significant industry concern and commentary. In the preamble to the CDD Rule, FinCEN stated:
[T]he 25 percent threshold is the baseline regulatory benchmark, but [ ] covered financial institutions may establish a lower percentage threshold for beneficial ownership (i.e., one that regards owners of less than 25 percent of equity interests as beneficial owners) based on their own assessment of risk in appropriate circumstances. As a general matter, FinCEN does not expect covered financial institutions' compliance with this regulatory requirement to be assessed against a lower threshold.
Subsequently, it was publicly reported that the 25 percent beneficial ownership threshold may be viewed only as a starting point by the federal banking agencies, and that these agencies intend to enforce lower thresholds when customers present higher risks. The seeming contradiction between the CDD Rule's 25 percent threshold and the possible enforcement of lower thresholds generated confusion and requests for clarification from industry members.
The FFIEC Guidance provides an important degree of clarity, stating:
[T]he collection of customer information regarding beneficial ownership is governed by the requirements specified in the beneficial ownership rule. The beneficial ownership rule requires the bank to collect beneficial ownership information at the 25 percent threshold regardless of the customer's risk profile. ... Other than the required beneficial ownership information, the level and type of customer information should be commensurate with the customer's risk profile, therefore the bank should obtain more customer information for those customers that have a higher customer risk profile and may find that less information for customers with a lower customer risk profile is sufficient.
Accordingly, once the 25 percent threshold has been satisfied, the degree to which an institution will be expected to collect any other customer information--not just beneficial ownership information--is dictated by the institution's assessment of its customer's risk. Importantly, this signals that the federal banking agencies, consistent with FinCEN's recent FAQs, are of the view that means of risk mitigation other than simply collecting beneficial ownership information at a lower threshold may be acceptable.
Also significant is the FFIEC Guidance's direction to examiners that an institution's decision as to any given customer's risk--and hence the need to collect any other customer information--should not be second-guessed by examiners absent deficiencies in the institution's CDD program or malfeasance of some sort. Specifically, the FFIEC Guidance states:
Examiners should primarily focus on whether the bank has effective processes to develop customer risk profiles as part of the overall CDD program. Examiners may review individual customer risk decisions as a means to test the effectiveness of the process and CDD program. In those instances where the bank has an established and effective customer risk decision-making process, and has followed existing policies, procedures, and processes, the bank should not be criticized for individual customer risk decisions unless it impacts the effectiveness of the overall CDD program, or is accompanied by evidence of bad faith or other aggravating factors.
Beyond its treatment of beneficial ownership, the FFIEC Guidance is notable for:
- Imposing no new requirements related to the monitoring of customer relationships. According to the FFIEC Guidance, the requirement for ongoing monitoring of the customer relationship reflects existing practices, is risk-based and event driven, and occurs as a result of normal monitoring. Indeed, "[t]he monitoring element does not impose a categorical requirement that the bank must update customer information on a continuous or periodic basis." Rather, an institution's procedures "should establish criteria for when and by whom customer relationships will be reviewed." An institution "may establish policies, procedures, and processes for determining whether and when, on the basis of risk, periodic reviews to update customer information should be conducted to ensure that customer information is current and accurate" (emphasis added).
- Highlighting the relevance of customer information collected under the CDD rule to other regulatory requirements, including requirements related to suspicious activity reporting, private banking accounts, and sanctions programs. According to the FFIEC Guidance, institutions should define in their policies, procedures and processes how customer information will be used to meet other regulatory requirements.
- Stating that "[i]nformation provided by higher risk profile customers and their transactions should be reviewed more closely at account opening and more frequently throughout the term of their relationship with the bank." No detail is provided as to what is entailed.
The FFIEC Guidance should, to a certain extent, allay industry concerns that, in examining institutions for compliance with the CDD Rule, examiners will expect institutions to collect beneficial ownership information at thresholds lower than the 25 percent threshold established by the rule; it should also provide institutions with some assurance that, absent CDD program weaknesses or malfeasance, their decisions as to any given customer's risk rating (and, hence, the need, if any, to collect additional customer information) will not be second-guessed by examiners. However, only time will tell the extent to which the FFIEC Guidance in these respects will be viewed by examiners as a mandate or merely advisory in nature.