Mere weeks before the mandatory compliance deadline of May 11, 2018, FinCEN answered 37 of the most frequently asked questions by covered financial institutions regarding the implementation of its Customer Due Diligence (“CDD”) Rule, available here. The wide range of questions asked in the guidance demonstrates that covered financial institutions of all types continue to face numerous practical concerns in implementing compliant due diligence procedures. This Article analyzes the ten most important concepts to take away from FinCEN’s guidance and identifies outstanding considerations for covered financial institutions in implementing compliant processes.
Background on the CDD Rule
The ultimate goal of the CDD Rule is for covered financial institutions[i] to know the natural person beneficial owners[ii] of their legal entity customers.[iii] FinCEN believes institutions that better understand the nature and purpose of their customer relationships can develop more accurate expectations regarding the account’s baseline activity, more systemically report suspicious activity, and better combat money laundering.
To accomplish this goal, the Rule formalizes many existing CDD procedures and establishes a fifth “pillar” of compliant anti-money laundering (“AML”) programs: the identification and verification of the beneficial ownership of legal entity customers. After the compliance date of the Rule, covered financial institutions will be required to collect and verify beneficial ownership identification information for all legal entity customers for all new accounts using methods similar to existing customer identification procedures (“CIP”).
Covered financial institutions and other entities in affected industries have expressed numerous concerns about the anticipated burden of compliance and questionable effectiveness of the Rule since FinCEN first introduced the Rule six years ago, and FinCEN has continuously tweaked the Rule’s requirements and implementation in response to these considerations. In an attempt to resolve concerns still outstanding after the Rule’s promulgation as a Final Rule in 2016, FinCEN issued two sets of Frequently Asked Questions (and answers) on July 19, 2016 and April 3, 2018.
The “top ten” takeaways from this guidance are set forth below.
1. Institutions should consider whether a stricter beneficial ownership threshold than 25 percent is necessary or appropriate.
Under the ownership prong, institutions must obtain and verify the identity of all beneficial owners with at least 25 percent equity ownership in their legal entity customers. The 25 percent threshold under the ownership prong is a baseline benchmark, and institutions may establish a lower percentage threshold based on their own assessment of risk in appropriate circumstances. Institutions have no obligation to name the beneficial owner with the largest equity stake if none of the owners meet the threshold, although they may institute such a policy if they deem appropriate. Additionally, institutions must identify one person who maintains operational control of the legal entity under the control prong, although institutions may implement a policy of identifying more than one individual.
Prior to instituting a stricter threshold under either the ownership or control prongs, an institution should analyze whether simply identifying additional owners appropriately mitigates the specific risk posed by the customer—and whether the significantly increased burden in verifying additional identities is the most appropriate safeguard for that institution. Simply establishing a lower ownership threshold may not be sufficient or even appropriate to minimize the specific risk under the circumstances, and FinCEN will not allow a stricter threshold to substitute for appropriate CDD procedures.
2. Reliance on a customer’s representations is generally permissible.
Under the Rule, institutions must look through all layers of corporate ownership structures to identify the natural person(s) with beneficial ownership of the legal entity customer. In an effort to balance the goals of the Rule with the difficulty involved in investigating ownership of legal entities with complex structures, FinCEN stated that institutions may reasonably rely on the customer’s representative’s representations regarding the customer’s beneficial ownership structure, provided that the institution has no knowledge of facts that would “reasonably call into question the reliability of the information.” Similarly, absent grounds warranting an independent investigation, an institution is not required to verify the accuracy of a representation that the customer is excluded from the definition of “legal entity customer” or other representations regarding ownership structure or status. Nor must institutions investigate whether the legal entity was structured to avoid triggering the identification threshold under the ownership prong absent circumstances warranting it.
3. The methods of identifying the owner may differ from existing CIP.
Institutions must verify the beneficial owners according to risk-based procedures that contain the same elements required to be obtained and verified for individual customers under CIP requirements: name, date of birth, address, and identifying number. However, the procedures that the institution employs to obtain these elements need not be identical for legal entity customers as individual customers, and the CDD Rule allows the use of different methods and verification documents than CIP. Institutions should account for differences between existing CIP procedures, new CDD procedures, and federal and state law regarding the collection of and reliance upon particular documents.
Notably, an institution may rely on information provided by the customer’s representative regardless of whether the representative is a beneficial owner, provided that the institution does not know of facts that would reasonably call into question the reliability of such information. The representative may provide a valid identity document or satisfy non-documentary means of identification on behalf of the beneficial owner.
4. FinCEN’s form is not a safe harbor.
The use of the Certification Form promulgated by FinCEN, available here, is permissive, and institutions may use their own forms or other means of compliance rather than the form. FinCEN refused to designate the use of its Certification Form as a safe harbor establishing compliance with the Rule.
5. Existing customers and accounts are grandfathered in until a triggering event happens or a new account is opened.
Institutions are not required to retroactively identify or verify the beneficial ownership information of accounts opened prior to May 11, 2018. However, if an institution learns of information relevant to the assessment of the customer’s risk profile, the institution must obtain or update the customer’s beneficial ownership information.
Products in existence prior to May 11, 2018 that are renewed by the customer after that date are considered new accounts subject to the requirements of the Rule. In the case of loan renewals and certificate of deposit rollovers, which have low risks of money laundering, the customer need only certify that the beneficial ownership information is up-to-date and accurate or agree to notify the institution of any changes in beneficial ownership information, unless the institution knows of information that would reasonably call the reliability of the information into question.
If an existing legal entity customer whose beneficial ownership information has previously been provided and verified opens a new account, the institution may rely upon previously-provided identity information if the customer’s representative certifies or confirms that the information is up-to-date and accurate at the time the new account is opened and the institution does not know of facts that would reasonably call the reliability of the information into question. The institution must obtain and retain this certification or confirmation for each new account.
Absent specific risk-based concerns or a triggering event, institutions are not obligated to update beneficial ownership information as a matter of course during regular or periodic CDD monitoring.
6. Institutions must implement appropriate procedures regarding updates to non-structural ownership information.
If a customer’s beneficial ownership information changes only in part, the institution must only update the information that has changed, unless the institution determines that the customer’s ownership may have changed. FinCEN uses the example of a change of address for an already-verified beneficial owner, advising that it “would likely not be required” that the institution require a full re-certification that all identity information remains accurate and up-to-date, and it “may be reasonable” for the institution to merely verbally confirm the accuracy of the address change.
FinCEN’s guidance on this issue, however, still leaves some uncertainty. A simple change of address, without more, should never affect the customer’s ownership structure. However, because FinCEN declined to definitively state that a full re-certification is not required for a simple change of address, a more conservative procedure would be to require a full re-certification of all identity information whenever a customer provides updated beneficial ownership information that in any way affects the ownership of the customer.
7. Institutions must pay attention to their record retention policies.
Identification information must be retained for a period of five years after the closure of the legal entity’s account, and identity verification records must be retained for five years after the record is made. Institutions must also retain a description of each document relied on for verification, any non-documentary methods and results of measures undertaken for verification, and the resolution of any substantive discrepancies discovered in identifying and verifying the identification information for five years.
If the identity of an existing client opening a new account is verified by relying on pre-existing identification information, the institution must retain the underlying information, as well as the confirmation that the information is accurate, until five years after the closure of the new account.
In such cases, FinCEN allows the records for the new account to merely cross-reference the relevant identification records without repeating the verification information. If institutions choose to cross-reference rather than duplicate the information, they must retain the underlying identification records for five years after the closure of all accounts cross-referencing those records. Institutions should weigh the burden of maintaining duplicate identification information per account against the risk of failing to ensure that the necessary underlying information has been retained.
8. Certain types of legal entities are not subject to the ownership prong.
The Rule expressly provides that pooled investment vehicles whose operators or advisers are excluded from the definition of legal entity customers are not subject to the ownership prong. Recognizing the impracticality of monitoring the fluctuating ownership percentages of pooled investment vehicles generally, FinCEN stated that institutions also need not collect or verify the beneficial ownership information under the ownership prong for pooled investment vehicles whose operators or advisers are not excluded from the definition of legal entity customers. However, the control prong still applies to all pooled investment vehicles.
Also, if a trust qualifies as a beneficial owner of a legal entity under the ownership prong, the trustee should be listed as the beneficial owner even if the trustee is also a legal entity. The institution should collect identification information on the trustee as part of its CIP. If a trust has multiple co-trustees, the institution must collect and verify the identity of at least one co-trustee who owns 25 percent or more of the equity interests of the legal entity customer. The institution must also identify and verify a natural person as the beneficial owner of the customer under the control prong.
Entities without equity ownership, such as non-profit entities, non-stock corporations, NGOs, charities, and religious organizations, are excluded from the ownership prong. However, these entities are still subject to the control prong.
9. Institutions with foreign customers are not required to learn foreign law.
The Rule excludes from the definition of “legal entity customer” all foreign financial institutions whose regulator collects and maintains beneficial ownership information about that institution. However, institutions need not research foreign transparency laws or practices. Institutions may instead rely on representations by the customer that they are subject to foreign transparency laws, provided that it has no knowledge of facts that would reasonably call into question the reliability of such representations. Institutions that maintain correspondent accounts for foreign financial institutions should follow existing procedures required by 31 C.F.R. 1010.610.
10. Currency Transaction Reporting practices will generally remain the same.
Institutions are not required to aggregate multiple currency transactions made by separate legal entity customers merely because they share a common beneficial owner. Unless there is an affirmative reason to believe that the legal entities are not operating independently, institutions may presume their independence.
At this time, covered financial institutions should be well on their way to implementing CDD procedures compliant with the Rule. FinCEN’s guidance reflects the practical difficulties of developing front-line procedures that effectively comply with the Rule. Covered financial institutions would be well-served to consider how FinCEN’s answers to these frequently asked questions affect their procedures in the weeks prior to the effective date of the Rule.