The idea that a “fifth pillar” of Anti-Money Laundering (“AML”) compliance – customer due diligence requiring U.S. banks, broker-dealers, mutual funds, commodity futures merchants, and introducing brokers (“covered financial institutions”) to identify and verify beneficial owners – would, at some point, augment the long-standing four-pillared foundation of AML compliance has been in the air for a number of years. Covered financial institutions have been aware of its imminence since March 2012 when the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued the Advanced Notice of Proposed Rulemaking concerning customer due diligence.

After four years addressing the myriad legal and operational challenges of such a proposal, FinCEN issued the final rule on May 5, 2016. The timing is likely no accident: the federal government acted urgently to adopt the proposed customer due diligence rules in response to the leak of the so-called “Panama Papers,” which aroused a good deal of public uproar over the purported use of offshore shell companies to hide personal financial information for illegal purposes.

The final rule imposes two requirements on covered financial institutions: (1) to identify beneficial owners of legal entities for which a covered financial institution provides an account (“legal entity customers”), and (2) to add risk-based customer due diligence procedures to the existing “four pillars” of AML program requirements.

The first part of the final rule is designed to address a long-standing problem for AML compliance personnel – beneficial ownership validation. The ability of those who control and profit from the accounts of legal entity customers to hide their identities is the soft underbelly of AML because it deprives financial institutions of information critical for effective basic customer due diligence; this is a major gap through which money launderers, tax evaders, drug traffickers, and terrorists can, and as the Panama Papers show often do, slip. This high-risk information gap was pointed out as early as 2001 by the Basel Committee on Banking Supervision in Switzerland which warned that financial institutions “need to be vigilant in preventing corporate business entities from being used by natural persons as a method of operating anonymous accounts.”

FinCEN’s final rule requires, with some exclusions, covered financial institutions to collect and verify the identities of those who own 25% or more of legal entity customers as well as those who “control” the entity. Connected to this requirement is the mandate that covered financial institutions establish and maintain written procedures that are reasonably calculated to identify and verify beneficial owners of a legal entity customer.

The final rule also amends the long-standing “four pillars” of the Bank Secrecy Act and the foundation to all compliant AML programs: written policies and procedures, a designated AML compliance officer, independent testing of the AML program, and suitable employee training. The “fifth pillar” of compliance requires covered financial institutions to establish and maintain risk-based customer due diligence procedures. In short, this provision requires the institution to (1) understand the nature and purpose of customer relationships in order to develop a customer risk profile, and (2) conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. According to FinCEN, the customer risk profile consists of information collected at account-opening to create a baseline against which activity is assessed for suspicious activity reporting.

Without question, FinCEN’s final rule will pose challenges to covered financial institutions. For instance, the standard by which such a financial institution may rely on the beneficial ownership information provided by the customer is not entirely clear. Moreover, while the 25% threshold for beneficial owner verification is required, FinCEN advises that “covered financial institutions may establish a lower percentage threshold for beneficial ownership . . . based on their own assessment of risk in appropriate circumstances.” The fact is that any regulatory threshold sends a signal to those with criminal intent: stay under 25% and you can evade detection. The sophistication of those who seek to use the financial system for illegal ends should not be underestimated. As Global Witness, a London-based organization that exposes international corruption, has demonstrated in numerous reports, corruption, money laundering, tax evasion, and terrorist financing thrive on institutions that don’t ask too many questions.

All covered institutions must comply with the final rule by May 11, 2018.