The Financial Crimes Enforcement Network (FinCEN) published long-awaited additional Frequently Asked Questions on April 3, 2018 (the “Guidance”) relating to its Customer Due Diligence (CDD) Rule, which FinCEN promulgated pursuant to the Bank Secrecy Act (the “CDD Rule”). This comes at a time when most covered institutions are in the final stages of implementing plans to comply with the CDD Rule by its May 11, 2018 compliance applicability date. FinCEN previously published technical amendments to the Rule on September 29, 2017 and an initial set of FAQs on July 19, 2016. While such Guidance does not have the weight of authority of statute or regulation, it has traditionally helped to form the basis for examination and enforcement expectations. Here we will focus on themes in the new Guidance relating to application of the rule to existing customers.
As a reminder, the CDD Rule was originally published on May 11, 2016 after years of public hearings and comment periods. The rule sets forth CDD as a “fifth pillar” of a BSA/AML compliance program in addition to those established by the Bank Secrecy Act itself: a system of internal controls, the appointment of a responsible officer, training, and independent testing. CDD entails upfront due diligence and ongoing monitoring, and this rule establishes the collection of Beneficial Ownership information as a required element of CDD for legal entity customers. In releasing the CDD Rule, FinCEN emphasized that CDD is not technically a new requirement but has always been an expected part of a BSA/AML program that results in effective suspicious activity monitoring and risk mitigation.
FinCEN’s rule requires that covered financial institutions collect a Beneficial Ownership certification form (or its equivalent) from each legal entity customer that opens a new account on or after May 11, 2018, and that institutions verify the identity of such persons using procedures akin to CIP procedures for individual customers. The general rule (see FAQ #13 of the Guidance) is that institutions do not have to collect or update Beneficial Ownership information on customers with accounts opened prior to May 11, 2018, and that the institution should instead focus on the occurrence of “trigger events” relevant to assessing or reassessing the risk posed by the customer, including the need to obtain or update Beneficial Ownership information.
One of the more helpful aspects of the Guidance in this regard relates to renewable loans and CDs. Covered institutions had expressed, and FinCEN evidently appreciated, concerns that the rule as written would lead to an unfortunate result for such products. This is because the opening of a new account is a core “trigger event” requiring the collection of Beneficial Ownership information, and renewing loans and CDs meet the rule’s definition of a “new account.” The implication is that loans and CDs renewed on the same terms to the same customers would require a brand new certification process and information collection effort. This would pose not only an operational burden but also potentially a bad customer experience, one seemingly not outweighed by risk mitigation and/or law enforcement benefits. FAQ #12 in the Guidance provides:
Are financial institutions required to have their legal entity customers certify the beneficial owners for existing customers during the course of a financial product renewal (e.g., a loan renewal or certificate of deposit)?
Yes. Consistent with the definition of “account” in the CIP rules and subsequent each time a loan is renewed or a certificate of deposit is rolled over, the bank establishes another formal banking relationship and a new account is established . . . At the time of each subsequent renewal, to the extent that the legal entity customer and the financial service or product (e.g., loan or CD) remains the same, the customer certifies or confirms that the beneficial ownership information previously obtained is accurate and up-to-date, and the institution has no knowledge of facts that would reasonably call into question the reliability of the information, the financial institution would not be required to collect the beneficial ownership information again. In the case of a loan renewal or CD rollover, because we understand that these products are not generally treated as new accounts by the industry and the risk of money laundering is very low, if at the time the customer certifies its beneficial ownership information, it also agrees to notify the financial institution of any change in such information, such agreement can be considered the certification or confirmation from the customer and should be documented and maintained as such, so long as the loan or CD is outstanding. (Footnotes and certain excerpts were omitted here.)
On the one hand, this FAQ reiterates that a loan renewal or CD rollover is a “new account” and Beneficial Ownership certification trigger event, but on the other hand FinCEN’s guidance validates a sensible approach that institutions were hoping to take in such circumstances—namely, that the customer’s confirmation will suffice in such a case. Since the alternative described here requires that the customer “certifies or confirms” the previously provided information, it appears that FinCEN would accept a simple statement from a representative of the customer. Ideally this would be obtained from the person that provided the information at the original account opening and certified to its accuracy then. Unfortunately this particular FAQ does not specify that this type of confirmation can be provided either verbally or in writing, but it does provide that a customer’s upfront consent (presumably as part of loan agreement and CD account opening disclosures) may constitute certification or confirmation from the customer, assuming the other conditions of this alternative are met. This is a great result and could seemingly be accomplished through simple additions to an institution’s account opening materials—e.g., “Customer agrees to notify Bank in the event of any changes in the Beneficial Ownership information it has provided as part of this application.” Of course, it would be critical in such a case that the institution be vigilant for reasons to question the reliability of any previously collected information (along with other trigger events), and this option would not be available in cases where the loan or CD is renewed on any other terms except those on which it was originally established. Presumably interest rate changes on an auto-renewing CD would not be considered new terms, consistent with change-in-terms notice requirements under Regulation DD.
FAQs #7, 9, and 10 of the Guidance describe similar circumstances relating to existing accountholders (e.g., additional accounts opened by existing customers, and legal entity customers for which beneficial owners already have separate individual accounts at the institution) where an institution might leverage existing information, provided a type of confirmation is obtained that such information remains accurate. In contrast to the loan or CD renewal FAQ #12, each of these FAQs specifically indicates that this confirmation can be provided verbally or in writing. It is not clear whether this omission in FAQ #12 was intentional or not—the implication may be that FinCEN expects that most institutions will take advantage of the renewal provisions using supplemental written disclosures as described above.
FAQ #11 of the Guidance helpfully adds that accounts or subaccounts established by an institution (e.g., for recordkeeping or other operational purposes) solely to accommodate the business of an existing legal entity customer, and on its behalf, will not be considered new accounts for purposes of the CDD Rule.
This “existing customer” guidance provides further opportunities to minimize the compliance burden associated with this rule without introducing risk to the covered institution. A caveat is that in each of these cases, recordkeeping impacts should be considered to ensure that the institution satisfies the rule’s record retention requirements for each associated account (including any verbal confirmations that might be relied upon).
A related impact of this rule is that institutions may be charged with knowledge requiring them to aggregate cash transactions of beneficial owners for Currency Transaction Report (CTR) filing purposes. Consistent with prior FinCEN guidance, FAQ #32 of the Guidance states that institutions are nonetheless permitted to presume that different businesses sharing a common owner are operating independently from each other and from the common owner, except where contrary knowledge requires aggregation—for example, where the businesses are staffed by the same employees and at the same location.