On May 11, 2016, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a final rule under the Bank Secrecy Act that enhances customer due diligence (CDD) requirements for “covered financial institutions,” including mutual funds, banks, broker-dealers, introducing brokers in commodities and futures commission merchants. The final rule includes a new requirement for covered financial institutions to identify and verify the identity of beneficial owners of legal entity customers, subject to certain exclusions and exemptions, as well as a requirement to adopt risk-based supervisory procedures for anti-money laundering (AML) programs. The final rule follows the issuance by FinCEN of an Advance Notice of Proposed Rulemaking in March 2012 and a Notice of Proposed Rulemaking (NPRM) in August 2014. The effective date of the final rule is July 11, 2016 and the compliance date is May 11, 2018 (the Compliance Date).
In the preamble to the final rule, FinCEN identifies four key elements of CDD as constituting the “minimum standard of CDD,” which FinCEN believes is fundamental to an effective AML program: (1) identifying and verifying the identity of customers; (2) identifying and verifying the identity of beneficial owners of legal entity customers (i.e., the natural persons who own or control legal entities); (3) understanding the nature and purpose of customer relationships to develop a customer risk profile; and (4) conducting ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information. Under FinCEN’s existing rules, the first element of CDD is already satisfied by the existing customer identification program (CIP) requirements of financial institutions,2 and the third and fourth elements are described by FinCEN as “already implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements.” However, the AML program requirements for covered financial institutions are being amended by the final rule in order to include the third and fourth elements as explicit requirements. Notably, the second element—beneficial ownership information for legal entity customers—is a new requirement.
The New Requirement to Identify Beneficial Owners of Legal Entity Customers
FinCEN will require, subject to certain exemptions and exclusions, covered financial institutions to establish and maintain written procedures that are reasonably designed to identify and verify the identity of the beneficial owners of any legal entity customers and to include such procedures in their AML compliance programs.
Legal Entity Customer
“Legal entity customer” generally means a “corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account.” The final rule provides a specific list of several entities that are excluded from the definition of “legal entity customer” since beneficial ownership information for these entities is generally accessible from other sources. Thus, the definition of “legal entity customer” excludes, among others: a financial institution regulated by a federal functional regulator or a bank regulated by a state bank regulator; entities whose common stock or equity interests are listed on a stock exchange; certain issuers of securities registered with the SEC under the Securities Exchange Act of 1934 (the Exchange Act); exchanges, clearing agencies or any other entity registered with the SEC under the Exchange Act; CFTC-registered entities; public accounting firms registered under the Sarbanes-Oxley Act; insurance companies regulated by a state; investment companies registered under the Investment Company Act of 1940 (the 1940 Act); investment advisers registered under the Investment Advisers Act of 1940; and certain pooled investment vehicles. Covered financial institutions do not need to collect beneficial owner information for the excluded entities.
A “beneficial owner” is defined to include:
- each individual, if any, who directly or indirectly, through any contract, arrangement, understanding, relationship, or other means, owns 25% or more of the equity interests of a legal entity customer (the ownership prong); and
- any individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer, senior manager, or any other individual who performs similar functions (the control prong).
The preamble to the final rule states that the number of beneficial owners identified for each legal entity customer will vary due to the ownership prong—there could be as few as zero (i.e., if no individual meets the 25% threshold) and as many as four individuals who satisfy this prong. However, all legal entities would be required to identify at least one beneficial owner under the control prong.3 In cases in which an individual owns 25% or more of a legal entity and also meets the definition for control, that same individual could be identified as a beneficial owner under both prongs. Alternatively, a covered financial institution may voluntarily choose to identify additional individuals or use a lower threshold than 25% if it deems appropriate on the basis of risk.
Identification and Verification of Beneficial Owners
A covered financial institution must identify the beneficial owner(s) of each legal entity customer at the time a new account (i.e., each account opened at a financial institution by a legal entity customer on or after the Compliance Date) is opened (unless the customer is otherwise excluded or the account is exempted). Covered financial institutions may comply either by obtaining the required information on a standard certification form4 or by any other method that complies with the substantive requirements of the obligation. The final rule requires that covered financial institutions verify the identity of each beneficial owner by using risk-based procedures “to the extent reasonable and practicable.” At a minimum, these verification procedures must contain the elements required under the existing CIP. Therefore, the procedures for beneficial owners will be similar to those for individual customers under a CIP, except that for beneficial owners, financial institutions are entitled to rely on customer representations regarding the individual or individuals with ownership and/or control; provided that the financial institution has “no knowledge of facts that would reasonably call into question the reliability of the information.” Consequently, financial institutions, in general, do not need to verify whether individuals identified on certification forms (or by another method) as beneficial owners in fact hold the requisite ownership interest or exert significant control over the entity.
FinCEN permits covered financial institutions to rely on another financial institution’s (including an affiliate’s) performance of the beneficial owner identification and verification process so long as, among other things, the other financial institution enters into a contract requiring it to certify annually to the covered financial institution that it has implemented its AML program, and that it will perform (or its agent will perform) the specified requirements of the covered financial institution’s procedures to comply with the beneficial owner identification and verification requirements. In addition, covered financial institutions will be required to maintain records of the beneficial ownership information obtained, but may also assign this duty to another financial institution (including affiliates) under the same conditions as those set forth in the CIP rules.
Intermediated Account Relationships
In the 2014 NPRM, FinCEN proposed that if an intermediary is the legal entity customer and a covered financial institution has no CIP obligation with respect to the intermediary’s underlying clients pursuant to existing guidance, the covered financial institution should treat the intermediary, and not the intermediary’s underlying clients, as its legal entity customer. In the preamble to the final rule, FinCEN confirms that the foregoing principle will apply: “ To the extent that existing guidance provides that, for purposes of the CIP rules, a financial institution shall treat an intermediary (and not the intermediary’s customers) as its customer, the financial institution should treat the intermediary as its customer for purposes of this final rule.” Under existing guidance,5 if a broker-dealer or other financial institution purchases mutual fund shares on behalf of its customers by opening an account for the intermediary through the Fund/SERV system, the customers of the intermediary are not treated as customers of the mutual fund. Under the mutual fund CIP rule, a “customer” of a mutual fund includes a “person that opens a new account” and the intermediary is deemed to be such person.
Use of Beneficial Ownership Information
Beneficial ownership information should be used in a similar manner as information that is collected through CIP, including for compliance with Office of Foreign Assets Control regulations.
Risk-Based Procedures for Ongoing Due Diligence
As noted above, in addition to the requirement to identify and verify the beneficial owner(s) of certain legal entities that open new accounts, the final rule formalizes the requirement that covered financial institutions incorporate “appropriate risk-based procedures for conducting ongoing customer due diligence” in their AML compliance programs. Specifically, these procedures must include, but are not limited to:
- understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
- conducting ongoing monitoring to identify and report suspicious transactions, and to maintain and update customer information (which includes information regarding the beneficial owners of legal entity customers).
FinCEN explained that the “customer risk profile refers to the information gathered about a customer at account opening used to develop a baseline against which customer activity is assessed for suspicious activity reporting” and may include “self-evident information” such as the type of customer or type of account, service or product. As to the requirement to update customer information, the preamble to the final rule indicates this is not intended to impose a categorical requirement to update customer information on a continuous or ongoing basis. Rather, this requirement is “event-driven” and triggered by information that arises in the normal course of monitoring.
AML Program Requirements for Mutual Funds
In the preamble to the final rule, FinCEN acknowledges that a relatively small proportion of a mutual fund’s underlying customers purchase their shares directly from the fund and instead, “the great majority of mutual fund investors purchase shares through an intermediary, such as a securities broker-dealer, and therefore the mutual fund has no direct relationship with them.” FinCEN further notes that of all the legal entity customers of a mutual fund, “a significant number are typically financial intermediaries (e.g., securities broker-dealers), most of which are regulated” and “any legal entities that are direct customers of a fund, and not any type of intermediary, would comprise a relatively small portion of its direct customers.” Nonetheless, both intermediary and non-intermediary customers are subject to a mutual fund’s AML program, which requires the application of risk-based due diligence. In this regard, FinCEN expects that non-intermediary legal entity customers of mutual funds would be subject to a different risk assessment than intermediary customers for due diligence purposes.
Notably, FinCEN states that the incorporation of explicit risk-based supervisory procedures for mutual funds’ AML programs “serves only to articulate current practice consistent with existing regulatory and supervisory expectations.” For instance, understanding the nature and purpose of customer relationships “encapsulates practices already generally undertaken by mutual funds to know and understand their customers.” FinCEN notes that many mutual funds use customer information during the course of an investigation into suspicious activity triggered by transaction monitoring and, in this connection, FinCEN “would not generally expect such firms to change their practices in order to comply with [the formalized requirement for ongoing monitoring].” As to customer risk profiles, FinCEN states that “we expect mutual funds to utilize the customer risk profile as necessary or appropriate during the course of complying with their [suspicious activity reporting] requirements—as we understand is consistent with the general current practice—in order to determine whether a particular transaction is suspicious.”
The Federal Register publication of the preamble and the final rule is available at: https://www.fincen.gov/ redirect.html?url=https://www.gpo.gov/fdsys/pkg/FR-2016-05-11/pdf/2016-10567.pdf.