On May 11, 2016, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of Treasury, published its final rule addressing Customer Due Diligence Requirements for Financial Institutions (CDD Rule). Among other requirements, the CDD Rule will require banks, brokers or dealers in securities, mutual funds, and futures commission merchants and introducing brokers in commodities to collect information on the beneficial owners or “real persons” behind a legal entity when it opens a new account. The CDD Rule becomes effective on July 11, 2016, although compliance will be required by May 11, 2018.

Originally initiated in 2012, the long-anticipated CDD Rule was fast-tracked this year and finalized on May 6, 2016, just 33 days after the release of the “Panama Papers” created shock waves around the globe by revealing a secret world of shell companies used by wealthy individuals allegedly to hide assets. This is a major step in a new age of transparency to prevent tax evasion, confront terrorist financing and weapons proliferation, enforce sanctions, address corruption, and pursue drug traffickers and organized crime. This alert explains the context of the CDD Rule, its specifics, and the risks it exposes across all industries—and not just for financial institutions.

The CDD Rule and Its Effect on Requirements Under the Bank Secrecy Act

The Bank Secrecy Act, 31 U.S.C. § 5311, et seq. (BSA), was established in 1970 and is one of the most important tools in the fight against money laundering. FinCEN imposes anti-money laundering (AML) regulatory requirements on financial institutions pursuant to the BSA.

Unless exempted, financial institutions have been required to have AML programs that include, at a minimum, (i) the development of internal policies, procedures, and controls; (ii) the designation of a compliance officer; (iii) an ongoing employee training program; and (iv) an independent audit function to test programs. The requirements for AML programs include due diligence procedures, commonly referred to as “Know Your Customer” (KYC) policies, which generally include a Customer Identification Program (CIP), customer due diligence and ongoing monitoring.

The CDD Rule adds a new requirement that financial institutions identify and verify the beneficial owners or “natural persons” behind legal entity customers or “shell companies” and other corporate forms, including partnerships and limited liability companies. It also adds a fifth requirement to existing AML obligations: financial institutions must implement customer risk profiles and conduct ongoing monitoring for suspicious activity and, on a risk-basis, maintain and update customer information.

New Customer Due Diligence Requirements

In the wake of the “Panama Papers,” and in light of recent scrutiny on the use of shell companies to purchase real estate, promulgation of the CDD Rule was expedited and the rule announced on May 6, 2016 as part of a series of transparency initiatives.

Who is subject to the CDD Rule?

As of now, the CDD Rule applies to “covered financial institutions,” referring to banks; brokers or dealers in securities; mutual funds; and futures commission merchants and introducing brokers in commodities.

What does the CDD Rule Require?

The CDD Rule will focus on beneficial ownership of legal entities. It will: (A) require covered financial institutions to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of legal entity customers; and (B) make explicit that AML programs require customer risk assessment and certain ongoing monitoring and, where appropriate, updates to beneficial ownership information.

Moreover, four core elements will now comprise the minimum standard of CDD. These elements are: (i) customer identification and verification; (ii) beneficial ownership identification and verification; (iii) an understanding of the nature and purpose of customer relationships to develop a customer risk profile; and (iv) ongoing monitoring and reporting of suspicious transactions and, on a risk-basis, maintain and update customer information.1

Who is a “Beneficial Owner”?

Under the final CDD Rule, the definition of “beneficial owner” has two prongs:

  • An ownership prong, requiring identification of each individual who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of the legal entity; and
  • A control prong, requiring the identification of an individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer, senior manager (e.g., a C-level or senior officer, managing member, general partner or treasurer) or any other individual who regularly performs similar functions. 

Both prongs are required, which can include the identity of up to four individuals under the ownership prong and at least one individual under the control prong. Where a trust owns 25 percent or more of the equity interests of a legal entity customer, the beneficial owner shall mean the trustee.

How Do Financial Institutions Identify and Verify Beneficial Ownership?

To identify the beneficial owner(s), a covered financial institution must require certification of beneficial ownership from an individual who opens an account on behalf of a legal entity. The financial institution can obtain the required information either on a FinCEN certification form (Appendix A of the CDD Rule), or by alternate means, provided the individual certifies to the best of his/her knowledge that the information is accurate. Moreover, the financial institution can rely on the beneficial ownership information supplied by the customer, provided that it has no knowledge of facts that would reasonably call into question the reliability of the information. Verification procedures must contain the same elements as those for individual customers under a financial institution’s CIP program, except that, for beneficial owners, the institutions may rely on copies of identity documents.

FinCEN offered two important clarifications. First, covered financial institutions do not need to go back and seek certifications from customers for existing accounts—this requirement applies to new accounts. Second, however, covered financial institutions must seek re-certification of beneficial owner information for each new account opened by the same legal entity customer.

What Risk Assessment, Monitoring, Updating and Reporting Is Required?

The CDD Rule amends the AML program requirements for each covered financial institution to explicitly include risk-based procedures for conducting ongoing due diligence and to understand the nature and purpose of customer relationships in order to develop customer risk profiles. The customer risk profile refers to the information gathered about a particular customer at account opening and is used to develop a baseline against which customer activity is monitored and assessed for suspicious activity reporting. This can, but need not, include a system of risk ratings.

When a financial institution detects information (including a change in beneficial ownership information) during the course of normal monitoring that is relevant to the customer’s risk, it must update the customer information, including beneficial ownership information. There is no set requirement for periodically updating beneficial ownership information, however.

Beneficial ownership information and monitoring based on customer risk profile can lead to Suspicious Activity Reports (SARs) and provide information for currency transaction reporting (CTRs). This information is also used for sanctions rules and screening to comply with Office of Foreign Assets Control (OFAC) regulations. Finally, beneficial ownership identification procedures must address situations in which the financial institution cannot form a reasonable belief that it knows the true identity of the beneficial owner of a legal entity customer, even after following the required procedures.

Are there Exemptions?

The CDD Rule provides for several exemptions. For example, certain nonprofit entities do not require ownership certification since these entities may not have ownership interests, but certification is still required for the control prong.

When does the CDD Rule Go into Effect?

Compliance is not mandatory until May 11, 2018. However, delaying implementation of the CDD Rule until then presents risks because some of the requirements under the CDD Rule have implicitly been required of covered financial institutions. Further, lacking appropriate customer due diligence requirements exposes companies to other regulators, such as OFAC.

A New Age of Transparency Is Here

The CDD Rule represents just one element of the U.S. government’s broader strategy to enhance financial transparency. The United States and other leading economies have been coordinating for many years to expand financial transparency via the “Recommendations” of the Financial Action Task Force (FATF), among others. Private-sector “gatekeepers” in the international financial system, like banks and other covered financial institutions, have been asked to support a wide range of transparency and law enforcement goals to address illicit activities. With U.S. backing, a key update to the FATF Recommendations in 2012 focused on customer due diligence and beneficial ownership.

This action dovetails with the recent announcements by the Treasury Department that it will send new beneficial ownership legislation to Congress, which would (1) require U.S. companies to obtain and submit beneficial ownership information at the time of creation to the Treasury Department and (2) clarify FinCEN’s authority to collect information under Geographic Targeting Orders (GTOs) such as bank wire transfer information. This effort is in addition to existing bills which have been introduced in both the House and Senate addressing transparency issues with limited liability companies and other entities.2

To combat tax evasion, the Treasury Department also published a proposed rule on May 10, 2016, to require an Employee Identification Number (EIN) and certain tax reporting and recordkeeping obligations for single-member foreign-owned U.S. entities. This proposed rule would help close a current loophole allowing foreign persons to hide assets in U.S. accounts.

The Department of Justice also announced on May 5 that it plans to propose legislative amendments to expand its authority to pursue foreign corruption cases, which will include a proposed amendment to allow administrative subpoenas for records in money laundering investigations, and an amendment to expand foreign money laundering predicates in order to allow prosecutors to pursue kleptocrats and other corrupt officials directly.

In sum, rules and regulations focusing on transparency are expected to continue, as are enforcement initiatives on money laundering, sanctions, and the FCPA, as well as efforts to combat tax evasion, including through the use of the Foreign Account Tax Compliance Act (FATCA). Increased cooperation and sharing of information between nations are expected to continue to combat a wide range of criminal activity.

Best Practices

In light of this new age of transparency:

  • Implement a Know Your Customer program. Even if your entity is not covered by the BSA, knowing your customers and business associates (and their beneficial owners) is crucial for compliance with OFAC economic and trade sanctions (as highlighted in the CDD Rule), anti-corruption laws such as the U.S. Foreign Corrupt Practices Act (FCPA), and U.S. export controls.
  • Beware of “red” flags. Be diligent in asking questions to understand the persons or entities with whom you are transacting. In light of heightened scrutiny on customer due diligence, failure to make reasonable inquiries could later be viewed by law enforcement and prosecutors as evidence of potential willful blindness and aiding and abetting money laundering.
  • Assess your risk. The 25 percent requirement for beneficial ownership is a floor and not a ceiling; many banks request information on owners with as little as 10 percent interest. Covered financial institutions and other companies will need to tailor their due diligence requirements based on the nature of their business and the risks associated with their industry.
  • Keep up to date on developments. The list of covered financial institutions under the current CDD Rule is likely to expand. While the federal government’s definition of “financial institution” under the BSA encompasses twenty-six categories from vastly differing industries, FinCEN has issued exemptions to many of these categories. Even financial institutions not currently subject to regulation, however, can be brought into FinCEN’s jurisdiction—for example, “persons involved in real estate closings and settlements” are currently exempt from the BSA’s requirement to establish an AML program, but are now subject to new reporting requirements based on FinCEN’s GTOs.

Accordingly, conducting due diligence on beneficial owners is an issue not only for financial institutions (including those currently exempt), but also for companies generally across all sectors of the economy.