May 11, 2018 marked the compliance date for the Customer Due Diligence Requirements for Financial Institutions rule issued by the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) on May 11, 2016 (the “CDD Rule”).
The CDD Rule represents a departure from prior FinCEN rules, under which financial institutions exercised their own judgment, making risk-based assessments as to when and how to identify and verify beneficial owner information for legal entity accounts, except in respect of specific cases.
In anticipation of this compliance date, the Financial Industry Regulatory Authority (“FINRA”) amended its anti-money laundering (“AML”) compliance program rule (“Rule 3310”), effective May 11, 2018, as announced in FINRA Regulatory Notice 18-19 (“Notice 18-19”). This note provides a brief summary of the CDD Rule, discusses recent FINRA guidance on the CDD Rule and the amendments to Rule 3310, provides an overview of the most recent series of FAQs released by FinCEN and highlights recent updates to FINRA’s Anti-Money Laundering Template for Small Firms (the “Small Firm Template”).
The CDD Rule
On May 11, 2016, FinCEN issued the CDD Rule. The CDD Rule was later amended on September 28, 2017 to make certain technical corrections.
CDD Rule Summary
Under the CDD Rule, “covered financial institutions” (a term described below) must establish procedures to:
- identify each natural person that directly or indirectly owns 25% or more of the equity interests of a “legal entity customer” (the “ownership prong”);
- identify one natural person with “significant responsibility to control, manage or direct” a legal entity customer, including an executive officer or senior manager (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President or Treasurer); or any other individual who regularly performs similar functions (the “control prong”), which may be a person reported under the ownership prong; and
- verify the identities of those persons according to risk-based procedures, which procedures must include the elements currently required under the Customer Identification Rule (the “CIP Rule”) at a minimum.
Identification of those beneficial owners of a “legal entity customer” (a term described below) must be conducted at the time a new “account” (a term described below) is opened. In addition, covered financial institutions are required to obtain a certification from the individual opening an account on behalf of a legal entity customer that identifies any individuals who meet the definitions under the ownership or control prongs.
As noted above, the financial institution is required to verify the identity of such persons using risk-based procedures that include, at minimum, the same documentary and non-documentary elements required under the CIP Rule (although under the CDD Rule, non-original documents may be accepted, subject to conditions). The institution is not, however, required to verify the fact of the identified beneficial owner’s relationship to the legal entity, absent a financial institution’s knowledge to the contrary. Therefore, for example, a financial institution does not need to independently verify whether or not the individual(s) presented as 25% owners are the only individuals who fall within the ownership prong.
FinCEN has stated that financial institutions should use the collected beneficial ownership information as they use other information they gather regarding customers (e.g., through compliance with CIP requirements), including for compliance with Office of Foreign Assets Control (OFAC) regulations and currency transaction reporting (CTR) aggregation requirements.
The CDD Rule only applies to accounts opened on or after May 11, 2018, but FinCEN noted that institutions may, as a prudential matter, decide to collect the same information from accounts opened prior to May 11, 2018. The CDD Rule provides important exclusions and exemptions for pooled investment vehicles, as well as other entity types. For a discussion of the application of the CDD Rule to pooled investment vehicles, see the Section entitled “Select Questions and Answers From the 2018 FAQs” below.
Account. Generally, “account” means a formal relationship established to provide or engage in services, dealings or other financial transactions, but its definition depends on the entity hosting the account.
- For banks, “account” means a formal banking relationship established to provide or engage in services, dealings or other financial transactions, including a deposit account, a transaction or asset account, a credit account or other extension of credit. “Account” also includes a relationship established to provide a safety deposit box or other safekeeping services, or cash management, custodian and trust services.
- For broker-dealers, “account” means a formal relationship established to effect transactions in securities, including, but not limited to, the purchase or sale of securities and securities loaned and borrowed activity, and to hold securities or other assets for safekeeping or as collateral.
- For mutual funds, “account” means any contractual or other business relationship between a person and a mutual fund established to effect transactions in securities issued by the mutual fund, including the purchase or sale of securities.
- For futures commission merchants or introducing brokers in commodities, “account” means a formal relationship, including, but not limited to, those established to effect transactions in contracts of sale of a commodity for future delivery, options on any contract of sale of a commodity for future delivery or options on a commodity.
Covered Financial Institution. The CDD Rule applies to all financial institutions currently subject to CIP requirements, which includes:
- insured banks (as defined in section 3(h) of the Federal Deposit Insurance Act);
- commercial banks;
- agencies or branches of a foreign bank in the United States;
- federally insured credit unions;
- savings associations;
- corporations acting under Section 25A of the Federal Reserve Act;
- trust banks or trust companies that are federally regulated and are subject to an anti-money laundering program requirement;
- brokers or dealers in securities registered, or required to be registered, with the Securities and Exchange Commission under the Securities Exchange Act of 1934, except persons who register pursuant to Section 15(b)(11) of the Securities Exchange Act of 1934;
- futures commission merchants or introducing brokers registered, or required to be registered, with the Commodity Futures Trading Commission under the Commodity Exchange Act, except persons who register pursuant to Section 4(f)(a)(2) of the Commodity Exchange Act; and
- mutual funds.
Legal Entity Customer. The CDD Rule requires covered financial institutions to obtain beneficial ownership information for a “corporation, limited liability company or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership and any similar entity formed under the laws of a foreign jurisdiction that opens an account.” Entities that are excluded from the definition of legal entity customer include:
- financial institutions regulated by a federal functional regulator or banks regulated by a state bank regulator;
- departments or agencies of the United States, of any state, or of any political subdivision of a state;
- entities (other than a bank) whose common stock or analogous equity interests are listed on the New York, American or NASDAQ stock exchange;
- issuers of securities registered under Section 12 of the Securities Exchange Act of 1934 or that are required to file reports under Section 15(d) of the Securities Exchange Act of 1934;
- investment companies, as defined in Section 3 of the Investment Company Act of 1940, registered with the Securities and Exchange Commission (“SEC”);
- SEC-registered investment advisers, as defined in Section 202(a)(11) of the Investment Advisers Act of 1940;
- exchanges, clearing agencies or any other entity registered with the SEC under the Securities Exchange Act of 1934;
- registered entities, commodity pool operators, commodity trading advisors, retail foreign exchange dealers, swap dealers or major swap participants, defined in Section 1a of the Commodity Exchange Act, registered with the Commodity Futures Trading Commission;
- bank holding companies, as defined in Section 2 of the Bank Holding Company Act of 1956;
- pooled investment vehicles operated or advised by a financial institution excluded from the beneficial ownership requirement;
- insurance companies regulated by a state;
- financial market utilities designated by the Financial Stability Oversight Council under Title VIII of the Dodd-Frank Act;
- non-U.S. financial institutions established in a jurisdiction where such institution’s regulator maintains beneficial ownership information regarding such institution; and
- legal entities opening private banking accounts.
FINRA Regulatory Notices 17-40 and 18-19
FINRA Regulatory Notice 17-40
On November 21, 2017, FINRA issued Regulatory Notice 17-40 (“Notice 17-40”), which provided guidance with respect to the obligations of member firms under Rule 3310 and the CDD Rule. FINRA noted that prior to the implementation of the CDD Rule, firms were required to develop and implement an AML program that incorporated “four pillars” enumerated in the Bank Secrecy Act (the “BSA”). These four pillars are:
- the establishment and implementation of policies, procedures and internal controls reasonably designed to achieve compliance with the applicable provisions of the BSA and the implementing regulations thereunder;
- independent testing for compliance to be conducted by the broker-dealer’s personnel or by a qualified outside party;
- designation of an individual or individuals responsible for implementing and monitoring the operations and internal controls of the program; and
- ongoing training for appropriate persons.
Notice 17-40 posits that the CDD Rule adds a “fifth pillar” to these requirements:
- appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to: (i) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (ii) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
FINRA echoed language in the CDD Rule, highlighting that this fifth pillar does not represent “new law” and merely codifies existing expectations under the BSA for firms to identify and report suspicious transactions and to know and understand their customers. Notice 17-40 provides information and guidance in this respect, including:
- understanding the nature and purpose of customer relationships;
- conducting ongoing monitoring; and
- identifying and verifying the identity of beneficial owners of legal entity customers.
With respect to identifying and verifying the identity of beneficial owners of legal entity customers, FINRA noted that a firm may rely on beneficial ownership information supplied by the individual opening an account on behalf of a legal entity customer, provided that the firm does not have knowledge of facts that would reasonably call into question the validity or reliability of that information, and that a firm is allowed to rely on another financial institution for the performance of the requirements under the CDD Rule to the same extent that this reliance is permitted under the CIP Rule.
FINRA also stated in Notice 17-40 that it was considering further rulemaking to better align the language of Rule 3310 with that of the CDD Rule.
FINRA Regulatory Notice 18-19
As noted above, FINRA announced in Notice 18-19 that it was amending Rule 3310 to better align the rule’s language with that of the CDD Rule. The proposed amendments were subsequently published in the Federal Register as a Notice of Filing and Immediate Effectiveness.
In Notice 18-19, FINRA referenced the guidance that it had previously provided in Notice 17-40, especially with respect to firms’ ongoing customer due diligence requirements enumerated in the CDD Rule. The amendments add a new subsection (f) to Rule 3310, which states that:
Each member shall develop and implement a written anti-money laundering program reasonably designed to achieve and monitor the member’s compliance with the requirements of the Bank Secrecy Act (31 U.S.C. 5311, et seq.), and the implementing regulations promulgated thereunder by the Department of the Treasury. Each member’s anti-money laundering program must be approved, in writing, by a member of senior management. The anti-money laundering programs required by this Rule shall, at a minimum,
. . .
(f) Include appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
(i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
(ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. For purposes of paragraph (f)(ii), customer information shall include information regarding the beneficial owners of legal entity customers (as defined in 31 CFR 1010.230(e)).
FINRA once again reiterated that the amendments to Rule 3310 do not represent “new law,” and in FINRA’s view merely codify existing expectations for firms, and reminded firms to ensure that their AML programs were updated, as necessary, to comply with the May 11, 2018 CDD Rule compliance date and Rule 3310 effective date.
Recent Guidance Issued by FinCEN
FinCEN’s 2018 Frequently Asked Questions
On April 3, 2018, FinCEN released its second series of FAQs with respect to the CDD Rule, which provides answers to an additional 37 questions (the “2018 FAQs”). The first series of FAQs with respect to the CDD Rule was published by FinCEN on July 19, 2016 (the “2016 FAQs”). The 2018 FAQs primarily cover various topics in connection with the requirement that financial institutions obtain beneficial ownership information for their legal entity customers, including:
- the beneficial ownership threshold and its interaction with other AML program obligations;
- collection and verification of identifying information, particularly for legal entity customers with complex ownership structures;
- the definition of “legal entity customer,” including the treatment of non-U.S. financial institutions; and
- clarification and discussion with respect to certain exemptions and exclusions under the CDD Rule.
The 2018 FAQs also provide guidance and answers to questions regarding the beneficial ownership certification requirement, including when a single customer opens multiple accounts and in respect of product or service renewals, obligations to update beneficial ownership information, requirements to understand the nature and purpose of the customer relationship, internal approval of AML program changes and currency transaction reporting.
Select Questions and Answers From the 2016 FAQs
Collection of Beneficial Ownership Information
- Question 10 – Obtaining Beneficial Ownership Information. Notes that a financial institution does not need to obtain information directly from the beneficial owners of a legal entity customer. The information must be obtained from the individual opening the account on behalf of the legal entity customer, although that individual may also be a beneficial owner.
- Question 11 – Types of Beneficial Ownership Information that Must be Collected. Financial institutions must collect the name, date of birth, address, and social security number or other government identification number (i.e., passport number or other similar information in the case of non-U.S. persons) for each individual identified under the ownership or control prongs of the CDD Rule.
Requirement to Identify Beneficial Owners
- Question 12 – Nominee Owners. Reiterates that the CDD Rule requires financial institutions to identify the ultimate beneficial owners of legal entity customers, and not “nominees” or “strawmen.” The answer to this question reminds financial institutions, however, that it is the responsibility of the individual opening the account on behalf of the legal entity customer to identify the beneficial owners, and financial institutions may rely upon the information provided, unless the institution has reason to question its validity or accuracy.
- Question 2 – Setting a Lower Ownership Prong Threshold. Notes that there may be circumstances where, based upon a financial institution’s risk assessment of a particular customer, the financial institution may determine there is a need to collect beneficial ownership information for individuals below the 25% threshold. Alternatively, a financial institution may determine that any heightened risk associated with a particular legal entity customer could be mitigated through other means, such as enhanced monitoring or collection of other information.
- Question 3 – Indirect Beneficial Owners. Provides guidance related to the identification of indirect owners of legal entity customers, and notes that covered financial institutions must obtain the identity of any individual who satisfies the definition of beneficial owner, regardless of whether that individual owns 25% or more of the legal entity customer directly, or indirectly, for example, through the aggregation of holdings across multiple parent entities. To this point, FinCEN notes that covered financial institutions do not need to independently investigate the ownership structure of the legal entity customer, and may rely on the information presented by the legal entity customer’s representative, provided that the institution does not have knowledge of any facts that would reasonably call into question the validity or reliability of that information.
Identification and Verification
- Question 4 – Verifying Beneficial Ownership Information. Explains that while the risk-based procedures used by a covered financial institution to verify the identity of beneficial owners of legal entity customers must contain, at minimum, the same elements used to verify the identity of individual customers under the CIP Rule, including procedures to address instances where the institution cannot form a reasonable belief that it knows the true identity of the legal entity customer’s beneficial owners, the procedures under the CDD Rule do not have to be identical to an institution’s CIP Rule procedures. For example, the CDD Rule explicitly provides that a financial institution may use photocopies or other reproduction documents (e.g., a photocopy of a driver’s license or passport photo page) for documentary verification.
- Question 7 – Reliance on Prior CIP Information. Notes that financial institutions may rely on the CIP information that they have already collected for an individual with an existing account to satisfy their identification and verification obligations, in situations where the existing customer is named as a beneficial owner of a new legal entity customer. The information on file must be accurate and up-to-date, and the representative opening the account on behalf of the legal entity customer must certify — either verbally or in writing — that the pre-existing CIP information is accurate.
- Question 10 – Reliance on Prior CDD Certification. Provides that covered financial institutions that have already received a certification or equivalent form from a legal entity customer may rely on that information to fulfill their beneficial ownership identification and verification obligations for subsequent accounts opened by the same legal entity customer, provided that the customer certifies — either verbally or in writing — that the information is accurate and up-to-date at the time of each subsequent account opening, the institution maintains a record of each certification or confirmation and the institution does not have knowledge of any facts that would reasonably call into question the validity or reliability of that information.
- Question 14 – Requirements to Update CDD Information. Provides that covered financial institutions are not required to solicit or update beneficial ownership information absent specific risk-based concerns, although institutions do have discretion to collect and update beneficial ownership information as often as they deem appropriate. Covered financial institutions are, however, required to have policies and procedures in place to, among other responsibilities, maintain and update customer information on a risk basis, and obtain and update information, if, in the course of normal monitoring, the institution becomes aware of information about a customer or account, including a potential change in beneficial ownership, relevant to the assessment or re-assessment of that customer’s overall risk profile.
Exemptions and Exclusions
- Question 18 – Pooled Investment Vehicles. Explains that for pooled investment vehicles that are not otherwise excluded under the CDD Rule, it would be impractical for covered financial institutions to attempt to collect and verify the 25% ownership information for these types of entities, given how ownership interests fluctuate. Covered financial institutions are, however, required to collect beneficial ownership information for these types of entities under the control prong of the CDD Rule.
- Question 26 – Scope of Non-U.S. Financial Institution Exclusion. Provides that for the purposes of the “non-U.S. financial institution exclusion” under the CDD Rule, a non-U.S. regulator must merely collect and maintain beneficial ownership information for the legal entity customer. A covered financial institution is not required to research the specific transparency obligations imposed on a non-U.S. financial institution by its regulator and compare them with those imposed on U.S. financial institutions by U.S. Federal functional regulators, and may rely on a representation by the legal entity customer with respect to whether an exclusion applies, provided that the institution does not have knowledge of any facts that would reasonably call into question the validity or reliability of that information. The answer to this question also notes that correspondent accounts for non-U.S. financial institutions will continue to be subject to the due diligence and beneficial ownership identification requirements that were already in place prior to the implementation of the CDD Rule, rather than the requirements set forth in the CDD Rule.
- Question 28 – Scope of Non-U.S. Governmental Entity Exclusion. Explains that the “non-U.S. governmental department, agency or political subdivision that engages only in governmental rather than commercial activities exclusion” under the CDD Rule does not apply to state-owned enterprises engaged in profit-seeking activities, such as sovereign wealth funds, airlines or oil companies. The answer to this question does note, however, that many state-owned enterprises may not have any individual that meets the ownership prong under the CDD Rule, because the equity interest is held by a governmental department, agency or political subdivision. In those instances, covered financial institutions would only be required to obtain beneficial ownership information under the control prong of the CDD Rule. This response also reiterates that an institution may rely on a representation by the legal entity customer with respect to whether an exclusion applies, provided that the institution does not have knowledge of any facts that would reasonably call into question the validity or reliability of that information.
Updates to the FINRA Small Firm Template
On April 4, 2018, FINRA published an updated version of its Small Firm Template. The template was updated to reflect the obligations of firms under Rule 3310 and the CDD Rule. These changes have been incorporated into Section 6 of the template (Customer Due Diligence Rule), which provides revised discussion and example text with respect to a firm’s compliance obligations under Rule 3310 and the CDD Rule. Other substantive changes in the Small Firm Template include additions to the example text in the Firm Policy and National Security Letters Sections. In addition, the updated Small Firm Template includes minor clean-up changes, updated rule references and additional resources and guidance that have been published since the prior version.
The CDD Rule and Rule 3310 codify existing expectations under the BSA for firms to identify and report suspicious transactions and to know and understand their customers. This “fifth pillar” requires firms to understand the nature and purpose of customer relationships, conduct ongoing monitoring and identify and verify the identity of beneficial owners of legal entity customers. While the CDD Rule has been largely finalized since 2016, the May 11, 2018 CDD Rule compliance date and Rule 3310 effective date represent a reminder for firms to review their AML programs to ensure compliance with these rules.