On November 21, 2017, FINRA issued Regulatory Notice 17-40 to provide member firms guidance regarding their obligations under FINRA Rule 3310 (Anti-Money Laundering Compliance Program) in light of the Financial Crimes Enforcement Network's (FinCEN) adoption of a final rule on Customer Due Diligence Requirements for Financial Institutions (the “CDD Rule”). The CDD Rule became effective July 11, 2016. Member firms must be in compliance with its provisions by May 11, 2018.

In response to concerns about corruption, tax evasion and other criminal activity, the Treasury Department adopted the CDD Rule to engender more robust customer due diligence. While largely formalizing existing obligations and practices, the CDD Rule does impose a new obligation with respect to the identification of the true beneficial owners of every legal entity account.

The anti-money laundering (“AML”) regulatory regime originates from the Bank Secrecy Act (“BSA”), which requires broker-dealers to develop and implement AML programs.[1] Consistent with the BSA, FINRA adopted Rule 3310 on April 24, 2002,[2] requiring every broker-dealer to establish, implement and maintain a written AML compliance program “reasonably designed to achieve and monitor” compliance with the BSA and its implementing regulations, including detection and reporting of suspicious activity.[3] Each firm’s AML program must, at a minimum, satisfy the “four pillars” set forth in the BSA’s implementing regulations, which are incorporated into Rule 3310:

  • the establishment and implementation of policies, procedures and internal controls reasonably designed to achieve compliance with the applicable provisions of the BSA and implementing regulations;
  • independent testing for compliance by broker-dealer personnel or a qualified outside party;
  • designation of an individual or individuals responsible for implementing and monitoring the operations and internal controls of the AML program; and
  • ongoing training for appropriate persons.

With the purpose of clarifying and strengthening existing AML obligations, the CDD Rule articulates several elements of effective customer due diligence: (1) determination and verification of customer identity; (2) determination and verification of the identity of the beneficial account owner; (3) determination and understanding of the nature and purpose of the customer relationship; and (4) ongoing monitoring and information updates, as required on a risk-assessment basis. According to FinCEN, the first element is already a requirement for AML programs; the second element is new; and the last two elements merely formalize existing obligations. The second, third and fourth elements constitute the ongoing customer due diligence obligation that is referred to as the “fifth pillar.”

Key to understanding the nature and purpose of the customer relationship (third element) is ascertaining the true identity of not only the customer (first element) but the beneficial owner(s) of the customer-entity (second element). In this regard, the CDD Rule mandates that firms amend their AML policies to require that within a reasonable time after account opening the identity of the legal entity customer’s beneficial owner(s) be determined and that the individual opening the account certify the accuracy of the beneficial owner information.

A “legal entity customer” is any corporation, limited liability company, or other entity created by the filing of a document with a governmental entity (such as the secretary of state); a general partnership; or any similar entity formed under the laws of a foreign jurisdiction.[4] Additionally, the CDD Rule defines an account “beneficial owner” as:

  • every individual who directly or indirectly owns 25% or more of the equity interest in the entity-customer; and
  • any individual with significant responsibility for controlling, directing or managing an entity-customer, which may include but is not limited to a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, President, Vice President or Treasurer.

The CDD Rule lacks guidance on how to compile “beneficial owner” information; however, at a minimum, the information must consist of (i) name; (ii) date of birth; (iii) address and (iv) social security or other governmental identification number. This is merely an articulation of what many firms already do in connection with their KYC obligation. Efforts to verify the identity of the beneficial owner must be at least as stringent as the firm’s Customer Identification Program procedures, which would allow firms to rely on information provided by another financial institution.

Armed with knowledge of the identity of the customer and the beneficial owner, firms must then develop a “customer risk profile” in order to have a “baseline” for use in identifying potentially suspicious activity. Baseline information may include information regarding the type of customer or account, the products and services offered to the account and the financial profile of the customer, including income, net worth, occupation and investment experience. The CDD Rule does not prescribe a specific form of risk profiling or scoring.

The monitoring obligation of the Rule’s fourth element applies to both existing and new accounts. Similarly, the obligation to update customer information applies to new and existing accounts. However, there is no expectation that a covered financial institution obtain updated beneficial ownership information from its legal entity customers on a continuous basis. Rather, customer information need be updated only when the firm becomes aware of, for example, a change in beneficial ownership, in the course of conducting its routine, risk-based monitoring.

Ultimately, while adoption of the CDD Rule is intended to enhance firms’ AML processes, many firms’ processes may already encompass the expectations contemplated by the Rule such that significant changes may not be necessary. Certainly the CDD Rule is presented merely as codifying expectations already existing under the BSA and Rule 3310. Any burden associated with the Rule is further tempered by exclusions for public companies and regulated entities.[5] Nevertheless, firms should ensure that they are gathering and verifying the required identification information, that they are profiling their accounts on a risk basis and that they are monitoring, on an ongoing basis, their accounts for suspicious activity.

FinCEN Guidance on the Requirements of the CDD Rule can be found at https://www.fincen.gov/resources/statutes-regulations/guidance/frequently-asked-questions-regarding-customer-due-diligence.