On May 11, 2016, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) Final Rule codifying new and existing customer due diligence (“CDD”) requirements under the Bank Secrecy Act (“BSA”) was published in the Federal Register (the “Final Rule”). The CDD Final Rule becomes effective 60 days after publication (July 11, 2016) and covered institutions must comply with the Final Rule by May 11, 2018.
The Final Rule requires covered financial institutions (such as banks, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities) to maintain BSA/AML programs that satisfy the four “core elements” of CDD, which are:
- Identifying and verifying the identity of customers;
- Identifying and verifying the identity of beneficial owners of legal entity customers (i.e., the natural persons who own or control legal entities);
- Understanding the nature and purpose of customer relationships; and
- Conducting ongoing monitoring.
FinCEN emphasizes that most, if not all, of these four elements are already present in the vast majority of financial institutions’ BSA/AML programs – which constitute the “minimum standard” of CDD – but that the Final Rule serves to now make them explicit requirements. As such, the Final Rule contains two primary new components. First, the rule supplements the traditional “four pillars” of AML programs by adding a new “fifth pillar” which requires covered institutions to develop customer risk profiles and monitor suspicious activity on an ongoing basis, including maintaining and updating customer information and beneficial ownership information. Second, the rule requires covered institutions to verify the identity of the beneficial owners of their legal entity customers.
New “Fifth Pillar” of Essential Customer Due Diligence
The BSA requires certain financial institutions to have AML programs which contain a minimum of four elements that are commonly referred to as the “four pillars” of an effective AML program. (31 U.S.C.A. § 5318(h)), In the CDD Final Rule, FinCEN formally codified these four pillars and added a new multi-part fifth pillar. The five pillars, which will be codified at 31 C.F.R. § 1010.210(b), include:
- A system of internal controls to assure ongoing compliance;
- Independent testing for compliance to be conducted by bank personnel or by an outside party;
- Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;
- Training for appropriate personnel; and
- Appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
- Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
- Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. For purposes of this paragraph (b)(5)(ii), customer information shall include information regarding the beneficial owners of legal entity customers [as defined in the Final Rule].
Thus, pursuant to the Final Rule, the new fifth pillar expands the previous general concept of “understanding the nature and purpose of customer relationships” to include specifically developing customer risk profiles and conducting ongoing monitoring of existing customers. FinCEN explained that the “customer risk profile refers to the information gathered about a customer at account opening used to develop a baseline against which customer activity is assessed for suspicious activity reporting…” which “may include self-evident information such as the type of customer or type of account, service, or product.” In addition, “[t]he profile may, but need not, include a system of risk ratings or categories of customers.”
With regard to the requirement of ongoing monitoring, FinCEN identified that the “ongoing monitoring” will require covered institutions to “identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.” This includes updating customer information, including beneficial ownership information, when the financial intuition becomes aware of changes to customer information during the process of “assessing or reevaluating the risk posed by the customer.”
Requirement to Identify Beneficial Ownership Information
Covered financial institutions are also now required to identify the natural persons or beneficial owners of legal entity customers, subject to certain exceptions. Beneficial owners are identified by obtaining a certification form directly from an individual opening a new account for a legal entity customer. The definition of beneficial owner for BSA/AML purposes is “the natural person(s) who own or control a legal entity” or “those who exercise effective control over a legal entity.” Thus, the proposed regulations reflect a two-prong definition of beneficial owners:
Ownership: Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of the equity interests of a legal entity customer; and
Control: An individual with significant responsibility to control, manage or direct a legal entity customer, including (i) an executive officer or senior manager (e.g., a chief executive officer, chief financial officer, chief operating officer, managing member, a general partner, president, vice president, or treasurer); or (ii) any other individual who regularly performs similar functions.
Each prong is designed to require and independent analysis. Thus, a financial institution must identify each individual who owns 25% or more of the equity interests. And, in many cases, there may be no beneficial owners at the 25% or more level. FinCEN also noted with approval – but ultimately did not require – that some financial institutions utilize a 10% ownership threshold. The lower threshold was rejected in part because it would require financial institutions to identify up to eleven beneficial owners.
Regardless of whether or not there are any beneficial owners pursuant to the first prong, the Final Rule requires the financial institution to identify at least one control person under the second prong. In cases where an individual owns 25% or more of a legal entity and also meets the definition for control, that same individual could be identified as a beneficial owner under both prongs.
Covered institutions are required to identify and verify the identities of the beneficial owners at the time a new account is opened, and must modify this information if the institution becomes aware of changes during the ongoing monitoring required by the “fifth prong.”
These identification and verification procedures required under the Final Rule are, according to FinCEN, likely to be very similar to the procedures for individual customers under a financial institution’s existing customer identification program (“CIP”). Except, however, pursuant to the Final Rule, covered financial institutions are entitled to rely on customer representations regarding the individual or individuals with ownership and/or control.
Thus, FinCEN is not requiring that the financial institution verify that the natural people identified on the certification form are in fact the beneficial owners, noting “we emphasize that FinCEN expects that financial institutions will generally be able to rely on the representations of the customer when it identifies its beneficial owners.”
FinCEN does note, however, that the standards in the Final Rule are minimum standards. Therefore, beneficial ownership should be verified consistent with an institution’s existing CIP practices. Under current rules, for example, a financial institution must obtain beneficial ownership information if it offers foreign private banking accounts or correspondent accounts for foreign financial institutions.
The beneficial ownership requirement is a notable and significant enhancement to the BSA/AML procedures previously required. FinCEN notes that the new Final Rule is designed to improve the ability of covered financial institutions to assess risk and facilitate tax compliance, and also to better align U.S. compliance regulations with those imposed internationally. The overall purpose of the Final Rule, as stated by FinCEN, is to address the issue that “covered financial institutions are not presently required to know the identity of the individuals who own or control their legal entity customers (also known as beneficial owners),” which “enables criminals, kleptocrats, and others looking to hide ill-gotten proceeds to access the financial system anonymously.”