May 11, 2018 was the applicability date for FinCEN's new "Customer Due Diligence Requirements for Financial Institutions" (the "CDD Rule").1 FinCEN noted the occasion by issuing a press release to remind covered financial institutions that the CDD Rule "clarifies and strengthens customer due diligence requirements" and "adds a new requirement ... to identify and verify the identity" of beneficial owners. The agency also issued an administrative ruling ("Ruling") to provide exceptive relief to covered financial institutions with respect to the application of beneficial ownership requirements to premium finance lending products that allow for cash refunds.
On the same day, the Federal Financial Institutions Examination Council (FFIEC)2 released two sections of its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual ("FFIEC Manual"): (i) "Customer Due Diligence - Overview and Examination Procedures" ("CDD Section") and (ii) "Beneficial Ownership Requirements for Legal Entity Customers - Overview and Examination Procedures" ("Beneficial Ownership Section"). Whereas the Beneficial Ownership Section is new, the CDD Section is an update to the FFIEC Manual. A comparison between the previous and new CDD Sections can be found here.
FFIEC MANUAL: CDD SECTION AND BENEFICIAL OWNERSHIP SECTION
As discussed in our May 16, 2016 Client Alert, the CDD Rule establishes two main requirements for covered financial institutions, such as U.S. banks and U.S. branches and agencies of foreign banks, brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. First, the CDD Rule requires covered financial institutions to adopt ongoing risk-based customer due diligence procedures as part of their AML compliance programs, including to develop and update customer risk profiles and customer information and to conduct ongoing AML monitoring. Second, the CDD Rule requires covered financial institutions to establish and maintain written procedures to identify and verify the beneficial owners of their legal entity customers. The sections of the FFIEC Manual released on May 11 offer some clarification regarding the expectations of examiners with respect to these requirements, including with respect to certain issues we raised in our previous Client Alert.3
Customer Due Diligence
As part of their risk-based procedures for conducting ongoing customer due diligence, covered financial institutions are required by the CDD Rule to maintain risk-based procedures for "[c]onducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information."4
1 Customer Due Diligence Requirements for Financial Institutions; Final Rule, 81 Fed. Reg. 29,398 (May 11, 2016) (codified at 31 C.F.R. parts 1010, 1020, 1023, 1024, and 1026).
2 The FFIEC is an interagency body composed of federal and state regulators, which prescribes uniform principles, standards, and report forms for the federal examination of financial institutions.
3 In addition, FinCEN published FAQs concerning the CDD Rule on July 19, 2016, and April 3, 2018 to provide additional information and guidance for covered financial institutions regarding implementation of and compliance with the CDD Rule.
4 31 C.F.R. 1020.210(b)(5)(v)(ii).
1 2018 Morrison & Foerster LLP | mofo.com Attorney Advertising
In our previous Client Alert, we noted that the primary compliance challenge for a financial institution in implementing the customer due diligence requirement, or "fifth pillar," as part of its BSA/AML program was likely to be the obligation to update customer information as part of the ongoing monitoring process.
The CDD Section reiterates FinCEN's previous comments published in connection with the final CDD Rule,5 stating that "[t]he requirement to update customer information is event-driven and occurs as a result of normal monitoring," and also that "[t]he ongoing monitoring element does not impose a categorical requirement" that banks "must update customer information on a continuous or periodic basis." The obligation to update customer information relates to customer information that has "materially changed," and banks are advised to consider the materiality of a particular change identified during ongoing monitoring prior to determining whether an update to customer information is necessary. The CDD Section also provides that if the "customer information is material and relevant to assessing the risk of a customer relationship," then banks "should reassess the customer risk profile/rating and follow established bank policies, procedures, and processes for maintaining or changing the customer risk profile/rating."6 Although it does not define material change, the CDD Section states that "[o]ne common indication of a material change in the customer risk profile is transactions or other activity that are inconsistent with the bank's understanding of the nature and purpose of the customer relationship or with the customer risk profile."
The CDD Section also offers guidance concerning when banks should conduct reviews of the customer relationship to update customer information. "The bank's CDD program must include risk-based procedures for performing ongoing monitoring of the customer relationship, on a risk basis, to maintain and update customer information, including beneficial ownership information of legal entity customers." Banks may establish "policies, procedures, and processes for determining whether and when, on the basis of risk, periodic reviews to update customer information should be conducted to ensure that customer information is current and accurate." Procedures should be implemented to establish criteria for when and by whom customer relationships will be reviewed, including updating customer information and reassessing the customer's risk profile. Procedures also should indicate who in the organization has authority to change a customer's risk profile.
The CDD Section lists a number of factors that may be relevant in determining when it is appropriate to review a customer relationship, including the following:
(i) Significant and unexplained changes in account activity;
(ii) Changes in employment or business operation;
(iii) Changes in ownership of a business entity;
(iv) Red flags identified through suspicious activity monitoring;
(v) Receipt of law enforcement inquiries and requests such as criminal subpoenas, National Security Letters (NSL), and section 314(a) requests;
(vi) Results of negative media search programs; and
(vii) Length of time since customer information was gathered and the customer risk profile assessed.
5 81 Fed. Reg. 29,398, 29,399 (May 11, 2016) ("This provision does not impose a categorical requirement that financial institutions must update customer information, including beneficial ownership information, on a continuous or periodic basis. Rather, the updating requirement is event-driven, and occurs as a result of normal monitoring.").
6 With respect to this issue, in the Supplementary Information published with the final CDD Rule, FinCEN stated that "[w]hen a financial institution detects information (including a change in beneficial ownership information) about the customer in the course of its normal monitoring that is relevant to assessing or reevaluating the risk posed by the customer, it must update the customer information, including beneficial ownership information." 81 Fed. Reg. 29,398, 29,399 (May 11, 2016); see also FinCEN, FIN-2018-G001, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, at 10-12 (April 3, 2018) at https://www.fincen.gov/sites/default/files/2018-04/FinCEN_Guidance_CDD_FAQ_FINAL_508_2.pdf (see FAQ 13, 14, and 16).
In our previous Client Alert, we also noted that the CDD Rule sends a somewhat mixed message about whether the CDD Rule applies to existing accounts and whether financial institutions have an ongoing obligation to update or re-verify beneficial ownership information. The Beneficial Ownership Section provides some guidance on this issue and acknowledges that "banks are not required to conduct retroactive reviews to obtain beneficial ownership information on legal entity customers that were existing customers as of May 11, 2018." The Beneficial Ownership Section notes that "[b]anks must have procedures to maintain and update customer information, including beneficial ownership information for legal entity customers, on the basis of risk," and that banks may be required to obtain and update beneficial ownership information for existing legal entity customers based on their procedures for ongoing monitoring.
The new sections of the FFIEC Manual also provide guidance on a number of other issues relating to the CDD Rule, including those listed below, that appear to largely reflect existing regulatory expectations.
The CDD Section notes that there are no required risk profile categories for customer risk profiles, and "the number and detail of these categorizations will vary based on the bank's size and complexity."
Although banks should obtain sufficient information about their customers to form an understanding of the nature and purpose of customer relationships at the time of account opening, this understanding may be based on assessments of categories of customers, rather than individuals. The CDD Section states that "for certain lower-risk customers, the bank's understanding of the nature and purpose of a customer relationship can be developed by inherent or self-evident information such as the type of customer, the type of account opened, or the service or product offered."
Banks may consider implementing customer due diligence policies, procedures, and processes on an "enterprise-wide basis," and "[t]o the extent permitted by law, this implementation may include sharing or obtaining customer information across business lines, separate legal entities within an enterprise, and affiliated support units." Banks are similarly encouraged to "cross-check for customer information in data systems maintained within the financial institution for other purposes, such as credit underwriting, marketing, or fraud detection."
The CDD Section notes that, aside from beneficial ownership information, "the level and type of customer information" obtained "should be commensurate with the customer's risk profile[.]" Thus, banks "should obtain more customer information for those customers that have a higher customer risk profile and may find that less information for customers with a lower customer risk profile is sufficient." The type of information obtained from customers may also vary depending on the customer's risk profile, among other factors. Banks should have policies, procedures, and processes that define both when and what additional customer information will be obtained, based on the customer's risk profile and other specific risks posed.
The CDD Section observes that "[e]ven within categories of customers with a higher risk profile, there can be a spectrum of risks and the extent to which additional ongoing due diligence measures are necessary may vary on a case-by-case basis."
The beneficial ownership information and other customer information obtained under the CDD Rule may be relevant to other regulatory requirements, such as identifying suspicious activity or detecting parties sanctioned by OFAC. The CDD Section and Beneficial Ownership Section both stress that banks should have policies and procedures that define how this information will be used to meet such other regulatory requirements.
FINCEN ADMINISTRATIVE RULING: EXCEPTIVE RELIEF FOR PREMIUM FINANCE CASH REFUNDS AND BENEFICIAL OWNERSHIP REQUIREMENTS
In its May 11, 2018 Ruling, FinCEN noted that the CDD Rule currently exempts covered financial institutions from the beneficial ownership requirements to the extent that a legal entity customer opens an account for the purpose of financing insurance premiums and for which payments are remitted directly by the financial institution to the insurance provider or broker, unless there is a possibility of cash refunds. The Ruling provides exceptive relief to covered financial institutions from collecting and verifying the beneficial owner of legal entity customers that open such premium financing accounts even if there is a possibility of cash refund.
FinCEN points out that the risk of money laundering for accounts established to finance insurance premiums is low, due to the structural characteristics of premium finance lending and the purpose for which premium finance accounts are established. In addition, the Ruling states that FinCEN has confirmed, through discussions with law enforcement, the low risk of money laundering with respect to such transactions notwithstanding the possibility of a cash refund. Therefore, FinCEN has determined that "exceptive relief from the beneficial ownership requirements is appropriate in the context of premium finance arrangements, notwithstanding the potential for cash refunds as part of the arrangement, provided that such refunds are only remitted directly to the borrower or the borrower's agent or broker."
The Ruling points out that FinCEN may withdraw or modify this exceptive relief under any circumstances and reminds covered financial institutions of their obligations to comply with all other applicable BSA requirements, including the filing of suspicious activity reports.
Henry M. Fields (213) 892-5275
Oliver I. Ireland (202) 778-1614
Jiang Liu (212) 468-8008
Barbara R. Mendelson (212) 468-8118
Marc-Alain Galeazzi (212) 336-4153
Meghan E. Dwyer (212) 336-4067
Mark R. Sobin (212) 336-4222