© 2016 Hunton & Williams LLP

June 2016

FinCEN Expands Customer Due Diligence Requirements

On May 11, 2016, the Financial Crimes Enforcement Network (“FinCEN”) published its long-awaited final rule (see link at end of document) expanding customer due diligence (“CDD”) requirements for covered financial institutions (which are defined, for this purpose, as banks, securities firms including broker-dealers, mutual funds and futures commission merchants, as well as introducing brokers in commodities). As a result, covered financial institutions will be required to know not only the identities of their legal entity customers at the account opening stage (existing requirement) but also the individuals who own or control those entities, i.e., their beneficial owners, subject to certain thresholds and exceptions.

As such, prior to the effective date of the final rule, “covered financial institutions” may need to evaluate and update their BSA/AML policies and, if necessary, update related procedures and systems to incorporate the expanded CDD requirements of the rule.

The rule is consistent with federal securities and banking regulators’ renewed emphasis on the risks posed by third parties and the importance of covered financial institutions exercising effective due diligence procedures to assess such risks.[1]

The expanded CDD regulation effectively would create a fifth pillar for BSA/AML programs required under FinCEN’s rules governing certain financial institutions. To maintain an adequate BSA/AML program, under CDD requirements, covered financial institutions must meet four elements of the regulation. These are:

• identifying and verifying the identity of customers,
• identifying and verifying the identity of beneficial owners of legal entity customers,
• understanding the nature and purpose of customer relationships, and
• conducting ongoing monitoring to maintain and, on a risk basis, update customer information and to identify and report suspicious transactions.

FinCEN took pains to point out that these pillars are really not new in that most financial institutions are already employing most, if not all, of such elements in their BSA/AML program. Nonetheless, the final rules do make explicit the requirements to understand the nature and purpose of customer relationships, conduct ongoing due diligence and update information, and identify the “beneficial owner” of business clients. Each of these four pillars is worth discussing in more detail. Although certain of these elements are new to FinCEN regulations, FinCEN believes that such provisions are inherent (or at least should be) in a financial institution’s customer risk assessment program and are consistent with core BSA/AML requirements imposed by federal bank regulators.

[1] FinCEN indicated that, although the rule would initially not apply to other firms that currently are required to have BSA/AML programs (such as money services businesses), FinCEN is considering extending CDD requirements to such firms in the future.

The genesis of the final rule relates to the publication in March 2010, by FinCEN and prudential regulators, of “joint guidance on obtaining and retaining beneficial ownership information.” Then, in March 2012, FinCEN commenced its rulemaking process by issuing an advance notice of final rulemaking (“ANPRM”) that sets forth the elements contained in the current final rulemaking in some form or fashion. The ANPRM was followed by a Notice of Final Rulemaking (“NPRM”) issued on July 30, 2014. The final rule is the culmination of such efforts and is intended to address comments received on the NPRM.

Beneficial Ownership. As noted above, FinCEN is finalizing a new requirement that financial institutions identify the beneficial owners of legal entity customers, subject to certain exceptions.
For these purposes, beneficial owners are identified by obtaining a certification form (attached to the final rule as Appendix A) directly from the individual opening the new account of the legal entity customer. The definition of beneficial owner for BSA/AML purposes is “the natural person(s) who ultimately owns or controls the customer and/or the person on whose behalf a transaction is being conducted. It also incorporates those persons who exercise ultimate effective control over a legal person or arrangement.” FinCEN’s definition of a “beneficial owner” is designed to capture both the concept of ownership and that of effective control.

The final rule requires a covered financial institution to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of a legal entity customer unless such customers are expressly excluded (certain US or non-US regulated entities). A covered financial institution must demonstrate its compliance with FinCEN’s new requirement by obtaining, at the time of the account opening, a mandatory certification from the individual opening the account on behalf of the legal entity customer that identifies the beneficial owners (or by obtaining the information required by the form through alternative means). FinCEN, however, did clarify that the standards in the final rules are minimum standards. Therefore, beneficial ownership should be verified consistent with the bank’s existing, risk-based CIP practices through the use of documentary and non-documentary methods.

Under current rules, a financial institution must obtain beneficial ownership information if it offers foreign private banking accounts or correspondent accounts for foreign financial institutions. The final regulations reflect a two-prong definition of beneficial owner.
The prongs are:

• Ownership Prong: Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of the equity interests of a legal entity customer; and
• Control Prong: An individual with significant responsibility to control, manage or direct a legal entity customer, including (A) an executive officer or senior manager (e.g., a chief executive officer, chief financial officer, chief operating officer, managing member, a general partner, president, vice president, or treasurer); or (B) any other individual who regularly performs similar functions.[2]

Each prong is intended to be an independent test. Thus, a financial institution must identify each individual who owns 25% or more of the equity interests. Conversely, there may be no beneficial owners at the 25% or more level. Again, these are minimum requirements. FinCEN indicated that it does not expect compliance with this requirement to be tested or examined against a lower threshold. Nonetheless, FinCEN noted that some financial institutions, from a risk-based approach, may determine that they should use a lower threshold in certain circumstances. Against this rather tepid protection, it is likely that many covered financial institutions will continue to identify all 10% beneficial owners. Regardless of whether or not there are any, the financial institution must identify at least one control person. In cases where an individual owns 25% or more of the legal entity, and also meets the definition for control, that same individual could be identified as a beneficial owner under both prongs.

[2] The certification form is no longer mandatory. A covered financial institution may substitute its own form provided the individual certifies the information and it contains the necessary information.

A financial institution is entitled to rely on customer representations to determine the party with effective control. According to FinCEN, covered financial institutions are only required to verify the existence of an identified beneficial owner and not that such owner really owns the interest in the legal entity.

There are a number of caveats. First, the covered financial institution may have “no knowledge of facts that would reasonably call into question the reliability” of such certification. So, information held in one department can be expected to be attributed to the financial institution as a whole. Second, and perhaps most importantly, covered financial institutions must still maintain risk-based compliance programs. There is no obligation to assess whether one or more parties are acting in concert. Again, financial institutions can rely on representations on that issue as well. Moreover, FinCEN is not requiring retroactive application of the new rules.

A “legal entity” customer is generally any business enterprise with a few exceptions. These exemptions include any customers that are currently exempt from CIP, as well as parties whose beneficial ownership information is generally available to the public from other sources such as public companies registered with the SEC.[3] FinCEN notes that exempting these entities from the beneficial ownership requirement does not necessarily imply that all of them present a low risk of money laundering or terrorist financing. FinCEN pointed out that charities may present a high risk of such illegal activity, but charities are exempt from the beneficial ownership test because as a tax-exempt organization, they do not have beneficial owners. FinCEN does point out that under a charity structure, board oversight is akin to ownership and management is akin to control. Similarly, trusts, other than business trusts, are not deemed to be legal entity customers.
With regard to trusts, financial institutions should take a risk-based approach. Existing guidance as to who is a “customer” would continue to apply to the question of whether an entity is a “legal entity customer.” If the intermediary is a customer establishing subaccounts, then the intermediary itself and not its client may be the legal customer entity in certain cases. Of course, consistent with the general FinCEN theme, the financial institution still must take a risk-based approach to underlying clients of the intermediary. FinCEN is still considering how to treat pooled investment vehicles.

[3] An issuer of a class of securities registered under Section 12 of the Securities Exchange Act of 1934 or that is required to file reports under Section 15(d) of that Act;
Any majority-owned domestic subsidiary of any entity whose securities are listed on a US stock exchange;
An investment company, as defined in Section 3 of the Investment Company Act of 1940, that is registered with the SEC under that Act;
An investment adviser, as defined in Section 202(a)(11) of the Investment Advisers Act of 1940, that is registered with the SEC under that Act;
An exchange or clearing agency, as defined in Section 3 of the Securities Exchange Act of 1934, that is registered under Section 6 or 17A of that Act;
Any other entity registered with the Securities and Exchange Commission under the Securities and Exchange Act of 1934;
A registered entity, commodity pool operator, commodity trading advisor, retail foreign exchange dealer, swap dealer, or major swap participant, each as defined in section 1a of the Commodity Exchange Act, that is registered with the CFTC;
A public accounting firm registered under section 102 of the Sarbanes-Oxley Act; and
A charity or nonprofit entity that is described in Sections 501(c), 527, or 4947(a)(1) of the Internal Revenue Code of 1986, that has not been denied tax exempt status, and that is required to and has filed the most recently required annual information return with the Internal Revenue Service.

There is no obligation to update the beneficial owner information unless the legal entity customer opens a new account. Otherwise, risk-based factors to be considered in updating the beneficial owner could include the type of business engaged in by the legal entity customer, changes in business operations or management of which the financial institution becomes aware, indications of possible misuse of a shell company in the account history, or changes in address or signatories on the account. As some financial institutions currently update CIP information at periodic intervals based on risk or when updating other customer information as part of routine account maintenance, financial institutions may consider updating beneficial ownership information on a similar basis. Importantly, existing rules on reliance on third parties that maintain a BSA/AML program continue to apply.

Understanding the Nature and Purpose of Customer Relationships. The rules now provide that the financial institution must “understand the nature and purpose of customer relationships in order to develop a customer risk profile.” In such context, FinCEN believes that it is well understood that “a bank should obtain information at account opening sufficient to develop an understanding of normal and expected activity for the customer’s occupation or business operations.” This quote is drawn from the existing BSA/AML examination manual. FinCEN notes, however, that in some circumstances, an understanding of the nature and purpose of a customer relationship can also be developed by inherent or self-evident information about the product or customer type or basic information about the customer.
Such basic information that FinCEN notes could be telling includes “annual income, net worth, domicile, or principal occupation or business.” For existing long-standing customers, the financial institution already may have a robust history of activity that could be highly relevant in understanding future expected activity or for purposes of detecting aberrations. Significantly, FinCEN states that this aspect of CDD applies to all accounts and not just to “customers” for CIP purposes. Thus, the exemptions referenced in the definition used for CIP would not apply.

Monitoring. FinCEN intends for the monitoring element to be consistent with current suspicious activity reporting and BSA/AML program requirements. FinCEN believes that conducting ongoing monitoring is implicit in the requirement to file SARs. The BSA/AML manual notes that the internal controls of a bank’s BSA/AML program should “provide sufficient controls and monitoring systems for timely detection and reporting of suspicious activity.” There is no periodic requirement to update information. Instead, when a financial institution becomes aware of information relevant to assessing the risk posed by a customer, it is expected to update the customer’s relevant information accordingly. The BSA/AML Manual provides that “CDD processes should include periodic risk-based monitoring of the customer relationship to determine whether there are substantive changes to the original CDD information (e.g., change in employment or business operations).”

Record Retention. Under the final rule, financial institutions must maintain records for five years. Those records include all documents relied on for identification and verification of the beneficial owners, and any nondocumentary methods and results of measures undertaken for verification and the resolution of any substantive discrepancies discovered in verifying the identification information.

Effective Date.
The final rule becomes effective two years from the date that the final rule was issued, or May 11, 2018. Because FinCEN believes much of what is in the final rule reflects existing practice, financial institutions should be, in FinCEN’s view, very familiar with these rules as they apply to their existing risk-based BSA/AML compliance programs.

FinCEN Final Rule

Contacts

Peter G. Weinstock
firstname.lastname@example.org

Heather Archer Eastep
email@example.com

John J. Delionado
firstname.lastname@example.org

Shaswat (Shas) K. Das
email@example.com

Peter G. Weinstock, John J. Delionado, Heather Archer Eastep and Shaswat K. Das are attorneys in the Corporate and Litigation teams at Hunton & Williams LLP. This article presents their views and does not necessarily reflect those of Hunton & Williams or its clients. The information presented is for general information and education purposes. No legal advice is intended to be conveyed; readers should consult with legal counsel with respect to any legal advice they require related to the subject matter of the article. They may be reached at (214) 468-3395, (305) 536-2752, (703) 714-7471, or (202) 955-1520 or firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, or email@example.com, respectively.

© 2016 Hunton & Williams LLP. Attorney advertising materials. These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create an attorney-client or similar relationship. Please do not send us confidential information. Past successes cannot be an assurance of future success. Whether you need legal services and which lawyer you select are important decisions that should not be based solely upon these materials.