Six years after the Financial Crimes Enforcement Network (FinCEN) originally proposed its Customer Due Diligence (CDD) Rule, the deadline for financial institutions to comply draws near. Banks, broker-dealers, mutual funds and futures commission merchants and introducing brokers in commodities (“covered financial institutions”)[1] will have to start complying with the CDD Rule by May 11, 2018.[2] To comply with the primary change under the CDD Rule, covered financial institutions will now have to identify and verify the identity of beneficial owners of “legal entity customers” such as corporations, limited liability corporations, limited partnerships and general partnerships.[3]

Background: FinCEN initially proposed the CDD Rule in 2012,[4] arguing that requiring financial institutions to identify beneficial owners of accounts would help protect the U.S. financial system from criminal abuse and guard against terrorist financing, money laundering and other financial crimes. The proposal sparked significant response from the industry, with FinCEN receiving a total of 231 comments, many raising concerns about the costs and challenges of obtaining and verifying beneficial ownership information, and of implementing necessary system changes and training within FinCEN’s initially proposed one-year deadline. In response, FinCEN modified its original proposal somewhat. For instance, while FinCEN had proposed requiring firms to use a standard certification form to obtain beneficial ownership information, the revised rule permits, but does not require, use of the standard form. FinCEN also extended the original one-year compliance deadline to two years. FinCEN issued the revised rule as final in May 2016.[5]

Identification of Beneficial Owners: The CDD Rule requires firms to identify beneficial owner(s) of each legal entity customer at the time a new account is opened (unless the customer or account is covered by certain enumerated exclusions or exemptions), with beneficial ownership determined by ownership or control. Specifically, firms must identify (i) every individual (if any) who directly or indirectly owns 25 percent or more of the equity interests of a legal entity customer (i.e., from zero to four people) (“the ownership prong”); and (ii) at least one individual with “significant responsibility to control, manage or direct” the legal entity customer, such as an executive officer, senior manager or other individual who regularly performs similar functions (“the control prong”). Thus, firms must identify at least one, and perhaps up to five, individuals under the new rule. A firm is permitted to identify additional individuals “if it deems appropriate on the basis of risk.” In particular, firms may choose – as some do now – to identify beneficial owners with equity ownership at a certain threshold below 25 percent.

Verification of Beneficial Owners: The CDD Rule requires firms to have “risk-based” procedures to verify the identity of beneficial owners “to the extent reasonable and practicable.” These verification procedures must contain the same elements required for verifying the identity of customers who are individuals under applicable Customer Identification Program (CIP) requirements.[6] Firms may rely on the beneficial owner information as supplied by the customer, provided that the firm knows no facts that would reasonably call that information into question.

AML Procedures: In addition to the requirement to identify and verify beneficial owners, the CDD Rule adds two items to the list of required components of firms’ anti-money laundering programs. First, firms’ AML programs will have to include procedures for understanding the nature and purpose of the customer relationship for the purpose of developing a “customer risk profile.” A customer risk profile is information about the customer that informs a baseline against which the customer’s subsequent activity can be seen as aberrant for purposes of suspicious activity reporting. Second, firms’ AML programs will have to include procedures for ongoing monitoring to identify and report suspicious transactions. The program must include procedures to update customer information when the firm detects information about a customer that is relevant in assessing the risk posed by the customer. For example, if the firm learns of a change in a customer’s beneficial ownership, or if a customer exhibits a significant and unexplained change in activity (such as executing cross-border wire transfers for no apparent reason), the firm should update the customer information.

In adopting the CDD Rule, FinCEN described these two new AML program requirements as establishing customer due diligence as a “fifth pillar” of AML programs, supplementing the familiar statutory “four pillars” already enumerated in the Bank Secrecy Act[7]: (i) AML internal policies, procedures and controls; (ii) designation of an AML compliance officer; (iii) ongoing employee training; and (iv) independent testing. FinCEN also stated that it views the two new requirements as “nothing more than an explicit codification of existing expectations.”

Regulatory Focus: Firms should expect that CDD Rule compliance will be high on the agenda for regulatory examinations. FINRA,[8] for example, has long prioritized AML compliance, and it appeared again as one of the highlighted issues in FINRA’s priorities letter for 2018.[9] Similarly, AML compliance was one of the areas of focus in FINRA’s December 2017 report on exam findings,[10] where FINRA listed some of the more common AML program deficiencies it had found in recent exams, including:

  • programs that were not updated or adequately tailored to a firm’s current risks;
  • firms that delegated AML tasks to non-AML staff without adequate guidance or training;
  • firms that excluded certain accounts deemed low-risk from AML monitoring but failed to document or revisit the rationale for such exclusions; and
  • firms that experienced growth but did not increase resources for AML monitoring commensurately.

Significant AML program deficiencies can result in enforcement actions. In December, FINRA imposed a $13 million fine in a settlement with Merrill Lynch based entirely on deficiencies in its AML program, including its failure to review suspicious activity that was detected by the firm’s automated monitoring system.[11] And in just the past few months, FINRA has announced several disciplinary actions against smaller firms based in whole or in part on AML violations.[12]

Firms should expect that regulators across the financial industry will scrutinize compliance with the CDD Rule as part of their AML examinations. Firms will need to ensure that their procedures, systems and training are compliant in time for the coming May 11 deadline.