On May 11, 2016, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) published a final rule under the Bank Secrecy Act that enhances customer due diligence requirements for banks, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities. The final rule will become effective July 11, 2016, although financial institutions have a two-year grace period (until May 11, 2018) to comply with the new requirements.
The final rule requires these covered financial institutions to identify and verify the identity of the beneficial owners of all legal entity customers at the time a new account is opened. The final rule also amends the requirements for anti-money laundering programs to explicitly require covered financial institutions to adopt risk-based procedures for ongoing customer due diligence which include understanding the nature and purpose of customer relationships. While some financial institutions may already have implemented some or all of the new requirements, this final rule clarifies and codifies the customer due diligence standards and adds certain documentation requirements. It may incrementally increase compliance costs, although the rule has the benefit of clarifying FinCEN’s expectations.
These new requirements technically apply only to covered financial institutions, and not to other financial institutions subject to the Bank Secrecy Act (such as money services businesses). However those entities, as well as asset managers and other companies involved in large financial transfers, should consider implementing these changes as best practices. We summarize below the main provisions of the final rule and key takeaways for covered financial institutions.
Requirement to Identify Beneficial Owners
The main regulatory change is that FinCEN will require, subject to certain limited exemptions and exclusions, covered financial institutions1 to establish and maintain written procedures that are reasonably designed to identify and verify the identity of beneficial owners of any new legal entity customers beginning on May 11, 2018. While many financial institutions already collect this information as part of internal best practices, this rule formalizes this practice into a requirement and requires certification on behalf of the customer.
The information required for beneficial owners is similar to the information a financial institution must currently obtain from an individual customer. This information includes the name, date of birth, address, social security number (for U.S. persons), and passport number (for non-U.S. persons). The individual opening the account on behalf of the legal entity customer must certify to the best of the individual’s knowledge the accuracy of the information. The covered financial institution is provided a potential safe harbor permitting it to rely on the identification and certification provided by the customer as long as there is no knowledge of facts that would reasonably call into question the reliability of such information. The final rule attaches an example certification form as an appendix.
The financial institution must verify the identity of each beneficial owner identified according to risk-based procedures to the extent “reasonable and practicable.” The final rule states that the procedures must contain the elements required for verifying the identity of individual customers at a minimum. The elements of a verification program must include identifying the customer, verifying the customer’s identity (through documents or non-documentary methods), and establishing procedures for circumstances where the institution cannot form a reasonable belief that it knows the true identity of the individual.
“Beneficial owner” is defined to include:
- Each individual who, directly or indirectly, through any contract, arrangement, understanding, relationship, or other means, owns 25% or more of the equity interests of the customer; and
- Any individual with significant responsibility to control, manage, or direct the customer, including an executive, senior manager, or any other individual who performs similar functions.
The definition of “beneficial owner” also explicitly includes the trustee of any trust that owns 25% or more of the equity interests of the customer, directly or indirectly, through any contract, arrangement, understanding, relationship, or other means. The example certification makes clear that both the equity interest holders and managing individual must be identified, for a potential total of five people per certification.
FinCEN suggests that financial institutions conduct their own risk-based analyses of the types of photocopies or reproductions that they will accept of identification documents so that reliance remains reasonable. In addition, financial institutions may rely on the customer due diligence conducted by another covered financial institution under the same circumstances permitted under current regulations.
Anti-Money Laundering Program Amendments
The requirements for AML programs for covered financial institutions have also been amended to add a requirement to implement appropriate risk-based procedures for conducting ongoing customer due diligence. This requirement must include, but is not limited to, procedures to 1) understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile and 2) conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintain and update customer information (including beneficial ownership information).
FinCEN’s position is that this addition to the AML program requirements simply clarifies and codifies existing requirements under the Bank Secrecy Act, and that it should not create any new obligations. For example, the description of the final rule indicates that current industry practice for suspicious activity report (SAR) reporting should satisfy the requirement to understand the nature and purpose of customer relationships for developing a customer risk profile. FinCEN has clarified in the final rule that the term “customer risk profile” refers to the information gathered about a customer to develop the baseline against which customer activity is assessed for suspicious transaction reporting, and that it does not expect any significant changes to current practices relating to this requirement. Similarly, the requirement for banks to maintain internal controls to “provide sufficient controls and monitoring systems for timely detection and reporting of suspicious activity” as per the FFIEC Manual, is sufficient to satisfy the requirement to conduct ongoing monitoring and maintain and update customer information.
The AML amendments are notable in that they partially extend the beneficial ownership requirement described above to existing customers in some instances, rather than only new customers who open accounts on or after the applicability date. While the new beneficial ownership rules only apply to new customers, AML program amendments impose an ongoing requirement. As a result, if a financial institution learns as a result of its normal AML monitoring program that the beneficial owner of an existing legal entity customer has changed, these amendments would require the financial institution to collect beneficial ownership information.
FinCEN has further expanded the due diligence obligations of covered financial institutions in its final rule. While the rule does not apply to registered investment advisors (which FinCEN recently proposed to subject to formal AML requirements, as we reported previously), it is likely that FinCEN will extend the current rule to registered investment advisors once it finalizes its rule to include them under the Bank Secrecy Act. Also, while many asset managers are not technically subject to the Bank Secrecy Act’s AML requirements, they should consider amending their AML compliance policies and procedures in light of this final rule. Not only should these new requirements be considered best practices for AML compliance, they also indicate the level of diligence that regulators (and potentially prosecutors) might expect all U.S. companies to conduct in order to reasonably mitigate the risk of facilitating money laundering.
Due to the significance of these regulatory changes, covered financial institutions are not required to comply until May 11, 2018. The final rule imposes requirements only prospectively, and does not require financial institutions to obtain beneficial owner information from current or former customers. Instead, FinCEN advises that financial institutions should obtain beneficial ownership information from existing customers only when the financial institution detects information relevant to assessing or reevaluating the risk of a customer in the course of normal monitoring.
Going forward, this final rule may also have implications for financial institutions relating to economic sanctions compliance. On August 13, 2014, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued guidance stating that an entity owned 50 percent or more in the aggregate, directly or indirectly, by one or more blocked persons is considered to be a blocked person by OFAC. Now that financial institutions will be required by FinCEN to keep beneficial ownership information for their legal entity customers, financial institutions will be unable to argue a lack of knowledge in the case of an OFAC enforcement action related to transactions with parties owned by blocked persons.