On May 11, 2016, the Financial Crimes Enforcement Network (FinCEN) published in the Federal Register a final rule (Final Rule) implementing significant changes to the customer due diligence regime within Bank Secrecy Act and anti-money laundering compliance. This rule, and in particular, its provisions on identifying the beneficial owners of legal entity customers, has been more than two years in the making. The Final Rule became effective on July 11, 2016, but compliance is not required until May 11, 2018. As we will see, the rules are not only significant in substance and scope, but will also require a substantial investment in time and money as covered financial institutions prepare to implement the new (fifth) pillar for an AML program.
Covered Financial Institutions
While FinCEN has authority over a significant range of participants in the U.S. financial system, only a subset of such participants are subject to the Final Rule. Those institutions covered by the Final Rule, defined as “covered financial institutions,” include federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants and introducing brokers in commodities.
FinCEN’s Role and Perspective on the Importance of Customer Due Diligence
FinCEN is the financial intelligence unit (FIU) of the United States. As the FIU, FinCEN is responsible for “receiving (and, sometimes, requesting), analyzing, and disseminating to the competent authorities disclosures of financial information” regarding suspected proceeds from crimes, potential terrorist financing and as may otherwise be required by law. Its “mission is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.”
FinCEN’s authority to issue regulations and guidance originates from the Currency and Foreign Transactions Reporting Act of 1970, as amended by the USA PATRIOT Act of 2001 (PATRIOT Act) and other legislation, a framework referred to as the “Bank Secrecy Act” (BSA). The BSA authorizes the Secretary of the Treasury (Secretary) to require financial institutions to keep records and file reports that “have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”
Specifically with regard to customer due diligence (CDD), FinCEN indicates in the Final Rule that it believes there are four core elements of CDD. Through the Final Rule, FinCEN is making the four core elements explicit requirements in the required anti-money laundering (AML) program for covered financial institutions. These four core elements are:
- customer identification and verification,
- beneficial ownership identification and verification,
- understanding the nature and purpose of customer relationships to develop a customer risk profile, and
- ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information.
FinCEN notes that the first of the core elements “is already an AML program requirement and the second will be required by this final rule. The third and fourth elements are already implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements.”
Beyond the AML program, FinCEN believes that this Final Rule and its robust CDD requirements significantly advance the purposes of the BSA by:
- “Enhancing the availability to law enforcement, as well as to the Federal functional regulators and self-regulatory organizations (SROs), of beneficial ownership information about legal entity customers obtained by U.S. financial institutions, which assists law enforcement financial investigations and a variety of regulatory examinations and investigations;
- Increasing the ability of financial institutions, law enforcement, and the intelligence community to identify the assets and accounts of terrorist organizations, corrupt actors, money launderers, drug kingpins, proliferators of weapons of mass destruction, and other national security threats, which strengthens compliance with sanctions programs designed to undercut financing and support for such persons;
- Helping financial institutions assess and mitigate risk, and comply with all existing legal requirements, including the BSA and related authorities;
- Facilitating reporting and investigations in support of tax compliance, and advancing commitments made to foreign counterparts in connection with the provisions commonly known as the Foreign Account Tax Compliance Act (FATCA);
- Promoting consistency in implementing and enforcing CDD regulatory expectations across and within financial sectors; and
- Advancing Treasury's broad strategy to enhance financial transparency of legal entities.”
Identifying and Verifying Beneficial Owners
As of May 11, 2018, covered financial institutions will be required to maintain written compliance procedures that are “reasonably designed to identify and verify the beneficial owners of legal entity customers,” except for those specifically excluded from the definition of “legal entity customer,” as outlined below. The new procedures must outline how the covered financial institution will identify and verify each beneficial owner at the time a new account is opened at the covered financial institution. One option for obtaining this information is to use a standard certification form, which FinCEN includes in the Final Rule as Appendix A. Otherwise, covered financial institutions must obtain the information “by any other means that comply with the substantive requirements of this obligation,” including the use of a proprietary form. However, what this likely means is that covered financial institutions will flock to the use of the standard certification form, at least initially, in order to demonstrate compliance and get comfortable with the practical side of obtaining this beneficial owner information.
With regard to the process of actually obtaining the information, covered financial institutions will be able to rely on the information that is provided by the individual opening the new account, provided the individual certifies, to the best of the individual's knowledge, the accuracy of the information. However, compliance will be found deficient where the covered financial institution relies on the information provided by an individual at account opening, but otherwise has knowledge that calls into question the reliability of such beneficial owner information. FinCEN acknowledges that in the vast majority of cases no other knowledge will exist that calls into question the reliability of the beneficial owner information provided, but where such knowledge does exist, something more will be needed to verify such information.
Generally, the procedures used for the identification and verification for beneficial owners will be substantially the same as those used for individual customers under the covered financial institution’s existing customer identification program (CIP), which is already otherwise required under AML program requirements. However, unlike the CIP rules, the beneficial owner rules permit reliance on copies of identification documents. In any event, the Final Rule also imposes record retention requirements for beneficial owner information.
Who is a Beneficial Owner?
FinCEN’s Final Rule creates a two-prong definition of a “beneficial owner.” One prong examines the ownership of the legal entity customer while the other prong identifies an individual with the responsibility to control the affairs of the legal entity customer. Each of these prongs must be considered for legal entity customers, which result in at least one individual identified as the beneficial owner. Covered financial institutions also have flexibility that has been built into the rule to identify beneficial owners based on the institution’s assessment of risk. The ownership and control prong are discussed in greater detail below.
Under the Final Rule’s ownership prong of the definition of a “beneficial owner,” any individual who owns, “directly or indirectly,” 25 percent or more of the equity interests of a legal entity customer is a beneficial owner and must be identified by the covered financial institution. The use of the phase “directly or indirectly” in the definition indicates that FinCEN is not interested in beneficial owners that are nominees or “straw men” and instead expect to obtain the ultimate beneficial owner of the legal entity customer. Given the 25 percent threshold, a covered financial institution could identify up to four individual beneficial owners of a legal entity customer. However, it may also be the case that no single individual owns more that 25 percent of the legal entity customer. In that case, no individual beneficial owner will be identified.
However, as is the case in financial institution regulation, the regulation itself sets out a “baseline regulatory benchmark.” Therefore, as the Final Rule indicates, covered financial institutions may review legal entity customers against a lower percentage threshold for beneficial ownership purposes, based on an institution’s own risk assessment. Indeed, as compliance efforts have gotten underway, it appears that some covered financial institutions intend to lower that percentage threshold to just 10 percent, a change FinCEN was not willing to make in the Final Rule.
Under the Final Rule’s control prong of the definition of a “beneficial owner,” an individual “with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager or any other individual who regularly performs similar functions” must be identified by the covered financial institution. Such individuals could be the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President or Treasurer, among other possibilities. Generally, “FinCEN’s expectation is that the control person identified must be a high-level official in the legal entity, who is responsible for how the organization is run, and who will have access to a range of information concerning the day-to-day operations of the company.”
Even where no individual is identified under the ownership prong, a single individual must be identified under the control prong as a beneficial owner. Therefore, FinCEN intentionally uses a broad definition of beneficial owner under the control prong in order to provide enough flexibility to covered financial institutions in identifying beneficial owners. Again here, it is clear that covered financial institutions have flexibility, based on their own assessment of risk, to determine individuals that control their legal entity customer.
Exemptions for Certain Accounts
Subject to specific limitations imposed in the Final Rule, covered financial institutions will not be required to obtain beneficial owner information for the following four types of accounts:
- Private label retail credit accounts established at the point-of-sale;
- Accounts established for the purchase and financing of postage;
- Commercial accounts established to finance insurance premiums; and
- Accounts to finance the purchase or lease of equipment.
These exemptions are limited in that they will not apply where either: the accounts are transaction accounts that the legal entity customer uses to make payments to, or receive payments from, third parties; or if there is a possibility of a cash refund for those accounts established to finance the purchase of postage, insurance premiums or equipment leasing.
Legal Entity Customer Definition
The Final Rule defines a “legal entity customer” as “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction, that opens an account.” Therefore, the definition broadly includes business entities that are created by a filing with a state office, including business trusts and limited partnerships. However, the definition does not include sole proprietorships, unincorporated associations or trusts that are not created by a filing with a state office.
Significantly, the Final Rule outlines a number of exclusions from the definition of “legal entity customer,” largely based on the availability of information from Federal or State agencies, including the following:
- financial institutions regulated by a federal functional regulator or a bank regulated by a State bank regulator;
- certain exempt persons for purposes of the currency transactions reporting obligations:
- a department or agency of the US, of any State, or of any political subdivision of a State;
- any entity established under the laws of the US, or any state, or of any political subdivision of any State, or under an interstate compact;
- any entity whose common stock or similar equity interests are listed on the NYSE, American Stock Exchange or NASDAQ;
- any entity organized under the laws of the US or of any State at least 51% of whose common stock or analogous equity interests are held by a listed entity;
- Issuers of securities registered under section 12 of the Securities Exchange Act of 1934 or that is required to file reports under section 15(d) of the Securities Exchange Act;
- An SEC-registered investment company;
- An SEC-registered investment adviser;
- A registered exchange or clearing agency;
- Any other SEC-registered entity;
- Certain CFTC-registered entities;
- Certain public accounting firms registered under the Sarbanes-Oxley Act;
- A bank holding company or savings and loan holding company;
- A pooled investment vehicle operated or advised by a financial institution excluded from the definition of legal entity customer;
- An insurance company regulated by a State; and
- A financial market utility designated under title VIII of the Dodd-Frank Act.
One exclusion that was proposed, but not included in the final list of excluded entities under the definition of legal entity customer are charities and nonprofit entities, which are generally established by a filing with a state office. Instead of including an exclusion for such entities, FinCEN includes them as a type of entity that is subject only to the control prong of the beneficial owner definition. Therefore, covered financial institutions will be required to obtain beneficial owner information from charities and nonprofit entities, as legal entity customers, but only with regard to the control prong.
Changes to the AML Program Requirements
With respect to anti-money laundering programs more generally, FinCEN amended AML program requirements to explicitly include risk-based procedures on customer due diligence. These new requirements form what is now the fifth pillar of an AML compliance program for covered financial institutions.
Under the AML program regulations, covered financial institutions are required to include: “[a]ppropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
- Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
- Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information [including information on the beneficial owners of legal entity customers].”
This new fifth pillar will be a critical tool for FinCEN requiring the ongoing customer due diligence and monitoring. Of course, that necessarily means that covered financial institutions have new and enhanced compliance obligations with respect to their customers, including the maintenance of customer risk profiles.
While many of the requirements discussed herein are already implicitly or explicitly required by existing AML program requirements, making all four elements of CDD explicit will achieve FinCEN’s goal of strengthen AML programs. The beneficial ownership rules will, however, require more than enhanced procedures to comply. The new obligations imposed on covered financial institutions to obtain and verify beneficial owner information for legal entity customers will require a significant effort leading up to the compliance date of May 11, 2018. As many institutions are quickly learning, that effort needs to begin now.
Changes and enhancements need to be made to compliance policies, processes, information technology practices and employee training, among other aspects of BSA/AML compliance. Once the changes are made, they need to be implemented to scale and tested across covered financial institutions. With a two year implementation period, FinCEN is certainly expecting complete and comprehensive compliance as of May 11, 2018.
 See 31 CFR 101.605(e)(1).
 See 81 Fed. Reg. 29399, footnote 6 (May 11, 2016), “The BSA is codified at 12 U.S.C. 1829b, 12 U.S.C. 1951-1959, 18 U.S.C. 1956, 1957, and 1960, and 31 U.S.C. 5311-5314 and 5316-5332 and notes thereto, with implementing regulations at 31 CFR chapter X. See 31 CFR 1010.100(e).”
 See 81 Fed. Reg. 29399, footnote 7 (May 11, 2016), “31 U.S.C. 5311.”
 See 81 Fed. Reg. 29399 (May 11, 2016).
 See FIN-2016-G003, “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions,” Financial Crimes Enforcement Network, Question 4, page 2 (July 19, 2016).
 See 81 Fed. Reg. 29398 (May 11, 2016).
 See 81 Fed. Reg. 29398 (May 11, 2016).
 Id. at 29407 (May 11, 2018).
 Id. at 29398. See also 31 CFR §1020.220, §1023.220, §1024.220 and §1026.220 for each respective covered financial institution.
 See 81 Fed. Reg. 29398, 29409 (May 11, 2016).
 See FIN-2016-G003, “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions,” Financial Crimes Enforcement Network, Question 9, page 3 (July 19, 2016).
 See FIN-2016-G003, “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions,” Financial Crimes Enforcement Network, Question 13, pages 4-5 (July 19, 2016).
 See 31 CFR 1010.230(h). See also 81 Fed. Reg. 29398, 29417 (May 11, 2016).
 See FIN-2016-G003, “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions,” Financial Crimes Enforcement Network, Question 17, pages 5-6 (July 19, 2016).
 31 CFR 1010.230(e). See also 81 Fed. Reg. 29398, 29412 (May 11, 2016).
 See 81 Fed. Reg. 29398, 29412 (May 11, 2016).
 31 CFR 1010.230(e)(2). See also 81 Fed. Reg. 29398, 29413 (May 11, 2016) and See FIN-2016-G003, “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions,” Financial Crimes Enforcement Network, Question 21, pages 7-8 (July 19, 2016).
 See 31 CFR 1020.210 (Banks); 31 CFR 1023.210 (Brokers or Dealers in Securities); 31 CFR 1024.210 (Mutual Funds); and 31 CFR 1026 (FCMs and IBs in commodities).