FinCEN’s Customer Due Diligence Final Rule

Highlights of the long-awaited requirements

BETTY SANTANGELO AND MELISSA G.R. GOLDSTEIN, SCHULTE ROTH & ZABEL LLP
Originally published in the June 2016 issue

On May 11, 2016, the US Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) published its long-awaited Final Rule regarding the customer due diligence (“CDD”) requirements under the Bank Secrecy Act for banks, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities (collectively, “covered financial institutions”).1 The Final Rule requires these covered financial institutions to identify and verify the natural persons behind legal entity customers (beneficial owners), subject to certain exemptions. The new CDD requirements present significant compliance challenges for covered financial institutions. Accordingly, compliance with the Final Rule is not mandatory until May 11, 2018 (the “Applicability Date”), approximately two years after its effective date of July 11, 2016.

The Final Rule takes into account many, but not all, of the comments received in response to the Proposed Rule.2 At a high level, the Final Rule requires:

• Consistent with the Proposed Rule, covered financial institutions must conduct CDD on certain legal entity customers that open new accounts going forward from the Applicability Date.
o FinCEN considers CDD as consisting of the following four elements: (1) identifying and verifying the identity of customers; (2) identifying and verifying the identity of beneficial owners of legal entity customers; (3) understanding the nature and purpose of customer relationships; and (4) conducting ongoing monitoring for reporting suspicious transactions, and, on a risk-basis, maintaining and updating customer information. Under FinCEN’s existing rules, the first element of CDD is already satisfied by the existing customer identification program (“CIP”) requirements of covered financial institutions, and the third and fourth elements are described by FinCEN as “already implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements.” According to the Final Rule, the only new requirement is the obligation to take explicit steps to identify and verify the identity of the natural persons who are the beneficial owners of legal entity customers.
o The definition of beneficial owner remains unchanged and includes both an individual who owns more than 25% of the equity interests in a company and a single individual who exercises control.

• Covered financial institutions must collect information on beneficial owners of legal entity customers when an account is opened, either using the model form included with the Final Rule or taking other steps to collect the same information, provided the individual providing the information makes a representation that, to the best of his or her knowledge, the information provided is complete and correct. Covered financial institutions can rely on the information provided by the customer (provided that they have no knowledge of facts that would reasonably call into question the reliability of the information).

• Covered financial institutions must use CIP procedures to verify the identity of beneficial owners of legal entity customers, although the procedures for CDD need not be exactly the procedures for CIP. Moreover, unlike the CIP rule, the covered financial institutions can rely on copies of documents. As with the CIP rule, covered financial institutions may rely on the performance by another financial institution (including an affiliate) of the beneficial ownership requirements of the Final Rule, as long as the same criteria are met.

• Covered financial institutions are not required to update beneficial ownership information on a periodic or ongoing basis, but only on an event-driven basis, when in the course of their normal monitoring they detect information about the customer that may be relevant to assessing the risk of the customer.

• FinCEN clarified the definition of “legal entity customer” to mean “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction, that opens an account.” This definition would not include sole proprietorships, unincorporated associations or trusts (other than statutory trusts created by a filing with a Secretary of State or similar office).

• The Final Rule adopts all of the exclusions from the definition of “legal entity customer” that were listed in the Proposed Rule,3 and adds several others:
o A bank holding company, as defined in section 2 of the Bank Holding Company Act of 1956 (12 U.S.C. § 1841), or savings and loan holding company, as defined in section 10(n) of the Home Owners Loan Act (12 U.S.C. § 1467a(n)).
o A pooled investment vehicle that is operated or advised by a financial institution excluded under this paragraph.
o An insurance company that is regulated by a state.
o A financial market utility designated by the Financial Stability Oversight Council under Title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.
o A foreign financial institution established in a jurisdiction where the regulator of such institution maintains beneficial ownership information regarding such institutions.
o A non-US governmental department, agency or political subdivision that engages only in governmental rather than commercial activities.
o Any legal entity only to the extent that it opens a private banking account for non-US persons that are subject to FinCEN’s private banking account rule (31 C.F.R. § 1010.620).
o Non-excluded pooled investment vehicles, such as non-US managed mutual funds, hedge funds and private equity funds: Covered financial institutions would be required to collect beneficial ownership information under the control prong only (e.g., an individual with significant responsibility to control, manage or direct the operator, adviser, or general partner of the vehicle).
o Charities and nonprofit entities: covered financial institutions would be required to collect beneficial ownership information under the control prong only.

• Covered financial institutions are exempt from the beneficial ownership requirement with respect to certain new accounts solely used to finance the purchase of postage, insurance premiums or leasing of equipment, and certain private label credit card accounts.

• Covered financial institutions must maintain records of any identifying information obtained regarding the beneficial ownership, including the certification (if obtained), for five years after the date the account is closed. Covered financial institutions must also maintain records of a description of any document relied on, of any non-documentary methods and the results of any measures undertaken, and of the resolution of each substantive discrepancy, for five years after the record is made.

• In addition, the Final Rule adopts a new “fifth pillar” of the AML program, which requires appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to: “(i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”
o The term “customer risk profile” is used to refer to the information gathered about a customer to develop the baseline against which customer activity is assessed for suspicious transaction reporting, and may include information such as the type of customer or type of account, service or product, and may, but need not, include a system of risk ratings or categories of customers.
o Financial institutions are required to conduct ongoing monitoring to identify and report suspicious transactions and conduct a monitoring-triggered update of customer information. When a financial institution detects information about the customer in the course of its monitoring that is relevant to assessing risk, including a change in beneficial ownership information, it must update the customer information, including the beneficial ownership information.
o FinCEN views the fifth pillar as an explicit codification of existing expectations. Apparently, covered financial institutions do not have until the Applicability Date to implement the requirements set forth in the fifth pillar. According to the preamble to the Final Rule, “current industry practice to comply with existing expectations for SAR reporting should already satisfy this proposed requirement.”4

As a companion to the Final Rule, the Treasury Department also sent a letter to Congress encouraging the adoption of legislation that would require US companies to compile beneficial ownership information at the time of their creation, disclose beneficial ownership information to the states at the time the company is created, and file such information with the Treasury Department for use by law enforcement.5

Footnotes

1. See Final Rule, Customer Due Diligence Requirements for Financial Institutions, 81 Fed. Reg. 29398 (May 11, 2016), available at https://www.gpo.gov/fdsys/pkg/FR-2016-05-11/pdf/2016-10567.pdf (“Final Rule”).
2. See Notice of Proposed Rulemaking, Customer Due Diligence Requirements for Financial Institutions, 79 Fed. Reg. 45151 (Aug. 4, 2015), available at https://www.fincen.gov/statutes_regs/files/CDD-NPRM-Final.pdf (“Proposed Rule”).
3. The Proposed Rule and Final Rule exclude the following entities from the definition of “legal entity customer”: “(i) A financial institution regulated by a Federal functional regulator or a bank regulated by a State bank regulator; (ii) A person described in § 1020.315(b)(2) through (5) of this chapter; (iii) An issuer of a class of securities registered under section 12 of the Securities Exchange Act of 1934 or that is required to file reports under section 15(d) of that Act; (iv) An investment company, as defined in section 3 of the Investment Company Act of 1940, that is registered with the Securities and Exchange Commission under that Act; (v) An investment adviser, as defined in section 202(a)(11) of the Investment Advisers Act of 1940, that is registered with the Securities and Exchange Commission under that Act; (vi) An exchange or clearing agency, as defined in section 3 of the Securities Exchange Act of 1934, that is registered under section 6 or 17A of the Securities Exchange Act of that Act; (vii) Any other entity registered with the Securities and Exchange Commission under the Securities Exchange Act of 1934; (viii) A registered entity, commodity pool operator, commodity trading advisor, retail foreign exchange dealer, swap dealer, or major swap participant, each as defined in section 1a of the Commodity Exchange Act, that is registered with the Commodity Futures Trading Commission; (ix) A public accounting firm registered under section 102 of the Sarbanes-Oxley Act.” Proposed Rule, 79 Fed. Reg. at 45170-4517. See also Final Rule, 81 Fed. Reg. at 29452.
4. Final Rule, 81 Fed. Reg. at 29420.
5. See Letter to The Speaker of US House of Representatives, Honorable Paul D. Ryan, from Secretary of the Treasury, Jacob J. Lew (May 5, 2016), available at https://www.treasury.gov/press-center/press-releases/Documents/Lew%20to%20Ryan%20on%20CDD.PDF. See also Press Release, Treasury Announces Key Regulations and Legislation to Counter Money Laundering and Corruption, Combat Tax Evasion (May 5, 2016), available at https://www.treasury.gov/press-center/press-releases/Pages/jl0451.aspx.