Financial Crimes Enforcement Network (FinCEN) Proposes to Expand Financial Institution Customer Due Diligence Requirements
The proposal would require financial institutions to identify beneficial owners of legal entities and codify existing customer due diligence guidance.
In a continuing initiative to strengthen the customer due diligence (CDD) requirements imposed on regulated financial institutions under the Bank Secrecy Act (BSA), on July 30, the Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking (NPR). The primary purpose of the NPR is to propose new CDD obligations for all financial institutions that are required under the BSA to have in place anti-money laundering (AML) programs and customer identification programs (CIPs). These (covered) financial institutions include banks, broker-dealers, open-end investment companies (mutual funds), futures commission merchants (FCMs), and introducing brokers in commodities (IBs). The proposed rules, if adopted, would
require covered financial institutions, subject to certain exemptions, to identify and verify the natural person beneficial owners of legal entity customers; and
codify explicit CDD requirements for covered financial institutions to (i) understand the nature and purpose of customer relationships and (ii) conduct ongoing customer monitoring, both of which would become required elements of a core AML program.
As a secondary objective, FinCEN also is proposing to update its regulations to codify the four current core requirements of a required financial institution’s AML program, often referred to as “pillars,” and to add a fifth “pillar” that specifically addresses CDD.
Comments on the NPR are due on or before October 3, 2014.
The need for legal entity owner identification and verification under AML laws, for some time, has been a topic of discussion in the U.S. and international regulatory and law enforcement communities. Given the documented abuse of legal entities by criminal and terrorist individuals and organizations to engage in illegal or illicit activities, U.S. and international authorities have stated that the identification of persons who own legal entities that do business within the financial system is an important means of reducing the misuse of legal entities for criminal and other improper purposes.
To this end, FinCEN published an advance notice of proposed rulemaking (ANPR) in March 2012, which outlined a framework for clarifying, codifying, and strengthening existing CDD requirements. The ANPR addressed customer identification procedures for understanding the nature and purpose of accounts, ongoing monitoring, and obtaining beneficial ownership information. FinCEN subsequently held multiple public hearings on the issues raised in the ANPR during 2012, with an aim to better understand commentators’ views and concerns regarding such requirements and the burdens associated with them.
The current NPR is the product of this regulatory process as well as the result of consultations among FinCEN and other interested federal financial institutions regulatory agencies (the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, Securities and Exchange Commission [SEC], and Commodity Futures Trading Commission [CFTC]). FinCEN stated that the NPR, which has core objectives of clarifying and strengthening CDD under the BSA, would advance a number of important regulatory and law enforcement purposes and support the U.S. Department of the Treasury’s efforts to “enhance financial transparency and safeguard the financial system against illicit use.”
The NPR proposes rules that would require covered financial institutions generally to identify and verify the natural person beneficial owners of legal entity customers. It also would add CDD obligations to the mandatory components of financial institutions’ BSA AML programs. As stated by FinCEN, legally sufficient CDD consists of four elements: (i) identifying and verifying the identity of customers, (ii) identifying and verifying the identity of beneficial owners of legal entity customers, (iii) understanding the nature and purpose of customer relationships, and (iv) conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. The requirement to identify and verify the identity of customers already is addressed in current CIP rules. FinCEN now proposes to codify elements (ii), (iii), and (iv) in its CIP regulations. While the legal entity beneficial owner verification requirements would be new, FinCEN also makes it clear that the two other newly codified CDD elements (understanding customer relationships and ongoing monitoring) do not represent a substantive change in covered financial institutions’ CDD obligations, saying that these elements already are required by existing regulatory and supervisory requirements.
Beneficial Ownership Identification and Verification
Key Definitions and Exclusions
The proposed rules require covered financial institutions to identify the natural persons who are “beneficial owners” of “legal entity customers,” subject to certain exemptions. These definitions and exemptions are important to understand the scope and application of the new requirements.
Definition of “Beneficial Owner”: The proposed definition of a “beneficial owner” has two separate elements, an ownership test and a control test. Under the ownership test, a beneficial owner is any individual who, directly or indirectly, through any means, owns 25% or more of the equity interests of a legal entity customer. Under the control test, the definition covers a single individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager, or any other individual who regularly performs similar functions. In effect, these two tests limit the number of beneficial owners of a legal entity customer to five individuals. This is because, as discussed in the NPR, no more than four individuals can satisfy the 25% ownership test, and only one person who meets the entity control criterion must be identified by the financial institution. In the case of legal entity customers that are owned through intermediate corporate entities, the financial institution is expected to identify the natural persons at the top level of the corporate organization who beneficially own the legal entity.
Definition of “Legal Entity Customer”: The proposed general definition of a “legal entity customer” is very broad and extends to any U.S. or foreign corporation, limited liability company, partnership, or other similar business entity that opens a new account with a financial institution.
Significantly, however, there is an extensive list of business entities that are excluded from the definition. Excluded entities include those entities that are excluded from the definition of “customer” under the current CIP rules. In addition, the proposed exclusions include the following:
Issuers with securities registered under section 12, or subject to reporting under section 15(d), of the Securities Exchange Act of 1934 (Exchange Act)
Any majority-owned U.S. subsidiary of an entity whose securities are listed on a U.S. stock exchange
SEC-registered investment companies
SEC-registered investment advisers
Exchanges and clearing agencies registered under section 6 or section 17A of the Exchange Act, respectively
Any other entities registered with the SEC under the Exchange Act
CFTC-registered entities, including FCMs, IBs, commodity pool operators, commodity trading advisers, retail foreign exchange dealers, swap dealers, major swap participants, boards of trade, derivatives clearing organizations, swap execution facilities, and swap data repositories
Public accounting firms registered under section 102 of the Sarbanes–Oxley Act
Internal Revenue Code–qualified charities and nonprofit entities in good tax-exempt standing
Three important points about the “legal entity customer” definition warrant mention:
The definition does not generally include trusts, although statutory trusts (e.g., business trusts) may be covered by the new requirements.
The definition applies only to legal entity customers that open an account with a financial institution on or after the effective date of the new rules. In other words, the proposed rules would not be applied retroactively, and covered financial institutions would not be required to obtain beneficial ownership information from legal entity customers with accounts that preceded the new rules. If a current legal entity customer, however, opens a new account, for example in connection with acquiring a new product or service, the beneficial owner verification rules would apply.
Financial intermediaries that are not subject to a current CIP requirement and are acting on behalf of clients are treated as the “legal entity customer” of the financial institution. Thus, financial institutions that open accounts for intermediaries, such as securities and commodity clearing firms and correspondent banks, would treat only the intermediaries as their customers, and not the intermediaries’ direct clients.
Further, FinCEN is considering exempting unregistered, pooled investment vehicles from the definition and has asked for comment on this concept, although it has not formally proposed in the NPR to do so.
Substantive CDD Requirements
The proposed rules would require covered financial institutions to (i) identify the beneficial owners of a legal entity customer at the time of account opening and (ii) verify the beneficial owners’ identities within a reasonable time thereafter. These requirements are intended to parallel the customer identification and verification duties of covered financial institutions under the current CIP rules. Beneficial owner identification information, however, would be obtained on a new standard certification form that FinCEN proposes to create. The FinCEN form, once adopted, would enhance compliance uniformity and clarity for covered financial institutions. In general, the NPR contemplates that a person seeking to open the account would provide the completed form, which would include each beneficial owner’s name, address, date of birth, and Social Security (or passport) number.
Important points about these requirements include the following:
The verification requirement for beneficial owners would extend only to verifying the identity of a beneficial owner using existing risk-based CIP practices. It would not require a financial institution to verify the status of a beneficial owner as such (whether the individual is, in fact, a beneficial owner of the legal entity customer), thus addressing commenters’ concerns on the ANPR that status verification, in many cases, could be prohibitively costly and impractical.
FinCEN determined not to propose a requirement that financial institutions periodically update their beneficial owner information, but it noted that financial institutions should keep such information as current as possible, using a risk-based approach.
Consistent with the requirements of the current CIP rules, financial institutions would be allowed to rely on the beneficial owner verification and CDD activities of another financial institution if (i) such reliance is reasonable, (ii) the other financial institution is subject to an AML program rule and is regulated by a federal functional regulator, and (iii) the other financial institution enters into a contract and provides annual certifications regarding its AML program and CIP requirements.
Changes to AML Program Requirements
As discussed above, the NPR codifies the four existing core AML program elements (or four “pillars”) and adds a fifth element, namely, the requirement that a financial institution adopt risk-based procedures for conducting CDD. These procedures would expressly include, but not be limited to, understanding the nature and purpose of customer relationships and conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.
FinCEN states that it is proposing these changes to existing AML program requirements for covered financial institutions “to ensure alignment between existing AML requirements and CDD minimum standards.” In so doing, FinCEN intends to make it clear that “CDD is a core element of a financial institution’s policies and procedures to guard against money laundering.” In addition, because financial institutions’ AML programs must also comply with the regulations of their federal functional regulatory agencies (or, where applicable, the rules of self-regulatory organizations [SROs]) governing such programs, FinCEN believes that the incorporation of these CDD procedures into its regulations ensures that these requirements will be subject to examination and enforcement by the appropriate federal functional regulator or SRO in a manner consistent with current supervisory authorities and expectations.
The rules proposed in the NPR will certainly increase the CDD obligations of covered financial institutions by requiring them to obtain and verify beneficial ownership information for their legal entity clients. Financial institutions that open accounts for foreign legal entities will also face additional challenges in obtaining such information, particularly for legal entities domiciled in jurisdictions with secrecy laws. That being said, the proposed rules are not unexpected, having been proposed in concept in the ANPR, and do include some accommodations to address the concerns about burdens and practicality of implementation that were expressed during the ANPR phase of the regulatory process. It is significant that the new rules would require only the identification of natural person beneficial owners and the verification of that identity—not the status of the beneficial owners—although financial institutions nonetheless would need to be sensitive, consistent with their general risk-based CDD activities, to unusual or suspicious facts and circumstances that arise during the account opening and vetting process.
From a compliance management perspective, it is helpful that the new CDD requirements are incorporated into and aligned with the current CIP requirements. In practical terms, that means that a covered financial institution’s policies and procedures for compliance with CIP obligations, in most cases, should accommodate the new and expanded CDD obligations without too much difficulty. Also, the NPR’s proposal of a standardized CDD certification for obtaining beneficial ownership information has the benefit of taking the guesswork out of what information affected financial institutions are expected to obtain about their legal entity customers’ beneficial owners.
The proposed regulatory codification of CDD relationship knowledge and monitoring obligations into the core elements of an AML program may be more a matter of form than substance, when viewed against the backdrop of the current AML enforcement and compliance environment. All of the federal financial institution regulatory agencies that supervise covered financial institutions currently expect their regulated institutions to include these CDD procedures in their required AML programs. Under the current system, regulatory agencies will criticize—and bring enforcement actions against—financial institutions that do not include such procedures. Further, the inclusion of the additional CDD procedures in the required elements of the mandatory AML program does not change the risk-based approach that covered financial institutions are expected to use in developing and implementing these procedures, a point that the NPR makes in several places. In addition, the new regulatory requirements are also designed to align fully with existing regulatory and SRO requirements of the federal financial institutions regulatory agencies and the SROs under their oversight.
. The BSA is codified at 12 U.S.C. § 1829b; 12 U.S.C. §§ 1951–1959; 18 U.S.C. §§ 1956, 1957, 1960; and 31 U.S.C. §§ 5311–5314 and 5316–5332. The BSA’s implementing regulations are at 31 C.F.R. ch. X.
. FinCEN, Customer Due Diligence Requirements for Financial Institutions, Notice of Proposed Rulemaking, 79 Fed. Reg. 45,151 (proposed Aug. 4, 2014) (to be codified at 31 C.F.R. pts. 1010, 1020, 1023, 1024, 1026), available here. Although the Federal Register version of the NPR indicates that the proposal is dated July 23, 2014, the press release accompanying the announcement of the NPR states that it was issued on July 30.
. FinCEN, Customer Due Diligence Requirements for Financial Institutions, Advance Notice of Proposed Rulemaking, 77 Fed. Reg. 13,046 (Mar. 5, 2012).
. 77 Fed. Reg. at 45,152.
. These entities include but are not limited to (i) financial institutions that are regulated by a federal functional regulator (i.e., federally regulated banks, broker-dealers in securities, FCMs, and IBs) and state-regulated banks, (ii) federal and state government agencies and instrumentalities, and (iii) publicly held companies traded on certain U.S. stock exchanges.
. Although SEC-registered investment advisers are not subject to formal AML program or CIP requirements, through a no-action letter, the SEC staff permits broker-dealers to rely on SEC-registered advisers to perform some or all of a broker-dealer’s CIP obligations under certain circumstances and subject to certain conditions. See Securities Industry and Financial Markets Association, SEC No-Action Letter (January 11, 2013). It is unclear whether similar-type relief would be extended to broker-dealers if the NPR is adopted.
. These four elements are (i) the development of internal AML policies, procedures, and controls; (ii) the designation of an AML compliance officer; (iii) an ongoing employee AML training program; and (iv) an independent audit program to test AML functions.
. 79 Fed. Reg. at 45,165.