The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has issued final rules clarifying and strengthening customer due diligence (CDD) requirements for banks and other financial institutions. The rules add a fifth pillar to the anti-money laundering (AML) compliance model that is currently mandated under the Bank Secrecy Act (BSA).

Background and Implications

In May 2016, FinCEN issued final BSA rules establishing a baseline for identifying individuals with equity ownership or management control in financial institutions’ business customers. The rules further the interests of both government and financial institutions by improving banks’ ability to assess and mitigate financial crime and regulatory risk. The new rules apply to banks, brokers or dealers in securities, mutual funds, and futures commission merchants and introducing brokers in commodities. The rules are effective July 11, 2016, and covered institutions must comply by May 11, 2018.

Banks currently use widely divergent CDD practices to identify beneficial owners and controlling individuals in corporations, partnerships, and other legal entity customers, according to FinCEN. FinCEN notes that financial institutions are not currently required to know the identity of individuals who own or control legal entity customers, enabling criminals, kleptocrats, and other bad actors to hide proceeds or illegal activities and access the financial system anonymously.

The new rules will improve banks’ abilities to assist law enforcement with financial investigations, thereby advancing counterterrorism and other national security interests and facilitating tax compliance. FinCEN asserts that the rules will also enable financial institutions to perform transaction surveillance more efficiently by enhancing their ability to tailor surveillance parameters to customers’ business characteristics. Another important contribution will be the promotion of clear and consistent expectations and practices.

FinCEN claims that the costs of the final rules will not be unduly burdensome to financial institutions and will be justified by reduction in illicit activity. For the most part, industry best practices require banks and other financial institutions to maintain CDD requirements in excess of the minimum requirements of the new rules. By improving clarity and consistency throughout the industry, the new rules could promote a level playing field and facilitate bank management of financial crime and regulatory risk.

Reviewing Current CDD Practice

The purpose of CDD is to enable a bank to predict the types of transactions in which a customer is likely to engage, so that banks can determine when transactions may be suspicious, according to the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (2014). CDD begins with verification of a customer’s identity through a bank’s customer identification program (CIP) and assessment of risks associated with that customer. CDD should be ongoing and higher risk customers should undergo enhanced CDD processes.

The FFIEC’s 2014 manual states that a bank’s CDD policies should be commensurate with its BSA/AML risk profile and that a bank should ensure that it possesses sufficient customer information to implement an effective suspicious activity monitoring system. However, other than requiring CIP programs, the manual has not, to date, mandated specific minimum CDD requirements. Notably, there has been little guidance regarding identification of beneficial owners and controlling individuals of customers that use a corporate or other legal entity structure.

Tightening CDD

In addressing this gap, FinCEN has identified the key elements of CDD as:

  • Identifying and verifying the identity of customers (CIP);
  • Identifying and verifying the identity of beneficial owners of legal entity customers;
  • Understanding the nature and purpose of customer relationships; and
  • Conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious activity.

While existing CIP requirements adequately address the first element above, the final rules address the second element with the beneficial ownership requirement. Amendments to existing requirements for understanding customer relationships and for monitoring explicitly deal with the third and fourth elements, which are already implicitly addressed by current suspicious activity reporting requirements.

The final rules explicitly reference the BSA’s existing “pillars” of an adequate AML program. CDD would constitute a fifth pillar, FinCEN says, joining the other four (namely internal controls, independent testing, designated compliance manager/s, and personnel training).

Establishing Beneficial Ownership and Control

The beneficial ownership requirement constitutes the only entirely new obligation in the final rules. FinCEN seeks to incorporate the concept of ownership and effective control contained in the Financial Action Task Force (FATF) definition of “beneficial owner” as “the natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted,” as well as “those persons who exercise ultimate effective control over a legal person or arrangement.” It is worth emphasizing that beneficial owners are defined as natural persons rather than other legal entities.

In targeting beneficial ownership, the rules refer to two “prongs.” An “ownership prong” aims to identify individuals with substantial equity ownership interests, and a “control prong” aims to identify individuals with managerial control over the customer. Each prong is intended to provide an independent test. In total, however, the identification of no fewer than one individual and no more than five will be required. The same individual could be identified under the ownership prong and the control prong, if appropriate.

The ownership prong will require identification of each individual who directly or indirectly owns 25 percent or more of the equity interests of a legal entity customer. The term “equity interests” is to be interpreted broadly to encompass a wide variety of ownership interests including stock in a corporation and membership interest in a limited liability company or partnership.

The control prong requires the identification of one individual with significant responsibility to control, manage, or direct the legal entity customer, including an executive or senior manager (e.g., chief executive officer, chief financial officer, chief operating officer, managing member, general partner, president, vice president, or treasurer) or any other person who regularly performs similar functions. The customer has broad discretion to identify any individual who fits the definition.

The final rules define legal entity customers to include corporations, limited liability companies, partnerships, and similar business entities (whether or not officially registered in one of the 50 states). They will not include trusts, unless created through a filing with a secretary of state. Customers that are exempt from CIP (e.g., regulated financial institutions, publicly held companies traded on certain U.S. stock exchanges, and domestic government entities) will be exempt from the beneficial ownership requirements of the new rules. Other specified entities will also be exempt—generally customers whose beneficial ownership information is publicly available. Further, existing customers as of the implementation date of the regulation will not be subject to the beneficial ownership requirement.

How It Will Work

At the time an account is opened, financial institutions will be required to verify the identity of beneficial owners of legal entity customers consistent with existing CIP practice either by obtaining the required information on a standard certification form or by any other means that comply with the rules’ substantive requirements. Banks would need to record the beneficial owner’s name, date of birth, address, and government-issued identification number (a Social Security number for U.S. persons, or a passport number with country of issuance or similar identification number for non-U.S. persons). The forms, as well as descriptions of supporting documentation and verification, will have to be retained for five years after any account is closed.

FinCEN will not, however, require financial institutions to verify that the natural persons they have identified are in fact the beneficial owners of the legal entity customer. FinCEN expects financial institutions to be able to rely generally on customers’ representations, provided that they have no knowledge of facts that would reasonably call into question the reliability of the information.

Understanding and Monitoring Customer Relationships

In erecting a fifth “pillar” of core AML compliance, the new rules will amend existing AML program requirements to address the third and fourth CDD elements (above), explicitly linking a financial institution’s know your customer (KYC) program with current BSA-mandated monitoring and reporting of suspicious activity.

The third element will require banks and other financial institutions to understand the nature and purpose of customer relationships in order to develop a customer risk profile. FinCEN expects a bank to gain an understanding of its customer to assess the financial crime risk presented and to aid the bank in determining whether customer activity is “suspicious.” A customer risk profile refers to information gathered at account opening and may include self-evident information such as the type of customer or type of account and may include a system of risk ratings or categories of customers. Banks will not necessarily be required to obtain statements from customers regarding the nature and purpose of their relationships or to collect information not already collected pursuant to existing requirements.

The fourth element will explicitly require banks to conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious activity. This element is also intended to be consistent with a bank’s existing suspicious activity reporting requirements. FinCEN expects that when a financial institution becomes aware of information that affects the assessment of risk presented by a customer, it will update the customer’s profile accordingly. The updating requirement is event-driven, occurs as a result of normal monitoring, and is not a categorical requirement to update customer information, including beneficial ownership information, on a continuous or periodic basis.

Providing a Baseline

FinCEN emphasizes that the rules describe minimum due diligence expectations and are not intended to reduce regulators’ expectations nor do they aim to undermine financial institutions whose own internal risk assessments have resulted in stricter CDD practices.

In fact, many banks already conduct more stringent CDD—for example, requiring identification of individuals with 10 percent ownership interests for higher risk customers. Many require the identification of a customer’s board of directors or senior executives. Further many banks require updating of customers’ CDD information on a periodic basis, depending on the level of risk presented by the customer.

FinCEN has projected that it does not expect the rules to require significant new activities or other changes to bank operations. That said, changes to written procedures may be necessary.