Friday, June 17 2016 8.59AM / by Sidley Austin LLP
On May 11 2016 the Financial Crimes Enforcement Network (FinCEN) published a final rule that formalises new and existing customer due diligence (CDD) requirements for banks (including branches and agencies of foreign banks in the United States), broker-dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities.
By providing a clear CDD framework for these covered financial institutions, FinCEN intends to promote a more level playing field across and within financial sectors and minimise some of the disparities in CDD practices among financial institutions. The final rule describes four core elements of CDD that are required in the anti-money laundering programmes of covered financial institutions:
The first element is already covered under existing customer identification programme rules, but the second element is a new requirement. According to FinCEN, the third and fourth elements are already implicit in the suspicious activity reporting requirements, but have been explicitly added as the 'fifth pillar' of an effective anti-money laundering programme. Covered financial institutions must comply with the final rule by May 11 2018.
FinCEN explains in the final rule that clarifying and strengthening the CDD regime serves various purposes, such as:
Additionally, the final rule is one component of the US Treasury Department's broader three-part strategy to enhance the financial transparency of legal entities. Other components of this strategy include:
The final rule follows a March 2012 advanced notice of proposed rulemaking and an August 2014 notice of proposed rulemaking, both of which elicited numerous comments. After publication of the 2012 notice, FinCEN received 90 comments and held five public hearings around the country. The feedback and discussions were critical in developing the 2014 notice.
The four core CDD elements from the 2012 notice remained the same; however, FinCEN took a different approach to some of the core elements, especially with respect to clarifying the beneficial ownership test. FinCEN received 141 comments on the 2014 notice, some of which have been incorporated into the final rule. Key changes to the 2014 notice that appear in the final rule include:
The final rule also reflects FinCEN's consultation with various federal functional regulators and the Department of Justice. FinCEN notes that nothing in the final rule is intended to lower, reduce or limit the due diligence expectations of the federal functional regulators or in any way limit their existing regulatory discretion, which may undercut FinCEN's goal of consistency on this issue. The final rule is intended to be consistent with, not to supersede, the regulations, guidance or authority of any federal functional regulator or self-regulatory organisation relating to customer identification (including verification of the identities of legal entity customers).
Due to the potentially significant effect on the economy, FinCEN conducted outreach to various financial institutions on the anticipated costs of implementing the proposed CDD requirements. In response, the Treasury Department prepared a preliminary regulatory impact assessment on the costs and benefits of the proposed rule, making this assessment available for comment in December 2015.(1) A summary of the comments and the final assessment are included in the preamble to the final rule.
Beneficial owner requirements for legal entity customers
On the rule entering into effect, the covered financial institutions must implement written procedures that are reasonably designed to identify and verify the identities of beneficial owners of legal entity customers at the time a new account is opened, subject to certain exceptions.
Covered financial institutions
Covered financial institutions include financial institutions that are subject to customer identification programme requirements, such as:
Some financial institutions (eg, money services businesses) are not yet covered, but FinCEN has indicated that it may extend the CDD requirements to other types of financial institution in the future.
The final rule's definition of 'beneficial owner' consists of two prongs:
In some cases, the same individual may satisfy both the ownership prong and the control prong. Alternatively, a covered financial institution may voluntarily choose to identify additional individuals or use a lower threshold than 25% if it deems this appropriate on the basis of risk.
There may be instances where 25% or more of the equity interests of a legal entity customer are not owned by any individual, but are owned by an entity excluded from the definition of a 'legal entity customer'. Covered financial institutions are not required to identify an individual under the ownership prong in such cases. If 25% or more of the customer's equity interests are owned by a trust (other than a statutory trust), the trustee should be treated as the beneficial owner under the ownership prong.
Legal entity customer
The final rule defines a 'legal entity customer' as a corporation, limited liability company or other entity that is created by the filing of a public document with a secretary of state or similar office, a general partnership or any similar entity formed under the laws of a foreign jurisdiction that opens an account. This definition includes limited partnerships and business trusts that are created by a filing with a state office. Legal entity customers do not include sole proprietorships, unincorporated associations, trusts (other than statutory trusts that are created through a state filing)(4) or natural persons opening accounts on their own behalf.
The final rule provides a specific list of entities that are excluded from the definition of a 'legal entity customer', since beneficial ownership information for these entities is generally available from other credible sources. These includes:
Control prong only
The following legal entity customers are subject only to the control prong of the beneficial ownership requirement, either because ownership interests tend to fluctuate or because they do not exist:
Intermediated account relationships
To the extent that existing customer identification programme guidance provides that a covered financial institution can treat an intermediary (and not the intermediary's customers) as its customer, the covered financial institution should treat the intermediary as its legal entity customer for the purposes of the final rule. For example, banks generally may treat deposit brokers as their customers in a brokered deposit relationship, rather than each individual investor with a sub-account in a brokered deposit.
The beneficial ownership requirements apply to new accounts. A 'new account' is defined as an account (as defined in the customer identification programme rules) opened at a covered financial institution by a legal entity customer after the applicability date of the final rule. Covered financial institutions are not expected to apply the requirements retroactively to customers with existing accounts on that date. However, unlike the customer identification programme rules, which exempt existing customers that open new accounts, the beneficial ownership rules apply to existing customers that open a new account on or after the applicability date.
The following accounts opened for legal entity customers are exempt from the beneficial ownership requirements, since they present a low risk of money laundering:
Limitations on exemptions
The second, third and fourth exemptions listed above do not apply to transaction accounts through which a legal entity customer can make payments to, or receive payments from, third parties. If there is the possibility of a cash refund on the account activity under these three exemptions, then beneficial ownership of the legal entity customer must be identified and verified by the financial institution, either at the time of initial remittance or when such refund occurs.
Identification and verification requirements
A covered financial institution's procedures should enable it to:
Covered financial institutions may rely on the beneficial ownership information supplied by their customers without independently verifying that the information is accurate, provided that the financial institution has no knowledge that would reasonably call into question the reliability of such information.
Use of beneficial ownership information
Beneficial ownership information should be used in a similar manner as information that is collected through customer identification programmes, including for compliance with Office of Foreign Assets Control regulations and currency transaction reporting aggregation requirements. For example, covered financial institutions should use beneficial ownership information to ensure that they do not establish accounts or engage in prohibited transactions involving persons appearing on the Specially Designated Nationals and Blocked Persons (SDNs) List or any entity that is 50% or more owned, in the aggregate, by one or more SDNs.
Covered financial institutions may also need to aggregate multiple currency transactions for currency transaction reporting where legal entity customers under common ownership are not being operated independently from each other or their primary owner (eg, where such entities share common employees and are frequently used to pay each other's expenses or the personal expenses of their primary owner). Covered financial institutions should also develop risk-based procedures to determine whether or when additional screening of beneficial owner names for negative media would be appropriate.
Covered financial institutions must maintain records of all beneficial ownership information obtained for legal entity customers, including:
Identification records must be retained for five years following the account's closure and verification records must be retained for five years after the record is made.
Reliance on another financial institution
Covered financial institutions may rely on another financial institution, including an affiliate, to perform the beneficial ownership requirements with respect to any legal entity customer that has opened an account or established a relationship with the other financial institution. Such reliance is permitted under the same conditions set forth in applicable customer identification programme rules:
Anti-money laundering programme requirement amendments
The final rule revises FinCEN's existing anti-money laundering programme requirements for covered financial institutions(8) by expressly incorporating the traditional four pillars:
The final rule further includes a fifth pillar to explicitly cover the third and fourth elements of CDD, requiring appropriate risk-based procedures for conducting ongoing CDD. This includes, but is not limited to:
FinCEN views the fifth pillar as a codification of pre-existing CDD expectations that should already be incorporated in a covered financial institution's controls.
Nature and purpose of customer relationships
The third element of CDD requires covered financial institutions to understand the nature and purpose of customer relationships in order to develop a customer risk profile.
FinCEN takes the position that in order for covered financial institutions to comply with existing requirements to identify and report suspicious activity, they must understand the nature and purpose of the customer relationship, including the types of transaction in which the customer would normally be expected to engage. In some circumstances, a covered financial institution may understand the nature and purpose of a customer relationship from information such as the type of customer, the type of account, the service or product used or other basic information such as the customer's annual income, net worth, domicile, principal occupation or business and history of activity. A 'customer risk profile' is the information gathered about a customer to develop the baseline against which customer activity is assessed for suspicious transaction reporting. The customer risk profile may include a system of risk ratings or categories of customer.
Covered financial institutions may integrate the customer risk profile into their transaction monitoring systems or use such information to determine whether a flagged transaction is suspicious. FinCEN understands that many institutions use such information to investigate suspicious activity triggered by transaction monitoring (ie, after and not necessarily concurrent with transaction monitoring).
The fourth element of CDD requires covered financial institutions to conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. As with the third element, FinCEN believes that current industry practice to comply with existing expectations for suspicious activity reporting should already satisfy this requirement.
The obligation to update customer information (including beneficial ownership information) is generally triggered only when, during the course of its normal monitoring, a covered financial institution becomes aware of information relevant to assessing or re-evaluating the risk posed by the customer. Such information could include, for example, a significant and unexplained change in customer activity or possible change in the customer's beneficial ownership.
The final rule makes clear that the updating requirement is event driven and that covered financial institutions are not expected to update customer information on an ongoing or regular basis. The updating of customer information applies to both customers with new accounts and customers with existing accounts on the applicability date.
The long-awaited final rule may still present some operational challenges as well as heightening the expectations of regulators with respect to CDD practices within institutions. Financial institutions that are covered by the final rule should review their existing anti-money laundering and CDD policies, procedures and systems to identify any gaps and determine what modifications and enhancements will be necessary to comply with the final rule.
For further information on this topic please contact Connie M Friesen at Sidley Austin's New York office by email (email@example.com). Alternatively, contact Joel D Feinberg or David E Teitelbaum at Sidley Austin's Washington DC office by email (firstname.lastname@example.org or email@example.com).
(1) 80 Fed Reg 80308 (December 24 2015). (2) 'Equity interests' is not defined but, according to the final rule, it should be interpreted broadly to apply to a variety of legal structures and ownership situations. (3) The 25% threshold is consistent with that of many foreign jurisdictions, including EU member states, and with the Financial Action Task Force standard. Covered financial institutions are not required to affirmatively investigate whether equity holders are attempting to evade the 25% reporting threshold, but if staff know about or have reason to suspect such behaviour, they may need to file a suspicious activity report. (4) According to FinCEN, a 'trust' is a contractual arrangement between the person who provides the funds or other assets and specifies the terms (ie, the grantor or settlor) and the person with control over the assets (ie, the trustee), for the benefit of those named in the trust deed (ie, the beneficiaries). FinCEN notes that identifying a beneficial owner from among these parties based on this definition would not be possible. However, this does not supersede existing obligations regarding trusts generally. Under customer identification programme rules, while financial institutions are not required to look through a trust to its beneficiaries, they may need to take additional steps to verify the identity of the customer (ie, by obtaining information about persons with control over the account). Financial institutions generally identify and verify the identity of trustees because they will necessarily be signatories on trust accounts. In certain circumstances involving revocable trusts, a bank may need to gather information about the settlor, grantor, trustee or other persons with the authority to direct the trustee or that have control over the account. (5) Currently named the NYSE MKT. (6) The reference to accounts being opened at the point of sale is not essential to the logic of the exemption, but it may create compliance questions for private label card issuers. (7) For example, a financial institution could decide that it will not accept reproductions below a certain optical resolution or reproductions transmitted via fax, or that it will accept only digital reproductions transmitted in certain file formats.
(1) 80 Fed Reg 80308 (December 24 2015).
(2) 'Equity interests' is not defined but, according to the final rule, it should be interpreted broadly to apply to a variety of legal structures and ownership situations.
(3) The 25% threshold is consistent with that of many foreign jurisdictions, including EU member states, and with the Financial Action Task Force standard. Covered financial institutions are not required to affirmatively investigate whether equity holders are attempting to evade the 25% reporting threshold, but if staff know about or have reason to suspect such behaviour, they may need to file a suspicious activity report.
(4) According to FinCEN, a 'trust' is a contractual arrangement between the person who provides the funds or other assets and specifies the terms (ie, the grantor or settlor) and the person with control over the assets (ie, the trustee), for the benefit of those named in the trust deed (ie, the beneficiaries). FinCEN notes that identifying a beneficial owner from among these parties based on this definition would not be possible. However, this does not supersede existing obligations regarding trusts generally. Under customer identification programme rules, while financial institutions are not required to look through a trust to its beneficiaries, they may need to take additional steps to verify the identity of the customer (ie, by obtaining information about persons with control over the account). Financial institutions generally identify and verify the identity of trustees because they will necessarily be signatories on trust accounts. In certain circumstances involving revocable trusts, a bank may need to gather information about the settlor, grantor, trustee or other persons with the authority to direct the trustee or that have control over the account.
(5) Currently named the NYSE MKT.
(6) The reference to accounts being opened at the point of sale is not essential to the logic of the exemption, but it may create compliance questions for private label card issuers.
(7) For example, a financial institution could decide that it will not accept reproductions below a certain optical resolution or reproductions transmitted via fax, or that it will accept only digital reproductions transmitted in certain file formats.
(8) The anti-money laundering programme requirements are found in 31 CFR §1020.210 (banks), 31 CFR §1023.210 (broker-dealers), 31 CFR §1024.210 (mutual funds) and 31 CFR §1026.210 (futures commission merchants and introducing brokers in commodities).