Final rule on customer due diligence requirements issued

Introduction

On May 11 2016 the Financial Crimes Enforcement Network (FinCEN) published a final rule that formalises new and existing customer due diligence (CDD) requirements for banks (including branches and agencies of foreign banks in the United States), broker-dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities. By providing a clear CDD framework for these covered financial institutions, FinCEN intends to promote a more level playing field across and within financial sectors and minimise some of the disparities in CDD practices among financial institutions. The final rule describes four core elements of CDD that are required in the anti-money laundering programmes of covered financial institutions:

• identifying and verifying the identity of customers;
• identifying and verifying the identity of beneficial owners of legal entity customers, subject to certain exceptions;
• understanding the nature and purpose of customer relationships to develop a customer risk profile; and
• implementing ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information.

The first element is already covered under existing customer identification programme rules, but the second element is a new requirement. According to FinCEN, the third and fourth elements are already implicit in the suspicious activity reporting requirements, but have been explicitly added as the 'fifth pillar' of an effective anti-money laundering programme. Covered financial institutions must comply with the final rule by May 11 2018.

Background

FinCEN explains in the final rule that clarifying and strengthening the CDD regime serves various purposes, such as:

• assisting financial investigations by law enforcement;
• enhancing the ability to identify the assets and accounts of criminals;
• improving a financial institution's ability to assess and mitigate risk and comply with existing requirements;
• facilitating reporting and investigations in support of tax compliance, including compliance with the Foreign Account Tax Compliance Act; and
• promoting consistency in CDD expectations across and within financial sectors.

Additionally, the final rule is one component of the US Treasury Department's broader three-part strategy to enhance the financial transparency of legal entities. Other components of this strategy include:

• the collection of beneficial ownership information on US legal entities at the time of the entity's formation; and
• the implementation of international standards regarding CDD and beneficial ownership of legal entities.

The final rule follows a March 2012 advanced notice of proposed rulemaking and an August 2014 notice of proposed rulemaking, both of which elicited numerous comments. After publication of the 2012 notice, FinCEN received 90 comments and held five public hearings around the country. The feedback and discussions were critical in developing the 2014 notice. The four core CDD elements from the 2012 notice remained the same; however, FinCEN took a different approach to some of the core elements, especially with respect to clarifying the beneficial ownership test. FinCEN received 141 comments on the 2014 notice, some of which have been incorporated into the final rule. Key changes to the 2014 notice that appear in the final rule include:

• extending the implementation period from one year to two years from the date on which the final rule is issued;
• permitting financial institutions to obtain beneficial ownership information by means other than the standard certification form;
• revising the definition of 'legal entity customer' and expanding the list of entities that are excluded from the definition; and
• modifying the standard certification form to include, among other things, titles of the individual submitting the certification and the beneficial owner with significant managerial responsibility, the address of the legal entity customer and clarification of address requirements.

The final rule also reflects FinCEN's consultation with various federal functional regulators and the Department of Justice. FinCEN notes that nothing in the final rule is intended to lower, reduce or limit the due diligence expectations of the federal functional regulators or in any way limit their existing regulatory discretion, which may undercut FinCEN's goal of consistency on this issue. The final rule is intended to be consistent with, not to supersede, the regulations, guidance or authority of any federal functional regulator or self-regulatory organisation relating to customer identification (including verification of the identities of legal entity customers).

Due to the potentially significant effect on the economy, FinCEN conducted outreach to various financial institutions on the anticipated costs of implementing the proposed CDD requirements. In response, the Treasury Department prepared a preliminary regulatory impact assessment on the costs and benefits of the proposed rule, making this assessment available for comment in December 2015.(1) A summary of the comments and the final assessment are included in the preamble to the final rule.

Beneficial owner requirements for legal entity customers

On the rule entering into effect, the covered financial institutions must implement written procedures that are reasonably designed to identify and verify the identities of beneficial owners of legal entity customers at the time a new account is opened, subject to certain exceptions.

Covered financial institution

Covered financial institutions include financial institutions that are subject to customer identification programme requirements, such as:

• banks;
• US branches and agencies of foreign banks;
• federally insured credit unions;
• saving associations;
• Edge Act corporations;
• brokers or dealers in securities;
• futures commission merchants; and
• introducing brokers in commodities.

Some financial institutions (eg, money services businesses) are not yet covered, but FinCEN has indicated that it may extend the CDD requirements to other types of financial institution in the future.

Beneficial owner

The final rule's definition of 'beneficial owner' consists of two prongs:

• Under the ownership prong, a beneficial owner is each individual (if any) who, directly or indirectly, owns 25% or more of the equity interests of a legal entity customer.(2) This prong would require identification of no more than four individuals. If no individual meets the 25% threshold, no individuals would need to be identified.(3)
• Under the control prong, a beneficial owner is a single individual with significant responsibility to control, manage or direct a legal entity customer, including:
  • an executive officer or senior manager (eg, a chief executive officer, chief financial officer, chief operating officer, managing member, general partner, president, vice president or treasurer); or
  • any other individual who regularly performs similar functions.

In some cases, the same individual may satisfy both the ownership prong and the control prong. Alternatively, a covered financial institution may voluntarily choose to identify additional individuals or use a lower threshold than 25% if it deems this appropriate on the basis of risk.

There may be instances where 25% or more of the equity interests of a legal entity customer are not owned by any individual, but are owned by an entity excluded from the definition of a 'legal entity customer'. Covered financial institutions are not required to identify an individual under the ownership prong in such cases. If 25% or more of the customer's equity interests are owned by a trust (other than a statutory trust), the trustee should be treated as the beneficial owner under the ownership prong.

Legal entity customer

The final rule defines a 'legal entity customer' as a corporation, limited liability company or other entity that is created by the filing of a public document with a secretary of state or similar office, a general partnership or any similar entity formed under the laws of a foreign jurisdiction that opens an account. This definition includes limited partnerships and business trusts that are created by a filing with a state office. Legal entity customers do not include sole proprietorships, unincorporated associations, trusts (other than statutory trusts that are created through a state filing)(4) or natural persons opening accounts on their own behalf.

Exclusions

The final rule provides a specific list of entities that are excluded from the definition of a 'legal entity customer', since beneficial ownership information for these entities is generally available from other credible sources. These include:

• a financial institution regulated by a federal functional regulator or a bank regulated by a state bank regulator;
• a department or agency of the United States, of any state or of any political sub-division of any state;
• any entity established under the laws of the United States, of any state, of any political sub-division of any state or under an interstate compact between two or more states, which exercises governmental authority on behalf of the United States or any such state or political sub-division;
• any entity (other than a bank) whose common stock or analogous equity interests are listed on the New York, American(5) or NASDAQ stock exchange (each, a listed entity);
• any entity organised under the laws of the United States or of any state and at least 51% of whose common stock or analogous equity interest is owned by a listed entity;
• an issuer of a class of securities registered under Section 12 of the Securities Exchange Act of 1934 or that is required to file reports under Section 15(d) of the act;
• an investment company, as defined in Section 3 of the Investment Company Act of 1940, that is registered with the Securities and Exchange Commission (SEC) under the act;
• an investment adviser, as defined in Section 202(a)(11) of the Investment Advisers Act of 1940, that is registered with the SEC under the act;
• an exchange or clearing agency, as defined in Section 3 of the Securities Exchange Act of 1934, that is registered under Section 6 or 17A of the act;
• any other entity registered with the SEC under the Securities Exchange Act of 1934;
• a registered entity, commodity pool operator, commodity trading adviser, retail foreign exchange dealer, swap dealer or major swap participant, each as defined in Section 1a of the Commodity Exchange Act, that is registered with the Commodity Futures Trading Commission;
• a public accounting firm registered under Section 102 of the Sarbanes-Oxley Act;
• a bank holding company, as defined in Section 2 of the Bank Holding Company Act of 1956 (12 USC 1841), or a savings and loan holding company, as defined in Section 10(n) of the Home Owners' Loan Act (12 USC 1467a(n));
• a pooled investment vehicle that is operated or advised by a financial institution that is excluded from the definition of a 'legal entity customer';
• an insurance company that is regulated by a state;
• a financial market utility designated by the Financial Stability Oversight Council under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010;
• a foreign financial institution established in a jurisdiction where the regulator of such institution maintains beneficial ownership information regarding such institution;
• a non-US governmental department, agency or political sub-division that engages only in governmental rather than commercial activities; and
• any legal entity only to the extent that it opens a private banking account subject to 31 CFR §1010.620.

Control prong only

The following legal entity customers are subject only to the control prong of the beneficial ownership requirement, either because ownership interests tend to fluctuate or because they do not exist:

• a pooled investment vehicle that is operated or advised by a financial institution that is not excluded from the definition of a 'legal entity customer' (eg, non-US managed mutual funds, hedge funds and private equity funds); and
• any legal entity that is established as a non-profit corporation or similar entity (including a charitable, non-profit, not-for-profit, non-stock, public benefit or similar corporation) and has filed its organisational documents with the appropriate state authority as necessary.

Intermediated account relationships

To the extent that existing customer identification programme guidance provides that a covered financial institution can treat an intermediary (and not the intermediary's customers) as its customer, the covered financial institution should treat the intermediary as its legal entity customer for the purposes of the final rule. For example, banks generally may treat deposit brokers as their customers in a brokered deposit relationship, rather than each individual investor with a sub-account in a brokered deposit.

New accounts

The beneficial ownership requirements apply to new accounts. A 'new account' is defined as an account (as defined in the customer identification programme rules) opened at a covered financial institution by a legal entity customer after the applicability date of the final rule. Covered financial institutions are not expected to apply the requirements retroactively to customers with existing accounts on that date. However, unlike the customer identification programme rules, which exempt existing customers that open new accounts, the beneficial ownership rules apply to existing customers that open a new account on or after the applicability date.

Exempt accounts

The following accounts opened for legal entity customers are exempt from the beneficial ownership requirements, since they present a low risk of money laundering:

• accounts opened at the point of sale to provide credit products, including commercial private label credit cards, solely for the purchase of retail goods or services at the associated retailers, up to a limit of $50,000;(6)
• accounts opened to finance the purchase of postage and for which payments are remitted directly by the financial institution to the provider of the postage products;
• accounts opened to finance insurance premiums and for which payments are remitted directly by the financial institution to the insurance provider or broker; and
• accounts opened to finance the purchase or leasing of equipment and for which payments are remitted directly by the financial institution to the vendor or lessor of this equipment.

Limitations on exemptions

The second, third and fourth exemptions listed above do not apply to transaction accounts through which a legal entity customer can make payments to, or receive payments from, third parties. If there is the possibility of a cash refund on the account activity under these three exemptions, then beneficial ownership of the legal entity customer must be identified and verified by the financial institution, either at the time of initial remittance or when such refund occurs.

Identification and verification requirements

A covered financial institution's procedures should enable it to:

• identify the beneficial owners of each legal entity customer (unless the entity is excluded or account is exempted) at the time a new account is opened by:
  • obtaining a certification in the form provided in Appendix A of the final rule from the individual opening the account on behalf of the legal entity; or
  • obtaining from the individual the information required on the certification by other means, provided that the individual certifies that, to the best of his or her knowledge, the information is accurate. These records may be retained electronically and incorporated into existing databases as part of the overall management of customer files, subject to the record-keeping obligations noted below; and
• verifying the identity of such beneficial owners according to existing risk-based customer identification programme rules and procedures for individuals within a reasonable time after the account is opened. For documentary verification, a financial institution may rely on reproductions of identity documents. However, covered financial institutions should conduct their own risk-based analyses of the types of photocopy or reproduction they will accept, so that such reliance is reasonable.(7)

Covered financial institutions may rely on the beneficial ownership information supplied by their customers without independently verifying that the information is accurate, provided that the financial institution has no knowledge that would reasonably call into question the reliability of such information.

Use of beneficial ownership information

Beneficial ownership information should be used in a similar manner as information that is collected through customer identification programmes, including for compliance with Office of Foreign Assets Control regulations and currency transaction reporting aggregation requirements. For example, covered financial institutions should use beneficial ownership information to ensure that they do not establish accounts or engage in prohibited transactions involving persons appearing on the Specially Designated Nationals and Blocked Persons (SDNs) List or any entity that is 50% or more owned, in the aggregate, by one or more SDNs. Covered financial institutions may also need to aggregate multiple currency transactions for currency transaction reporting where legal entity customers under common ownership are not being operated independently from each other or their primary owner (eg, where such entities share common employees and are frequently used to pay each other's expenses or the personal expenses of their primary owner). Covered financial institutions should also develop risk-based procedures to determine whether or when additional screening of beneficial owner names for negative media would be appropriate.

Record keeping

Covered financial institutions must maintain records of all beneficial ownership information obtained for legal entity customers, including:

• any identifying information and the certification, if obtained; and
• a description of any document relied on for identity verification (noting the type, identification number, place of issuance and dates of issuance and expiration, if any), a description of any non-documentary methods and the results of such measures and the resolution of any substantive discrepancies.

Identification records must be retained for five years following the account's closure and verification records must be retained for five years after the record is made.

Reliance on another financial institution

Covered financial institutions may rely on another financial institution, including an affiliate, to perform the beneficial ownership requirements with respect to any legal entity customer that has opened an account or established a relationship with the other financial institution. Such reliance is permitted under the same conditions set forth in applicable customer identification programme rules:

• It must be reasonable under the circumstances;
• The other financial institution must be subject to a rule implementing the anti-money laundering programme requirement and be regulated by a federal functional regulator; and
• The other financial institution must enter into a contract requiring it to certify annually to the covered financial institution that it has implemented its anti-money laundering programme and will perform the specified beneficial ownership requirements.

Anti-money laundering programme requirement amendments

The final rule revises FinCEN's existing anti-money laundering programme requirements for covered financial institutions(8) by expressly incorporating the traditional four pillars:

• the establishment of internal policies, procedures and controls reasonably designed to achieve compliance with the Bank Secrecy Act and its implementing regulations;
• the designation of a compliance officer responsible for monitoring day-to-day compliance with the programme;
• independent testing of compliance; and
• training for appropriate personnel.

The final rule further includes a fifth pillar to explicitly cover the third and fourth elements of CDD, requiring appropriate risk-based procedures for conducting ongoing CDD. This includes, but is not limited to:

• understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile (the third element of CDD); and
• conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including beneficial owner information of legal entity customers) (the fourth element of CDD).

FinCEN views the fifth pillar as a codification of pre-existing CDD expectations that should already be incorporated in a covered financial institution's controls.

Nature and purpose of customer relationships

The third element of CDD requires covered financial institutions to understand the nature and purpose of customer relationships in order to develop a customer risk profile.

FinCEN takes the position that in order for covered financial institutions to comply with existing requirements to identify and report suspicious activity, they must understand the nature and purpose of the customer relationship, including the types of transaction in which the customer would normally be expected to engage. In some circumstances, a covered financial institution may understand the nature and purpose of a customer relationship from information such as the type of customer, the type of account, the service or product used or other basic information such as the customer's annual income, net worth, domicile, principal occupation or business and history of activity. A 'customer risk profile' is the information gathered about a customer to develop the baseline against which customer activity is assessed for suspicious transaction reporting. The customer risk profile may include a system of risk ratings or categories of customer.

Covered financial institutions may integrate the customer risk profile into their transaction monitoring systems or use such information to determine whether a flagged transaction is suspicious. FinCEN understands that many institutions use such information to investigate suspicious activity triggered by transaction monitoring (ie, after and not necessarily concurrent with transaction monitoring).

Ongoing monitoring

The fourth element of CDD requires covered financial institutions to conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. As with the third element, FinCEN believes that current industry practice to comply with existing expectations for suspicious activity reporting should already satisfy this requirement.

The obligation to update customer information (including beneficial ownership information) is generally triggered only when, during the course of its normal monitoring, a covered financial institution becomes aware of information relevant to assessing or re-evaluating the risk posed by the customer. Such information could include, for example, a significant and unexplained change in customer activity or possible change in the customer's beneficial ownership. The final rule makes clear that the updating requirement is event driven and that covered financial institutions are not expected to update customer information on an ongoing or regular basis. The updating of customer information applies to both customers with new accounts and customers with existing accounts on the applicability date.

Comment

The long-awaited final rule may still present some operational challenges as well as heightening the expectations of regulators with respect to CDD practices within institutions. Financial institutions that are covered by the final rule should review their existing anti-money laundering and CDD policies, procedures and systems to identify any gaps and determine what modifications and enhancements will be necessary to comply with the final rule.

For further information on this topic please contact Connie M Friesen at Sidley Austin's New York office by telephone (+1 212 839 5300) or email ([email protected]). Alternatively, contact Joel D Feinberg or David E Teitelbaum at Sidley Austin's Washington DC office by telephone (+1 202 736 8000) or email ([email protected] or [email protected]). The Sidley Austin website can be accessed at www.sidley.com.

Endnotes

(1) 80 Fed Reg 80308 (December 24 2015).

(2) 'Equity interests' is not defined but, according to the final rule, it should be interpreted broadly to apply to a variety of legal structures and ownership situations.

(3) The 25% threshold is consistent with that of many foreign jurisdictions, including EU member states, and with the Financial Action Task Force standard. Covered financial institutions are not required to affirmatively investigate whether equity holders are attempting to evade the 25% reporting threshold, but if staff know about or have reason to suspect such behaviour, they may need to file a suspicious activity report.

(4) According to FinCEN, a 'trust' is a contractual arrangement between the person who provides the funds or other assets and specifies the terms (ie, the grantor or settlor) and the person with control over the assets (ie, the trustee), for the benefit of those named in the trust deed (ie, the beneficiaries). FinCEN notes that identifying a beneficial owner from among these parties based on this definition would not be possible. However, this does not supersede existing obligations regarding trusts generally. Under customer identification programme rules, while financial institutions are not required to look through a trust to its beneficiaries, they may need to take additional steps to verify the identity of the customer (ie, by obtaining information about persons with control over the account). Financial institutions generally identify and verify the identity of trustees because they will necessarily be signatories on trust accounts. In certain circumstances involving revocable trusts, a bank may need to gather information about the settlor, grantor, trustee or other persons with the authority to direct the trustee or that have control over the account.

(5) Currently named the NYSE MKT.

(6) The reference to accounts being opened at the point of sale is not essential to the logic of the exemption, but it may create compliance questions for private label card issuers.

(7) For example, a financial institution could decide that it will not accept reproductions below a certain optical resolution or reproductions transmitted via fax, or that it will accept only digital reproductions transmitted in certain file formats.

(8) The anti-money laundering programme requirements are found in 31 CFR §1020.210 (banks), 31 CFR §1023.210 (broker-dealers), 31 CFR §1024.210 (mutual funds) and 31 CFR §1026.210 (futures commission merchants and introducing brokers in commodities).