1. INDUSTRY
ADVISORY FROM
WASHINGTON, DC • NEW YORK, NY • DALLAS, TX
FinCEN Issues Final Rules on Customer Due june 2016
Diligence Requirements for Financial Institutions
The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has issued final rules clarifying and
strengthening customer due diligence (CDD) requirements for banks and other financial institutions. The rules add a
fifth pillar to the anti-money laundering (AML) compliance model that is currently mandated under the Bank Secrecy
Act (BSA).
Background and Implications
In May 2016, FinCEN issued final BSA rules establishing a baseline for identifying individuals with equity ownership
ormanagementcontrolinfinancialinstitutions’businesscustomers.Therulesfurthertheinterestsofbothgovernment
and financial institutions by improving banks’ ability to assess and mitigate financial crime and regulatory risk. The
new rules apply to banks, brokers or dealers in securities, mutual funds, and futures commission merchants and
introducing brokers in commodities. The rules are effective July 11, 2016, and covered institutions must comply by
May 11, 2018.
Banks currently use widely divergent CDD practices to identify beneficial owners and controlling individuals in
corporations, partnerships, and other legal entity customers, according to FinCEN. FinCEN notes that financial
institutions are not currently required to know the identity of individuals who own or control legal entity customers,
enabling criminals, kleptocrats, and other bad actors to hide proceeds or illegal activities and access the financial
system anonymously.
The new rules will improve banks’ abilities to assist law enforcement with financial investigations, thereby advancing
counterterrorism and other national security interests and facilitating tax compliance. FinCEN asserts that the rules
will also enable financial institutions to perform transaction surveillance more efficiently by enhancing their ability
to tailor surveillance parameters to customers’ business characteristics. Another important contribution will be the
promotion of clear and consistent expectations and practices.
FinCEN claims that the costs of the final rules will not be unduly burdensome to financial institutions and will be
justified by reduction in illicit activity. For the most part, industry best practices require banks and other financial
institutions to maintain CDD requirements in excess of the minimum requirements of the new rules. By improving
clarity and consistency throughout the industry, the new rules could promote a level playing field and facilitate bank
management of financial crime and regulatory risk.
Reviewing Current CDD Practice
The purpose of CDD is to enable a bank to predict the types of transactions in which a customer is likely to engage,
so that banks can determine when transactions may be suspicious, according to the Federal Financial Institutions
Examination Council (FFIEC) BSA/AML Examination Manual (2014). CDD begins with verification of a customer’s
identity through a bank’s customer identification program (CIP) and assessment of risks associated with that
customer. CDD should be ongoing and higher risk customers should undergo enhanced CDD processes.
2. INDUSTRY
ADVISORY (CONTINUED)
WASHINGTON, DC • NEW YORK, NY • DALLAS, TX
The FFIEC’s 2014 manual states that a bank’s CDD policies should be commensurate with its BSA/AML risk profile
and that a bank should ensure that it possesses sufficient customer information to implement an effective suspicious
activity monitoring system. However, other than requiring CIP programs, the manual has not, to date, mandated
specific minimum CDD requirements. Notably, there has been little guidance regarding identification of beneficial
owners and controlling individuals of customers that use a corporate or other legal entity structure.
Tightening CDD
In addressing this gap, FinCEN has identified the key elements of CDD as:
- Identifying and verifying the identity of customers (CIP);
- Identifying and verifying the identity of beneficial owners of legal entity customers;
- Understanding the nature and purpose of customer relationships; and
-Conducting ongoing monitoring to maintain and update customer information and to identify and
report suspicious activity.
While existing CIP requirements adequately address the first element above, the final rules address the second
element with the beneficial ownership requirement. Amendments to existing requirements for understanding
customer relationships and for monitoring explicitly deal with the third and fourth elements, which are already
implicitly addressed by current suspicious activity reporting requirements.
The final rules explicitly reference the BSA’s existing “pillars” of an adequate AML program. CDD would constitute a
fifth pillar, FinCEN says, joining the other four (namely internal controls, independent testing, designated compliance
manager/s, and personnel training).
Establishing Beneficial Ownership and Control
The beneficial ownership requirement constitutes the only entirely new obligation in the final rules. FinCEN seeks
to incorporate the concept of ownership and effective control contained in the Financial Action Task Force (FATF)
definition of “beneficial owner” as “the natural person(s) who ultimately owns or controls a customer and/or the
person on whose behalf a transaction is being conducted,” as well as “those persons who exercise ultimate effective
control over a legal person or arrangement.” It is worth emphasizing that beneficial owners are defined as natural
persons rather than other legal entities.
In targeting beneficial ownership, the rules refer to two “prongs.” An “ownership prong” aims to identify individuals
with substantial equity ownership interests, and a “control prong” aims to identify individuals with managerial
control over the customer. Each prong is intended to provide an independent test. In total, however, the identification
of no fewer than one individual and no more than five will be required. The same individual could be identified under
the ownership prong and the control prong, if appropriate.
The ownership prong will require identification of each individual who directly or indirectly owns 25 percent or
more of the equity interests of a legal entity customer. The term “equity interests” is to be interpreted broadly to
encompass a wide variety of ownership interests including stock in a corporation and membership interest in a
limited liability company or partnership.
3. INDUSTRY
ADVISORY (CONTINUED)
WASHINGTON, DC • NEW YORK, NY • DALLAS, TX
The control prong requires the identification of one individual with significant responsibility to control, manage, or
direct the legal entity customer, including an executive or senior manager (e.g., chief executive officer, chief financial
officer, chief operating officer, managing member, general partner, president, vice president, or treasurer) or any
other person who regularly performs similar functions. The customer has broad discretion to identify any individual
who fits the definition.
The final rules define legal entity customers to include corporations, limited liability companies, partnerships, and
similar business entities (whether or not officially registered in one of the 50 states). They will not include trusts,
unless created through a filing with a secretary of state. Customers that are exempt from CIP (e.g., regulated financial
institutions, publicly held companies traded on certain U.S. stock exchanges, and domestic government entities) will
be exempt from the beneficial ownership requirements of the new rules. Other specified entities will also be exempt—
generally customers whose beneficial ownership information is publicly available. Further, existing customers as of
the implementation date of the regulation will not be subject to the beneficial ownership requirement.
How It Will Work
At the time an account is opened, financial institutions will be required to verify the identity of beneficial owners
of legal entity customers consistent with existing CIP practice either by obtaining the required information on a
standard certification form or by any other means that comply with the rules’ substantive requirements. Banks would
need to record the beneficial owner’s name, date of birth, address, and government-issued identification number (a
Social Security number for U.S. persons, or a passport number with country of issuance or similar identification
number for non-U.S. persons). The forms, as well as descriptions of supporting documentation and verification, will
have to be retained for five years after any account is closed.
FinCEN will not, however, require financial institutions to verify that the natural persons they have identified are
in fact the beneficial owners of the legal entity customer. FinCEN expects financial institutions to be able to rely
generally on customers’ representations, provided that they have no knowledge of facts that would reasonably call
into question the reliability of the information.
Understanding and Monitoring Customer Relationships
In erecting a fifth “pillar” of core AML compliance, the new rules will amend existing AML program requirements
to address the third and fourth CDD elements (above), explicitly linking a financial institution’s know your customer
(KYC) program with current BSA-mandated monitoring and reporting of suspicious activity.
Thethirdelementwillrequirebanksandotherfinancialinstitutionstounderstandthenatureandpurposeofcustomer
relationships in order to develop a customer risk profile. FinCEN expects a bank to gain an understanding of its
customer to assess the financial crime risk presented and to aid the bank in determining whether customer activity is
“suspicious.” A customer risk profile refers to information gathered at account opening and may include self-evident
information such as the type of customer or type of account and may include a system of risk ratings or categories
of customers. Banks will not necessarily be required to obtain statements from customers regarding the nature and
purpose of their relationships or to collect information not already collected pursuant to existing requirements.