In May 2016, Treasury’s Financial Crimes Enforcement Network (FinCEN) issued its final rule on Customer Due Diligence (CDD) Requirements for Financial Institutions. The Final Rule can be found here; our prior discussion of the Final Rule can be found here.
The new rule requires covered financial institutions to identify and verify the identity of the beneficial owners of all legal entity customers. It also adds CDD as a fifth pillar to the traditional four pillars of an effective anti-money laundering (AML) program. The implementation date of May 11, 2018 is less than a year away. How can you ensure that you’ll be ready?
Understanding the Rule
1. Who is covered?
“Covered institutions” are financial institutions subject to Customer Identification (CIP) requirements, including banks, broker-dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities. Many other entities in the financial services industry, while not legally obligated to comply with CIP requirements, are contractually bound to do so by their lenders. Those entities must learn whether their lenders similarly will require them to comply with the new beneficial ownership requirements.
2. What is a “legal entity” customer?
“Legal entity customers” include the following entities created by a filing with a state office or with a Secretary of State:
- limited liability companies
- limited partnerships
- general partnerships
- business trusts
- any other entity created by a filing with a state office
- any similar entities formed under the laws of a non-US jurisdiction
The definition of “legal entity customer” does not include:
- natural persons
- sole proprietorships
- unincorporated associations, such as a local Girl Scout troop or a neighborhood association
- trusts, other than statutory trusts created by a filing with a state office
- Certain legal entities, including the following, are excluded from the Final Rule:
- federal or state regulated financial institutions (e.g., federally regulated banks, brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities)
- bank and savings and loan holding companies
- state-regulated insurance companies
- publicly held companies listed on the New York, American, or NASDAQ Stock Exchanges
- registered investment advisers and investment companies
- SEC-registered exchanges or clearing agencies
- entities registered with the SEC
3. Who qualifies as a beneficial owner?
A “beneficial owner” includes individuals who fit within at least one of the following “prongs”:
(i) Any individual who, directly or indirectly, owns 25 percent or more of the legal entity customer (the “Ownership Prong”); and
(ii) One individual who has “significant responsibility to control, manage, or direct the legal entity.” (the “Control Prong”).
The Ownership Prong
The owners identified must be natural persons. For the Ownership Prong, this means that the customer may need to look through several layers of legal entities to determine whether an actual person is a 25% owner of the applicant. Below are some examples:
- Four different legal entities, A, B, C and D, each own 25% of your legal entity customer. The answer as to what information you must collect turns on the specifics of the ownership of Entities A, B, C and D.
- If Entities A, B, C and D each has multiple owners, with none owning 25% or more of the entity, then you need not collect any information under the ownership prong.
- If Entities A, B, C and D are each owned by a single individual (meaning that each individual ultimately owns 25% of your legal entity customer), then you must collect information on each of the individuals.
- If Entity A is owned by individual A and Entities B, C and D are each owned by multiple individuals, you need only collect information on individual A, because no other individual owns at least 25% of your legal entity customer.
- Fifty percent of your legal entity customer is owned by a publicly traded company. The remaining 50% is owned by two individuals. In this instance, you must collect information only on any of the individuals who own 25% or more of the legal entity customer. You need not collect information on, or have the customer look through, the publically traded company because publically traded companies are exempt from the Final Rule.
There may be no one who owns 25% or more of the legal entity. Therefore, there may not be a beneficial owner listed for the ownership prong.
Because it includes only those who own at least 25% of the customer, no more than four people can be designated under the ownership prong.
If a trust owns 25% or more of the legal entity, then use the trustee as the beneficial owner.
The Control Prong
FinCEN believes that determining who fits within the Control Prong is “straightforward.” “[T]he legal entity customer must provide identifying information for one person with significant managerial control.” Several job titles usually fit within this definition, including:
- Managing Member
- General Partner
- Vice President
- any other person who “regularly performs similar functions”
Remember that only one person need be designated under the Control Prong.
NGOs, charities and religious organizations such as churches are excluded from the Ownership Prong, but the Control Prong still applies.
4. How should you verify and identify the beneficial owners?
Under the Final Rule, covered financial institutions will be required to have written procedures to identify and verify beneficial owners of legal entity customers who open new accounts on or after May 11, 2018. Identification can be accomplished by gathering personal identifying information on the form FinCEN included as Appendix A to the Final Rule, found here, or by equivalent means.
You can verify the identity of a beneficial owner by performing your traditional CIP for the individuals listed on the form, with some important differences. Because the beneficial owner may not be present at account opening, you may use photocopies of identity documents, with the caveat that you “should conduct . . . risk-based analyses of the types of photocopies or reproductions that [you] will accept. . . . ”
Once you’ve collected this information, you will need to perform, at a minimum, OFAC screening.
You must verify the identity of the beneficial owners, e.g. determine that they are who they say they are. However, the Final Rule does not require that you verify their status as beneficial owners. This means that you do not need to calculate or determine who owns what percentage of the legal entity, and you need not determine if the entity is structuring to avoid a 25% ownership threshold. You may rely on the certification submitted by the customer unless something alerts you that the customer is providing information that may be false. If that occurs, you should, at a minimum, report that to your AML Compliance Officer.
5. What is the “Fifth Pillar”?
Traditionally, four pillars were considered fundamental to an effective AML program: (i) a system of internal controls; (ii) designation of an AML/BSA Compliance Officer; (iii) training; and (iv) testing and auditing. The Final Rule added a fifth pillar which requires covered institutions to understand the nature and purpose of relationships to develop a customer risk profile, conduct ongoing monitoring for reporting suspicious transactions, and, using a risk-based approach, maintain and update customer information.
FinCEN acknowledges that it is unlikely that a change in beneficial ownership will be identified through transaction monitoring. However, if you learn of information about the customer that is relevant to re-assessing the customer’s risk, you must update the customer information, including beneficial ownership information.
The Final Rule does not require you to update beneficial ownership information on a continuous or periodic basis: “the obligation for identification and verification should be considered a snapshot at the time that a new account is opened, not a continuous obligation.” Thus, updates to beneficial ownership should be event-driven as part of normal monitoring.
6. How can you get ready?
The implementation date is less than a year away – here are just some of the steps you need to take and the questions you need to be asking:
- Determine what business lines and departments will be impacted by the Final Rule.
- Review your risk assessment methodologies taking into account the beneficial ownership and CDD requirements.
- Refine your AML-specific risk appetite statements accordingly.
- Will your risk assessment impact your acceptance of customers with complex business structures or relationships?
- Update and evaluate your current CIP, verification and ongoing monitoring policies. These include:
- BSA Policy
- OFAC Policy
- CIP/New Account Opening Policies
- When updating your current CIP policies and procedures, will you re-write the section of your policies to include beneficial ownership or create a separate CIP section for beneficial ownership?
- Many financial institutions already identify persons who own at least 10% of a legal entity customer. If you currently identify beneficial owners at a lower ownership percentage, will you change your policy as the result of the regulation? What does your risk assessment tell you?
- Update and evaluate the following procedures:
- New Account Opening Procedures
- Suspicious Activity Monitoring Procedures
- CTR Aggregation Procedures
- Onboarding Processes and Procedures
- What will you collect?
- Will you conduct CIP on signatories?
- If you use a vendor to conduct verification, will they be able to verify up to six people (up to four under the ownership prong, one under the control prong, and one signatory)?
- Are there sufficient lines available to enter beneficial ownership information?
- Have you updated your relationship codes?
- Will you restrict an account if you are unable to verify one or more beneficial owners?
- Will you leverage individual CIP information where the customer is also a beneficial owner of a covered legal entity?
- Will new vendors and/or technology solutions be needed?
- Update your training programs to help ensure consistent understanding of the Final Rule and associated red flags.
- Customers will have questions. Do you have an easy-to-understand definition of “beneficial owner?”
- How will you determine whether a new customer is a “legal entity” subject to the Final Rule?
- Update the following forms:
- Signature Card
- Certification Form
- Will you use FinCEN’s form or create your own?
- New Account Worksheets
This checklist only scratches the surface of the changes you will need to implement in order to be prepared by the May 11, 2018 compliance date. And remember, as with any other aspect of BSA/AML, federal functional regulators may impose their own, additional supervisory expectations.