FinCEN Issues Sweeping New Requirements on Collection of Beneficial Ownership Information and Customer Due Diligence

Treasury and DOJ Announce Additional Measures to Pursue Money Laundering and Other Financial Crimes

On May 6, 2016, the U.S. Treasury Department's Financial Crimes Enforcement Network ("FinCEN") released a final rule codifying new and existing customer due diligence ("CDD") requirements under the Bank Secrecy Act ("BSA") for covered financial institutions, namely, banks, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities.[1]  This CDD final rule has two components: 

• First, subject to exceptions, covered institutions are required to identify the beneficial owners of their legal entity customers-including corporations, limited liability companies, partnerships, and similar entities-that open new accounts.  Specifically, covered institutions must identify and verify 1) one or more natural persons, if any, who directly or indirectly own 25% or more of a legal entity customer, and 2) a natural person who "controls" the entity. 
• Second, the rule supplements the traditional "four pillars" of an effective anti-money laundering ("AML") program by adding as a fifth pillar what FinCEN describes as preexisting CDD expectations.  Pursuant to this fifth pillar, covered institutions are required to develop customer risk profiles and to conduct ongoing monitoring to identify suspicious activity and, on a risk basis, to maintain and update customer information (including beneficial ownership information).  

Covered institutions must comply with the final rule by May 11, 2018. [2]

In addition to the CDD final rule, the Treasury Department proposed legislation requiring the reporting of beneficial ownership information upon company formation, and proposed regulations to increase the transparency of foreign-owned, single-member limited liability companies.  The Justice Department will also propose legislation to expand its authorities to pursue global money laundering and corruption and obtain easier access to foreign bank records.  The Administration's heightened efforts come in the wake of the release of the "Panama Papers"-millions of leaked documents from a Panamanian law firm-that focused attention on the use of anonymous shell companies to hide assets.  

Below we summarize the key features of the CDD final rule, identifying potential compliance challenges, and describe the additional measures announced by Treasury and the Justice Department. 

The CDD Final Rule

The CDD final rule has two main components:  a new requirement to identify beneficial owners of legal entity customers, and the addition of a "fifth pillar" relating to CDD expectations into the AML program requirements for each covered financial institution.  

Requirement to Identify Beneficial Ownership.  Covered financial institutions are required to maintain written procedures, incorporated into their AML compliance programs, to identify the following natural persons for each of their legal entity customers-subject to certain exceptions [3]-that open new accounts on or after the "applicability date" (May 11, 2018):

1. Ownership.  Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of a legal entity customer; and
2. Control.  A single individual with significant responsibility to control, manage, or direct a legal entity customer, including (i) An executive officer or senior manager (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or (ii) Any other individual who regularly performs similar functions. [4] 

The number of individuals satisfying the definition of beneficial owner will vary from entity to entity.  Under the first test, up to four individuals (and as few as zero) may need to be identified.  Under the second test, at least one individual must be identified. 

Covered institutions must identify and verify the identities of the requisite individuals at the time the new account is opened.  This can be done either by obtaining a certification in the form of Appendix A to the final rule from the individual opening the account on behalf of the legal entity, or by obtaining the same information by another means, provided that the individual certifies the accuracy of the information. [5]  The identification and verification procedures are, according to FinCEN, very similar to those for individual customers under a covered institution's customer identification program ("CIP"). [6]  Also consistent with current CIP obligations, covered institutions will be required to maintain records of the beneficial ownership information they obtain, and they may rely on other financial institutions for the performance of the requirements, provided that the other financial institution meets certain requirements. [7]

This beneficial ownership requirement is a significant addition to the BSA/AML regime.  Historically, beneficial ownership reporting was required in two limited circumstances. [8]  The new requirement, along with the part of the rule that clarifies CDD requirements more generally, will better align the United States with international AML standards established by the Financial Action Task Force and other international bodies. [9]  The requirement, according to FinCEN, is designed to address the fact that covered institutions are "not presently required to know the identity of the individuals who own or control their legal entity customers," which enables "criminals, kleptocrats, and others looking to hide ill-gotten proceeds to access the financial system anonymously." [10]

Adding CDD as a Fifth Pillar to AML Program Requirements.  The BSA requires certain financial institutions to establish anti-money laundering (AML) programs, which, "at a minimum," have four elements.  These four elements are considered by FinCEN and other regulators as the "four pillars" of an effective AML program.  In the CDD final rule, FinCEN codified these four pillars in the FinCEN regulations pertaining to each type of covered financial institution and added a fifth multi-part pillar pertaining to CDD. [11]  As a result of the final rule, the five pillars fundamental to an effective AML program for these covered institutions are generally as follows:

1. A system of internal controls to assure ongoing compliance;
2. Independent testing for compliance to be conducted by financial institution personnel or by an outside party;
3. Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;
4. Training for appropriate personnel; and
5. Appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not limited to:

(i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.  For purposes of this paragraph (5)(ii), customer information shall include information regarding beneficial owners of legal entity customers (as defined by the final rule). [12]    

With respect to (5)(i), FinCEN explained that "a customer risk profile refers to the information gathered about a customer at account opening used to develop a baseline against which customer activity is assessed for suspicious activity reporting."  This may include "self-evident information such as the type of customer or type of account, service, or product."  The profile "may, but need not, include a system of risk ratings or categories of customers." [13]  

With respect to (5)(ii), FinCEN explained that when a covered institution detects information about a customer in the normal course of monitoring-such as a significant and unexplained change in the customer's activity (for example, executing a cross-border wire transfer for no apparent reason)-that is relevant to "assessing or reevaluating the risk posed by the customer," the institution must "update the customer information, including beneficial ownership information." [14]

In response to public comments, FinCEN emphasized its belief that the fifth pillar encompasses "necessary and critical steps required to comply" with the existing requirement under the BSA to identify suspicious activity and file Suspicious Activity Reports. [15]  Incorporating these existing CDD expectations into the AML program requirements was meant to promote "uniformity and consistency" across the various categories of financial institutions, which will "strengthen the system as a whole, by further limiting opportunities for inconsistent application of unclear or unexpressed expectations." [16]

Compliance Challenges Posed by the Final Rule

As a significant new rule in the BSA/AML regime, covered institutions will face compliance and interpretive challenges.  Under a risk-based framework, there will be considerable uncertainty as to how vigorously FinCEN, the banking regulators, and the other agencies involved in AML enforcement will expect covered financial institutions to act in performing customer due diligence, putting to use the new beneficial ownership information obtained, and complying with the new fifth pillar of an effective AML compliance program.  While FinCEN believes that this fifth pillar codifies existing expectations rooted in suspicious transaction reporting obligations, there is reason to think that the fifth pillar will take on a life of its own, serving as a touchstone for increasingly demanding expectations on the part of regulators.  In addition, because CDD practices currently vary across sectors, covered institutions may face challenges in understanding the single CDD standard that FinCEN has now established across these sectors.

The following are some examples of the challenges posed by the final rule.

Reliance on Beneficial Ownership Information Supplied by Customer.  Under the final rule, covered financial institutions must generally verify only the existenceof an identified beneficial owner and not the individual's statusas a beneficial owner.  FinCEN provides that covered institutions may rely on the beneficial ownership information supplied by the customer, provided that they have "no knowledge of facts that would reasonably call into question the reliability" of the information. [17]  FinCEN has stated that "in the overwhelming majority of cases, a covered financial institution should be able to rely on the accuracy of the beneficial owner or owners identified by the legal entity customer, absent the institution's knowledge to the contrary."  The rule creates a fairly forgiving standard, but also a murky one, inviting regulators to second-guess a financial institution's reliance on its customer's beneficial ownership information.  Among other things, regulators may hold institutions responsible for knowledge held in one part of its operations, however distant from the function that performs diligence on new accounts.

Collection of Beneficial Ownership Information on Existing Customers.  While the beneficial ownership requirements apply only to new accounts opened on or after May 11, 2018, the ongoing monitoring requirement contained in the new fifth pillar will require a financial institution, if it detects "information relevant to assessing or reevaluating the [customer's risk]," to update customer information, including collection or updating of beneficial ownership information.  FinCEN has emphasized that this provision "does not impose a categorical requirement that financial institutions must update customer information, including beneficial ownership information, on a continuous or periodic basis," and that the need to update will be "event-driven." [18]  Nevertheless, covered institutions may have some well-deserved uncertainty as to the expectations that regulators will have regarding the extent and frequency of updating such information. 

Expectations Regarding the Ownership Threshold for Beneficial Owners. For the ownership prong, FinCEN required that covered institutions identify owners of 25% or more of the legal entity customer, and rejected proposals that that threshold be lowered to 10%.  Nevertheless, FinCEN stated that:

[T]he 25 percent threshold is the baseline regulatory benchmark, but that covered financial institutions may establish a lower percentage threshold for beneficial ownership . . . based on their own assessment of risk in appropriate circumstances.  As a general matter, FinCEN does not expect covered financial institutions' compliance with this regulatory requirement to be assessed against a lower threshold.  Nevertheless, consistent with the risk-based approach, FinCEN anticipates that some financial institutions may determine that they should identify and verify beneficial owners at a lower threshold in some circumstances; we believe that making this clear in the note accompanying the regulator text will aid them in doing so with respect to their customers. [19]

Additionally, the final rule provides: "A covered financial institution may also identify additional individuals as part of its customer due diligence if it deems appropriate on the basis of risk." [20]  Thus, even the rule's 25% threshold appears to yield to the risk-based principle.  Covered institutions should consider whether a lower threshold is appropriate for certain customers or classes of customers.

Heightened Expectations for Uses of Beneficial Ownership Information.  FinCEN has stated that it expects covered institutions to use the beneficial ownership information collected to "comply with other requirements," such as Office of Foreign Assets Control ("OFAC") sanctions compliance.  FinCEN also noted that it expects institutions to use beneficial ownership information to comply with Currency Transaction Reporting ("CTR") requirements, including the need to aggregate transactions that are "by or on behalf of" the same person for purposes of complying with the $10,000 threshold transaction requirement.  FinCEN has stated that beneficial ownership information may give a covered institution knowledge that a legal entity customer or customers are not being operated independently from each other or a primary owner, thus making it incumbent on the covered institution to aggregate transactions.  This is an example of how the increased information that will result from the rule will heighten regulators' expectations of an institution's ability to connect the dots in the course of AML compliance. 

Additional Treasury and Justice Department Measures

With an urgency stemming from the "Panama Papers," the Administration has announced additional regulatory and legislative proposals to combat money laundering and other financial crimes.

Treasury Measures. In addition to announcing the final CDD rule, the Treasury Department announced that it would send new beneficial ownership legislation to Congress. [21]  The legislation would require U.S. companies to compile beneficial ownership information at the time of their creation and to file such information with the Treasury Department for use by law enforcement. [22] The legislation would also clarify FinCEN's ability to collect bank wire transfer information and other information through Geographic Targeting Orders ("GTOs"), which allow FinCEN to impose special reporting requirements on financial institutions in targeted geographic areas for limited periods of time.  (Recent GTOs require certain U.S. title insurance companies to report beneficial ownership information of entities making all-cash purchases of high-value residential real estate, in an effort to battle financial crimes in the real estate sector. [23]) 

Additionally, Treasury announced proposed regulations to reduce tax evasion.  According to Treasury, certain foreign-owned U.S. entities (most notably single-member LLCs) have no obligation to obtain a tax identification number and report information to the IRS.  Among other things, the proposed regulations would require entities such as foreign-owned single-member LLCs to report ownership and transaction information to the IRS, and to obtain employer identification numbers ("EINs"). [24]

Justice Department Measures: Targeting International Corruption and Financial Crime. In addition to these measures, the Justice Department stated that it will propose legislative amendments to expand its authority to combat international corruption and money laundering. [25]  Among other things, the proposed amendments would make it easier for U.S. prosecutors to charge money launderers and to recover the proceeds of government corruption abroad.  The amendments seek to achieve this by expanding foreign money laundering predicates to include additional violations of foreign law that would be a money laundering predicate if committed in the U.S., allowing U.S. prosecutors to further pursue cases involving foreign corruption and to prosecute for money laundering the use of proceeds from a wider range of foreign corruption activities.

The proposed amendments would, among other things, also (1) enhance law enforcement's ability to obtain legally admissible foreign bank records through subpoenas served on U.S.-based branches; (2) allow U.S. law enforcement authorities to issue administrative subpoenas in money laundering investigations rather than grand jury subpoenas (which must be authorized by a federal prosecutor and are subject to secrecy requirements); and (3) create a framework for the use of classified information in kleptocracy-related civil asset recovery cases. 

If adopted, these changes would expand the authority of the Justice Department to prosecute money laundering- and corruption-related offenses while lessening administrative burdens to investigating such conduct.  These developments, if enacted, portend a possible increase in both the number and breadth of Department of Justice and other regulatory investigations related to these issues.

The CDD final rule is available here.