On May 5, 2016, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued final rules (the Final Rules) on customer due diligence requirements for banks, securities broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities (collectively, covered financial institutions), focusing in particular on the beneficial owners of legal entity customers.¹ 

Background

The Currency and Foreign Transactions Reporting Act of 1970, as amended by the USA PATRIOT Act of 2001 (otherwise known as the Bank Secrecy Act), empowered FinCEN with the authority to impose anti-money laundering (AML) program requirements on financial institutions.² Under this authority, FinCEN issued an advance notice of proposed rulemaking regarding customer due diligence requirements for covered financial institutions on February 29, 2012,³ and then a notice proposing the customer due diligence rules on August 4, 2014.⁴

FinCEN received 141 comments in response to the customer due diligence rule proposal, including comments from financial institutions, trade associations, federal and state governmental agencies, and members of Congress. Many of the comment letters focused on the costs associated with implementing the requirement to identify and verify the beneficial owners of legal entity customers. Based on these comments addressing the potential costs of implementing the proposed rules, FinCEN issued a Regulatory Impact Assessment on December 24, 2015, that weighed the costs and benefits associated with the proposed customer due diligence rules.⁵ The release adopting the Final Rules addresses comments on both the rule proposal and the cost-benefit analysis contained in the Regulatory Impact Assessment.

FinCEN’s Final Rules

The Final Rules codify FinCEN’s four “pillars” of customer due diligence: (1) identifying and verifying the identity of customers; (2) identifying and verifying the beneficial owners of legal entity customers; (3) understanding the nature and purpose of customer relationships; and (4) conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. FinCEN explained that since the first “pillar”—identifying and verifying the identity of customers—is already explicitly covered under existing regulatory requirements to have customer identification programs (CIPs),⁶ the Final Rules provide explicit requirements for only the three remaining “pillars” of customer due diligence. In addition, with respect to the three remaining “pillars,” FinCEN noted that the third and fourth “pillars”—understanding the nature of customer relationships and ongoing monitoring—are already implicitly required for covered financial institutions to comply with suspicious activity reporting requirements. Given this, FinCEN believes that the main impact of the Final Rules is to require covered financial institutions to identify and verify the beneficial owners of legal entity customers.⁷

1. Identifying and verifying the beneficial owners of legal entity customers

The Final Rules impose the obligation to take explicit steps to identify and verify the beneficial owners of legal entity customers (i.e., the natural persons who own or control legal entities). In order to effectively implement this requirement, the Final Rules offer specific definitions for both “legal entity customers” and “beneficial owners.”

1. Legal Entity Customers

Under the Final Rules, a “legal entity customer” means a “corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account.” FinCEN clarified that a “legal entity customer” would not include trusts, except for trusts that are created through a filing with a state (e.g., statutory business trusts).⁸

The Final Rules offer several exemptions from the definition of a “legal entity customer,” including certain federally registered financial institutions, such as banks, broker-dealers, and investment advisers. In addition, FinCEN exempted the following entities:

• Investment companies registered with the U.S. Securities and Exchange Commission (SEC);
• Certain issuers of securities registered with the SEC under the Securities Exchange Act of 1934 (Exchange Act);
• Exchanges, clearing agencies, or any other entity registered with the SEC under the Exchange Act;
• Public accounting firms registered under the Sarbanes-Oxley Act;
• U.S. government departments or agencies, or any entity that exercises governmental authority on behalf of the U.S. federal or state government;
• Entities whose common stock or equity interests are listed on a stock exchange;
• Registered entities, commodity pool operators, commodity trading advisors, retail foreign exchange dealers, swap dealers, and major swap participants registered with the Commodity Futures Trading Commissions;
• Bank holding companies, and saving and loan holding companies;
• Certain pooled investment vehicles;
• State-regulated insurance companies;
• Financial market utilities designated by the Financial Stability Oversight Council;
• Foreign financial institutions where the foreign regulator maintains beneficial ownership information;
• Departments, agencies, and political subdivisions of foreign governments; and
• Private banking accounts subject to FinCEN’s private banking account rules.⁹

As FinCEN noted, many of these entities were exempted from the definition of a “legal entity customer” because information about their beneficial owners is already accessible. FinCEN also revised the initial rule proposal to add certain exemptions to the Final Rules, based on industry comment letters. For instance, the exemption for state-regulated insurance companies was added because “these companies must disclose and regularly update their beneficial owners, as well as the identities of senior management and other control persons” in connection with certain required state insurance filings.¹⁰

In addition, a “legal entity customer” must open an “account” with a covered financial institution, and FinCEN revised the initial rule proposal to adopt the same definition of an “account” that is found in the CIP rules.¹¹ This definition of an “account” notably excludes accounts opened for the purpose of participating in an employee retirement plan established under the Employee Retirement Income Security Act of 1974. According to FinCEN, these retirement accounts present an “extremely low money laundering risk,” and should be exempted from the Final Rules.¹²

2. Beneficial Ownership

The Final Rules establish two prongs to the definition of a “beneficial owner”: an ownership prong, and a control prong. Under the ownership prong, a “beneficial owner” is each individual (i.e., a natural person) “who, directly or indirectly…owns 25 percent or more of the equity interests of a legal entity customer.” Under the control prong, a “beneficial owner” is a single individual (i.e., a natural person) with “significant responsibility to control, manage, or direct a legal entity customer,” and may include an executive officer or senior manager, or any other individual who regularly performs such executive or managerial functions.¹³

Each prong is intended to be an independent test, so that a covered financial institution must identify and verify up to four individuals under the ownership prong and one individual under the control prong. So, for instance, if a legal entity is owned equally by four persons (e.g., four 25% owners), and then managed by a separate natural person, a covered financial institution would need to identify and verify all five persons.

The same person may satisfy both the ownership and the control prongs, and it is also possible for a legal entity to have no 25% owners. For instance, if a legal entity is owned by one person (e.g., one 100% owner), and then is managed by that same person, then a covered financial institution would need to identify and verify only that one person to satisfy this requirement of the Final Rules. On the other end of the spectrum, if a legal entity does not have any 25% owners, then a covered financial institution would need to identify and verify only a single person who satisfies the control prong of the Final Rules.

In addressing the comments on the definition of a “beneficial owner,” FinCEN emphasized that the requirement to identify and verify the beneficial ownership would be considered a “snapshot” rather than a continuous obligation that needs to be periodically updated, but that covered financial institutions would be expected to update this information based on the normal monitoring of risks in their AML programs.¹⁴ FinCEN also declined the suggestion in various comment letters to lower the threshold in the ownership prong to 10%, stating that many covered financial institutions already collect information on 25% owners and that collecting information on 10% owners is not a widespread practice.¹⁵

3. How to Identify and Verify Beneficial Owners

The Final Rules require covered financial institutions to identify the beneficial owners of legal entity customers at the time a new account is opened. Covered financial institutions may satisfy this requirement in one of two ways: either completing a standardized form attached to the Final Rules as Appendix A, or obtaining the information required by the standardized form through another means. This flexibility represents a significant change from the initial rule proposal. Originally, FinCEN had proposed the standardized form as a mandatory requirement, but revised the proposal, based on industry comments, to make the standardized form permissive rather than mandatory.¹⁶

The standardized form requests certain identifying information about the beneficial owners, such as name, date of birth, address, and social security number. The obligation to identify the beneficial owners would apply only to new accounts opened on behalf of a legal entity after the Final Rules take effect, and would not apply retrospectively.

After identifying the beneficial owners of new legal entity accounts, the covered financial institution must then verify the identity of the beneficial owners. Importantly, covered financial institutions would not be responsible for verifying the status of beneficial owners, but rather only the identity of the beneficial owners. FinCEN also clarified that covered financial institutions could verify the identity of beneficial owners using the same elements contained in the risk-based procedures currently used to verify customers under existing CIP practices. For instance, a covered financial institution could verify the identity of the beneficial owner by requesting a copy of the beneficial owner’s driver’s license. But the covered financial institution would not be required to undergo an exhaustive investigation through corporate records to verify the status of the beneficial owner (e.g., verifying that the beneficial owner is, in fact, the beneficial owner of the legal entity).¹⁷

2. Understanding the nature and purpose of customer relationships

The Final Rules explicitly require a covered financial institution to understand the nature and purpose of customer relationships in order to develop a customer risk profile. According to FinCEN, covered financial institutions should already satisfy this requirement by virtue of complying with the existing requirement to identify and report suspicious activity under the Bank Secrecy Act.¹⁸ Consequently, FinCEN does not anticipate that this requirement would force covered financial institutions to modify existing AML practices and procedures.¹⁹

3. Conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions

As the final “pillar” of customer due diligence codified by the Final Rules, covered financial institutions would be required to conduct ongoing monitoring for the purpose of maintaining and updating customer information and identifying and reporting suspicious activity. Like the requirement to understand customer relationships, FinCEN believes that covered financial institutions must already satisfy this requirement by virtue of complying with other provisions of the Bank Secrecy Act, and that no modification of existing AML practices and procedures would be expected.

Scope of Final Rules

FinCEN clarified that the Final Rules would apply initially only to covered financial institutions (e.g., banks, securities broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities), the same entities subject to CIP requirements. In the initial rule proposal, FinCEN raised the prospect of eventually extending the rules to other financial institutions, including insurance companies. However, FinCEN chose not to reiterate or otherwise restate this prospect of expanding the scope of the requirements in the Final Rules.

Impact of Final Rules

The most significant impact of the Final Rules is the requirement to identify and verify the beneficial owners of legal entity customers, because this represents a new requirement for the AML programs of covered financial institutions. Indeed, FinCEN acknowledged that the “beneficial owner” requirement will likely require modification of existing customer onboarding processes, as well as incorporation of the standardized form (should a firm choose to collect the required information through the standardized form) into existing AML programs. By contrast, FinCEN asserted that understanding customer relationships and the ongoing monitoring requirements should not require modification of existing AML programs, since FinCEN believes that covered financial institutions must already comply with these obligations given the suspicious activity reporting requirements under the Bank Secrecy Act.

The Final Rules would also require covered financial institutions to amend their written procedures to explicitly incorporate the new requirements into their existing AML procedures.

Effective Date of Proposed Rules

The Final Rules will take effect on July 11, 2016, but covered financial institutions will have until May 11, 2018, to implement and fully comply with the Final Rules. This two-year implementation period expands upon the one-year implementation period originally proposed by FinCEN, after the vast majority of comment letters argued that a one-year implementation period was impractical given the changes that covered financial institutions would have to make to their customer onboarding procedures in order to comply with the Final Rules.
                                    

¹ The Final Rules are available at https://www.gpo.gov/fdsys/pkg/FR-2016-05-11/pdf/2016-10567.pdf. 
  
² See also Treasury Order 180-01 (July 1, 2014), delegating authority from the U.S. Treasury Department to FinCEN to implement, administer, and enforce compliance with the BSA and associated regulations, available at https://www.treasury.gov/about/role-of-treasury/orders-directives/Pages/to180-01.aspx. 
  
³ The advance notice of proposed rulemaking is available at http://www.gpo.gov/fdsys/pkg/FR-2012-03-05/pdf/2012-5187.pdf. 
  
⁴ The notice proposing the rules is available at https://www.fincen.gov/statutes_regs/files/CDD-NPRM-Final.pdf. 
  
⁵ The Regulatory Impact Assessment is available at https://www.fincen.gov/whatsnew/pdf/CDD_RIA.pdf. 
  
⁶ Section 326 of the Bank Secrecy Act.
  
⁷ Final Rules, at 2-3.
  
⁸ Final Rules, at 58-59.
  
⁹ Final Rules, at 209-211.
  
¹⁰ Final Rules, at 67.
  
¹¹ See, e.g., 31 C.F.R. § 1023.100(a)(2), defining an account as “a formal relationship with a broker-dealer established to effect transactions in securities, including, but not limited to, the purchase or sale of securities and securities loaned and borrowed activity, and to hold securities or other assets for safekeeping or as collateral.”
  
¹² Final Rules, at 60.
  
¹³ Final Rules, at 207-208.
  
¹⁴ Final Rules, at 49.
  
¹⁵ Final Rules, at 50.
  
¹⁶ Final Rules, at 31.
  
¹⁷ Final Rules, at 38-43.
  
¹⁸ Section 1020.320 of the Bank Secrecy Act.
  
¹⁹ Final Rules, at 87-95.