FinCEN Proposes Fifth BSA Pillar

by Pepper Hamilton LLP

On July 30, 2014, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (the Proposed Rule) to clarify and strengthen customer due diligence (CDD) requirements as a fifth pillar under the Bank Secrecy Act (BSA) for banks and other covered financial institutions. Under the Proposed Rule, covered financial institutions would be required for the first time to identify and collect information on the beneficial owners of their legal entity customers.

U.S. policymakers, including Treasury,1 seeking to balance privacy2 concerns with transparency and alignment with the Financial Action Task Force (FATF) recommendations,3 United States G-8 Action Plan for Transparency of Company Ownership and Control4 and pending rulemaking at the European Union,5 have proposed a risk-based approach, to be adopted by a covered financial institution’s board of directors. The four elements of the CDD in the Proposed Rule align with the approach set out in the FATF recommendations.

The Proposed Rule follows the March 5, 2012 issuance of an Advance Notice of Proposed Rulemaking by FinCEN regarding CDD, and included input from the financial services industry, lawmakers and policymakers. The Proposed Rule, and related guidance that followed, make it clear that the financial industry must cooperate in illuminating the less-than-transparent world of corporate ownership. The Proposed Rule and subsequent guidance make it clear that the board of directors and senior executive officers of a covered financial institution are responsible for adopting CDD procedures that are efficacious with respect to the institution’s current mix of products, services and customers, and that those procedures must be tested by an independent and competent party. Before a board approves the distribution of a new line of products and services, or the acquisition of an entity that has a mix of products, services, and customers that represent a new level of risk, it must independently test the current AML system and controls to confirm that the existing control environment is sufficiently robust to handle the new risks.

The key thrust of the Proposed Rule is that, for the first time, U.S. banks, brokers, dealers, mutual funds, commodity futures merchants and introducing brokers must have systems in place to: (i) collect information and (ii) maintain records of the information on individuals who hold 25 percent or more of an interest in a customer or who otherwise control the customer. Bank customers should be prepared to cooperate regarding information requests that are or will be made by covered financial institutions.

In promulgating the Proposed Rule, FinCEN designates four core elements as being critical to CDD within an effective BSA/AML program:

1) identifying and verifying the identity of customers

2) identifying and verifying the beneficial owners of legal entity customers

3) understanding the nature and purpose of customer relationships, and

4) conducting ongoing monitoring to maintain and update customer information and identify and report suspicious transactions.

FinCEN acknowledges that the first, third and fourth elements are already addressed by the Customer Identification Program (CIP) and other regulatory requirements imposed under current BSA/AML regulations, and it makes a pointed effort to reinforce their importance. The second element commands more of FinCEN’s attention because it would be established under a new section of the BSA/AML regulations. For compliance with the second element, the Proposed Rule would require covered financial institutions to revise onboarding procedures covering legal entity customers to identify their beneficial owners and, to the extent practicable, verify the identities of those owners by the same risk-based methodology employed for verifying customers who are individuals.

In the interest of reducing compliance burden, the Proposed Rule includes in an appendix a standard certification form for verifying the identity of beneficial owners. This Certification Regarding Beneficial Owners of Legal Entity Customers would standardize collection of beneficial ownership information and permit reliance on the information obtained from an individual when the financial institution opens a new account for a legal entity customer.

The Proposed Rule is open for a 60-day comment period, beginning August 4, 2014, and FinCEN particularly seeks comment from the financial services industry concerning:

  • whether financial institutions should be subject to a mandated timeframe for updating beneficial ownership information, and
  • whether a definition of a “customer-risk profile” is needed.

The effective date of the Proposed Rule, once adopted, is expected to be one year from the publication of the final rule.

Pepper Points

  • Bank customers should anticipate that a covered institution’s due diligence process will become more rigorous even before the rule becomes final. State and federal prosecutors have recently been critical of opaque corporate structures that have obscured the true ownership of corporate entities, particularly in business lines that regulators consider as high risk. Prosecutors have complained that such structures have hindered their ability to track down and prosecute the individuals that control corporate entities in high-risk businesses. As a result, some covered financial institutions have begun increasing their due diligence.
  • Independent and competent testing of a covered financial institution’s BSA/AML compliance program is mandatory. When embarking on distribution of new products and services or acquisition of an entity that distributes products and services with a riskier profile, it is mandatory to conduct independent testing of the control environment to confirm that controls are in place before the covered entity assumes responsibility for distributing products with a riskier profile.
  • CDD, along with collection of customer information and monitoring of accounts and relationships, has always been part of an AML program. We suspect the elevation of CDD to a fifth pillar is meant to suggest to senior executives and board members that CDD is now an explicit requirement subject to enforcement if CDD program failure occurs.
  • FinCEN’s Proposed Rule will require changes to legal entity customer onboarding procedures at financial institutions at a time when other regulatory agencies are also taking actions affecting the onboarding of certain customers. For example, the OCC recently revised certain of its guidance to clarify financial institutions’ onboarding procedures for third-party payment processor customers.
  • A CIP-exempt customer must be monitored, as the customer’s activity and risk level can change over time.
  • One major concern expressed by many financial institutions in hearings and comments leading up to the issuance of the Proposed Rule was that verifying the status of a person as a beneficial owner of an entity would often be prohibitively costly and impracticable. FinCEN has accommodated this concern by requiring financial institutions solely to verify the identity of beneficial owners consistent with existing CIP practices.
  • Just as a financial institution may rely on another financial institution to conduct CIP procedures for a shared customer, so the Proposed Rule allows similar reliance for identification and verification of beneficial owners, including completion of the standard certification form.
  • The Proposed Rule would apply only to legal entity customers that open new accounts after the effective date (i.e., one year after the final regulation is published) and would not require financial institutions to look back at pre-existing accounts. However, if the risk profile of an existing customer changes and requires enhanced due diligence (EDD), it would be prudent to go back and complete the new form and then move on to perform EDD on the customer.
  • Tracking existing CIP guidance, FinCEN has decided to exempt from the beneficial owner requirements accounts maintained by trusts, as well as accounts maintained by intermediaries for the primary benefit of others. However, FinCEN appears to be inclined to apply those requirements, at least in some modified form, to pooled investment vehicles, such as hedge funds.
  • Pepper lawyers have been very active in counseling and defending clients with respect to the Bank Secrecy Act.
  • Freeh Group International Solutions, LLC has significant experience designing AML systems as well as performing independent review and monitoring of AML systems including AML system “look back” reviews required by prudential regulators.


1 See: FinCEN Advisory to United States Financial Institutions on Promoting a Culture of Compliance. On August 11, 2014, FinCEN further sharpened its focus on eradicating shortcomings in BSA/AML compliance programs by issuing Advisory FIN-2014-A007, which encourages financial institutions to strengthen their BSA/AML compliance culture through promotion of active leadership, elevation of deficiency mitigation over revenue interests, sharing of relevant departmental information with compliance staff, adequate funding of the compliance function, independent and competent testing of the compliance program, and thorough training of all personnel.

Also see: August 12, 2014 remarks of Jennifer Shasky Calvery, Director, FinCEN to 2014 Mid-Atlantic AML Conference, Washington, DC (

Also see: Comment by FDIC’s Associate Director of AML, Lisa Arquette (August 12, 2014): “Searching for revenue, banks are taking on products and services, even acquisitions that they don’t have AML controls in place to handle.”

Also see: Pepper Hamilton Financial Services Client Alert: “One Big Misunderstanding: FDIC Clarifies that Caution on Higher-Risk Activity Is Not a Prohibition on Third-Party Payment Processor Relationships” (August 5, 2014).

2 FinCEN has decided to exempt from the beneficial owner requirements accounts maintained by trusts, as well as accounts maintained by intermediaries for the primary benefit of others. However, FinCEN appears to be inclined to apply those requirements, at least in some modified form, to pooled investment vehicles, such as hedge funds. The debate over the degree of transparency that should be accorded beneficial ownership is not new. Its roots reach back at least as far as the evolution of the privacy provisions of the Gramm-Leach-Bliley Act, which witnessed a concerted effort to balance the need to have financial institutions inform trust beneficiaries of their right to privacy as “customers” of a bank, therefore requiring a bank to issue privacy notices and “opt out rights,” against the recognition that such an approach might violate the good and legal purpose the trust settlor had in mind in concealing from the beneficiaries the existence of the trust.

3 FATF is an independent inter-governmental body that includes the United States as a member. FATF is due to evaluate the United States in late 2015 or 2016, respecting United States standards of anti-money laundering and counter-terrorist financing. In 2006, FATF found that the United States did not have appropriate requirements in place to require covered financial institutions to assess the risk of the business relationships of customers or beneficial owners of customers to prevent the misuse of the financial system and that the United States should strengthen its customer identification requirements, particularly in the identification of beneficial owners.

4 United States G-8 Action Plan for Transparency of Company Ownership and Control (White House press release, June 18, 2013).

5 The European Parliament on March 11, 2014 adopted the EU’s proposed Fourth Anti-Money Laundering Directive, which will require the ultimate owners of companies and trusts to be listed in public registers in EU countries.
