FinCEN Proposes to Expand Financial Institution Customer Due Diligence Requirements

by Morgan Lewis

The proposal would require financial institutions to identify beneficial owners of legal entities and codify existing customer due diligence guidance.

In a continuing initiative to strengthen the customer due diligence (CDD) requirements imposed on regulated financial institutions under the Bank Secrecy Act (BSA),[1] on July 30, the Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking (NPR). The primary purpose of the NPR is to propose new CDD obligations for all financial institutions that are required under the BSA to have in place anti-money laundering (AML) programs and customer identification programs (CIPs).[2] These (covered) financial institutions include banks, broker-dealers, open-end investment companies (mutual funds), futures commission merchants (FCMs), and introducing brokers in commodities (IBs). The proposed rules, if adopted, would

  • require covered financial institutions, subject to certain exemptions, to identify and verify the natural person beneficial owners of legal entity customers; and
  • codify explicit CDD requirements for covered financial institutions to (i) understand the nature and purpose of customer relationships and (ii) conduct ongoing customer monitoring, both of which would become required elements of a core AML program.

As a secondary objective, FinCEN also is proposing to update its regulations to codify the four current core requirements of a required financial institution’s AML program, often referred to as “pillars,” and to add a fifth “pillar” that specifically addresses CDD.

Comments on the NPR are due on or before October 3, 2014.


The need for legal entity owner identification and verification under AML laws, for some time, has been a topic of discussion in the U.S. and international regulatory and law enforcement communities. Given the documented abuse of legal entities by criminal and terrorist individuals and organizations to engage in illegal or illicit activities, U.S. and international authorities have stated that the identification of persons who own legal entities that do business within the financial system is an important means of reducing the misuse of legal entities for criminal and other improper purposes.

To this end, FinCEN published an advance notice of proposed rulemaking (ANPR) in March 2012, which outlined a framework for clarifying, codifying, and strengthening existing CDD requirements.[3] The ANPR addressed customer identification procedures for understanding the nature and purpose of accounts, ongoing monitoring, and obtaining beneficial ownership information. FinCEN subsequently held multiple public hearings on the issues raised in the ANPR during 2012, with an aim to better understand commentators’ views and concerns regarding such requirements and the burdens associated with them.

The current NPR is the product of this regulatory process as well as the result of consultations among FinCEN and other interested federal financial institutions regulatory agencies (the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, Securities and Exchange Commission [SEC], and Commodity Futures Trading Commission [CFTC]). FinCEN stated that the NPR, which has core objectives of clarifying and strengthening CDD under the BSA, would advance a number of important regulatory and law enforcement purposes and support the U.S. Department of the Treasury’s efforts to “enhance financial transparency and safeguard the financial system against illicit use.”[4]


The NPR proposes rules that would require covered financial institutions generally to identify and verify the natural person beneficial owners of legal entity customers. It also would add CDD obligations to the mandatory components of financial institutions’ BSA AML programs. As stated by FinCEN, legally sufficient CDD consists of four elements: (i) identifying and verifying the identity of customers, (ii) identifying and verifying the identity of beneficial owners of legal entity customers, (iii) understanding the nature and purpose of customer relationships, and (iv) conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. The requirement to identify and verify the identity of customers already is addressed in current CIP rules. FinCEN now proposes to codify elements (ii), (iii), and (iv) in its CIP regulations. While the legal entity beneficial owner verification requirements would be new, FinCEN also makes it clear that the two other newly codified CDD elements (understanding customer relationships and ongoing monitoring) do not represent a substantive change in covered financial institutions’ CDD obligations, saying that these elements already are required by existing regulatory and supervisory requirements.

Beneficial Ownership Identification and Verification

Key Definitions and Exclusions
The proposed rules require covered financial institutions to identify the natural persons who are “beneficial owners” of “legal entity customers,” subject to certain exemptions. These definitions and exemptions are important to understand the scope and application of the new requirements.

Definition of “Beneficial Owner”: The proposed definition of a “beneficial owner” has two separate elements, an ownership test and a control test. Under the ownership test, a beneficial owner is any individual who, directly or indirectly, through any means, owns 25% or more of the equity interests of a legal entity customer. Under the control test, the definition covers a single individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager, or any other individual who regularly performs similar functions. In effect, these two tests limit the number of beneficial owners of a legal entity customer to five individuals. This is because, as discussed in the NPR, no more than four individuals can satisfy the 25% ownership test, and only one person who meets the entity control criterion must be identified by the financial institution. In the case of legal entity customers that are owned through intermediate corporate entities, the financial institution is expected to identify the natural persons at the top level of the corporate organization who beneficially own the legal entity.

Definition of “Legal Entity Customer”: The proposed general definition of a “legal entity customer” is very broad and extends to any U.S. or foreign corporation, limited liability company, partnership, or other similar business entity that opens a new account with a financial institution.

Significantly, however, there is an extensive list of business entities that are excluded from the definition. Excluded entities include those entities that are excluded from the definition of “customer” under the current CIP rules.[5] In addition, the proposed exclusions include the following:

  • Issuers with securities registered under section 12, or subject to reporting under section 15(d), of the Securities Exchange Act of 1934 (Exchange Act)
  • Any majority-owned U.S. subsidiary of an entity whose securities are listed on a U.S. stock exchange
  • SEC-registered investment companies
  • SEC-registered investment advisers
  • Exchanges and clearing agencies registered under section 6 or section 17A of the Exchange Act, respectively
  • Any other entities registered with the SEC under the Exchange Act
  • CFTC-registered entities, including FCMs, IBs, commodity pool operators, commodity trading advisers, retail foreign exchange dealers, swap dealers, major swap participants, boards of trade, derivatives clearing organizations, swap execution facilities, and swap data repositories
  • Public accounting firms registered under section 102 of the Sarbanes–Oxley Act
  • Internal Revenue Code–qualified charities and nonprofit entities in good tax-exempt standing

Three important points about the “legal entity customer” definition warrant mention:

  • The definition does not generally include trusts, although statutory trusts (e.g., business trusts) may be covered by the new requirements.
  • The definition applies only to legal entity customers that open an account with a financial institution on or after the effective date of the new rules. In other words, the proposed rules would not be applied retroactively, and covered financial institutions would not be required to obtain beneficial ownership information from legal entity customers with accounts that preceded the new rules. If a current legal entity customer, however, opens a new account, for example in connection with acquiring a new product or service, the beneficial owner verification rules would apply.
  • Financial intermediaries that are not subject to a current CIP requirement and are acting on behalf of clients are treated as the “legal entity customer” of the financial institution. Thus, financial institutions that open accounts for intermediaries, such as securities and commodity clearing firms and correspondent banks, would treat only the intermediaries as their customers, and not the intermediaries’ direct clients.

Further, FinCEN is considering exempting unregistered, pooled investment vehicles from the definition and has asked for comment on this concept, although it has not formally proposed in the NPR to do so.

Substantive CDD Requirements

The proposed rules would require covered financial institutions to (i) identify the beneficial owners of a legal entity customer at the time of account opening and (ii) verify the beneficial owners’ identities within a reasonable time thereafter. These requirements are intended to parallel the customer identification and verification duties of covered financial institutions under the current CIP rules. Beneficial owner identification information, however, would be obtained on a new standard certification form that FinCEN proposes to create. The FinCEN form, once adopted, would enhance compliance uniformity and clarity for covered financial institutions. In general, the NPR contemplates that a person seeking to open the account would provide the completed form, which would include each beneficial owner’s name, address, date of birth, and Social Security (or passport) number.

Important points about these requirements include the following:

  • The verification requirement for beneficial owners would extend only to verifying the identity of a beneficial owner using existing risk-based CIP practices. It would not require a financial institution to verify the status of a beneficial owner as such (whether the individual is, in fact, a beneficial owner of the legal entity customer), thus addressing commenters’ concerns on the ANPR that status verification, in many cases, could be prohibitively costly and impractical.
  • FinCEN determined not to propose a requirement that financial institutions periodically update their beneficial owner information, but it noted that financial institutions should keep such information as current as possible, using a risk-based approach.
  • Consistent with the requirements of the current CIP rules, financial institutions would be allowed to rely on the beneficial owner verification and CDD activities of another financial institution if (i) such reliance is reasonable, (ii) the other financial institution is subject to an AML program rule and is regulated by a federal functional regulator, and (iii) the other financial institution enters into a contract and provides annual certifications regarding its AML program and CIP requirements.[6]

Changes to AML Program Requirements
As discussed above, the NPR codifies the four existing core AML program elements (or four “pillars”)[7] and adds a fifth element, namely, the requirement that a financial institution adopt risk-based procedures for conducting CDD. These procedures would expressly include, but not be limited to, understanding the nature and purpose of customer relationships and conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.

FinCEN states that it is proposing these changes to existing AML program requirements for covered financial institutions “to ensure alignment between existing AML requirements and CDD minimum standards.”[8] In so doing, FinCEN intends to make it clear that “CDD is a core element of a financial institution’s policies and procedures to guard against money laundering.”[9] In addition, because financial institutions’ AML programs must also comply with the regulations of their federal functional regulatory agencies (or, where applicable, the rules of self-regulatory organizations [SROs]) governing such programs, FinCEN believes that the incorporation of these CDD procedures into its regulations ensures that these requirements will be subject to examination and enforcement by the appropriate federal functional regulator or SRO in a manner consistent with current supervisory authorities and expectations.

Concluding Thoughts

The rules proposed in the NPR will certainly increase the CDD obligations of covered financial institutions by requiring them to obtain and verify beneficial ownership information for their legal entity clients. Financial institutions that open accounts for foreign legal entities will also face additional challenges in obtaining such information, particularly for legal entities domiciled in jurisdictions with secrecy laws. That being said, the proposed rules are not unexpected, having been proposed in concept in the ANPR, and do include some accommodations to address the concerns about burdens and practicality of implementation that were expressed during the ANPR phase of the regulatory process. It is significant that the new rules would require only the identification of natural person beneficial owners and the verification of that identity—not the status of the beneficial owners—although financial institutions nonetheless would need to be sensitive, consistent with their general risk-based CDD activities, to unusual or suspicious facts and circumstances that arise during the account opening and vetting process.

From a compliance management perspective, it is helpful that the new CDD requirements are incorporated into and aligned with the current CIP requirements. In practical terms, that means that a covered financial institution’s policies and procedures for compliance with CIP obligations, in most cases, should accommodate the new and expanded CDD obligations without too much difficulty. Also, the NPR’s proposal of a standardized CDD certification for obtaining beneficial ownership information has the benefit of taking the guesswork out of what information affected financial institutions are expected to obtain about their legal entity customers’ beneficial owners.

The proposed regulatory codification of CDD relationship knowledge and monitoring obligations into the core elements of an AML program may be more a matter of form than substance, when viewed against the backdrop of the current AML enforcement and compliance environment. All of the federal financial institution regulatory agencies that supervise covered financial institutions currently expect their regulated institutions to include these CDD procedures in their required AML programs. Under the current system, regulatory agencies will criticize—and bring enforcement actions against—financial institutions that do not include such procedures. Further, the inclusion of the additional CDD procedures in the required elements of the mandatory AML program does not change the risk-based approach that covered financial institutions are expected to use in developing and implementing these procedures, a point that the NPR makes in several places. In addition, the new regulatory requirements are also designed to align fully with existing regulatory and SRO requirements of the federal financial institutions regulatory agencies and the SROs under their oversight.

[1]. The BSA is codified at 12 U.S.C. § 1829b; 12 U.S.C. §§ 1951–1959; 18 U.S.C. §§ 1956, 1957, 1960; and 31 U.S.C. §§ 5311–5314 and 5316–5332. The BSA’s implementing regulations are at 31 C.F.R. ch. X.

[2]. FinCEN, Customer Due Diligence Requirements for Financial Institutions, Notice of Proposed Rulemaking, 79 Fed. Reg. 45,151 (proposed Aug. 4, 2014) (to be codified at 31 C.F.R. pts. 1010, 1020, 1023, 1024, 1026), available here. Although the Federal Register version of the NPR indicates that the proposal is dated July 23, 2014, the press release accompanying the announcement of the NPR states that it was issued on July 30.

[3]. FinCEN, Customer Due Diligence Requirements for Financial Institutions, Advance Notice of Proposed Rulemaking, 77 Fed. Reg. 13,046 (Mar. 5, 2012).

[4]. 77 Fed. Reg. at 45,152.

[5]. These entities include but are not limited to (i) financial institutions that are regulated by a federal functional regulator (i.e., federally regulated banks, broker-dealers in securities, FCMs, and IBs) and state-regulated banks, (ii) federal and state government agencies and instrumentalities, and (iii) publicly held companies traded on certain U.S. stock exchanges.

[6]. Although SEC-registered investment advisers are not subject to formal AML program or CIP requirements, through a no-action letter, the SEC staff permits broker-dealers to rely on SEC-registered advisers to perform some or all of a broker-dealer’s CIP obligations under certain circumstances and subject to certain conditions. See Securities Industry and Financial Markets Association, SEC No-Action Letter (January 11, 2013). It is unclear whether similar-type relief would be extended to broker-dealers if the NPR is adopted.

[7]. These four elements are (i) the development of internal AML policies, procedures, and controls; (ii) the designation of an AML compliance officer; (iii) an ongoing employee AML training program; and (iv) an independent audit program to test AML functions.

[8]. 79 Fed. Reg. at 45,165.

[9]. Id.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:

Morgan Lewis

Morgan Lewis on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.