Tackling the Challenges of Complying With FinCEN’s New Customer Due Diligence Rule

by Skadden, Arps, Slate, Meagher & Flom LLP

Skadden, Arps, Slate, Meagher & Flom LLP

Effective May 11, 2018, covered financial institutions1 are required to comply with the customer due diligence rule (the Rule) that the Financial Crimes Enforcement Network (FinCEN) finalized in May 2016. The Rule mandates the identification and verification of beneficial owners of legal entity customers.2

Although covered financial institutions are expected to have already implemented the requirements imposed by the Rule, the following takeaways from FinCEN’s FAQs, published on April 3, 2018, may help financial institutions tackle some of the challenges they may experience in complying with the Rule.

Managing Regulators’ Expectations, Which May Be at Odds With the Rule’s 25 Percent Ownership Threshold. Under the Rule, aside from having to identify an individual with significant managerial responsibility (the “control prong”), covered financial institutions are required to collect information on individuals, if any, who hold, directly or indirectly, 25 percent or more of the equity interests of a legal entity customer (the “ownership prong”). As financial institutions finalize their internal policies and procedures regarding beneficial ownership, they must reconcile the Rule’s 25 percent threshold with conflicting guidance and expectations from banking regulators recommending a lower ownership threshold (e.g., 10 percent), depending on customer risk. To ensure compliance with the Rule and effectively manage regulatory expectations, financial institutions will want to properly document their beneficial ownership requirements and specify the risk-based scenarios in which a lower threshold will be adopted. Financial institutions may benefit from establishing bright-line rules defining the circumstances warranting a deviation from the 25 percent threshold. For example, a financial institution may opt to impose a 10 percent threshold on legal entity customers domiciled in certain high-risk jurisdictions. Clear guidelines will facilitate compliance and ensure that standards regarding beneficial ownership are consistent throughout the institution.

Remaining Consistent in the Application of the Customer Identification Program (CIP) Requirements and the Rule. The CIP rule forms the basis for certain definitions or principles adopted by the Rule, including the definition of “account” and the requirements for customer verification. The term “account” under the Rule is defined by reference to the definition in the CIP rule, i.e., a formal banking relationship established to provide or engage in services, dealings or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit.3 Moreover, covered financial institutions must verify the identity of each beneficial owner according to risk-based procedures that contain, at a minimum, the same elements financial institutions are required to use to verify the identity of individual customers under the CIP rule. Given the interconnectedness between the CIP requirements and the Rule, financial institutions will want to remain consistent in their treatment of similar issues arising under both rules.

Relying on Exclusions From the Definition of “Legal Entity Customer.” Several types of legal entity customers are excluded from the collection and verification requirements of the Rule on the basis that beneficial ownership information for these entities is generally available from other credible sources. Some examples include financial institutions regulated by a federal functional regulator and certain issuers of securities with reporting requirements to the Securities and Exchange Commission. A financial institution may rely on information provided by the legal entity customer to determine whether the entity is excluded from the definition of a legal entity customer, provided that it has no knowledge of facts that would reasonably call into question the reliability of such information. Covered financial institutions are expected to specify, in their risk-based written policies and procedures, the type of information they will obtain to determine eligibility for exclusions.

Leveraging Information Collected on Existing Accounts to Comply With the Rule’s Requirements on New Accounts. In general, covered financial institutions must identify and verify the beneficial ownership information of a legal entity customer at the time each new account is opened, regardless of the number of accounts opened over a specific period of time. This means, for example, that if a corporate client opens 10 accounts over the course of a few days, the financial institution would have to collect beneficial ownership information with respect to each of those accounts as they are opened. However, an institution that has already collected beneficial ownership information from a legal entity customer in compliance with the Rule may rely on that information to fulfill the beneficial ownership requirement for subsequent accounts, provided that the customer certifies or confirms that such information is accurate and up-to-date at the time each subsequent account is opened and the financial institution has no knowledge of facts that would reasonably call into question the reliability of such information. The institution would also need to maintain a record of such certification or confirmation, including for both verbal and written confirmations by the customer. Similarly, if the beneficial owner of a legal entity customer is an existing customer of a financial institution and is subject to the financial institution’s CIP, the financial institution may rely on such information to fulfill the Rule’s requirements, provided the same conditions outlined above are met.

Identifying Beneficial Owners of Legal Entities Owned by Trusts. If a trust owns directly or indirectly — through any contract, arrangement, understanding, relationship or otherwise — 25 percent or more of the equity interests of a legal entity customer, one of the beneficial owners4 of the legal entity customer under the ownership prong is the trustee, regardless of whether the trustee is a natural person or a legal entity. In the event that the trustee is not a natural person, a covered institution must still collect identification information on the legal entity trustee as part of its CIP, consistent with the institution’s risk assessment and the customer’s risk profile. For example, if the equity interests of Company A are held 50 percent by a trust (whose trustee is Law Firm X), 25 percent by Individual 1 and 25 percent by Individual 2, the beneficial owners under the ownership prong would be Law Firm X, Individual 1 and Individual 2, whereas the beneficial owner under the control prong would be an individual with significant managerial responsibility. A covered financial institution would have to collect information on a total of four beneficial owners for Company A. Furthermore, where there are multiple trustees or co-trustees, financial institutions are expected to collect and verify the identity of, at a minimum, one co-trustee of a multitrustee trust who owns 25 percent or more of the equity interests of a legal entity customer that is not subject to an exclusion. A covered financial institution may choose to identify additional co-trustees based on their own risk assessment and in accordance with the institution’s account opening procedures.

Ultimately, a covered financial institution is not required to independently investigate a legal entity customer’s ownership structure and may accept and reasonably rely on the information presented by the legal entity customer regarding the status of its beneficial owners, provided that the institution has no knowledge of facts that would reasonably call into question the reliability of the information. However, financial institutions should not turn a blind eye to apparent red flags discovered through their onboarding or monitoring processes.

Applying the Rule to Loans, Certificates of Deposit (CD) and Other Similar Financial Products. Given that each time a loan is renewed or a certificate of deposit is rolled over, a financial institution initiates another formal banking relationship and a new account is established, covered financial institutions must obtain certified beneficial ownership information of the legal entity customers of such products and services at the time of the first renewal or rollover that occurs on or after May 11, 2018. For each subsequent renewal, however, to the extent that the legal entity customer and the financial service or product (e.g., loan or CD) remains the same, the customer certifies or confirms that the beneficial ownership information previously obtained is accurate and up-to-date, and the institution has no knowledge of facts that would reasonably call into question the reliability of the information, the financial institution would not be required to collect beneficial ownership information again. Moreover, because FinCEN has recognized that loan renewals or CD rollovers are not generally treated as new accounts by the industry and the risk of money laundering is very low, if at the time the customer certifies its beneficial ownership information, it also agrees to notify the financial institution of any change in such information and the agreement is documented by the institution, the agreement can be considered the certification or confirmation for as long as the loan or CD remains outstanding.

Addressing Customer Evasion or Attempted Evasion of Beneficial Ownership Requirements. A covered financial institution with notice of or reasonable suspicion that a customer is evading or attempting to evade beneficial ownership or other customer due diligence requirements should consider whether it should not open an account, close an existing account or file a suspicious activity report, consistent with its risk assessment and internal policies and procedures. 


1 Covered financial institutions include banks, securities brokers or dealers, mutual funds, futures commission merchants and introducing brokers in commodities.

2 See our May 16, 2016, client alert, “FinCEN Finalizes Customer Due Diligence Rule Amid Other Actions to Enhance Financial Transparency.”

3 “Account” also includes a relationship established to provide a safety deposit box or other safekeeping services, or cash management, custodian and trust services. “Account” does not include (i) a product or service where a formal banking relationship is not established with a person, such as check-cashing, wire transfer, or sale of a check or money order; (ii) an account that the bank acquires through an acquisition, merger, purchase of assets or assumption of liabilities; or (iii) an account opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.

4 The legal entity customer may have additional beneficial owners under the ownership prong, depending on its ownership structure.

Download pdf

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising

Written by:

Skadden, Arps, Slate, Meagher & Flom LLP

Skadden, Arps, Slate, Meagher & Flom LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.