The proposal would require financial institutions to identify beneficial owners of legal entities and codify existing customer due diligence guidance.
In a continuing initiative to strengthen the customer due diligence (CDD) requirements imposed on regulated financial institutions under the Bank Secrecy Act (BSA),[1] on July 30, the Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking (NPR). The primary purpose of the NPR is to propose new CDD obligations for all financial institutions that are required under the BSA to have in place anti-money laundering (AML) programs and customer identification programs (CIPs).[2] These (covered) financial institutions include banks, broker-dealers, open-end investment companies (mutual funds), futures commission merchants (FCMs), and introducing brokers in commodities (IBs). The proposed rules, if adopted, would
As a secondary objective, FinCEN also is proposing to update its regulations to codify the four current core requirements of a required financial institution’s AML program, often referred to as “pillars,” and to add a fifth “pillar” that specifically addresses CDD.
Comments on the NPR are due on or before October 3, 2014.
Background
The need for legal entity owner identification and verification under AML laws, for some time, has been a topic of discussion in the U.S. and international regulatory and law enforcement communities. Given the documented abuse of legal entities by criminal and terrorist individuals and organizations to engage in illegal or illicit activities, U.S. and international authorities have stated that the identification of persons who own legal entities that do business within the financial system is an important means of reducing the misuse of legal entities for criminal and other improper purposes.
To this end, FinCEN published an advance notice of proposed rulemaking (ANPR) in March 2012, which outlined a framework for clarifying, codifying, and strengthening existing CDD requirements.[3] The ANPR addressed customer identification procedures for understanding the nature and purpose of accounts, ongoing monitoring, and obtaining beneficial ownership information. FinCEN subsequently held multiple public hearings on the issues raised in the ANPR during 2012, with an aim to better understand commentators’ views and concerns regarding such requirements and the burdens associated with them.
The current NPR is the product of this regulatory process as well as the result of consultations among FinCEN and other interested federal financial institutions regulatory agencies (the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, Securities and Exchange Commission [SEC], and Commodity Futures Trading Commission [CFTC]). FinCEN stated that the NPR, which has core objectives of clarifying and strengthening CDD under the BSA, would advance a number of important regulatory and law enforcement purposes and support the U.S. Department of the Treasury’s efforts to “enhance financial transparency and safeguard the financial system against illicit use.”[4]
The NPR
The NPR proposes rules that would require covered financial institutions generally to identify and verify the natural person beneficial owners of legal entity customers. It also would add CDD obligations to the mandatory components of financial institutions’ BSA AML programs. As stated by FinCEN, legally sufficient CDD consists of four elements: (i) identifying and verifying the identity of customers, (ii) identifying and verifying the identity of beneficial owners of legal entity customers, (iii) understanding the nature and purpose of customer relationships, and (iv) conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. The requirement to identify and verify the identity of customers already is addressed in current CIP rules. FinCEN now proposes to codify elements (ii), (iii), and (iv) in its CIP regulations. While the legal entity beneficial owner verification requirements would be new, FinCEN also makes it clear that the two other newly codified CDD elements (understanding customer relationships and ongoing monitoring) do not represent a substantive change in covered financial institutions’ CDD obligations, saying that these elements already are required by existing regulatory and supervisory requirements.
Beneficial Ownership Identification and Verification
Key Definitions and Exclusions
The proposed rules require covered financial institutions to identify the natural persons who are “beneficial owners” of “legal entity customers,” subject to certain exemptions. These definitions and exemptions are important to understand the scope and application of the new requirements.
Definition of “Beneficial Owner”: The proposed definition of a “beneficial owner” has two separate elements, an ownership test and a control test. Under the ownership test, a beneficial owner is any individual who, directly or indirectly, through any means, owns 25% or more of the equity interests of a legal entity customer. Under the control test, the definition covers a single individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager, or any other individual who regularly performs similar functions. In effect, these two tests limit the number of beneficial owners of a legal entity customer to five individuals. This is because, as discussed in the NPR, no more than four individuals can satisfy the 25% ownership test, and only one person who meets the entity control criterion must be identified by the financial institution. In the case of legal entity customers that are owned through intermediate corporate entities, the financial institution is expected to identify the natural persons at the top level of the corporate organization who beneficially own the legal entity.
Definition of “Legal Entity Customer”: The proposed general definition of a “legal entity customer” is very broad and extends to any U.S. or foreign corporation, limited liability company, partnership, or other similar business entity that opens a new account with a financial institution.
Significantly, however, there is an extensive list of business entities that are excluded from the definition. Excluded entities include those entities that are excluded from the definition of “customer” under the current CIP rules.[5] In addition, the proposed exclusions include the following:
Three important points about the “legal entity customer” definition warrant mention:
Further, FinCEN is considering exempting unregistered, pooled investment vehicles from the definition and has asked for comment on this concept, although it has not formally proposed in the NPR to do so.
Substantive CDD Requirements
The proposed rules would require covered financial institutions to (i) identify the beneficial owners of a legal entity customer at the time of account opening and (ii) verify the beneficial owners’ identities within a reasonable time thereafter. These requirements are intended to parallel the customer identification and verification duties of covered financial institutions under the current CIP rules. Beneficial owner identification information, however, would be obtained on a new standard certification form that FinCEN proposes to create. The FinCEN form, once adopted, would enhance compliance uniformity and clarity for covered financial institutions. In general, the NPR contemplates that a person seeking to open the account would provide the completed form, which would include each beneficial owner’s name, address, date of birth, and Social Security (or passport) number.
Important points about these requirements include the following:
Changes to AML Program Requirements
As discussed above, the NPR codifies the four existing core AML program elements (or four “pillars”)[7] and adds a fifth element, namely, the requirement that a financial institution adopt risk-based procedures for conducting CDD. These procedures would expressly include, but not be limited to, understanding the nature and purpose of customer relationships and conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.
FinCEN states that it is proposing these changes to existing AML program requirements for covered financial institutions “to ensure alignment between existing AML requirements and CDD minimum standards.”[8] In so doing, FinCEN intends to make it clear that “CDD is a core element of a financial institution’s policies and procedures to guard against money laundering.”[9] In addition, because financial institutions’ AML programs must also comply with the regulations of their federal functional regulatory agencies (or, where applicable, the rules of self-regulatory organizations [SROs]) governing such programs, FinCEN believes that the incorporation of these CDD procedures into its regulations ensures that these requirements will be subject to examination and enforcement by the appropriate federal functional regulator or SRO in a manner consistent with current supervisory authorities and expectations.
Concluding Thoughts
The rules proposed in the NPR will certainly increase the CDD obligations of covered financial institutions by requiring them to obtain and verify beneficial ownership information for their legal entity clients. Financial institutions that open accounts for foreign legal entities will also face additional challenges in obtaining such information, particularly for legal entities domiciled in jurisdictions with secrecy laws. That being said, the proposed rules are not unexpected, having been proposed in concept in the ANPR, and do include some accommodations to address the concerns about burdens and practicality of implementation that were expressed during the ANPR phase of the regulatory process. It is significant that the new rules would require only the identification of natural person beneficial owners and the verification of that identity—not the status of the beneficial owners—although financial institutions nonetheless would need to be sensitive, consistent with their general risk-based CDD activities, to unusual or suspicious facts and circumstances that arise during the account opening and vetting process.
From a compliance management perspective, it is helpful that the new CDD requirements are incorporated into and aligned with the current CIP requirements. In practical terms, that means that a covered financial institution’s policies and procedures for compliance with CIP obligations, in most cases, should accommodate the new and expanded CDD obligations without too much difficulty. Also, the NPR’s proposal of a standardized CDD certification for obtaining beneficial ownership information has the benefit of taking the guesswork out of what information affected financial institutions are expected to obtain about their legal entity customers’ beneficial owners.
The proposed regulatory codification of CDD relationship knowledge and monitoring obligations into the core elements of an AML program may be more a matter of form than substance, when viewed against the backdrop of the current AML enforcement and compliance environment. All of the federal financial institution regulatory agencies that supervise covered financial institutions currently expect their regulated institutions to include these CDD procedures in their required AML programs. Under the current system, regulatory agencies will criticize—and bring enforcement actions against—financial institutions that do not include such procedures. Further, the inclusion of the additional CDD procedures in the required elements of the mandatory AML program does not change the risk-based approach that covered financial institutions are expected to use in developing and implementing these procedures, a point that the NPR makes in several places. In addition, the new regulatory requirements are also designed to align fully with existing regulatory and SRO requirements of the federal financial institutions regulatory agencies and the SROs under their oversight.
Contacts
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Washington, D.C.
Ignacio A. Sandoval
Philadelphia
Timothy W. Levin
[1]. The BSA is codified at 12 U.S.C. § 1829b; 12 U.S.C. §§ 1951–1959; 18 U.S.C. §§ 1956, 1957, 1960; and 31 U.S.C. §§ 5311–5314 and 5316–5332. The BSA’s implementing regulations are at 31 C.F.R. ch. X.
[2]. FinCEN, Customer Due Diligence Requirements for Financial Institutions, Notice of Proposed Rulemaking, 79 Fed. Reg. 45,151 (proposed Aug. 4, 2014) (to be codified at 31 C.F.R. pts. 1010, 1020, 1023, 1024, 1026), available here. Although the Federal Register version of the NPR indicates that the proposal is dated July 23, 2014, the press release accompanying the announcement of the NPR states that it was issued on July 30.
[3]. FinCEN, Customer Due Diligence Requirements for Financial Institutions, Advance Notice of Proposed Rulemaking, 77 Fed. Reg. 13,046 (Mar. 5, 2012).
[4]. 77 Fed. Reg. at 45,152.
[5]. These entities include but are not limited to (i) financial institutions that are regulated by a federal functional regulator (i.e., federally regulated banks, broker-dealers in securities, FCMs, and IBs) and state-regulated banks, (ii) federal and state government agencies and instrumentalities, and (iii) publicly held companies traded on certain U.S. stock exchanges.
[6]. Although SEC-registered investment advisers are not subject to formal AML program or CIP requirements, through a no-action letter, the SEC staff permits broker-dealers to rely on SEC-registered advisers to perform some or all of a broker-dealer’s CIP obligations under certain circumstances and subject to certain conditions. See Securities Industry and Financial Markets Association, SEC No-Action Letter (January 11, 2013). It is unclear whether similar-type relief would be extended to broker-dealers if the NPR is adopted.
[7]. These four elements are (i) the development of internal AML policies, procedures, and controls; (ii) the designation of an AML compliance officer; (iii) an ongoing employee AML training program; and (iv) an independent audit program to test AML functions.
[8]. 79 Fed. Reg. at 45,165.
[9]. Id.