On August 4, 2014, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) published a Notice of Proposed Rulemaking (“NPRM”) that would amend existing Bank Secrecy Act (“BSA”) regulations to clarify and strengthen customer due diligence (“CDD”) obligations for banks, securities broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities (collectively, “covered financial institutions”).
In drafting the modifications, FinCEN clearly took into consideration comments responding to its February 2012 Advance Notice of Proposed Rulemaking (“ANPRM”), as the current proposal appears narrower and somewhat less burdensome on financial institutions. Comments on the proposed rulemaking are due October 3, 2014.
Under the NPRM, covered financial institutions would be obligated to collect information on the natural persons behind legal entity customers (beneficial owners), and the proposed rule would make CDD an explicit requirement. If adopted, the NPRM would amend FinCEN’s AML program rule (the four pillars) by making CDD a fifth pillar.
Elements of the Proposed Rule
FinCEN views CDD as consisting of four core requirements: (i) identifying and verifying the identity of customers; (ii) identifying and verifying the identity of beneficial owners of legal entity customers; (iii) understanding the nature and purpose of customer relationships; and (iv) conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.
FinCEN’s existing regulatory requirements already expressly require covered financial institutions to identify and verify the identity of their customers as part of a CIP. And, with respect to its third and fourth CDD compliance program pillars – understanding the nature and purpose of an account and conducting ongoing monitoring – FinCEN contends its proposed rule in effect codifies pre-existing expectations consistent with current suspicious activity reporting obligations that were not elsewhere explicitly included in its own regulations. FinCEN maintains that the only truly new requirement being proposed as a separate provision is the obligation to identify the natural persons who are beneficial owners of legal entity customers (e.g., corporations, limited liability companies, partnerships, and other similar business entities, but excluding trusts unless created through a filing with a state).
“Beneficial Owners” Defined
Under the proposed rule, “beneficial owner” is defined by two independent prongs. Under the ownership prong, a beneficial owner is each individual “who, directly or indirectly . . . owns 25 percent or more of the equity interests of a legal entity customer.” Under the control prong, a beneficial owner is an individual “with significant responsibility to control, manage or direct a legal entity customer,” including an executive officer, senior manager or other individual who regularly performs similar functions.
The two prongs operate independently, meaning a covered institution would be required to identify and verify any individuals who satisfy either prong. Accordingly, under the ownership prong, a covered institution could be required to identify a maximum of four individuals if they each owned 25% of the legal entity, or the institution may not have to identify any individuals under this prong if no natural person reaches that 25% threshold. But regardless of how many individuals are named under the ownership prong, a covered institution must identify at least one individual under the control prong. In cases where an individual is both a 25% owner and meets the definition for control, that same individual could be identified as a beneficial owner under both prongs.
FinCEN reiterated that the proposed CDD requirements, including the beneficial ownership requirement, are intended to set forth minimum due diligence obligations. Therefore, if a financial institution determines, based on its own assessment of risk, that a lower ownership threshold, such as ten percent, is warranted, the financial institution is not precluded from identifying those individual owners and verifying their identity according to their current CIP procedures. Similarly, a financial institution may also identify other individuals that technically fall outside the proposed definition of “beneficial owner,” but may be relevant to mitigate risk (e.g., where an institution is aware of multiple individuals with independent holdings who are acting in concert with each other to structure their ownership interest to avoid the 25% threshold, or an individual that holds a substantial debt position).
Requirement to Identify and Verify Beneficial Owners
FinCEN recognized industry concerns regarding the difficulty of verifying that a natural person is, in fact, a beneficial owner of a legal entity, especially where the legal entity customer has a complex legal structure with multiple levels of ownership. Accordingly, FinCEN is not proposing that covered financial institutions verify the status of beneficial owners, as it proposed in its ANPRM. Rather, a covered financial institution is only required to verify the identity of beneficial owners. In this regard, FinCEN expects financial institutions to be able to rely generally on the representations of the customer.
For this purpose, FinCEN has proposed using a standard certification form that an individual opening an account on behalf of the legal entity customer is required to complete at the time of account opening. The form would require the individual opening the account: (i) to identify all beneficial owners of the legal entity customer by providing each beneficial owner’s name, date of birth, address, and social security number (passport number and country of issuance if a foreign person); and (ii) to certify, to the best of his or her knowledge, that the information provided is complete and correct. FinCEN believes use of a standard form provides clarity and consistency among covered financial institutions as to what is expected of them.
Impact on Trusts
Most trusts, unless created through a filing with a state, do not fall within FinCEN’s definition of “legal entity customer” and are therefore not subject to this proposed beneficial ownership requirement. However, the decision not to propose specific requirements in the context of trusts does not mean that FinCEN necessarily considers trusts to pose a reduced money laundering or terrorist financing risk relative to the business entities included within the definition of “legal entity customer.” Rather, FinCEN notes that a signatory on a trust account will necessarily be the trustee, who is already required by law to control the trust assets (including financial institution accounts) and to know the beneficiaries and act in their best interest. And financial institutions generally also identify and verify the identity of the trustee. In other words, financial institutions are already taking a risk-based approach to collecting information with respect to individuals for the purpose of knowing their customers. Therefore, FinCEN expects financial institutions to continue these practices and will consider additional rulemaking or guidance to strengthen or clarify this expectation.
Treatment of Intermediaries
For purposes of the beneficial ownership requirement, the NPRM does not require covered financial institutions to identify the beneficial owners of an intermediary’s underlying clients if the financial institution has no CIP obligation with respect to those underlying clients. It should treat the intermediary itself as the legal entity customer.
Existing Elements of an AML Program
The third element of the proposed CDD requires financial institutions to understand the nature and purpose of customer relationships in order to develop a customer risk profile. In FinCEN’s view, this element should not necessarily require modifications to existing practices or customer onboarding procedures, and FinCEN does not expect financial institutions to ask each customer for a statement as to the nature and purpose of the relationship or to collect information not already collected pursuant to existing requirements. Instead, the purpose is to clarify existing expectations required in order to comply with obligations to report suspicious activity and maintain an effective AML program. As a result, FinCEN believes that institutions should already be complying with this requirement as an essential step in suspicious activity reporting requirements.
The fourth element of the proposed CDD requires financial institutions to conduct ongoing monitoring for purposes of maintaining and updating customer information and identifying and reporting suspicious activity. As with the above element, FinCEN believes this requirement is also consistent with existing suspicious activity monitoring and reporting “as a practical matter.” FinCEN notes that these are minimum standards that should not lower or reduce expectations established by federal functional regulators.
Purpose of Proposal
FinCEN believes that clarifying and strengthening CDD requirements for U.S. financial institutions, specifically the obligation to identify beneficial owners, will enhance the ability of law enforcement to conduct financial investigations and regulatory examinations; increase the ability of financial institutions, law enforcement, and the intelligence community to identify the assets of terrorists and other national security threats; help financial institutions mitigate risk; facilitate reporting in support of the Foreign Account Tax Compliance Act (“FATCA”); and promote consistency in implementing and enforcing CDD regulatory expectations.
The proposed rule will enhance financial transparency in multiple ways. It will increase the availability of beneficial ownership information to law enforcement and thereby assist law enforcement investigations. It will increase the ability of financial institutions and law enforcement to identify the assets of illicit actors, and further help financial institutions better assess and mitigate risk. The proposed CDD rule will also strengthen consistency in the application of FinCEN’s regulations across industry sectors.
Moreover, FinCEN states that requiring legal entities seeking access to financial institutions to disclose identifying information, such as the name, date of birth, and social security number of a natural person, will make such entities more transparent, and thus less attractive to criminals and those who assist them.
FinCEN’s measure coincides with its recent efforts to address shortcomings identified in recent AML and BSA enforcement actions by improving internal BSA/AML compliance programs. On August 11, for example, FinCEN issued Advisory FIN-2014-A007 in which it recommended that institutions create a “culture of compliance” by ensuring that: (i) leadership actively supports and understands compliance efforts; (ii) efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests; (iii) relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts; (iv) the institution devotes adequate resources to its compliance function; (v) the compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and (vi) leadership and staff understand the purpose of its BSA/AML efforts and how its reporting is used. This guidance follows public remarks by FinCEN Director Jennifer Shasky Calvery and other financial regulators and enforcement authorities calling for stronger compliance cultures. Director Shasky Calvery reinforced that message in an August 12, 2014 speech by asserting that, in the enforcement matters she has seen, a culture of compliance “could have made all the difference.”
Impact of Proposal
Financial institutions that are subject to the NPRM should consider if the requirements that FinCEN believes are currently part of CIP and ongoing monitoring are in fact taking place within their compliance programs, or if the codification of the third and fourth elements of the CDD requirements imposes obligations beyond what the financial institution currently has in place. In addition, covered financial institutions will not only have to implement processes to obtain beneficial owner information of legal entities, but also determine how to maintain and monitor that information and what other impact the fact of having and maintaining that information will have on existing transaction monitoring and suspicious activity obligations. Finally, those not yet covered by the rule, such as money services businesses (“MSBs”), casinos and insurance companies, may wish to comment as the NPRM specifically considers applying the rule to other entities not currently subject to CIP requirements, such as these, in the future.
Request for Comments
FinCEN invites comments on all aspects of the proposed rule, and specifically with respect to: the proposed definitions of “beneficial owner,” “equity interests,” and “legal entity customer;” proposed exemptions from the beneficial ownership rule; whether pooled investment vehicles should be exempt; whether a mandated timeframe for updating beneficial ownership information should be implemented; and whether the effective date of one year from the date of issuance of the final rule is sufficient for financial institutions to comply. Comments on the proposal are due October 3, 2014.
Questions regarding the matters discussed may be directed to any of our lawyers listed in this alert, or to any other Orrick attorney with whom you may have consulted in the past.