On July 30, 2014, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (the Proposed Rule) to clarify and strengthen customer due diligence (CDD) requirements as a fifth pillar under the Bank Secrecy Act (BSA) for banks and other covered financial institutions. Under the Proposed Rule, covered financial institutions would be required for the first time to identify and collect information on the beneficial owners of their legal entity customers.
U.S. policymakers, including Treasury,1 seeking to balance privacy2 concerns with transparency and alignment with the Financial Action Task Force (FATF) recommendations,3 United States G-8 Action Plan for Transparency of Company Ownership and Control4 and pending rulemaking at the European Union,5 have proposed a risk-based approach, to be adopted by a covered financial institution’s board of directors. The four elements of the CDD in the Proposed Rule align with the approach set out in the FATF recommendations.
The Proposed Rule follows the March 5, 2012 issuance of an Advance Notice of Proposed Rulemaking by FinCEN regarding CDD, and included input from the financial services industry, lawmakers and policymakers. The Proposed Rule, and related guidance that followed, make it clear that the financial industry must cooperate in illuminating the less-than-transparent world of corporate ownership. The Proposed Rule and subsequent guidance make it clear that the board of directors and senior executive officers of a covered financial institution are responsible for adopting CDD procedures that are efficacious with respect to the institution’s current mix of products, services and customers, and that those procedures must be tested by an independent and competent party. Before a board approves the distribution of a new line of products and services, or the acquisition of an entity that has a mix of products, services, and customers that represent a new level of risk, it must independently test the current AML system and controls to confirm that the existing control environment is sufficiently robust to handle the new risks.
The key thrust of the Proposed Rule is that, for the first time, U.S. banks, brokers, dealers, mutual funds, commodity futures merchants and introducing brokers must have systems in place to: (i) collect information and (ii) maintain records of the information on individuals who hold 25 percent or more of an interest in a customer or who otherwise control the customer. Bank customers should be prepared to cooperate regarding information requests that are or will be made by covered financial institutions.
In promulgating the Proposed Rule, FinCEN designates four core elements as being critical to CDD within an effective BSA/AML program:
1) identifying and verifying the identity of customers
2) identifying and verifying the beneficial owners of legal entity customers
3) understanding the nature and purpose of customer relationships, and
4) conducting ongoing monitoring to maintain and update customer information and identify and report suspicious transactions.
FinCEN acknowledges that the first, third and fourth elements are already addressed by the Customer Identification Program (CIP) and other regulatory requirements imposed under current BSA/AML regulations, and it makes a pointed effort to reinforce their importance. The second element commands more of FinCEN’s attention because it would be established under a new section of the BSA/AML regulations. For compliance with the second element, the Proposed Rule would require covered financial institutions to revise onboarding procedures covering legal entity customers to identify their beneficial owners and, to the extent practicable, verify the identities of those owners by the same risk-based methodology employed for verifying customers who are individuals.
In the interest of reducing compliance burden, the Proposed Rule includes in an appendix a standard certification form for verifying the identity of beneficial owners. This Certification Regarding Beneficial Owners of Legal Entity Customers would standardize collection of beneficial ownership information and permit reliance on the information obtained from an individual when the financial institution opens a new account for a legal entity customer.
The Proposed Rule is open for a 60-day comment period, beginning August 4, 2014, and FinCEN particularly seeks comment from the financial services industry concerning:
- whether financial institutions should be subject to a mandated timeframe for updating beneficial ownership information, and
- if a definition of a “customer-risk profile” is needed.
The effective date of the Proposed Rule, once adopted, is expected to be one year from the publication of the final rule.
- Bank customers should anticipate that a covered institution’s due diligence process will become more rigorous even before the rule becomes final. State and federal prosecutors have recently been critical of opaque corporate structures that have obscured the true ownership of corporate entities, particularly in business lines that regulators consider as high risk. Prosecutors have complained that such structures have hindered their ability to track down and prosecute the individuals that control corporate entities in high-risk businesses. As a result, some covered financial institutions have begun increasing their due diligence.
- Independent and competent testing of a covered financial institution’s BSA/AML compliance program is mandatory. When embarking on distribution of new products and services or acquisition of an entity that distributes products and services with a riskier profile, it is mandatory to conduct independent testing of the control environment to confirm that controls are in place before the covered entity assumes responsibility for distributing products with a riskier profile.
- CDD, along with collection of customer information and monitoring of accounts and relationships, has always been part of an AML program. We suspect the elevation of CDD to a fifth pillar is meant to suggest to senior executives and board members that CDD is now an explicit requirement subject to enforcement if CDD program failure occurs.
- FinCEN’s Proposed Rule will require changes to legal entity customer onboarding procedures at financial institutions at a time when other regulatory agencies are also taking actions affecting the onboarding of certain customers. For example, the OCC recently revised certain of its guidance to clarify financial institutions’ onboarding procedures for third-party payment processor customers.
- A CIP-exempt customer must be monitored, as the customer’s activity and risk level can change over time.
- One major concern expressed by many financial institutions in hearings and comments leading up to the issuance of the Proposed Rule was that verifying the status of a person as a beneficial owner of an entity would often be prohibitively costly and impracticable. FinCEN has accommodated this concern by requiring financial institutions solely to verify the identity of beneficial owners consistent with existing CIP practices.
- Just as a financial institution may rely on another financial institution to conduct CIP procedures for a shared customer, so the Proposed Rule allows similar reliance for identification and verification of beneficial owners, including completion of the standard certification form.
- The Proposed Rule would apply only to legal entity customers that open new accounts after the effective date (i.e., one year after the final regulation is published) and would not require financial institutions to look back at pre-existing accounts. However, if the risk profile of an existing customer changes and requires enhanced due diligence (EDD), it would be prudent to go back and complete the new form and then move on to perform EDD on the customer.
- Tracking existing CIP guidance, FinCEN has decided to exempt from the beneficial owner requirements accounts maintained by trusts, as well as accounts maintained by intermediaries for the primary benefit of others. However, FinCEN appears to be inclined to apply those requirements, at least in some modified form, to pooled investment vehicles, such as hedge funds.
- Pepper lawyers have been very active in counseling and defending clients with respect to the Bank Secrecy Act.
- Freeh Group International Solutions, LLC has significant experience designing AML systems as well as performing independent review and monitoring of AML systems including AML system “look back” reviews required by prudential regulators.
1 See: FinCEN Advisory to United States Financial Institutions on Promoting a Culture of Compliance. On August 11, 2014, FinCEN further sharpened its focus on eradicating shortcomings in BSA/AML compliance programs by issuing Advisory FIN-2014-A007, which encourages financial institutions to strengthen their BSA/AML compliance culture through promotion of active leadership, elevation of deficiency mitigation over revenue interests, sharing of relevant departmental information with compliance staff, adequate funding of the compliance function, independent and competent testing of the compliance program, and thorough training of all personnel. http://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2014-A007.pdf.
Also see: August 12, 2014 remarks of Jennifer Shasky Calvery, Director, FinCEN to 2014 Mid-Atlantic AML Conference, Washington, DC (http://www.fincen.gov/news_room/speech/pdf/20140812.pdf).
Also see: Comment by FDIC’s Associate Director of AML, Lisa Arquette (August 12, 2014): “Searching for revenue, banks are taking on products and services, even acquisitions that they don’t have AML controls in place to handle.”
Also see: Pepper Hamilton Financial Services Client Alert: “One Big Misunderstanding: FDIC Clarifies that Caution on Higher-Risk Activity Is Not a Prohibition on Third-Party Payment Processor Relationships” (August 5, 2014).
2 FinCEN has decided to exempt from the beneficial owner requirements accounts maintained by trusts, as well as accounts maintained by intermediaries for the primary benefit of others. However, FinCEN appears to be inclined to apply those requirements, at least in some modified form, to pooled investment vehicles, such as hedge funds. The debate over the degree of transparency that should be accorded beneficial ownership is not new. Its roots reach back at least as far as the evolution of the privacy provisions of the Gramm-Leach-Bliley Act, which witnessed a concerted effort to balance the need to have financial institutions inform trust beneficiaries of their right to privacy as “customers” of a bank, therefore requiring a bank to issue privacy notices and “opt out rights,” against the recognition that such an approach might violate the good and legal purpose the trust settlor had in mind in concealing from the beneficiaries the existence of the trust.
3 FATF is an independent inter-governmental body that includes the United States as a member. FATF is due to evaluate the United States in late 2015 or 2016, respecting United States standards of anti-money laundering and counter-terrorist financing. In 2006, FATF found that the United States did not have appropriate requirements in place to require covered financial institutions to assess the risk of the business relationships of customers or beneficial owners of customers to prevent the misuse of the financial system and that the United States should strengthen its customer identification requirements, particularly in the identification of beneficial owners.
4 United States G-8 Action Plan for Transparency of Company Ownership and Control (White House press release, June 18, 2013).
5 The European Parliament on March 11, 2014 adopted the EU’s proposed Fourth Anti-Money Laundering Directive, which will require the ultimate owners of companies and trusts to be listed in public registers in EU countries.