Practice Note - Complying With the Financial Crimes Enforcement Network’s Customer Due Diligence Rule for Issuers and Underwriters

Issue 1: Does the CDD Rule apply to capital markets transactions?

The CDD Rule applies at the time a legal entity customer⁴ opens a new “account” with a covered financial institution. Under the Bank Secrecy Act of 1970/USA PATRIOT Act, the definition of account is broad and includes any formal relationship to effect transactions in securities, among other things. Therefore, in the capital markets context, an account is viewed as any formal relationship an issuer establishes with a broker-dealer to effect transactions in securities, which arguably captures almost all firm commitment underwriting, best efforts and agency-related relationships between issuers and covered financial institutions.⁵

 FinCEN has indicated that the identification and verification requirements apply for each new account opening.⁶  However, institutions that have already obtained a certification form for a beneficial owner of the legal entity customer may rely on that information to fulfill their obligations, provided the customer certifies or confirms (orally or in writing) that such information is up to date and the institution is not aware of any facts that would call into question the reliability of the information. As a consequence, in the near term, covered financial institutions may request a new certification and verification documents, if any, for every deal even if the covered financial institution may already possess the information from a prior account opening.

Issue 2: How does the rule work? Does it apply to my issuer? Are there any exceptions? What about foreign issuers?

The CDD Rule requires covered financial institutions to identify and verify the identities of key individuals (beneficial owners) who own (directly or indirectly) and control legal entity customers of the covered financial institutions, subject to certain exceptions as further described below. It is important to note that the identification and verification requirement under both prongs applies only to beneficial owners that are individuals, whether such individuals hold interests in the legal entity customer directly or indirectly through one or more intermediaries, such as corporations, limited liability companies and partnerships.

FinCEN’s definition of beneficial ownership includes two prongs: (1) a control prong that covers individuals with significant responsibility to control, manage or direct a legal entity customer, including an executive officer, a senior manager or any other individual who regularly performs similar functions, and (2) an ownership prong covering individuals who directly or indirectly own 25 percent or more of the equity interests of a legal entity customer. The CDD Rule requires that covered financial institutions collect and verify one individual under the control prong and all individuals under the ownership prong (up to a maximum of four individuals under the ownership prong).  In certain capital market transactions, there may be only a control prong as no one individual owns more than 25 percent of the legal entity customer.

The identification and verification process that the CDD Rule requires must be completed before signing the underwriting agreement or similar transactional document.

In the capital markets context, investment banks that are covered financial institutions have complied with the rule by:

• obtaining a certificate from the issuer to obtain control person and beneficial ownership information; and
• assuming no exceptions apply, verifying the identity of the control person and each beneficial owner by, among other things, obtaining and reviewing photocopies or other reproductions of identification documents (such as a passport) for the control person and each such beneficial owner. 

Covered financial institutions have often used the beneficial ownership certificate forms developed by SIFMA, which are based on FinCEN’s form of certificate.⁷ Covered financial institutions should consult with their internal AML personnel to determine what their financial institution requires in terms of documentation related to the identification and verification of the control person and each beneficial owner.

The CDD Rule excludes certain entities from the legal entity customer definition and, thus, the application of the rule.⁸ It is important for capital markets participants to read and be familiar with the full list. The following are a few important exceptions:

• an issuer of a class of securities registered under Section 12 of the Securities Exchange Act of 1934 (the Exchange Act), or that is required to file reports under Section 15(d) of the Securities Act of 1933 (the Securities Act);
• any entity, other than a bank, whose equity securities are listed on the New York Stock Exchange or NASDAQ;
• a financial institution regulated by a federal functional regulator or a bank regulated by a state bank regulator;
• a foreign financial institution established in a jurisdiction where the regulator of such institution maintains beneficial ownership information regarding such institution; and
• certain other classes of entities, such as bank holding companies, savings and loan holding companies, state-regulated insurance companies, public accounting firms and investment companies.

This is not an exhaustive list and we encourage capital markets participants to review the full list set forth in the rules and to consult with their internal AML personnel.

Many of these exceptions exist on the theory that entities falling within these categories are subject to public disclosure and reporting requirements that require information similar to what the CDD Rule would require. While the logic may seem to apply to many foreign entities, such as entities listed on a foreign exchange or subject to reporting requirements under foreign securities law, FinCEN has, subject to one notable exception, deliberately declined to extend the exception to these categories of entities. The one notable exception is for foreign financial institutions established in a jurisdiction where the regulator of such institutions maintains beneficial ownership information regarding such institutions.

Issue 3: What is the beneficial ownership threshold for obtaining certification?

The CDD Rule generally requires identification and verification of individuals owning 25 percent or more of the equity interests of a legal entity customer. However, FinCEN has indicated that covered financial institutions may choose to implement stricter standards.⁹ For example, an institution may choose to impose a lower threshold because of its risk assessment of certain customers.

In the capital markets context, although investment banks that are covered financial institutions are required to obtain certifications at the 25 percent level, some covered financial institutions have required certification at the 10 percent level. We recommend that the covered financial institutions’ external counsel canvass all of the covered financial institutions in the syndicate at the beginning of the transaction and then request a certificate at the lowest required threshold to avoid requesting multiple certificates from the issuer. Unless it is clear, issuer’s counsel should confirm expectations with the covered financial institutions’ external counsel at the outset to avoid last minute surprises.

Issue 4: Must a certificate be obtained if the issuer is a public company or otherwise clearly falls within an exception?

Due to the record-keeping provisions in the CDD Rule and to ensure a consistent, smooth process, covered financial institutions may require a certification for all issuers, even if it is clear that the issuer falls within an exception. Form certificates based on FinCEN’s suggested certificate in the CDD Rule can be drafted to allow issuers to check a box indicating that an exception applies, obviating the need to complete the entire form.¹⁰

Issue 5: What if an issuer has very recently provided a certificate either in a recent deal or in another context?

FinCEN expects a covered financial institution to identify and verify the beneficial ownership information for a legal entity customer each time it opens a new account for that customer, regardless of the numbers of accounts opened or the time period between account openings.¹¹ However, if a covered financial institution already has information about an issuer or an identified individual obtained recently from another deal or transaction where an “account” was created, then it may rely on the information it has so long as the information is up to date and accurate and the issuer’s representative certifies or confirms (orally or in writing) that the information is up to date and still accurate. In practice, covered financial institutions may request a new certification and verification documents, if any, for every deal, even if they already possess the information from a prior account opening.

For medium-term note programs or at-the-market programs where the primary contract with the investment banks that are covered financial institutions is signed at the commencement of the program, it is unclear whether the FinCEN would view each takedown as a new account opening. However, notwithstanding that the distribution agreements or equivalent document may be signed at the beginning of the program, covered financial institutions should consider treating each takedown as a new account opening as a new engagement (often memorialized in a terms agreement) is entered into with each takedown.

Issue 6: Does an issuer need to provide a certificate to each covered financial institution engaged in a capital markets transaction?

Yes. But covered financial institutions will likely use a certification form based on the FinCEN or SIFMA form, and to ease the burden on issuers and beneficial owners, all of those institutions may be willing to accept the same certificate. The lead underwriter or agent, its external counsel and issuer’s counsel should coordinate to facilitate the single certificate approach and otherwise to ensure that the process is efficient and that each covered financial institution that requires the information will accept the single certificate, receives the certificate and receives any applicable verification document.

Issue 7: Are there privacy concerns with obtaining the information?

Yes. The CDD Rule requires covered financial institutions to obtain the name, date of birth, address and Social Security number (or, for non-U.S. persons, other government identification, such as passport number) for the control person and each beneficial owner, if applicable. In addition, covered financial institutions need to verify the identities of the control person and any beneficial owner, which generally requires, at least, obtaining a photocopy of a form of identification, such as a driver’s license or passport. Covered financial institutions should consult with their internal AML personnel regarding the institutions requirements for verification of legal entity customer information. Having access to this information presents data privacy risks to any covered financial institution, law firm or other party that obtains it, including, when applicable, the recently effective European Union General Data Protection Regulation (EU 2016/679).

In addition to consulting their internal privacy and AML personnel on the institution’s policies around privacy and AML requirements, covered financial institutions should consider taking precautions to minimize the data privacy risks to control persons and any beneficial owners who must provide this information consistent with each institution’s internal policies and procedures. Although practices may differ from deal to deal depending on the parties involved and the context, we suggest at a bare minimum that any sensitive information and verification documents be delivered directly to the applicable covered financial institutions, not through a law firm or another third party.

Issue 8: What other steps are being taken? Are representations needed in the underwriting agreement?

In the bank finance context, the LSTA promulgated inserts to credit facilities to add representations, covenants and closing conditions with respect to the CDD Rule. In the capital markets context, although representations have been added in some transactions, the documentation for most transactions has not been so modified, and the covered financial institutions have relied exclusively on the certifications provided by the issuer. Because the certifications are signed, arguably there is little incremental value in including a representation in an underwriting agreement or similar transactional document. What is more important is ensuring that reliance on the provided information is reasonable and that sufficient identity verification is performed on the beneficial owners identified in the certificate provided by the issuer consistent with prevailing know-your-customer/AML compliance practices. However, market practice is still evolving, and it may be the case that in the future, for issuers that fall within an exception to the CDD Rule, a representation in the underwriting agreement or other key transactional documents will be accepted in lieu of completing a certification.

Issue 9: Are guarantors independent legal entity customers that require a separate certification?

There is some debate about whether an account is also opened with respect to a guarantor when the securities are guaranteed. Under the federal securities law, a guarantee is a separate security from the underlying debt. Pending final resolution of this issue or clearer guidance from FinCEN, it is possible that covered financial institutions will accept one certificate that lists the issuer and all guarantors as the legal entity customer in cases where the individual beneficial owners of an issuer under the ownership and control prongs are the same for the issuer and the guarantors. Note that the analysis under the CDD Rule looks through intermediaries to beneficial owners that are individuals. However, if a guarantor is only partly owned or controlled by the issuer, a separate certification may be required for any individual beneficial owner of the guarantor that is not in common with the issuer.

Issue 10: What are the recordkeeping requirements?

Covered financial institutions must retain records of the information they obtain under the CDD Rule.¹² Their records must include, at a minimum, any identifying information (in most cases, the certificate) and a description of the verification, including a description of any documents relied on, any nondocumentary methods used and the results and the resolution of each substantive discrepancy. The identifying information (such as the certificate) must be retained for five years after the date the account is closed and the description of the verification must be retained for five years after the record is made. 

¹  See 31 CFR Section 1010.230 for the complete rule.

² Covered financial institutions include federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants and introducing brokers in commodities. See 31 CFR 1010.605(e)(1).

³ SIFMA’s memorandum may be obtained from SIFMA’s website, available here. LSTA’s market advisory may be obtained from LSTA’s website.

⁴ Subject to some very important exceptions discussed in this memo, a legal entity customer is defined as “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account.” See 31 CFR Section 1010.230(e).

⁵ See 31 CFR Section 1023.100(a)(1) (“Account means a formal relationship with a broker-dealer established to effect transactions in securities, including, but not limited to, the purchase or sale of securities and securities loaned and borrowed activity, and to hold securities or other assets for safekeeping or as collateral.”),; see also SIFMA, “FinCEN’s New Customer Due Diligence Requirements for Financial Institutions in the Context of Certain Sales of Securities” (May 7, 2018).

⁶ See Question 10 of FinCEN’s Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions (April 3, 2018), available here.

⁷ SIFMA’s form of certifications may be obtained from SIFMA’s website, available here.

⁸ See 31 CFR Section 1010.230(e)(2) for a full list of exclusions.

⁹ See Question 1 of FinCEN’s Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions (April 3, 2018), available here.

¹⁰ See note 5.

¹¹ See note 8.

¹² 31 CFR Section 1010.230(i).