- identifying and verifying the identity of customers;
- identifying and verifying the identity of beneficial owners of legal entity customers, subject to certain exceptions;
- understanding the nature and purpose of customer relationships to develop a customer risk profile; and
- ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information.
FinCEN explains in the Final Rule that clarifying and strengthening the CDD regime serves various purposes, such as: assisting financial investigations by law enforcement; enhancing the ability to identify the assets and accounts of criminals; improving a financial institution’s ability to assess and mitigate risk and comply with existing requirements; facilitating reporting and investigations in support of tax compliance, including compliance with the Foreign Account Tax Compliance Act (FATCA); and promoting consistency in CDD expectations across and within financial sectors. Additionally, the Final Rule is one component of the U.S. Treasury Department’s broader three-part strategy to enhance financial transparency of legal entities. Other components of this strategy include (1) collection of beneficial ownership information on U.S. legal entities at the time of the entity’s formation and (2) facilitating global implementation of international standards regarding CDD and beneficial ownership of legal entities.
- extending the implementation period from one year to two years from the date on which the Final Rule is issued;
- permitting financial institutions to obtain beneficial ownership information by means other than the standard certification form;
- revising the definition of “legal entity customer” and expanding the list of entities that are excluded from the definition of legal entity customer; and
- modifying the standard certification form to include, among other things, titles of the individual submitting the certification and the beneficial owner with significant managerial responsibility, the address of the legal entity customer and clarification of address requirements.
Starting on the Applicability Date, Covered Financial Institutions must implement written procedures that are reasonably designed to identify and verify the identities of beneficial owners of legal entity customers at the time a new account is opened, subject to certain exceptions.
Covered Financial Institution
Covered Financial Institutions include financial institutions that are subject to a CIP requirement, such as banks, U.S. branches and agencies of foreign banks, federally insured credit unions, saving associations, Edge Act corporations, brokers or dealers in securities, futures commission merchants and introducing brokers in commodities. Some financial institutions such as money services businesses are not yet covered, but FinCEN has indicated that it may extend the CDD requirements to other types of financial institutions in the future.
- Under the ownership prong, a beneficial owner is each individual (if any) who, directly or indirectly, owns 25 percent or more of the equity interests of a legal entity customer.2 This prong would require identification of no more than four individuals and, if no individual meets the 25 percent threshold, no individuals would need to be identified.3
- Under the control prong, a beneficial owner is a single individual with significant responsibility to control, manage or direct a legal entity customer, including (i) an executive officer or senior manager (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President or Treasurer) or (ii) any other individual who regularly performs similar functions.
There may be instances where 25 percent or more of the equity interests of a legal entity customer are not ultimately owned by any individual, but are owned by an entity excluded from the definition of legal entity customer (an “excluded legal entity” as defined below). Covered Financial Institutions are not required to identify an individual under the ownership prong in such cases. On the other hand, if 25 percent or more of the customer’s equity interests are owned by a trust (other than a statutory trust), the trustee should be treated as the beneficial owner under the ownership prong.
Legal Entity Customer
The Final Rule defines “legal entity customer” as a corporation, limited liability company or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account. Such definition includes limited partnerships and business trusts that are created by a filing with a state office. Legal entity customers do not include sole proprietorships, unincorporated associations, trusts (other than statutory trusts that are created through a state filing)4 or natural persons opening accounts on their own behalf.
- a financial institution regulated by a Federal functional regulator or a bank regulated by a State bank regulator;
- a department or agency of the United States, of any State, or of any political subdivision of any State;
- any entity established under the laws of the United States, of any State, or of any political subdivision of any State, or under an interstate compact between two or more States, that exercises governmental authority on behalf of the United States or any such State or political subdivision;
- any entity (other than a bank) whose common stock or analogous equity interests are listed on the New York, American5 or NASDAQ stock exchange (each, a Listed Entity);
- any entity organized under the laws of the United States or of any State and at least 51 percent of whose common stock or analogous equity interest is owned by a Listed Entity;
- an issuer of a class of securities registered under section 12 of the Securities Exchange Act of 1934 or that is required to file reports under section 15(d) of that Act;
- an investment company, as defined in section 3 of the Investment Company Act of 1940, that is registered with the Securities and Exchange Commission (SEC) under that Act;
- an investment adviser, as defined in section 202(a)(11) of the Investment Advisers Act of 1940, that is registered with the SEC under that Act;
- an exchange or clearing agency, as defined in section 3 of the Securities Exchange Act of 1934, that is registered under section 6 or 17A of that Act;
- any other entity registered with the SEC under the Securities Exchange Act of 1934;
- a registered entity, commodity pool operator, commodity trading advisor, retail foreign exchange dealer, swap dealer or major swap participant, each as defined in section 1a of the Commodity Exchange Act, that is registered with the Commodity Futures Trading Commission;
- a public accounting firm registered under section 102 of the Sarbanes-Oxley Act;
- a bank holding company, as defined in section 2 of the Bank Holding Company Act of 1956 (12 U.S.C. 1841) or savings and loan holding company, as defined in section 10(n) of the Home Owners’ Loan Act (12 U.S.C. 1467a(n));
- a pooled investment vehicle that is operated or advised by a financial institution that is an Excluded Legal Entity;
- an insurance company that is regulated by a State;
- a financial market utility designated by the Financial Stability Oversight Council under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010;
- a foreign financial institution established in a jurisdiction where the regulator of such institution maintains beneficial ownership information regarding such institution;
- a non-U.S. governmental department, agency or political subdivision that engages only in governmental rather than commercial activities; and
- any legal entity only to the extent that it opens a private banking account subject to 31 C.F.R §1010.620.
- a pooled investment vehicle that is operated or advised by a financial institution that is not an Excluded Legal Entity (such as non-U.S. managed mutual funds, hedge funds and private equity funds); and
- any legal entity that is established as a nonprofit corporation or similar entity (including a charitable, nonprofit, not-for-profit, nonstock, public benefit or similar corporation) and has filed its organizational documents with the appropriate State authority as necessary.
The beneficial ownership requirements apply to new accounts. A “new account” means each account (as defined in the CIP rules) opened at a Covered Financial Institution by a legal entity customer on or after the Applicability Date. Covered Financial Institutions are not expected to apply the requirements retroactively to customers with existing accounts on that date. However, unlike the CIP rules which exempt existing customers that open new accounts, the beneficial ownership rules apply to existing customers that open a new account on or after the Applicability Date. Moreover, as noted below, if a Covered Financial Institution learns as a result of normal monitoring activities that the beneficial ownership of an existing legal entity customer may have changed, the institution is required to take steps to identify the beneficial owner at that time.
- at the point-of-sale to provide credit products, including commercial private label credit cards, solely for the purchase of retail goods and/or services at the associated retailers, up to a limit of US$50,000;6
- to finance the purchase of postage and for which payments are remitted directly by the financial institution to the provider of the postage products;
- to finance insurance premiums and for which payments are remitted directly by the financial institution to the insurance provider or broker; or
- to finance the purchase or leasing of equipment and for which payments are remitted directly by the financial institution to the vendor or lessor of this equipment.
Identification and Verification Requirements
- Identify the beneficial owners of each legal entity customer (unless the entity is excluded or account is exempted) at the time a new account is opened, by either (1) obtaining a certification in the form provided in Appendix A of the Final Rule (the “Certification”) from the individual opening the account on behalf of the legal entity or (2) obtaining from the individual the information required on the Certification by another means, provided that the individual certifies that, to the best of his or her knowledge, the information is accurate. These records may be retained electronically and incorporated into existing databases as part of the overall management of customer files, subject to the recordkeeping obligations noted below.
- Verify the identity of such beneficial owners according to existing risk-based CIP rules and procedures for individuals within a reasonable time after the account is opened. In the case of documentary verification, the financial institution may rely on photocopies or other reproductions of identity documents. However, Covered Financial Institutions should conduct their own risk-based analyses of the types of photocopies or reproductions they will accept so that such reliance is reasonable.7
Use of Beneficial Ownership Information
Beneficial ownership information should be used in a similar manner as information that is collected through CIP, including for compliance with Office of Foreign Assets Control (OFAC) regulations and currency transaction reporting (CTR) aggregation requirements. For example, Covered Financial Institutions should use beneficial ownership information to ensure they do not establish accounts or engage in prohibited transactions involving persons appearing on the Specially Designated Nationals and Blocked Persons List (SDNs) or any entity that is 50 percent or more owned, in the aggregate, by one or more SDNs. Covered Financial Institutions may also need to aggregate multiple currency transactions for CTR reporting where legal entity customers under common ownership are not being operated independently from each other or their primary owner (for example, where such entities share common employees and are frequently used to pay each other’s expenses or the personal expenses of their primary owner). Covered Financial Institutions should also develop risk-based procedures to determine whether or when additional screening of beneficial owner names for negative media would be appropriate.
Covered Financial Institutions must maintain records of all beneficial ownership information obtained for legal entity customers, including: (1) any identifying information and the Certification, if obtained; and (2) a description of any document relied on for identity verification (noting the type, identification number, place of issuance and, if any, date of issuance and expiration), a description of any non-documentary methods and the results of such measures, and the resolution of any substantive discrepancies. Identification records must be retained for five years after the date the account is closed, and verification records must be retained for five years after the record is made.
Reliance on Another Financial Institution
Covered Financial Institutions may rely on another financial institution, including an affiliate, to perform the beneficial ownership requirements with respect to any legal entity customer that has opened an account or established a relationship with the other financial institution. Such reliance is permitted under the same conditions set forth in applicable CIP rules: (1) it must be reasonable under the circumstances; (2) the other financial institution must be subject to a rule implementing the AML program requirement and be regulated by a Federal functional regulator; and (3) the other financial institution must enter into a contract requiring it to certify annually to the Covered Financial Institution that it has implemented its AML program and will perform the specified beneficial ownership requirements.
Amendments to AML Program Requirements: The “Five Pillars”
The Final Rule revises FinCEN’s existing AML program requirements for Covered Financial Institutions8 by expressly incorporating the traditional four pillars: (1) the establishment of internal policies, procedures and controls reasonably designed to achieve compliance with the Bank Secrecy Act and its implementing regulations; (2) the designation of a compliance officer responsible for monitoring day-to-day compliance with the program; (3) independent testing of compliance; and (4) training for appropriate personnel.
In addition, the Final Rule includes a fifth pillar to explicitly cover the third and fourth elements of CDD. Specifically, the fifth pillar requires appropriate risk-based procedures for conducting ongoing CDD, including but not limited to:
- understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile (the third element of CDD); and
- conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including beneficial owner information of legal entity customers) (the fourth element of CDD).
Understanding the Nature and Purpose of Customer Relationships
The third element of CDD requires Covered Financial Institutions to understand the nature and purpose of customer relationships in order to develop a customer risk profile.
FinCEN takes the position that, in order for Covered Financial Institutions to comply with existing requirements to identify and report suspicious activity, they must understand the nature and purpose of the customer relationship, including the types of transactions in which the customer would normally be expected to engage. In some circumstances, a Covered Financial Institution may understand the nature and purpose of a customer relationship based on information such as the type of customer, the type of account, the service or product used, or other basic information such as the customer’s annual income, net worth, domicile, principal occupation or business, and history of activity. A “customer risk profile” is the information gathered about a customer to develop the baseline against which customer activity is assessed for suspicious transaction reporting. The customer risk profile may, but is not required to, include a system of risk ratings or categories of customers.
Covered Financial Institutions may integrate the customer risk profile into their transaction monitoring systems or use such information to determine whether a particular flagged transaction is suspicious. FinCEN understands that many institutions use the information to investigate suspicious activity triggered by transaction monitoring (i.e., after and not necessarily concurrent with transaction monitoring).
The fourth element of CDD requires Covered Financial Institutions to conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. As with the third element, FinCEN believes that current industry practice to comply with existing expectations for suspicious activity reporting should already satisfy this requirement. Covered Financial Institutions are expected to have sufficient controls and monitoring systems to detect and report suspicious activity.
The obligation to update customer information (including beneficial ownership information) is generally triggered only when, during the course of its normal monitoring, a Covered Financial Institution becomes aware of information relevant to assessing or reevaluating the risk posed by the customer. Such information could include, for example, a significant and unexplained change in customer activity or possible change in the customer’s beneficial ownership. The Final Rule makes clear that the updating requirement is event-driven; Covered Financial Institutions are not expected to update customer information on an ongoing or regular basis. The updating of customer information applies to both customers with new accounts and customers with existing accounts on the Applicability Date.
The long-awaited Final Rule may still present some operational challenges to implementation, as well as heightening the expectations of regulators with respect to CDD practices within institutions. Financial institutions that are covered by the Final Rule should review their existing AML and CDD policies, procedures and systems to identify any gaps and determine what modifications and enhancements will be necessary to comply with the Final Rule.
1 80 Fed. Reg. 80308 (Dec. 24, 2015).
2 The term “equity interests” is not defined but, according to the Final Rule, should be interpreted broadly to apply to a variety of different legal structures and ownership situations.
3 The 25 percent threshold is consistent with that of many foreign jurisdictions, including EU Member States, and with the FATF standard. Covered Financial Institutions are not required to affirmatively investigate whether equity holders are attempting to evade the 25 percent reporting threshold, but, if staff know or have reason to suspect such behavior, they may need to file a suspicious activity report.
4 According to FinCEN, a trust is a contractual arrangement between the person who provides the funds or other assets and specifies the terms (i.e., the grantor or settlor) and the person with control over the assets (i.e., the trustee), for the benefit of those named in the trust deed (i.e., the beneficiaries). FinCEN notes that identifying a “beneficial owner” from among these parties based on the definition would not be possible. However, this does not supersede existing obligations regarding trusts generally. Under CIP rules, while financial institutions are not required to look through a trust to its beneficiaries, they may need to take additional steps to verify the identity of the customer, such as obtaining information about persons with control over the account. Financial institutions generally identify and verify the identity of trustees because they will necessarily be signatories on trust accounts. In certain circumstances involving revocable trusts, a bank may need to gather information about the settlor, grantor, trustee or other persons with the authority to direct the trustee or that have control over the account.
5 Currently named the NYSE MKT.
6 The reference to accounts being opened at the point of sale is not essential to the logic of the exemption, but it may create compliance questions for private label card issuers.
7 For example, a financial institution could decide that it will not accept reproductions below a certain optical resolution or reproductions transmitted via facsimile, or that it will only accept digital reproductions transmitted in certain file formats.
8 The AML program requirements are found in 31 C.F.R. §1020.210 (banks), 31 C.F.R. §1023.210 (broker-dealers), 31 C.F.R. §1024.210 (mutual funds) and 31 C.F.R. §1026.210 (futures commission merchants and introducing brokers in commodities).
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
|Joel D. Feinberg
+1 202 736 8473
|Connie M. Friesen
+1 212 839 5507
|David E. Teitelbaum
+1 202 736 8683
To receive Sidley Updates, please subscribe at www.sidley.com/subscribe.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.