June 14, 2016
On May 11, 2016, the Financial Crimes Enforcement Network (FinCEN) issued its long-awaited final rule on customer due diligence (CDD) and beneficial ownership information requirements. This final rule, coincidentally or not, has arrived in timely fashion on the heels of a massive media leak commonly referred to as the Panama Papers.1 The leak provoked public outcry over the alleged hiding of wealth from government regulation and public scrutiny through the use of shell companies, served as a reminder of the importance of international and domestic financial transparency and perhaps even helped push FinCEN’s rule to its final stage.
Financial institutions are operating in an environment of intense regulatory scrutiny regarding compliance with existing requirements. Significant portions of the new rule are framed by FinCEN as clarifications of existing regulatory and supervisory expectations, rather than new requirements. However, a careful reading of the preamble and the explicit requirements outlined below portends a difficult road to compliance and, we predict, eventual enforcement activity.
In 2006, the U.S. AML regime was rated by the intergovernmental Financial Action Task Force (FATF), as reported in its Mutual Evaluation Report (MER), as being only partially compliant with the FATF’s CDD standards and, specifically, with beneficial ownership principles. Then, in 2010, joint guidance was issued by FinCEN, the U.S. Securities and Exchange Commission (SEC) and the U.S. Commodities Futures Trading Commission (CFTC) to clarify the regulators’ expectations for obtaining beneficial ownership information, using a risk-based approach, for certain types of accounts and customer classifications.2
Later, in February 2012, FinCEN issued an Advanced Notice of Proposed Rulemaking (ANPR) to help establish a common and more prescriptive definition of a beneficial owner and collection of information.3 Shortly thereafter, in June 2013, the United States presented to the G-8 its Action Plan for Transparency of Company Ownership and Control, which set forth key principles aimed at transparency around ownership and control.4
A year later, in July 2014, the Notice of Proposed Rulemaking (NPR) was issued; it represented a departure from then-existing FinCEN regulations permitting financial institutions to exercise their own risk-based judgment when determining how to apply beneficial ownership requirements.5 After almost four years in the making, the final rule was published in May 2016. As summarized below, the new rule is mandatory for new accounts opened on or after the applicability date of May 11, 2018.
Summary of the New Rule
The final rule requires “covered institutions” to identify the beneficial owners of new legal entity customers. Covered institutions are financial institutions subject to Customer Identification Program (CIP) requirements (i.e., banks, broker-dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities). “Legal entity” customers are generally defined as entities created by filing public documents with a secretary of state or similar office, including any similar entity formed under the laws of a foreign jurisdiction.
The final rule includes an implicit concession to many industry stakeholders by expanding the number and type of exclusions from the existing definition of legal entity customer to exclude certain types of insurance companies; financial market utilities; non-U.S. government departments, agencies or subdivisions; charities and other nonprofit entities; legal entities opened for private banking services for non-U.S. persons; and non-excluded pooled investment funds vehicles (e.g., hedge funds, private equity funds). Additionally, and importantly, the final rule does not categorically exclude foreign financial institutions, but rather excludes only foreign financial institutions established in jurisdictions where the regulator of such an institution maintains the relevant beneficial ownership information. Examples of excluded foreign financial institutions may include entities governed by the Fourth European Directive, which requires that ultimate beneficial owners be listed on central registers that are accessible to obliged entities and law enforcement agencies. The final rule applies only to new legal entity customers of covered institutions. Similar to the NPR, the new rule consists of two significant components: beneficial ownership and the addition of the fifth pillar of AML compliance, which is discussed below.
Requirements to Identify Beneficial Ownership
The final rule is a significant addition to the U.S. Bank Secrecy Act/anti-money laundering (BSA/AML) regime and will better align U.S. AML standards with the FATF’s international standards. Covered institutions, as defined above, are now obligated to maintain written procedures as part of their AML compliance programs to identify a natural person owner(s) (not a legal entity) for each of their legal entity customers opening new accounts on or after the applicability date who meet the following criteria:
Depending on the circumstances, there may be cases where no one person owns 25 percent or more of the equity interest of a legal entity customer. For example, an entity may have ten owners each owning ten percent of a legal entity. In such cases, FinCEN recognizes that the beneficial ownership criteria may not be met; however, in all cases, all entities are required to meet the control prong. In cases where an individual is both a 25 percent owner and meets the control definition, that same individual can be defined as a beneficial owner under both definitions. At the time the account is opened, covered institutions are required to identify and verify, in a manner very similar to what is required under a covered institution’s CIP, the identities of the individual(s) who meet the ownership and control criteria, which can be done by using the form of Appendix A to the final rule. Additionally, records of the requisite information must be maintained.
A key component of the final rule indicates that covered institutions may rely on other financial institutions to perform the requirements to identify beneficial ownership, provided that the covered institution “… has no knowledge of facts that would reasonably call into question the reliability of the information.”6 Additionally, while the beneficial owner information obtained must be maintained, covered institutions are not required to update this information on an ongoing basis; rather, the final rule indicates that covered institutions must update this information on an event-driven basis. This, in turn, may increase the pressure to ensure that ongoing monitoring and risk assessment of customers are being performed consistently and comprehensively.
CDD as the Fifth Pillar to AML Program Requirements
As a result of the final rule, an additional CDD pillar has now been added to the original four pillars considered fundamental to an effective AML program (i.e., a system of internal controls, designation of an AML compliance officer, training and independent testing). Specifically, the fifth pillar requires covered institutions to gain an understanding of the nature and purpose of relationships to develop a customer risk profile, conduct ongoing monitoring for reporting suspicious transactions and, using a risk-based approach, maintain and update customer information.
Covered institutions are now explicitly required to update customer information, using a risk-based approach, as part of ongoing monitoring and creating a customer risk profile. This profile is expected to include information gathered during onboarding and throughout the customer relationship, on a periodic and event-driven basis, against which customer activity will be reviewed for potentially suspicious activity.
When possible, this type of customer risk profile should be integrated into an institution’s transaction monitoring system to help identify red flags and potentially suspicious activity. As noted in the ANPR and the final rule, the industry should be reminded that CIP-exempt customers are not exempt from ongoing monitoring requirements.
While the proposed rule would have required covered institutions to be in compliance with the fifth pillar within approximately one year of the rule’s issuance date, the final rule requires compliance by May 11, 2018, a concession to public commentary.
Practical Implications and Compliance Challenges Posed by the Final Rule
FinCEN repeatedly emphasizes in the preamble to the final rule that institutions should leverage existing processes, providing some relief to financial institutions in the form of a lengthened applicability runway, limitations on scope of verification, reliance, expanded exemptions and principles on risk-based approaches.
Firms with more mature AML compliance programs had in most respects already integrated many of the principles set forth in the proposed rule. The preamble contains an unprecedented message from FinCEN regarding supervisory discretion to require additional risk-based controls beyond the minimum ones prescribed; it also signals the potential for the following expectations, which will pose operational challenges to many financial institutions:
Establishing and Communicating a Single View of a Customer: The final rule includes a seemingly forgiving, yet vague, provision that generally implies that the covered institution must verify the existence of an identified beneficial owner, but not the accuracy of the information obtained. Therefore, the covered institution may rely on the information supplied by the customer, provided that the covered institution is not aware of any facts that would contradict the information provided. This poses a challenge to covered institutions because, for example, they may now be held responsible for knowledge held in one part of the organization, which may very well be detached from the CDD function responsible for obtaining beneficial ownership information on new accounts.
The rule of reliance emphasizes, among other things, the importance of seamless information sharing of beneficial ownership information across an organization. Once beneficial ownership information is collected, a covered institution should expect to apply this information consistently throughout its organization, both domestically and globally, to meet other AML program requirements, including transaction monitoring, currency transaction reporting (CTR) aggregation and Office of Foreign Assets Control (OFAC) sanction screening.
In the event that potentially suspicious information is detected, an institution has the responsibility to connect the dots and apply this information throughout the organization. For example, the beneficial ownership information may provide covered institutions with information suggesting that customers are not operating independently from one another, thus placing the onus on the institution to aggregate transactions for purposes of identifying and monitoring for potentially suspicious activity.
Ongoing Monitoring: Covered institutions will be expected to closely monitor and understand the customers’ risk profile to ensure “know your customer” (KYC) reviews are adequately performed on an event-driven basis. Covered institutions can help ensure customer profile risk is appropriately captured and monitored by building more precise baseline customer risk profiles and incorporating new information into transaction monitoring programs. Necessary enhancements may include potential remediation of existing accounts (pre-applicability date) for event-driven risk changes. Updated customer risk profiles and/or expected activity obtained and understood should then be incorporated into transaction monitoring; likewise, information obtained from transaction monitoring reviews, which may affect a customer’s risk profile, should prompt customer profile updates as appropriate.
Retroactive Application: While FinCEN requested specific commentary regarding obtaining beneficial ownership information on all existing accounts, which many industry stakeholders felt would be extremely burdensome, the final rule mandates only that covered institutions are required to obtain beneficial ownership information for accounts opened on or after the applicability date. However, the ongoing monitoring requirement explicitly required by the fifth pillar states that financial institutions should update customer profile information on an event-driven basis.
Covered institutions would then assume that if and when they detect information that would prompt them to reevaluate a customer’s risk level, such as changes in beneficial ownership status, this information should be obtained, regardless of when the account was opened. Firms which repeatedly find (or whose examiners find) weaknesses in KYC/CDD information on an event-driven basis for pre-applicability accounts will likely face increasing pressure to conduct full-blown CDD refresh reviews – a time-consuming and costly exercise.
Determining the Right Threshold: The rule allows covered institutions to establish a lower threshold than 25 percent for beneficial ownership based on their own assessment of risk. Covered institutions will need to exercise their own judgment when considering whether a lower threshold is appropriate for a portion, or all, of their customers, which, again, may lead to inconsistent practices across the industry and uncertainty as to what regulators are truly expecting.
This poses a particular challenge for U.S. branches or other U.S.-based affiliates of foreign institutions that operate under different beneficial ownership definitions and requirements. Global banks will need to identify, evaluate and ultimately reconcile beneficial ownership requirement discrepancies to ensure that global customer acceptance and assessment policies are consistently applied.
Increased Risk of De-Risking: Finalization of the new rule in the wake of the Panama Papers scandal highlights the existing and increasing risk of maintaining certain relationships when customer information is not easily obtainable. The new rule, coupled with recent data leaks, may push many institutions toward a decision that the business rewards of maintaining accounts for certain categories of customers do not justify the regulatory risk of doing so. Customer categories impacted by this dynamic may include private investment companies (PICs), trusts, remittance companies, partnerships and, to some extent, charities. Of course, the predictable but unintended consequence of regulated firms exiting these businesses is to push their financial activities deeper into the shadows. This has led to recent regulatory guidance that discourages de-risking and instead suggests that institutions implement appropriate risk-based controls for maintaining these accounts. Nevertheless, many financial institutions are finding that this guidance provides little comfort to remain in markets that don’t provide an acceptable return once regulatory risk and uncertainty are priced in.
Enforcement Risks Posed by the Fifth Pillar: The fifth pillar will create new compliance burdens for institutions, specifically around design and implementation of new controls and procedures relating to updating customer information as part of ongoing monitoring. In the event that information is detected through ongoing monitoring, which would prompt an event-driven review, and institutions fail to review and/or update customer profiles (including beneficial ownership information), we predict that regulators will take enforcement actions against covered institutions as part of the new fifth pillar. In fact, it could be argued that this trend is already underway, and the CDD pillar simply formalizes and provides some degree of clarity to existing regulatory agency expectations.
The extent of business process changes required will vary across institutions based on size, global footprint and risks posed by their customer base. Although many leading firms have implemented beneficial ownership requirements over the past several years and many are already substantially compliant with the fifth pillar in practice, it is critical for institutions to understand not only the specific requirements set forth in the final rule but also the potential consequences for noncompliance. Institutions are encouraged to begin taking the following steps now:
- Establish or refine AML-specific risk appetite statements to ensure alignment with updated risk assessment results and acceptance of certain client types and complex business structures or relationships.
- Review risk assessment methodologies and related inputs, such as customer, geographic and product/service risk rating methodologies, through the lens of beneficial ownership and CDD requirements.
- Update and evaluate current customer identification, verification and ongoing monitoring policies and procedures.
- Review and update KYC-related forms and systems to align with the new rule and to allow for a more robust rationale in justifying assigned risks associated with client profiles.
- Update training and awareness programs for front lines and compliance to help ensure consistent understanding of the rule and associated red flags.
- Perform a holistic review of enterprise-wide customer information sharing practices to evaluate the firm’s ability to consistently produce a single view of customers.
- Perform KYC systems assessments to evaluate the effectiveness of existing customer information collection practices and appropriateness of the linkage between information collected and customer risk profile results.
- Review existing transaction monitoring protocols to ensure proper use and incorporation of baseline activity and customer risk profiles.
1 Customer Due Diligence Requirements for Financial Institutions, Financial Crimes Enforcement Network, May 11, 2016; for more information, read the Panama Papers.
2 Guidance on Obtaining and Retaining Beneficial Ownership Information, Financial Crimes Enforcement Network, March 5, 2010.
3 Customer Due Diligence Requirements for Financial Institutions, Financial Crimes Enforcement Network, March 5, 2012.
4 United States G-8 Action Plan for Transparency of Company Ownership and Control, White House Office of the Press Secretary, June 18, 2013.
5 Customer Due Diligence Requirements for Financial Institutions, Financial Crimes Enforcement Network, Aug. 4, 2014.
6 Customer Due Diligence Requirements for Financial Institutions, Financial Crimes Enforcement Network, May 11, 2016.