New FinCEN Rules: Customer Due Diligence to Prevent 'Criminals, Kleptocrats, and Others' from Hiding 'Ill-Gotten Proceeds'

August 03, 2016

As part of the Obama Administration’s continuing efforts to curb money laundering and other international corruption, on July 11, 2016 the final rules on Customer Due Diligence Requirements for Financial Institutions issued by the Financial Crimes Enforcement Network (“FinCEN”) became effective.1 The rules were issued in final form in early May of 2016, and are required to be fully implemented by covered financial institutions by May 11, 2018. FinCEN has published answers to frequently asked questions regarding the Final Rule.

The rules are intended to close a significant hole in the existing regulatory scheme by requiring banks, securities broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities (collectively, “covered financial institutions”) to obtain, verify and record the identity of the beneficial owners of their legal entity customers. The desire is to eliminate the ability of “criminals, kleptocrats, and others looking to hide ill-gotten proceeds” from accessing the financial system anonymously by means of creating legal entities to hide their individual identities.

The stated purpose of the new regulations is to assist law enforcement in financial investigations, prevent evasion of the existing  anti-money laundering sanctions, assist covered financial institutions in better assessing risk, facilitate tax compliance and advance the compliance of the U.S. with international efforts to curb money laundering and other wrongdoing.

Core Elements of Due Diligence

In promulgating these new rules, FinCEN identifies four core elements that should be explicitly required as components of proper anti-money laundering due diligence. They include (1) customer identification and verification; (2) beneficial ownership identification and verification; (3) understanding the nature and purpose of customer relationships to develop a customer risk profile, and (4) ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information. Promulgation of these final rules is intended to make these requirements explicit to the extent they were not in the past.

FinCEN has the legal authority to promulgate these rules under the Bank Secrecy Act to guard against money laundering. They require that all covered financial institutions establish and maintain written procedures that are reasonably designed to identify the beneficial owners of their legal entity customers. Of course, essential to the development of these procedures is an understanding of how the terms “legal entity customers” and “beneficial owners” are defined in the new rules.

Beneficial Ownership Requirements

There is a two-prong test for the definition of “beneficial owner” that covers both ownership and control. Any individual that owns at least 25 percent of the equity interests in a legal entity customer will qualify as a beneficial owner who must be identified under the new regulations. If no person owns at least 25 percent of the equity interests in a legal entity customer, then no person would be required to be identified under the ownership prong. Thus, the greatest possible number of persons to be identified under this prong would be four.

The second prong of the “beneficial owner” definition covers control and requires that, for each legal entity customer, a single individual be identified who has “significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager or any other individual who regularly performs similar functions." This controlling manager or officer would be subject to identification and appropriate diligence regardless of the number of persons who qualified for scrutiny under the ownership prong. The regulation also allows for some flexibility, permitting financial institutions discretion to identify additional beneficial owners under the control prong, as appropriate, “based on risk.”

The final rule indicates that a covered financial institution may rely on the information supplied by the legal entity customer regarding the identity of its beneficial owner or owners “provided it has no knowledge of facts that would reasonably call into question the reliability of such information.” The covered financial institution would be expected to undertake diligence in the event that it had knowledge that made it believe the information provided was inaccurate or incomplete. In providing this standard, FinCEN acknowledges that the customer may be the only source of this information available to the covered financial institution.

Legal Entity Customer Defined

The term “legal entity customer” is defined in the new regulations to mean a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction, that opens an account. Accordingly, this definition would include limited partnerships and business trusts that are created by a filing with a state office. It would not, however, include sole proprietorship or unincorporated associations since, as the analysis in the Federal Register indicates, “neither is an entity with legal existence separate from the associated individual or individuals that in effect creates a shield permitting an individual to obscure his or her identity.”

There are, however, a myriad of exceptions to the definition of “legal entity customer”-- many based on the fact that such entities already require the type of beneficial owner disclosure that is being required under the new regulatory scheme. These include, but are not limited to: (1) financial institutions regulated by a Federal or State bank regulator; (2) entities that have their common stock listed on the New York or American Stock Exchange or NASDAQ; (3) issuers of any class of securities registered under the Securities Exchange Act of 1934 or that are required to file reports thereunder; (4) investment companies registered with the SEC under The Investment Company Act of 1940; (5) investment advisers registered with the SEC under the Investment Advisers Act of 1940; (6) exchanges or clearing agencies or any other entities registered with the SEC under the Securities Exchange Act of 1934; (7) any entity, commodity pool operator, commodity trading advisor, retail foreign exchange dealer, swap dealer or major swap participant registered with the CFTC; (8)  public accounting firms registered under Sarbanes-Oxley; (9) bank holding companies or savings and loan holding companies; (9) insurance companies regulated by a state; (10) financial market utilities designated under Dodd-Frank; and (11) certain foreign entities, including, without limitation, foreign financial institutions established in a jurisdiction where the applicable regulator maintains beneficial ownership information regarding such institution.

“Account” Definition Excludes ERISA Accounts 

 In defining the term “account” for purposes of the rules, FinCEN tied the definition to the existing definition of “account” provided for in the CIP rules, and expressly made it clear that accounts opened for the purpose of participating in an employee benefit plan under ERISA would be specifically excluded, “inasmuch as accounts established to enable employees to participate in retirement plans under ERISA are of extremely low money laundering risk.”

Model Compliance Certification

The final rule requires that a covered financial institution promulgate and maintain appropriate procedures to identify and verify beneficial owners of legal entity customers at the time of account opening. While no specific documentation is required, FinCEN has created a model certification form that complies with the necessary requirements and has been attached to the Rules as Appendix A to 31 CFR Part 1010.230. View the full text of the final rules, including the model compliance certification.

Risk-Based Due Diligence

The rules also require that each covered financial institution develop a customer risk profile based upon the information obtained from its customer during the account opening process. This risk profile, which will include, but not be limited to, the beneficial ownership information now required under the rules, must be used by the institution on an ongoing basis to assess the activities of the customer and to determine when suspicious activity is occurring that would require the financial institution to prepare a suspicious activity report.

These new rules were initially proposed by FinCEN in 2014 and have been part of an arduous approval process. In establishing these rules, FinCEN states that it has been cognizant of the considerable legal, clerical and operational requirements that will be necessary to implement these rules, and accordingly has provided for a two-year implementation period. Full compliance will be required on May 11, 2018. In the interim, covered financial institutions may wish to confer with counsel knowledgeable about the new regulations to insure proper and timely compliance.

For more information please contact one of the lawyers below:

31 CFR Parts 1010, 1020, 1023, et. al.
Media Contacts