On May 11, 2016, FinCen (the Financial Crimes Enforcement network of the U. S. Treasury Department) issued a final rule regarding enhanced customer due diligence (“CDD”) requirements that amends regulations under the Bank Secrecy Act. While the rule has been in effect for almost 2 years, compliance is mandatory by May 11, 2018. While Customer Identification Program (“CIP”) procedures have been around for quite some time, this new CDD rule requires additional layers of inquiry, diligence and collection of data with respect to “legal entity customers” who open new accounts or receive extensions of credit.
The CDD rule adds a “fifth pillar” to the “four pillars” of an effective anti-money laundering program. The first four pillars consist of the following, at a minimum, to be performed by a bank:
- A system of internal controls to assure ongoing compliance;
- Independent testing for compliance, to be performed by the bank or third parties;
- Designation of individual(s) responsible for monitoring and coordinating day-to-day compliance; and
- Training for appropriate personnel.
The fifth pillar adds a new layer of complexity, as follows:
- Appropriate risk-based procedures for conducting ongoing customer due diligence, to include (but not be limited to):
- Understanding the nature and purpose of customer relationships for the purposes of developing a customer risk profile, and
- Ongoing monitoring to identify and report suspicious transactions and on a risk basis, and to maintain and update customer information, with customer information to include information about the “beneficial ownership” of “legal entity customers”.
What is a “legal entity customer“?
Legal entity customers include corporations, LLCs, partnerships, business trusts and any other entity created by a filing with a state office. This term does not include natural persons, sole proprietorships, unincorporated associations, trusts (other than those created by a state filing) and various regulated entities such as banks, insurance companies, registered investment adviser, etc.
Banks are now required to identify the “beneficial owners” of each legal entity customer and collect and collect the following information with respect to each beneficial owner: name, address, date of birth, Social Security number (or similar numbers for non US persons).
What is beneficial ownership?
Beneficial ownership for purposes of the CDD rule consists of 2 prongs:
- Ownership Prong: Any individual who, directly or indirectly, owns 25% or more of the legal entity customer. Entities such as non-profit or public benefit corporations are not subject to the ownership prong.
- Responsibility Prong: Any individual who has “significant responsibility to control, manage, or direct the entity”. The following are given as examples: CEO, CFO, COO, managing member, general partner, president, vice president, treasurer or any other person who regularly performs similar functions.
As an example, if the legal entity has 4 owners who each own 25%, there are 4 beneficial owners and the required information must be collected from each of the four. If no one person owns 25% or more, no information has to be collected from such owners but one person must always be identified under the responsibility prong.
Forms: The collection of the required information be done by following and filling out the form suggested by FinCen (found at 82 Federal Register 45184 (published 9-28-17) or obtaining the required information from the individual who will certify the accuracy of the information provided.
Originals v. copies. Since the beneficial owner(s) may not be in your office when the account is opened, a bank may use photocopies of identification.
Reliance on customer: You may rely on the certification of the information furnished by the customer, so long as the bank has “no knowledge of facts that would reasonably call into question the reliability of the information.”
Not retroactive: The CDD rule is not retroactive, but new accounts opened by existing customers after May 11, 2018 are subject to the new CDD rule and the obligation to update customer information is “event based”, which means that if the bank learns something about a customer that is relevant to reevaluating or reassessing the risk posed by that customer, then the beneficial ownership information should be updated.
Record Retention: As a general rule, the records must be kept for 5 years.
Rely on other banks? You may rely on information from other banks, but similar to the CIP, an bank may rely on such information if (i) the reliance is reasonable under the circumstances, (ii) the bank supplying the information must be subject to AML requirements and be regulated by federal functional regulator and (iii) must enter into a contract requiring it to annually certify that it has an AML program and that it will perform the specified beneficial ownership diligence.
Relief on the Horizon? Congress is considering a bill, the Counter Terrorism and Illicit Finance Act, which would, among other things, require legal entities to submit beneficial ownership information to FinCen to create a national directory of beneficial owners. Having such a directory would eliminate some of the back office detective work and potentially create a safe harbor for relying on the published information.