by David S. Cohen, Franca Harris Gutierrez, Sharon Cohen Levin, Jeremy Dresner and Michael Romais
Last week the Financial Crimes Enforcement Network (FinCEN) issued much-anticipated Frequently Asked Questions (PDF: 387 KB) (FAQs) that provide additional guidance to financial institutions relating to the implementation of the new Customer Due Diligence Rule (CDD Rule), set to go into effect on May 11, 2018.[1] In general, the FAQs clarify certain issues that have caused implementation challenges for financial institutions. While FinCEN’s earlier guidance provided a general overview of the CDD Rule—including the purpose of the rule, the institutions to which it is applicable, and some relevant definitions—the new FAQs provide greater detail for financial institutions seeking to comply with the CDD Rule. The FAQs are meant to assist covered financial institutions in understanding the scope of their customer due diligence (CDD) obligations, as well as the rule’s impact on their broader anti-money laundering (AML) compliance. While the guidance is helpful in clarifying some of FinCEN’s expectations, the implementation challenge lies in applying the CDD Rule to a financial institution’s specific products and services.
As financial institutions work to meet the CDD Rule’s fast-approaching May 11 compliance deadline, they should pay special attention to the following key areas summarized below.
Overview of New FAQs: Key Issues for Financial Institutions
FinCEN’s 37 new FAQs aim to provide clarity on a range of issues in the application of the CDD Rule. The topics generally include identification, collection, and verification of beneficial ownership information; the accounts subject to the beneficial ownership requirements; customers and accounts excluded from the beneficial ownership requirements; Currency Transaction Report (CTR) filing with respect to beneficial owners; and ongoing customer monitoring.
“Fifth Pillar” Requirements
The CDD Rule establishes CDD as the “fifth pillar” of an AML compliance program. One of the key elements of the CDD pillar is understanding the nature and purpose of a customer relationship to develop a customer risk profile, which is required for all customers and accounts.[2] Addressing the nature and purpose requirement, FAQ 37 states that “[f]inancial institutions must implement risk-based procedures as part of their AML program to demonstrate an understanding of the nature and purpose of customer relationships to develop customer risk profiles.”[3] Customer risk profiles should include “the information gathered about a customer at account opening,” and they are “used to develop a baseline against which customer activity can be assessed for suspicious activity reporting.”[4] If account activity changes relative to the baseline of the original nature and purpose of the account, risk-based ongoing monitoring may identify a need to update customer information, such as beneficial ownership.[5]
A customer risk profile may include a system of risk ratings or categories of customers, but this is not required.[6] The documentation required to demonstrate an understanding of the nature and purpose of a customer relationship may vary with the type of customer, account, service, or product.[7] In the case of certain products such as safety deposit boxes, for example, the nature and purpose of the customer relationship is self-evident, and no additional documentation would be needed to demonstrate this understanding beyond the documentation needed to establish that type of account.[8] Every financial institution should consider the risks presented by each type of account it offers, the risks presented by its particular customer base, and how those two sets of risks interact.
Updating Beneficial Ownership Information
As a general matter, the FAQs make clear that the CDD Rule establishes a minimum standard, a 25 percent ownership interest in the legal entity customer, requiring the collection of beneficial ownership information. However, financial institutions may choose to collect and verify beneficial ownership information at a lower ownership threshold than the rule requires.[9] FinCEN also states that “[t]here may be circumstances where a financial institution may determine” that collecting information at a lower threshold “may be warranted.”[10] Although FinCEN does not directly say so, the implication is that financial institutions should strongly consider applying a lower ownership threshold based on the customer’s risk. FinCEN also notes that a financial institution “may reasonably conclude” that collecting information at a level lower than 25 percent “would not help mitigate” the customer’s specific risk or otherwise provide useful information to the financial institution.[11] FinCEN adds that financial institutions could also mitigate “any additional heightened risk” by other means, such as “enhanced monitoring or collecting other information, including expected account activity, in connection with the particular legal entity customer.”[12]
In all cases, institutions must maintain written procedures reasonably designed to identify and verify beneficial ownership and include such procedures in their AML program regardless of whether they adhere to the 25 percent threshold or use a lower threshold (such as 10 percent).[13]
Application of the Rule and Relationship with Ongoing Monitoring
The CDD Rule only applies to accounts opened after its May 11, 2018 effective date. The FAQs make clear that there is no affirmative requirement to obtain beneficial ownership information from customers with accounts opened prior to May 11, 2018,[14] nor is there an affirmative requirement to periodically update or solicit such information for any account.[15] A financial institution must, however, update existing beneficial ownership information for any client when—in the course of normal monitoring relevant to assess or reassess the customer’s overall risk profile—the financial institution becomes aware of information about the customer or account that includes a possible change of beneficial ownership information.[16] Financial institutions must also update beneficial ownership information for an existing client that opens a new account, although the financial institution may be able to rely on a customer certification in certain circumstances.
Reasonable Reliance on Information Provided by Customers
FinCEN emphasized throughout the FAQs that financial institutions may rely on information provided by customers when such reliance is reasonable, i.e., when the financial institution has “no knowledge of facts that would reasonably call into question the reliability of such information.”[17] For example, financial institutions do not need to independently investigate a legal entity customer’s ownership structure, and may instead reasonably rely on information provided by the customer.[18] Financial institutions may also rely on the information provided by the legal entity customer to determine whether the legal entity is excluded from the definition of a legal entity customer, provided the institution has no knowledge to the contrary.[19]
Interplay Between CDD and CIP
Under the CDD Rule, financial institutions are required to verify beneficial ownership according to risk-based procedures that contain, at a minimum, the same elements institutions use to verify customer identity under the Customer Identification Program (CIP) rules.[20] However, the CDD and existing CIP procedures do not need to be identical. Financial institutions may use the same documentary and nondocumentary methods of verification as those for CIP. Unlike CIP, the CDD Rule permits some variances, such as allowing photocopies and reproductions of documents.[21] Ultimately, financial institutions should conduct a risk-based analysis of their own customer base to determine which verification methods are appropriate.[22]
Financial institutions may verify the identity of a beneficial owner who does not appear in person at account opening by accepting (from the customer’s representative) a photocopy or other reproduction of a valid identity document, or via non-documentary methods such as contacting the beneficial owner.[23]
Existing Customers
The requirement to collect and verify beneficial ownership information applies to every new account opening, although FinCEN’s FAQs have softened somewhat the steps financial institutions must take for existing customers.[24] For existing customers subject to CIP, financial institutions may rely on information obtained through CIP to fulfill the identification and verification requirements of the CDD Rule, provided that a representative of the customer “certifies or confirms (verbally or in writing) the accuracy of the pre-existing CIP information.”[25] Similarly, if a customer opens multiple accounts at a financial institution, simultaneously or not, the financial institution may rely on the information already obtained from the customer, provided the customer “certifies or confirms (verbally or in writing) that such information is up to date and accurate at the time each subsequent account is opened and the financial institution has no knowledge of facts that would reasonably call into question the reliability of such information.”[26] Financial institutions should maintain a record of such confirmations.[27]
Foreign Customers
FinCEN included a number of FAQs about foreign customers.[28] For example, although companies traded on U.S. stock exchanges are excluded from the definition of legal entity customer, companies traded on foreign exchanges are not excluded, so financial institutions must collect and maintain beneficial ownership information about such customers.[29] Furthermore, financial institutions may not take a “risk-based approach” to collecting the required beneficial ownership information from legal entity customers listed on foreign exchanges.[30] Institutions may, however, rely on the public disclosures of such entities as they may with other legal entity customers (whether listed or not), “absent any reason to believe such information is inaccurate or not up-to-date.”[31]
A foreign financial institution (FFI) is excluded from the definition of legal entity customer if its foreign regulator collects and maintains beneficial ownership information about the FFI.[32] If the foreign regulator does not collect such information, however, covered financial institutions must do so.[33] Consistent with a prominent theme in the CDD Rule, financial institutions may rely on the representations of the FFI as to whether this exclusion applies to that FFI, provided the institution does not have knowledge of facts that would reasonably call into question the reliability of such representations.[34]
Absent reliance on a reasonable representation from the FFI, FinCEN suggests that financial institutions should contact the relevant foreign regulator “or use other reliable means” to determine whether the foreign regulator maintains beneficial ownership information.[35] The U.S. government will not maintain a list of non-U.S. jurisdictions where regulators maintain beneficial ownership information for FFIs they regulate or supervise.[36] Financial institutions are not required to research the specific transparency requirements a foreign regulator may impose and compare them to U.S. AML requirements—rather the inquiry is simply whether a foreign regulator for the FFI collects and maintains information on the beneficial owner(s) of the regulated institution.[37]
Securities Industry
Two of the FAQs discuss the opening of subaccounts and pooled investment vehicles. First, FinCEN clarified that the beneficial ownership requirement does not apply when financial institutions open additional accounts or subaccounts for a legal entity customer for the institution’s own recordkeeping or operational purposes (such as to accommodate trading strategies), rather than at the customer’s request.[38] Second, FinCEN stated that, in general, financial institutions are not required to “look through” a pooled investment vehicle to identify beneficial ownership information. However, financial institutions are required to collect beneficial ownership information about the pooled investment vehicle under the “control prong” of the rule, i.e., about “an individual with significant responsibility to control, manage, or direct the vehicle.”[39]
CTR Reporting Requirements
The CDD Rule does not change existing CTR reporting requirements.[40] “[C]overed financial institutions should presume that different businesses that share a common owner are operating separately and independently from each other and from the common owner.”[41] Thus, FinCEN does not expect transactions across commonly owned legal entity customers to be aggregated absent indications that the businesses are not operating independently (e.g., same staff or location, or accounts of one business are repeatedly used to pay the expenses of another business). Financial institutions are also not required to list beneficial owners of a trust or estate account when completing a CTR. A financial institution must list a beneficial owner in Part 1 of the CTR only if the institution has knowledge that the transaction(s) requiring the filing is made on behalf of the beneficial owner and results in either cash in or cash out totaling more than $10,000 during any one business day.[42]
***
Additional background
On May 11, 2016, FinCEN issued a Final Rule that established a “fifth pillar” of FinCEN’s AML program requirement mandating that covered financial institutions implement risk-based procedures for conducting CDD.[43] Among other things, the CDD Rule requires certain financial institutions to “look through” the nominal account holder to identify the account’s beneficial owners, i.e., those who own or control (directly or indirectly) certain legal entity customers.
FinCEN issued technical amendments on September 29, 2017, to correct a sample Certification Form and add a paragraph inadvertently omitted in the Final Rule.[44] Shortly after issuing the Final Rule, FinCEN published its first set of FAQs (PDF: 387 KB) regarding the Rule.[45]
For a detailed analysis of the Final Rule and its provisions, please see our previous Anti-Money Laundering Alert: FinCEN Finalizes Beneficial Ownership and Customer Due Diligence Requirements.
Footnotes
[1] U.S. Dep’t of the Treasury, Fin. Crimes Enf’t Network, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, FIN-2018-G001 (Apr. 3, 2018) (PDF: 580 KB).
[2] FAQ 35.
[3] FAQ 37.
[4] Id. See also 81 Fed. Reg. 29398.
[5] FAQ 36.
[6] FAQ 35.
[7] Id.
[8] FAQ 37.
[9] FAQ 1.
[10] FAQ 2.
[11] Id.
[12] Id.
[13] Id.
[14] FAQ 13.
[15] FAQ 14.
[16] Id.
[17] See, e.g., FAQs 3, 6, and 21.
[18] FAQ 3.
[19] FAQ 21.
[20] FAQ 4.
[21] FAQs 4 and 6.
[22] FAQ 4.
[23] FAQs 4 and 6.
[24] FAQs 7 and 10.
[25] FAQ 7.
[26] FAQ 10.
[27] Id.
[28] See, e.g., FAQs 24, 25, 26, 27, and 28.
[29] FAQ 24.
[30] FAQ 25.
[31] Id.
[32] FAQ 26.
[33] Id.
[34] Id. See also FAQ 21.
[35] FAQ 27.
[36] Id.
[37] FAQ 26.
[38] FAQ 11.
[39] FAQ 18.
[40] FAQ 33.
[41] FAQ 32.
[42] FAQ 33.
[43] Customer Due Diligence Requirements for Financial Institutions, 81 Fed. Reg. 29398 (May 11, 2016) (to be codified at 31 C.F.R. Subt. B., Ch. X).
[44] See Customer Due Diligence Requirements for Financial Institutions; Correction, 82 Fed. Reg. 45812 (Sept. 28, 2017).
[45] See U.S. Dep’t of the Treasury, Fin. Crimes Enf’t Network, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, FIN-2016-G003 (July 19, 2016) (PDF: 387 KB).
David S. Cohen, Franca Harris Gutierrez, and Sharon Cohen Levin are partners, Jeremy Dresner is special counsel, and Michael Romais is an associate at Wilmer Cutler Pickering Hale and Dorr LLP.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.