The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has finalized its long-awaited beneficial ownership rule, which it proposed in 2014. The regulation does two things. First, it extends Customer Due Diligence (CDD) requirements under Bank Secrecy Act (BSA) rules to the natural persons behind a legal entity. Second, the regulation adds a fifth pillar to the traditional “four pillars” of an effective anti-money laundering (AML) program by requiring covered financial institutions to establish risk-based procedures for conducting ongoing customer due diligence. As of May 11, 2018, entities subject to BSA will be required to identify and verify the identity of beneficial owners of legal entity customers at the time the customer opens a new account, subject to certain exclusions and exemptions, as well as develop risk profiles and conduct ongoing monitoring of customers.

I. Background

The final rule was issued quietly on May 5, 2016, in an advance version, with the official version published in the Federal Register on May 11, 2016. Although the rule will technically become effective July 11, 2016, compliance will not become mandatory until May 11, 2018.

The low-key issuance of the final rule was surprising given the recent flurry of attention around the rulemaking after the so-called “Panama Papers” leak in April 2016. The Panama Papers are a leaked set of millions of confidential documents of the Panamanian law firm Mossack Fonseca that provide detailed information about how wealthy individuals around the world, including public officials, hide their money from government regulation and public scrutiny—and possibly commit illegal activities—using shell companies. This revelation spurred a public outcry, with many urging FinCEN to finalize the beneficial ownership rule to thwart use of the U.S. banking system by such shell companies without the ability to determine the individual persons behind them. FinCEN had issued an Advance Notice of Proposed Rulemaking (ANPR) for this rule in 2012 and a Notice of Proposed Rulemaking (NPRM) in 2014.

FinCEN’s stated impetus for this rulemaking was its determination, after consultation with the federal financial regulators and the Department of Justice, that more explicit rules for covered financial institutions with respect to CDD were necessary to enhance financial transparency and safeguard the financial system against illicit use. The BSA authorizes FinCEN to impose AML program requirements on all covered financial institutions and to require such institutions to maintain procedures to ensure compliance with the BSA and its implementing regulations or to guard against money laundering.

In conjunction with this final rule, the Treasury Department sent Congress draft legislation that would require legal entities to know and report information on beneficial ownership to federal and state government at the time the company is formed. As described, the draft legislation would not supplant the FinCEN beneficial ownership rule, but rather provide additional data that would be used to comply with the rule, as well as for other purposes.

II. New Beneficial Ownership Rule

Beginning on May 11, 2018, covered financial institutions must do two things for all legal entity customers who open new accounts at the financial institution, unless an exception applies: 1) identify and 2) verify the identity of the beneficial owners of the legal entity.

Who Does the Rule Apply to?

The final rule applies to “covered financial institutions,” which are those already subject to BSA Customer Identification Program (CIP) requirements. These generally include depository institutions, securities broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities.

The rule does not exclude smaller institutions. FinCEN recognized the increased burden on smaller institutions, but noted that “even though some smaller institutions might be lower risk, size alone should not be a determinative factor for a risk assessment, making it an inappropriate basis for a categorical exclusion.” FinCEN also reiterated that it expects financial institutions to implement procedures for collecting beneficial ownership information that are appropriate for the institution’s size and type of business.

What is an “Account?”

Consistent with the proposed rule, the final rule does not apply retroactively; it applies only to legal entity customers who open new accounts on or after the May 11, 2018, compliance date. The term “new account” is defined to include each account opened at a covered financial institution by that customer. In other words, a covered financial institution will be required to identify and verify a legal entity customer’s beneficial owners each time the customer opens a new account at the institution after the compliance date, even if the institution has already identified and verified the customer’s beneficial owners at the time the customer opened a previous account.

What is a “Legal Entity Customer”?

The proposed rule applies to “legal entity customers,” which are generally defined as:

a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account.

A long list of entities are excluded from the definition of “legal entity customer,” including but not limited to:

  • Regulated financial institutions;
  • Certain governmental agencies;
  • Entities whose common stock or equity interests are listed on the New York Stock Exchange or the American Stock Exchange or have been designated as a NASDAQ National Market Security listed on the NASDAQ Stock Market;
  • Issuers of classes of securities registered under Section 12 of the Securities Exchange Act;
  • Registered investment companies and investment advisers;
  • Exchange or clearing agencies;
  • Other entities registered with the Securities and Exchange Commission;
  • Public accounting firms registered under the Sarbanes-Oxley Act;
  • Bank holding companies;
  • Savings and loan holding companies; and
  • State-regulated insurance companies.

Certain exemptions to the requirements to identify and verify the identity of each beneficial owner also apply to certain activities. For instance, private label credit card accounts established at the point-of-sale solely for the purchase of retail goods or services at the issuing retailer are not subject to the beneficial owner identification and verification requirements if those accounts have a credit limit of no more than $50,000. Credit cards accepted at any outlet or at an ATM, however, are not exempt.

Pooled investment vehicles operated by an excluded entity and certain nonprofit entities are partially exempt in that they are generally subject only to the control prong of the beneficial ownership definition.

Where do trusts fit in?

An important point to note is that the “legal entity customer” definition does not apply to most trusts, since most trusts do not need to file public documents to be created. FinCEN has noted that “identifying a ‘beneficial owner’ from among” trust grantors, trustees, and beneficiaries “would not be possible.”

However, possible or not, FinCEN still believes that some beneficial ownership information about trust accounts should be obtained in some instances:

We reiterate our understanding that, consistent with existing obligations, financial institutions are already taking a risk-based approach to collecting information with respect to various persons associated with trusts in order to know their customer, and that we expect financial institutions to continue these practices as part of their overall efforts to safeguard against money laundering and terrorist financing.

When a trust is a “beneficial owner” of a legal entity customer, the beneficial owner is to be considered the trustee of the trust.

Who is a “Beneficial Owner”?

Under the new rule, a “beneficial owner” includes two types of individuals:

  1. Any individual who, directly or indirectly, owns 25 percent or more of equity interest in the legal entity customer; and
  2. A single individual who has “significant responsibility to control, manage, or direct a legal entity.”

It is not entirely clear what would constitute “significant responsibility” under the second prong, but the rule indicates that such individuals could be an executive officer, senior manager, or any other person who “regularly performs similar functions.”

Under the ownership prong, a legal entity customer could have between zero and four beneficial owners—zero if no individual owns 25 percent or more of an entity or four if each individual owns exactly 25 percent of the entity. For the second, control prong, all legal entities will be required to name at least one individual. Accordingly, each legal entity customer will have between one and five beneficial owners.

Critics have pointed out that this definition could allow real owners to hide behind an executive serving as a figurehead. Or there may be multiple people controlling a legal entity, and the rule does not take into account the fact that a controlling person may be following instructions provided by someone above even though that person actually has no real ownership of the company. Some argue that these are not the types of individuals who pose the risks the rule is designed to address.

What is Required?

The financial institution may comply either by obtaining the required information on a standard Certification Form provided by the rule or by any other means that comply with the substantive requirements of the provision. The rule does not list specific individuals who would be appropriate to certify an entity’s beneficial owners, but FinCEN does state that the form does not need to be notarized or approved by the customer’s board of directors or any other governing body.

While use of the standard Certification Form would provide institutions certain protections, FinCEN has stopped short of providing a blanket safe harbor by use of the Certification Form. Instead, the final rule allows a covered financial institution to rely on information that the legal entity customer supplies about the identity of its beneficial owners, so long as the institution does not have “knowledge of any facts that would reasonably call into question the reliability of such information.”

The financial institution may rely on the beneficial ownership information supplied by the customer, provided that it has no knowledge of facts that would reasonably call into question the reliability of the information. The identification and verification procedures for beneficial owners are very similar to those for individual customers under a financial institution’s customer identification program (CIP), except that for beneficial owners, the institution may rely on copies of identity documents. Financial institutions are required to maintain records of the beneficial ownership information they obtain, and may rely on another financial institution for the performance of these requirements, in each case to the same extent as under their CIP rule.

Collection of beneficial owners’ sensitive personal information (e.g., name, date of birth, Social Security number, and passport number, if the beneficial owner is not a U.S. person) may raise privacy concerns and increase fears of identity theft. Nevertheless, FinCEN has said these concerns are insufficient to justify limiting the collection of this information and pointed out that financial institutions are required to protect this information under the Gramm-Leach-Bliley Act and Right to Financial Privacy Act. Of course, the practical value of these privacy protections versus a subpoena remains questionable.

FinCEN states that financial institutions should use beneficial ownership information as they use other information they gather regarding customers (e.g., through compliance with CIP requirements), including for compliance with the Office of Foreign Assets Control (OFAC) regulations, and the currency transaction reporting (CTR) aggregation requirements under the BSA.

What Records Must be Retained?

Consistent with CIP rules, records of information collected in connection with identifying and verifying beneficial owners must be retained for five years after the account is closed, for identification records, and five years after the record is made, for verification records. For identification, the records must include, at a minimum, any identifying information the institution obtained, including the Certification Form, if it was obtained. For verification, a covered institution must maintain a description of any document the institution reviewed to verify the beneficial owner’s identity, noting the type, any identification number, any place of issuance, any date of issuance, and any expiration date.

III. Anti-Money Laundering Program Rule Amendments

The final rule also amends AML program requirements for each type of covered financial institution by adding the requirement that institutions implement risk-based procedures to conduct ongoing customer due diligence, including understanding the nature and purpose of customer relationships to develop a customer risk profile.

According to FinCEN, an institution must develop a “customer risk profile” using the information the institution gathers about the customer at account opening and use that customer risk profile as a baseline against which the institution will assess future customer activity for potential suspicious activity reporting. For instance, the profile may include the type of customer or type of account, service, or product type.

When a financial institution detects information (including a change in beneficial ownership information) about the customer in the course of its normal monitoring that is relevant to assessing or reevaluating the risk posed by the customer, it must update the customer information, including beneficial ownership information. Such information could include a significant and unexplained change in the customer’s activity, such as executing cross-border wire transfers for no apparent reason or a significant change in the volume of activity without explanation. It could also include information indicating a possible change in the customer’s beneficial ownership, because such information could also be relevant to assessing the risk posed by the customer.

FinCEN notes, however, that this provision does not impose a categorical requirement that financial institutions must update customer information, including beneficial ownership information, on a continuous or periodic basis. Rather, the requirement to update such information is event-driven and occurs as a result of normal monitoring.

FinCEN also noted that the requirements of the rule “represent a floor, not a ceiling, and, consistent with the risk-based approach, financial institutions may do more in circumstances of heightened risk, as well as to mitigate risks generally.” In addition, the banking regulators may themselves impose their own supervisory requirements on the institutions they examine.

These AML program amendments will apply to all legal entity customers, including existing ones, as of May 11, 2018.

IV. Next Steps for Covered Entities

In preparation for the mandatory compliance date of May 11, 2018, financial institutions should evaluate their current identification, verification and monitoring processes to determine whether changes may be warranted and what employee training is needed. Covered institutions may also need to amend their BSA programs to include the new fifth pillar if the institution does not already conduct ongoing CDD as contemplated by the rule and document its procedures for doing so.

These actions will be critical to complying with the final rule upon its compliance date. It is also important to keep in mind that federal functional regulators may set their own, additional supervisory expectations, as with any other aspect of BSA/AML.