This month marks the one-year anniversary of the Financial Crimes Enforcement Network (FinCEN)’s long-awaited beneficial ownership rule, which imposes certain Customer Identification Program (CIP) requirements under the Bank Secrecy Act (BSA). FinCEN proposed the rule in 2014 and finalized it in May 2016. FinCEN has also issued Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, which provides guidance in understanding and implementing the new rule. All financial institutions subject to the rule must begin complying with it no later than May 11, 2018.
The rule will impose new compliance obligations on federally regulated banks, federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities.
Key Provisions of the Final Rule
As we previously wrote, the new rule generally requires all covered financial institutions to identify, and verify the identity of, the beneficial owners of each legal entity customer that opens a new account at the financial institution. The rule applies to “covered financial institutions,” which are those institutions already subject to BSA CIP requirements, and the rule does not exempt smaller institutions.
“Legal entity customers” generally include corporations, limited liability companies, general partnerships, and other entities formed by filing a public document with a Secretary of State or similar office. Several types of entities are excluded, such as entities traded on the New York Stock Exchange (NYSE), registered investment companies and investment advisors, and state-regulated insurance companies.
A “new account” is any account opened at a covered financial institution by a customer. The rule applies only to accounts open on or after the May 11, 2018 compliance date; the rule will not apply retroactively. The rule applies to all accounts, including checking accounts, savings accounts, certificates of deposit, and loans.
A “beneficial owner” includes two types of individuals:
- Any individual who, directly or indirectly, owns 25 percent or more of equity interest in the legal entity customer; and
- A single individual who has “significant responsibility to control, manage, or direct a legal entity.”
Regarding ownership–the first prong–a legal entity customer could have between zero and four beneficial owners. For control–the second prong–all legal entities must name at least one individual. Accordingly, each legal entity customer will have between one and five beneficial owners.
To comply with the rule, a covered financial institution must collect from any legal entity customer opening a new account the name, date of birth, address, and social security number or other government identification number for each beneficial owner of the legal entity customer. The institution can collect the required information on a standard Certification Form provided in the rule, on the institution’s own form, or by any other method that complies with the substantive requirements of the rule. The identification and verification procedures for beneficial owners are very similar to those for individual customers under a financial institution’s existing CIP, except that for beneficial owners, the financial institution may rely on copies of identity documents and the institution may obtain the required information about the beneficial owners from the individual opening the new account at the covered financial institution on behalf of the legal entity customer, rather than collecting the information directly from the beneficial owners.
Covered financial institutions must retain records of information collected in connection with identifying beneficial owners for five years after the account is closed; for records information collected in connecting with verifying beneficial owners’ identities, the institution must retain such records for five years after the record is made. Identification records must include, at a minimum, any identifying information the institution obtained, including the Certification Form, if it was obtained. For verification, a covered institution must maintain a description of any document the institution reviewed to verify the beneficial owner’s identity, noting the type, any identification number, any place of issuance, any date of issuance, and any expiration date.
The new rule also amends existing anti-money laundering (AML) program requirements by requiring covered financial institutions to implement and maintain risk-based procedures to conduct ongoing customer due diligence (CDD), including understanding the nature and purpose of customer relationships, conducting ongoing monitoring to identify and report suspicious transactions, and maintaining and updating customer information.
Action Items for Complying with the Final Rule
Over the next 12 months, financial institutions should begin taking the necessary steps to comply with the final rule. Some of the changes that may be required include:
Policies and Procedures
- Updating BSA/AML policies and procedures, including with specific regard to CIP policies and procedures
- Updating new account opening procedures, including developing procedures to identify and verify identifies of beneficial owners who are not present during account opening
- Updating Currency Transaction Report (CTR) aggregation procedures
- Updating suspicious activity monitoring procedures
- Updating risk assessments
- Updating OFAC policies and procedures, including OFAC scanning procedures
- Determining whether to adopt FinCEN’s standard Certification Form
- Revising signature card forms
- Revising certification forms
- Revising other new account documentation
- Updating system input screens for data entry
- Restructuring databases to store new additional information
- Updating existing monitoring procedures to incorporate ongoing CDD
- Training branch personnel on reasons behind the new rule and new information needed to open legal entity accounts
- Training operations personnel
- Training compliance personnel
- Training any other personnel whose work touches BSA/AML issues
Third-Party Vendor Management
- If using a third-party vendor, coordinating with vendor to ensure the vendor will comply with the new rule and testing the vendor’s changes
- Incorporate the rule into processes for ongoing monitoring of vendors
- Updating scope of annual BSA audit to include new requirements of the rule
To ensure compliance by the May 11, 2018 compliance date, financial institutions should allow ample time to implement all needed changes, such as the above.