The “Fifth Pillar” of AML/BSA Compliance FinCEN Issues Final Rule for New Customer Due Diligence Requirements under the Bank Secrecy ActFor years, financial institutions have operated under the maxim that an effective anti-money laundering and Bank Secrecy Act compliance program (collectively “AML”) rests upon four pillars: (1) written policies and procedures; (2) a designated AML compliance officer; (3) independent testing of the institution’s AML program; and (4) implementation of an adequate employee training program. Now regulators have effectively added a fifth pillar to AML compliance programs—the establishment of a risk-based, customer due-diligence procedure.

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued its Final Rule for Customer Due Diligence (CDD) under the Bank Secrecy Act (BSA) for banks and other covered financial institutions on May 11, 2016. The Final Rule, effective July 11, 2016, imposes a new requirement on banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities to identify and verify the identity of the natural persons behind the legal entity customers – the beneficial owners. Covered financial institutions must be in full compliance by May 11, 2018.

The Rule applies when an account is opened by a new or existing “legal entity customer,” including a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, or similar entities formed under the laws of a foreign jurisdiction.. For each new account that a legal entity customer opens, the financial institution must identify the beneficial (or true) owner(s) under either of the following criteria:

A) Each individual, if any, who directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, owns 25 percent or more of the equity interests of the legal entity customer; or

B) A single individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager, or any other individual who regularly performs similar functions.

Covered financial institutions must identify at least a beneficial owner under the control criterion for each legal entity customer. Also, depending on the ownership structure of the legal entity, covered financial institutions may identify zero to four individuals under the ownership criterion. If a trust owns, directly or indirectly, 25 percent or more of the equity interest of a legal entity customer, the beneficial owner for the purposes of the ownership criterion is the trustee.

Covered financial institutions may identify beneficial ownership by either obtaining a certification from the individual opening the account on behalf of the legal entity customer, or by obtaining the information from the customer through other means (so long as the individual certifies the accuracy of the information). FinCEN appended a “Certification Regarding Beneficial Owners of Legal Entity Customers” model form to its Final Rule.

After identifying the beneficial owner(s) of a legal entity customer, covered financial institutions must verify that information using reasonable and practicable risk-based procedures. Such procedures must contain the elements required for verifying the identity of individual customers under the financial institutions’ customer identification program (CIP). The Final Rule allows covered financial institutions to rely on information supplied by the legal entity customer regarding the identity of its beneficial owner(s), provided they do not have knowledge of facts that would reasonably call into question the reliability of the information. In addition, covered financial institutions may rely on another financial institution’s (or its affiliates) identification and verification of the legal entity customer’s beneficial owner(s). However, the reliance must be reasonable under the circumstances, and the other financial institution must be subject to a rule implementing statutory AML program requirements or subject to a contract requiring it to certify annually that it has implemented an adequate AML program.

Significantly, the Final Rule excludes several categories of entities from the definition of “legal entity customer,” including banks and financial institutions, investment advisers, exchange or clearing agencies, and certain other entities registered with the SEC or the CFTC. The Final Rule also excludes insurance companies, non-U.S. financial institutions established in jurisdictions whose regulators maintains beneficial ownership information, and non-U.S. governmental entities engaging in non-commercial activities. Covered financial institutions are also exempt from verification requirements for new accounts opened for certain limited purpose activities, including certain accounts opened at the point-of-sale to provide credit products for the purchase of retail goods and services up to a certain amount, and accounts opened to finance the purchase of postage, insurance premiums, or the leasing of equipment.

In addition to the requirement to identify and verify the beneficial owner(s) of certain legal entity customers that open new accounts, the new rule includes other requirements already at least implicitly recognized under the BSA/AML regulatory requirements, including CIP procedures and risk-based monitoring to identify suspicious transactions. However, beginning in May 2018, deficiencies in these programs alone, could result in violation of law findings.

To comply with the new CDD rule, each covered financial institution should begin to:

  • Review current new account opening policies and procedures and update them to incorporate beneficial ownership identification requirements for legal entity customers into existing CDD policies, procedures, and processes.
  • Retroactively determine the beneficial owner(s) of current legal entity customers.
  • Review the current BSA/AML compliance program to ensure compliance with all CIP, CDD, and risk-based monitoring requirements.

Also of note, FinCEN has proposed including investment advisers under the BSA’s definition of “financial institutions,” which would require them as well to establish BSA/AML compliance programs and report suspicious activity.

Although the “fifth pillar” rule was originally proposed in 2012, the promulgation of the final rule is timely in the wake of the Panama Papers scandal, which largely centered on lax due diligence concerning customer identities. Compliance with the new rule will require a substantial commitment of training and resources in advance of the May 11, 2018 deadline, especially in light of the renewed international scrutiny on the subject.