The Financial Crimes Enforcement Network (FinCEN), the U.S. agency tasked with issuing anti-money laundering (AML) regulations, recently finalized long-pending regulations that would require that banking organizations, securities broker-dealers, mutual funds, futures commission merchants and introducing brokers in commodities (“covered financial institutions”) identify the beneficial owners of their legal entity customers. The final rule also requires that these covered financial institutions incorporate customer due diligence procedures into their required AML compliance programs.

Certain US financial institutions must maintain AML compliance programs and a subset of those financial institutions, the covered financial institutions, also must implement a written risk-based customer identification program (“CIP”) that, at a minimum, includes obtaining, verifying and retaining certain information regarding each new customer, whether the customer is a natural person or an entity. Persons exempt from the CIP procedures include governmental agencies and regulated financial institutions.

The Financial Action Task Force (FATF), the international AML standards setting organization, recommends that countries “should ensure that there is adequate, accurate and timely information on the beneficial ownership and control of legal persons that can be obtained or accessed in a timely fashion by competent authorities.” The FATF defines a “beneficial owner” as the natural person(s) who ultimately owns or controls a customer and/or natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement. Other international organizations also endorsed a requirement to identify beneficial owners.

Current CIP compliance with FATF standard

Current CIP procedures are not required to include identification of the beneficial owners for every legal entity, except with respect to certain private banking and correspondent accounts. In August 2014, FinCEN issued a proposed rule to require that the covered financial institutions noted above identify the beneficial owners of legal entities and add specific customer due diligence requirements into their AML compliance programs. After review of the comments and consultation with the other applicable regulators, FinCEN now has finalized the regulations.

Final Rule requirements

Which financial institutions must comply with the final rule?

Only the covered financial institutions noted above that are currently subject to the CIP requirement.

What does the regulation require?

Subject to certain exemptions, the covered financial institution must identify the beneficial owner(s) of each legal entity customer at the time a new account is opened, and obtain an executed form from the individual opening the account certifying to such beneficial ownership information, or obtain the information through other means so long as the individual certifies, to the best of his or her knowledge, that the information is accurate.

In addition, the financial institution generally must verify the identity of each beneficial owner by using, at a minimum, the risk-based CIP procedures on verifying the identity of customers.

What is a “beneficial owner”?

• Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of the equity interests of a legal entity customer (“ownership prong”); and
• An executive officer or senior manager of the legal entity (Chief Executive Officer, Chief Financial Officer, President, Vice President, or Treasurer); or any other individual who regularly performs similar functions (“control” prong).

All individuals who meet the “ownership” prong of the definition would be subject to the new identification and verification requirements. Under the “control” prong of the definition, only one individual must be identified and verified. A covered financial institution may identify additional individuals as part of its customer due diligence if it deems it appropriate on the basis of risk.

What is a “legal entity customer”?

A corporation, limited liability company, or other entity that is created by the filing of a public document with a state secretary of state or similar office, a general partnership, and any similar entity formed under the laws of a non-U.S. jurisdiction that opens an account.

In addition to those persons already exempt from the definition of customer under the CIP regulations, such as regulated financial institutions, several additional categories of persons also would be exempt from the definition of a legal entity customer, such as public accounting firms, financial market utilities deemed to be systemically significant, and non-U.S. financial institutions established in jurisdictions where their regulators maintain beneficial ownership information regarding such financial institutions.

Certain types of legal entity customers that are pooled investment vehicles or nonprofit corporations need only provide information for the “control” prong of the beneficial owner requirement.

Are there any exemptions?

There are limited exemptions to the requirements, such as a legal entity customer that opens an account to finance the purchase of postage or insurance premiums, provided that such accounts cannot be used to make or receive payments from third parties.

Can one financial institution rely on another financial institution’s compliance with this regulation?

Yes, under conditions similar to those for reliance on another financial institution’s CIP.

When is it effective?

July 1, 2016; but only applicable to new accounts opened on or after May 11, 2018.

What are the recordkeeping requirements?

Recordkeeping requirements generally would be the same as for current customers covered under the CIP.

Clarifying the AML compliance program requirements

In addition to the new beneficial owner requirement, FinCEN is requiring that these covered institutions incorporate into their required AML compliance program appropriate risk-based procedures for conducting ongoing customer due diligence that must include at least (i) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (ii) conducting ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, maintaining and updating customer information.