Locke Lord QuickStudy: Final FinCEN Customer Due Diligence Rule Released – Concerns Abound as Covered Financial Institutions Grapple with Implementation

July 26, 2016

The United States Department of Treasury’s Financial Crimes Enforcement Network’s (FinCEN) new customer due diligence rule released in May has caused concern throughout the industry. In what it says is an effort to prevent individuals who conceal ill-gotten gains from entering the financial system, FinCEN’s rule requires Covered Financial Institutions to know the individuals who own or control their Legal Entity Customers. While the rule may have been well-intentioned, it has the potential to put undue burden on many entities that will undoubtedly have a hard time identifying these so-called Beneficial Owners.

At its core, FinCEN’s new customer due diligence rule, which must be implemented by May 11, 2018, requires Covered Financial Institutions to do four things relative to their customers. They are required to (1) identify and verify their customers, (2) identify and verify the Beneficial Owners of their Legal Entity Customers, with certain exceptions, (3) understand the nature and purpose of customer relationships to develop a customer risk profile and (4) ensure that monitoring for reporting suspicious transactions and, on a risk basis, maintaining customer information is ongoing.1 For purposes of this regulation, the definition of Covered Financial Institution remains the same as it was in Section 1010.605(e)(1), thereby incorporating financial institutions previously covered by the customer identification program (CIP). Legal Entity Customer is defined as “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account.” Generally, a Beneficial Owner is identified as

(1) each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of a legal entity customer; and (2) a single individual with significant responsibility to control, manage, or direct a legal entity customer, including: (i) An executive officer or senior manager (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or (ii) Any other individual who regularly performs similar functions.2

Concerns with New Customer Due Diligence Identification Requirements
As part of their new obligations, Covered Financial Institutions must identify and verify the Beneficial Owners of their Legal Entity Customers. In its Notice of Proposed Rulemaking FinCEN initially proposed requiring that Covered Financial Institutions use a standard FinCEN form that would request information concerning the Beneficial Owners. After the comment period, FinCEN decided that incorporation of the form into already existing compliance systems of Covered Financial Institutions would be too burdensome. The final rule allows Covered Financial Institutions three options: (1) to use FinCEN’s certification form, (2) to use the Covered Financial Institutions’ own forms, so long as they meet the requirements of Section 1010.230(b)(1) or (3) to use “any other means that satisf[ies] the substantive requirements of Section 1010.230(b)(1).3

Commenters also expressed concern with the selection of individuals certifying to the identity of the Beneficial Owners of Legal Entity Customers and mechanisms for obtaining that information. For instance, commenters suggested that FinCEN specifically state which individuals could sign the form. Commenters requested that those identifying Beneficial Owners be required to have a heightened level of knowledge, secure appropriate board consents, seek notarization or employ other means to demonstrate they could properly identify Beneficial Owners. Commenters also requested that Covered Financial Institutions be allowed to use information previously submitted from customers to satisfy the rule requirements. These suggestions were made to address concerns that individuals certifying to the identity of Beneficial Owners lacking knowledge would expose the financial institutions to risk of non-compliance and to address concerns about costs.

FinCEN declined to adopt the approaches put forth by commenters. Under the final rule, customers must have the information submitted to the Covered Financial Institutions certified by an individual authorized to open accounts on behalf of the Legal Entity Customer. How financial institutions ensure that the person certifying to the identification has the appropriate level of knowledge is left to the financial institution. FinCEN disapproved of using information previously submitted by customers, arguing that the goals behind implementing the program would be best served through requiring that the information be collected at the time the account is opened. FinCEN also made clear that using its standard certification form would not automatically grant Covered Financial Institutions safe harbor. Despite this, Covered Financial Institutions can rely on the information submitted by Legal Entity Customers regarding the identity of Beneficial Owners so long as they have no knowledge of acts reasonably calling into question the reliability of that information.

Concerns with New Customer Due Diligence Verification Requirements
Regarding verification, FinCEN originally proposed that procedures to verify the identity of Beneficial Owners be identical to those in CIP. Commenters argued that this would have been unworkable, as Beneficial Owners are often not present at the opening of the account and financial institutions are limited in the amount of information they have at any given time. As such, the final rule does not require procedures to be identical to those in CIP, but does require them to capture the elements of CIP.

Notwithstanding this concession by FinCEN, those critical of the final rule have argued that the cost of implementing the rule will be substantial. The final rule’s certification and verification requirements are based on beneficial ownership. Many commenting on the rule pointed out that “customer identification procedures on non-present beneficial owners would be too difficult” and that “expanding the number of natural persons subject to CIP procedures would increase costs, particularly for institutions that rely upon vendors that charge on a per capita basis for CIP.”4 Commenters thought that a risk-based approach would be more prudent and would assuage costs. FinCEN has justified its categorical approach by arguing that risk-based approaches would allow illicit actors to infiltrate the financial system by masking their activities as low risk.

Exempt Accounts and Excluded Financial Institutions
There are account openings that are exempt under the final rule. Most notably, among others, for accounts established at the point-of-sale to provide credit products (solely for the purchase of retail goods and/or services at these retailers and up to a limit of $50,000) and accounts “established to finance insurance premiums and for which payments are remitted directly by the financial institution to the insurance provider or broker”, provided, in each case, the Legal Entity Customer cannot send or receive payments from a third party and/or receive a cash refund for accounts opened to finance, among other things, the purchase of insurance premiums. Certain financial institutions already subject to certain federal and state regulation that make beneficial ownership and management information available via federal and state agencies are excluded under the final rule.

Questions remain even after finalization of the rule. Entities classified as Covered Financial Institutions now have to grapple with how to best collect information from their Legal Entity Customers, how to mitigate the costs of adding to CIP and the implications of getting Beneficial Owner information when Beneficial Owners are often not present at account opening. Moreover, though monitoring of Legal Entity Customers’ relations with their Beneficial Owners does not have to be continuous, the ongoing nature of the rule will likely raise implications as to its practicality in the future. Given the final rule’s expansive coverage, we believe that those covered should assess their customer due diligence policies and analyze what parts of the policies need to be strengthened to ensure compliance.

1United States Department of Treasury, Financial Crimes Enforcement Network, FR Doc. 2016-10567 (2016).
2Beneficial Ownership Information for Legal Entity Customers 31 C.F.R. § 1010.230(d) (2016).
3Financial Crimes Enforcement Network, supra note 1.