A compliance deadline of May 11 is fast-approaching for compliance with the Financial Crimes Enforcement Network’s new rules and obligations for customer due diligence by financial institutions. Last month, banks received new guidance that alternately offered clarification and curveballs.
The original rule was enacted in May 2016 by FinCEN, a bureau of the Department of the Treasury tasked with safeguarding the financial system from illicit use and money laundering.
The Customer Due Diligence (CDD) Final Rule adds a new requirement that financial institutions (including banks, brokers, or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities) collect and verify the personal information of the real people/beneficial owners who own, control, and profit from companies when those companies open accounts.
Specifically, the rule contains three core requirements: identifying and verifying the identity of the beneficial owners of companies opening accounts; understanding the nature and purpose of customer relationships to develop customer risk profiles; and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
With respect to the requirement to obtain beneficial ownership information, financial institutions will have to identify and verify the identity of any individual who owns 25 percent or more of a legal entity and an individual who controls the legal entity.
There are also a number of new recordkeeping obligations.
A two-year implementation period was provided to allow covered entities to gear up for new compliance obligations.
While banks and others faced the finish line for implementing the new demands, FinCEN threw a last-minute challenge their way in the form of new guidance.
The 37 questions addressed issues on acceptable means of identifying and verifying beneficial ownership information, collecting information for direct and indirect owners, and thresholds for identifying beneficial owners.
Additionally, the FAQs provide information on the requirements for obtaining this information when multiple accounts are opened or accounts are renewed (certificates of deposit or loan renewals, for example), as well as information on monitoring and updating customer information.
The late-in-the-game guidance from FinCEN is garnering mixed reactions from the financial sector.
The Independent Community Bankers of America (ICBA), for example, which represents 5,700 community banks, is asking Congress to delay compliance for at least one year because “delayed rule guidance warrants a corresponding delay in mandatory compliance.”
Ahead of a House Financial Services hearing on the rule, the ICBA wrote to legislators to argue that the government should collect beneficial ownership records at the time a legal entity is formed if it wants this information, rather than requiring financial institutions to do it for them.
“Collecting and verifying the identity of all owners of each entity by either the Internal Revenue Service or other appropriate federal agency and/or state in which the entity is formed would provide uniformity and consistency across the United States,” the ICBA wrote. “Making the formation of an entity contingent on receiving beneficial owner information would create a strong incentive for equity owners and investors to provide such information.”
If responsibility for collecting beneficial ownership information remains with financial institutions, the ICBA recommends that it be based on customers rather than accounts. This change would be consistent with the customer information program established by the Bank Secrecy Act.
“From my 39 years in banking, I can tell you customers do not update their phone numbers and e-mail addresses with the bank on any regular basis. We will most likely have to rely on mail. If the customer does not respond to the bank’s request, tracking exceptions will be required.”
Dalia Martinez, Vice President, International Bank of Commerce
“A focus on customers rather than accounts would greatly facilitate information collection, alleviating community bank burden and producing more accurate information,” it wrote. “The creation of an additional account by an existing customer or the renewal of a customer account should not trigger a new obligation to verify beneficial ownership information as long as the bank has no knowledge of facts that would reasonably call into question the reliability of the information already on file.”
Also, the trade association argued, the Federal Financial Institutions Examination Council has not yet released an updated exam manual incorporating the CDD Rule. “The FFIEC exam manual is another critical piece of the puzzle bankers need to understand how they will actually be examined for CDD Rule compliance,” it said, adding that “the FAQs, while important, do not resolve all ambiguities regarding compliance with the rule.”
“Community bankers should not have to engage in guesswork and court the costly risk of error or misinterpretation when it comes to regulatory compliance,” it wrote. “They need certainty to the last detail, and only the exam manual will provide this certainty.”
Community banks are also asking the government to consider covering the significant expense in terms of both direct and indirect costs of Bank Secrecy Act compliance.
BSA compliance is fundamentally a governmental, law enforcement function. As such, the costs should be borne by the government, the ICBA said, supporting the creation of a tax credit to offset the cost of this compliance.
Others in the banking world are having similar concerns about the timing and content of the FAQs.
“The promulgation of the rule, which has been 10 years in the making, and FinCEN’s recent, extensive guidance interpreting the rule, represent an enormous labor and expenditure intellectual effort by the agency and a substantial achievement,” says Carlton Greene, a partner at the law firm of Crowell & Moring who was previously FinCEN’s chief counsel. He also praised the hard work and professionalism of covered institutions complying with their obligations under the Bank Secrecy Act.
“Like an iceberg, the majority of these efforts typically go unseen by regulators,” he said. “I also know the outsized expenditure of resources that so many of these institutions devote to AML compliance and the day-to-day frustrations and burdens that come from ensuring compliance.”
While FinCEN’s new FAQs “provide important interpretive guidance that has solved a number of questions that threatened implementation or threatened to impose large and unexpected costs on it,” the guidance also “generated new questions that create new risks for covered financial institutions,” he said.
RGUIDANCE ON NEW DUE DILIGENCE RULES
The following are from “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions,” a guidance document released by the Treasury Department’s Financial Crimes Enforcement Network to clarify expectations of customer due diligence requirements for financial institutions that are effective on May 11.
Are there circumstances where covered financial institutions should consider collecting beneficial ownership information at a lower equity interest threshold under the anti-money laundering program rules with regard to certain customers?
There may be circumstances where a financial institution may determine that collection and verification of beneficial ownership information at a lower threshold may be warranted, based on the financial institution’s own assessment of its risk relating to its customer.
Transparency in beneficial ownership, however, is only one aspect of a covered financial institution’s customer due diligence obligations.
A financial institution may reasonably conclude that collecting beneficial ownership information at a lower equity interest than 25 percent would not help mitigate the specific risk posed by the customer or provide information useful to the financial institution in analyzing the risk. Rather, any additional heightened risk could be mitigated by other reasonable means, such as enhanced monitoring or collecting other information, including expected account activity, in connection with the particular legal entity customer.
In all cases, however, it is important that covered financial institutions establish and maintain written procedures that are reasonably designed to identify and verify the identity of beneficial owners of legal entity customers and to include such procedures in their AML compliance program.
A covered financial need not independently investigate the legal entity customer’s ownership structure and may accept and reasonably rely on the information regarding the status of beneficial owners presented to the financial institution by the legal entity customer’s representative, provided that the institution has no knowledge of facts that would reasonably call into question the reliability of the information.
What means of identity verification are sufficient to reliably confirm beneficial ownership under the CDD Rule?
Covered financial institutions must verify the identity of each beneficial owner according to risk-based procedures that contain, at a minimum, the same elements financial institutions are required to use to verify the identity of individual customers under applicable Customer Identification Program (CIP) requirements. This includes the requirement to address situations in which the financial institution cannot form a reasonable belief that it knows the true identity of the legal entity customer’s beneficial owners.
Although the CDD Rule’s beneficial ownership verification procedures must contain the same elements as existing CIP procedures, they are not required to be identical to them.
For example, a covered financial institution’s policies and procedures may state that the institution will accept photocopies of a driver’s license from the legal entity customer to verify the beneficial owner(s)’ identity if the beneficial owner is not present, which is not permissible in the CIP rules.
A financial institution’s CIP must contain procedures for verifying customer identification, including describing when the institution will use documentary, non-documentary, or a combination of both methods for identity verification.
In addition, in contrast to the CIP rule, the CDD Rule expressly authorizes covered financial institutions to use photocopies or other reproduction documents for documentary verification.
Financial institutions should conduct their own risk-based analysis to determine the appropriate method(s) of verification and the appropriate documents or types of photocopies or reproductions to accept in order to comply with the beneficial owner verification requirement.
If a covered financial institution has updated the beneficial ownership information on the account(s) of a legal entity customer, and subsequently a new account is opened on behalf of the same legal entity customer, is the institution required to retain all sets of beneficial ownership documentation, thereby retaining up to three sets of information: the original set collected at account opening, the updated set, and a third, a duplicate of the second (updated) set for the new account?
Yes. Covered financial institutions are required to retain all beneficial ownership information collected about a legal entity customer. Identifying information, including the Certification Form or its equivalent, must be maintained for a period of five years after the legal entity’s account is closed.
However, all verification records must be retained for a period of five years after the record is made. Therefore, whether a financial institution must retain a set of identification or verification records is dependent upon the date an account is opened and closed, or the date a record is made.
For example, if a covered financial institution relies on pre-existing beneficial ownership information in its possession as true and accurate identification information when opening a new account for a legal entity customer, the financial institution should maintain the original records, and any updated information, including a record of any verbal or written confirmation of pre-existing information, until five years after the closing of the new account in order to comply with the recordkeeping requirements in the regulation.
Are financial institutions required to have their legal entity customers certify the beneficial owners for existing customers during the course of a financial product renewal (e.g., a loan renewal or certificate of deposit)?
Yes. Consistent with the definition of “account” in the CIP rules and subsequent interagency guidance, each time a loan is renewed or a certificate of deposit is rolled over, the bank establishes another formal banking relationship and a new account is established. Covered financial institutions are required to obtain information on the beneficial owners of a legal entity that opens a new account, meaning (in the case of a bank) for each new formal banking relationship established, even if the legal entity is an existing customer.
For financial services or products established before May 11, 2018, covered financial institutions must obtain certified beneficial ownership information of the legal entity customers of such products and services at the time of the first renewal following that date. At the time of each subsequent renewal, to the extent that the legal entity customer and the financial service or product (e.g., loan or CD) remains the same, the customer certifies or confirms that the beneficial ownership information previously obtained is accurate and up-to-date, and the institution has no knowledge of facts that would reasonably call into question the reliability of the information, the financial institution would not be required to collect the beneficial ownership information again.
In the case of a loan renewal or CD rollover, because we understand that these products are not generally treated as new accounts by the industry and the risk of money laundering is very low, if at the time the customer certifies its beneficial ownership information, it also agrees to notify the financial institution of any change in such information, such agreement can be considered the certification or confirmation from the customer and should be documented and maintained as such, so long as the loan or CD is outstanding.
Greene cited specific areas of the guidance that could create complications. They include questions about:
How pooled investment vehicles that are advised or operated by non-financial institutions will be treated under the rule’s requirement to obtain beneficial ownership information;
what events trigger the requirement to update customer information, especially information apart from beneficial ownership;
the types of actions and contact with the customer that must be undertaken as part of such updates, especially with respect to information apart from beneficial ownership;
what information must be gathered to reasonably understand the “nature and purpose” of a customer’s business; and when a covered institution will be deemed to have “knowledge of facts that would reasonably call into question the reliability” of customer-provided information.
A larger concern, Greene said, is the current relationship between FinCEN and federal banking regulators.
FinCEN has delegated examination authority to the federal functional regulators. These agencies use their own independent authorities to examine for and enforce compliance with the BSA. “This has the potential to lead these regulators to create and enforce their own interpretations of or additions to BSA rules, or otherwise to emphasize enforcement in areas that diverge from FinCEN’s priorities,” he said. “This potentially complicates FinCEN’s ability to establish a coherent approach to AML regulation.”
International Bank of Commerce Vice President Dalia Martinez testified at the House hearing on behalf of the Mid-Size Bank Coalition, an organization that represents 88 community banks in 34 states.
Compliance with the CDD Rule is “very expensive and burdensome,” she said. “[It] has many gray areas that are difficult to implement” and “the rule puts a burden on banks to ensure the information the customer provides is accurate, but banks are not given either the tools or the guidance they need to make that determination.”
Martinez put a price tag on bankers’ pain. Her bank, IBC, has spent 2,912 hours in design and testing and 7,859 hours in training 2,142 employees and officers preparing to comply with this regulation. These expenditures are on top of the $5 million a year it currently spends to comply with existing BSA/AML regulations.
Under the rule, banks can rely on the information that customers disclose about the ownership structure of the bank customer only so long as the financial institution does not “have knowledge” of facts that would reasonably call into question the reliability of the information. “However, FinCEN does not define ‘having knowledge,’ ” Martinez said. “Financial institutions have millions of records. Are we to comb through all our records to ensure information provided on a beneficial ownership attestation does not conflict with a document already contained in the bank’s records?”
An example of a burden created by the rule concerns Certificates of Deposit (CDs) that renew automatically.
“Upon maturity, the CD renews and the customer never has to come to the bank as renewal information is mailed to the customer,” Martinez said. FinCEN FAQs, however, state that upon the first auto renewal of a CD established prior to May 11, 2018, the financial institution must obtain the beneficial ownership and CDD information.
“This means banks will need to contact their customers to try to obtain the beneficial ownership information,” she said. “From my 39 years in banking, I can tell you customers do not update their phone numbers and e-mail addresses with the bank on any regular basis. We will most likely have to rely on mail. If the customer does not respond to the bank’s request, tracking exceptions will be required.”
“Once again, the exception is tracked for BSA exam purposes and is subject to second-guessing after the fact,” she added. “This will lead to even more de-risking, which will harm bank customers, especially small-business customers who are not exempt from any of these requirements.”
The main concerns for Greg Baer, president of The Clearing House Association, are two-fold: The rule requires financial institutions to identify beneficial owners on a per-account basis and not a per-customer basis; and the rule’s preamble does not explicitly affirm FinCEN’s sole ultimate authority to determine CDD standards and may “leave the door open for further ad hoc interpretations by examiners.”
Co-owned by 25 large commercial banks, The Clearing House is the oldest banking payments company in the United States.
There are also procedural concerns and legality questions with the recent guidance, Baer said. Notably, the FAQs were not open to notice and comment as required of rulemaking under the Administrative Procedures Act.
Since adoption of the CDD rule in 2016, Baer explained, financial institutions have invested millions of dollars and rebuilt their internal systems to implement the rule’s provisions ahead of the May 11, 2018, compliance deadline. “The new beneficial ownership information collection requirement has obliged them to make substantial changes to the onboarding of new accounts and employee training practices as well as significant technological investments to incorporate the requirements of the final rule” he said.
The guidance also complicates the offering of financial products that include contractual provisions requiring the financial institution to auto renew them without interruption. “On May 11, financial institutions will be in the untenable situation of either not being in compliance with the FAQs to the CDD rule or breaching their contracts with customers,” Baer said.
“For example, a small business may not be able to pay its employees or vendors, because its line of credit would be put into default until a financial institution can obtain beneficial ownership information from the business; as that default would be the result of a contractual breach by its bank, it could sue for damages,” he added.