with co-author Sean Wagner
On May 11, 2016, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a new customer due diligence rule which requires, among other things, covered financial institutions to collect and verify information on beneficial owners of accounts opened in the name of a legal entity (CDD Rule). Financial institutions have two years, until May 11, 2018, to implement the rule and ensure compliance.
What is the CDD Rule?
The CDD Rule outlines explicit customer due diligence requirements designed to prevent bank customers from using financial systems for illicit purposes. The CDD Rule applies to a wide variety of covered financial institutions, which are defined as insured banks, commercial banks, U.S. branches and agencies of foreign banks, federally insured credit unions, savings associations, Edge Act corporations, certain federally regulated trust companies, broker-dealers subject to SEC registration requirements, futures commission merchants, brokers in commodities and mutual funds.
Covered financial institutions will be required to identify and verify the identity of the beneficial owners of all legal entity customers at the time each new account is open. In other words, if a new account is open in the name of a corporation, limited liability, general partnership or other entity formed under domestic or foreign laws (unless otherwise excluded under the CDD Rule), the covered financial institution must identify any beneficial owner who directly or indirectly owns 25 percent or more of the equity interests of the entity and is a single individual with significant responsibility to control, manage or direct a legal entity customer.
What Steps Can Your Business Take Now?
1. Update Policies and Procedures.
The CDD Rule requires covered financial institutions to establish and maintain written procedures that are reasonably designed to identify and verify the beneficial owners of legal entity customers. These procedures must enable the institution to identify the beneficial owners of each customer at the time a new account is opened, unless the customer is otherwise excluded or the account is exempted. Likewise, compliance and legal departments will want to analyze how the business will build in processes to ensure that exempt and excluded customers and accounts are identified and tracked.
The policies and procedures must also establish risk-based practices for verifying the identity of each beneficial owner disclosed to the covered financial institution, to the extent reasonable and practicable. The customer identification procedures should outline a methodology sufficient to verify the identity of customers that are individuals under applicable customer identification requirements, including, but not limited to, each customer’s name, date of birth, address and taxpayer or other identification number. This information will form the baseline for risk profiles associated with each customer, which will now include information regarding the beneficial owners of legal entity customers. The CDD Rule requires covered financial institutions to conduct ongoing monitoring of accounts and identify suspicious activity utilizing customer risk profiles to enhance detection of suspicious transactions. Under the CDD Rule, covered financial institutions will need to formulate updated procedures and guidelines for identifying suspicious activities to include reasonable consideration of customer risk profiles.
2. Implement Risk-Based Procedures.
The CDD Rule amends the Anti-Money Laundering (AML) program to explicitly require covered institutions to implement and maintain appropriate risk-based procedures for conducting ongoing due diligence. Covered financial institutions should begin the process now of understanding the nature, purpose and scope of the institution’s customer relationships and develop processes to monitor and identify ongoing customer due diligence. For example, an institution should assess the following functions and begin implementing changes to adapt to the CDD Rule:
- Implement new (and update existing) independent testing, audit functions and reporting;
- Designate a compliance officer or other individual for day-to-day compliance with the CDD Rule;
- Implement new (and update existing) training for appropriate personnel;
- Ensure that internal controls, feedback loops and oversight by management and the board incorporate the CDD Rule requirements;
- Utilize in-house and external legal resources to monitor developments in FinCEN guidance and enforcement actions, and review policies, procedures and processes to ensure that these implementations are meeting the legal standards under the CDD Rule.
3. Collect and Store Information About Beneficial Ownership.
Covered financial institutions must collect and verify the beneficial ownership information from each person who meets the definition under the dual prongs of ownership and control identified above. Institutions need to consider how this information will be stored, updated and cross-referenced to reduce costs and duplication. Additional considerations, such as data privacy, information security and storage of non-public personal information should be reviewed.
4. Monitor Developments and Additional Guidance.
On July 19, 2016, FinCEN issued Frequently Asked Questions to assist covered financial institutions in understanding the scope, purpose and requirements under the CDD Rule. FinCEN has indicated that it intends to issue additional Frequently Asked Questions and guidance as appropriate. It will be imperative that covered financial institutions continue to monitor developments, explanations and guidance to ensure that current programs and anticipated changes to policies, procedures, risk process, training and controls are in line with FinCEN expectations.
The CDD Rule presents a number of operational challenges for covered financial institutions related to the gathering, storage and effective utilization of customer and beneficial owner information. In light of these challenges, as well as the heightened expectations of government stakeholders, covered financial institutions should begin the process of reviewing and updating existing policies, procedures and systems to ensure they have the necessary infrastructure to comply with the CDD Rule when it goes into effect on May 11, 2018.