On Jan. 22, 2019, the Financial Industry Regulatory Authority (FINRA) released its annual Priorities Letter, in which the organization described the areas that it will focus on during examinations. One such area is the implementation of the Financial Crimes Enforcement Network’s (FinCEN) Customer Due Diligence (CDD) Rule and its Beneficial Ownership Rule.
The Rule, which came into effect on May 11, 2018, requires firms to:
FinCEN allowed a 2-year implementation period after issuing the Final Rule on May 11, 2016, and most financial institutions already had long-standing policies and procedures in place with respect to many of the Rule’s requirements.
However, the requirement to identify the beneficial owners of legal entity customers was a dramatic change in policy and procedure with respect to onboarding and ongoing monitoring of legal entity customers and was one of the challenges presented in the implementation.
This five-part whitepaper explores the most significant challenges faced by financial institutions in implementing the beneficial ownership requirement of the CDD Rule as well as recommendations for complying with the various requirements.
Financial institutions affected by the beneficial ownership rule include:
Institutions that are currently not covered include:
Before identifying the beneficial owner, identify the legal entity customer
The CDD Rule requires a financial institution to obtain and verify the identity of each beneficial owner of a legal entity customer. However, before identifying the beneficial owner(s), one must first define what constitutes a legal entity customer.
According to FinCEN, a legal entity customer is a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or another similar office; a general partnership; or any similar entity formed under the laws of a foreign jurisdiction that opens an account.
While on the surface this seems simple, FinCEN has also outlined an extensive list of exemptions, and financial institutions need to analyze their own commercial customer bases and target markets for types of entities that may or may not qualify as legal entities under the CDD Rule. Exemptions include (but are not limited to):
A financial institution with a customer base that includes governmental and quasi-governmental agencies (federal, state or municipal), other financial institutions both domestic and foreign, and foreign legal entities should pay special attention to these definitions and exclusions.
A financial institution’s own policies and risk appetite come into play when deciding the type of legal entity for a commercial customer. There are several options with a wide variety of nuances among them.
For example, the institution could identify the customer’s specific category of legal entity during the onboarding/due diligence process through a review of the entity’s formation document(s) and prior to requesting the certification of beneficial ownership from the customer. This may be the simplest solution for the vast majority of legal entity customers, which will most likely be LLCs, closely held corporations, and partnerships.
At the opposite end of the spectrum, the customer could be asked to self-identify its legal entity type from a detailed list of inclusions and exclusions provided by the institution. While the latter removes much of the risk from the institution of incorrectly excluding a particular customer from beneficial ownership identification requirements, this could be perceived as burdensome from a customer relations perspective.
The CDD Rule has two “prongs” of beneficial ownership: an ownership prong, and a control prong.
The ownership prong is any individual (human) person who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, owns or controls 25 percent or more of the equity interests of a legal entity customer.
With closely held corporations, it is very common to find 25% or more owners that are private trusts rather than individuals, shielding these assets from the trust grantor/beneficiary’s creditors. In these situations, the beneficial owner is the individual who is the Trustee of the trust.
The control prong of beneficial ownership represents a single individual with significant responsibility to control, manage or direct a legal entity customer. An executive officer or senior manager such as CFO, CEO, etc. meets this definition.
The legal entity customer must identify one individual under the control prong, regardless of whether or not any beneficial owners under the ownership prong exist. In other words, a legal entity customer may have no beneficial owners under the ownership prong, but will always have one under the control prong.
It is critical that the financial institution requires the customer to supply the beneficial owners’ names and identifying information, under both prongs. In the US today, most states do not collect this information, making it unavailable through public records.
Ownership information may sometimes be gleaned from a company’s formation documents; however, this information is typically limited to only the entity’s direct owners and their initial capital contributions.
In a multi-tiered structure, it is highly likely that no public information is available identifying the ultimate owners. The customer representative who is opening the account and completing the beneficial ownership certification may not have the detailed ownership information for a multi-tiered structure.
In this situation, the customer representative must contact the company’s legal counsel to obtain this information—the financial institution must not do this on the customer’s behalf.
The CDD Rule mandates that 25% is the minimum ownership threshold. However, financial institutions are free to require ownership information at a lower threshold, based on risk. For example, an institution may determine that non-US commercial customers domiciled in certain countries are higher risk, and therefore require that all beneficial owners of, say, 15% or more be identified.
The 25% threshold has the potential for added risk when individual owners seek to maintain anonymity. Federal law enforcement has commented that there will likely be a significant increase in individuals’ corporate ownership percentages that are just under this 25% threshold (e.g., 24.9%, 24.5%, etc.), as those seeking to remain hidden presume that financial institutions will use the 25% standard.
Vendor solutions for identifying beneficial ownership of legal entities are showing up everywhere now that the CDD Rule has taken effect. Unfortunately, because corporate ownership information for non-traded entities (the bulk of corporations in the U.S. today) is neither collected nor stored by most states, this information will likely have been obtained indirectly and could be out of date. Use caution and request a real-life demo before purchasing a system or database of corporate ownership data.
To comply with the CDD Rule, ensure the following is done within your organization:
Collecting beneficial ownership information
The CDD Rule provides a very simplistic template for a beneficial ownership data collection and attestation form. The Rule clearly states that the use of this specific template is not mandatory and that financial institutions are free to develop their own formats.
At first, many financial institutions’ legal counsels were loath to deviate in any way from the FinCEN template, fearing the risk of not collecting the right information. As time has passed, more and more institutions are now using their own versions, collecting additional information beyond the basics. Here is the basic information to be collected:
Financial institutions have expanded on this basic information with their own customized beneficial ownership forms, requesting data such as:
Some institutions have gone a step further by requiring that the legal entity self-identify its type/classification from a list of all the entity types identified in the CDD Rule, including those that are exempt from beneficial ownership reporting.
If the customer is an exempt entity type (such as a publicly traded company), the customer need only sign and return the form, with no further data provided. Although it results in a much longer form, this practice provides several significant advantages:
The beneficial ownership form’s delivery to and return by the legal entity customer poses its own set of challenges. Institutions must weigh the costs and risks versus benefits of the three basic formats: paper; electronic/emailed; and online entry.
One of the most challenging aspects of the CDD Rule, for which no clear guidance is offered, is how to effectively manage beneficial owner data. Beneficial owner information is a new and unique set of data elements for most financial institutions.
The institution’s client/accountholder/borrower is the legal entity itself, not the individuals who control it. Most financial institutions’ legacy databases and systems were not designed to capture information about individuals who may be several times removed from the legal entity itself, as is often the case with multi-layered ownership structures.
Institutions should consider these elements when deciding where to store their legal entity customers’ beneficial owner data:
A data interface to the institution’s OFAC (Office of Foreign Assets Control) automated screening system or other sanctions screening system ensures beneficial owners (in particular, those under the ownership prong) are not sanctioned parties named on the Specially Designated Nationals and Blocked Parties list currently or in the future.
To comply with the CDD Rule, ensure the following is done within your organization:
The CDD Rule requires financial institutions to apply the same customer identification principles to beneficial owners as the USA PATRIOT Act does for customers (also known as the Customer Identification Program, or “CIP” rules).
Financial institutions must, at a minimum, apply the same CIP processes for beneficial owners as for direct individual account owners.
In a simple legal entity structure where one or more individuals are the direct owners of the business, applying CIP processes is relatively straightforward. These individuals are often directly involved in the day-to-day operation of the enterprise and are readily accessible for obtaining identity verification documents.
However, a significant proportion of legal entities in the U.S., in particular limited liability corporations (“LLCs”), have highly complex structures. For various reasons, both legitimate and not, the individuals who are the true beneficial owners are often shielded behind multiple layers of intermediate LLCs acting purely as holding companies, with no other business purpose. Identifying these individuals is one of the primary objectives of the CDD Rule.
These individuals may often have no direct involvement in day-to-day business activities and may be significantly distanced from the enterprise both financially and geographically. Obtaining their identifying documents presents a much more significant challenge to the financial institution.
FinCEN acknowledges the unique challenges in obtaining identification documentation from beneficial owners who are often far removed from the business’s routine activities.
In what was to be the first of several Guidance documents covering Frequently Asked Questions regarding the CDD Rule [FIN-2018-G001, April 3, 2018], FinCEN clarifies that a financial institution may accept photocopies of driver’s licenses (or other identity documents) from legal entity customers to verify their beneficial owners’ identities if these individuals are not present at account opening.
This practice is specifically not permitted under the CIP rules for direct account holders.
For financial institutions that offer online account opening to legal entity customers, the option to accept photocopies of beneficial owners’ identification documents is especially helpful. The customer representative may simply provide copies of beneficial owners’ identity documents electronically, either through the account-opening portal or by email.
Special considerations arise with respect to the confidentiality of documents provided through electronic channels. The online account-opening portal should provide a high level of security over this confidential data. Transmission through email should take place over a secure/encrypted channel.
It is common for a financial institution to open multiple accounts for a particular legal entity customer over time. Businesses often separate their funds into different accounts for fiduciary or accounting purposes, such as payroll or accounts payable disbursements, accounts receivable deposits, short-term investments, and the like.
The CDD Rule states that a financial institution must identify and verify the identity of each beneficial owner of a legal entity customer at the time each new account is opened. Fortunately, FinCEN supplementary guidance has provided some relief when an existing customer, with the same beneficial owners, opens a new account.
If the legal entity’s beneficial owner(s) have already been identified pursuant to the financial institution’s CIP process, it may rely on information in its possession to fulfill the identification and verification requirements for the new account opening. There are two caveats, however: The existing information must be current and accurate, and the legal entity customer’s representative must attest to the accuracy of the pre-existing information, either in writing or verbally.
While this practice does eliminate the often onerous and customer-unfriendly process of obtaining new beneficial owner identity documents with every new account the existing business customer opens, complete and detailed records must be maintained to ensure compliance with the CDD Rule is well-documented.
The financial institution’s beneficial ownership record for the new account should clearly cross-reference the existing CIP record for each individual. Obtaining written attestation (rather than verbal) from the customer’s representative as to the accuracy of the existing beneficial owners’ identity documents tends to promote better overall information quality and clearly documents the financial institution’s compliance process.
When opening an account for a legal entity, the account owner/customer is the legal entity itself, not those who own or control it.
The CIP rules are highly focused on identity verification processes for natural persons/individuals and not legal entities. Accordingly, financial institutions have had to establish their own unique risk-based requirements for identifying the legitimate existence of a legal entity customer.
Documentary methods of identity verification can be relatively straightforward for the most common legal entity types, including LLCs, corporations, and limited partnerships. Corporate formation documents, such as Articles of Incorporation (for corporations), Articles of Organization and Operating Agreements (for LLCs), and Partnership Agreements (for various types of partnerships), should be obtained and confirmed to be accurate and current. The entity’s standing with its Secretary of State is generally easy to confirm online or through a corporate data aggregation service. Additional documents that help support the entity’s existence as bona fide include Bylaws, minutes of meetings of Directors/Members/Shareholders, and shareholder registers.
Challenges may arise with certain types of businesses. For example, a number of U.S. states do not require a general partnership to register with the Secretary of State, or even to execute a written Partnership Agreement. A sole proprietorship, while not considered a legal entity separate from the individual (or spouses) who operates it, nevertheless should be validated as a legitimate business enterprise when opening an account. In these cases, documentation supporting business operations should be obtained, such as a Schedule C (or Schedule F for a farming business) from the individual’s most recent federal income tax return.
The CDD Rule, as well as the CIP rules, requires the financial institution to establish a “reasonable belief” that it knows the true identities of both the legal entity customer and its beneficial owners. “Reasonable belief” is a subjective term for which each financial institution must establish its own risk-based definition.
The CIP rules (and by default, the CDD Rule) require a financial institution to establish procedures for responding to situations when such “reasonable belief” cannot be established. These must include what constitutes a lack of reasonable belief; the terms under which a customer may use an account while identity verification is pending; when an account should not be opened (or closed, if temporarily opened) if identity verification fails; and when filing a Suspicious Activity Report (SAR) regarding customer or beneficial owner identity is justified.
To comply with the CDD Rule, ensure the following is done within your organization:
For decades, anonymous company ownership has been abused for illegal financial gain, whether it be money laundering, tax evasion, terrorist financing, or other criminal activities. The United States, in particular, has long been considered one of the largest money laundering havens in the world, due to its anonymous corporate formation laws, legal use of nominee (proxy) directors/shareholders, and corporate service agents that provide a brick-and-mortar address and answering service for companies that exist only on paper.
In a statement on the “Introduction of the Incorporation Transparency and Law Enforcement Assistance Act” former U.S. Senator Carl Levin (D-Mich) stated, “Right now, in the United States, it takes more information to get a driver’s license or to open a U.S. bank account than to form a U.S. corporation.”
The United States’ response to prolonged criticism of its anonymous corporate formation laws by the Financial Action Task Force, a global anti-money laundering regulatory standard-setting group, has been the CDD Rule. While certainly not perfect—anonymous corporate formation remains alive and well—the collection of self-reported beneficial ownership data by financial institutions has opened up opportunities for enhanced identification, and reporting to law enforcement, of risky company ownership and transactions that were once almost undetectable.
Without beneficial ownership data, financial institutions could not identify seemingly unrelated business account holders that are, in fact, ultimately controlled by the same individuals. Nefarious actors may create multiple shell companies—or quasi-legitimate businesses—where the true beneficial owners are hidden behind layers of LLCs or Limited Partnerships, then open bank accounts for these entities at the same financial institution, but at different branches or even in different states. Funds are easily moved between accounts in what on the surface appear to be arms-length transactions between unrelated businesses, when in fact a “layering” process is occurring.
With an appropriately managed database of beneficial ownership data, new and existing business accounts with shared partial or full beneficial ownership may now be actively connected. In essence, this could take the form of “householding,” a technique used in the financial services industry that provides for the grouping of accounts by client data rather than an account number or tax ID. This gives the financial institution the opportunity to assess the risks associated with these once-unrelated, but now connected, accounts and customers—in particular, across branches and regions.
With beneficial ownership and associated corporate connection data in place, a financial institution’s transaction monitoring system can be finely tuned to flag potential money laundering or other questionable activity for further investigation.
For example, if the financial institution now knows that its customer Park Place LLC, located in New York City, and its customer Boardwalk Partners LP, in Los Angeles, are connected through joint beneficial ownership by two individuals, it can monitor for unusual or suspicious patterns of wire transfer, withdrawal, and deposit activity between these two entities.
The financial institution may also monitor for external payments made to or from Park Place LLC or Boardwalk LP to the identified beneficial owners themselves, or to unusual recipients such as trusts or other unidentified legal entities.
Should patterns of unusual or suspicious external payments to or from unidentified domestic legal entities become apparent, financial institutions may request information about those external account holders—and their beneficial owners—from the sending/receiving financial institution under the 314(b) Information Sharing provision of the USA PATRIOT Act.
Because the CDD Rule is built on self-reporting by the legal entity customer of its beneficial owners (or absence thereof), the potential for inaccurate data, whether unintentional or deliberate, remains significant.
In addition, the legal use of nominee shareholders poses a further hindrance to both law enforcement and financial institutions in identifying true beneficial owners. When analyzing beneficial ownership data, financial institutions should watch for repeated use of the same shareholder names, as it is common for the same individual to allow his/her name to be used hundreds of times as a nominee.
Corporate formation agents similarly use their own physical addresses for shell corporations, so mining for legal entity customer address data with identical physical locations in Wyoming, Delaware, and Nevada in particular may uncover similar concerns.
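The householding and data-mining checks described above, as an added example that is not part of the original whitepaper. The two entity names come from the article's example; every individual, address, percentage and other entity is constructed, and matching owners on normalized name plus date of birth is an assumption made for illustration.

```python
from collections import defaultdict

# Constructed sample data, assumed to be collected at a 15% reporting threshold.
# Each owner is (name, date of birth, ownership percent).
RECORDS = [
    {"entity": "Park Place LLC", "address": "1 Example Ave, New York, NY",
     "owners": [("Ann Lee", "1970-01-01", 50.0), ("Raj Patel", "1965-05-05", 50.0)]},
    {"entity": "Boardwalk Partners LP", "address": "9 Sample Blvd, Los Angeles, CA",
     "owners": [("ann  lee", "1970-01-01", 60.0), ("Raj Patel", "1965-05-05", 40.0)]},
    {"entity": "Baltic Holdings LLC", "address": "100 Agent St, Suite 5, Cheyenne, WY",
     "owners": [("Sam Nominee", "1980-02-02", 24.9), ("Kim Roe", "1990-03-03", 24.5)]},
    {"entity": "Oriental Trading LLC", "address": "100 AGENT ST, SUITE 5, CHEYENNE, WY",
     "owners": [("Sam Nominee", "1980-02-02", 100.0)]},
    {"entity": "Ventnor Supply Inc", "address": "7 Main St, Reno, NV",
     "owners": [("Sam Nominee", "1980-02-02", 30.0), ("Joe Poe", "1975-04-04", 70.0)]},
]


def norm(text):
    """Lower-case and collapse whitespace so trivial variants compare equal."""
    return " ".join(text.lower().split())


def owner_key(name, dob):
    """Identity key for an individual (assumption: name plus date of birth)."""
    return (norm(name), dob)


def households(records):
    """Group entities that share at least one beneficial owner (union-find)."""
    parent = {r["entity"]: r["entity"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}  # owner key -> first entity that listed this owner
    for r in records:
        for name, dob, _pct in r["owners"]:
            key = owner_key(name, dob)
            if key in first_seen:
                parent[find(r["entity"])] = find(first_seen[key])
            else:
                first_seen[key] = r["entity"]

    groups = defaultdict(set)
    for entity in parent:
        groups[find(entity)].add(entity)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def near_threshold(records, threshold=25.0, band=1.0):
    """Owners whose stake sits just under the 25% standard (e.g. 24.9%)."""
    return sorted((r["entity"], norm(name), pct)
                  for r in records for name, _dob, pct in r["owners"]
                  if threshold - band <= pct < threshold)


def repeated(records, min_entities):
    """Owners and addresses that recur across at least min_entities entities."""
    owner_hits, addr_hits = defaultdict(set), defaultdict(set)
    for r in records:
        addr_hits[norm(r["address"])].add(r["entity"])
        for name, dob, _pct in r["owners"]:
            owner_hits[owner_key(name, dob)].add(r["entity"])

    def pick(hits):
        return {k: sorted(v) for k, v in hits.items() if len(v) >= min_entities}

    return pick(owner_hits), pick(addr_hits)


if __name__ == "__main__":
    print("Connected accounts:", households(RECORDS))
    print("Just under 25%:", near_threshold(RECORDS))
    print("Possible nominees:", repeated(RECORDS, 3)[0])
    print("Shared addresses:", repeated(RECORDS, 2)[1])
```

Each hit is a lead for review rather than a finding: shared owners and shared addresses also occur in legitimate corporate groups.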
Beneficial ownership data offers new opportunities to enhance customer risk assessment and transaction monitoring, allowing the financial institution to identify connections between legal entities once hidden.
A financial institution’s transaction monitoring system, with beneficial ownership and associated intercompany relationship information in its database, may be tuned to detect patterns of unusual or suspicious transactions between seemingly unrelated entities and individuals.
Further mining of legal entity customer ownership and address data may detect the potential use of nominees as beneficial owners, or of corporate formation agents’ locations as a physical address.
Most of the United States anti-money laundering laws and regulations are written in a broad context, with the intent that each financial institution will assess its own specific risk-based compliance process.
The CDD Rule is no exception, and in fact, is perhaps even more lacking in specificity than many of its predecessors. As a result, FinCEN has already given clarification on a significant number of points not adequately described in the original Rule. This makes compliance even more complex, as the rules to be complied with are spread across the original Final Rule and multiple Guidance documents.
The key to successful compliance, both from an internal processing perspective as well as regulators’ audit reviews, is complete and clear documentation.
Good documentation, from a regulatory compliance perspective, provides a clear answer to these key questions:
The “why” is arguably the most important of all these questions. It clarifies to regulators, internal auditors, and management (and for posterity) exactly what the financial institution’s rationale was in implementing a particular process.
This rationale should incorporate the specific regulatory citation (or subsequent FinCEN guidance) upon which the decision was based, along with the factors involved in the decision-making process. Another benefit of documenting “why” is that it removes the risk of referencing anecdotal information when those who made the decision are no longer available.
Examples of documentation practices to comply with Beneficial Ownership requirements:
Documentation of regulatory compliance should be reflected across multiple formats, depending on how the information will be used and what level of granularity is required.
At the highest level, a “Decision Document” may be used to describe the high-level process, regulatory interpretation, and rationale such as the When/What/Who/Why method described above. Decision Documents can provide one additional and important benefit: buy-in from all stakeholders impacted by the process. Circulating a draft of each Decision Document prior to finalization and subsequent procedure development ensures all affected departments are on board with the new process (and that their concurrence is documented as well). Decision Documents are typically created and maintained by the financial institution’s compliance group.
From the Decision Document, detailed desk procedures can then be designed to implement the process in accordance with the decisions made. Desk procedures should cross-reference their applicable Decision Documents, and vice versa, providing a complete audit trail from decision to procedure and back again.
While this type of documentation may initially seem burdensome, it becomes invaluable to ensuring procedures are based on decisions made thoughtfully and with full stakeholder buy-in, and to provide regulators with the financial institution’s basis for compliance decisions.
As organizations like FINRA begin to assess the effectiveness of the implementation of the CDD Rule, some financial institutions may have to revisit their risk assessments, policies, and procedures to ensure proper compliance. For those looking at the beneficial ownership aspect of the Rule, consider these tips: