Drug cartels and other criminal organizations regularly use shell companies, front companies, and other legal entities to conceal the proceeds of their illegal activities. It is estimated that criminals use legal entities to conceal at least $40 billion of illicit activity every year. See The Puppet Masters: How the Corrupt Use Legal Structures to Hide Stolen Assets and What to Do About It, The International Bank for Reconstruction and Development/The World Bank (2011). The anonymity provided by legal entities can be used to conceal criminals’ identities and make tracking their activities difficult. Regulators outside of the U.S. have already taken steps to require the disclosure of the individuals who control legal entities, and the U.S. recently moved another step closer towards this requirement.
FinCEN Rule Proposal
On July 30, 2014, the Financial Crimes Enforcement Network (FinCEN), a bureau of the United States Department of the Treasury, issued a Notice of Proposed Rulemaking (NPRM), FIN 1506-AB25, to strengthen customer due diligence requirements for financial institutions regulated under the Bank Secrecy Act. 79 Fed. Reg. 45,151 (August 4, 2014). The period for written comments on the NPRM ended on October 3, 2014 and an examination of comments selected for publication reflects some of the challenges financial institutions will face as they “look through” legal entities to identify the natural persons who own or control them.
The institutions affected by the final rule will include banks, broker-dealers, futures commission merchants, introducing brokers in commodities, and mutual funds. FinCEN’s goal is to codify what are commonly referred to as the four “pillars” of customer due diligence: (1) identify and verify the identity of customers; (2) identify and verify the identity of beneficial owners of legal entity customers (i.e., the natural persons who own or control legal entities); (3) understand the nature and purpose of customer relationships; and (4) conduct on-going monitoring to maintain and update customer information and to identify and report suspicious activities.
Identifying Beneficial Owners
The second pillar is the most challenging in that it requires financial institutions to identify beneficial owners. There are two prongs to the identification process. The first prong is the ownership prong; the financial institution must identify each individual, if any, who, directly or indirectly, through contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests in a legal entity customer. The second prong is the control prong and requires the identification of an individual with significant responsibility to control, manage, or direct a legal entity customer. This individual may be an executive officer or senior manager. These two prongs are independent tests, but the first prong will be the most challenging to satisfy.
These tests apply to any “legal entity customer,” which is broadly defined to include most U.S. and foreign corporations, limited liability companies, partnerships, or similar business entities that open a new account. Although the proposed rule does not include trusts within the definition of a legal entity customer other than those created through a filing with a state, it is not clear if estates, revocable or irrevocable family trusts, or unincorporated associations will be subject to the final rule. It should be noted that FinCEN proposes that certain legal entities with existing accounts at certain financial institutions will be exempt from the rule, but as discussed below, new accounts, even if opened by an existing customer, will be subject to the beneficial ownership tests. In this regard, particular challenges may be presented by non-exempt pooled investment vehicles, such as hedge funds, whose ownership structure may continuously fluctuate, rendering the beneficial ownership information only accurate for a brief period of time.
One of the chief concerns expressed in the comments to the NPRM is that the burden and costs associated with the categorical collection of beneficial ownership information will outweigh any benefit that law enforcement will derive from such information. FinCEN estimates that 8 million accounts are opened annually for legal entities covered by the proposed rule. According to FinCEN, this would result in an estimated cost of $54 million across the roughly 21,550 financial institutions covered by proposed rule, including depository institutions (13,375) and broker-dealers (5,100). The cost, however, is likely much higher. Financial institutions must devote additional time and resources to integrate enhanced systems with existing systems and software, such as software for OFAC screening, case management, and employee training modules.
Consistency with Existing Customer Due Diligence (CDD) Standards
Although the NPRM includes, as Appendix A, a standard certification form to be used to identify the beneficial owners of legal entity customers, each financial institution has different customers and varying customer onboarding processes and workflows. Using a prescriptive form moves away from the time-tested “risk-based” approach that allows financial institutions to allocate compliance resources to high-risk customers, but does not create a “safe harbor” for those who use the standard certification form. Financial institutions may be faulted if a regulator believes that “red flags” in certain cases warranted further investigation. This may include the expectation that the financial institution use a lower ownership threshold, such as 10 percent, to identify beneficial owners.
In view of this uncertainty in the application of the proposed rule, some in the industry have suggested modification of language in the rule that undermines the clarity and consistency of the CDD framework implemented by the federal functional regulators to make clear that such regulators have the ultimate authority to determine CDD standards. To that end, consideration should be given under the final rule to expressly permitting financial institutions to utilize a risk-based approach to determine when it is necessary to verify the identity of beneficial owners and how such verification should be performed. This would entail, among other things, permitting financial institutions to collect beneficial ownership information through means other than the model certification form.
Beneficial Ownership Status
In the NPRM, FinCEN advises that it does not expect financial institutions to verify the status of a beneficial owner identified on a certification form (i.e., whether the individual identified on the form is in fact a beneficial owner). Although financial institutions are not expected to undertake an exhaustive analysis to determine beneficial ownership, the proposed rule requires financial institutions to leverage existing customer identification policies to verify the identity of each beneficial owner and respond to circumstances in which they cannot form a reasonable basis that they know the true identity of a beneficial owner. This may pose a challenge when the identity of the individual cannot easily be verified or where the legal entity is domiciled in a jurisdiction with secrecy laws.
Previously Identified Owners
The proposed rule raises an issue as to the obligation of financial institutions when opening a new account for a customer whose beneficial owners have been previously identified consistent with the implementation of Customer Identification Program (CIP) requirements in 2003. To the extent such financial institutions have a reasonable belief that they have previously identified current beneficial owners and such information is current, some question whether such financial institutions should automatically be required to re-identify beneficial owners upon the opening of a new account for the customer. Guidance in this area will likely help to avoid confusion and the misallocation of resources that are better focused on higher risk customer relationships.
Intermediated Account Relationships and Omnibus Accounts
In the NPRM, FinCEN expresses concern about the illicit finance risks posed by underlying clients of intermediary customers because of the lack of insight financial institutions have into those clients and their activities. Id. at 45,161. An “intermediary” generally refers to a customer that maintains an account for the primary benefit of others, such as the intermediary’s own underlying clients. For example, broker-dealers may establish omnibus accounts for a financial intermediary (e.g., an investment advisor) that, in turn, establishes sub-accounts for the intermediary’s clients, whose information may not be disclosed to the broker-dealer. Id. at 45,160.
FinCEN has advised that, for purposes of the beneficial ownership requirement, if an intermediary is the customer, and the financial institution has no CIP obligation with respect to the intermediary’s underlying clients pursuant to existing guidance, a financial institution should treat the intermediary rather than the intermediary’s underlying client as its legal entity customer. Id. at 45,161. For example, a broker-dealer that appropriately maintains an omnibus account for an intermediary, under the conditions set forth in the 2003 Omnibus Guidance for Broker-Dealers, may treat the intermediary, and not the underlying clients, as its legal entity customer. Id.
Indirect Ownership Interests
The proposed rule requires that, where a legal entity customer is owned by (or controlled by) one or more other legal entities, financial institutions look through those other legal entities to determine which natural persons own 25 percent or more of the equity interests of the legal entity customer. Id. at 45,158. FinCEN recognizes that identifying such owners can be challenging in cases of complex corporate organizations. While FinCEN has advised that it does not expect financial institutions to perform complex and exhaustive analysis to determine with legal certainty whether an individual is a beneficial owner, FinCEN expects financial institutions to be able to rely generally on the representations of the customer when answering the financial institution’s questions about the individual persons behind the legal entity, including whether someone identified as a beneficial owner is in fact a beneficial owner under the rule. Id. at 45,162.
Guidance in the Preamble
Notably, the preamble to the proposed rule contains substantive guidance in a number of areas that are important to financial institutions. For instance, the preamble provides that FinCEN recognizes that inherent information about a customer relationship, such as the type of customer, the type of account opened, or the service or product offered, may be sufficient to understand the nature and purpose of the relationship. Id. at 45,163. The preamble also contains the guidance, discussed above, concerning financial institutions’ reliance on the representations of the customer when identifying beneficial owners. Strong consideration should be given to including in the final rule guidance from the preamble that is instructive on important issues.
The proposed rule would require that financial institutions conduct “ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.” Proposed 31 C.F.R. § 1010.210(b)(5)(ii). FinCEN states that financial institutions would satisfy the requirement “by continuing their current monitoring practices, consistent with existing guidance and regulatory expectations,” citing the BSA/AML Examination Manual as an example of existing guidance. 79 Fed. Reg. 45,164 at n. 59. FincCEN further states that “monitoring is also a necessary element of detecting and reporting suspicious activities, and as such must apply not only to ‘customers’ for purposes of CIP rules, but more broadly to all account relationships maintained by the covered financial institution.” Id. at 45,164
Most in the financial services industry would agree that financial institutions are generally obligated to detect and report the suspected use of their facilities for illicit purposes. FinCEN’s broad statement extending the on-going monitoring requirement to “all account relationships,” however, seemingly implies a uniform requirement that appears at odds with the longstanding principle that AML compliance resources should be focused on accounts that pose the greatest risk of money laundering and/or terrorist financing.
Although the NPRM proposes an effective date of one year from the date of the issuance of the final rule, many of the comments received in response to the NPRM urge a longer effective date of 18 months or two years to allow for implementation. Indeed, many financial institutions cannot begin planning implementation efforts until the proposed rule is finalized. Further, information technology budgets are commonly set in the third quarter of the current year. Accordingly, if the rule for instance is finalized in early 2015, implementing IT enhancements necessary to comply with the rule on its effective date may prove problematic, resulting in the deferment of technology upgrades to other systems. Because it appears inevitable though that financial institutions will be required to “look through” legal entity customers, it is not too early to start planning for implementation of the final rule.
For more information on this client advisory, please contact:
Matthew C. Luzadder