Deadline Approaches for Implementation of FinCEN Customer Due Diligence Requirements

Kelley Drye Client Advisory

On May 11, 2016, the Financial Crimes Enforcement Network (“FinCEN”) adopted final rules which codify customer due diligence requirements for financial institutions (the CDD Rule”)[1] under the Bank Secrecy Act (the BSA”).  The CDD Rule became effective on July 11, 2016.  Covered financial institutions, which means banks, broker-dealers, mutual funds, futures commission merchants and introducing brokers in commodities, are reminded that they must comply with the CDD Rule by May 11, 2018 (the Applicability Date”).

According to FinCEN, to ensure clarity and consistency across sectors, the core elements of customer due diligence that should be explicitly incorporated in the anti-money laundering (“AML”) program of a covered financial institution are:

  1. Identifying and verifying the identity of customers;
  2. Identifying and verifying the identity of beneficial owners (i.e., the natural persons who own or control a legal entity customer);
  3. Understanding the nature and purpose of customer relationships; and
  4. Conducting ongoing monitoring.

In issuing the CDD Rule, FinCEN sought to bring additional transparency to the U.S. and worldwide financial systems and bolster its ongoing efforts to combat illicit use of such systems by bad actors.  FinCEN acknowledged that prior to the adoption of the CDD Rule, the first element listed above was already an AML program requirement and the third and fourth elements were implicit requirements for covered financial institutions to comply with suspicious activity reporting obligations under the BSA.  In FinCEN’s view, the above-listed elements constituted the minimum standard for an effective AML program.  Under the CDD Rule, elements three through four became explicit requirements to be incorporated into a financial institution’s AML program.

With the looming deadline, covered financial institutions should by now have in place written procedures and policies that are reasonably designed to identify and verify beneficial owners of legal entity customers.  At a minimum, such procedures should include the elements used by financial institutions to identify their customers under applicable Customer Identification Programs.

Prior to the adoption of the CDD Rule, covered financial institutions were not required to look through an entity’s corporate ownership structure to know the identity of ultimate beneficial owners of a legal entity customer.  Barring certain exceptions and exemptions, when a new account is opened on or after the Applicability Date, a covered financial institution must identify and verify the identity of such beneficial owners.  In practice, a covered financial institution may rely on the beneficial ownership information provided and certified by an individual authorized by the customer on a standard customer certification form[2] or other substantively satisfactory account opening means, provided the covered financial institution has no knowledge of information that makes questionable the information supplied by the customer.  FinCEN declined to provide a blanket safe harbor for the use of the prescribed form.  Covered financial institutions are not required to update beneficial ownership information on a periodic or ongoing basis, but only on an event-driven” basis as in the course of normal, ongoing monitoring related to assessing the customer’s risk profile and information is detected which indicates a possible change in the beneficial ownership of the customer.[3]

Under the CDD Rule, a beneficial owner is, at the time of the account opening, each of the following: (i) an individual who owns directly or indirectly 25% or more of the equity interests of a legal entity customer (the ownership prong); and (ii) an individual with significant responsibility to control or direct the legal entity (e.g., a chief executive officer, chief financial officer, general partner, vice president or individuals who undertake similar duties) (the control prong).  If deemed appropriate as part of its risk analysis, a covered financial institution may identify additional individuals who may not strictly fit into the aforementioned descriptions, but who wield some influence over how the customer operates.

The CDD Rule further enhances AML program requirements in that a covered financial institution’s AML program must also include: (i) a system of internal controls to assure ongoing compliance; (ii) independent testing for compliance; (ii) designation of a compliance officer or individual(s) responsible for implementation and monitoring operations and internal control; and (iv) ongoing training for appropriate personnel; and (v) appropriate risk-based procedures for conducting ongoing customer due diligence to include understanding the nature and purpose of customer relationships to develop customer risk profiles and conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to maintain and update customer information.  Additionally, procedures should address those situations in which a covered financial institution is unable to form a reasonable belief as to the true identity of a beneficial owner. 

FinCEN’s recently issued guidance in the form of Frequently Asked Questions contains additional details concerning the CDD Rule.[4]  For more information, please contact:

Matthew C. Luzadder
(312) 857-2623

Wendy A. Clarke
(203) 351-8141

[3] Summary 31 CFR Parts 1010, 1020, 1023, et al.