Photo Credit: Scandinavian Stock

As the saying goes, the chickens have finally come to roost. FinCEN and the banking authorities have issued a final ruling on beneficial ownership with respect to Customer Due Diligence, now requiring financial institutions to identify beneficial owners of covered businesses as part of the account opening process. The final ruling has been issued after years of debate and a pinball machine of comments from banks and other covered institutions.

The final rule establishes an additional pillar (referred to as the “fifth pillar”) of an Anti-Money Laundering compliance program. The well-known four pillars of an effective AML program include: policies, procedures, and internal controls; independent testing; a designated compliance officer; and training. This fifth pillar will require banks to establish risk-based procedures for conducting ongoing customer due diligence, including the development of customer risk profiles and implementation of ongoing monitoring to identify and report suspicious activity and, on a risk basis, to update customer information. What is especially pertinent is the fact that customer profiles are to be updated based on “event driven” circumstances. Whereas banks were questioning the capacity of updating all customer information, hence putting each customer account on a frequency schedule, the new ruling clarifies that a customer profile should be revisited and updated based upon certain events that otherwise would not have occurred. For example, if a convenience store that routinely deposits $10,000 per month were to suddenly begin depositing $500,000 per month, this sort of event would prompt the Bank to revisit the customer’s profile and update it accordingly.

Secondly, FinCEN has clarified the definition of a “beneficial owner” and has done so using a two prong approach. The Rule defines beneficial owner as each of the following:

• Ownership Prong: Each individual, if any, who, directly or indirectly, owns 25% or more of the equity interests of a legal entity customer
• Control Prong: A single individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or any other individual who regularly performs similar functions. This list of positions is illustrative, not exclusive, as there is significant diversity in how legal entities are structured.

Fortunately, certain aspects of the new ruling won’t impose anything different than what most banks should already be doing. The verification procedures contain the same elements required under the existing Customer Identification Program. This is beneficial in a sense, at least from an employee training standpoint, as account opening representatives would apply most, if not the same, controls as they would any other customer entering the Bank seeking to open an account. At a minimum, records must include the identifying information obtained (including the certification form, if used) and a description of documents that the financial institution reviewed to verify the beneficial owner’s identity. Recordkeeping requirements apply the same way as well. Banks must retain the identification records for five years after the account is closed, and retain the verification records for five years after the record is made.

Many covered institutions may be wondering (and this is certainly a valid question), does this ruling apply to my existing customers? Fortunately, it does NOT, so take a deep breath, as this does not require your bank to retroactively identify and apply the beneficial ownership identification requirements to your existing business customer. But what if an existing customer under the confines of the regulation decides to open a new account with the Bank, meaning, the customer comes in and wishes to open a secondary operating account, or even a payroll account? Does this mean that covered institutions have to apply the identification requirements then? This may be a question to ask your regulator for further clarity, as the guidance is somewhat vague in this regard. Common sense would point banks in the direction of applying the requirements in such circumstances, but some may disagree.

While covered financial institutions should begin to implement risk-based procedures to comply with the new ruling (if they haven’t done so already), there’s plenty of time to establish such policies, as well as reflect on the impact that the new ruling will have on your institution’s program. The new ruling doesn’t take effect until May 11, 2018, but it is imperative that banks begin to establish controls and train their employees on these new standards long before that start date.

 

Comments