The Financial Crimes Enforcement Network (“FinCEN”) has issued a final rule that significantly broadens customer due diligence requirements. Most importantly, it requires financial institutions to identify and verify “beneficial owners” when opening new accounts for “legal entity” customers. The final rule also requires financial institutions to develop written “customer risk profiles” based on the nature and purpose of a legal entity’s relationships with its beneficial owners, and to conduct ongoing monitoring to identify and report suspicious transactions involving these accounts. Covered financial institutions are required to comply with the final rule by May 11, 2018.

In addition to federally insured banks and thrifts, other “covered financial institutions” include federally insured credit unions, mutual funds, securities brokers/dealers, futures commission merchants, and introducing brokers in commodities transactions.

Beneficial Ownership Requirements

Financial institutions are now required to obtain, verify and record the identities of the “beneficial owners” of “legal entity” customers when a new account is opened, unless the type of customer or account is expressly excluded from these requirements.

Who Are Legal Entity Customers?

Included: Corporations, limited liability companies, any entity that is created by the filing of a public document with a Secretary of State or similar office, general partnerships, and similar entities formed under the laws of a foreign jurisdiction. Also included are limited partnerships and business trusts that are created by a filing with the state.

Excluded: Natural persons opening accounts on their own behalf, sole proprietorships, unincorporated associations, and trusts (other than statutory trusts created by a filing with the state), as well as banks, bank holding companies, insurance companies, qualifying foreign financial institutions, certain pooled investment vehicles, companies publicly traded on the New York, American or NASDAQ stock exchanges, other SEC-registered entities, and certain state and federal governmental units.

Types of accounts that are excluded include an account for a legal entity customer that is for point-of-sale purchases of retail goods or services, and accounts for financing equipment for which payments are remitted directly by the financial institution to the equipment vendor or lessor. These accounts are not exempt, however, if a legal entity customer can make payments to, or receive payments from, third parties through such an account, or if there is a possibility of a cash refund on the account activity.

Who Are Beneficial Owners?

The final rule defines two types of beneficial owners, those who have an ownership interest in the financial institution's customer, and those who control the financial institution's customer.

Ownership:  Each individual (if any) who directly or indirectly owns 25% or more of the equity interests of a legal entity customer (which may be up to four individuals).

Control:  One individual with significant responsibility for controlling, managing or directing a legal entity customer, such as an executive officer or senior manager. Legal entities may identify more than one such individual, but are only required to identify one.

Required Due Diligence Procedures

The new rule requires financial institutions to develop written customer due diligence procedures that are reasonably designed to identify and verify the beneficial owners of legal entity customers who open a new account.

Identification: The financial institution may identify beneficial owners either by using the new certification form included in the rule as Appendix A, or by obtaining the information required in the Appendix A form by other means (such as by using the institution’s own form). The individual opening the account must certify the accuracy of this information, and the financial institution may rely on the information supplied by the customer provided it has no knowledge of facts that could reasonably call into question the reliability of the information.

Verification: At a minimum, the procedures must be identical to the institution's CIP procedures required for verifying the identity of individual customers. Consequently, financial institutions must collect the name, date of birth, address and social security number or other government-issued identification number (e.g., the passport number or similar information in the case of foreign persons) of beneficial owners. Financial institutions may rely on photocopies or other reproductions of identity documents, but they should conduct their own risk-based analyses so that such reliance is reasonable.

The identification and verification requirements are not retroactive. They apply only to legal entity customers that open accounts after May 11, 2018.

Also note that financial institutions must retain verification records for five years after a record is made, and they must retain identification records for five years after the date the account is closed.

Ongoing Risk-Based Due Diligence Requirements

The new rule also amends the anti-money laundering (“AML”) program requirements to explicitly require covered financial institutions to implement risk-based procedures for conducting ongoing customer due diligence regarding legal entity customers. These procedures require financial institutions to understand the nature and purpose of the customer relationship in order to develop a “customer risk profile.” A customer risk profile is created using the information gathered at the account opening and represents a baseline against which to assess future suspicious account activity for reporting purposes.

The required AML procedures must include ongoing monitoring to identify and report suspicious transactions related to the account, and — on a risk basis — updating the account's customer information. However, the final rule makes clear that financial institutions are not expected to update customer information regularly; the updating requirement is only triggered when, during the course of its normal monitoring, a financial institution becomes aware of information relevant to reevaluating the customer’s risk. In such cases, the financial institution must update the account information, including its beneficial ownership information.

For additional information about the new requirements, read the final rule and FinCEN’s FAQs.