FinCEN Issues FAQs on Customer Due Diligence Regulation

April 23, 2018

Click for PDF

On April 3, 2018, FinCEN issued its long-awaited Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, FIN-2018-G001. https://www.fincen.gov/resources/statutes-regulations/guidance/frequently-asked-questions-regarding-customer-due-0.[1]  The timing of this guidance is very controversial, issued five weeks before the new Customer Due Diligence (“CDD”) regulation goes into effect on May 11, 2018.[2]  Most covered financial institutions (banks, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities) already have drafted policies, procedures, and internal controls and made IT systems changes to comply with the new regulation.  Covered financial institutions will need to review these FAQs carefully to ensure that their proposed CDD rule compliance measures are consistent with FinCEN’s guidance.

The guidance is set forth in 37 questions.  As discussed below, some of the information is helpful, allaying financial institutions’ most significant concerns.  Other FAQs confirm what FinCEN has said in recent months informally to industry groups and at conferences.  A few FAQs raise additional questions, and others, particularly the FAQ on rollovers of certifications of deposit and loan renewals, are not responsive to industry concerns and may raise significant compliance burdens for covered financial institutions.  The guidance reflects FinCEN’s regulatory interpretations based on discussions within the government and with financial institutions and their trade associations.  The need for such extensive guidance on so many issues in the regulation illustrates the complexity of compliance and suggests that FinCEN should consider whether clarifications and technical corrections to the regulation should be made.  We provide below discussion of highlights from the FAQs, including areas of continued ambiguity and uncertainty in the regulation and FAQs.

Highlights from the FAQs

  • FAQ 1 and 2 discuss the threshold for obtaining and verifying beneficial ownership.  FinCEN states that financial institutions can “choose” to collect beneficial ownership information at a lower threshold than required under the regulation (25%), but does not acknowledge that financial institution regulators may expect a lower threshold for certain business lines or customer types or that there may be regulatory concerns if financial institutions adjust thresholds upward to meet the BSA regulatory threshold.  A covered financial institution may be in compliance with the regulatory threshold, but fall short of regulatory expectations.
  • FAQ 7 states that a financial institution need not re-verify the identity of a beneficial owner of a legal entity customer if that beneficial owner is an existing customer of the financial institution on whom CIP has been conducted previously provided that the existing information is “up-to-date, accurate, and the legal entity’s customer’s representative certifies or confirms (verbally or in writing) the accuracy of the pre-existing CIP information.”  The example given suggests that no steps are expected to verify that the information is up-to-date and accurate beyond the representative’s confirmation or certification.  The beneficial ownership records must cross reference the individual’s CIP record.
  • FAQs 9-12 address one of the most controversial aspects of the regulation, about which there has been much confusion: the requirement that, when an existing customer opens a new account, a financial institution must identify and verify beneficial ownership information.  FinCEN provides further clarity on what must be updated and how:Under FAQ 10, if a legal entity customer, for which the required beneficial ownership information has been obtained for an existing account, opens a new account, the financial institution can rely on the information obtained and verified previously “provided the customer certifies or confirms (verbally or in writing) that such information is up-to-date and accurate at the time each subsequent new account is opened,” and the financial institution has no knowledge that would “reasonably call into question” the reliability of the information.  The financial institution also would need to maintain a record of the certification or confirmation by the customer.There is no grace period.  If an account is opened on Tuesday, and a new account is opened on Thursday, the certification or confirmation is still required.  In advance planning for compliance, many financial institutions had included a grace period in their procedures.
  • FAQ 11 provides that, when the financial institution opens a new account or subaccount for an existing legal entity customer whose beneficial ownership has been verified for the institution’s own recordkeeping and operational purposes and not at the customer’s request, there is no requirement to update the beneficial ownership information for the new account.  This is because the account would be considered opened by the financial institution and the requirement to update only applies to each new account opened by a customer.  This is consistent with what FinCEN representatives have said at recent conferences.The FAQ specifies that this would not apply to (1) accounts or subaccounts set up to accommodate a trading strategy of a different legal entity, e.g., a subsidiary of the customer, or (2) accounts of a customer of the existing legal entity customer, “i.e., accounts (or subaccounts) through which a customer of a financial institution’s existing legal entity carries out trading activity through the financial institution without intermediation from the existing legal entity customer.”  We believe the FAQ may fall far short of addressing all the concerns expressed to FinCEN on this issue by the securities industry.
  • FAQ 12 addresses an issue which has been a major concern to the banking industry:  whether beneficial ownership information must be updated when a certificate of deposit (“CD”) is rolled over or a loan is renewed.  These actions are generally not considered opening of new accounts by banks.FinCEN continues to maintain that CD rollovers or loan renewals are openings of new accounts for purposes of the CDD regulation.  Therefore, the first time a CD or loan renewal for a legal entity customer occurs after May 11, 2018, the effective date of the CDD regulation, beneficial ownership information must be obtained and verified, and at each subsequent rollover or renewal, there must be confirmation that the information is current and accurate (consistent with FAQ 10) as for any other new account for an existing customer.  There is an exception or alternative approach authorized in FAQ 12 “because the risk of money laundering is very low”:  If, at the time of the rollover or renewal, the customer certifies its beneficial ownership information, and also agrees to notify the financial institution of any change in information in the future, no action will be required at subsequent renewals or rollovers.The response in FAQ 12 is not responsive to the concerns that have been expressed by the banking industry and will be burdensome for banks to administer.  Obtaining a certification in time, without disrupting the rollover or renewal, will be challenging, and it appears that if it the certification or promise to update is not obtained in time, the account may have to be closed.
  • FAQs 13 through 17 address another aspect of the regulation that has generated extensive discussion: When (1) must beneficial ownership be obtained for an account opened before the effective date of the regulation, or (2) beneficial ownership information updated on existing accounts whose beneficial ownership has been obtained and verified.Following closely what was said in the preamble to the final rule, FAQ 13 states that the obligation is triggered when a financial institution “becomes aware of information about the customer during the course of normal monitoring relevant to assessing or reassessing the risk posed by the customer, and such information indicates a possible change in beneficial ownership.”FAQ 14 clarifies somewhat what is considered normal monitoring but is not perfectly clear what triggers obtaining and verifying beneficial ownership.  It is clear that there is no obligation to obtain or update beneficial ownership information in routine periodic CDD reviews (CDD refresh reviews) “absent specific risk-based concerns.” We would assume that means, following FAQ 13, concerns about the ownership of the customer.  Beyond that FAQ 14  is less clear.  It states that the obligation is triggered “when, in the course of normal monitoring a financial institution becomes aware of information about a customer or an account, including a possible change of beneficial ownership information, relevant to assessing or reassessing the customer’s overall risk profile.  Absent such a risk-related trigger or event, collecting or updating of beneficial ownership information is at the discretion of the covered financial institution.”The trigger or event may mean in the course of SAR monitoring or when conducting event-driven CDD reviews, e.g., when a subpoena is received or material negative news is identified – something that may change a risk profile.  Does the obligation then arise only if the risk profile change includes a concern about whether the financial institution has accurate ownership information?  That may be the intent, but is not clearly stated.  If the account is being considered for closure because of the change in risk profile, would the financial institution be released from the obligation to obtain beneficial ownership?   That would make sense, but is not stated.  This FAQ is in need of clarification and examples would be helpful.On another note, the language in FAQ 14 also is of interest because it may suggest, in FinCEN’s view, that periodic CDD reviews should be conducted on a risk basis, and CDD refresh reviews may not be expected for lower risk customers, as is the practice for some banks.
  • FAQ 18 seems to address at least partially a technical issue with the regulation that arises because SEC-registered investment advisers are excluded from the definition of legal entity customer in the regulation, but U.S. pooled investment vehicles advised by them are not excluded.[3]  FAQ 18 states that, if the operator or adviser of a pooled investment vehicle is not excluded from the definition of legal entity customer, under the regulation, e.g., like a foreign bank, no beneficial ownership information is required to be obtained on the pooled investment vehicle under the ownership prong, but there must be compliance with beneficial ownership control party prong, i.e., verification of identity of a control party.  A control party could be a “portfolio manager” in these situations.FinCEN describes why no ownership information is required as follows:  “Because of the way the ownership of a pooled investment vehicle fluctuates, it would be impractical for covered financial institutions to collect and verify ownership identity for this type of entity.”  Thus, in the case where the operator or adviser of the pooled investment vehicle is excluded from the definition of legal entity, like an SEC-registered investment adviser, it would seem not to be an expectation to obtain beneficial ownership information under the ownership prong.  Nevertheless, the question of whether you need to obtain and verify the identity of a control party for a pooled investment vehicle advised by a SEC registered investment adviser is not squarely answered in the FAQ.  A technical correction to the regulation is still needed, but it is unlikely there would be regulatory or audit criticism for following the FAQ guidance at least with respect to the ownership prong.
  • FAQ 19 clarifies that, when a beneficial owner is a trust (where the legal entity customer is owned more than 25% by a trust), the financial institution is only required to verify the identity of one trustee if there are multiple trustees.
  • FAQ 20 deals with what to do if a trust holds more than a 25% beneficial interest in a legal entity customers and the trustee is not an individual, but a legal entity, like a bank or law firm.  Under the regulation, if a trust holds more than 25% beneficial ownership of a legal entity customer, the financial institution must verify the identity of the trustee to satisfy the ownership prong of the beneficial ownership requirement.  The ownership prong references identification of “individuals.”  Consequently, the language of the regulation does not seem to contemplate the situation where the trustee was a legal entity.FAQ 20 seems to suggest that, despite this issue with the regulation, CIP should be conducted on the legal entity trustee, but apparently, on a risk basis, not in every case:  “In circumstances where a natural person does not exist for purposes of the ownership/equity prong, a natural person would not be identified.  However, a covered financial institution should collect identification information on the legal entity trustee as part of its CIP, consistent with the covered institution’s risk assessment and customer risk profile.”  (Emphasis added.)More clarification is needed on this issue, and perhaps an amendment to the regulation to address this specific situation.  Pending additional guidance, the safest course appears to be to verify the identity of legal entity trustee consistent with CIP requirements, which may pose practical difficulties, e.g., will a law firm trustee easily provide its TIN?  Presumably, CIP would not be required on any legal entity trustee that is excepted from the definition of legal entity under 31 C.F.R. § 1010.230(e)(2).
  • FAQ 21 addresses the question of how does a financial institution verify that a legal entity comes within one of the regulatory exceptions to the definition of legal entity customer in 31 C.F.R. § 1010.230(e)(2).  The answer is that the financial institution generally can rely on information provided by the customer if it has no knowledge of facts that would reasonably call into question the reliability of the information.  Nevertheless, that is not the end of the story.  The FAQ provides that the financial institution also must have risk-based policies and procedures that specify the type of information they will obtain and reasonably rely on to determine eligibility for exclusions.
  • FAQ 24 may resolve another technical issue in the regulation.  The exceptions to the definition of legal entity in the regulation refer back to the BSA CIP exemption provisions, which in turn, cross reference the Currency Transaction Reporting (CTR) exemption for banks when granting so-called Tier One exemptions.  One category for the CTR exemption is “listed” entities, which includes NASDAQ listed entities, but excludes NASDAQ Capital Markets Companies, i.e., this category of NASDAQ listed entity is not subject to CIP or CTR Tier One exemptions.  31 C.F.R. § 1020.315(b)(4).  This carve out was not discussed in the preamble to the CDD final regulation or in FAQ 24.The FAQ simply states:  “[A]ny company (other than a bank) whose common stock or analogous equity interests are listed on the New York Stock Exchange, the American Stock Exchange (currently known as the NYSE American), or NASDAQ stock exchange” is excepted from the definition of legal entity.  In any event, as with the FAQ 18 issue, it would appear that a technical correction is needed on this point, but, given the FAQ, it is unlikely that a financial institution would be criticized if it treated NASDAQ Capital Markets Companies as excepted legal entities.
  • FAQs 32 and 33 end the speculation that the CDD regulation impacts CTR compliance.  Consistent with FinCEN CTR guidance, under FAQ 32, the rule remains that, for purposes of CTR aggregation, the fact that two businesses share a common owner does not mean that a financial institution must aggregate the currency transactions of the two businesses for CTR reporting, except in the narrow situation where there is a reason to believe businesses are not being operated separately.

Conclusion

Financial institutions and their industry groups will likely continue to seek further guidance on the most problematic issues in the CDD regulation.  It is our understanding that FinCEN and the bank regulators also will address compliance with the CDD regulation in the upcoming update to the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual. Covered financial institutions already have spent, and will continue to spend, significant time and resources to meet the complex regulatory requirements and anticipated regulatory expectations.  In this flurry of activity to address regulatory risk, it is essential for financial institutions to continue to consider any money laundering risk of legal entity clients and that CDD not become simply mechanical.  It is not only a matter of documenting and updating all of the right information about beneficial ownership and control, but financial institutions should continue to assess whether the ownership structure makes sense for the business or whether it is overly complex for the business type and purposely opaque.  Also, it is important to consider whether it makes sense for a particular legal entity to be seeking a relationship with your financial institution and whether the legal entity is changing financial institutions voluntarily.  CDD measures to address regulatory risk and money laundering risk overlap but are not equivalent.

   [1]   FinCEN also issued FAQs on the regulation on July 19, 2016. https://www.fincen.gov/sites/default/files/2016-09/FAQs_for_CDD_Final_Rule_%287_15_16%29.pdf.   FINRA issued guidance on the CDD regulation in FINRA Notice to Members 17-40 (Nov. 21, 2017). http://www.finra.org/sites/default/files/notice_doc_file_ref/Regulatory-Notice-17-40.pdf.

   [2]   The Notice of Final Rulemaking was published on May 11, 2016 and provided a two-year implementation period.  81 Fed. Reg. 29,398 (May 11, 2016). https://www.gpo.gov/fdsys/pkg/FR-2016-05-11/pdf/2016-10567.pdf.  FinCEN made some slight amendments to the rule on September 29, 2017.  https://www.fincen.gov/sites/default/files/federal_register_notices/2017-09-29/CDD_Technical_Amendement_17-20777.pdf

The new regulations are set forth in the BSA regulations at 31 C.F.R. § 1010.230 (beneficial ownership requirements); 31 C.F.R. § 1020.210(a)(5) (banks); 31 C.F.R. § 1023.210(b)(5) (broker-dealers); 31 C.F.R. § 1024.210(b)(4) (mutual funds); and 31 C.F.R. § 1026.210(b)(5) (future commission merchants and introducing brokers in commodities).

   [3]   The regulation does not clearly address the beneficial ownership requirements for a U.S. pooled investment vehicle operated or controlled by a registered SEC investment adviser.  Pooled investment vehicles operated or advised by a “financial institution” regulated by a Federal functional regulator are not considered legal entities under the regulation.  31 C.F.R. § 1010.230(e)(2)(xi).  An SEC registered investment adviser, however, is not yet a financial institution under the BSA.  Under 31 C.F.R. § 1010.230(e)(3), a pooled investment vehicle that is operated or advised by a “financial institution” not excluded from the definition of legal entity is subject to the beneficial ownership control party prong.

Gibson Dunn’s lawyers  are available to assist in addressing any questions you may have regarding these developments.  Please contact any member of the Gibson Dunn team, the Gibson Dunn lawyer with whom you usually work in the firm’s Financial Institutions practice group, or the authors:

Stephanie L. Brooker – Washington, D.C. (+1 202-887-3502, [email protected])
Arthur S. Long – New York (+1 212-351-2426, [email protected])
Linda Noonan – Washington, D.C. (+1 202-887-3595, )

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.