By Chris SimpkinsAs the required implementation date of May 11, 2018, for the Financial Crimes Enforcement Network’s customer due diligence/beneficial ownership rule creeps ever closer, the process and procedural challenges that financial institutions may face are crystallizing. As is often the case, a rule that initially seemed rather straightforward has yielded multiple devils in the details. This article addresses some of those challenges and posits some possible solutions.
To recap briefly the basic tenets of the rule as expressed in FIN-2016-G003 (FinCEN’s first set of frequently asked questions (FAQs) on the topic):
The CDD Rule outlines explicit customer due diligence requirements and imposes a new requirement for these financial institutions to identify and verify the identity of beneficial owners of legal entity customers, subject to certain exclusions and exemptions…FinCEN intends that the legal entity customer identify its ultimate beneficial owner or owners and not ‘nominees’ or ‘straw men’…The CDD Rule requires covered financial institutions to establish and maintain written procedures that are reasonably designed to identify and verify the beneficial owners of legal entity customers. These procedures must enable the institution to identify the beneficial owners of each customer at the time a new account is opened, unless the customer is otherwise excluded or the account is exempted.
Sounds easy, right? However, one of the issues that has proven to be the most vexing within the industry is, ironically, the definition of “new account” in the context above.
The ‘new account’ conundrum
The CDD rule adopts the same basic definition of “account” as previously expressed within the Customer Identification Program (CIP) rule issued in 2003. The FAQs to that rule, published in January 2004, noted the following: “For purposes of the CIP rule, each time a loan is renewed or a certificate of deposit is rolled over, the bank establishes another formal banking relationship and a new account is established.”
The second set of FAQs relevant to the CDD rule published by FinCEN on April 3, 2018, confirms that the same stance applies to beneficial ownership. The response to Question 12 of those FAQs begins by quoting the same verbiage from January 2004 and then specifies a financial institution’s obligation: “For financial services or products established before May 11, 2018, covered financial institutions must obtain certified beneficial ownership information of the legal entity customers of such products and services at the time of the first renewal following that date.” Thus, for example, a certificate of deposit owned by a legal entity will become a “new account” upon its first rollover after May 11, 2018.
Commercial loan renewals typically require involvement on the part of financial institution associates, affording an opportunity for the collection of beneficial ownership information on a possibly long-standing commercial relationship. However, certificate of deposit renewals are often automatic, and as a result, they do not allow for the collection of information. Thus, financial institutions are grappling with how to monitor renewals of certificates of deposit owned by legal entities to ensure beneficial ownership information is properly collected at the appropriate time. With a new account, beneficial ownership information is to be collected prior to account opening; thus, financial institutions will need to develop procedures to highlight upcoming (maybe within the next thirty days?) relevant certificate of deposit renewals to begin the information collection process. The question then arises, what if the financial institution is unable to collect it? Presumably, in compliance with the requirements of the rule, the renewal would not occur; and the certificate of deposit would be redeemed to the owners.
FinCEN did provide some light at the end of the tunnel on this topic, however, regarding future renewals and rollovers. Again quoting from the second set of FAQs relevant to the CDD rule, “In the case of a loan renewal or CD rollover, because we understand that these products are not generally treated as new accounts by the industry and the risk of money laundering is very low, if at the time the customer certifies its beneficial ownership information, it also agrees to notify the financial institution of any change in such information, such agreement can be considered the certification or confirmation from the customer and should be documented and maintained as such, so long as the loan or CD is outstanding.” That is certainly helpful, but financial institutions will need to consider how best to document that agreement from the customer onto the beneficial ownership certification form (possibly by adding a statement to that effect that is unique for CD and loan products).
Collection of information
Do we really have to collect beneficial ownership information every time a new account is opened? When the final rule was first released, initial readings and commentaries did interpret the rule as requiring the collection of beneficial ownership information with every new account. However, the rule appears to be more nuanced than that; referencing the same quote from above from the rule’s FAQs, a financial institution’s “procedures must enable the institution to identify the beneficial owners of each customer at the time a new account is opened.” Thus, essentially, the beneficial owners must be known each time a new account is opened; if they were previously known and confirmed to remain as such with the opening of subsequent accounts, the rule’s requirements would presumably be satisfied. Thus, some financial institutions are opting for the inclusion on the beneficial ownership certification form, a re-certification statement along the lines of, “I certify that the beneficial ownership information previously provided remains valid as of this date.”
The second set of FAQs relevant to the CDD rule confirms FinCEN’s acceptance of this strategy. Quoting from the response to question 10 within those FAQs: “However, an institution that has already obtained a Certification Form (or its equivalent) for the beneficial owner(s) of the legal entity customer may rely on that information to fulfill the beneficial ownership requirement for subsequent accounts, provided the customer certifies or confirms (verbally or in writing) that such information is up-to-date and accurate at the time each subsequent account is opened and the financial institution has no knowledge of facts that would reasonably call into question the reliability of such information.”
However, this article began by noting that there were multiple devils in the details; and this possible solution represents one of those. If a financial institution chooses to opt for a re-certification statement, the previously provided beneficial ownership information must presumably be accessible to the new account associate and in a manner to be provided to or at least viewed by the customer opening the new account. Consider this scenario: a commercial builder that operates as an LLC is negotiating multiple development deals, two of which are finalized in the same week. The builder’s beneficial ownership information is provided at the time of application of the first deal, and that application then winds its way through the underwriting and approval process. When the same builder finalizes the second deal of the week a few days later, and again approaches the financial institution for financing, the builder’s representative states that the beneficial ownership information is the same as it was at the time of the first application.
However, that first application has yet to be approved. Thus, the beneficial ownership information is on the certification form accompanying that first loan’s application. However, that information has yet to be entered into the financial institution’s core system. If the second application is being discussed with a different loan officer, or if a different representative of the builder is negotiating the second request for credit, then the usage of the re-certification statement would require the retrieval of the beneficial ownership certification form from the first application to know what was truly being re-certified.
Similar scenarios could be imagined with a start-up business attempting to open multiple deposit accounts in its first week. Thus, while the usage of a re-certification statement to confirm previously provided information, would satisfy the requirements of the rule, a financial institution must consider the effects on its workflow and processes. In some situations, it may just be simpler to collect beneficial ownership information with each account opening.
Intermediary legal entities
On the bright, sunny morning of May 12, 2018, Snidely Whiplash—the representative of Testament LLC—enters your financial institution desiring to open an account in the name of his company. When asked about beneficial ownership, he explains that Testament LLC is 100 percent owned by Snidely Enterprises LLC, which is itself owned 50 percent by Whiplash Enterprises LLC, and 50 percent by Luthercorp. No surprise, Whiplash Enterprises is partially owned by him, but 50 percent is owned by Nathaniel Warchester. Similarly, Luthercorp is 50 percent owned by Lena Luthor and 50 percent owned by Lex Luthor. Thus, each of the four individuals own 25 percent, through a variety of legal entities, of Testament LLC. Those four names will be entered as beneficial owners…but what about the intermediary legal entity names? Do those need to be recorded? If so, where? Many core software vendors that have released updates for recording beneficial ownership information have only allowed five slots—four for the beneficial owners and one for the controlling/managing authority.
To be fair, that is in accordance with the first set of FAQs, which state that, “…a legal entity will have a total of between one and five beneficial owners (i.e., one person under the control prong and zero to four persons under the ownership prong).”
However, it is hard to imagine that the desire would not exist from the perspectives of regulators and law enforcement for a financial institution to somehow record the involvement of (from the example above) Snidely Enterprises LLC, Whiplash Enterprises LLC, and Luthorcorp. (What if those entities—but not their owners—were later part of a 314(a) request or possibly added to the OFAC list?) A revised beneficial ownership certification form could collect this information, possibly with a question for each beneficial owner as to whether their ownership is “via any legal entity(ies)” and then requiring the entity(ies) to be named. Then, a financial institution would have to decide where to record that entity information. If the core system did not have available fields, could the information be recorded within the financial institution’s AML system in such a way as to allow OFAC and 314(a) checks of the names? Again, there appears to be no stated requirement to record the intermediary legal entity names, but time will tell whether it becomes a best practice expectation. Now, speaking of those core software limitations…
If CDD requires knowledge of beneficial ownership to the 25 percent level, would not enhanced due diligence require knowledge to a lower level? This argument has been made at several conferences and seminars by both individual bankers and regulators. Essentially, if knowledge of beneficial ownership to the 25 percent level is expected of any new legal entity customer (or any legal entity customer opening a new account), would not a greater expectation for high-risk customers on whom EDD is continually performed exist? If such an expectation exists, it has not been required by any regulatory authority.
In fact, FinCEN addresses this topic directly in the second set of FAQs relevant to the CDD rule with question two, the response to which states that “[a] financial institution may reasonably conclude that collecting beneficial ownership information at a lower equity interest than 25 percent would not help mitigate the specific risk posed by the customer or provide information useful to the financial institution in analyzing the risk. Rather, any additional heightened risk could be mitigated by other reasonable means, such as enhanced monitoring or collecting other information, including expected account activity, in connection with the particular legal entity customer.”
In other words, is lowering the threshold for beneficial ownership collection to 10 or 20 percent really the best way to mitigate the additional risk posed by a customer? FinCEN is stating that a financial institution could “reasonably conclude” that there are more efficient and effective ways to do so.
However, a financial institution is still allowed to collect information at a lower threshold, based on its own risk assessment of the customer; and there are certainly times where it may be prudent to do so. (For example, if an existing high-risk individual customer is found to be a 10 percent owner of a new legal entity opening an account with your institution, your assessment of that entity’s risk will be impacted accordingly. Would a financial institution not record that 10 percent ownership interest in that case just because it fell below 25 percent?) Thus, for those situations, the process of recording beneficial ownership information at a lower threshold faces some practical difficulties when confronted with many of those core software limitations referenced above.
If many of those systems only allow five slots for the recording of beneficial ownership information, where would additional owner information be recorded (other than on an expanded beneficial ownership certification form, presumably, and possibly within the institution’s AML system)? Financial institutions may also unwittingly create a best practice expectation for their institution, if not others, that will be difficult to maintain. If a financial institution chooses to collect beneficial ownership information to the 10 percent level on some high-risk customers, they must then clearly distinguish to which high-risk customers the lower threshold would be applied (and why), and choose how soon that information must be collected after the high-risk designation (presuming it did not occur at account opening). What if the customer fails to comply or fails to comply in a timely manner? Will the financial institution close the account because the customer is non-cooperative, even though the actual regulatory requirements for the collection of beneficial ownership information have been met?
The result could be a continual inconsistency within a financial institution’s high-risk customer population that may never be fully resolved. Without the force of a regulatory requirement to prompt customer participation, the difficulties of enforcement may very well outweigh the possible benefits.
Requirement for information
What is the retention requirement for past beneficial ownership information that is no longer valid or no longer required to be maintained? Remember Testament LLC? Well, let us assume for the sake of argument that Snidely Whiplash was not happy with having to provide beneficial ownership information. Thus, after the initial opening of the account, Mr. Whiplash returns with updated ownership documents revealing that another entity—Grimm Enterprises LLC, owned by Benjamin J. Grimm—now owns 10 percent of Testament LLC, thus diluting every other beneficial owner’s ownership percentage to below 25 percent.
At that point, should a financial institution just delete in its systems, the beneficial ownership information previously recorded but for the one controlling authority? Presumably, yes, as no one individual would own 25 percent or more of the legal entity any longer. However, the original beneficial ownership certification form would still exist and should be maintained in accordance with record retention requirements for account opening documents.
The second set of FAQs relevant to the CDD rule addresses this very point; specifically, in the response to question nine, FinCEN states that, “[c]overed financial institutions are required to retain all beneficial ownership information collected about a legal entity customer. Identifying information, including the Certification Form or its equivalent, must be maintained for a period of five years after the legal entity’s account is closed.” Additionally, actions such as these would seem suspicious and ideally should prompt a review of the relationship, possibly leading to a SAR filing.
The example above is exaggerated, but there will be many non-controversial occurrences where one owner simply sells his interest in a legal entity to another individual. Such occurrences will really be no different than the changing of trustees on a trust or the changing of authorized signers on a business. The original information will still be available on imaged documents, but no requirement to record such legacy information within a core system will exist. Instances like these will need to be understood by the institution and explainable in an examination or investigation.
How do 314(a) expectations apply to beneficial ownership? Quoting again from the FAQs on the rule: “FinCEN does not expect the information obtained under the CDD Rule to add additional 314(a) requirements for financial institutions. The regulation implementing section 314(a) does not require the reporting of beneficial ownership information associated with an account or transaction matching a named subject in a 314(a) request. Covered financial institutions are required to search their records for accounts or transactions matching a named subject and report whether a match exists using the identifying information provided in the request.”
Complicating this matter further is a slight inconsistency in verbiage between the FAQs and the actual regulation in the Federal Register. Quoting from the relevant portion of the Federal Register: “The rule implementing Section 314(a)…does not authorize the reporting of Beneficial Ownership information associated with an account or transaction matching a named subject.” Notice the distinction in verbal phrases—“does not require” versus “does not authorize”—when describing the reporting of beneficial ownership information associated with an account or transaction matching a named 314(a) subject.
In either case, the rule appears to state that there is no requirement to report the beneficial owners of a matching legal entity when responding to a 314(a) request. However, the verbiage from the Federal Register appears to suggest that, not only is there no requirement to do so, but also there is no authorization to do so. In effect, a financial institution might find itself at risk by doing so. (This would not, of course, preclude the reporting of such information on a SAR that might result from an investigation prompted by the appearance of the entity on a 314(a) list.)
However, for most financial institutions, that is not the most relevant question related to 314(a) requests. Rather, most wonder what to do if a beneficial owner—but not the entity that he/she owns—is a match to a 314(a) request. Adopting the premise of the statements from the rule and FAQ referenced above, the assumption would be that beneficial ownership alone is not enough to justify the reporting of a positive match. Consider the instructions for 314(a) searches: “The financial institutions must query their records for data matches, including accounts maintained by the named subject during the preceding 12 months and transactions conducted within the last six months. Financial institutions have two weeks from the posting date of the request to respond with any positive matches. If the search does not uncover any matching of accounts or transactions, the financial institution is instructed not to reply to the 314(a) request.” The specific reference to “accounts maintained by…” suggests that a matched party must be an owner or signer on an account, which a beneficial owner may not be.
Thus, if no reporting requirements are added, then what’s the challenge? As most financial institutions utilize a querying system that matches all customer records to the 314(a) list once received, financial institutions must now be cognizant of the fact that there may be some positive matches that should not be reported. Procedurally, the identification of such matches could be achieved in two ways. First, each positive match could be closely scrutinized and investigated before reporting, allowing the discovery that the matching individual’s only connection to the financial institution is as a beneficial owner (most institutions likely do this already). Second, the ownership code used to identify beneficial owners within a financial institution’s core system could be added as a data point on the 314(a) query’s output.
Finally, despite what the letter of the rules and FAQ state, it does seem somewhat counter-intuitive that law enforcement would not want to know that an individual on the 314(a) list owns a legal entity that banks with your financial institution. It is hoped that the upcoming guidance referenced above will provide clarity on this issue.
When identifying your trigger events for updating beneficial ownership information, consider how monitoring will occur. Surveys and questionnaires circulating throughout the industry over the last two years have revealed some fairly common trigger events that most financial institutions plan on adopting, including:
- The opening of a new account
- Reclassification of a customer to a higher level of risk
- Change in address if a major change (generally into another state or country)
The monitoring of such events will largely rely on associate notification and/or action, whether that associate is on the front line or in the BSA department. Thus, training and testing of the CDD rule’s requirements and the related implementation strategies, are essential.
However, one common trigger event was not mentioned above—knowledge of a change in ownership. If identifying as a trigger event, financial institutions need to word this one carefully.Simply designating “a change in ownership” as a trigger event would seemingly obligate a financial institution to know of every change in ownership of a legal entity, on its books. Describing the trigger event as “knowledge of a change in ownership” is preferable, as the knowledge must exist before the requirement to update the information is triggered. Of course we need to remember that if one person at the institution “knows,” then the institution knows and that the concept of “should have known” is lurking behind the “knowledge” label as well.
Cognizant of the fact that many changes in legal entity ownership occur without any notification to the entity’s financial institution and without any public reporting, some financial institutions have chosen to not focus on trigger events. Instead they simply update beneficial ownership information for all relevant legal entity customers on a periodic basis, typically annually. Not only is this a daunting task, but financial institutions choosing to pursue this path should consider the risks of inconsistent results. Let us assume that Awesome Bank has five legal entity customers with existing beneficial ownership information, none of which has been changed in the last year. Awesome Bank sends recertification requests to each customer; three of the five customers respond, noting no changes, but two do not. Repeated attempts to get the two remaining customers to respond, yield no results. Awesome Bank then attempts to reverify the information by other means but is unsuccessful. Thus, they have no way of knowing if the beneficial ownership information is still accurate.
Similar to the discussion above about lowering the 25 percent ownership threshold based on high-risk status, the financial institution is now in the position of deciding whether failure to respond to a recertification request is ample cause to close the relationship, even though the beneficial ownership information currently on file may be totally accurate. In short, financial institutions need to be wary of setting trigger events that are admirable in intent but difficult to consistently practice and monitor, particularly if the trigger event sets an expectation beyond those in the CDD rule itself. (The second set of FAQs relevant to the CDD rule does make it clear that FinCEN does not expect periodic reviews absent specific risk-based concerns. Quoting from the response to question 14, “Covered financial institutions do not have an obligation to solicit or update beneficial ownership information as a matter of course during regular or periodic reviews, absent specific risk-based concerns…periodic reviews are not by themselves a trigger to obtain or update beneficial ownership information.”)
How does the concept of “permissible purpose” apply to beneficial ownership? As stated in the FAQs, “…the procedures must establish risk-based practices for verifying the identity of each beneficial owner identified to the covered financial institution, to the extent reasonable and practicable. The procedures must contain the elements required for verifying the identity of customers that are individuals under applicable customer identification program (“CIP”) requirements.” Thus, does this mean that a financial institution can just use the same methods it currently uses to verify customer identities with beneficial owners as well? Maybe, maybe not.
Some financial institutions rely on services that perform a check at account opening of customers’ identity and bank history using credit report data. The usage of credit report data places such actions under the purview of the Fair Credit Reporting Act, which requires a “permissible purpose” before such checks can be performed. The definition of “permissible purpose” includes using the information “in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer”; “in connection with a business transaction that is initiated by the consumer”; and “to review an account to determine whether the consumer continues to meet the terms of the account.”
Thus, in the context of the FCRA, is a beneficial owner who is not also an authorized signer, a “consumer”? Since such a beneficial owner would not actually have control over the account relationship in question, it could certainly be argued that he/she is not. Thus, in cases such as these, there may be no “permissible purpose” to verify a beneficial owner’s identity using such a service. Again, regulatory clarity on this issue is desirable.
It should be stated that there is no apparent prohibition on using services that do not use credit report data in an attempt to verify the identity of beneficial owners. Similarly, if a financial institution relies on documentary verification—such as collection and review of one or more forms of primary identification—for customers, that financial institution could do the same for beneficial owners. Thus, identity verification methods for beneficial owners still exist; those methods may just not be the same that are used for customers.
Practically, for financial institutions that rely on services using credit report data at account opening, steps will need to be taken to ensure that only signers and the legal entity itself are submitted to the service for identity verification. If CIF records are created for all parties at once and then submitted with the push of a button, the financial institution will need to consider how to exclude the CIF records for the beneficial owners from that submission (and then how to recognize that alternative identity verification procedures will still need to be performed for the beneficial owners).
The second set of FAQs relevant to the CDD rule (published April 4, 2018) were certainly beneficial in clarifying some of the issues discussed above, but implementation challenges remain. With little remaining time before the applicability date of the rule, financial institutions are encouraged to be both forward-thinking and practical in their application of the rule. Advanced compliance goals that at first may seem achievable are often challenged by the realities of day-to-day processes and procedures, and financial institutions should be wary of setting a goal of exceeding compliance expectations that not only fails but results in unnecessary demands and inconsistent results.
As compliance professionals have learned over the years, establish a plan that includes evaluation of the pitfalls and uncertainties and then implement the plan. Adjust to subsequent guidance and interpretation as they occur. Waiting until everything is clear is not a very workable option.
Chris Simpkins, CAMS, CFE, serves as the Bank Secrecy Act/Office of Foreign Asset Control officer for Arvest Bank, having been in that role for approximately 14 years. He joined Arvest with its acquisition of Superior Bank (formerly Superior Federal Bank) in 2003, where he was serving as audit manager and had been a part (and at times, the entirety) of its internal audit department since 1992. Within both roles, he has worked a variety of internal fraud cases. For the last four years, Simpkins has served on the advisory board for the annual American Bankers Association/American Bar Association Money Laundering Enforcement Conference.
This article originally appeared in the May/June 2018 issue of ABA Bank Compliance magazine and is reproduced here with permission.