It’s Go Time for CDD Final Rule

  • by Keith Monson, CSI Chief Risk Officer
  • May 03, 2018

FinCEN FAQ Answers Lingering Questions as Effective Date Nears

Financial institutions’ 22-month anticipation of the Financial Crimes Enforcement Network’s (FinCEN) CDD Final Rule will soon be over. On May 11, they will be required to perform enhanced due diligence on new accounts for legal entity customers and to demonstrate an understanding of the nature and purpose of their customer relationships as a fifth pillar of their anti-money laundering (AML) programs.

As the deadline was fast approaching, FinCEN sought to answer lingering questions about the rule with a Frequently Asked Questions (FAQ) document. Published on April 3, 2018, it was a supplement to a July 2016 FAQ—an initial set of 26 questions—shared shortly after the final rule was issued. This latest FAQ covers 37 questions that further parse through the nuances of the rule.

Quick Hits from FinCEN’s Latest FAQ

According to the final rule, when financial institutions open a new account for a covered legal entity, they must collect identity-verifying information on up to five beneficial owners—at most four individual owners (at 25 percent each) and one in a position of control. Just like the Customer Identification Program (CIP) requirements that the USA PATRIOT Act imposed on consumer accounts, this rule requires banks to collect the name, date of birth, address and social security number of beneficial owners.

Institutions had many questions about exactly when, how and from whom this information must be collected. FinCEN’s FAQ clears up most of the confusion, including these quick hits:

  • Ownership threshold: According to question 1, institutions can choose to impose a lower ownership threshold than the rule’s 25 percent if their risk profile calls for it.
  • Beneficial owner address: Per question 5, institutions can use either a residential or a business street address.
  • FinCEN certification form: It is provided for convenience, and question 8 confirms that its use is optional. For compliance's sake, bank-created forms must capture the same data as FinCEN’s form.
  • Sole proprietorships: These do not meet the rule’s definition of a legal entity customer. As explained in question 22, they are not “a separate legal entity from the associated individual(s).”
  • Nonprofit entities: Question 23 notes that “All nonprofit entities—whether or not tax-exempt” are exempt from the ownership prong of the rule but not the control prong.
  • Publicly traded companies: If traded in the United States, they are exempt because of existing public disclosure requirements. But question 24 indicates that companies listed on foreign exchanges are not exempt and beneficial ownership information must be collected on them.

Three Critical Questions Answered

In speaking with institutions about the rule, questions about three key areas came up repeatedly. Here is how FinCEN answered those questions:

Existing Accounts and Renewals

The final rule indicates that previously existing legal entity customer accounts would be grandfathered, but many institutions wanted to confirm that. FinCEN responded with Question 13: “Financial institutions are not required to conduct retroactive reviews to obtain beneficial ownership information from customers with accounts opened prior to May 11, 2018.” However, if an institution becomes aware of a change in the legal entity customer’s situation, that “triggers” the need to obtain the beneficial ownership information required under the rule.

Institutions were also uncertain about their obligation for product renewals. Question 12 answers that: “Each time a loan is renewed or a certificate of deposit is rolled over, the bank establishes another formal banking relationship and a new account is established.” Therefore, beneficial ownership must be collected at the time of the first renewal following May 11, 2018. When subsequent renewals come up, institutions may rely on the customer’s word that nothing has changed.

FinCEN acknowledges that loan renewals and CD rollovers pose very little risk of money laundering, and so it provides this leeway. If during the first renewal after May 11, 2018, “the customer certifies its beneficial ownership information” and “it also agrees to notify the financial institution of any change in such information, such agreement can be considered the certification or confirmation from the customer.” Simply document and retain that information.

Legal Entity Customers with Complex Structures

Determining the beneficial ownership of a legal entity customer owned by individuals is straightforward. If ownership is split evenly between four partners, then beneficial ownership must be collected on each one. Or, if two individuals own 25 percent apiece and five other owners have a 10 percent share each, then the enhanced due diligence is only required on the first two.

Things are a little more confusing when a legal entity customer (first level) is owned by another legal entity customer (second level). In this case, the institution opening the account needs to delve into the ownership of that second level. If its ownership is split evenly between four partners, then collect the identity-verifying information on those individuals. Or, like above, if two individuals own 25 percent of the second level company, while all remaining partners own less than 25 percent, the financial institution only needs to collect information on the first two.

But what happens when a legal entity customer is owned by multiple legal entities? The same process must occur, but it will require a bit more arithmetic, as FinCEN explains in question 3 with a visual aid that outlines various scenarios in which identity-verifying information must be collected.

Fifth Pillar Ongoing Monitoring

In addition to beneficial ownership requirements, the CDD Final Rule adds a fifth pillar to AML programs. It explicitly requires institutions to understand the nature and purpose of all customer relationships: consumer and commercial, including legal entity customers. Several questions in the April FAQ provide additional information about complying with this part of the rule:

Question 15 indicates that institutions can leverage their existing CIP processes to help comply with the fifth pillar. As long as those processes, as previously written or as updated, meet the rule’s requirement, an institution “may use its existing monitoring process to comply with customer due diligence monitoring and updating obligations.”

Questions 35 and 37 discuss the importance of institutions knowing who their customers are, while reminding them that they can do so by relying on “self-evident” information. In other words, they can evaluate customers from a risk perspective based on business type and/or on the types of products used. The FAQ states that a customer profile “may, but need not, include a system of risk ratings or categories of customers.” Institutions with a risk rating system or customer categories already in place can definitely leverage that information in order to comply with the fifth pillar.

Your Final To-Do List

With the CDD Final Rule going into effect, these five tasks should be at the top of your institution’s to-do list.

  1. Read FinCEN’s FAQ: Although this article covers much of the FAQ, institutions should still read it in its entirety.
  2. Double-check policies and procedures: Make sure the policies and procedures you have updated in preparation for the rule square with the information provided in the FAQ.
  3. And if necessary, update policies and procedures: If you identify any inconsistencies while double-checking, correct them with the appropriate information from FinCEN.
  4. Communicate with employees: Make sure employees are advised of any policy or procedure updates, and also remind them of the effective date of the rule.
  5. Get board approval of BSA/AML policy, if needed: If you made any updates to your BSA/AML policy in step 3, or if you have not yet gotten your board to approve your revised BSA/AML policy with the rule incorporated, it must be done as soon as possible.

Completing these steps should help alleviate anxiety about the rule’s implementation. And remember, regulators do not necessarily expect perfection at the start; they expect a good faith compliance effort.

Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprisewide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With nearly 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.