The American CDD rule: what you need to know
Russell Sacks and partners, Shearman & Sterling, Partner, New York, 30 May 2018
The compliance date for the “Customer Due Diligence Requirements for Financial Institutions rule” issued by the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) fell on 11 May. The new rule, long in gestation, only applies to accounts opened on or after that date.
The CDD Rule marks a departure from previous FinCEN rules, under which financial institutions exercised their own judgment, making risk-based assessments about when and how to identify and verify beneficial owner information for legal-entity accounts, except in respect of specific cases.
In anticipation of the compliance date, the Financial Industry Regulatory Authority (FINRA) amended its anti-money laundering (AML) compliance programme rule (“Rule 3310”), effective on 11 May this year, as announced in FINRA Regulatory Notice 18-19. This note provides a comprehensive summary of the CDD Rule, discusses recent FINRA guidelines that pertain to it and the amendments to Rule 3310, provides an overview of the most recent series of answers to ‘frequently asked questions’ released by FinCEN and looks at recent updates to FINRA’s Anti-Money Laundering Template for Small Firms.
The CDD Rule
On 11 May 2016, FinCEN issued the CDD Rule. It was later amended on 28 September 2017 to make certain technical corrections. This rule dictates that “covered financial institutions” (a term described below) must establish procedures to:
- identify each natural person who directly or indirectly owns 25% or more of the equity interests of a “legal-entity customer” (this is the “ownership prong”);
- identify one natural person with “significant responsibility to control, manage or direct” a legal-entity customer, who might be an executive officer or senior manager or anyone else who regularly performs similar functions (this is the “control prong”) and who may be a person reported under the ownership prong; and
- verify the identities of those people according to risk-based procedures, which procedures must include the elements currently required under the Customer Identification Rule (the “CIP Rule”) at a minimum.
The identification of those beneficial owners of a “legal-entity customer” (a term described below) must be conducted at the time a new “account” (a term described below) is opened. In addition, a covered financial institution is required to obtain certification from someone who wants to open an account on behalf of a legal-entity customer that identifies any individuals who meet the definitions under the ‘ownership’ or ‘control’ prongs.
As noted above, the financial institution is required to verify the identity of such persons using risk-based procedures that include, at minimum, the same documentary and non-documentary elements required under the CIP Rule (although under the CDD Rule, non-original documents may be accepted, subject to conditions). The institution is not, however, required to verify the fact of the identified beneficial owner’s relationship with the legal entity, except in the case of a financial institution’s knowledge to the contrary. Therefore, for example, a financial institution does not, independently, have to verify whether or not the individual(s) who are presented as 25% owners are the only individuals who qualify for the ‘ownership’ prong.
FinCEN has stated that financial institutions should use the collected beneficial ownership information as they use other information that they gather about customers (e.g. when they are complying with CIP requirements), not least when they are complying with Office of Foreign Assets Control (OFAC) regulations and currency transaction reporting (CTR) aggregation requirements.
The CDD Rule only applies to accounts opened on or after 11 May but FinCEN seems to hope that institutions will apply it to all accounts. The rule contains important exclusions and exemptions for pooled investment vehicles and other types of entity.
A glossary of terms
Account. Generally speaking, this is a formal relationship established to provide or engage in services, dealings or other financial transactions, but its definition depends on the entity that is hosting the account. For banks, ‘account’ means a formal banking relationship established to provide or engage in services, dealings or other financial transactions, including a deposit account, a transaction or asset account, a credit account or some other extension of credit. It also includes a relationship established to provide a safety deposit box or other safekeeping services, or cash management, custodial or trust services.
For broker-dealers, ‘account’ means a formal relationship established to effect transactions in securities, including, but not limited to, the purchase or sale of securities and securities loaned and borrowed activity, and to hold securities or other assets for safekeeping or as collateral.
For mutual funds, ‘account’ means any contractual or other business relationship between a person and a mutual fund established to effect transactions in securities issued by the mutual fund, including the purchase or sale of securities.
For futures commission merchants or introducing brokers in commodities, ‘account’ means a formal relationship, including, but not limited to, those established to effect transactions in contracts of sale of a commodity for future delivery, options on any contract of sale of a commodity for future delivery or options on a commodity.
Covered Financial Institution. The CDD Rule applies to all financial institutions currently subject to CIP requirements, which includes:
- insured banks (as defined in s3(h) Federal Deposit Insurance Act 1950);
- commercial banks;
- agencies or branches of a foreign bank in the United States;
- federally insured credit unions;
- savings associations;
- corporations acting under s25A Federal Reserve Act;
- trust banks or trust companies that are federally regulated and are subject to an anti-money laundering programme requirement;
- brokers or dealers in securities registered, or required to be registered, with the Securities and Exchange Commission, except persons who register pursuant to s15(b)(11) Securities Exchange Act 1934;
- futures commission merchants or introducing brokers registered, or required to be registered, with the Commodity Futures Trading Commission, except persons who register pursuant to s4(f)(a)(2) Commodity Exchange Act; and
- mutual funds.
Legal-entity customer. The CDD Rule requires covered financial institutions to obtain beneficial ownership information for a “corporation, limited liability company or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership and any similar entity formed under the laws of a foreign jurisdiction that opens an account.” Entities that are excluded from the definition of legal-entity customer include:
- financial institutions regulated by a federal functional regulator or banks regulated by a state bank regulator;
- departments or agencies of the Government of the United States, of any state, or of any political subdivision of a state;
- entities (other than banks) whose common stock or analogous equity interests are listed on the New York, American or NASDAQ stock exchange;
- issuers of securities registered under s12 Securities Exchange Act 1934 or that are required to file reports under s15(d);
- investment companies, as defined in s3 Investment Company Act 1940, registered with the SEC;
- SEC-registered investment advisers, as defined in s202(a)(11) Investment Advisers Act 1940;
- exchanges, clearing agencies or any other entity registered with the SEC;
- registered entities, commodity pool operators, commodity trading advisors, retail foreign exchange dealers, swaps dealers or major swap participants registered with the Commodity Futures Trading Commission;
- bank holding companies, as defined in s2 Bank Holding Company Act 1956;
- pooled investment vehicles operated or advised by a financial institution excluded from the beneficial ownership requirement;
- insurance companies regulated by a state;
- financial market utilities designated by the Financial Stability Oversight Council under Title VIII of the Dodd-Frank Act;
- non-US financial institutions established in a jurisdiction where such institution’s regulator maintains beneficial ownership information regarding such institution; and
- legal entities opening private banking accounts.
FINRA Regulatory Notice 17-40
Last November, FINRA issued Regulatory Notice 17-40, which provided guidance with respect to the obligations of its firms under Rule 3310 and the CDD Rule. FINRA noted that prior to the implementation of the CDD Rule, firms were required to develop and implement AML programmes that incorporated four ‘pillars’ enumerated in the Bank Secrecy Act 1970 (BSA). These four pillars are:
- the establishment and implementation of policies, procedures and internal controls reasonably designed to achieve compliance with the applicable provisions of the BSA and the implementing regulations thereunder;
- independent testing for compliance to be conducted by the broker-dealer’s personnel or by a qualified outside party;
- the designation of someone to be responsible for implementing and monitoring the operations and internal controls of the programme; and
- continual training.
Notice 17-40 suggests that the CDD Rule adds a so-called ‘fifth pillar’ to these requirements: appropriate risk-based procedures for continual customer due diligence, to include, but not to be limited to: (i) understanding the nature and purpose of relationships with customers for the purpose of developing a customer risk profile; and (ii) continual monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update information about customers.
FINRA echoed language in the CDD Rule, stressing that this fifth pillar does not represent ‘new law’ and merely codifies FINRA’s pre-existing ideas of how firms should identify and report suspicious transactions and know and understand their customers in accordance with the BSA.
With respect to identifying and verifying the identities of beneficial owners of legal-entity customers, FINRA noted that a firm may rely on beneficial ownership information supplied by the individual opening an account on behalf of a legal-entity customer, provided that the firm does not have knowledge of facts that would reasonably call into question the validity or reliability of that information, and that a firm is allowed to rely on another financial institution for the performance of the requirements under the CDD Rule to the same extent that this reliance is permitted under the CIP Rule.
FINRA also stated in Notice 17-40 that it was thinking of making another rule to align the language of Rule 3310 with that of the CDD Rule more closely.
FINRA Regulatory Notice 18-19
As noted above, FINRA announced in Notice 18-19 that it was amending Rule 3310 to align the rule’s language with that of the CDD Rule more closely. The proposed amendments were subsequently published in the Federal Register as a Notice of Filing and Immediate Effectiveness.
In Notice 18-19, FINRA referred to the guidance that it had previously provided in Notice 17-40, especially with respect to firms’ continuing customer due diligence requirements enumerated in the CDD Rule. The amendments add a new subsection (f) to Rule 3310, which states that:
“Each member shall develop and implement a written anti-money laundering programme reasonably designed to achieve and monitor the member’s compliance with the requirements of the BSA and [its] implementing regulations. Each member’s AML programme must be approved, in writing, by a member of senior management. The AML programmes required by this rule shall, at a minimum, (f) Include appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to: (i) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (ii) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. For purposes of paragraph (f)(ii), customer information shall include information regarding the beneficial owners of legal-entity customers.”
Answers to FinCEN’s recent FAQs
On 3 April this year, FinCEN released its second series of answers to FAQs with respect to the CDD Rule, referring to an additional 37 questions. It had published its first series of FAQs with respect to the CDD Rule in July 2016. The recent FAQs primarily cover various topics to do with the duty of financial institutions to obtain information about the beneficial ownership of their legal-entity customers, including:
- the beneficial ownership threshold and its interaction with other AML programme obligations;
- the collection and verification of identifying information, particularly for legal-entity customers with complex ownership structures;
- the definition of ‘legal-entity customer,’ not least when it is a non-US financial institution; and
- a clarification and discussion with respect to certain exemptions and exclusions from the CDD Rule.
The FAQs of 2018 also provide guidance and answers to questions regarding the beneficial ownership certification requirement, not least when a single customer opens several accounts and in respect of product or service renewals, obligations to update beneficial ownership information, requirements to understand the nature and purpose of each relationship with each customer, internal approval of AML programme changes and currency transaction reporting.
Selected answers from the FAQs of 2016
Question 10 – Obtaining Beneficial Ownership Information. Here FinCEN notes that a financial institution does not need to obtain information directly from the beneficial owners of a legal-entity customer. It must come from the individual who opens the account on behalf of the legal-entity customer, although he may be a beneficial owner also.
Question 11 – Types of Beneficial Ownership Information that Must be Collected. Every financial institution must collect the name, date of birth, address and social security number or other government-sanctioned identifying number (i.e., passport number or similar) for each individual identified under the ‘ownership’ or ‘control’ prongs of the CDD Rule.
Question 12 – Nominee Owners. Here the regulator reiterates its point that the CDD Rule requires financial institutions to identify the ultimate beneficial owners of legal-entity customers, and not ‘nominees’ or ‘strawmen.’ The answer to this question reminds financial institutions, however, that it is the responsibility of the individual opening the account on behalf of the legal-entity customer to identify the beneficial owners, and financial institutions may rely upon the information provided, unless the institution has reason to question its validity or accuracy.
Selected answers from the FAQs of 2018
Question 2 – Setting a Lower Ownership Prong Threshold. There may be circumstances in which a financial institution might decide that it ought to collect beneficial ownership information about ‘risky’ individuals below the 25% threshold. Alternatively, it might decide that it could offset some exceptionally onerous risk associated with a particular legal-entity customer by other means, perhaps by stepping up its monitoring or collecting other information.
Question 3 – Indirect Beneficial Owners. This deals with the identification of indirect owners of legal-entity customers and notes that a covered financial institution must obtain the identity of any individual who satisfies the definition of beneficial owner, regardless of whether he owns 25% or more of the legal-entity customer directly, or indirectly, for example, through the aggregation of holdings in various parent entities. With this in mind, FinCEN notes that covered financial institutions do not need to investigate the ownership structure of the legal-entity customer independently and may rely instead on the information presented by the legal-entity customer’s representative, as long as the institution does not know of any facts that would reasonably call the validity or reliability of that information into question.
Question 4 – Verifying Beneficial Ownership Information. This explains that although the risk-based procedures that a covered financial institution uses to verify the identities of beneficial owners of legal-entity customers must contain, at minimum, the same elements it uses to verify the identities of individual customers under the CIP Rule, including procedures to address instances where the institution cannot form a reasonable belief that it knows the true identity of the legal-entity customer’s beneficial owners, the procedures under the CDD Rule do not have to be identical to that institution's CIP Rule procedures. For example, the CDD Rule states explicitly that a financial institution may use photocopies or other reproduced documents for documentary verification.
Question 7 – Reliance on Prior CIP Information. Here FinCEN notes that a financial institution may rely on the CIP information that it has already collected for somebody with an existing account to satisfy its obligations to identify and verify, in situations where the existing customer is named as a beneficial owner of a new legal-entity customer. The information on file must be accurate and up-to-date and the representative who opens the account on behalf of the legal-entity customer must certify — either verbally or in writing — that the pre-existing CIP information is accurate.
Question 10 – Reliance on Prior CDD Certification. Any covered financial institution that has already received a certification or equivalent form from a legal-entity customer may rely on that information to fulfil its beneficial ownership identification and verification obligations for subsequent accounts opened by the same legal-entity customer, as long as the customer certifies — either verbally or in writing — that the information is accurate and up-to-date at the time of each subsequent account opening, the institution maintains a record of each certification or confirmation and the institution does not know of any facts that would reasonably call into question the validity or reliability of that information.
Question 14 – Requirements to Update CDD Information. No covered financial institution is required to solicit or update beneficial ownership information in the absence of specific risk-based concerns, although it has discretion to collect and update beneficial ownership information as often as it thinks fit. It is, however, required to have policies and procedures in place to maintain and update information about customers on a risk basis and obtain and update information, if, in the course of normal monitoring, it becomes aware of information about a customer or account, including a potential change in beneficial ownership, relevant to the assessment or re-assessment of that customer’s general risk profile.
Question 18 – Pooled Investment Vehicles. For vehicles of this type that are not otherwise excluded under the CDD Rule, it would be impractical for covered financial institutions to attempt to collect and verify the 25% ownership information in view of the way in which ownership interests fluctuate. Covered financial institutions are, however, required to collect beneficial ownership information for such entities under the ‘control’ prong of the CDD Rule.
Question 26 – Scope of Non-US Financial Institution Exclusion. For the purposes of the “non-US financial institution exclusion” to be found in the CDD Rule, a non-US regulator must merely collect and maintain beneficial ownership information for the legal-entity customer. A covered financial institution is not required to research the specific transparency obligations imposed on a non-US financial institution by its regulator and compare them with those imposed on US financial institutions by US federal functional regulators. It may rely on a representation by the legal-entity customer with respect to whether an exclusion applies, as long as the institution does not have knowledge of any facts that would reasonably call into question the validity or reliability of that information. The answer to this question also notes that correspondent accounts for non-US financial institutions will continue to be subject to the due diligence and beneficial ownership identification requirements that were already in place before the CDD Rule came in, rather than the requirements set forth in the CDD Rule.
Question 28 – Scope of Non-US Governmental Entity Exclusion. This explains that the “non-US governmental department, agency or political subdivision that engages only in governmental rather than commercial activities exclusion” under the CDD Rule does not apply to state-owned enterprises engaged in profit-seeking activities, such as sovereign wealth funds, airlines or oil companies. The answer to this question does note, however, that many state-owned enterprises may not have any individual who meets the ‘ownership’ prong under the CDD Rule, because the equity interest is held by a governmental department, agency or political subdivision. In those instances, covered financial institutions would only be required to obtain beneficial ownership information under the control prong of the CDD Rule. This response also reiterates the fact that an institution may rely on a representation by the legal-entity customer with respect to whether an exclusion applies, as long as the institution does not know of any facts that would reasonably call into question the validity or reliability of that information.
Updates to the FINRA Small Firm Template
On 4 April, FINRA published an updated version of its Small Firm Template to take account of the obligations of firms to obey Rule 3310 and the CDD Rule. These changes have been incorporated into section 6 of the template (the Customer Due Diligence Rule). Other substantive changes include additions to the ‘example text’ in the Firm Policy and National Security Letters Sections. Minor ‘clean-up’ changes, updated rule references and additional resources and guidance have been published since the old version.
Great expectations
The CDD Rule and Rule 3310 codify the existing expectations that regulators have in respect of compliance with the BSA, taking in the identification and reporting of suspicious transactions and the duty to know and understand one’s customers. This ‘fifth pillar’ requires firms to understand the nature and purpose of their relationships with customers, to keep monitoring their activity and to identify and verify the identities of the beneficial owners of legal-entity customers.
* Russell Sacks can be reached on +1 212 848 7585 or at rsacks@shearman.com. His co-authors are partners Stuart Fleischmann, Ilir Mujalovic, Merritt Johnson, Lona Nallengara, Nathan Greene and Jay Baris, along with Buddy Donohue of counsel, Jennifer Morton of counsel and associate P Sean Kelly.