Long-awaited changes to BSA add a fifth pillar: customer due diligence.
The long-awaited changes to the Bank Secrecy Act’s customer due diligence requirements go into effect this Friday, May 11. Although many credit unions may not deal with the type of sophisticated entities that this regulation is designed to address, they will still need policies and procedures in place that respond to this guidance.
The Financial Crimes Enforcement Network began laying the groundwork for these changes in 2012 by issuing an advance notice of proposed rulemaking. FinCEN then issued a proposed CDD rule in 2014 and the final rule was issued in 2016.
The new rules require covered financial institutions to identify and verify the identity of beneficial owners of customers/members each time a new account is opened. The financial institution may rely on copies of identity documents supplied by the customer as long as they believe the information is reliable. The final rule also requires anti-money laundering programs to explicitly include risk-based procedures for conducting ongoing CDD and developing a customer risk profile.
Fifth Pillar of BSA Compliance
The final rule adds a “fifth pillar” to overall BSA compliance—CDD. CDD is not one of the original four pillars of BSA compliance, but is an implicit requirement. The fifth pillar is spelled out in 31 CFR 1020.210:
(5) Appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
- (i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
- (ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. For purposes of this paragraph (b)(5)(ii), customer information shall include information regarding the beneficial owners of legal entity customers.
Beneficial Ownership Information
The BSA regulation includes a new section specifically on beneficial ownership requirements. Financial institutions must have written procedures to identify and verify “beneficial owners of customers.” In the case of credit unions, these “beneficial owners” are the owners or “those who benefit from ownership” of businesses. The written procedures must be contained in financial institutions’ anti-money laundering compliance programs.
There are two parts to the definition of beneficial owner: ownership and control. A beneficial owner is defined as the following:
(1) Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of a legal entity customer; and
(2) A single individual with significant responsibility to control, manage, or direct a legal entity customer, including:
- (i) An executive officer or senior manager (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or
- (ii) Any other individual who regularly performs similar functions.
The number of beneficial owners can vary. Up to four individuals can meet the ownership part of the definition, and an additional person can meet the management part of the definition. Consequently, it is possible to have five beneficial owners.
Customer
“Customer” is referred to in the final rule as “legal entity customer.” “Legal entity customer” is defined as “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account.” There are several exceptions to who is considered a legal entity customer, including a financial institution regulated by a Federal functional regulator and a public accounting firm registered under section 102 of the Sarbanes-Oxley Act.
Identify
Under the final rule, financial institutions must identify beneficial owners of accounts each time a new account is opened.
There are two options for meeting the identification requirement. First, financial institutions can identify beneficial owners by obtaining a certification from the individual opening the account on behalf of the customer. Appendix A of the new rule includes a model form for the certification. The model form asks for beneficial owner information, including name, date of birth, address and Social Security/passport number. The second option is for the financial institution to obtain from the individual the information required by the model form by a different means, provided the individual certifies, to the best of the individual’s knowledge, the accuracy of the information.
Verify
The final rule requires financial institutions to utilize its risk-based procedures to verify the identity of each beneficial owner. The risk-based procedures can contain the same steps currently followed for verifying the identity of individual customers under the Customer Identification Program provisions. For documentary verification, photocopies are permissible for the same documents as those in the existing CIP provisions, such as a driver’s license. A financial institution is permitted to rely on the information supplied by the customer regarding the identity of its beneficial owner or owners, provided that it has no reason to question the reliability of this information.
John Zasada is principal with CliftonLarsonAllen, Minneapolis.