On May 11, 2016, FinCEN published in the Federal Register its long-awaited anti-money laundering (“AML”) rules (the “Final Rules”) governing corporate entities doing business with banks and other financial institutions that are subject to the requirements of the Patriot Act.1
While the Final Rules are relatively straightforward conceptually, the compliance burden will be substantial for bank lenders and other covered institutions. First, a bank must identify persons owning or controlling 25% or more of a “legal entity,” discussed below, whenever the legal entity opens a new account at the bank.2 Second, a bank must also identify an individual who has substantial management authority at the legal entity, such as a CEO, CFO, managing partner, etc.
Third, the Final Rules codify within the FinCEN regulations five “pillars” that must be included in a bank’s AML compliance program.3 Among other things, a newly added pillar includes the necessity to monitor and update the beneficial ownership of a legal entity—which will mean that corporate borrowers will be subjected, on a regular basis, to due diligence requests from their bank lenders for certifications.
This Dorsey Client Alert focuses on the impact that the Final Rules may have on domestic and foreign banks engaged in lending transactions. Among other things, it identifies compliance risks and lending challenges that banks will face as the Final Rules are implemented.
The Beneficial Ownership Rules
The Final Rules apply to several categories of financial institutions, including banks, foreign banks doing business in the United States, savings associations and credit unions, and address a loophole that advocates of a strong AML program have repeatedly criticized—namely, that a bank was under no obligation to identify the beneficial ownership of a legal entity to which the bank provides a wide range of banking services (with the result that money laundering and similar crimes could not be identified by electing to engage in business through a legal entity).
As noted above, the Final Rules will impose on banks the obligations to identify and verify the beneficial ownership of legal entities whenever a new account is opened. Several important defined terms contained in the Final Rules are as follows:
Legal Entity. The concept of a legal entity is a simple one, and includes virtually every type of corporate business that can be chartered or formed, including: (a) corporations; (b) partnerships; (c) limited partnerships; (d) limited liability corporations; (e) limited liability partnerships; (f) other corporate forms requiring the filing with a State Secretary of State or similar officer; and (g) any corporate entity chartered in a foreign country and doing business in the U.S.4
Account. For banks, an account encompasses just about any lending, deposit or other bank service requiring a contractual relationship with a customer, and includes: (a) a deposit account; (b) a transaction or asset account; (c) a credit account; (d) any other extension of credit; (e) a safety deposit box or other safekeeping service; (f) cash management services; (g) custodial services; and (h) trust and fiduciary services. Stated another way, the Final Rules attempt to include within coverage any formal contractual relationship between a bank and a legal entity, which indicates that a bank should assume that any bank service being offered to a legal entity constitutes an account.
Beneficial Ownership. There are two distinct prongs to the beneficial ownership requirements for legal entities: (a) the identification of any individual owning 25% or more of the legal entity (the “ownership prong”); and (b) the identification of a management official exercising control over the legal entity (the “control prong”).5
While difficulties in identifying individuals with a 25% or more ownership interest under the ownership prong are discussed in greater detail below, it is important to note that this approach is similar in kind to the ownership rules in the federal Bank Holding Company Act, which allows for up to 4 individuals to “control” a bank holding company (i.e., by each person owning 25% of the holding company).6
In regard to a management official that must be identified under the control prong, the Final Rules identify a list of relatively typical management officials who may be deemed to be exercising “significant responsibility to control, manage or direct” the legal entity, including: (a) a CEO; (b) a CFO; (c) a COO; (d) a chairman; (e) a managing partner; and (f) any other official holding management authority. (Thankfully, the Final Rules permit a bank to only identify one person exercising management authority, although several individuals in a typical corporate structure would hold or share that authority.)
The Final Rules require that a bank create an AML compliance program that incorporates ongoing customer due diligence (“CDD”) elements in regard to legal entity customers:
- Obtaining beneficial ownership and control information when an account is being opened
- Analyzing—and understanding—the account relationship to develop a customer risk profile
- Conducting ongoing monitoring to identify and report suspicious transactions (via the filing of Suspicious Activity Reports (“SARs”))
- On a risk basis—to update customer information7
In regard to the opening of an account, a bank must identify and verify both prongs of the beneficial ownership requirement. To simplify the process, the Final Rules contain a form that might be used by a bank (provided that there is no indication that additional CDD is needed to confirm the beneficial ownership requirement).8
Following the completion of the identification and verification components, a bank must build a risk-based profile of the legal entity in order to commence monitoring activity for the account relationship. What this means is that if account activity is not within the parameters established for the assigned risk profile, a bank would be required to “red-flag” the account, and determine whether the filing of a SAR is warranted.
Finally—and perhaps most importantly—a bank will be required to periodically review the account relationship to determine whether the beneficial ownership for a legal entity should be recertified—which would likely involve directly requiring management of a legal entity to either confirm that a change in beneficial ownership has not occurred, or else that a change has occurred, which would then require that the bank update its CDD for that legal entity.
Recordkeeping and Effective Date for the Final Rules
The Final Rules require that beneficial ownership CDD compliance records must be retained by a bank for five years from the date that the record is created. Among other things, because of the obligation of continuing to monitor beneficial ownership of a legal entity, the file records for a bank regarding a legal entity could become voluminous. (Further, a bank may elect not to purge records that fall beyond the record retention period for accounts that remain open.)
More troublesome, however, is the fact that while the applicability date for the beneficial ownership requirements for legal entities is technically May 11, 2018, FinCEN has made it clear that it believes that the CDD obligations for legal entities are de facto already in effect because they are so closely linked to a bank’s existing monitoring AML obligations. Moreover, FinCEN has indicated that the federal banking regulators are authorized to impose more stringent requirements on regulated banks—which means that banks might wish to consider implementing the requirements of the Final Rules sooner than later.
Exceptions and Exemptions
The Final Rules contain several carve-outs from the general rule that lending banks must identify and verify the beneficial ownership of a customer.
First, there is a general exemption for other financial institutions—all of which are regulated and hence do not present the same degree of concern regarding beneficial ownership. This category includes: (a) a financial institution regulated by a state or federal functional regulator; (b) a foreign financial institution from a jurisdiction where the regulator maintains beneficial ownership information regarding that institution; (c) a bank holding company; (d) a publicly traded and SEC-registered company; (e) a registered investment company; (f) a registered investment advisor; (g) an exchange or clearing agency; and (h) other similar exemptions (16 in total).
In regard to the foreign bank exception, it may be necessary for a bank located in the U.S. to obtain some confirmation that the foreign bank regulator has established ownership and control rules that satisfy the requirements of the Final Rules. (This condition precedent also creates an incentive for foreign banks to cause their home country regulator to adopt beneficial ownership regulations that comply with this requirement.)
In regard to registered investment companies and registered investment advisors, these exceptions were somewhat controversial because they exempt investment companies and investment advisors from conducting CDD regarding their clients, which can include hedge funds, trusts and other investment entities. (The Administration has indicated that it wishes to narrow or eliminate this exemption by legislation.) Further, the federal bank regulators may instruct bank lenders to require additional CDD regarding the clients of investment companies and investment advisors as a condition to those entities maintaining accounts at banks that are subject to the Final Rules.
Another important exception in the Final Rules is that the required CDD may be performed by a third party bank or an affiliate of a third party bank whose customer is opening an account at a bank lender, provided that:(a) the reliance is reasonable; (b) the other financial institution is subject to FinCEN’s AML regulations and is regulated by a federal functional regulator; and (c) the other financial institution contractually undertakes to certify annually that it has implemented an AML program and its own AML compliance is adequate. (The degree of inquiry by a bank in order to “reasonably rely” on another institution is unclear; this legal hurdle is discussed below.9)
Penalties for Non-Compliance
While the penalties for the failure to maintain an effective AML compliance program are already substantial, a further element is now present in regard to the obligation of a bank’s legal entity customer to certify to the bank beneficial ownership under the two prongs (i.e., ownership and management control). Specifically, any such certifications arguably become subject to Section 1014 of Title 18 of the United States Code, which states:
18 USC 1014—
Whoever knowingly makes any false statement or report…to any institution the accounts of which are insured by the Federal Deposit Insurance Corporation, a branch or agency of a foreign bank…or a mortgage lending business,…upon any application, advance, discount, purchase, purchase agreement, repurchase agreement, commitment, loan, or insurance agreement or application for insurance or a guarantee, or any change or extension of any of the same, by renewal, deferment of action or otherwise,….shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.
Because of the initial requirement that a legal entity verify beneficial ownership—when coupled with the ongoing obligation to recertify upon the request of a bank— individuals providing the certifications may be extremely uncomfortable providing such verifications without engaging in their own due diligence, which may complicate the on-going CDD process on the part of the lending bank.
Lending Challenges Presented to Banks
Domestic and foreign banks lending to legal entities will have to carefully review their underwriting and loan documentation to accommodate the beneficial ownership requirements of the Final Rules.
Several operational and legal challenges are as follows:
Lending documentation. Borrowers are very frequently reluctant (or refuse) to cooperate with a bank lender in a manner that is outside of the scope of their specific contractual undertakings. This may place a bank in the position of arguing that a legal entity now has an affirmative obligation to provide beneficial ownership information when requested by the lending bank.
We suggest that a bank consider amending its application and loan documentation as soon as is practicable to incorporate appropriate covenants addressing the obligation of a legal entity to fully cooperate with a bank’s CDD pursuant to the Final Rules. In that regard, bank lending obligations should state that the initial loan application and underwriting process now includes cooperation in regard to identifying and verifying beneficial ownership of a legal entity. In regard to ongoing CDD by a lending bank, similar covenants should be drafted that places an affirmative obligation on a legal entity to respond to a request by a bank to update or recertify beneficial ownership information.
Lending Due Diligence. One of the difficult challenges to be faced by a bank when conducting CDD with a legal entity will be to establish standards that will comply with the CDD inquiry obligations. Similarly, a lending bank may also need to consider whether the degree of beneficial ownership required to be disclosed should be more rigorous than the minimal levels set by the Final Rules.
In regard to initial CDD for a legal entity, a lending bank should consider whether the verification procedures authorized by the Final Rules will be adequate in the particular lending circumstances. Even though it appears that a beneficial owner’s ownership status can be confirmed by a management official of a legal entity, it is possible that prudent underwriting (and as potentially criticized by after-the-fact reviews by bank regulators) will require more than the execution of a one-page form document.
Associated with this issue is the possibility that merely requiring beneficial ownership for individuals holding 25% or more of a legal entity may prove inadequate—and the bank regulators may elect to impose more stringent standards. For example, generally applicable bank control laws and regulations impose presumptions of control above a 10% threshold. It is not beyond possibility that similar restrictions could be required by the bank regulators as the Final Rules are implemented.
Education and Training of Legal Entities. Clearly the beneficial ownership obligations will come as a shock to many bank borrowers—who traditionally have used legal entities to shield investors from scrutiny and disclosure. In that regard, banks may consider the necessity to commence educating the borrower community regarding these new disclosure obligations—including the borrower’s legal counsel— who may play an important role when counseling a newly formed legal entity that transparency in ownership should now be expected.
Unanswered Questions and Challenges
The adoption of the Final Rules brings AML, OFAC and similar laws into greater symmetry, which is a declared goal by FinCEN and federal and law enforcement officials. While the codification of heretofore requirements for an effective AML compliance program creates greater clarity for banks (i.e., identifying by regulation the components of a compliance program), the Final Rules also create many additional ambiguities that will eventually have to be considered by banks and other financial institutions.
Several issues that have already been identified are as follows:
First, as noted above, it is very possible that the minimum beneficial ownership standards for CDD contained in the Final Rules will be adjusted to a higher, more robust level by the banking regulators. Care must be exercised by lending banks to anticipate any such determination so that the contractual obligations of a legal entity conform to current legal requirements for CDD (as adjusted from time to time).
Second, even though the Final Rules are applicable to accounts opened on and after May 11, 2018, it is also very possible that the banking regulators will require that the beneficial ownership CDD be implemented by lending banks earlier than that date. Particularly in light of the detailed changes that must be made to a bank’s underwriting and documentation policies and procedures, prudence may dictate implementing the new CDD requirements sooner than later.
Third, in regard to reliance on another financial institution to certify and identify a bank’s legal entity customer, that third party institution’s attestation is conditioned on the execution of a contract with the third party institution certifying the effectiveness of its own AML program. At the moment, what will be sufficient in regard to a “contract” is completely unclear; further, many financial institutions will be leery about making a certification to another bank in light of the possible criminal liability created by 12 U.S.C. § 1014.
Finally, banks should be aware that the Final Rules create disclosure issues with other legal disciplines that will have to be addressed (and hopefully, homogenized). For example, tax attorneys have identified possible differing requirements when identifying beneficial ownership interests under the Final Rules versus the identification of beneficial ownership for IRS, state and foreign reporting purposes. Similarly, what constitutes beneficial ownership could become a complex analysis based upon control on investments that fall below the 25% threshold—and place legal entities in the unenviable position of determining whether further inquiry as to ownership is required.
In the minimum, these disparate compliance requirements may create regulatory confusion and could create potential liability to both banks and their legal entity customers.
* * *
We trust that this analysis is helpful when identifying the obligations of domestic and foreign banks when considering the implementation of the Final Rules. Note that this Alert does not constitute legal advice—banks should consult with legal counsel as the Final Rules are implemented and interpreted by FinCEN and the federal banking regulators.
1. 81 Fed.Reg. 29397. 31 CFR 1010, 1020, 1023, 1024, and 1026. The Final Rules are effective as of July 11, 2016; financial institutions must comply with the Final Rules regarding opening of accounts (termed the applicability date) by May 11, 2018.
2. It is important to note that while FinCEN has indicated that it will not impose the CDD requirements retroactively to accounts that predate the Final Rules’ applicability date for new accounts, financial institutions are still expected to collect beneficial ownership information on those accounts on an event-trigger basis (for example, in the event that the customer’s transaction activities appear to deviate from the customer’s usual transaction activities).
3. The existing four pillars are: (1) the development of internal policies, procedures, and control; (2) the designation of a compliance officer; (3) the establishment of an ongoing employee training program; and (4) the implementation of an independent audit function to test programs. See 31 U.S.C. 5318(h). The beneficial ownership requirement makes the fifth pillar.
4. Individuals, unincorporated associations and sole proprietorships are not covered by the Final Rules (but are covered by the “know your customer” requirements of the Patriot Act).
5. In situations where the corporate entity is owned by individuals each with less than 25% ownership, the financial institution is only required to collect beneficial ownership information under the control prong (that is, identifying an individual with “significant managerial control,” such as a CEO or senior manager), and is not required to collect beneficial ownership information under the ownership prong. However, FinCEN has emphasized that financial institutions may determine, pursuant to a risk-based approach, that certain circumstances may warrant the collection of beneficial ownership of an individual even if the person does not meet the 25% threshold.
6. FinCEN has indicated that the 25% ownership interest merely establishes a floor requirement; financial institutions can request information concerning beneficial owners with less than 25% of the corporate entity if they establish their own ownership thresholds as part of the underwriting process.
7. While FinCEN has specified that there is no absolute requirement to continuously update customer information, financial institutions will be expected to conduct risk-based monitoring, which can be triggered during the course of transactional monitoring. For example, if there is a sudden and unexplained change in customer deposit activity, it would be appropriate for the financial institution to update the customer information. Importantly, this requirement applies not only to new accounts, but to accounts that were opened prior to the applicability date for new accounts as set forth in the Final Rules.
8. See 31 CFR 1010.230(b)(2). FinCEN has emphasized that the covered institutions are required to verify the identity of the individual identified as a beneficial owner in a manner similar to the institutions existing CIP procedures required for verifying the identity of individual customers. FinCEN has also noted that using the one page certification form to obtain beneficiary ownership information does not provide financial institutions a safe harbor if the information provided turns out to be false.
9. See 31 CFR 1010.230(j).