How to Comply With FinCEN’s Beneficial Ownership Rule

On Jan. 22, 2019, the Financial Industry Regulatory Authority (FINRA) released its annual Priorities Letter, in which the organization described the areas that it will focus on during examinations. One such area is the implementation of the Financial Crimes Enforcement Network’s (FinCEN) Customer Due Diligence (CDD) Rule and its Beneficial Ownership Rule.

What is FinCEN’s Beneficial Ownership Rule?

The Rule, which came into effect on May 11, 2018, requires firms to:

• Identify and verify the identity of new customers
• Identify and verify the identity of the beneficial owners of companies opening accounts
• Understand the nature and purpose of customer relationships to develop customer risk profiles
• Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information

FinCEN allowed a 2-year implementation period after issuing the Final Rule on May 11, 2016, and most financial institutions already had long-standing policies and procedures in place with respect to much of the Rule’s requirements.

However, the requirement to identify the beneficial owners of legal entity customers was a dramatic change in policy and procedure with respect to onboarding and ongoing monitoring of legal entity customers and was one of the challenges presented in the implementation.

This five-part whitepaper explores the most significant challenges faced by financial institutions in implementing the beneficial ownership requirement of the CDD Rule as well as recommendations for complying with the various requirements.

Covered Financial Institutions for the CDD Rule

Financial institutions affected by the beneficial ownership rule include:

• Banks
• Credit unions
• Broker-dealers in securities
• Mutual funds
• Futures commission merchants and introducing brokers in commodities

Institutions that are currently not covered include:

• Money service businesses (MSBs)
• Insurance companies
• Casinos and card clubs
• Dealers in precious metals, precious stones and jewels
• Providers of prepaid access

Part 1 – Identifying Beneficial Ownership

Before identifying the beneficial owner, identify the legal entity customer

The CDD Rule requires a financial institution to obtain and verify the identity of each beneficial owner of a legal entity customer. However, before identifying the beneficial owner(s), one must first define what constitutes a legal entity customer.

According to FinCEN, a legal entity customer is a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or another similar office; a general partnership; or any similar entity formed under the laws of a foreign jurisdiction that opens an account.

While on the surface this seems simple, FinCEN has also outlined an extensive list of exemptions, and financial institutions need to analyze their own commercial customer bases and target markets for types of entities that may or may not qualify as legal entities under the CDD Rule. Exemptions include (but are not limited to):

1. A financial institution regulated by a federal functional regulator or a bank regulated by a state bank regulator;
2. An issuer of a class of securities registered under section 12 of the Securities Exchange Act of 1934 or that is required to file reports under section 15(d) of that Act;
3. A registered entity, commodity pool operator, commodity trading advisor, retail foreign exchange dealer, swap dealer, or major swap participant, each as defined in section 1a of the Commodity Exchange Act, that is registered with the Commodity Futures Trading Commission
4. A public accounting firm registered under section 102 of the Sarbanes-Oxley Act; and
5. An insurance company that is regulated by a State

A financial institution with a customer base that includes governmental and quasi-governmental agencies (federal, state or municipal), other financial institutions both domestic and foreign, and foreign legal entities should pay special attention to these definitions and exclusions.

How Should a Financial Institution Determine What is the Commercial Customer’s Type of Legal Entity?

A financial institution’s own policies and risk appetite come into play when deciding the type of legal entity for a commercial customer. There are several options with a wide variety of nuances among them.

For example, the institution could identify the customer’s specific category of legal entity during the onboarding/due diligence process through a review of the entity’s formation document(s) and prior to requesting the certification of beneficial ownership from the customer. This may be the simplest solution for the vast majority of legal entity customers, which will most likely be LLCs, closely held corporations, and partnerships.

At the opposite end of the spectrum, the customer could be asked to self-identify its legal entity type from a detailed list of inclusions and exclusions provided by the institution. While the latter removes much of the risk from the institution of incorrectly excluding a particular customer from beneficial ownership identification requirements, this could be perceived as burdensome from a customer relations perspective.

Defining and Identifying Beneficial Owners

The CDD Rule has two “prongs” of beneficial ownership: an ownership prong, and a control prong.

The ownership prong is any individual (human) person who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, owns or controls 25 percent or more of the equity interests of a legal entity customer.

With closely held corporations, it is very common to find 25% or more owners that are private trusts rather than individuals, shielding these assets from the trust grantor/beneficiary’s creditors. In these situations, the beneficial owner is the individual who is the Trustee of the trust.

The control prong of beneficial ownership represents a single individual with significant responsibility to control, manage or direct a legal entity customer. An executive officer or senior manager such as CFO, CEO, etc. meets this definition.

The legal entity customer must identify one individual under the control prong, regardless of whether or not any beneficial owners under the ownership prong exist. In other words, a legal entity customer may have no beneficial owners under the ownership prong, but will always have one under the control prong.

It is critical that the financial institution requires the customer to supply the beneficial owners’ names and identifying information, under both prongs. In the US today, most states do not collect this information, making it unavailable through public records.

Ownership information may sometimes be gleaned from a company’s formation documents; however, this information is typically limited to only the entity’s direct owners and their initial capital contributions.

In a multi-tiered structure, it is highly likely that no public information is available identifying the ultimate owners. The customer representative who is opening the account and completing the beneficial ownership certification may not have the detailed ownership information for a multi-tiered structure.

In this situation, the customer representative must contact the company’s legal counsel to obtain this information—the financial institution must not do this on the customer’s behalf.

Is 25% or More Ownership Mandatory?

The CDD Rule mandates that 25% is the minimum ownership threshold. However, financial institutions are free to require ownership information at a lower threshold, based on risk. For example, an institution may determine that non-US commercial customers domiciled in certain countries are higher risk, and therefore require that all beneficial owners of, say, 15% or more be identified.

The 25% threshold has the potential for added risk when individual owners seek to maintain anonymity. Federal law enforcement has commented that there will likely be a significant increase in individuals’ corporate ownership percentages that are just under this 25% threshold (ex. 24.9%, 24.5% etc.) as those seeking to remain hidden presume that financial institutions will use the 25% standard.

Vendor solutions for identifying beneficial ownership of legal entities are showing up everywhere now that the CDD Rule has taken effect. Unfortunately, because corporate ownership information for non-traded entities (the bulk of corporations in the U.S. today) is neither collected nor stored by most states, this information will likely have been obtained indirectly and could be out of date. Use caution and request a real-life demo before purchasing a system or database of corporate ownership data.

Summary and Recommendations

To comply with the CDD Rule, ensure the following is done within your organization:

1. Identify the commercial customer’s legal entity type first. Institutions with a client base that includes government or quasi-government agencies and non-US entities should closely examine the CDD Rule’s exclusions with respect to these. Evaluate the risks versus rewards of the institution’s determination of legal entity type versus customer self-identification.
2. Understand the math in determining beneficial ownership with complex ownership structures. Beneficial owners are the individuals with the ultimate controlling interests.
3. Require the customer to supply the names and ownership percentages for all beneficial owners. With complex structures, request an organization chart to document and validate the customer’s calculations. Always obtain current company formation documents to support the legal entity customer’s identification, as well as legal entity type and direct owners.
4. Consider added scrutiny when ultimate beneficial owners fall just under the 25% threshold. Consider using a lower threshold on a risk basis.

Part 2 – How to Collect, Store, Manage, and Maintain Beneficial Ownership Information

Collecting beneficial ownership information

The CDD Rule provides a very simplistic template for a beneficial ownership data collection and attestation form. The Rule clearly states that the use of this specific template is not mandatory and that financial institutions are free to develop their own formats.

At first, many financial institutions’ legal counsels were loath to deviate in any way from the FinCEN template, fearing the risk of not collecting the right information. As time has passed, more and more institutions are now using their own versions, collecting additional information beyond the basics. Here is the basic information to be collected:

• Name, date of birth, residence address, and tax ID number of any individual who owns/controls, directly or indirectly, 25% or more of the legal entity customer—if any
• Name, date of birth, residence address, and tax ID number of one individual with significant responsibility to control, manage, or direct the legal entity customer
• Name and signature of the individual opening the account (who may or may not be a beneficial owner)

Financial institutions have expanded on this basic information with their own customized beneficial ownership forms, requesting data such as:

• Each owner’s percentage owned or controlled
• Titles (especially for the individual named under the control prong)
• An organization chart, when a complex structure is involved

Some institutions have gone a step further by requiring that the legal entity self-identify its type/classification from a list of all the entity types identified in the CDD Rule, including those that are exempt from beneficial ownership reporting.

If the customer is an exempt entity type (such as a publicly traded company), the customer needs only sign and return the form, with no further data provided. Although it results in a much longer form, this practice provides several significant advantages:

• It dramatically simplifies the onboarding process, by requiring that every new legal entity customer receive and return the beneficial ownership form. This provides a clear audit trail and removes “guesswork” as to which customers should or should not receive the form.
• It eliminates the risk of error by requiring the legal entity customer to “self-exempt.” There is no risk of a financial institution employee misidentifying a customer as an exempt entity and hence not obtaining the form.
• It provides expanded customer data for due diligence, transaction monitoring, and analytics.

Paper or Electronic Form?

The beneficial ownership form’s delivery to and return by the legal entity customer poses its own set of challenges. Institutions must weigh the costs and risks versus benefits of the three basic formats: paper; electronic/emailed; and online entry.

• A paper form is simple and may be included with other hard-copy onboarding materials such as account agreements, signature cards, etc. It also simplifies the signature process with a “wet” or manual signature. Returning the form by mail or in-person provides secure transmission of the private/confidential data included in it.
• An electronic form transmitted by email has the advantage of expediency and ease of completion for the customer. Distribution, return, and follow-up can also be monitored electronically. The use of electronic signature technology will also improve the customer experience but adds complexity and cost if the institution has not widely adopted e-signature. Additionally, if the financial institution does not provide a secure/encrypted email system for the returned document, the beneficial owners’ private data is at risk of compromise.
• A secure online form is the most efficient option from both the customer’s and the institution’s perspectives. However, the institution must deploy the necessary technology, including e-signature, for this option. A further advantage of an online form is that the data is already in electronic format which can be automatically saved in a database for further analysis and querying, whereas paper forms and (in some cases) electronic forms require manual data entry.

Data Management Challenges

One of the most challenging aspects of the CDD Rule, for which no clear guidance is offered, is how to effectively manage beneficial owner data. Beneficial owner information is a new and unique set of data elements for most financial institutions.

The institution’s client/accountholder/borrower is the legal entity itself, not the individuals who control it. Most financial institutions’ legacy databases and systems were not designed to capture information about individuals who may be several times removed from the legal entity itself, as is often the case with multi-layered ownership structures.

Institutions should consider these elements when deciding where to store their legal entity customers’ beneficial owner data:

• Data security: Beneficial ownership data includes “personally identifiable information” (PII)—date of birth and tax ID number—as well as a residence address. This information is treated with the highest level of security. Carefully assess the need for broad employee access to this information, and consider redacting PII data based on job function.
• Search and retrieval: The data must be readily searchable based on name, legal entity relationship, and category (i.e. ownership prong or control prong). This ensures a timely response to any law enforcement request and facilitates internal analysis as well.
• Data quality: Design appropriate controls to ensure accurate and complete data entry and prevent duplicate records. Decide how to address situations where the same individual is identified under both the ownership prong and the control prong (a highly likely scenario for closely held corporations, LLCs, and partnerships).
• Data interfaces with other compliance systems: Accurate and complete beneficial ownership data provides institutions with significantly enhanced anti-money laundering (AML) monitoring capabilities, as it reveals the previously hidden relationships between individuals and the legal entities they control, as well as between apparently unrelated legal entities based on common beneficial ownership. The AML system can then detect and give alerts on high-risk transaction patterns between entities and individuals linked solely through beneficial ownership.

A data interface to the institution’s OFAC (Office of Foreign Assets Control) automated screening system or other sanctioned screening system ensures beneficial owners (in particular, those under the ownership prong) are not sanctioned parties named on the Specially Designated Nationals and Blocked Parties list currently or in the future.

Summary and Recommendations

To comply with the CDD Rule, ensure the following is done within your organization:

• Determine the most effective way (paper, electronic form, secure online form) to collect beneficial ownership information from new legal entity clients. Using the FinCEN template is neither mandated nor recommended. Require additional information beyond the basics to leverage the opportunity for additional due diligence as well as help confirm accuracy.
• Discover the most effective way to electronically store beneficial ownership data, so that it remains highly secure and accurate, and easily retrievable.
• Feed beneficial ownership data to the AML system for significantly enhanced transaction monitoring, and to the automated sanctions screening systems for additional compliance risk mitigation.

Part 3 – Identity Verification for Beneficial Owners

A CIP Add-On

The CDD Rule requires financial institutions to apply the same customer identification principles to beneficial owners as the USA PATRIOT Act does not do for customers (also known as the Customer Identification Program, or “CIP” rules).

Financial institutions must, at a minimum, apply the same CIP processes for beneficial owners as for direct individual account owners.

In a simple legal entity structure where one or more individuals are the direct owners of the business, applying CIP processes is relatively straightforward. These individuals are often directly involved in the day-to-day operation of the enterprise and are readily accessible for obtaining identity verification documents.

However, a significant proportion of legal entities in the U.S., in particular, limited liability corporations (“LLCs”) have highly complex structures. For various reasons, both legitimate and not, the individuals who are the true beneficial owners are often shielded behind multiple layers of intermediate LLCs acting purely as holding companies, with no other business purpose. Identifying these individuals is one of the primary objectives of the CDD Rule.

These individuals may often have no direct involvement in day-to-day business activities and may be significantly distanced from the enterprise both financially and geographically. Obtaining their identifying documents presents a much more significant challenge to the financial institution.

Identity Verification Methods for Individuals under the CIP Rule

• Documentary method: Obtaining and reviewing the individual’s unexpired,  government-issued photo identification, evidencing nationality or residence.
• Non-documentary methods: Directly contacting the individual; independently comparing information provided by the individual with other sources; checking references with other financial institutions; and/or obtaining a financial statement, tax return, or other supporting documentation from the individual.

Special CIP Rules for Beneficial Owners

FinCEN acknowledges the unique challenges in obtaining identification documentation from beneficial owners who are often far removed from the business’s routine activities.

In what was to be the first of several Guidance documents covering Frequently Asked Questions regarding the CDD Rule [FIN-2018-G001, April 3, 2018], FinCEN clarifies that a financial institution may accept photocopies of driver’s licenses (or other identity documents) from legal entity customers to verify their beneficial owners’ identities if these individuals are not present at account opening.

This practice is specifically not permitted under the CIP rules for direct account holders.

Online Account Opening Considerations

For financial institutions that offer online account opening to legal entity customers, the option to accept photocopies of beneficial owners’ identification documents is especially helpful. The customer representative may simply provide copies of beneficial owners’ identity documents electronically, either through the account-opening portal or by email.

Special considerations arise with respect to the confidentiality of documents provided through electronic channels. The online account-opening portal should provide a high level of security over this confidential data. Transmission through email should take place over a secure/encrypted channel.

Eliminating Duplication of Effort

It is common for a financial institution to open multiple accounts for a particular legal entity customer over time. Businesses often separate their funds into different accounts for fiduciary or accounting purposes, such as payroll or accounts payable disbursements, accounts receivable deposits, short-term investments, and the like.

The CDD Rule states that a financial institution must identify and verify the identity of each beneficial owner of a legal entity customer at the time each new account is opened. Fortunately, FinCEN supplementary guidance has provided some relief when an existing customer, with the same beneficial owners, opens a new account.

If the legal entity’s beneficial owner(s) have already been identified pursuant to the financial institution’s CIP process, it may rely on information in its possession to fulfill the identification and verification requirements for the new account opening. There are two caveats, however: The existing information must be current and accurate, and the legal entity customer’s representative must attest to the accuracy of the pre-existing information, either in writing or verbally.

While this practice does eliminate the often onerous and customer-unfriendly process of obtaining new beneficial owner identity documents with every new account the existing business customer opens, complete and detailed records must be maintained to ensure compliance with the CDD Rule is well-documented.

The financial institution’s beneficial ownership record for the new account should clearly cross-reference the existing CIP record for each individual. Obtaining written attestation (rather than verbal) from the customer’s representative as to the accuracy of the existing beneficial owners’ identity documents tends to promote better overall information quality and clearly documents the financial institution’s compliance process.

CIP for the Legal Entity Itself

When opening an account for a legal entity, the account owner/customer is the legal entity itself, not those who own or control it.

The CIP rules are highly focused on identity verification processes for natural persons/individuals and not legal entities. Accordingly, financial institutions have had to establish their own unique risk-based requirements for identifying the legitimate existence of a legal entity customer.

Documentary methods of identity verification can be relatively straightforward for the most common legal entity types, including LLCs, corporations, and limited partnerships. Corporate formation documents, such as Articles of Incorporation (for corporations), Articles of Organization and Operating Agreements (for LLCs), and Partnership Agreements (for various types of partnerships), should be obtained and confirmed to be accurate and current. The entity’s standing with its Secretary of State is generally easy to confirm online or through a corporate data aggregation service. Additional documents that help support the entity’s existence as bona fide include Bylaws, minutes of meetings of Directors/Members/Shareholders, and shareholder registers.

Challenges may arise with certain types of businesses. For example, a number of U.S. states do not require a general partnership to register with the Secretary of State, or even to execute a written Partnership Agreement. A sole proprietorship, while not considered a legal entity separate from the individual (or spouses) who operates it, nevertheless should be validated as a legitimate business enterprise when opening an account. In these cases, documentation supporting business operations should be obtained, such as a Schedule C (or Schedule F for a farming business) from the individual’s most recent federal income tax return.

“Reasonable Belief” of True Identities

The CDD Rule, as well as the CIP rules, require the financial institution to establish a “reasonable belief” that it knows the true identities of both the legal entity customer and its beneficial owners. “Reasonable belief” is a subjective term for which each financial institution must establish its own risk-based definition.

The CIP rules (and by default, the CDD Rule) require a financial institution to establish procedures for responding to situations when such “reasonable belief” cannot be established. These must include what constitutes a lack of reasonable belief; the terms under which a customer may use an account while identity verification is pending; when an account should not be opened (or closed, if temporarily opened) if identity verification fails; and when filing a Suspicious Activity Report (SAR) regarding customer or beneficial owner identity is justified.

What Constitutes Unsatisfactory Identification?

For individuals:

• Refusal to provide identifying information for beneficial owners, often citing “privacy laws”
• Expired identity documentation, or documentation that does not include a photograph
• Unusual identity documents provided in lieu of a driver’s license require additional scrutiny:
  a U.S. passport; a military identification card; a foreign-issued passport or visa

For businesses:

• Lack of a formal corporate formation document beyond the simple form supplied to the Secretary of State
• Unsigned formation documents
• For an LLC or limited partnership, a formation document that does not include accurate and up-to-date ownership information that reconciles with direct and beneficial ownership information supplied
  by the customer’s representative at the account opening

Summary and Recommendations

To comply with the CDD Rule, ensure the following is done within your organization:

• Beneficial owners’ identities must be verified using methods outlined in existing CIP rules; however, photocopies of documents may be obtained in lieu of examining originals.
• Pre-existing identity documentation on file may be referenced instead of obtaining new information each time a current business customer opens a new account; however, the documentation must be current and accurate, and the customer’s representative must attest to this.
• The financial institution must be able to establish a “reasonable belief” that they know the identity of each beneficial owner; clear procedures should be established to define when an account should not be opened, and potentially a Suspicious Activity Report filed, should identity verification fail.

Part 4 – Opportunities for Enhanced Transaction Monitoring and Customer Risk Assessment from Beneficial Ownership Data

Beneficial Ownership – The Missing Link

For decades, anonymous company ownership has been abused for illegal financial gain, whether it be money laundering, tax evasion, terrorist financing, or other criminal activities. The United States, in particular, has long been considered one of the largest money laundering havens in the world, due to its anonymous corporate formation laws, legal use of nominee (proxy) directors/shareholders, and corporate service agents that provide a brick-and-mortar address and answering service for companies that exist only on paper.

In a statement on the “Introduction of the Incorporation Transparency and Law Enforcement Assistance Act” former U.S. Senator Carl Levin (D-Mich) stated, “Right now, in the United States, it takes more information to get a driver’s license or to open a U.S. bank account than to form a U.S. corporation.”

The United States’ response to prolonged criticism of its anonymous corporate formation laws by the Financial Actions Task Force, a global anti-money laundering regulatory standard-setting group, has been the CDD Rule. While certainly not perfect— anonymous corporate formation remains alive and well—the collection of self-reported beneficial ownership data by financial institutions has opened up opportunities for enhanced identification, and reporting to law enforcement, of risky company ownership and transactions that were once almost undetectable.

Identify Interconnected Business Account Holders

Without beneficial ownership data, financial institutions could not identify seemingly unrelated business account holders that are, in fact, ultimately controlled by the same individuals. Nefarious actors may create multiple shell companies—or quasi-legitimate businesses—where the true beneficial owners are hidden behind layers of LLCs or Limited Partnerships, then open bank accounts for these entities at the same financial institution, but at different branches or even in different states. Funds are easily moved between accounts in what on the surface appear to be arms-length transactions between unrelated businesses, when in fact a “layering” process is occurring.

With an appropriately managed database of beneficial ownership data, new and existing business accounts with shared partial or full beneficial ownership may now be actively connected. In essence, this could take the form of “householding,” a technique used in the financial services industry that provides for the grouping of accounts by client data rather than an account number or tax ID. This gives the financial institution the opportunity to assess the risks associated with these once-unrelated, but now connected, accounts and customers—in particular, across branches and regions.

Enhanced Transaction Monitoring Capabilities

With beneficial ownership and associated corporate connection data in place, a financial institution’s transaction monitoring system can be finely tuned to flag potential money laundering or other questionable activity for further investigation.

For example, if the financial institution now knows that its customer Park Place LLC, located in New York City, and its customer Boardwalk Partners LP, in Los Angeles, are connected through joint beneficial ownership by two individuals, it can monitor for unusual or suspicious patterns of wire transfers, withdrawals, and deposits activity between these two entities.

The financial institution may also monitor for external payments made to or from Park Place LLC or Boardwalk LP to the identified beneficial owners themselves, or to unusual recipients such as trusts or other unidentified legal entities.

Should patterns of unusual or suspicious external payments to or from unidentified domestic legal entities become apparent, financial institutions may request information about those external account holders—and their beneficial owners—from the sending/receiving financial institution under the 314(b) Information Sharing provision of the USA PATRIOT Act.

Caveats

Because the CDD Rule is built on self-reporting by the legal entity customer of its beneficial owners (or absence thereof), the potential for inaccurate data, whether unintentional or deliberate, remains significant.

In addition, the legal use of nominee shareholders poses a further hindrance to both law enforcement and financial institutions in identifying true beneficial owners. When analyzing beneficial ownership data, financial institutions should watch for repeated use of the same shareholder names, as it is common for the same individual to allow his/her name to be used hundreds of times as a nominee.

Corporate formation agents similarly use their own physical addresses for shell corporations, so mining for legal entity customer address data with identical physical locations in Wyoming, Delaware, and Nevada in particular may uncover similar concerns.

Summary and Recommendations

Beneficial ownership data offers new opportunities to enhance customer risk assessment and transaction monitoring, allowing the financial institution to identify connections between legal entities once hidden.

A financial institution’s transaction monitoring system, with beneficial ownership and associated intercompany relationship information in its database, may be tuned to detect patterns of unusual or suspicious transactions between seemingly unrelated entities and individuals.

Further mining of legal entity customer ownership and address data may detect the potential use of nominees used as beneficial owners, or corporate formation agents locations providing a physical address.

Part 5 – Documentation: The Key to Regulatory Compliance

Most of the United States anti-money laundering laws and regulations are written in a broad context, with the intent that each financial institution will assess its own specific risk-based compliance process.

The CDD Rule is no exception, and in fact, is perhaps even more lacking in specificity than many of its predecessors. As a result, FinCEN has already given clarification on a significant number of points not adequately described in the original Rule. This makes compliance even more complex, as the rules to be complied with are spread across the original Final Rule and multiple Guidance documents.

The key to successful compliance, both from an internal processing perspective as well as regulators’ audit reviews, is complete and clear documentation.

What, When, Who, and Why

Good documentation, from a regulatory compliance perspective, provides a clear answer to these key
questions:

• What processes or steps are occurring?
• When do these processes or steps take place?
• Who is responsible for performing these steps?
• Why did the financial institution choose to implement these steps?

The “why” is arguably the most important of all these questions. It clarifies to regulators, internal auditors, and management (and for posterity) exactly what the financial institution’s rationale was in implementing a particular process.

This rationale should incorporate the specific regulatory citing (or subsequent FinCEN guidance) upon which the decision was based, along with the factors involved in the decision-making process. Another benefit of documenting “why” is that it removes the risk of referencing anecdotal information when those who made the decision are no longer available.

Examples of documentation practices to comply with Beneficial Ownership requirements:

• What: The bank will use its own Beneficial Ownership Certification Form, which will allow each customer to select its legal entity type and, if applicable, self-exempt from Beneficial Ownership Reporting.
• When: The Certification Form will be provided in hard copy to every business customer that opens a new account during the account application process.
• Who: The Relationship Manager or New Accounts Officer (as assigned by client size or by branch) is responsible for delivering the Certification Form to the customer, obtaining the completed and signed form from the customer, and delivering it to Compliance via intercompany mail for review.
• Why: The CDD Rule states that financial institutions do not have to use the sample form provided by FinCEN in the Final Rule, and that they may develop their own form. The Relationship Manager/New Accounts Officer is the customer-facing representative of the bank with the client, and is therefore in the best position to provide the form to the client, obtain the completed/signed version, and deliver it to Compliance.

Decision Document to Desk Procedure

Documentation of regulatory compliance should be reflected across multiple formats, depending on how the information will be used and what level of granularity is required.

At the highest level, a “Decision Document” may be used to describe the high-level process, regulatory interpretation, and rationale such as the When/What/Who/Why method described above. Decision Documents can provide one additional and important benefit: buy-in from all stakeholders impacted by the process. Circulating a draft of each Decision Document prior to finalization and subsequent procedure development ensures all affected departments are on board with the new process (and that their concurrence is documented as well). Decision Documents are typically created and maintained by the financial institution’s compliance group.

From the Decision Document, detailed desk procedures can then be designed to implement the process in accordance with the decisions made. Desk procedures should cross-reference their applicable Decision Documents, and vice versa, providing a complete audit trail from decision to procedure and back again.

While this type of documentation may initially seem burdensome, it becomes invaluable to ensuring procedures are based on decisions made thoughtfully and with full stakeholder buy-in, and to provide regulators with the financial institution’s basis for compliance decisions.

Summary and Recommendations

• Use Decision Documents to record the When/What/Who/Why for important regulatory compliance interpretations and decisions.
• Obtain and record key stakeholders’ consensus on decisions impacting their respective areas.
• Cross-reference Decision Documents with desk procedures to provide a full audit trail.

Conclusion

As organizations like FINRA begin to assess the effectiveness of the implementation of the CDD Rule, some financial institutions may have to revisit their risk assessments, policies, and procedures to ensure proper compliance. For those looking at the beneficial ownership aspect of the Rule, consider these tips:

1. Identify the commercial customer’s legal entity type first. Institutions with a client base that includes government or quasi-government agencies and non-US entities should closely examine the CDD Rule’s exclusions with respect to these. Evaluate the risks versus rewards of the institution’s determination of legal entity type versus customer self-identification.
2. Understand the math in determining beneficial ownership with complex ownership structures. Beneficial owners are the individuals with the ultimate controlling interests.
3. Require the customer to supply the names and ownership percentages for all beneficial owners. With complex structures, request an organization chart to document and validate the customer’s calculations. Always obtain current company formation documents to support the legal entity customer’s identification, as well as legal entity type and direct owners.
4. Consider added scrutiny when ultimate beneficial owners fall just under the 25% threshold. Consider using a lower threshold on a risk basis.
5. Determine the most effective way (paper, electronic form, secure online form) to collect beneficial ownership information from new legal entity clients.
6. Using the FinCEN template is neither mandated nor recommended. Require additional information beyond the basics to leverage the opportunity for additional due diligence as well as to help confirm accuracy.
7. Beneficial owners’ identities must be verified using methods outlined in existing CIP rules; however, photocopies of documents may be obtained in lieu of examining originals.
8. Pre-existing identity documentation on file may be referenced instead of obtaining new information each time a current business customer opens a new account; however, the documentation must be current and accurate, and the customer’s representative must attest to this.
9. The financial institution must be able to establish a “reasonable belief” that they know the identity of each beneficial owner; clear procedures should be established to define when an account should not be opened, and potentially a Suspicious Activity Report (SAR) filed, should identity verification fail.
10. Use Decision Documents to record the When/ What/Who/Why for important regulatory compliance interpretations and decisions.
11. Obtain and record key stakeholders’ consensus on decisions impacting their respective areas.
12. Cross-reference Decision Documents with desk procedures to provide a full audit trail.

For further information, view our answers to frequently asked questions about beneficial ownership and FinCEN’s requirements.

Alessa provides all the anti-money laundering (AML) capabilities that banks, money services businesses (MSBs), FinTechs, casinos and other regulated industries need – all within one platform. To learn more about Alessa can help your organization maintain compliance with the regulations such as the beneficial ownership rule, contact us today.