Objective. Assess the bank’s written procedures and overall compliance with regulatory requirements for identifying and verifying beneficial owner(s) of legal entity customers.
Under the Beneficial Ownership Rule,1 a bank must establish and maintain written procedures that are reasonably designed to identify and verify beneficial owner(s) of legal entity customers and to include such procedures in its anti-money laundering compliance program.
Legal entities, whether domestic or foreign, can be used to facilitate money laundering and other crimes because their true ownership can be concealed. The collection of beneficial ownership information by banks about legal entity customers can provide law enforcement with key details about suspected criminals who use legal entity structures to conceal their illicit activity and assets. Requiring legal entity customers seeking access to banks to disclose identifying information, such as the name, date of birth, and Social Security number of natural persons who own or control them will make such entities more transparent, and thus less attractive to criminals and those who assist them.
Similar to other customer information that a bank may gather, beneficial ownership information collected under the rule may be relevant to other regulatory requirements. These other regulatory requirements include, but are not limited to, identifying suspicious activity, and determining Office of Foreign Assets Control (OFAC) sanctioned parties. Banks should define in their policies, procedures, and processes how beneficial ownership information will be used to meet other regulatory requirements.
Legal Entity Customers
For the purposes of the Beneficial Ownership Rule,2 a legal entity customer is defined as a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or other similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account. A number of types of business entities are excluded from the definition of legal entity customer under the Beneficial Ownership rule. In addition, and subject to certain limitations, banks are not required to identify and verify the identity of the beneficial owner(s) of a legal entity customer when the customer opens certain types of accounts. For further information on exclusions and exemptions to the Beneficial Ownership Rule, see Appendix 1. These exclusions and exemptions do not alter or supersede other existing requirements related to BSA/AML and OFAC sanctions.
Beneficial ownership is determined under both a control prong and an ownership prong. Under the control prong, the beneficial owner is a single individual with significant responsibility to control, manage or direct a legal entity customer.3 This includes, an executive officer or senior manager (Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, President), or any other individual who regularly performs similar functions. One beneficial owner must be identified under the control prong for each legal entity customer.
Under the ownership prong, a beneficial owner is each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of a legal entity customer.4 If a trust owns directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, 25 percent or more of the equity interests of a legal entity customer, the beneficial owner is the trustee.5 Identification of a beneficial owner under the ownership prong is not required if no individual owns 25 percent or more of a legal entity customer. Therefore, all legal entity customers will have a total of between one and five beneficial owner(s) – one individual under the control prong and zero to four individuals under the ownership prong.
Banks may rely on the information supplied by the legal entity customer regarding the identity of its beneficial owner or owners, provided that it has no knowledge of facts that would reasonably call into question the reliability of such information.6 However, bank staff who know, suspect, or have reason to suspect that equity holders are attempting to avoid the reporting threshold may, depending on the circumstances, be required to file a SAR.7 More information on filing of SARs may be found in the “Suspicious Activity Reporting Overview” section on page 60 of the FFIEC BSA/AML Examination Manual.
Identification of Beneficial Ownership Information
A bank must establish and maintain written procedures detailing the identifying information that must be obtained for each beneficial owner of a legal entity customer opening a new account after May 11, 2018. At a minimum, the bank must obtain the following identifying information for each beneficial owner of a legal entity customer:
A bank may obtain identifying information for beneficial owner(s) of legal entity customers through a completed certification form10 from the individual opening the account on behalf of the legal entity customer, or by obtaining from the individual the information required by the form by another means, provided the individual certifies, to the best of the individual's knowledge, the accuracy of the information. A bank may rely on the information supplied by the individual opening the account on behalf of the legal entity customer regarding the identity of its beneficial owner(s), provided that it has no knowledge of facts that would reasonably call into question the reliability of such information. If a legal entity customer opens multiple accounts a bank may rely on the pre-existing beneficial ownership records it maintains, provided that the bank confirms (verbally or in writing) that such information is up-to-date and accurate at the time each account is opened.11
Banks must have procedures to maintain and update customer information, including beneficial ownership information for legal entity customers, on the basis of risk. Additionally, banks are not required to conduct retroactive reviews to obtain beneficial ownership information on legal entity customers that were existing customers as of May 11, 2018. However, the bank may need to obtain (and thereafter update) beneficial ownership information for existing legal entity customers based on its ongoing monitoring. For further guidance on maintaining and updating of customer information including beneficial ownership information, please see the “Ongoing Monitoring of Customer Relationship” section of the “Customer Due Diligence Overview” section of the FFIEC BSA/AML Examination Manual.12
Verification of Beneficial Owner Information
A bank must establish and maintain written risk-based procedures for verifying the identity of each beneficial owner of a legal entity customer within a reasonable period of time after the account is opened. These procedures must contain the elements required for verifying the identity of customers that are individuals under 31 CFR 1020.220(a)(2), provided, that in the case of documentary verification, the bank may use photocopies or other reproductions of the documents listed in paragraph (a)(2)(ii)(A)(1) of 31 CFR 1020.220. Guidance on documentary and non-documentary verification methods may be found in the core overview section “Customer Identification Program,” of the FFIEC BSA/AML Examination Manual.
A bank need not establish the accuracy of every element of identifying information obtained, but must verify enough information to form a reasonable belief that it knows the true identity of the beneficial owner(s) of the legal entity customer. The bank’s procedures for verifying the identity of the beneficial owners must describe when it uses documents, non-documentary methods, or a combination of methods.
Lack of Identification and Verification of Beneficial Ownership Information
Also consistent with 31 CFR 1020.220, the bank should establish policies, procedures, and processes for circumstances in which the bank cannot form a reasonable belief that it knows the true identity of the beneficial owner(s) of a legal entity customer. These policies, procedures, and processes should describe:
- Circumstances in which the bank should not open an account.
- The terms under which a customer may use an account while the bank attempts to verify the identity of the beneficial owner(s) of a legal entity customer.
- When the bank should close an account, after attempts to verify the identity of the beneficial owner(s) of a legal entity customer have failed.
- When the bank should file a SAR in accordance with applicable law and regulation.
Recordkeeping and Retention Requirements
A bank must establish recordkeeping procedures for beneficial ownership identification and verification information. At a minimum, the bank must maintain any identifying information obtained, including without limitation the certification (if obtained), for a period of five years after the date the account is closed.
The bank must also keep a description of any document relied on (noting the type, any identification number, place of issuance and, if any, date of issuance and expiration), of any non-documentary methods and the results of any measures undertaken, and of the resolution of each substantive discrepancy for five years after the record is made.
Reliance on Another Financial Institution
A bank is permitted to rely on the performance by another financial institution (including an affiliate) of the requirements of the Beneficial Ownership Rule with respect to any legal entity customer of the covered financial institution that is opening, or has opened, an account or has established a similar business relationship with the other financial institution to engage in services, dealings, or other financial transactions, provided that:
- Reliance is reasonable, under the circumstances.
- The relied-upon financial institution is subject to a rule implementing 31 USC 5318(h) and is regulated by a federal functional regulator.13
- The other financial institution enters into a contract requiring it to certify annually to the bank that it has implemented its AML program, and that it will perform (or its agent will perform) the specified requirements of the bank’s procedures to comply with the requirements of the Beneficial Ownership Rule.
Objective: Assess the bank’s written procedures and overall compliance with regulatory requirements for identifying and verifying beneficial owner(s) of legal entity customers.
- Determine whether the bank has adequate written procedures for gathering and verifying information required to be obtained, and retained (including name, address, taxpayer identification number (TIN), and date of birth) for beneficial owner(s) of legal entity customers who open an account after May 11, 2018.
- Determine whether the bank has adequate risk-based procedures for updating customer information, including beneficial owner information, and maintaining current customer information.
- On the basis of a risk assessment, prior examination reports, and a review of the bank’s audit findings, select a sample of new accounts opened for legal entity customers since May 11, 2018 to review for compliance with the Beneficial Ownership Rule. The sample should include a cross-section of account types. From this sample, determine whether the bank has performed the following procedures:
- Opened the account in accordance with the requirements of the Beneficial Ownership Rule (31 CFR 1010.230).
- Obtained the identifying information for each beneficial owner of a legal entity customer as required (e.g. name, date of birth, address, and identification number).
- Within a reasonable time after account opening, verified enough of the beneficial owner’s identity information to form a reasonable belief as to the beneficial owner’s true identity.
- Appropriately resolved situations in which beneficial owner’s identity could not be reasonably established.
- Maintained a record of the identity information required by the Beneficial Ownership Rule, the method used to verify identity, and verification results (31 CFR 1010.230(i)).
- Filed SARs as appropriate.
- On the basis of the examination procedures completed, including transaction testing, form a conclusion about the adequacy of procedures for complying with the Beneficial Ownership Rule
Appendix 1 – Beneficial Ownership
Exclusions from the definition of Legal Entity Customer
Under 31 CFR 1010.230(e)(2) a legal entity customer does not include:
- A financial institution regulated by a federal functional regulator14 or a bank regulated by a state bank regulator;
- A person described in 31 CFR 1020.315(b)(2) through(5):
- A department or agency of the United States, of any state, or of any political subdivision of any State;
- Any entity established under the laws of the United States, of any state, or of any political subdivision of any state, or under an interstate compact between two or more states, that exercises governmental authority on behalf of the United States or any such state or political subdivision;
- Any entity (other than a bank) whose common stock or analogous equity interests are listed on the New York Stock Exchange or the American Stock Exchange (currently known as the NYSE American) or have been designated as a NASDAQ National Market Security listed on the NASDAQ stock exchange (with some exceptions);
- Any subsidiary (other than a bank) of any “listed entity” that is organized under the laws of the United States or of any state and at least 51 percent of whose common stock or analogous equity interest is owned by the listed entity, provided that a person that is a financial institution, other than a bank, is an exempt person only to the extent of its domestic operations;
- An issuer of a class of securities registered under section 12 of the Securities Exchange Act of 1934 or that is required to file reports under section 15(d) of that Act;
- An investment company, investment adviser, an exchange or clearing agency, or any other entity that is registered with the SEC;
- A registered entity, commodity pool operator, commodity trading advisor, retail foreign exchange dealer, swap dealer, or major swap participant that is registered with the CFTC;
- A public accounting firm registered under section 102 of the Sarbanes-Oxley Act;
- A bank holding company or savings and loan holding company;
- A pooled investment vehicle that is operated or advised by a financial institution that is excluded under paragraph (e)(2);
- An insurance company that is regulated by a state;
- A financial market utility designated by the Financial Stability Oversight Council;
- A foreign financial institution established in a jurisdiction where the regulator of such institution maintains beneficial ownership information regarding such institution;
- A non-U.S. governmental department, agency, or political subdivision that engages only in governmental rather than commercial activities;
- Any legal entity only to the extent that it opens a private banking account subject to 31 CFR 1010.620.
Trusts are not included in the definition of legal entity customer, other than statutory trusts created by a filing with a Secretary of State or similar office.15
Exemptions from the Ownership Prong
Certain legal entity customers are subject only to the control prong of the beneficial ownership requirement, including:
- A pooled investment vehicle operated or advised by a financial institution not excluded under paragraph 31 CFR 1010.230(e)(2); and
- Any legal entity that is established as a nonprofit corporation or similar entity and has filed its organizational documents with the appropriate state authority as necessary.
Exemptions and Limitations on Exemptions
Subject to certain limitations, banks are not required to identify and verify the identity of the beneficial owner(s) of a legal entity customer when the customer opens any of the following categories of accounts:
- Accounts established at the point-of-sale to provide credit products, including commercial private label credit cards, solely for the purchase of retail goods and/or services at these retailers, up to a limit of$50,000;
- Accounts established to finance the purchase of postage and for which payments are remitted directly by the financial institution to the provider of the postage products;
- Accounts established to finance insurance premiums and for which payments are remitted directly by the financial institution to the insurance provider or broker;
- Accounts established to finance the purchase or leasing of equipment and for which payments are remitted directly by the financial institution to the vendor or lessor of this equipment.
These exemptions will not apply:
- If the accounts are transaction accounts through which a legal entity customer can make payments to, or receive payments from, third parties.
- If there is the possibility of a cash refund on the account activity opened to finance the purchase of postage, to finance insurance premiums, or to finance the purchase or leasing of equipment, then beneficial ownership of the legal entity customer must be identified and verified by the bank as required either at the initial remittance, or at the time such refund occurs.
1 See 31 CFR 1010.230
2 See 31 CFR 1010.230(e)(1)
3 See 31 CFR 1010.230(d)(2)
4 See 31 CFR 1010.230(d)(1)
5 See 31 CFR 1010.230(d)(3)
6 See 31 CFR 1010.230(b)(2)
7 Department of the Treasury, Financial Crimes Enforcement Network (2016), “Customer Due Diligence Requirements for Financial Institutions,” final rules (RIN 1506-AB25), Federal Register, vol. 81 (May 11), p. 29410.
8 For an individual: a residential or business street address, or if the individual does not have such an address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, the residential or business street address of next of kin or of another contact individual, or a description of the customer’s physical location. For a person other than an individual (such as a corporation, partnership, or trust): a principal place of business, local office, or other physical location. See 31 CFR 1010.220(a)(2)(i)(3)
9 An identification number for a U.S. person is a taxpayer identification number (TIN) (or evidence of an application for one), and an identification number for a non-U.S. person is one or more of the following: a TIN; a passport number and country of issuance; an alien identification card number; or a number and country of issuance of any other unexpired government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard. TIN is defined by section 6109 of the Internal Revenue Code of 1986 (26 USC 6109) and the IRS regulations implementing that section (e.g., Social Security number (SSN) or individual taxpayer identification number (ITIN), or employer identification number (EIN)). See 31 CFR 1010.220(a)(2)(i)(4)
10 See 31 CFR 1010.230, Appendix A, Certification Regarding Beneficial Owners of Legal Entity Customers (2016)
11 FinCEN, FIN-2018-G001, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, Question #10, April 2018.
12 FFIEC, Core Examination Overview and Procedures, Customer Due Diligence Overview, May 2018.
13 Federal functional regulator means: Federal Reserve, FDIC, NCUA, OCC, U.S. Securities and Exchange Commission (SEC), or U.S. Commodity Futures Trading Commission (CFTC).
14 Federal functional regulator means: Federal Reserve, FDIC, NCUA, OCC, U.S. Securities and Exchange Commission (SEC), or U.S. Commodity Futures Trading Commission (CFTC).
15 FinCEN, FIN-2016-G003, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, Question #22, July 19, 2016.