Alert May 19, 2016

FinCEN Issues Final Customer Due Diligence Rule


FinCEN’s new customer due diligence rule requires covered financial institutions to, among other things, collect information on the significant beneficial owners of customers that are legal entities. Financial institutions have two years – until May 11, 2018 – to comply.

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has expanded the due diligence obligations of certain financial institutions that are subject to a customer identification program requirement under existing FinCEN rules. On May 11, FinCEN published its customer due diligence rule (the Final Rule), which, among other things, requires covered financial institutions to maintain written procedures that are reasonably designed to identify and verify the identity of the beneficial owners of their legal entity customers. The term “beneficial owner” means individuals who meet certain ownership or control tests, as defined in the Final Rule.

The Final Rule follows a Notice of Proposed Rulemaking issued by FinCEN on July 30, 2014 (the Proposed Rule) and reflects many of the comments FinCEN received in response to the Proposed Rule. In December 2014, we published a client alert analyzing the Proposed Rule. This Client Alert analyzes the Final Rule and identifies significant changes between the Proposed Rule and the Final Rule.

Financial Institutions Subject to the Final Rule

The Final Rule specifically applies to covered financial institutions, which include insured banks, commercial banks, U.S. branches and agencies of foreign banks, federally insured credit unions, savings associations, Edge corporations, federally regulated trust companies that are subject to an anti-money laundering program requirement, broker-dealers, futures commission merchants, introducing brokers in commodities and mutual funds. State chartered trust companies that do not accept federally insured deposits and are not subject to regulation by a federal regulator do not appear to fall within the definition of covered financial institution and would not be subject to the Final Rule even though such trust companies are required to maintain a customer identification program (CIP).

New Customer Account Diligence

As in the Proposed Rule, the Final Rule requires covered financial institutions to identify the beneficial owners of all legal entity customers at the time each new account is opened. The Final Rule permits a covered financial institution to rely on information provided by a legal entity customer regarding the identity of its beneficial owners, provided the covered financial institution does not have any knowledge of facts that would reasonably call into question the reliability of such information. A covered financial institution could gather this information from a legal entity customer by obtaining a certification form provided as an appendix to the Final Rule from the individual opening the account, or it could collect the information required by the certification form through other means (for example, electronically) if the individual opening the account certifies the accuracy of the information to the best of his or her knowledge. The Proposed Rule mandated use of the certification form, so the Final Rule adopted by FinCEN provides additional flexibility to covered financial institutions.

The Final Rule also requires each covered financial institution to verify the identity of each beneficial owner identified to the financial institution using risk-based procedures to the extent reasonable and practicable. These procedures must at a minimum contain the elements required under the CIP rule. However, the Final Rule clarifies that a covered financial institution may use photocopies or other reproductions of documentary evidence in connection with carrying out its CIP procedures on beneficial owners.

The Final Rule does not require a covered financial institution to periodically update beneficial ownership information of legal entity customers at specific intervals. However, a covered financial institution would be required to obtain and verify beneficial ownership information for a legal entity customer each time the customer opens a new account. In addition, based upon the risk presented by a particular customer relationship and patterns or transactions identified by the financial institution during the course of monitoring customer activity, a financial institution may decide that it would be appropriate to obtain or update beneficial ownership information concerning an existing customer even if that customer does not open a new account.

Definition of Account

The definition of “account” for purposes of the Final Rule is the same as used for purposes of FinCEN’s CIP rules for financial institutions. As a result, an account does not include an account opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974, as amended (ERISA). However, the beneficial owners of an employer that establishes an account in connection with a non-ERISA plan would need to be identified unless the employer is excluded from the definition of legal entity customer. Furthermore, since accounts acquired by acquisition, merger, purchase of assets or assumption of liabilities are not considered accounts for purposes of the CIP rules, covered financial institutions would not be required to identify beneficial owners of legal entity customers whose accounts are acquired through an acquisition transaction.

The Final Rule also excludes certain accounts established for special purposes from the definition of account, meaning that a covered financial institution would not be required to identify beneficial owners of legal entity customers that establish these types of accounts. These excluded accounts consist of private label retail credit card accounts established at the point of sale, accounts established to facilitate the purchase of postage, commercial accounts to finance insurance premiums and accounts to finance the purchase or lease of equipment. However, transactional accounts that permit a legal entity customer to make payments to or receive payments from third parties or to receive a cash refund on account activity would not qualify for the exclusion.

Identification of Beneficial Owners

The definition of “beneficial owner” remains the same as in the Proposed Rule. There are two prongs to the definition of beneficial ownership:

  1. each individual, if any, who directly or indirectly owns 25 percent or more of the equity interests of a legal entity customer (the ownership prong); and
  2. a single individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager or any other individual who regularly performs similar functions (the control prong).

Each entity can have from zero to four individuals who satisfy the ownership prong, and each entity must have at least one beneficial owner under the control prong. In some cases, a single individual may be identified as the beneficial owner under both the ownership prong and the control prong of the definition. If a trust directly or indirectly owns 25% or more of the equity interests of a legal entity customer, the beneficial owner for purposes of the ownership prong of the definition is the trustee.

Legal Entity Customer

The due diligence requirements of the Final Rule apply only to “legal entity customers.” A legal entity customer is defined as “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account.” Since the definition of legal entity customer refers to entities formed by the filing of a document with a governmental official, it does not generally include trusts other than statutory trusts and similar trusts created by such a filing.

For policy and practical reasons, certain entity types are excluded from the definition of legal entity customer. The Final Rule adopts all of the exclusions in the Proposed Rule, in addition to the following new categories:

  • A bank holding company.

  • A savings and loan holding company.

  • A pooled investment vehicle that is operated or advised by a financial institution excluded under the Final Rule.

  • An insurance company that is regulated by a state.

  • A designated financial market utility.

  • A foreign financial institution established in a jurisdiction where the regulator of such institution maintains beneficial ownership information regarding such institutions.

  • A non-U.S. governmental department, agency or political subdivision that engages only in governmental rather than commercial activities.

  • Any legal entity only to the extent that it opens a private banking account for non-U.S. persons that are subject to FinCEN’s private banking account rule (31 C.F.R. § 1010.620).

In addition, for the following types of legal entity customers, a covered financial institution would only be required to collect beneficial ownership information and verify the identity of an individual under the control prong (e.g., an individual with significant responsibility to control, manage or direct the operator, adviser, or general partner of the vehicle):

  • A pooled investment vehicle that is operated by a financial institution not excluded from the definition of legal entity customer, such as non-U.S. managed mutual funds, hedge funds and private equity funds.

  • Charities and nonprofit entities.

FinCEN has also clarified that, to the extent existing guidance permits a financial institution to treat an intermediary (and not the intermediary’s customers) as its customer for purposes of the CIP rule, then the financial institution should treat the intermediary as its customer for purposes of complying with the Final Rule.

AML Diligence for Existing Customer Accounts

The Final Rule requires covered financial institutions to implement risk-based procedures for conducting ongoing customer due diligence. A financial institution’s procedures must, at a minimum, allow it to:

  1. understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
  2. conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintain and update customer information (including beneficial ownership information).

FinCEN stated that these AML program requirements clarify existing requirements under the Bank Secrecy Act, and do not create additional obligations.

In particular, FinCEN reinforced its expectation that financial institutions should obtain information sufficient to permit the financial institution to develop an understanding of the customer’s normal and expected activity in order to form a baseline for purposes of identifying unusual or suspicious activity that may warrant additional inquiry or that forms the basis for a suspicious activity report. FinCEN also reiterated several times in the adopting release that accompanied the Final Rule that a financial institution is not expected to update beneficial ownership information for legal entity customers on any fixed or predetermined schedule but that financial institutions must conduct ongoing monitoring of customer activity and, as a result, may identify customer activity that warrants updating information about the customer, including beneficial ownership information, in order to effectively identify suspicious activity and transactions.


The Final Rule permits a covered financial institution to rely on the performance by another financial institution of the requirements of the Final Rule with respect to any legal entity customer of the covered financial institution that is opening or has opened an account or has established a similar business relationship with another financial institution to provide or engage in services, dealings or other transactions, provided that (i) such reliance is reasonable under the circumstances, (ii) the other financial institution is subject to an anti-money laundering program rule under the Bank Secrecy Act and is regulated by a federal functional regulator, and (iii) the other financial institution enters into a contract with the covered financial institution requiring it to certify annually that it has implemented its anti-money laundering program and that it will perform the specified requirements of the covered financial institution’s procedures.

Financial institutions are permitted to rely on other financial institutions under similar circumstances for purposes of fulfilling their obligations under FinCEN’s CIP rules, and the U.S. Securities and Exchange Commission (the “SEC”) has issued a series of no-action letters permitting broker-dealers to rely fully in certain circumstances on investment advisers registered with the SEC to perform some or all of their CIP obligations. The Final Rule and the adopting release that accompanied the Final Rule do not address whether broker-dealers may rely on SEC-registered investment advisers for purposes of complying with the Final Rule or whether such reliance would be appropriate if FinCEN adopts its proposed AML program requirement for investment advisers.

Recordkeeping Requirements

The Final Rule also requires covered financial institutions to document and retain records relating to the beneficial owner identification and verification process. Identifying information regarding the legal entity customer must be retained for five years after the date the account is closed. Information relating to the beneficial ownership verification process must be documented and retained for five years.


The new requirements present a significant regulatory burden for covered financial institutions. Accordingly, compliance with the Final Rule is not mandatory until May 11, 2018, which affords covered financial institutions two years to implement adequate compliance policies and procedures.