The US government has issued final rules requiring financial institutions to capture the beneficial owners behind companies, a long-awaited finalization that also formalizes other compliance best practices and more tightly binds together fraud, corruption and tax evasion under the auspices of anti-money laundering programs.
The finalization last week of the rule by the US Treasury’s Financial Crimes Enforcement Network (FinCEN) comes on the heels of an April data leak of more than 11 million records from a Panamanian law firm, dubbed the “Panama Papers,” revealing that anonymous shell companies have helped dozens of individuals tied to fraud schemes, money laundering operations and on US sanctions lists get access to the international financial system.
The heavily-debated rule, first seen in an advanced notice of proposed rulemaking in early 2012, has evolved considerably over the years. The original proposal prompted a flurry of comment letters to FinCEN from institutions and financial services trade groups, which argued that requiring institutions to independently research and verify the beneficial ownership details on customers would prove overly complex and burdensome. The final rules instead allow institutions to rely mostly on details being divulged in a self-certification form, with institutions then required to verify the identities of the living, breathing individuals listed.
The final rule also amends existing anti-money laundering (AML) regulations to clarify and strengthen compliance by making “explicit several components of customer due diligence that have long been expected under existing regulations.” These include customer risk assessments and transaction monitoring, which are currently in the US interagency exam manual but were not requirements under federal regulations. It also lists nearly a dozen exemptions to beneficial owner requirements, from other banks to investment vehicles. To read an ACFCS run down of the exemptions, please click here.
Overall, the final rule was “about what we expected,” said Rob Rowe, vice president and associate chief counsel for the American Bankers Association, the industry’s main lobbying group, adding that there were some aspects that were a disappointment, including the addition of a “fifth pillar” to the classically four-pronged AML program in the form of monitoring customer transactions.
“We had gone back and forth” with Treasury, he said. “We said you don’t need to do this. The idea when you have a program is that it’s supposed to be risk-based so each institution tailors it to its own risks. But this is taking away some of the flexibility.”
The primary purpose of the new customer due diligence (CDD) rule is “to assist financial investigations by law enforcement, with the goal being to impair criminals’ ability to exploit the anonymity provided by the use of legal entities to engage in financial crimes including fraud and money laundering, and also terrorist financing, corruption, and sanctions evasion,” FinCEN stated in a more than 200-page submission in the Federal Register.
Requiring financial institutions to “perform effective CDD so that they understand who their customers are and what type of transactions they conduct is a critical aspect of combating all forms of illicit financial activity, from terrorist financing and sanctions evasion to more traditional financial crimes, including money laundering, fraud, and tax evasion,” according to the final rule.
The rule, however, is not without its limitations, chiefly due to forces outside of the control of FinCEN, the ardent architect of the rule and arbiter of the nation’s AML framework.
Even in final form, major vulnerability persists
Since its inception, the beneficial ownership rule has had a gaping vulnerability because whatever information the institution collects on these real people – including individuals with “significant responsibility” and control over a company or owning 25 percent – institutions have few ways to verify the information.
The primary culprit of this conundrum: The United States does not require company formation agents to collect this information, nor does the government collect the information in a centralized database, similar to initiatives already underway in the United Kingdom and Europe.
Without new legislation being enacted, which could take an indeterminate amount of time, the entire initiative for banks has a major gap, Rowe said.
“The question we have always had in this entire process of collecting beneficial ownership information is we can’t verify it,” he said. “The final rule doesn’t have anything on verification. They ask who the beneficial owner is, the person tells you, you verify their identification, and that’s it. Then you say thank you.”
That could change with a bevy of companion legislative proposals that dropped alongside the beneficial ownership rule, including requiring companies to know and report their true owners at company creation and measures to close a loophole that allowed certain foreign-owned, single-member LLCs to evade IRS registration requirements, among other initiatives. To see an ACFCS breakout of the proposals, please click here.
Some critics, however, aren’t swayed, and believe that because the rule allows companies to choose a manager, or someone who exercises “managerial control” over the company, to be the beneficial owner, it could lead to scenarios where figurehead individuals obscure the real power players pulling the strings.
“Many U.S. banks have done the hard work involved with developing systems that verify the true owners of shell companies seeking to open accounts,” said Elise Bean, the former staff director and chief counsel of the U.S. Senate Permanent Subcommittee on Investigations, in a statement.
The new rule “makes all that hard work irrelevant, by allowing U.S. financial institutions to name a company manager as the company’s beneficial owner, even when that manager has no true ownership role,” she said. “It is a mistake that needs to be fixed.”
The loopholes in the final Treasury rule could still “allow banks to open accounts for companies without having any idea of the identity of the people who ultimately own or control that company,” said Heather Lowe, legal counsel and director of government affairs at Global Financial Integrity, in a statement.
“Without this critical information, banks can’t determine whether the people behind the company are on a sanctions list, a drug kingpin list, or are public officials who may be stealing from their countries treasury or trying to stash their bribe money in U.S. banks,” she said.
But while some civil society groups may critique the self-certification form that can be used for beneficial ownership information, there is more at play that could give the initiative sharper teeth than appears.
If someone lies on the self-certification form, that could be considered lying on a bank record, which is a felony, opening the door for federal prosecutors to go after the individual or potentially the company for perjury, Rowe said.
Breaking down the new CDD “beneficial ownership” rule
The new rule adds a new requirement that financial institutions – including banks, brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities – collect and verify the personal information of the “real people who own, control, and profit from companies when those companies open accounts.”
Specifically, the rule contains these core requirements:
- Identifying and verifying the identity of the beneficial owners of companies opening accounts down to the 25 percent ownership level and an “individual who controls the legal entity.”
- Further, the legal entity customer must “provide identifying information for one person with significant managerial control.” That means a single individual with “significant responsibility to control, manage, or direct a legal entity customer,” including: An executive officer or senior manager, such as a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer or any other individual who regularly performs similar functions.
- Understanding the nature and purpose of customer relationships to develop customer risk profiles.
- Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
Further, after analyzing an avalanche of comment letters, the final rule extends the “proposed implementation period from one year to two years, expands the list of exemptions, and makes use of a standardized beneficial ownership form optional as long as a financial institution collects the required information,” according to FinCEN.
New CDD rules more tightly knit together, fraud, tax under AML
From the financial institution perspective, one positive is that the initial time frame for implementation was extended from one year to two years. For some institutions, this is a necessity because the new rules will require significant hardware and software upgrades, initiatives that could easily have 12-18 month outlay and implementation periods, Rowe said.
The new rule extends further than simply improving corporate transparency, according to FinCEN, and bolsters financial crime investigations across the board, from identifying the illicit assets of drug kingpins and weapons proliferators to terrorists and tax evaders.
Getting the names of underlying owners and controllers of a company would allow banks to run these names through negative news and sanctions screening systems to see if they have any ties to blacklisted groups or jurisdictions. If an entity is owned more than 50 percent by a designated individual or entity, it is subject to restrictions issued by the US Treasury’s Office of Foreign Assets Control (OFAC).
In tandem, beneficial ownership details on individuals can be screened to see if they were ever associated with or accused of fraudulent behavior, from simple credit card scams to more complex and esoteric investment frauds to Ponzi schemes, according to a former Treasury official.
“The stuff that really surprised me in the new CDD rule is how FinCEN tied together OFAC, tax evasion and fraud explicitly into the role of AML,” said the person, who asked not to be named. “That makes sense, but I think the problem is that a lot of banks are still treating them separately.”
It’s also significant that FinCEN ensured certain bedrock compliance tenets, in particular customer risk assessments and transaction monitoring, were ensconced in the rule, said the person.
“FinCEN reiterated that the purpose of that move was to create a level playing field, so there aren’t different standards for smaller banks than there are for bigger banks,” said the person, though that will likely present challenges for smaller banks that don’t have the budget or resources to upgrade from manual to automated monitoring.
Going further, the rule would also facilitate the “reporting and investigations in support of tax compliance, and advancing commitments made to foreign counterparts in connection with the provisions” commonly known as the Foreign Account Tax Compliance Act (FATCA).
FATCA requires foreign financial institutions to identify U.S. account holders, including legal entities with substantial U.S. ownership, and to report certain information about those accounts to the IRS.
The United States has negotiated with foreign governments to enter into intergovernmental agreements that facilitate the effective implementation of these requirements.
“A general requirement for U.S. financial institutions to obtain beneficial ownership information for AML purposes advances this commitment, and puts the United States in a better position to work with foreign governments to combat offshore tax evasion and other financial crimes,” according to FinCEN.
While not perfect, rule was needed, says FinCEN
FinCEN also backed up its reasons to uncover secretive beneficial owners, as opacity is a magnet for criminal enterprises.
The rule highlighted several examples that Treasury has tracked as a part of its National Money Laundering Risk Assessment and Terrorist Financing Risk Assessment, including:
- In 2013, prosecutors in New York indicted 34 alleged members of Russian American organized crime groups, charging that they participated in a range of racketeering activities. One of the constituent racketeering enterprises was alleged to have moved millions of dollars in unlawful gambling proceeds through a network of shell companies in Cyprus and the United States.
- In 2011, Federal prosecutors indicted 13 individuals for their alleged unlawful takeover and looting of a publicly-held mortgage company. Some of these defendants allegedly used the assets of the company to acquire shell companies, while other defendants are alleged to have further obscured the ownership of these companies through complex legal structures involving other shell companies.
- In 2006, prosecutors indicted a number of individuals for their roles in supporting a long-running nationwide drug trafficking organization. The proceeds generated by this trafficking organization were laundered through numerous shell and shelf corporations created to provide apparently legitimate fronts for this income.
“The abuse of legal entities to disguise involvement in illicit financial activity is a longstanding vulnerability that facilitates crime, threatens national security, and jeopardizes the integrity of the financial system,” according to the final rule.
Criminals have exploited the anonymity that use of legal entities can provide to “engage in money laundering, corruption, fraud, terrorist financing, and sanctions evasion, among other financial crimes,” FinCEN stated.
Still, one of the biggest challenges apart from physical and virtual implementation hurdles will be what regulators expect banks to do with the ownership information once they get it, Rowe said, adding that if banks can’t properly monitor this new extended body of customers, it could result in institutions dropping the company the owners represent.
“This means banks have to track a whole new additional group,” of people who are not necessarily customers so won’t have an account to link back to a transaction monitoring system to screen for aberrant behavior, he said. “So, if I am a bank, what I am supposed to do? Add the name to a database and screen for negative news? Do I run the name through Google or sanctions filters?”