The New AML Regulations and Their Impact on Banks—Increased Compliance for Lending Transactions with Legal Entities
On May 11, 2016, FinCEN published in the Federal Register its long-awaited anti-money laundering (“AML”) rules (the “Final Rules”) governing corporate entities doing business with banks and other financial institutions that are subject to the requirements of the Patriot Act.1
While the Final Rules are relatively straightforward conceptually, the compliance burden will be substantial for bank lenders and other covered institutions. First, a bank must identify persons owning or controlling 25% or more of a “legal entity,” discussed below, whenever the legal entity opens a new account at the bank.2 Second, a bank must also identify an individual who has substantial management authority at the legal entity, such as a CEO, CFO, managing partner, etc.
Third, the Final Rules codify within the FinCEN regulations five “pillars” that must be included in a bank’s AML compliance program.3 Among other things, a newly added pillar includes the necessity to monitor and update the beneficial ownership of a legal entity—which will mean that corporate borrowers will be subjected, on a regular basis, to due diligence requests from their bank lenders for certifications.
This Dorsey Client Alert focuses on the impact that the Final Rules may have on domestic and foreign banks engaged in lending transactions. Among other things, it identifies compliance risks and lending challenges that banks will face as the Final Rules are implemented.
The Beneficial Ownership Rules
The Final Rules apply to several categories of financial institutions, including banks, foreign banks doing business in the United States, savings associations and credit unions, and address a loophole that advocates of a strong AML program have repeatedly criticized—namely, that a bank was under no obligation to identify the beneficial ownership of a legal entity to which the bank provides a wide range of banking services (with the result that money laundering and similar crimes could not be identified by electing to engage in business through a legal entity).
As noted above, the Final Rules will impose on banks the obligations to identify and verify the beneficial ownership of legal entities whenever a new account is opened. Several important defined terms contained in the Final Rules are as follows:
Legal Entity. The concept of a legal entity is a simple one, and includes virtually every type of corporate business that can be chartered or formed, including: (a) corporations; (b) partnerships; (c) limited partnerships; (d) limited liability corporations; (e) limited liability partnerships; (f) other corporate forms requiring the filing with a State Secretary of State or similar officer; and (g) any corporate entity chartered in a foreign country and doing business in the U.S.4
Account. For banks, an account encompasses just about any lending, deposit or other bank service requiring a contractual relationship with a customer, and includes: (a) a deposit account; (b) a transaction or asset account; (c) a credit account; (d) any other extension of credit; (e) a safety deposit box or other safekeeping service; (f) cash management services; (g) custodial services; and (h) trust and fiduciary services. Stated another way, the Final Rules attempt to include within coverage any formal contractual relationship between a bank and a legal entity, which indicates that a bank should assume that any bank service being offered to a legal entity constitutes an account.
Beneficial Ownership. There are two distinct prongs to the beneficial ownership requirements for legal entities: (a) the identification of any individual owning 25% or more of the legal entity (the “ownership prong”); and (b) the identification of a management official exercising control over the legal entity (the “control prong”).5
While difficulties in identifying individuals with a 25% or more ownership interest under the ownership prong are discussed in greater detail below, it is important to note that this approach is similar in kind to the ownership rules in the federal Bank Holding Company Act, which allows for up to 4 individuals to “control” a bank holding company (i.e., by each person owning 25% of the holding company).6
In regard to a management official that must be identified under the control prong, the Final Rules identify a list of relatively typical management officials who may be deemed to be exercising “significant responsibility to control, manage or direct” the legal entity, including: (a) a CEO; (b) a CFO; (c) a COO; (d) a chairman; (e) a managing partner; and (f) any other official holding management authority. (Thankfully, the Final Rules permit a bank to only identify one person exercising management authority, although several individuals in a typical corporate structure would hold or share that authority.)
The Final Rules require that a bank create an AML compliance program that incorporates ongoing customer due diligence (“CDD”) elements in regard to legal entity customers:
- Obtaining beneficial ownership and control information when an account is being opened
- Analyzing—and understanding—the account relationship to develop a customer risk profile
- Conducting ongoing monitoring to identify and report suspicious transactions (via the filing of Suspicious Activity Reports (“SARs”))
- On a risk basis—to update customer information7
In regard to the opening of an account, a bank must identify and verify both prongs of the beneficial ownership requirement. To simplify the process, the Final Rules contain a form that might be used by a bank (provided that there is no indication that additional CDD is needed to confirm the beneficial ownership requirement).8
Following the completion of the identification and verification components, a bank must build a risk-based profile of the legal entity in order to commence monitoring activity for the account relationship. What this means is that if account activity is not within the parameters established for the assigned risk profile, a bank would be required to “red-flag” the account, and determine whether the filing of a SAR is warranted.
Finally—and perhaps most importantly—a bank will be required to periodically review the account relationship to determine whether the beneficial ownership for a legal entity should be recertified—which would likely involve directly requiring management of a legal entity to either confirm that a change in beneficial ownership has not occurred, or else that a change has occurred, which would then require that the bank update its CDD for that legal entity.
Recordkeeping and Effective Date for the Final Rules
The Final Rules require that beneficial ownership CDD compliance records must be retained by a bank for five years from the date that the record is created. Among other things, because of the obligation of continuing to monitor beneficial ownership of a legal entity, the file records for a bank regarding a legal entity could become voluminous. (Further, a bank may elect not to purge records that fall beyond the record retention period for accounts that remain open.)
More troublesome, however, is the fact that while the applicability date for the beneficial ownership requirements for legal entities is technically May 11, 2018, FinCEN has made it clear that it believes that the CDD obligations for legal entities are de facto already in effect because they are so closely linked to a bank’s existing monitoring AML obligations. Moreover, FinCEN has indicated that the federal banking regulators are authorized to impose more stringent requirements on regulated banks—which means that banks might wish to consider implementing the requirements of the Final Rules sooner than later.
Exceptions and Exemptions
The Final Rules contain several carve-outs from the general rule that lending banks must identify and verify the beneficial ownership of a customer.
First, there is a general exemption for other financial institutions—all of which are regulated and hence do not present the same degree of concern regarding beneficial ownership. This category includes: (a) a financial institution regulated by a state or federal functional regulator; (b) a foreign financial institution from a jurisdiction where the regulator maintains beneficial ownership information regarding that institution; (c) a bank holding company; (d) a publicly traded and SEC-registered company; (e) a registered investment company; (f) a registered investment advisor; (g) an exchange or clearing agency; and (h) other similar exemptions (16 in total).
In regard to the foreign bank exception, it may be necessary for a bank located in the U.S. to obtain some confirmation that the foreign bank regulator has established ownership and control rules that satisfy the requirements of the Final Rules. (This condition precedent also creates an incentive for foreign banks to cause their home country regulator to adopt beneficial ownership regulations that comply with this requirement.)
In regard to registered investment companies and registered investment advisors, these exceptions were somewhat controversial because they exempt investment companies and investment advisors from conducting CDD regarding their clients, which can include hedge funds, trusts and other investment entities. (The Administration has indicated that it wishes to narrow or eliminate this exemption by legislation.) Further, the federal bank regulators may instruct bank lenders to require additional CDD regarding the clients of investment companies and investment advisors as a condition to those entities maintaining accounts at banks that are subject to the Final Rules.
Another important exception in the Final Rules is that the required CDD may be performed by a third party bank or an affiliate of a third party bank whose customer is opening an account at a bank lender, provided that:(a) the reliance is reasonable; (b) the other financial institution is subject to FinCEN’s AML regulations and is regulated by a federal functional regulator; and (c) the other financial institution contractually undertakes to certify annually that it has implemented an AML program and its own AML compliance is adequate. (The degree of inquiry by a bank in order to “reasonably rely” on another institution is unclear; this legal hurdle is discussed below.9)
Penalties for Non-Compliance
While the penalties for the failure to maintain an effective AML compliance program are already substantial, a further element is now present in regard to the obligation of a bank’s legal entity customer to certify to the bank beneficial ownership under the two prongs (i.e., ownership and management control). Specifically, any such certifications arguably become subject to Section 1014 of Title 18 of the United States Code, which states:
18 USC 1014—
Whoever knowingly makes any false statement or report…to any institution the accounts of which are insured by the Federal Deposit Insurance Corporation, a branch or agency of a foreign bank…or a mortgage lending business,…upon any application, advance, discount, purchase, purchase agreement, repurchase agreement, commitment, loan, or insurance agreement or application for insurance or a guarantee, or any change or extension of any of the same, by renewal, deferment of action or otherwise,….shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.
Because of the initial requirement that a legal entity verify beneficial ownership—when coupled with the ongoing obligation to recertify upon the request of a bank— individuals providing the certifications may be extremely uncomfortable providing such verifications without engaging in their own due diligence, which may complicate the on-going CDD process on the part of the lending bank.
Lending Challenges Presented to Banks
Domestic and foreign banks lending to legal entities will have to carefully review their underwriting and loan documentation to accommodate the beneficial ownership requirements of the Final Rules.
Several operational and legal challenges are as follows:
Lending documentation. Borrowers are very frequently reluctant (or refuse) to cooperate with a bank lender in a manner that is outside of the scope of their specific contractual undertakings. This may place a bank in the position of arguing that a legal entity now has an affirmative obligation to provide beneficial ownership information when requested by the lending bank.
We suggest that a bank consider amending its application and loan documentation as soon as is practicable to incorporate appropriate covenants addressing the obligation of a legal entity to fully cooperate with a bank’s CDD pursuant to the Final Rules. In that regard, bank lending obligations should state that the initial loan application and underwriting process now includes cooperation in regard to identifying and verifying beneficial ownership of a legal entity. In regard to ongoing CDD by a lending bank, similar covenants should be drafted that places an affirmative obligation on a legal entity to respond to a request by a bank to update or recertify beneficial ownership information.
Lending Due Diligence. One of the difficult challenges to be faced by a bank when conducting CDD with a legal entity will be to establish standards that will comply with the CDD inquiry obligations. Similarly, a lending bank may also need to consider whether the degree of beneficial ownership required to be disclosed should be more rigorous than the minimal levels set by the Final Rules.
In regard to initial CDD for a legal entity, a lending bank should consider whether the verification procedures authorized by the Final Rules will be adequate in the particular lending circumstances. Even though it appears that a beneficial owner’s ownership status can be confirmed by a management official of a legal entity, it is possible that prudent underwriting (and as potentially criticized by after-the-fact reviews by bank regulators) will require more than the execution of a one-page form document.
Associated with this issue is the possibility that merely requiring beneficial ownership for individuals holding 25% or more of a legal entity may prove inadequate—and the bank regulators may elect to impose more stringent standards. For example, generally applicable bank control laws and regulations impose presumptions of control above a 10% threshold. It is not beyond possibility that similar restrictions could be required by the bank regulators as the Final Rules are implemented.
Education and Training of Legal Entities. Clearly the beneficial ownership obligations will come as a shock to many bank borrowers—who traditionally have used legal entities to shield investors from scrutiny and disclosure. In that regard, banks may consider the necessity to commence educating the borrower community regarding these new disclosure obligations—including the borrower’s legal counsel— who may play an important role when counseling a newly formed legal entity that transparency in ownership should now be expected.
Unanswered Questions and Challenges
The adoption of the Final Rules brings AML, OFAC and similar laws into greater symmetry, which is a declared goal by FinCEN and federal and law enforcement officials. While the codification of heretofore requirements for an effective AML compliance program creates greater clarity for banks (i.e., identifying by regulation the components of a compliance program), the Final Rules also create many additional ambiguities that will eventually have to be considered by banks and other financial institutions.
Several issues that have already been identified are as follows:
First, as noted above, it is very possible that the minimum beneficial ownership standards for CDD contained in the Final Rules will be adjusted to a higher, more robust level by the banking regulators. Care must be exercised by lending banks to anticipate any such determination so that the contractual obligations of a legal entity conform to current legal requirements for CDD (as adjusted from time to time).
Second, even though the Final Rules are applicable to accounts opened on and after May 11, 2018, it is also very possible that the banking regulators will require that the beneficial ownership CDD be implemented by lending banks earlier than that date. Particularly in light of the detailed changes that must be made to a bank’s underwriting and documentation policies and procedures, prudence may dictate implementing the new CDD requirements sooner than later.
Third, in regard to reliance on another financial institution to certify and identify a bank’s legal entity customer, that third party institution’s attestation is conditioned on the execution of a contract with the third party institution certifying the effectiveness of its own AML program. At the moment, what will be sufficient in regard to a “contract” is completely unclear; further, many financial institutions will be leery about making a certification to another bank in light of the possible criminal liability created by 12 U.S.C. § 1014.
Finally, banks should be aware that the Final Rules create disclosure issues with other legal disciplines that will have to be addressed (and hopefully, homogenized). For example, tax attorneys have identified possible differing requirements when identifying beneficial ownership interests under the Final Rules versus the identification of beneficial ownership for IRS, state and foreign reporting purposes. Similarly, what constitutes beneficial ownership could become a complex analysis based upon control on investments that fall below the 25% threshold—and place legal entities in the unenviable position of determining whether further inquiry as to ownership is required.
In the minimum, these disparate compliance requirements may create regulatory confusion and could create potential liability to both banks and their legal entity customers.