FinCEN Updates Due Diligence Rules
On May 11, 2016, the Financial Crimes Enforcement Network (“FinCEN”) issued new final rules under the Bank Secrecy Act requiring financial institutions, including brokerage firms, to adopt additional anti-money laundering (AML) procedures that include specific due diligence and ongoing monitoring requirements related to customer risk profiles and customer information. In addition, the new rules require financial institutions to collect and verify information about beneficial owners and control persons of legal entity customers.
The Securities Exchange Act of 1934 (“Exchange Act”) specifically requires brokerage firms to comply with the Bank Secrecy Act. FinCEN provides minimum rules. Brokerage firms are also required to comply with AML rules established by FINRA, including FINRA Rule 3310. The purpose of the AML rules is to help detect and report suspicious activity, including the predicate offenses to money laundering and terrorist financing, such as securities fraud and market manipulation. FINRA also provides a template to assist small firms in establishing and complying with AML procedures. As of the date of this blog, FINRA has not updated Rule 3310 or its form template.
The new rules will make the difficult process of opening brokerage accounts even more difficult, especially for foreign individuals and entities and U.S. individuals and entities operating through offshore entities. The new rules could impact the ongoing process of depositing and trading in penny stocks, even for existing brokerage firm clients. FinCEN initially issued advance notice of proposed rulemaking in March 2012 and issued proposed rules in August 2014. A push to issue final rules gained momentum following the release of the Panama Papers. The new rules become effective for new customer accounts opened on or after May 11, 2018; however, as discussed below, where appropriate they may have retroactive application.
FinCEN requires that financial institutions address the following four key elements in all of their AML programs: (i) customer identification and verification; (ii) beneficial ownership identification and verification; (iii) understanding the nature and purpose of customer relationships to develop risk profiles; and (iv) ongoing monitoring for reporting suspicious transactions and maintaining and updating customer information.
Obligation to identify and verify beneficial ownership
The USA Patriot Act grants authority to FinCEN to establish rules for financial institutions to identify and verify customer information and establish AML procedures in general. All financial institutions are required to have minimum AML procedures, and the application of these procedures has been the subject of many enforcement proceedings. The initial customer identification program rule (CIP Rule) was enacted in 2003 and required financial institutions to identify any individual or entity that opened an account but did not require identification of beneficial ownership.
A “legal entity” is defined as a corporation, limited liability company, partnership or other entity that is created by the filing of a public document with a U.S. state or foreign governmental body. Under the new rules, the financial institution will need to identify (i) beneficial owners that own 25% or more of the equity of the legal entity; and (ii) any control persons over the legal entity, including officers, directors and senior management. Certain entities are excluded from the definition of an “entity” for purposes of the CIP rules, including financial institutions, banks, bank holding companies, certain pooled investment funds, state regulated insurance companies and foreign financial institutions.
Subject to certain exclusions, the new rule requires financial institutions to identify and verify the beneficial owners of their legal entity customers. The rulemaking process included numerous comments on this requirement. As a concession, the final rule generally does not contain a requirement that the financial institution verify that a listed beneficial owner in fact holds the disclosed ownership interest or exerts actual control over the entity.
As with most such rules, the financial institution can establish written processes and procedures tailored to that institution and its operations. Such processes and procedures must include a consideration of both the ownership test and control test of beneficial ownership. A financial institution must collect information on all individuals who either directly or indirectly own 25% or more of the equity of an entity. Where a financial institution has questions or determines there are risk factors, it may collect identifying information on owners with a lower percentage as well. In addition, the financial institution must collect information on all individuals who have the ability to control, manage or direct the entity, including officers, directors and key management.
The terms “direct and indirect” and “control” remain undefined and are to be broadly construed based on facts and circumstances to encompass all forms of potential ownership and control. Likewise, when making risk and knowledge assessments, the financial institution must consider all facts and circumstances and is held to a “reasonableness” standard.
Financial institutions must verify the collected information. The original CIP Rule established verification requirements based on risk. The same risk-based verification processes remain in place, with some modifications. In essence, the financial institution must gather due diligence, including corporate records, ownership records and the like, and continue such process until it is satisfied it has enough information on the beneficial owners of that particular entity, considering the risk imposed by that entity.
There are two significant modifications from the CIP Rule. In particular, a financial institution may rely on photocopies of documents rather than originals, and the institution may rely on disclosures of ownership from the entity itself except where it has knowledge of facts that would call into question the reliability or veracity of such information.
The risk assessment in the CIP Rule includes a consideration of all relevant facts and circumstances, including, but not limited to: (i) type of account; (ii) method of opening account; (iii) size of account and trading activity; (iv) type of identifying customer information; (v) relationship with the customer, including other accounts with the same beneficial owners, length of relationship, personal knowledge, and account activity; (vi) whether the customer has a physical address or physical business location; (vii) whether the customer has a U.S. tax identification number; and (viii) historical activity, including suspicious activity.
Although the rule sets a firm requirement that financial institutions complete written procedures and apply them to all accounts opened on or after May 11, 2018, FinCEN is clear that a financial institution has a broad requirement to monitor and know its customers. Where risks are identified, additional procedures as outlined in the new rules should be applied to accounts, effective immediately. In addition, financial institutions should have ongoing monitoring procedures and may, where appropriate, go back and ask for information on existing accounts, as well as require updated information for accounts on a continuing basis. For instance, if an account has suspicious activity or contradictory ownership or control information is brought to the financial institution’s attention, there would be an obligation to conduct further due diligence and update and verify ownership and control information.
Basic AML Procedure Requirements
The USA Patriot Act sets out the basic requirements for effective AML policies and procedures. In particular, an effective AML program requires: (i) written policies and procedures; (ii) a designated compliance officer; (iii) an ongoing training program; (iv) an independent audit; and (v) customer due diligence. The new rules are focused on the fifth element: customer due diligence.
An effective customer due diligence process must have procedures for effectively understanding a customer relationship and establishing a customer risk profile, and for ongoing monitoring and compliance procedures, including those related to detecting and reporting suspicious activities and updated customer beneficial ownership and control information.
The Bank Secrecy Act imposes an obligation on broker-dealers to file a SAR with FinCEN to report any transaction (or a pattern of transactions) involving $5,000 or more, in which it “knows, suspects, or has reason to suspect” that it “(1) involves funds derived from illegal activity or is conducted to disguise funds derived from illegal activities; (2) is designed to evade any requirements of the Bank Secrecy Act; (3) has no business or apparent lawful purpose and the broker-dealer knows of no reasonable explanation for the transaction after examining the available facts; or (4) involves use of the broker-dealer to facilitate criminal activity.”
SEC guidance points out red flags that should cause a broker to conduct further investigation as to whether a SAR needs to be filed, including:
- Atypical trading patterns in the issuers’ securities, including trading involving sudden spikes in price and volume;
- Certain patterns of trading activity being common to several customers, including, but not limited to, the sales of large quantities of the shares of multiple issuers by the customers;
- Notifications received from the broker-dealers’ clearing firms that the clearing firms had identified potentially suspicious activity in the securities of certain issuers or certain of the broker-dealers’ customer accounts. Such notifications have taken the form of alerts, expressions of concern, or actions taken by the clearing firms to restrict trading in certain issuers’ securities and/or certain customer accounts;
- The involvement of certain types of accounts, including those that provide anonymity to the beneficial owners in the liquidation of the shares of the micro-cap issuers (see examples below);
- Requests received from FINRA for information relating to certain issuers and the broker-dealers’ customer accounts;
- Certain types of issuer information, such as nominal assets and low operating revenue, and frequent changes to the type of activity in which the business was engaged, the name of the corporate entity, directors, and/or management; and
- Sales through the broker-dealer by individuals known throughout the industry to be stock
The SEC gave examples of the types of accounts that should raise a red flag and therefore prompt further inquiry. Those accounts include, but are not limited to:
- Accounts of purported stock loan companies, which may hold the restricted securities of corporate insiders who have pledged the securities as collateral for, and then defaulted on, purported loans, after which the securities are sold on an unregistered basis;
- Accounts held in the name of a corporate entity (or LLC), either for the company’s own use or as a third-party custodian on behalf of other beneficial shareholders or customers, which disguise the unregistered sales of securities owned by corporate insiders of the company and allow for those insiders to withdraw proceeds individually;
- Accounts held in the names of foreign financial institutions, such as offshore banks and/or broker-dealers that sold shares of the stock on an unregistered basis on behalf of customers, who may have been stock promoters; and
- Accounts using a master/sub-structure, which allows for trading anonymity with respect to the sub-accounts’
FINRA Rule 3310
Brokerage firms are also required to comply with AML rules established by FINRA, including FINRA Rule 3310. The purpose of the AML rules is to help detect and report suspicious activity, including the predicate offenses to money laundering and terrorist financing, such as securities fraud and market manipulation. FINRA also provides a template to assist small firms in establishing and complying with AML procedures. As of the date of this blog, FINRA has not updated Rule 3310 or its form template.
FINRA Rule 3310 sets out minimum standards to be included in a firm’s written AML compliance program. At a minimum, a firm’s AML compliance program must meet the following requirements:
- The policy must be approved in writing by a senior manager;
- The policy must be reasonably designed to ensure that the firm detects and reports suspicious activity;
- The policy must be reasonably designed to achieve compliance with the AML Rules, including, among others, having a risk-based customer identification program (CIP Rule) that enables the firm to form a reasonable belief that it knows the true identity of its customers;
- The policy must be independently tested to ensure proper implementation;
- Each FINRA member firm must submit contact information for its AML Compliance Officer to FINRA;
- Ongoing training must be provided to appropriate personnel.
FINRA also provides numerous forms to be used in conjunction with an AML compliance program, including: (i) suspicious activity report (SAR); (ii) currency transaction report (CTR); (iii) report of foreign bank and financial accounts (FBAR); (iv) report of international transportation of currency or monetary instruments; (v) blocked properties reporting form; (vi) voluntary form for reporting blocked transactions; and (vii) voluntary form for reporting rejected transactions.
© Legal & Compliance, LLC 2016