FFIEC BSA/AML Assessing Compliance with BSA Regulatory Requirements (2024)

Beneficial Ownership Requirements for Legal Entity Customers—Overview

Objective. Assess the bank’s written procedures and overall compliance with regulatory requirements for identifying and verifying beneficial owner(s) of legal entity customers.

Under the Beneficial Ownership Rule,¹See 31 CFR 1010.230 a bank must establish and maintain written procedures that are reasonably designed to identify and verify beneficial owner(s) of legal entity customers and to include such procedures in its anti-money laundering compliance program.

Legal entities, whether domestic or foreign, can be used to facilitate money laundering and other crimes because their true ownership can be concealed. The collection of beneficial ownership information by banks about legal entity customers can provide law enforcement with key details about suspected criminals who use legal entity structures to conceal their illicit activity and assets. Requiring legal entity customers seeking access to banks to disclose identifying information, such as the name, date of birth, and Social Security number of natural persons who own or control them will make such entities more transparent, and thus less attractive to criminals and those who assist them.

Similar to other customer information that a bank may gather, beneficial ownership information collected under the rule may be relevant to other regulatory requirements. These other regulatory requirements include, but are not limited to, identifying suspicious activity, and determining Office of Foreign Assets Control (OFAC) sanctioned parties. Banks should define in their policies, procedures, and processes how beneficial ownership information will be used to meet other regulatory requirements.

Legal Entity Customers

For the purposes of the Beneficial Ownership Rule,²See 31 CFR 1010.230(e)(1) a legal entity customer is defined as a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or other similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account. A number of types of business entities are excluded from the definition of legal entity customer under the Beneficial Ownership rule. In addition, and subject to certain limitations, banks are not required to identify and verify the identity of the beneficial owner(s) of a legal entity customer when the customer opens certain types of accounts. For further information on exclusions and exemptions to the Beneficial Ownership Rule, see Appendix 1. These exclusions and exemptions do not alter or supersede other existing requirements related to BSA/AML and OFAC sanctions.

Beneficial Owner(s)

Beneficial ownership is determined under both a control prong and an ownership prong. Under the control prong, the beneficial owner is a single individual with significant responsibility to control, manage or direct a legal entity customer.³See 31 CFR 1010.230(d)(2) This includes, an executive officer or senior manager (Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, President), or any other individual who regularly performs similar functions. One beneficial owner must be identified under the control prong for each legal entity customer.

Under the ownership prong, a beneficial owner is each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of a legal entity customer.⁴See 31 CFR 1010.230(d)(1) If a trust owns directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, 25 percent or more of the equity interests of a legal entity customer, the beneficial owner is the trustee.⁵See 31 CFR 1010.230(d)(3) Identification of a beneficial owner under the ownership prong is not required if no individual owns 25 percent or more of a legal entity customer. Therefore, all legal entity customers will have a total of between one and five beneficial owner(s) – one individual under the control prong and zero to four individuals under the ownership prong.

Banks may rely on the information supplied by the legal entity customer regarding the identity of its beneficial owner or owners, provided that it has no knowledge of facts that would reasonably call into question the reliability of such information.⁶See 31 CFR 1010.230(b)(2) However, bank staff who know, suspect, or have reason to suspect that equity holders are attempting to avoid the reporting threshold may, depending on the circ*mstances, be required to file a SAR.⁷ Department of the Treasury, Financial Crimes Enforcement Network (2016), “Customer Due Diligence Requirements for Financial Institutions,” final rules (RIN 1506-AB25), Federal Register, vol. 81 (May 11), p. 29410. More information on filing of SARs may be found in the “Suspicious Activity Reporting Overview" section on page 60 of the FFIEC BSA/AML Examination Manual.

Identification of Beneficial Ownership Information

A bank must establish and maintain written procedures detailing the identifying information that must be obtained for each beneficial owner of a legal entity customer opening a new account after May 11, 2018. At a minimum, the bank must obtain the following identifying information for each beneficial owner of a legal entity customer:

• Name.
• Date of birth.
• Address.⁸ For an individual: a residential or business street address, or if the individual does not have such an address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, the residential or business street address of next of kin or of another contact individual, or a description of the customer’s physical location. For a person other than an individual (such as a corporation, partnership, or trust): a principal place of business, local office, or other physical location. See 31 CFR 1010.220(a)(2)(i)(3)
• Identification number.⁹ An identification number for a U.S. person is a taxpayer identification number (TIN) (or evidence of an application for one), and an identification number for a non-U.S. person is one or more of the following: a TIN; a passport number and country of issuance; an alien identification card number; or a number and country of issuance of any other unexpired government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard. TIN is defined by section 6109 of the Internal Revenue Code of 1986 (26 USC 6109) and the IRS regulations implementing that section (e.g., Social Security number (SSN) or individual taxpayer identification number (ITIN), or employer identification number (EIN)). See 31 CFR 1010.220(a)(2)(i)(4)

A bank may obtain identifying information for beneficial owner(s) of legal entity customers through a completed certification form¹⁰ See 31 CFR 1010.230, Appendix A, Certification Regarding Beneficial Owners of Legal Entity Customers (2016) from the individual opening the account on behalf of the legal entity customer, or by obtaining from the individual the information required by the form by another means, provided the individual certifies, to the best of the individual's knowledge, the accuracy of the information. A bank may rely on the information supplied by the individual opening the account on behalf of the legal entity customer regarding the identity of its beneficial owner(s), provided that it has no knowledge of facts that would reasonably call into question the reliability of such information. If a legal entity customer opens multiple accounts a bank may rely on the pre-existing beneficial ownership records it maintains, provided that the bank confirms (verbally or in writing) that such information is up-to-date and accurate at the time each account is opened.¹¹ FinCEN, FIN-2018-G001, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions , Question #10, April 2018.

Banks must have procedures to maintain and update customer information, including beneficial ownership information for legal entity customers, on the basis of risk. Additionally, banks are not required to conduct retroactive reviews to obtain beneficial ownership information on legal entity customers that were existing customers as of May 11, 2018. However, the bank may need to obtain (and thereafter update) beneficial ownership information for existing legal entity customers based on its ongoing monitoring. For further guidance on maintaining and updating of customer information including beneficial ownership information, please see the “Ongoing Monitoring of Customer Relationship” section of the “Customer Due Diligence Overview” section of the FFIEC BSA/AML Examination Manual.¹² FFIEC, Core Examination Overview and Procedures, Customer Due Diligence Overview , May 2018.

Verification of Beneficial Owner Information

A bank must establish and maintain written risk-based procedures for verifying the identity of each beneficial owner of a legal entity customer within a reasonable period of time after the account is opened. These procedures must contain the elements required for verifying the identity of customers that are individuals under 31 CFR 1020.220(a)(2), provided, that in the case of documentary verification, the bank may use photocopies or other reproductions of the documents listed in paragraph (a)(2)(ii)(A)(1) of 31 CFR 1020.220. Guidance on documentary and non-documentary verification methods may be found in the core overview section “Customer Identification Program,” of the FFIEC BSA/AML Examination Manual.

A bank need not establish the accuracy of every element of identifying information obtained, but must verify enough information to form a reasonable belief that it knows the true identity of the beneficial owner(s) of the legal entity customer. The bank’s procedures for verifying the identity of the beneficial owners must describe when it uses documents, non-documentary methods, or a combination of methods.

Lack of Identification and Verification of Beneficial Ownership Information

Also consistent with 31 CFR 1020.220, the bank should establish policies, procedures, and processes for circ*mstances in which the bank cannot form a reasonable belief that it knows the true identity of the beneficial owner(s) of a legal entity customer. These policies, procedures, and processes should describe:

• Circ*mstances in which the bank should not open an account.
• The terms under which a customer may use an account while the bank attempts to verify the identity of the beneficial owner(s) of a legal entity customer.
• When the bank should close an account, after attempts to verify the identity of the beneficial owner(s) of a legal entity customer have failed.
• When the bank should file a SAR in accordance with applicable law and regulation.

Recordkeeping and Retention Requirements

A bank must establish recordkeeping procedures for beneficial ownership identification and verification information. At a minimum, the bank must maintain any identifying information obtained, including without limitation the certification (if obtained), for a period of five years after the date the account is closed.

The bank must also keep a description of any document relied on (noting the type, any identification number, place of issuance and, if any, date of issuance and expiration), of any non-documentary methods and the results of any measures undertaken, and of the resolution of each substantive discrepancy for five years after the record is made.

Reliance on Another Financial Institution

A bank is permitted to rely on the performance by another financial institution (including an affiliate) of the requirements of the Beneficial Ownership Rule with respect to any legal entity customer of the covered financial institution that is opening, or has opened, an account or has established a similar business relationship with the other financial institution to engage in services, dealings, or other financial transactions, provided that:

• Reliance is reasonable, under the circ*mstances.
• The relied-upon financial institution is subject to a rule implementing 31 USC 5318(h) and is regulated by a federal functional regulator.¹³ Federal functional regulator means: Federal Reserve, FDIC, NCUA, OCC, U.S. Securities and Exchange Commission (SEC), or U.S. Commodity Futures Trading Commission (CFTC).
• The other financial institution enters into a contract requiring it to certify annually to the bank that it has implemented its AML program, and that it will perform (or its agent will perform) the specified requirements of the bank’s procedures to comply with the requirements of the Beneficial Ownership Rule.