Regulatory Notice 17-40

FINRA Provides Guidance to Firms Regarding Anti-Money Laundering Program Requirements Under FINRA Rule 3310 Following Adoption of FinCEN's Final Rule to Enhance Customer Due Diligence Requirements for Financial Institutions

Effective Date:

Published Date: November 21, 2017

FinCEN's Customer Due Diligence Requirements for Financial Institutions and FINRA Rule 3310

Regulatory Notice

Notice Type

•   Guidance

Referenced Rules & Notices

•   31 CFR 1023.210, Bank Secrecy Act
•   FINRA Rule 3310

Suggested Routing

•   Compliance
•   Legal
•   Operations
•   Senior Management

Key Topics

•   Anti-Money Laundering
•   Compliance Programs

Summary

FINRA is issuing this Notice to provide guidance regarding member firms' obligations under FINRA Rule 3310 (Anti-Money Laundering Compliance Program) in light of the Financial Crimes Enforcement Network's (FinCEN) adoption of a final rule on Customer Due Diligence Requirements for Financial Institutions (CDD Rule).

FinCEN's CDD Rule became effective July 11, 2016. Member firms must be in compliance with its provisions by May 11, 2018.

Questions concerning this Notice should be directed to:

•   Michael Rufino, Executive Vice President, Head of Member Regulation—Sales Practice, at (212) 858-4487 or by email at [email protected];
•   Victoria Crane, Associate General Counsel, Office of General Counsel, at (202) 728-8104 or by email at [email protected]; or
•   Meredith Cordisco, Associate General Counsel, Office of General Counsel, at (202) 728-8018 or by email at [email protected].

Background & Discussion

The Bank Secrecy Act1 (BSA), among other things, requires financial institutions,2 including broker-dealers, to develop and implement anti-money laundering (AML) programs that, at a minimum, meet the statutorily enumerated "four pillars."3 These four pillars require broker-dealers to have written AML programs that include, at a minimum:

•   the establishment and implementation of policies, procedures and internal controls reasonably designed to achieve compliance with the applicable provisions of the BSA and implementing regulations;
•   independent testing for compliance by broker-dealer personnel or a qualified outside party;
•   designation of an individual or individuals responsible for implementing and monitoring the operations and internal controls of the AML program; and
•   ongoing training for appropriate persons.4

In addition to meeting the BSA's requirements with respect to AML programs, broker-dealers must also comply with FINRA Rule 3310, which incorporates the BSA's four pillars, including requiring broker-dealers' AML programs to establish and implement policies and procedures that can be reasonably expected to detect and cause the reporting of suspicious transactions.

On May 11, 2016, FinCEN, the bureau of the Department of the Treasury responsible for administering the BSA and its implementing regulations, issued the CDD Rule5 to clarify and strengthen customer due diligence for covered financial institutions,6 including broker-dealers. In its CDD Rule, FinCEN identifies four components of customer due diligence: (1) customer identification and verification; (2) beneficial ownership identification and verification; (3) understanding the nature and purpose of customer relationships; and (4) ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information.7 As the first component is already an AML program requirement, the CDD Rule focuses on the other three components.

Specifically, the CDD Rule focuses particularly on the second component by adding a new requirement that covered financial institutions identify and verify the identity of the beneficial owners of all legal entity customers at the time a new account is opened, subject to certain exclusions and exemptions. The CDD Rule also addresses the third and fourth components, which FinCEN states "are already implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements," by amending the existing AML program rules for covered financial institutions to explicitly require these components to be included in AML programs as a new "fifth pillar." As a result of the CDD Rule, member firms should ensure that their AML programs are updated, as necessary, to comply with the CDD Rule by May 11, 2018.

This Notice provides guidance to member firms regarding their obligations under FINRA Rule 3310 in light of the adoption of FinCEN's CDD Rule. In addition, the Notice summarizes the CDD Rule's impact on member firms, including the addition of the new fifth pillar required for member firms' AML programs. Member firms should also consult the CDD Rule as well as FinCEN's related FAQs,8 which FinCEN indicates it will periodically update.

FINRA Rule 3310 and Amendments to Minimum Requirements for Member Firms' AML Programs

Section 352 of the USA PATRIOT Act of 20019 amended the BSA to require broker-dealers to develop and implement AML programs that include the four pillars mentioned above. Consistent with Section 352 of the PATRIOT Act, and incorporating the four pillars, FINRA Rule 3310 requires each member firm to develop and implement a written AML program reasonably designed to achieve and monitor the member firm's compliance with the BSA and implementing regulations. Among other requirements, FINRA Rule 3310 requires that each member firm, at a minimum: (1) establish and implement policies and procedures that can be reasonably expected to detect and cause the reporting of suspicious transactions; (2) establish and implement policies, procedures, and internal controls reasonably designed to achieve compliance with the BSA and implementing regulations; (3) provide for annual (on a calendar-year basis) independent testing for compliance to be conducted by member firm personnel or a qualified outside party;10 (4) designate and identify to FINRA an individual or individuals (i.e., AML compliance person(s)) who will be responsible for implementing and monitoring the day-to-day operations and internal controls of the AML program and provide prompt notification to FINRA of any changes to the designation; and (5) provide ongoing training for appropriate persons.

FinCEN's CDD Rule does not change the requirements of FINRA Rule 3310, and member firms must continue to comply with its requirements.11 However, FinCEN's CDD Rule amends the minimum statutory requirements for member firms' AML programs by requiring such programs to include risk-based procedures for conducting ongoing customer due diligence.12 This ongoing customer due diligence element, or "fifth pillar" required for AML programs, includes: (1) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (2) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.13 As stated in the CDD Rule, these provisions are not new and merely codify existing expectations for firms to adequately identify and report suspicious transactions as required under the BSA and encapsulate practices generally undertaken already by securities firms to know and understand their customers.14 However, to the extent that these elements, which are briefly summarized below, are not already included in member firms' AML programs, the CDD Rule requires member firms to update their AML programs to explicitly incorporate them.

FINRA is considering whether further rulemaking is necessary to more closely align FINRA Rule 3310 with FinCEN's CDD Rule in light of the now-codified fifth pillar requirement for firms' AML programs.

Summary of Fifth Pillar's Requirements

Understanding the Nature and Purpose of Customer Relationships

FinCEN states in the CDD Rule that firms must necessarily have an understanding of the nature and purpose of the customer relationship in order to determine whether a transaction is potentially suspicious and, in turn, to fulfill their suspicious activity reporting obligations.15 To that end, the CDD Rule requires that firms understand the nature and purpose of the customer relationship in order to develop a customer risk profile. The customer risk profile refers to information gathered about a customer to form the baseline against which customer activity is assessed for suspicious transaction reporting.16 Information relevant to understanding the nature and purpose of the customer relationship may be self-evident and, depending on the facts and circumstances, may include such information as the type of customer, account or service offered, and the customer's income, net worth, domicile, or principal occupation or business, as well as, in the case of existing customers, the customer's history of activity.17 The CDD Rule also does not prescribe a particular form of the customer risk profile.18 Instead, the CDD Rule states that depending on the firm and the nature of its business, a customer risk profile may consist of individualized risk scoring, placement of customers into risk categories or another means of assessing customer risk that allows firms to understand the risk posed by the customer and to demonstrate that understanding.19

The CDD Rule also addresses the interplay of understanding the nature and purpose of customer relationships with the ongoing monitoring obligation discussed below. The CDD Rule explains that firms are not necessarily required or expected to integrate customer information or the customer risk profile into existing transaction monitoring systems (for example, to serve as the baseline for identifying and assessing suspicious transactions on a contemporaneous basis).20 Rather, FinCEN expects firms to use the customer information and customer risk profile as appropriate during the course of complying with their obligations under the BSA in order to determine whether a particular flagged transaction is suspicious.21

Conducting Ongoing Monitoring

As with the requirement to understand the nature and purpose of the customer relationship, the requirement to conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information, including information regarding the beneficial ownership of legal entity customers, merely adopts existing supervisory and regulatory expectations as explicit minimum standards of customer due diligence required for firms' AML programs.22 If, in the course of its normal monitoring for suspicious activity, the member firm detects information that is relevant to assessing the customer's risk profile, the member firm must update the customer information, including the information regarding the beneficial owners of legal entity customers, as discussed below.23 However, there is no expectation that the member firm update customer information, including beneficial ownership information, on an ongoing or continuous basis.24

Identifying and Verifying the Identity of Beneficial Owners of Legal Entity Customers

In addition to requiring that member firms incorporate the fifth pillar into their AML programs, the CDD Rule also requires member firms to establish and maintain written procedures as part of their AML programs that are reasonably designed to identify and verify the identities of beneficial owners25 of legal entity customers.26 FinCEN states that this information can provide law enforcement with key details about suspected criminals who conceal illicit activity and assets through legal structures they own or control.27 In addition, FinCEN states the information will help financial institutions to assess and mitigate risk more effectively in connection with existing requirements, such as enhancing suspicious activity report filings.28

Under the CDD Rule, member firms must obtain from the natural person opening the account29 on behalf of the legal entity customer, the identity of the beneficial owners of the entity.30 In addition, that individual must certify, to the best of his or her knowledge, as to the accuracy of the information. FinCEN intends that the legal entity customer identify its ultimate beneficial owner(s) and not "nominees" or "straw men."31 The CDD Rule does not prescribe the form in which member firms must collect the required information, which includes the name, date of birth, address and Social Security number or other government identification number of beneficial owners.32 Rather, member firms may choose to obtain the information by using FinCEN's standard certification form33 adopted as part of this rulemaking or by another means, provided that the chosen method satisfies the identification requirements in the CDD Rule.34 In any case, the CDD Rule requires that member firms maintain records of the beneficial ownership information they obtain.35

Once member firms obtain the required beneficial ownership information, the CDD Rule requires that member firms verify the identity of the beneficial owner(s)—in other words, that they are who they say they are and not their status as beneficial owners—through risk-based procedures that include, at a minimum, the elements required for member firms' CIP procedures for verifying the identity of individual customers.36 Such verification must be completed within a reasonable time after account opening.37 Member firms may rely on the beneficial ownership information supplied by the individual opening the account, provided that they have no knowledge of facts that would reasonably call into question the reliability of that information.38

To the same extent as permitted under the CIP rules, the CDD Rule permits member firms to rely on another financial institution for the performance of the CDD Rule's requirements.39

The CDD Rule's requirements with respect to beneficial owners of legal entity customers apply on a prospective basis, that is, only with respect to legal entity customers that open new accounts from the date of the CDD Rule's implementation. However, a member firm should obtain beneficial ownership information for an existing legal entity customer if, during the course of normal monitoring, it receives information that is needed to assess or reevaluate the risk of the customer.40


1. 31 U.S.C. 5311, et seq.

2. See 31 U.S.C. 5312(a)(2) (defining "financial institution").

3. 31 U.S.C. 5318(h)(1).

4. 31 CFR 1023.210(b).

5. FinCEN Customer Due Diligence Requirements for Financial Institutions; CDD Rule, 81 FR 29397 (May 11, 2016) (CDD Rule Release); 82 FR 45182 (September 28, 2017) (making technical correcting amendments to the final CDD Rule published on May 11, 2016). FinCEN is authorized to impose AML program requirements on financial institutions and to require financial institutions to maintain procedures to ensure compliance with the BSA and associated regulations. 31 U.S.C. 5318(h)(2) and (a)(2). The CDD Rule is the result of the rulemaking process FinCEN initiated in March 2012. See 77 FR 13046 (March 5, 2012) (Advance Notice of Proposed Rulemaking) and 79 FR 45151 (August 4, 2014) (Notice of Proposed Rulemaking).

6. See 31 CFR 1010.230(f) (defining "covered financial institution").

7. See CDD Rule Release at 29398.

8. On July 19, 2016, FinCEN published Frequently Asked Questions on the CDD Rule. See U.S. Department of the Treasury Financial Crimes Enforcement Network Guidance FIN-2016-G003, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions (July 19, 2016) (FinCEN FAQs).

9. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (2001).

10. If a member firm does not execute transactions for customers or otherwise hold customer accounts or act as an introducing broker with respect to customer accounts (e.g., engages solely in proprietary trading or conducts business only with other broker-dealers), then "independent testing" is required every two years. See FINRA Rule 3310(c).

11. In fact, FinCEN notes that broker-dealers must continue to comply with FINRA Rules, notwithstanding differences between the CDD Rule and FINRA Rule 3310. See CDD Rule Release 29421, n. 85.

12. See CDD Rule Release at 29420; 31 CFR 1023.210.

13. See id. at 29420-21.

14. See id. at 29419.

15. See id. at 29421.

16. See id. at 29422.

17. See id.

18. See id.

19. See id.

20. See id.

21. See id.

22. See id. at 29402.

23. See id. at 29420-21.

24. See id.

25. There are both ownership and control prongs of the definition of beneficial owner for purposes of the CDD Rule. A beneficial owner is: (1) each individual (if any) who directly or indirectly owns 25 percent of the equity interests of a legal entity customer; and (2) a single individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager. See id. at 29409; FinCEN FAQs Question 9; 31 CFR 1010.230(d). Despite imposing a 25 percent threshold for the ownership prong, FinCEN's guidance suggests that financial institutions may find it appropriate to identify and verify beneficial owners at a lower ownership threshold if circumstances warrant. See CDD Rule Release at 29410. For guidance on the types of individuals that have "significant responsibility to control, manage, or direct a legal entity customer," see FinCEN FAQs, Question 13.

26. A legal entity customer is a "corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction, that opens an account." 31 CFR 1010.230(e)(1). The requirements to identify and verify the identity of beneficial owners do not apply to, among others, financial institutions regulated by a Federal functional regulator or a bank regulated by a state bank regulator, investment advisers, as defined in the Investment Advisers Act of 1940, that are registered with the Securities and Exchange Commission (SEC), entities registered with the SEC under the Securities Exchange Act of 1934, state-regulated insurance companies and specified pooled investment vehicles. For a full list of entities excluded from the legal entity customer definition, see 31 CFR 1010.230(e)(2).

In addition, in the FinCEN FAQs, FinCEN stated that the definition of legal entity customer does not include sole proprietorships, unincorporated associations, trusts (other than statutory trusts) or natural persons opening the account on their own behalf. See FinCEN FAQs, Question 20. Furthermore, the CDD Rule clarifies who is the legal entity customer in the context of an intermediated account relationship. It explains that, to the extent that existing guidance provides that, for purposes of the customer identification program (CIP) rules, a financial institution shall treat an intermediary (and not the intermediary's customers) as its customer, the financial institution should treat the intermediary as its customer for the CDD Rule. See CDD Rule Release at 29416.

27. See CDD Rule Release at 294000.

28. See id.

29. The CDD Rule incorporates the definition of "account" that is used in the CIP rules. See 31 CFR 1010.230(c). See also 31 CFR 1020.100(a)(2) (for banks); 1023.100(a)(2) (for brokers and dealers in securities); 1024.100(a)(2) (for mutual funds); and 1026.100(a)(2) (for futures commission merchants or introducing brokers in commodities). Covered financial institutions are not required to identify and verify the beneficial owners of certain entities that are excluded from the definition, and covered financial institutions that open certain types of accounts for legal entity customers do not have to verify the beneficial owners of those entities. See FinCEN FAQs, Questions 17, 20, 21 and 22.

30. The natural person opening the account on behalf of the legal entity customer could be, though need not be, a beneficial owner of the legal entity customer. See FinCEN FAQs, Question 10.

31. See FinCEN FAQs, Question 1.

32. See FinCEN FAQs, Question 11.

33. See Appendix A to 31 CFR 1010.230; CDD Rule Release at 29454.

34. See 31 CFR 1010.230(b)(1); CDD Rule Release at 29405.

35. See CDD Rule Release at 29405.

36. See id. at 29407.

37. See id. at 29408.

38. See id. at 29407.

39. See 31 CFR 1010.230(i) and (j). A financial institution must have procedures for maintaining a record of information obtained in connection with identifying and verifying beneficial owners for a period of five years after the date the account is closed. See also Letter from Emily Westerberg Russell, Senior Special Counsel, Division of Trading and Markets, SEC, to Aseel Rabie, Managing Director and Associate General Counsel, Securities Industry and Financial Markets Association (SIFMA), dated December 12, 2016 (SIFMA SEC No-Action Letter), available at https://www.sec.gov/divisions/marketreg/mr-noaction/2016/securities-industry-financialmarkets-association-120916.pdf (extending no action relief when broker-dealers rely on investment advisers for identifying and verifying beneficial owners of legal entity customers, subject to enumerated conditions).

40. See id. at 29404.