If you're a payment facilitator, how much do you currently know about the owners of your sub-merchant customers? If you're a processor, how much do you know about the owners of your payment facilitator customer's sub-merchant customers? And if you're a bank, how much do you know about the owners of your processor customer's payment facilitator customer's sub-merchant customers (who are, technically, also your customers)? If the answer to any of these questions is less than "a lot," you should be aware that ownership verification requirements are scheduled for important changes in May 2018.
On May 11, 2016, the Financial Crimes Enforcement Network (FinCEN), part of the U.S. Department of the Treasury, published a rule requiring banks to implement due diligence procedures to identify and verify the beneficial owners of all legal entity customers at the time of account opening. This will require banks – and their processor, ISO, and payment facilitator partners – to capture the beneficial ownership information of merchants seeking access to merchant processing accounts. A brief history lesson is required to understand when and how these requirements apply in the payments space.
FinCEN is responsible for interpreting and enforcing the Bank Secrecy Act (BSA) and its implementing anti-money laundering (AML) regulations. Among other obligations, the BSA requires banks and other financial institutions to verify the identity of their customers, referred to as Customer Identification Program (CIP) and Customer Due Diligence (CDD) requirements (colloquially, "Know Your Customer" or KYC). For corporations, limited liability companies, and other "entity" customers, banks are not currently required to verify the identity of each entity's owners. Instead, FinCEN's guidance requires a bank to develop policies and procedures that define the situations in which, based on its risk assessment of an entity customer, the bank will verify the identities of the individuals with ownership or control of the customer.
In addition to banks, other types of financial institutions have obligations under the BSA, including "money transmitters," which are companies that accept currency or funds and transmit them to another location or person. Money transmitters are also required to verify the identity of their customers but, like banks, are not currently subject to specific requirements to collect information about the owners of their entity customers (nor will they be under the new beneficial ownership rule). If not for FinCEN's "payment processor" exemption, many payment facilitators would be money transmitters directly subject to the BSA because they receive settlement funds and distribute them to their sub-merchant customers. Pursuant to this exemption, a company is not a money transmitter if it facilitates payments for the purchase of goods and services through a clearance and settlement system under an agreement with the seller. The application of the exemption depends on the specific facts of a company's business model, but most payment facilitators could likely meet the requirements.
However, even if not directly subject to the BSA, payment facilitators are usually required to perform KYC activities under contracts with their sponsoring banks or sponsoring bank and processor (banks, of course, are subject to FinCEN's regulations). While banks are not required to form a direct merchant agreement with a sub-merchant until after it exceeds the Visa or MasterCard thresholds, the network rules make clear that a payment facilitator enters an agreement with a sub-merchant as the bank's agent, and that each sub-merchant is "to be treated as a Merchant of its Payment Facilitator's Acquirer." Because the sub-merchant is ultimately the bank's customer, the bank is required to collect KYC information on those companies. As the customer-facing entity for sub-merchants, the bank will push down its KYC obligations to its payment facilitator partners through the sponsorship agreement. Thus, payment facilitators are almost always contractually required to perform KYC activities, even if they are not legally required to do so.
Which brings us back to FinCEN's new beneficial ownership rule. If a payment facilitator is currently collecting sub-merchant ownership information, chances are the primary reason for this is requirements imposed by its bank sponsor. As noted, the current obligation to collect beneficial ownership information is "risk-based" and is left to each bank's independent risk assessment. So, for example, if your bank's risk assessment dictates that individuals that own or control 50% or more of the sub-merchant need to be identified, then you may already be collecting beneficial ownership information on a limited basis. Starting in May 2018, however, the new beneficial ownership rules kick in, and will require banks to obtain from their legal entity customers the identity of (1) beneficial owners of 25% or more; and (2) a single individual with significant control over the entity, taken together to mean "beneficial owners."
Under the rule, the legal entity customer is generally responsible for identifying the beneficial owners, and banks may generally rely on the information provided by legal entity customers. FinCEN provides a sample Certification Form that account applicants may complete to provide beneficial ownership information, but banks are not required to use it. The same information may be collected (and retained for 5 years) in other ways. In addition, the bank must verify the identity of any individual who is a beneficial owner by confirming the individual's existence (through identifying documents or other standard CIP methods) but is not required to verify an individual's status as a beneficial owner.
As the effective date approaches, banks will likely push the new, stricter standard for ownership information down to their sponsored counterparties. Payment facilitators should prepare for this eventuality by discussing these new requirements with their bank sponsors ahead of the effective date and considering how a stricter ownership identity verification requirement can be integrated into their onboarding processes without creating undue friction. For example, payment facilitators may want to consider how the FinCEN beneficial ownership Certification Form could be incorporated into their standard application flow.
As a final note, while a payment facilitator may collect ownership information primarily because of sponsor bank contractual requirements, there are other important reasons for doing so. All U.S. companies are prohibited from doing business with individuals or entities that appear on the Office of Foreign Assets Control (OFAC) Specially-Designed Nationals (SDN) List of sanctioned persons and companies. In general, the prohibition also extends to any entity, 50% or more of which is owned directly or indirectly, in the aggregate, by one or more individuals or entities on the SDN List. While there is no specific statutory requirement to check customers or their owners against the SDN List, periodic risk-based checks are a best practice for avoiding accidentally onboarding a sub-merchant on the SDN List or one that has a principal owner on the SDN List.
In addition, both the FTC and the CFPB have focused on merchant underwriting in recent years, including the potential for fraudsters to conduct activities through multiple interrelated companies (often using straw companies or nominees as principals). Either regulator would have serious concerns with a sub-merchant underwriting program that did not involve some level of risk-based ownership identification intended to root out potential fraudsters. In this regard, the FTC has regularly included a "screening" requirement in its consent decrees with payment processors and ISOs that requires them to obtain from each prospective customer the "name of the principal(s) and controlling Person(s) of the entity, and Person(s) with a majority ownership interest in the entity."
* * * * * * * * * *
The new beneficial ownership rules are right around the corner. If your bank has not assessed how to flow these requirements down to its processor and payment facilitator partners, now is the time to do it. And if you are a payment facilitator that has never had to collect this type of information, it may be prudent to get a jump on your competition by designing a new intake program that ensures compliance while minimizing customer friction.