What cryptos need to know about the BSA’s ‘Fifth Pillar’

The BSA’s so-called ‘fifth pillar’ has created a lot of confusion over how it applies to crypto, if at all. This post explains what it means for crypto businesses.

Most crypto businesses are considered money services businesses (MSBs) money transmitters, meaning they are required to comply with the Bank Secrecy Act (BSA) by developing a comprehensive anti-money laundering (AML) compliance program.

For years, crypto MSBs/money transmitters and other financial institutions were required to adopt procedures to address four core elements of customer due diligence (CDD) in their BSA/AML compliance programs.

These four elements are referred to as the four pillars of a BSA/AML compliance program:

1. Develop a system of internal controls to ensure ongoing compliance
2. Identify a designated BSA/AML Compliance Officer
3. Perform independent testing of BSA/AML compliance policies and procedures
4. Train employees adequately

In May 2018, a new fifth pillar was added that requires covered financial institutions to identify and verify the identity of beneficial owners of legal entity customers.

This fifth pillar has introduced a lot of confusion among MSBs in general as well as an ongoing debate as to whether or not it actually applies to crypto at all.

Let’s break down the fifth pillar, FinCEN’s position on why it’s needed, and what crypto businesses should do, so you can make an educated decision.

What is the fifth pillar of BSA compliance?

The fifth pillar of BSA compliance according to FinCEN applies to accounts opened or renewed by new or existing legal entity customers.

A legal entity customer is defined as a corporation or limited liability company as well as any other entity that is formed by filing public documents with the Secretary of State or another appropriate state office (with some exceptions). In addition, general partnerships or similar entities that are formed in foreign jurisdictions are considered to be legal entities as far as FinCEN and the BSA are concerned.

Under the rules of the fifth pillar, covered financial institutions are required to identify the beneficial owners of any legal entities that open new accounts every time an account is opened (including renewal accounts).

Specifically, financial institutions must use the following criteria to determine the beneficial owners of a legal entity customer:

• If an individual directly or indirectly owns 25% or more of the equity interests of the legal entity customer, they are considered a beneficial owner. This includes ownership through contracts, relationships, or any other type of arrangement or understanding.
• If the business entity doesn’t have any 25% or more equity owners, then whoever controls operations is considered the ultimate beneficial owner, and the documentation requirements apply to that person (possibly a CCO, or a trade manager).
• If an individual has a significant responsibility to control, direct, or manage the legal entity customer, then they are a beneficial owner. This includes executive officers, senior managers, or any other person who performs the functions associated with these roles.

What is required to comply with the fifth pillar of BSA compliance?

To comply with the requirements of the fifth pillar, financial institutions must follow several steps:

• Identify at least one beneficial owner of every legal entity customer.
• Verify the ownership information using reasonable risk-based procedures. Typically, these procedures would be part of the financial institution’s customer identification program (CIP).
• Update the compliance program to review current account opening procedures and make changes as needed to comply with all BSA/AML rules related to customer due diligence.
• Train employees on the new procedures.

But that’s not all.

Financial institutions also have to create internal policies to identify and verify beneficial owners.

The compliance officer and compliance team need to answer a variety of questions in order to create these policies, including:

• What is considered a new account?
• What events should trigger the need to identify and verify beneficial owners?
• Should the beneficial ownership threshold established by FinCEN be lower? Some financial institutions use a threshold of 10% instead.
• What steps will be taken to manage high-risk legal entity customers?

Once the policies are created and employees are trained on the new procedures to identify and verify beneficial owners, they must also retain all related documentation for five years.

Why did FinCEN add the fifth pillar?

According to FinCEN, the fifth pillar was added to the customer due diligence requirements to address a weakness in regulations that enabled criminals to hide money anonymously through legal entities.

Specifically, FinCEN says the fifth pillar:

• Helps law enforcement in financial investigations
• Helps prevent evasion of targeted financial sanctions
• Facilitates tax compliance
• Helps financial institutions assess risk
• Advances the United States’ compliance with international commitments and standards

Of course, the ultimate goal is to guard against money laundering.

Does the fifth BSA compliance pillar apply to crypto businesses?

At this time, the fifth pillar does not specifically include crypto MSBs/money transmitters, but that doesn’t mean it doesn’t apply to crypto businesses.

As stated in the Bank Secrecy Act Anti-Money Laundering Examination Manual from the Federal Financial Institutions Examination Council (FFIEC), “For purposes of the CDD Rule, covered financial institutions are federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities.”

Based on that definition, it would seem that crypto MSBs don’t have to worry about the fifth pillar of BSA/AML compliance, right?

Not so fast.

Think of it this way. The four other pillars do apply to crypto MSBs.

When making a determination of whether or not the fifth pillar applies to your cryptocurrency business, consider this language from the Federal Register:

“FinCEN views the fifth pillar as nothing more than an explicit codification of existing expectations; as these expectations should already be taken into account in a bank’s internal controls.”

Also, the Federal Register states:

“The identification and verification procedures for beneficial owners are very similar to those for individual customers under a financial institution’s customer identification program (CIP), except that for beneficial owners, the institution may rely on identity documents. Financial institutions are required to maintain records of the beneficial ownership information they obtain, and may rely on other financial institutions for the performance of these requirements, in each case to the same extent as under their CIP rule.”

Based on those two quotes, it certainly seems that any financial institution required to comply with the first four pillars (and that includes crypto MSBs) should comply with the fifth pillar as well.

FinCEN already expected financial institutions to perform customer due diligence. Adding the fifth pillar simply put the expectation in writing and made it official and more explicit.

Furthermore, it’s not a big leap to predict that FinCEN will expand the definition of covered financial institutions as it relates to the fifth pillar in the future. It makes sense for crypto MSBs to comply with all of the regulations now rather than trying to catch up later.

Key takeaways for crypto business compliance

It’s in your company’s best interest to follow the steps to comply with all five pillars of a comprehensive BSA/AML compliance program, which includes identifying and verifying beneficial owners, developing appropriate risk files, and defining due diligence processes. Many crypto MSBs, particularly crypto exchanges, are already doing it to future-proof their businesses and be ahead of the curve.

If you need help determining if your business needs fifth pillar protocols and developing appropriate policies and procedures, the experts at BitAML can help. Reach out to us today to schedule a free consultation.