April 2, 2015
Authored by: Bryan Cave Leighton Paisner
On August 4, 2014, FinCEN released proposed rules that would require banks and certain other financial institutions to identify the “beneficial owners” of their business entity customers and to verify the identity of each such beneficial owner (the “Proposal”). If the Proposal results in final rules that are substantially identical to the proposed rules, financial institutions might be unable to comply without violating the federal Fair Credit Reporting Act (“FCRA”).
Under the Proposal, “beneficial owners” would generally include at least one manager of the entity and each individual owning 25% or more of the entity. This could mean up to five individuals if no manager also owns 25% or more of the entity.
The Proposal would require a financial institution first to identify the customer’s beneficial owners. This should be reasonably manageable because institutions would be able to provide a certification form to its customer and require that the customer name its beneficial owners. Financial institution’s would not be required to take independent steps to verify the status of such persons as beneficial owners.
The potential legal conflict arises under the second prong of the Proposal, under which the financial institution would be required to verify the identity of those persons whom it has been told are the customer’s beneficial owners. The Proposal would require a financial institution to verify the identity of each beneficial owner using risk-based procedures that are “identical to the covered financial institution’s Customer Identification Program procedures required for verifying the identity of customers that are individuals.”
Whether in a deposit or loan context, banks often will obtain a single credit report or other consumer report for the combined purposes of an initial OFAC screen, to confirm the customer’s creditworthiness, and to verify the customer’s identity under the institution’s Customer Identification Program (“CIP”). Such reports are “consumer reports” under the FCRA and therefore subject to the FCRA’s rules, including with respect to when such reports may be obtained.
If an institution is required to apply “identical” CIP procedures for beneficial owners, it would appear that many institutions would be required to obtain these same consumer reports on the beneficial owners. The problem is that the FCRA prohibits obtaining of a consumer report on an individual in a business, non-consumer context unless the individual will be personally liable for the account or loan, such as in the case of a sole proprietor or guarantor, or unless the individual first provides written consent. (See FTC Staff Opinions July 22, 2000 and June 22, 2001, each involving Charles Tatelbaum.) Obtaining this consent from up to five beneficial owners could be very challenging.
Consider the common situation in which a business applies for a deposit or loan and the application is signed only by a manager. The other beneficial owners might be living in different states or countries, might have very little to do with the business other than being larger shareholders, and might be very unwilling to authorize a financial institution to obtain a consumer report on him or her. Faced with a conflict between the FCRA and FinCEN’s requirements, institutions might be compelled to decline applications rather than taking on the burdens of chasing down every beneficial owner and persuading them to consent to obtaining consumer reports. And it is safe to assume that some beneficial owners would simply refuse.
One possible solution might be to take the position that the reports on beneficial owners are not in fact “consumer reports.” There is some authority for the proposition that a report on an individual is not a consumer report under the FCRA unless it both reflects on the individual’s personal characteristics and is used or expected to be used as a factor in determining the individual’s eligibility for a product or service or other purpose for which consumer reports may be obtained. The argument therefore would be that these reports on beneficial owners are not technically “consumer reports” because they are not being obtained to make an eligibility decision with respect to the beneficial owner, but only with respect to the business.
There are risks with this approach, however. First, it might be inconsistent with the Tatelbaum letters referred to above. In those letters the FTC took the position that the actual use of the report was not important. What was controlling was why the information was collected; i.e., whether it was collected for the purpose of assisting third parties in the evaluation of a consumer’s eligibility for credit or other services or benefits. The information in the beneficial owner reports in question was collected to assist third parties in making credit and other eligibility decisions about such individuals. Under the apparent Tatelbaum rationale, the reports would still be consumer reports even if used only to verify the individual’s identity.
In addition, two key purposes of the FCRA are to ensure that (a) persons that provide reports on individuals to banks and other parties take appropriate steps to provide accurate information, and (b) individuals are informed when information in their consumer report is being used to take actions so that they can correct any errors in the report or correct their behavior going forward so as to minimize negative information in their reports. If a beneficial owner never knows that a report was obtained, that individual cannot cure any errors in the report or modify their future behavior. This policy consideration might compel a court or regulator to treat the reports on beneficial owners as consumer reports and subject to the FCRA.
Another possible solution would be for FinCEN to issue more flexible rules so that financial institutions could obtain a more limited report about beneficial owners, specifically reports that are limited to each individual’s name, address and social security number. The FTC in the past took the position that such limited demographic reports generally were not consumer reports. Again, however, there is a problem. The FTC no longer has interpretive authority for the FCRA and it is unclear if the CFPB, who now has primary interpretive authority for the FCRA, would take a similar position.
What clearly is needed is a definitive and enforceable statement from the CFPB that these reports on beneficial owners are not subject to the FCRA. They could state that the reports are not consumer reports so long as they are only used to verify a person’s identity or, if FinCEN adjusted its position to allow institutions to use more limited demographic reports, the CFPB could confirm that those reports are not consumer reports. We discussed this issue with the CFPB on an informal basis a few months ago and they more or less took the position that it was not their problem, that it was FinCEN’s problem. While the CFPB clearly believes it is saving consumers from the financial services industry, one might think FinCEN’s view that it is saving the Country from actual terrorists might be more compelling. Unless the CFPB comes around to that view or FinCEN significantly modifies the proposed rules, banks will be between a rock and a hard spot. Again.