Tick Tock - five months to go before FinCEN's customer due diligence rule compliance date: The who, what, when, where, and why of the CDD Rule

On May 11, 2016, the U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN) published its final rule under the Bank Secrecy Act (BSA) regarding customer due diligence (CDD) and verification requirements for covered financial institutions (CDD Rule). The CDD Rule adds requirements for certain financial institutions to identify and verify beneficial owners of legal entity customers (Beneficial Owners) in furtherance of the BSA. The CDD Rule also adds an ongoing risk-based CDD requirement to a covered financial institution’s anti-money laundering (AML) program. Many entities covered under the CDD Rule have already begun working to change their programs, policies, and systems to comply with the new standards; and regulators, examiners, and law enforcement have begun preparing to verify that these financial institutions are in compliance with the requirements.

By complying with these AML requirements, covered institutions may also reduce their risks under other federal laws such as the sanctions regulations implemented by the Treasury Department’s Office of Foreign Assets Control (OFAC). The U.S. Government continues to aggressively enforce sanctions and AML regulations.


Who? There are several questions about the “who” for the CDD Rule: who is covered; who is a legal entity customer; and who is a beneficial owner of a legal entity customer.


Who, Part One: Who is covered by this rule?

Although the BSA and implementing regulations cover a broad variety of financial institutions, only a subset of these are within the scope of the CDD Rule. For this rule, the financial institutions covered (Covered Financial Institutions) include:

  • federally-regulated banks;
  • federally-insured credit unions;
  • mutual funds;
  • securities broker-dealers;
  • futures commission merchants; and
  • introducing brokers in commodities.

Who, Part Two: Who is a legal entity customer?

The CDD Rule defines a “legal entity customer” as one of the following:

  • a corporation;
  • a limited liability company;
  • another entity created by a public filing with a Secretary of State or its equivalent;
  • a general partnership;
  • a limited partnership;
  • a business trust created by filing with a state office; and
  • any similar entity formed under foreign law.

But sole proprietorships, unincorporated associations, and natural persons opening their own accounts are not “legal entities” within the meaning of the rule. There are also several other specific exclusions, such as financial institutions that are regulated by a federal functional regulator or state bank regulator; political departments and agencies of the U.S. or a State; various types of entities that are registered with the CFTC or SEC; and other entities enumerated in the regulation.

Who, Part Three: Who is the beneficial owner?

The CDD Rule defines the term “Beneficial Owner” as:

  • any individual who (directly or indirectly) owns 25% or more of the equity of a legal entity customer; and
  • a single individual with ability to control, manage, or direct a legal entity customer (e.g., CEO, CFO, COO, President, VP), or anyone else who regularly performs these functions.

It does not include a nominee or straw man. So, every legal entity customer within the scope of the CDD Rule will have at least one, and up to five, beneficial owners: the single individual who can control or direct the entity, and individuals who own 25% or more of the legal entity customer.


What? This is the big one: What needs to be done to comply with the CDD Rule? 


To comply with the CDD Rule, a Covered Financial Institution must establish and maintain written CDD procedures reasonably designed to enable it to:

  • identify the Beneficial Owners of any legal entity customer, other than those that are excluded under the CDD Rule, at the time a new account is opened (unless the account is exempted under the rule); and
  • verify the identity of each Beneficial Owner disclosed, according to risk-based procedures to the extent reasonable and practicable.

Identification/Verification. Covered Financial Institutions may comply with the identification and verification provisions of the CDD Rule by obtaining the required information on a standard Certification Form provided by FinCEN. Otherwise, they may use other means that are in compliance with the requirements of the CDD Rule. These requirements include obtaining the name, date of birth, address, and social security number (or similar identification number, for non-U.S. individuals) of any Beneficial Owner. Covered Financial Institutions may rely on the information about Beneficial Owners provided by their legal entity customer unless the Covered Financial Institution has knowledge of information that reasonably calls into question the reliability of the information. The CDD Rule also notes that a Covered Financial Institution may rely on copies of identity documents of a Beneficial Owner, unlike the verification procedures for a Covered Financial Institution’s customer identification program (CIP). Other than that distinction, the two requirements are very similar.

Covered Financial Institutions may rely on a third-party financial institution to perform the Beneficial Owner CDD requirements under the CDD Rule, subject to certain limitations, for shared legal entity customers.

Ongoing Risk-Based CDD. The CDD Rule amends the AML program requirements for Covered Financial Institutions to explicitly include risk-based procedures for conducting ongoing CDD, and includes a requirement for Covered Financial Institutions to understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile. This requirement imposes an obligation on a Covered Financial Institution to gather sufficient information, at the time of account opening, to develop a baseline against which the customer’s activity may be assessed for SAR requirements. A Covered Financial Institution may consider information such as the type of customer requesting services, the type of account being opened, and the services or products being used. Covered Financial Institutions must also conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. For the purposes of monitoring suspicious activity, the customer information being monitored should include Beneficial Owner information.

Recordkeeping. Covered Financial Institutions must maintain records they obtain about Beneficial Owners for five years. These records must include any identifying information obtained for identification, such as the standard Certification Form, if applicable. The records must also contain a description of the documents relied on for verification and non-documentary methods undertaken.


When? When do I have to comply?


Covered Financial Institutions must fully implement and comply with the CDD Rule by May 11, 2018.


Where? Where can I find these rules and related guidance?


The final CDD Rule is published here.

FinCEN has published FAQs on the CDD Rule here.




Why, Part One: Why did FinCEN impose this rule?

According to the Preamble to the CDD Rule, through its consultation with the Federal functional regulators and the Department of Justice, FinCEN determined that more explicit rules regarding the CDD requirements for Covered Financial Institutions are necessary to strengthen the BSA regime. The resulting requirements are part of an effort to increase transparency and further safeguard U.S. financial institutions from illicit use. The U.S. Treasury estimates that the CDD Rule will help curb at least US$1.8 billion of the estimated $300 billion in illicit proceeds generated in the U.S. by financial crimes.

According to FinCEN in its CDD Rule, four core elements make up the minimum standards for a CDD program:

  1. Customer identification and verification,
  2. Beneficial Owner identification and verification,
  3. Understanding the nature and purpose of customer relationships to develop a customer risk profile, and
  4. Ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information.

Of those four, customer identification and verification is already an explicit requirement imposed on Covered Financial Institutions. The third and fourth are currently only imposed implicitly and Beneficial Owner information is not required, leaving a gap in the CDD procedures across Covered Financial Institutions. Under current rules, legal entities may access Covered Financial Institutions’ products and services without disclosing their natural person Beneficial Owners. This anonymity creates a means for criminals to conceal ill-gotten proceeds by, for example, using seemingly legitimate shell, shelf, or front companies as the Covered Financial Institution customers while channeling funds to the ultimate Beneficial Owner. Beneficial Owner anonymity also creates hurdles for law enforcement and regulators attempting to detect or investigate financial crimes, such as money laundering, fraud, terrorist financing, sanctions evasion, and corruption.

The CDD Rule requires additional CDD measures, including those regarding Beneficial Owners, in an attempt to enable Covered Financial Institutions, law enforcement, and relevant regulators to detect potential criminal activity.

According to FinCEN, the CDD enhancements under the CDD Rule will advance the BSA’s purpose by:

  • making legal entities a less attractive means for concealing criminal activities;
  • assisting law enforcement with detection and identification of criminal activity;
  • facilitating more fulsome implementation of sanctions and counter-terrorism (and other threats to national security) efforts;
  • aiding Covered Financial Institutions in assessing risk and detecting potentially suspicious activity (and increasing the information available for Covered Financial Institutions to include in their SARs);
  • enhancing the transparency and information exchange used to combat cross-border tax evasion and other financial crimes, such as the Foreign Account Tax Compliance Act (FATCA);
  • clarifying the CDD expectations for Covered Financial Institutions, thereby promoting a more “level playing field” for AML compliance requirements;
  • advancing Treasury’s broad strategy to enhance the overall financial transparency of legal entities.

Why, The Sequel:

Certain elements of the CDD Rule had been percolating at FinCEN starting in 2012. However, the announcement of the CDD Rule in 2016 coincided with the unprecedented leak, known as the “Panama Papers,” of over 11 million files from a Panamanian law firm. The Panama Papers exposed information about over 200,000 shell companies and their ownership structures. Information from the Panama Papers prompted investigations into whether the involved entities were created to evade various financial crimes laws. The Panama Papers also raised questions about the ability of individuals to hide their wealth from U.S. government regulation and the adequacy of the rules in place at the time to detect such activity.

Why, (Last One): Why should Covered Financial Institutions comply?

Failure to comply could serve as a basis for costly enforcement actions. The BSA’s implementing regulations give FinCEN, and federal banking agencies with delegated authority, the ability to assess civil money penalties in the millions of dollars and injunctive relief for failure to comply with the BSA’s requirements. Additionally, willful failures to comply may result in criminal prosecution that could lead to fines and other criminal penalties, including possible imprisonment for individuals.

In the words of Kenneth Blanco, at the time the Acting Assistant Attorney General at the Justice Department (and now the current FinCEN Director):

“We at the department – and in the Criminal Division in particular – remain sharply focused on understanding the ownership structure and the apparent ease with which criminal organizations use shell companies to move and ultimately conceal criminal proceeds. This is a global problem requiring a vigorous response. Piercing the corporate veil to determine the true owner of bank accounts and other valuable assets more often than not requires us to undertake a time-consuming and resource-intensive process. Grand jury subpoenas, witness interviews, and even foreign legal assistance requests are sometimes required to get behind the outward facing structure of these shell companies. The Department therefore views the customer due diligence final rule announced by the U.S. Treasury Department last May as a critical step toward greater transparency and a reporting system, which makes it harder for sophisticated criminals or kleptocrats to hide their identities and their illicit proceeds behind opaque corporate structures. And we will be taking a hard look at compliance with this rule in the course of our future investigations.”



As noted above, FinCEN considers the new CDD requirements as highly important for combating financial crimes. Likewise, supervision and enforcement efforts by FinCEN, other regulators, and examiners will likely focus on these new provisions. Due to the high priority placed on the rule and the quickly approaching implementation date, Covered Financial Institutions should dedicate the necessary resources to be in compliance by May 11, 2018.

If you have any questions or would like assistance in implementing these requirements, please let us know.
