FinCEN's Customer Due Diligence rule added a fifth pillar to the BSA compliance framework - and many businesses still haven't fully implemented it. Here's what the rule requires and where most programs fall short.
FinCEN's Customer Due Diligence rule, which became effective in May 2018, added beneficial ownership identification as a mandatory fifth element of the BSA compliance framework. The rule requires covered financial institutions to identify and verify the identity of beneficial owners of legal entity customers - specifically, any natural person who owns 25% or more of the entity, plus one individual who controls the entity. This requirement applies at account opening and must be refreshed when material changes occur.
The practical challenge of beneficial ownership compliance is that legal entity customers often have complex, multi-layered ownership structures. A limited liability company may be owned by another LLC, which is owned by a trust, which has multiple beneficiaries. Tracing beneficial ownership through these structures requires persistence and documentation. Accepting a customer's representation of their ownership structure without verification is not CDD compliance - it's a paper exercise that won't survive examination.
Risk-based CDD goes beyond the minimum beneficial ownership requirement. For higher-risk customers - those with complex ownership structures, foreign connections, cash-intensive businesses, or transaction patterns that don't match their stated business purpose - enhanced due diligence is required. EDD means collecting more information, verifying it more rigorously, and monitoring the relationship more closely. The specific EDD measures must be documented and proportionate to the identified risk.
Ongoing monitoring is the CDD element most commonly missing from small business programs. CDD is not a one-time exercise at account opening - it's a continuous obligation to understand your customers and detect changes in their risk profile. A customer who opens an account with a straightforward business purpose and then begins conducting transactions inconsistent with that purpose has triggered a CDD update obligation. Your monitoring procedures must be designed to catch these changes.
The most common CDD examination finding we see is a gap between the written CDD policy and actual practice. The policy says the institution collects beneficial ownership information for all legal entity customers. The examination reveals that the form was collected for some customers but not others, that the information was never verified, or that the forms are stored in a filing cabinet that no one has reviewed in two years. CDD compliance requires operational discipline, not just a good policy document.
Elena Vargas
BSA/AML Principal Consultant · Soflo Consulting
Specializes in BSA/AML program development and compliance training for regulated businesses nationwide - from community banks and fintech startups to real estate professionals and money services businesses.
Key Takeaways
1. The CDD rule requires beneficial ownership identification for any natural person owning 25%+ of a legal entity
2. Complex ownership structures must be traced to natural persons - accepting representations without verification is insufficient
3. Enhanced due diligence is required for higher-risk customers and must be documented and proportionate
4. Ongoing monitoring is a continuous obligation - CDD must be updated when customer risk profiles change
5. The most common finding is a gap between written CDD policy and actual operational practice
