The CDD Final Rule: Seven Things to Remember

July 7, 2016 by Verafin

Until now, the lack of any general requirement for financial institutions (FIs) to know and verify the identity of the beneficial owners of their entity customers created the opportunity for criminal exploitation of the banking system through anonymous access.

This weakness was recently exposed by the Panama Papers scandal, which involved the leak of approximately 11.5 million documents that included the private financial information of more than 214,000 offshore entities. Media outlets across the globe quickly filled with stories of how shell companies, by obscuring the identities of their beneficial owners, are used to hide assets.

On May 5, 2016, the US Department of the Treasury announced a Customer Due Diligence (CDD) Final Rule and proposed Beneficial Ownership legislation. “The Treasury Department has long focused on countering money laundering and corruption, cracking down on tax evasion, and hindering those looking to circumvent our sanctions,” stated Treasury Secretary Jacob J. Lew. “Building on years of important work with stakeholders, the actions we are finalizing today mark a significant step forward to increase transparency and to prevent abusive conduct within the financial system.”

With the Final Rule, FinCEN has explicitly added risk-based CDD as a “fifth pillar” of BSA/AML compliance, codifying existing expectations tied to suspicious activity reporting requirements.

CDD Final Rule – Four Core Principles

The rule presents four core elements of Customer Due Diligence (CDD):

  1. Customer identification and verification,
  2. Beneficial ownership identification and verification for legal entity customers,
  3. Understanding the nature and purpose of the customer relationship to develop a customer risk profile, and
  4. Ongoing monitoring (for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information, including beneficial ownership information).

Most BSA/AML Programs Already Include 3 of the 4 Principles

It is important to note that, beyond the obligation to identify the beneficial owner(s) of legal entity customers, a robust BSA/AML program should already include three of the four above principles. Examiners will already expect FIs to gather information about customers at account opening, build a customer risk profile, and use the profile in ongoing monitoring to identify unusual behavior.

In its Executive Summary, FinCEN states that only the second of the four principles imposes a new compliance obligation. The first is already an AML program requirement, while the third and fourth principles “are already implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements.”

Seven Things for BSA/AML Professionals to Remember when Updating Procedures

Below are seven things to remember when creating new policies and updating procedures in preparation for collecting Ultimate Beneficial Owner (UBO) information:

1. Timelines

The rule has an effective date of July 11, 2016, and financial institutions (FIs) have until the May 11, 2018 applicability date to implement appropriate policies and procedures to ensure compliance with the rule’s requirements.

2. Identification and Verification

The rule requires FIs to collect information at account opening that will allow the identification of individuals who own and/or control legal entity customers. The identity of these individuals must be verified — generally government-issued identification can be used.

3. Ownership and Control

In the rule, FinCEN defines two prongs for which UBO information is collected:

  • Ownership: Under the rule, any individuals who directly or indirectly own 25 percent or more of the equity interests in the legal entity must be identified. This means that up to four individuals may be identified; in some cases, however, there may not be any individual identified under the ownership prong (for example, if no individual actually owns 25 percent or more of the equity interest).
  • Control: Unlike the ownership prong, for which it is possible that no single individual be identified, the control prong requires at least one individual be identified who has significant managerial control over the legal entity customer. This individual could be an executive officer, a senior manager, or any other individual who regularly performs similar functions. An individual identified under the ownership prong above can also be identified under the control prong.

4. Exclusions and Exemptions

The rule includes a number of exemptions and exclusions, reducing the number of legal entity customers from whom UBO information needs to be collected.

The list of excluded legal entity types includes sole proprietors and unincorporated associations. Typically, this is because the entity does not have a legal existence that is separate from the “associated individual or individuals that in effect creates a shield permitting an individual to obscure his or her identity.”

5. Certification Form

There is a certification form (Appendix A to 1010.230 – Certification Regarding Beneficial Owners of Legal Entity Customers) outlining the specific UBO information that must be collected from each applicable legal entity customer. However, the use of this form is optional. Required UBO information may be obtained “by any other means that comply with the substantive requirements of this obligation… provided the individual certifies, to the best of the individual’s knowledge, the accuracy of the information.”

The rule further indicates that this certification may be obtained “in the same way the financial institution obtains other information from its customers in connection with its account opening procedures.”

6. Updating UBO Information for Existing Customers

When a new or existing legal entity customer opens a new account, UBO information must be collected, but there is no requirement to obtain UBO information for existing legal entity customers.

There is also no categorical requirement to update this information on a regular basis. Instead, FinCEN expects information to be updated when, during the course of normal monitoring, something is discovered that is relevant to the customer’s risk profile.

7. CTR Aggregation

Regarding the aggregation of transactions for Currency Transaction Reporting (CTR) purposes, FinCEN expects the application of existing procedures consistent with CTR regulations and guidance.

While UBO and legal entity activity should be recognized as distinct from one another, aggregation of multiple currency transactions is required if there is knowledge that these transactions are by or on behalf of any person and result in either cash-in or cash-out totaling more than $10,000 during any one business day.


Until now, the ability for individuals to hide financial activity through anonymous ownership of business entities was a glaring weakness in the fight against financial crime. By taking steps to gain a more complete profile of entity customers, FIs can help to greatly reduce the flow of illicit funds through the US banking system – closing a significant BSA/AML gap.

The CDD Final Rule is a significant step toward greater financial transparency. The good news for many BSA/AML professionals is that your current program, in all likelihood, already incorporates three of the four elements from the new rule.

Verafin is the industry leader in enterprise Financial Crime Management solutions, providing a cloud-based, secure software platform for Fraud Detection and Management, BSA/AML Compliance and Management, High-Risk Customer Management and Information Sharing. Over 3800 banks and credit unions use Verafin to effectively fight financial crime and comply with regulations. Leveraging its unique big data intelligence, visual storytelling and collaborative investigation capabilities, Verafin significantly reduces false positive alerts, delivers context-rich insights and streamlines the daunting BSA/AML compliance processes that financial institutions face today.
