One Year Later: The CDD Final Rule

As the regulatory landscape shifts and turns in response to macroeconomic forces, technological innovation and geopolitical pressures, regulatory agencies amend existing rules and create new rules in an effort to ensure a level playing field for all. Outcomes are never guaranteed and those who follow the rules more closely than others may not always reap the greatest rewards. However, the likelihood of complying with a regulation and benefiting from its protections increases when the practical meaning of the words and phrases used to express the ideas and concepts contained within the rule are fully understood. This article will take a careful look at one such rule or, more properly, set of rules: the Customer Due Diligence (CDD) Requirements for Financial Institutions, also known as the CDD Final Rule or the Final Rule, issued by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN).1 Following a two-year dormancy period baked into the CDD Final Rule to give the U.S. financial services sector sufficient time to build out and implement robust systems, processes and procedures necessary for compliance, the Final Rule became applicable to all covered financial institutions, as described below, with full effect on May 11, 2018.

Structure of the Rule

Rules issued by U.S. regulators are published in the Federal Register and can be downloaded from the U.S. Government Publishing Office (GPO) website in PDF form. The Final Rule text, published in the May 11, 2016, edition of the Federal Register, appears within what is actually a 60-page, 65,000-word document (the GPO version) of which the first 54 pages constitute a preamble that serves as a primer on the CDD Final Rule and should be read in its entirety. The CDD Final Rule is a series of amendments to Title 31 of the Code of Federal Regulations (31 CFR Parts 1010, 1020, 1023, 1024 and 1026) (the U.S. Code), accessible online at the Electronic Code of Federal Regulations’ website in HTML format (the e-CFR version).2 Frequently, official guidance is released by a regulator subsequent to the publication of a rule, as was the case here with FinCEN’s April 3, 2018, CDD Final Rule FAQ (the FAQ), a 24-page PDF which provides thoughtful answers to several dozen important questions.3 Of course, the threshold question one might ask is, “Why would I need to read through the entire rule if I have a copy of the official FAQ handy?” The answer is that any work product that abridges and summarizes a topic— no matter how reliable or well-informed the source—can never completely replace firsthand knowledge of the subject matter in question. The aim here is to demystify the structure of a complex rule and give every reader a sense of confidence that they can tackle any portion—no matter how small or large—without regret that the time spent could have been put to better use elsewhere.

The Reason for the Upgrade

The CDD Final Rule is forward looking and akin to a roadmap of where the industry is headed, rather than a solutions manual on how precisely to build out the systems and processes necessary to get there. The opening paragraph of the preamble is a brief summary that states the purpose of the CDD Final Rule: to strengthen and clarify CDD requirements for ‘‘covered financial institutions’’ defined as (i) banks; (ii) brokers or dealers in securities; (iii) mutual funds; and (iv) futures commission merchants and introducing brokers in commodities.4 This is followed by the executive summary, which explains that—without knowledge of the identities of the individuals who own and control legal entity customers—covered financial institutions may unwittingly allow the proceeds of illicit activities to move anonymously through the financial system. The core elements of CDD are introduced here as well and entail (a) identification and verification of customers and their beneficial owners; (b) understanding customer relationships; and (c) monitoring transactions to detect and report suspicious activity. A synopsis of the Rule’s major provisions follows, along with a societal cost-benefit analysis.

Who truly is your customer?

A “beneficial owner” is any individual who owns at least a 25 percent equity stake in a legal entity customer (i.e., an entity that is neither a publicly traded company nor majority owned by a company listed on a major stock exchange) and, in the case of a trust that owns such equity stake, a trustee of that trust. This threshold can be met via direct ownership of shares or other interests in any such legal entity customer, or indirectly through ownership interests in one or more legal entities with an ownership interest in the legal entity customer. The less technical explanation is that it is now a requirement to truly know your customer at the living, breathing, biological level. The challenge in many cases is to identify anyone who, through any chain of ownership, ultimately owns a significant percentage of a legal entity customer or exerts significant control. Examples include the CEO, chief financial officer, chief operating officer, managing member, general partner, president, vice president or treasurer of a legal entity customer.5 The full requirement is to identify satisfactorily and verify all owners at the 25 percent or higher level—and at least one person with senior managerial responsibilities—in a manner that is consistent with the financial institution’s customer identification program.

Room for Improvement

When reviewing any rule, formal definition sections should never be overlooked

In a report issued October 31, 2018, the Library of Congress Congressional Research Service (CRS), a shared staff providing expert assistance to congressional committees and members of Congress, expressed concerns over potential loopholes in the CDD Final Rule.6 For example, when five or more individuals own a legal entity it is entirely possible that no single person would have a 25 percent or greater stake in the entity. In such an instance, all of the owners can remain anonymous and only a single management official would be required to be named. The CRS also points out that corporate formation agents and real estate transactions are exempt, which has drawn criticism from the Financial Action Task Force (FATF). In a nod to jurisdictions outside the U.S. that are working to increase transparency and strengthen enforcement, the CRS report spotlights the United Kingdom’s creation of a public register of beneficial ownership information and the European Union’s efforts to require member states to do the same. This sentiment was echoed in a March 13, 2019, letter to the U.S. House Committee on Financial Services, penned by nine leading industry trade associations (also known as the Joint Trades) including the American Bankers Association and the Securities Industry and Financial Markets Association (SIFMA). The Joint Trades support legislation that would create a “federal registry of beneficial owners of legal business entities” to close a “significant gap in the U.S. regulatory system that allows criminals, money launderers, kleptocrats, and terrorist financiers to obscure their identities from law enforcement.”7 The letter also advocates, among other things, “the use of technology and artificial intelligence within financial institutions’ AML programs.” However, it should be noted that efforts to build artificial intelligence technologies are currently under way at many of the leading banks and financial services firms.

Definitions Matter

When reviewing any rule, formal definition sections should never be overlooked as it can be challenging to unmask the deeper intentions and expectations of the regulator without carefully scrutinizing key terms. Here, the appropriate section can be found within Part 1010 General Provisions of the eCFR version.8 Once there, click on the link to Subpart A-General Definitions 1010.100 and scroll down the screen looking for defined terms that resonate with the materials reviewed thus far. Do not overlook what may appear to be the simplest and most commonplace terms as these are often the ones whose formal definitions are misconstrued, leading to unnecessary risk exposure. For example, “person” is defined as, “an individual, a corporation, a partnership, a trust or estate, a joint stock company, an association, a syndicate, joint venture, or other unincorporated organization or group, an Indian Tribe (as that term is defined in the Indian Gaming Regulatory Act), and all entities cognizable as legal personalities.”9 Therefore, a person can be a natural living being, a legal entity, or a group of people and/or entities officially recognized in some way as a group but not necessarily involving a formal legal designation. Tricky stuff but important to keep in mind when reviewing customer-submitted documentation for purposes of determining who and/ or what owns the customer. Another familiar but interestingly defined term is “business day” which “with respect to banks means that day, as normally communicated to its depository customers, on which a bank routinely posts a particular transaction to its customer’s account.”10 As a result, the concept of a business day is very subjective under the Rule as it is determined by the bank’s own practices as communicated to its customers and not necessarily the prevailing standard in the jurisdiction. In addition, attention should be paid to carve-outs built into defined terms. In other words, something that is excluded from a definition can often be as important as those things that are included. This tenet is borne out by the foreign financial institution exclusion whereby a bank organized outside the U.S. that is subject to similar regulatory oversight in its home jurisdiction is not required to furnish the same beneficial ownership information previously provided to, and maintained by, its functional regulator. This may seem obvious at first glance but it is the sort of distinction that could be confused by client onboarding teams.

Take Note of the Footnotes

Throughout the text of the Final Rule, there are numerous footnotes (188 in total), which are often quite helpful and reader-friendly. In fact, many are so well-written and informative that it is an excellent idea to thumb through a few of the footnotes at the bottom of a page before reading the text above. For example, footnotes 13, 16 and 20 provide concise definitions of shell companies, shelf corporations and front companies, respectively, all of which can be used to conceal illicit financial activities. On the other hand, footnote 42 provides a clear window into the thought process of the regulator as it summarizes FinCEN’s expectation of the extent to which a covered financial institution may reasonably rely upon information provided to it by a legal entity customer as satisfactory evidence of the “true identity” of its beneficial owner(s). However, there is a very curious detail the drafters imbedded whereby a covered financial institution must “Verify the identity of each beneficial owner . . . according to risk-based procedures to the extent reasonable and practicable.”11 The conundrum here is that the standard for determining what is reasonable is objective in nature and requires one to do what a majority of one’s peers would do under similar circumstances, whereas the standard for determining what is practicable is subjective in nature and allows one to do what one is able to do within the boundaries of one’s own internal policies and procedures—even if contrary to the majority’s view. Since the drafters have positioned these opposing concepts as qualifiers for a firm’s “risk-based procedures,” it would seem that the regulator is giving some latitude for firms to use their best judgment. Minimum standards for verification include reliance upon the information supplied by the customer, so long as the firm has no knowledge of any fact that would call into question the reliability of such customer-provided information. To aid in the process of properly identifying and verifying beneficial owners and establishing industry best practices, the CDD Final Rule includes Appendix A to § 1010.230—Certification Regarding Beneficial Owners of Legal Entity Customers, which is a sample form to serve as an industry template.

Technological Innovation:
The Future is Now

During an address given at the February 4, 2019, SIFMA Anti-Money Laundering & Financial Crimes Conference, FinCEN Director Kenneth A. Blanco stated that “we must keep pace with evolving forms of illicit finance threats and related crimes, and close any regulatory gaps that expose our financial system to money laundering and the other underlying illicit activities that threaten our financial system and put our nation, communities, and families in harm’s way.”12 In his remarks, Blanco emphasized FinCEN’s recognition of the importance to “upgrade and modernize our system where needed” and encouraged firms to innovate by “improving their ability to identify customers and monitor transactions by experimenting with new technologies that rely on advanced analytical techniques including artificial intelligence and machine learning.” From this, it seems one thing is certain: An ever-increasing reliance on technological advances will be the norm as the vast amounts of customer information gathered, analyzed and stored by firms in order to meet their regulatory obligations continues to grow.

Kevin Antis, J.D., CAMS, New York, NY, USA,

  1. “Customer Due Diligence Requirements for Financial Institutions; Final Rule,” Financial Crimes
    Enforcement Network
  2. “Title 31 → Subtitle B → Chapter X,” Electronic Code of Federal Regulations,
  3. “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions,” Financial Crimes Enforcement Network, April 3, 2018,
  4. “Customer Due Diligence Requirements for Financial Institutions; Final Rule,” Financial Crimes
    Enforcement Network
  5. Ibid.
  6. “Implementation of Treasury’s New Customer Due Diligence Rule: A Step Toward Beneficial Ownership Transparency?” Congressional Research Service, October 31, 2018,
  7. “Joint Trades Support AML BO,” American Bankers Association, March 13, 2019, https://www.aba.
  8. “Title 31 → Subtitle B → Chapter X→Part 1010” Electronic Code of Federal Regulations,
  9. Ibid.
  10. Ibid.
  11. “Customer Due Diligence Requirements for Financial Institutions; Final Rule,” Financial Crimes
    Enforcement Network
  12. “Prepared Remarks of FinCEN Director Kenneth A. Blanco, delivered at the SIFMA Anti-Money Laundering & Financial Crimes Conference,” Financial Crimes
    Enforcement Network
    , February 4, 2019,

Leave a Reply