The Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) has adopted new anti-money laundering (“AML”) regulations that impose additional customer due diligence requirements on certain financial institutions (the “CDD Rule”).[1] These new regulations, originally proposed about two years ago,[2] were announced on the heels of the unprecedented leak of confidential files of the Panamanian law firm, Mossack Fonseca.[3] The White House described the CDD Rule as another arrow in the government’s quiver to combat “corrupt officials, tax cheats, and other criminals” who have used “anonymous shell companies” to, among other things, “hide assets, engage in money laundering, or avoid taxes in their home countries.”[4]

FinCEN adopted the CDD Rule with the purpose of clarifying and strengthening the AML requirements for banks, brokers or dealers in securities, mutual funds, and futures commission merchants and introducing brokers in commodities (“covered financial institutions”). At its core, the CDD Rule requires covered financial institutions to identify and verify the identity of the beneficial owners of their legal entity customers. The deadline for compliance is May 11, 2018.[5]
Initially, the AML regulatory regime under the Bank Secrecy Act imposed certain recordkeeping and reporting requirements on banks and thrifts. However, in a series of legislative and regulatory actions, particularly in the period following the September 11 terrorist attacks, AML requirements have been tightened substantially and covered financial institutions expanded to include, among others, not only banks and thrifts, but also broker-dealers and mutual funds.[6]

For many years, AML compliance programs have been required to include, at a minimum, the so-called “four pillars” of AML compliance: (1) internal policies, procedures, and controls; (2) an AML compliance officer; (3) ongoing employee training; and (4) an independent audit.[7] The CDD Rule reflects FinCEN’s belief that there are four key elements of effective customer due diligence. These elements are:

  1. customer identification and verification;
  2. beneficial ownership identification and verification;
  3. understanding the nature and purpose of customer relationships to develop a customer risk profile; and
  4. ongoing monitoring for reporting suspicious transactions and, on a risk adjusted basis, maintaining and updating customer information.

The first element is already satisfied by existing customer identification requirements. The CDD Rule now requires the second element and incorporates the third and fourth elements, which have been an implicit part of monitoring for suspicious activity, as a “fifth pillar” of AML compliance. This alert focuses on the latter three elements of customer due diligence.

Beneficial Ownership Identification and Verification

Currently, AML regulations do not require covered financial institutions to identify the individuals that own or control their legal entity customers. The CDD Rule changes this by requiring covered financial institutions “to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of legal entity customers” that open new accounts “and to include such procedures in their anti-money laundering compliance program required under 31 U.S.C. 5318(h) and its implementing regulations.”[8] The CDD Rule also requires covered financial institutions to obtain a certification from individuals opening an account on behalf of a legal entity customer that the beneficial ownership information supplied is true and accurate to the best of the individual’s knowledge.[9] Covered financial institutions must record the beneficial ownership information and generally must maintain it for a period of five years.[10] Additionally, policies and procedures for compliance with the CDD Rule must be included as part of a covered financial institution’s AML compliance program.

An understanding of the CDD Rule’s defined terms is essential in crafting appropriate policies and procedures for an AML compliance program. The rule’s key definitions are “legal entity customer,” “beneficial owner,” “account,” and “new account.”

Legal Entity Customer

The CDD Rule requires covered financial institutions to identify the individuals who own or control their legal entity customers. A “legal entity customer” is defined as any corporation, limited liability company, or other entity that is created by the filing of a public document with a secretary of state or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction, that opens an account.[11] However, public companies and certain entities already subject to another regulatory regime, such as federally registered investment companies, investment advisers, and broker-dealers, are excluded from the definition.[12] Additionally, pooled investment vehicles are excluded if they are operated or advised by a financial institution that is excluded.[13] Accordingly, private funds advised by a federally registered investment adviser are excluded.

Beneficial Owner

Once a covered financial institution identifies its legal entity customers, it must then identify their beneficial owners. The CDD Rule defines “beneficial owner” as: (1) each individual, if any, who directly or indirectly owns 25% or more of the equity interests of a legal entity customer (the “ownership prong”);[14] and (2) a single individual with significant responsibility to control, manage, or direct a legal entity customer (the “control prong”).[15] In the case of a trust that meets the 25% threshold, a covered financial institution need only identify the trustee of the trust under the ownership prong.[16] Also, under the ownership prong, if a person excluded from the definition of legal entity customer meets the 25% threshold, a financial institution is not required to identify the excluded entity’s individual equity owners.[17] Covered financial institutions may rely upon representations about equity ownership provided by the legal entity customer, provided they have no knowledge of facts that would reasonably call the reliability of those representations into question. Significantly, in the absence of such red flags, there is no duty to investigate whether beneficial owners are attempting to avoid the reporting requirements.

While it is possible for a legal entity customer to have no qualifying disclosures under the ownership prong, all legal entity customers must disclose at least one natural person under the control prong. This individual can be an executive or senior officer (e.g., a chief executive officer, chief financial officer, chief operating officer, managing member, general partner, president, vice president, treasurer) or any other individual who regularly performs similar functions.[18] Thus, all legal entity customers will have to designate at least one individual who can satisfy the control prong of the definition.

Account and New Account

After a financial institution identifies its legal entity customers and their beneficial owners, it must identify the accounts for which it is required to record such ownership information and monitor for suspicious activity. The definition of “account” is specific to the particular type of covered financial institution.[19] For example, if the covered financial institution in question is a mutual fund, an account is defined as “any contractual or other business relationship between a person and [the] mutual fund established to effect transactions in securities issued by the mutual fund, including the purchase or sale of securities.”[20] Notably, it is common in the financial industry for broker-dealers and other financial intermediaries to open omnibus or similar accounts with mutual funds to facilitate investments by their customers. If the intermediary is excluded from the definition of legal entity customer under the CDD Rule, then the mutual fund would not be required to obtain any beneficial ownership information about underlying customers. FinCEN recognizes that, in such case, the entity maintaining the omnibus account is better positioned to perform such an inquiry.[21]

The CDD Rule distinguishes between existing accounts and new accounts. Under the rule, “new account” is defined as any account opened at a covered financial institution by a legal entity customer on or after May 11, 2018.[22] The definition captures each account opened on or after the compliance date, not just the first account opened by a given customer. Thus, the beneficial ownership requirement is not retroactive, and covered financial institutions will only need to gather certified beneficial ownership information from legal entity customers opening accounts on or after May 11, 2018.

Customer Relationships and Risk Profiles

Generally, covered financial institutions currently undertake to know their customers, and the CDD Rule’s requirement to understand the nature and purpose of customer relationships codifies this practice.[23] Not every customer presents the same degree of risk with respect to money laundering. Like the current AML regime, the CDD Rule prescribes a risk-based approach to monitoring customer behavior for money laundering activity.

The CDD Rule requires covered financial institutions to develop a risk profile for each customer.[24] For purposes of the rule, “customer risk profile” refers to the information gathered about a customer at the time an account is opened. This information is used as a baseline against which customer activity can be assessed for purposes of suspicious activity reporting. More specifically, a financial institution must understand the nature and purpose of the customer relationship in order to understand the types of transactions in which a particular customer would normally be expected to engage. Thus, for example, as a part of their suitability due diligence at account opening, broker-dealers are expected, inter alia, to inquire about the source of the customer's assets and income.[25] This will establish a baseline against which the broker-dealer can subsequently determine if the inflow and outflow of cash and securities is consistent with the customer’s financial status and expected trading patterns. It also enables broker-dealers to detect and investigate any deviations from the customer’s predicted behavior.

Monitoring for Suspicious Transactions and Updating Customer Information

Covered financial institutions will be obligated, consistent with the fourth element of customer due diligence, to monitor customer accounts for suspicious transactions.[26] The adopting release makes clear that this obligation applies to both existing and new accounts. Similarly, the obligation to update customer information also applies to all accounts. However, there is no expectation that a covered financial institution obtain updated beneficial ownership information from its legal entity customers on a continuous basis. Rather, a financial institution must update its customer information only when it becomes aware of new facts, including a change in beneficial ownership, about a customer in the course of its normal risk-based monitoring.

By requiring covered financial institutions to update customer information, including disclosures regarding the beneficial ownership of legal entity customers, the CDD Rule strengthens the existing requirement to report suspicious activity.[27] This obligation is not intended to be continuous, but rather risk based and event driven. In other words, the beneficial ownership information gathered by covered financial institutions is only a snapshot of the legal entity customer at the time a new account is opened. Such information should be updated when, through risk-based monitoring, the financial institution becomes aware of facts that alter its understanding of the customer’s beneficial ownership and risk profile. Accordingly, the third element of customer due diligence informs the fourth, because an up-to-date risk profile will enable a financial institution to accurately identify transactions that are not of the sort in which the customer would normally be expected to engage.
The adoption of the CDD Rule coincided with the Panama Papers leak and its revelations about potential contemporary money laundering practices. The rule’s aim is to enhance the effectiveness of AML compliance programs by explicitly requiring what many financial institutions, in the exercise of prudent business practices, have been doing for some time — implementing risk-based procedures reasonably designed to detect and respond to red flags. The regulatory burden imposed by the rule is tempered by the exclusions provided for public companies and regulated entities, the rule’s generally prospective focus, and the fact that the rule builds upon well-established principles of customer identification and suspicious activity reporting. However, the CDD Rule will require covered financial institutions to review and supplement existing customer identification programs, coordinate with third parties, and modify systems and processes to meet the new requirements. Although financial institutions have two years to come into compliance, implementation of necessary changes could take considerable time. Accordingly, firms should begin to address the new requirements promptly, especially in light of the current focus on AML compliance by regulators and law enforcement authorities.