
What is the FinCEN CDD Rule?

Quick answer

The FinCEN Customer Due Diligence Rule requires covered financial institutions to collect and verify beneficial ownership data for legal entity customers, understand customer risk profiles, and conduct ongoing transaction monitoring. It became mandatory on May 11, 2018, and is codified at 31 CFR Parts 1010, 1020, 1023, 1024, and 1026.

The full answer

The FinCEN Customer Due Diligence Rule, finalized May 11, 2016 and mandatory since May 11, 2018, codified four requirements that covered financial institutions must embed in their AML programs. Three of those requirements were already in place before the rule, either as regulation (CIP) or as supervisory expectation expressed in FinCEN and examiner guidance. The genuinely new obligation was beneficial ownership identification and verification for legal entity customers.

The four pillars are:

  1. Customer identification and verification (CIP) for individuals and entities. This predates the CDD Rule; FinCEN's CIP requirements have been in effect since 2003.
  2. Beneficial ownership identification and verification. For each new account opened by a legal entity customer on or after May 11, 2018, the institution must obtain a certification (FinCEN's Appendix A form or an equivalent) identifying the natural persons behind the entity, and verify their identities.
  3. Understanding the nature and purpose of customer relationships. This means documenting a risk profile with expected transaction activity, not just completing an intake form.
  4. Ongoing monitoring. Transactions must be measured against that documented profile, and customer information must be updated when material changes occur.

The rule is codified at 31 CFR Parts 1010, 1020, 1023, 1024, and 1026 and applies to federally regulated banks, federally insured credit unions, savings associations, broker-dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities.

The beneficial ownership requirement in detail

Covered institutions must collect a certification form from legal entity customers at account opening. Two prongs apply:

  • Ownership prong: Every natural person who directly or indirectly owns 25% or more of the entity's equity must be named; because the threshold is 25%, this is at most four individuals. If no individual meets that threshold, no ownership-prong person needs to be listed.
  • Control prong: One individual with significant responsibility to control, manage, or direct the entity must always be identified, regardless of ownership percentage. A CEO, CFO, COO, general partner, managing member, or equivalent all qualify, and the same person may appear under both prongs.

Verification uses the same documentary or non-documentary procedures required under CIP. Reliance on the customer's certification is permitted unless the institution has knowledge of facts that call it into question.
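The two prongs are easy to state but easy to get wrong once an owner is itself a legal entity. The script below is an added worked example, not code from the page or from FinCEN: it walks an ownership graph, multiplies percentages along each chain (the proportional look-through used in FinCEN's own illustrations of indirect ownership), sums across chains, applies the 25% threshold, and attaches the control-prong individual. Entity names, percentages, and the `SAMPLE_HOLDINGS` data are constructed; the model assumes every intermediate owner is an ordinary legal entity whose owners are known, and does not model trusts or the excluded entity types.

```python
"""Beneficial ownership look-through (added example; constructed data).

holdings maps each legal entity to {owner: fraction of that entity's equity}.
Owners that do not appear as keys are treated as natural persons.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, Optional

THRESHOLD = 0.25          # ownership prong threshold under 31 CFR 1010.230
EPS = 1e-9                # float tolerance for "25% or more"

# Constructed sample: Holdco A is an intermediate entity, so its owners are
# looked through proportionally. Bob is the managing member (control prong).
SAMPLE_HOLDINGS: Dict[str, Dict[str, float]] = {
    "Acme Trading LLC": {"Alice": 0.40, "Holdco A": 0.50, "Bob": 0.10},
    "Holdco A": {"Carol": 0.60, "Dave": 0.40},
}


def validate_holdings(holdings: Dict[str, Dict[str, float]]) -> None:
    """Reject malformed equity tables: bad fractions or >100% allocated."""
    for entity, owners in holdings.items():
        total = 0.0
        for owner, frac in owners.items():
            if not 0 < frac <= 1:
                raise ValueError(f"{entity}: {owner} has invalid fraction {frac}")
            total += frac
        if total > 1 + EPS:
            raise ValueError(f"{entity}: equity allocated exceeds 100% ({total:.4f})")


def effective_owners(entity: str,
                     holdings: Dict[str, Dict[str, float]],
                     _stack: FrozenSet[str] = frozenset()) -> Dict[str, float]:
    """Effective fraction of `entity` held by each natural person.

    Each chain contributes the product of the fractions along it; a person
    reachable through several chains gets the sum. Cross-holdings (cycles)
    are rejected rather than silently looped over.
    """
    if entity in _stack:
        raise ValueError(f"circular ownership involving {entity}")
    stack = _stack | {entity}
    result: Dict[str, float] = defaultdict(float)
    for owner, frac in holdings[entity].items():
        if owner in holdings:                      # intermediate legal entity
            for person, sub in effective_owners(owner, holdings, stack).items():
                result[person] += frac * sub
        else:                                      # natural person (leaf)
            result[owner] += frac
    return dict(result)


def beneficial_owners(customer: str,
                      holdings: Dict[str, Dict[str, float]],
                      control_person: Optional[str]) -> dict:
    """Apply both prongs of the CDD Rule to a legal entity customer."""
    validate_holdings(holdings)
    if not control_person:
        # The control prong is unconditional: one individual must always be named.
        raise ValueError("control prong requires one individual")
    effective = effective_owners(customer, holdings)
    ownership = sorted(p for p, f in effective.items() if f >= THRESHOLD - EPS)
    return {
        "customer": customer,
        "ownership_prong": ownership,      # [] is legitimate if nobody reaches 25%
        "control_prong": control_person,
        "effective_ownership": effective,  # keep the working for the file
    }


if __name__ == "__main__":
    rec = beneficial_owners("Acme Trading LLC", SAMPLE_HOLDINGS, "Bob")
    for person, frac in sorted(rec["effective_ownership"].items()):
        print(f"{person:6s} {frac:6.1%}")
    print("ownership prong:", rec["ownership_prong"])
    print("control prong:  ", rec["control_prong"])
```

On the sample data, Carol is a 25%-or-more owner (60% of 50% = 30%) even though she never appears on the customer's own cap table, while Dave (40% of the holdco, 20% effective) is not, and Bob is captured only by the control prong. That is the analysis a certification form asks the customer to perform for you; reproducing it from the cap tables you actually hold is how you notice when a certification is wrong.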

Exempt entity categories

The rule itself, at 31 CFR 1010.230(e)(2), excludes a list of entity types from the definition of legal entity customer, and FinCEN's CDD Rule FAQs elaborate on them. Beneficial ownership collection is not required for publicly traded companies listed on a U.S. exchange, SEC-reporting companies, regulated financial institutions (banks, registered broker-dealers, registered investment advisers), and U.S. government agencies, among others. These entities already operate under ownership transparency regimes that serve the same purpose. The exclusion is entity-level: an excluded entity's own account is out of scope, but the institution still has to determine that the customer actually falls within one of the excluded categories.

Where the rule stands in 2025

The Corporate Transparency Act (CTA), whose reporting requirements took effect January 1, 2024, directs legal entities to report beneficial ownership information directly to FinCEN's BOI database, and directs FinCEN to revise the CDD Rule so that financial institutions can rely on that database rather than independently collecting certifications. Those revisions had not been finalized as of mid-2025. Two caveats matter for program design. First, FinCEN's March 2025 interim final rule removed domestic reporting companies and U.S. persons from the CTA reporting requirement, so the database will not cover most U.S. legal entity customers. Second, the 2018 CDD Rule requirements remain fully in force; nothing about the CTA changed what examiners expect today.


Why this matters

Weak CDD programs are among the most consistently cited root causes in FinCEN enforcement actions and federal bank examination findings. The link to SAR obligations is direct: if an institution doesn't know what a customer's expected activity looks like, it can't identify when something looks wrong. The fourth pillar (ongoing monitoring) is only as good as the third (understanding the relationship). Without a documented risk profile, monitoring alerts against nothing coherent.

The beneficial ownership requirement addresses a specific structural gap. Shell company structures are a primary vehicle for trade-based money laundering, sanctions evasion, and professional money laundering networks. Collecting a certification form is the regulatory floor. The real compliance question is whether the institution actually understands who it's banking. The 25% ownership threshold is a starting point, not a complete answer: layered holding companies, nominee arrangements, and split holdings just under the threshold all require the institution to look through the structure rather than stop at the first cap table.

The OCC's BSA/AML Comptroller's Handbook states that CDD should be "risk-based and commensurate with the risks posed by the customer." Collecting the form without using it in risk rating decisions is not considered adequate by examiners, and we've seen institutions learn that the hard way.

Stale records are among the most common exam failure modes. A beneficial ownership certification filed at account opening that was never updated after a restructuring, acquisition, or change in management is a control failure, not a filing artifact, and examiners treat it as such. The CDD Rule's trigger is event-driven, not calendar-driven: customer information, including beneficial ownership, must be updated when the institution detects, in the course of normal monitoring, information relevant to assessing or reevaluating the customer's risk. The same trigger should drive the refresh of the customer's risk rating.

For higher-risk relationships, CDD alone isn't sufficient. Enhanced due diligence adds source of wealth documentation, source of funds verification, senior management sign-off, and more frequent reviews. The CDD Rule sets the floor; EDD is the response to elevated risk signals.

Where AI tools are deployed for transaction monitoring, the accuracy of the underlying CDD data determines model performance. Monitoring built on incomplete or stale customer profiles produces alerts that are harder to triage. Industry estimates commonly put the false positive rate in AML monitoring at 95% or higher. Bad CDD makes it worse, because the model has no accurate baseline against which to measure deviation.

CDD failures compound into broader exam problems. A failed AML exam typically traces back to CDD deficiencies documented across multiple exam cycles. Prior findings on record also directly affect what triggers a regulatory exam, including targeted examinations focused specifically on whether prior CDD deficiencies were remediated.

Some institutions are now moving toward perpetual KYC models, which replace periodic refresh cycles with continuous event-driven updates. That's a direct operational response to the ongoing monitoring obligation in the CDD Rule's fourth pillar. The rule requires that institutions update customer information when material changes occur; perpetual KYC automates the detection of those changes rather than relying on periodic reviews to catch them.

Enforcement history makes the stakes concrete. U.S. Bancorp's February 2018 deferred prosecution agreement with the DOJ was part of a coordinated resolution totaling $613 million in penalties across the DOJ, FinCEN, the OCC, and the Federal Reserve. CDD failures were a contributing factor alongside broader BSA program breakdowns. Both the definition of suspicious activity and the SAR filing timeline presuppose that the institution has a coherent CDD program to begin with. Without one, the obligation to file SARs cannot be met in practice, not just in theory.

