FinCEN CDD Rule: What It Requires and Who It Applies To
The FinCEN Customer Due Diligence Final Rule, issued by the Financial Crimes Enforcement Network under the Bank Secrecy Act, requires banks, broker-dealers, and mutual funds to identify and verify the beneficial owners of legal entity customers, understand the nature and purpose of customer relationships, and conduct ongoing monitoring. Compliance became mandatory on May 11, 2018.
What is the FinCEN CDD Rule?
The FinCEN Customer Due Diligence Final Rule (81 FR 29397) is a U.S. federal anti-money laundering regulation issued by the Financial Crimes Enforcement Network. FinCEN published the final rule on May 11, 2016, giving covered institutions a two-year implementation period. The compliance deadline was May 11, 2018.
The rule was introduced to close a specific structural gap. Anonymous shell companies and legal entities with opaque ownership structures were moving illicit funds through U.S. banks, because neither regulators nor institutions had a reliable mechanism to trace who actually owned or controlled those entities. The 2016 FATF Mutual Evaluation of the United States identified beneficial ownership gaps as a systemic weakness in the U.S. AML regime, consistent with what FATF Recommendation 10 has long required of FATF member countries.
The rule added a fourth pillar to the existing compliance framework. Under the BSA (US-FinCEN) and the Customer Identification Program requirements codified in Section 326 CIP (US-FinCEN), institutions were already required to verify individual customers, monitor transactions, and file suspicious activity reports. The CDD Rule's fourth pillar added a structured obligation: identify and verify the beneficial owners of legal entity customers, and monitor those relationships over time.
For large banks, this formalized practices many compliance teams already ran informally. For community banks and smaller broker-dealers, it created a formal program requirement for the first time.
Who does the FinCEN CDD Rule apply to?
The rule applies to "covered financial institutions" as defined at 31 CFR § 1010.605(e)(1). There are no asset size exemptions. Any institution in a covered category must comply, regardless of size or business model.
Covered entity types:
- Banks: Federally insured commercial banks, state-chartered banks that are members of the Federal Reserve System, and federally and state-chartered savings associations insured by the FDIC. Community banks are fully covered.
- Broker-dealers: Firms registered with the SEC under Section 15 of the Securities Exchange Act of 1934, including those operating in government and municipal securities markets.
- Mutual funds: Open-end investment companies registered under Section 8 of the Investment Company Act of 1940.
- Futures commission merchants (FCMs): Registered with the CFTC under the Commodity Exchange Act.
- Introducing brokers in commodities: Those registered with the CFTC.
Foreign banks with U.S. branches are covered. Private banks offering services to non-U.S. persons carry parallel obligations under 31 USC § 5318(i).
Not all legal entity customers trigger the beneficial ownership collection obligation. The rule exempts publicly traded companies listed on U.S. exchanges, regulated financial institutions, government entities, and other categories listed at 31 CFR § 1010.230(e)(2). The exemption must be documented and verified before it's claimed. Examiners regularly find exemption claims that are factually wrong; that's a deficiency finding on its own.
What does the FinCEN CDD Rule require?
The rule establishes four core obligations, commonly called the "four pillars":
Customer identification and verification: Collect and verify identifying information for individual customers. This predates the CDD Rule; it comes from the CIP requirements in Section 326 CIP (US-FinCEN). The CDD Rule incorporated CIP as pillar one for program completeness.
Beneficial ownership identification and verification: For every new account opened by a legal entity customer, identify and verify:
- Each individual who owns, directly or indirectly, 25% or more of the equity interests of the legal entity (the "ownership prong"). Up to four individuals can meet this threshold simultaneously.
- One individual with significant responsibility for managing or controlling the entity (the "control prong"): a CEO, CFO, COO, managing member, general partner, president, or functional equivalent. The control prong is mandatory regardless of equity ownership percentages.
Verification must follow CIP standards: documentary (government-issued ID) or non-documentary (database checks). Institutions may rely on certifications from the legal entity customer using FinCEN's standard beneficial ownership certification form.
Understanding the nature and purpose of customer relationships: Develop a risk profile for each customer at account opening. The rule doesn't prescribe a specific format. Regulators expect that profile to inform monitoring thresholds and decisions about when Enhanced Due Diligence (EDD) is warranted.
Ongoing monitoring: Monitor customer transactions for suspicious activity and update customer information when material changes occur. Higher-risk customers require more frequent review, not just event-driven checks. The SAR Filing (US-FinCEN) obligation remains in place: when monitoring surfaces suspicious activity, institutions must file within 30 days of detection.
Record retention: All CDD records, including beneficial ownership certification forms, must be retained for five years after account closure, per 31 CFR § 1010.430.
Timing: The beneficial ownership obligation applies at account opening. The rule doesn't mandate periodic re-certification on a fixed schedule, but institutions must update records when they learn of material ownership changes.
What evidence do regulators expect?
OCC, FDIC, Federal Reserve, and FinCEN examiners use the FFIEC BSA/AML Examination Manual as their primary reference. On a CDD examination, they look for:
- Written CDD policies and procedures: A board-approved program describing how the institution identifies covered legal entity customers, collects and verifies beneficial ownership, and updates records when ownership changes. Policies must be current and consistently applied.
- Beneficial ownership certification forms: Completed and signed certifications from legal entity customers, or equivalent independent verification documentation. Blanket exemption claims without supporting evidence are a deficiency.
- Customer risk-rating methodology: A documented, consistently applied process for assigning risk ratings at onboarding. Examiners verify that higher-risk ratings trigger appropriate monitoring intensity and EDD.
- Training records: Annual logs confirming that relationship managers, account officers, and compliance personnel received CDD-specific training. Examiners sample training content for accuracy, not just completion timestamps.
- Transaction monitoring documentation: Evidence that alert thresholds reflect the customer risk profiles established at onboarding, along with tuning logs showing those thresholds are reviewed periodically.
- Case management records: Documentation that triggered alerts were investigated, escalated, or cleared with a written rationale. If a SAR was filed, the decision must trace back to the monitoring system.
- Independent audit results: Reports from internal audit or external testing of the CDD program, with management responses and evidence of actual remediation for prior findings.
Examiners also conduct transactional testing. They sample accounts opened after May 11, 2018 and confirm that beneficial ownership forms were collected at or before account opening, not retroactively.
Common failure modes
Examiners cite the same deficiencies repeatedly, across institutions of all sizes:
- Stale beneficial ownership records: Collecting the certification form at account opening and never updating it when ownership changes. When corporate ownership shifts after a restructuring or private equity transaction, many institutions have no process to detect or record the change. The 2024 TD Bank enforcement action, which resulted in $3 billion in penalties from DOJ and FinCEN, cited sustained failures to update customer records as risk indicators changed. The DOJ announcement is the most detailed public account of systemic CDD breakdowns at a major U.S. bank.
- Exemption claims without verification: Asserting that a legal entity is exempt without confirming the exemption actually applies. Examiners find factually incorrect exemption claims regularly.
- Missing the control prong: Collecting the 25% ownership information but failing to identify a control prong individual. Both are required. Neither is optional.
- Failure to look through holding structures: Treating the immediate entity as the customer without identifying the beneficial owners of its parent. A subsidiary of a private holding company isn't automatically exempt.
- Risk ratings that don't move: Setting a customer risk rating at onboarding and leaving it unchanged even when transaction patterns diverge from the stated profile. USAA Federal Savings Bank's 2022 $140 million FinCEN penalty cited this as a core program deficiency. The FinCEN enforcement actions page has the full consent order.
- Undertrained front-line staff: Account officers opening accounts without knowing which entity types trigger the beneficial ownership requirement, or what the 25% threshold means in practice.
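The look-through and control-prong failures above can be caught mechanically at onboarding. The following is an added example, not code from the page or from any vendor named on it; it assumes the multiplicative method for indirect ownership (a 50% stake in a holding company that owns 60% of the customer counts as 30%) and uses a constructed cap table.

```python
from dataclasses import dataclass
from typing import Optional

OWNERSHIP_THRESHOLD = 0.25   # the rule's ownership prong

@dataclass
class Entity:
    """Cap table of one legal entity: holder name -> fraction of equity.
    Holders that are themselves entities are looked through; all other
    holders are natural persons. `controller` is the control-prong
    individual, if one has been recorded."""
    holders: dict
    controller: Optional[str] = None

def indirect_ownership(customer: str, entities: dict, max_depth: int = 10) -> dict:
    """Aggregate each natural person's direct and indirect stake in `customer`
    (multiplicative method, assumed). Cyclic or very deep chains raise so a
    bad cap table is surfaced rather than silently scored."""
    totals: dict = {}

    def walk(name: str, scale: float, depth: int) -> None:
        if depth > max_depth:
            raise ValueError(f"ownership chain through {name!r} too deep or cyclic")
        for holder, frac in entities[name].holders.items():
            if holder in entities:                      # another legal entity
                walk(holder, scale * frac, depth + 1)
            else:                                       # natural person
                totals[holder] = totals.get(holder, 0.0) + scale * frac

    walk(customer, 1.0, 0)
    return totals

def beneficial_owners(customer: str, entities: dict) -> dict:
    """Apply the ownership prong and check the control prong; return the
    individuals to verify plus the program findings an examiner would raise."""
    totals = indirect_ownership(customer, entities)
    owners = sorted(p for p, f in totals.items() if f + 1e-9 >= OWNERSHIP_THRESHOLD)
    findings = []
    if len(owners) > 4:
        findings.append("more than four 25% owners: cap table exceeds 100%")
    if entities[customer].controller is None:
        findings.append("control prong individual not identified")
    return {"owners": owners, "controller": entities[customer].controller,
            "findings": findings}

# Constructed sample: Acme Holdings owns 60% of the customer; Alice holds 50%
# of Acme Holdings (30% on look-through), Bob 30% (18%), Eve 20% (12%).
# Carol and Dave each hold 20% directly and fall below the threshold.
ENTITIES = {
    "Acme Trading LLC": Entity({"Acme Holdings": 0.6, "Carol": 0.2, "Dave": 0.2}),
    "Acme Holdings": Entity({"Alice": 0.5, "Bob": 0.3, "Eve": 0.2}),
}

if __name__ == "__main__":
    print(beneficial_owners("Acme Trading LLC", ENTITIES))
```

Treating only the immediate cap table as the customer would list no 25% owner at all here; the look-through surfaces Alice, and the missing control-prong record is reported as a finding.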
Penalties for non-compliance
FinCEN has broad authority to assess civil money penalties under 31 USC § 5321. For willful violations, penalties can reach the greater of $100,000 per day or the amount of the transaction involved. Criminal penalties under 31 USC § 5322 can reach $500,000 per violation and include imprisonment.
Program-level failures draw far larger penalties:
- TD Bank (2024): Pleaded guilty to conspiracy to commit money laundering. Total resolution was $3 billion: $1.3 billion to FinCEN and DOJ, with additional settlements from the OCC and the Federal Reserve. The DOJ announcement described years of willful BSA/AML failures, including CDD breakdowns that allowed drug cartel proceeds to move through the bank undetected.
- Capital One (2021): $390 million civil money penalty from FinCEN for willful BSA violations. The FinCEN assessment cited failure to implement and maintain an effective AML program, including CDD obligations on a large portfolio of cash-intensive business customers.
- USAA Federal Savings Bank (2022): $140 million from FinCEN and the OCC. The FinCEN consent order cited customer due diligence failures and failure to monitor accounts at a level commensurate with actual customer risk.
Beyond financial penalties, FinCEN can impose multi-year remediation programs under consent orders, restrict transaction types, and refer matters to DOJ for criminal prosecution. In egregious cases, individual compliance officers can face personal liability.
Related regulations and frameworks
The CDD Rule sits within a layered regulatory structure at both the U.S. and international levels.
At the federal level, it is a direct extension of the BSA (US-FinCEN), the foundational U.S. AML statute. The AMLA 2020 (US-FinCEN) built on the CDD Rule's beneficial ownership requirements by directing FinCEN to create a national beneficial ownership registry under the Corporate Transparency Act. That registry is a separate legal obligation: institutions can't substitute a CTA registry query for collecting beneficial ownership at account opening. The two programs run in parallel.
For broker-dealers, FINRA Rule 3310 imposes AML program requirements that overlap with the CDD Rule. Nationally chartered banks face parallel requirements under 12 CFR Part 21, administered by the OCC.
At the international level, the CDD Rule is the U.S. implementation of FATF Recommendation 10, which requires FATF member countries to impose CDD obligations on financial institutions. FATF Recommendation 24 sets the international standard for beneficial ownership transparency of legal entities and directly informed the rule's design.
EU equivalents include the 6th Anti-Money Laundering Directive and the forthcoming EU AML Regulation, which impose similar beneficial ownership requirements on EU financial institutions. Institutions operating across both jurisdictions need to reconcile the U.S. 25% ownership threshold with EU member state thresholds, which vary from 10% to 25% depending on jurisdiction.
How FluxForce supports FinCEN CDD Rule compliance
FluxForce's AI agents automate the four pillars of CDD: collecting and verifying beneficial ownership data at account opening, building customer risk profiles, monitoring transactions against those profiles, and flagging material changes that require record updates. Nova Sentinel runs ongoing monitoring across entity relationships, while Aiden Flux handles identity verification and UBO resolution for legal entity customers. Every decision includes a full audit trail that satisfies examiner documentation requirements. Book a demo to see how FluxForce maps to your institution's CDD obligations.