May 11, 2018

On the Horizon

Looming over the horizon is the long-awaited Customer Due Diligence (CDD) Final Rule that takes effect May 11, 2018. When the Treasury Department issued the rule on May 5, 2016, then Treasury Secretary Jacob Lew said, “the actions we are finalizing today mark a significant step forward to increase transparency and to prevent abusive conduct within the financial system.”

While the rule has caused quite a stir as particularly onerous to financial institution operations, FinCEN believes its implementation should not create an undue burden. Essentially, the rule is intended to explicitly codify FinCEN’s existing expectations that a financial institution has already incorporated internal controls to understand the nature and purpose of a member relationship relative to suspicious activity reporting.

“Fifth Pillar”

Current Anti-Money Laundering (AML) programs must include, at minimum:

  1. A system of internal controls
  2. Independent testing
  3. Designation of a compliance officer or individuals responsible for day-to-day compliance
  4. Training for appropriate personnel

These requirements are known as the four “pillars” of an AML program and collectively represent its foundation and structure.

The CDD Rule is an effort to strengthen a credit union’s AML program and is effectively the “fifth pillar”:

5. Covered institutions must have appropriate risk-based procedures for conducting ongoing CDD to understand the nature and purpose of customer relationships and to conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to maintain and update customer information.

Before you overwhelm yourself just reading that fifth pillar (it is certainly a mouthful), it’s likely you have most of the core elements already covered in your policies and internal controls. Simply consider the new “fifth pillar” as shoring up the current load-bearing first pillar (system of internal controls) and as an extension of your Customer Identification Program (CIP). Putting it in this perspective may help relieve any lingering apprehension.

Breaking it Down

While the Federal Register publication is 62 pages long (Vol. 81, No. 91, issued May 11, 2016), the basic requirements can be broken down as follows:



Exists Today | New or Expanded




  1. Identify & verify the identity of all legal entity customers at the time a new account is opened.
  • A legal entity includes those created by a filing with a state office or with a Secretary of State. It does NOT include: natural persons, sole proprietorships, unincorporated associations (e.g., Girl Scout troop), and others specified in the Rule.
  • Exempted from the requirement are, in part, publicly held companies, registered investment advisors and companies, SEC-registered entities, and others specified in the Rule.
  • Definition of beneficial owner (two-pronged definition):
    • Any individual who owns 25% or more of the legal entity (ownership prong).
    • One single individual with significant responsibility to control, manage, or direct a legal entity (e.g., a CEO, CFO, VP) (control prong).
  • Each prong is an independent test. An example of this:

Company A is owned by Person 1 (80%) and Person 2 (20%). Person 3 is the CEO of Company A.

In this example, the beneficial verification requirement would apply to Person 1 and Person 3.

2. Comply by obtaining the required information on a standard certification form or by any other means that comply with the substantive requirements (e.g., questionnaire).





  1. Customer Risk Profile refers to information gathered about a customer at account opening used to develop a baseline against which customer activity is assessed for suspicious activity reporting.
    • This may include self-evident information such as the type of customer or type of account, service, or product (e.g., a member who uses his/her account to make international transfers may be rated a higher risk than a member who has a savings account funded by direct deposit).
    • The profile may, but need not, include a system of risk ratings or categories of customers.


Implicitly Required | Explicitly Required



  1. Conduct ongoing monitoring to identify and report suspicious activities.
    • Most likely already in place.

  2. Identify transactions that are suspicious relative to the member’s risk.
    • These may be integrated into an automated monitoring system, although FinCEN does not stipulate HOW the monitoring must be done.

  3. During normal monitoring, if information is detected that is relevant in assessing or reevaluating the risk posed by the member, the member information must be updated. Such information could include significant and unexplained change in activity (e.g., cross-border wire transfers for no reason). It could also include information indicating a possible change in beneficial ownership.
    • This does not impose a categorical requirement that financial institutions must update information on a continuous basis. Rather, the updating requirement is event-driven and occurs from normal monitoring.


Implicitly Required | Explicitly Required

Are You Ready?

Most of the requirements should cause minimal disruption to your procedures and policies if you have a solid BSA/AML program in place. If you don’t, you now have a timely opportunity to look at your program holistically and tighten it up. For everyone, now is the time to fully acquaint yourself with the new Rule, receive and provide additional training, and revisit all policies, procedures, forms, notices, and processes. Documentation is going to be more important than ever. Be sure to document how you risk-rated a member and how you are conducting ongoing monitoring. Always record events that may be suspicious (or why they aren’t) and follow up accordingly. Remember, examiners and auditors will be closely scrutinizing your program for compliance with this new pillar.

Helpful Resources

We’ve gathered some information that might prove useful to your credit union as you implement these new requirements. These documents have been prepared by unrelated third parties respected within the industry for their compliance expertise. We neither represent nor endorse any of the sources listed below:

Federal Register Vol. 81, No. 91, issued May 11, 2016 by the Department of the Treasury.

CDD Checklist provided by CUNA.

Certification of Beneficial Ownership, provided by Banker’s Compliance Consulting.

Beneficial Ownership Requirement White Paper, LexisNexis.

As always, we are here to answer any questions or assist you in preparing for this new Rule. Give us a call at 866-965-2294 or email one of our auditors. We’re here as your trusted partner.