On May 11, the Financial Crimes Enforcement Network (FinCEN) released a final rule on new customer due diligence (CDD) requirements for financial institutions, including banks and broker/dealers. Because of the potential compliance challenges the new rules impose, the requirements do not become mandatory until May 11, 2018.  

FinCEN establishes four core elements of CDD that should be explicit requirements for any institution’s anti-money laundering program. These are:

1. Customer identification and verification;

2. Beneficial Ownership identification and verification;

3. Understanding the nature and purpose of customer relationships to develop a customer risk profile; and

4. Ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information.

The first requirement is already an AML program requirement and the new rule imposes the second requirement. While the third and fourth elements—understanding the nature and purpose of the customer relationship with ongoing monitoring—are implicitly required at present, the new rules explicitly set forth the third and fourth elements which essentially become a fifth pillar of a BSA/AML compliance program, added to BSA management, internal controls, independent testing, and appropriate training.

Under the Beneficial Ownership provisions, financial institutions must identify and verify the identity of the beneficial owners of all legal entity customers (other than those 16 entity types that are excluded) at the time a new account is opened. A Beneficial Owner is defined as each individual who owns or controls 25 percent or more of equity interests of a legal entity customer or a single individual with significant responsibility to control, manage, or direct a legal entity customer. The required information may be obtained on a standard certification form or by any other means that comply with the substantive requirements. The identification and verification procedures for beneficial owners are very similar to those for individual customers under existing CIP programs.

Additionally, the rules explicitly include risk based procedures for conducting ongoing customer due diligence, including understanding the nature and purpose of customer relationships for the purpose of developing and maintaining a customer risk profile. In addition, customer due diligence shall include ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information, including information on beneficial owners of legal entity customers. Given the fact that FinCEN considers these elements to be implicitly required under current law and the prominence given as a fifth pillar of a compliant BSA/AML compliance program, these procedures should be implemented as soon as possible, if not already in place, rather than waiting until May 2018 and risking examination criticism.