5/10/18 - Complying with FinCEN’s CDD Rule

The long-awaited compliance deadline for the Financial Crimes Enforcement Network’s customer-due-diligence rule, the so-called “fifth pillar”[1] of Bank Secrecy Act/anti-money-laundering programs, is May 11, 2018. The CDD rule aims to clarify and strengthen customer due diligence by requiring firms to develop customer risk profiles and to collect and verify beneficial-ownership information for legal-entity customers. The rule applies to covered financial institutions, including broker-dealers, banks, mutual funds, and futures commission merchants. Of note to broker-dealers is the Financial Industry Regulatory Authority’s recent amendment to its rule for anti-money-laundering compliance programs, rule 3310, to conform to the CDD rule’s requirements.[2] The implementation date of the amendment is May 11, the same date as the compliance deadline for the CDD rule.

Since FinCEN finalized the CDD rule two years ago, it has issued an amendment and published two sets of frequently asked questions, which emphasize that several aspects of the rule simply codify current expectations.[3] Overall, however, the rule aims to help firms identify suspicious activity, particularly activity that is consistent with the attempts of criminals, kleptocrats, and other nefarious actors to hide gains.

The broad reach of the CDD rule, its amendment, and some lingering interpretive issues have made it difficult for firms to operationalize the rule’s requirements while ensuring full compliance. Many continue to struggle with implementation and are likely to look to industry-wide regulatory developments, alerts, guidance, and examinations — rather than enforcement actions — for clear, practicable expectations and best practices.

Knowns and Unknowns

While FinCEN has clarified numerous technical questions in its FAQs, certain interpretive issues remain, such as the handling of customers in pooled investment vehicles. Time will tell how financial institutions proceed with their risk-based approaches and whether those approaches are more conservative than what the rule requires. For example, many FIs already use an ownership threshold of 10% for riskier customers, rather than the required 25%. Over time, the availability and value of data analytics and artificial-intelligence technology are likely to inform changes to firms’ approaches.

Effective CDD is Critical to Preventing Illicit Financial Activity

The process steps for effective customer due diligence are[4]:


Requirements of FINRA’s Amended Rule 3310

On May 3, 2018, FINRA filed for an amendment to rule 3310 to conform to FinCEN’s CDD rule. For FINRA member firms, rule 3310 now requires that AML programs must, “at a minimum, include appropriate risk-based procedures for conducting ongoing customer due diligence.”[5] Specifically, firms are required to:

  • Understand “the nature and purpose of customer relationships for the purpose of developing a customer risk profile”[6]
  • Conduct monitoring on an ongoing basis to “identify and report suspicious transactions” and “to maintain and update customer information,” including “information regarding the beneficial owners of legal entity customers (as defined in 31 CFR 1010.230(e))”[7]

Developing Customer Risk Profiles

Firms must understand the “nature and purpose of customer relationships” and establish a “baseline” to assess suspicious activity (i.e., a customer risk profile).[8] Customer risk profiles should include:

  • The activity history of existing customers[9]
  • A determination of whether flagged transactions are suspicious (although firms are not “necessarily required” to make profiles part of their transaction-monitoring systems)[10]

According to its stated exam priorities, the Securities and Exchange Commission will also assess whether firms are taking “reasonable steps to understand the nature and purpose of customer relationships.”[11]

Updating Customer Risk Profile Based on Monitoring

Firms must maintain and update customer information (including beneficial-ownership information). While they do not need to update customer information on a continuous basis, they must update information if suspicious-activity monitoring reveals “information that is relevant to assessing the customer’s risk profile.”[12]

  • Much of this provision codifies existing supervisory and regulatory expectations. In addition, rule 3310 has long required broker-dealers to establish and implement policies and procedures reasonably designed to detect (and prompt reporting of) suspicious activity. Maintaining accurate customer-risk-profile information is necessary for such monitoring.[13]
  • Exam and enforcement priority: AML compliance remains a focus of securities regulators and is one of FINRA’s 2018 regulatory and examination priorities.[14] FINRA has stated that member firms should ensure their AML programs are updated, as necessary, to comply with the CDD rule by May 11. FINRA expects customer-information procedures to be in place and able to describe how the results of suspicious-activity monitoring affect customer information.[15]

Identifying and Verifying Beneficial Ownership

Firms must maintain written procedures for identifying and verifying the beneficial owners of legal-entity customers. Firms must identify: (1) individuals who directly or indirectly own 25% or more of the legal entity, and (2) one “control” owner,[16] or a senior individual with access to day-to-day information about the entity (e.g., a C-suite executive).

The following guidelines and scenarios also apply:

  • Collection should be on a going-forward basis, unless monitoring suggests that a reassessment of customer risk is necessary.
  • If customers open multiple accounts with the same institution, the institution may rely on previously provided beneficial-ownership information if the customer certifies or confirms (verbally or in writing) that the information is up-to-date and accurate at the opening of each subsequent account and the institution has no data to suggest otherwise.[17]
  • Certain requirements, particularly those related to customers of securities firms, remain unclear. Implementation approaches may ultimately depend on the risk appetite of each firm.

Suggestions for Securities Firms

Firms can take several steps to prepare for the CDD rule and the amendment to FINRA’s rule 3310:

  • Confirm that AML programs are consistent with the new requirements by developing written, risk-based procedures for ongoing due diligence, operationalizing processes to develop customer risk profiles, and demonstrating links between customer risk profiles and suspicious-activity monitoring
  • Consider the new due-diligence rules’ “minimum” requirements and determine any additional measures to take, based on the unique risks they face
  • Confirm the comprehensiveness of AML programs during upcoming audit cycles to assess adequacy before examiner reviews and comply with independent-review requirements

How Promontory Can Help

Understanding Firm-Specific Challenges. We understand that effective AML and financial-crime risk management and compliance programs address firm-specific risks, including risks stemming from a firm’s customer base, product mix, and geographic footprint. Such programs must also account for any broader supervision and culture issues — a key focus for regulators when evaluating program deficiencies.

An Expert-Led Approach. Our professionals are subject-matter experts who have worked in senior positions at financial institutions and regulatory agencies, including securities regulators, around the world. We have drafted regulations, advised government officials, and supported clients in their fight against criminals and terrorists. During engagements, our senior experts provide tailored, actionable recommendations and take a hands-on approach to mitigate risk and help clients interpret and operationalize new and evolving regulatory requirements.

IBM: A Partner in Excellence. With IBM’s world-class technology solutions, we have unmatched, end-to-end execution capabilities on a global scale.

Contact Us

Dustin Palmer
Managing Director
+1 202 384 1141

Conway Dodge
Managing Director
+1 202 370 0461

Elizabeth Bethoney
Vice President of AML Operations, Promontory Risk Review
+1 720 612 5000

Christine Livingston
+1 202 384 1053

Richard Patterson
+1 202 370 0466

1. The other four pillars are: (1) internal controls, (2) independent testing, (3) designation of an anti-money-laundering compliance officer, and (4) ongoing training. The Financial Industry Regulatory Authority’s AML compliance-program rule also requires the development of procedures to detect and enable monitoring of suspicious activity.

2. “Regulatory Notice 18-19,” FINRA (May 3, 2018).

3. The rule was published on May 11, 2016 and amended on Sept. 29, 2017.

4. “Customer Due Diligence Requirements for Financial Institutions,” Financial Crimes Enforcement Network and Department of the Treasury, Federal Register (May 11, 2016).

5. “Regulatory Notice 18-19,” FINRA (May 3, 2018).

6. Ibid.

7. Ibid.

8. “Regulatory Notice 17-40,” FINRA (Nov. 21, 2017).

9. Ibid.

10. Ibid.

11. “2018 National Exam Program Examination Priorities,” Securities and Exchange Commission (Feb. 7, 2018).

12. “Regulatory Notice 17-40,” FINRA (Nov. 21, 2017).

13. Ibid.

14. “2018 Regulatory and Examination Priorities Letter,” FINRA (Jan. 8, 2018).

15. “Regulatory Notice 18-19,” FINRA (May 3, 2018).

16. “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions,” FinCEN (April 3, 2018).

17. Ibid.