Pomegra Wiki

Customer Due Diligence Rule

The Customer Due Diligence Rule is a regulation issued by FinCEN (Financial Crimes Enforcement Network) in 2016 requiring U.S. financial institutions to identify and verify the identity of customers and their beneficial owners, assess risk, and maintain records of that information. It is the regulatory backbone of modern anti-money-laundering (AML) compliance in the United States.

For the broader process of verifying customer identity, see Know Your Customer (KYC).

The rule’s four pillars: identification, verification, beneficial ownership, and risk

FinCEN’s Customer Due Diligence Rule mandates four specific requirements. First, institutions must obtain identifying information from every customer—name, date of birth, address, and identification number (such as a Social Security number or taxpayer ID). This is the baseline.

Second, they must verify that information using reliable, independent sources or documents. A photocopy of a driver’s license is a start, but the institution should cross-reference it against other data to confirm the customer is who they claim.

Third—and this is where the rule broke new ground—institutions must identify and verify the beneficial owners of legal entities (companies, trusts, partnerships). The beneficial owner is the real human or humans who ultimately control the entity, as distinct from nominee directors or straw entities. For a corporation, this means identifying the owners of 25% or more of its equity. For a trust, it means the grantor, settlor, trustees, and beneficiaries (with some nuance). For a partnership, the partners.

This requirement was pivotal because shell companies and complex ownership structures had long been a way to hide illicit money flows. By forcing financial institutions to pierce the corporate veil and identify the real owners, the rule aimed to make it much harder to move criminal proceeds through anonymous entities.

Fourth, institutions must assess the customer’s risk profile—the likelihood that the customer or their beneficial owners are involved in financial crime, terrorism financing, or other regulatory violations. This assessment informs the bank’s ongoing monitoring strategy. High-risk customers get more scrutiny; low-risk customers get less.

Why beneficial ownership verification was overdue

Before 2016, many U.S. banks could legally open accounts for shell companies without ever learning who actually controlled them. An entity could register in a business-friendly state like Delaware with minimal disclosure, appoint a nominee director, and open a bank account—all without the bank ever identifying the true beneficial owner.

This opacity enabled money laundering, tax evasion, and sanctions evasion. A corrupt foreign official could move embezzled wealth through U.S. banks via shell companies; a criminal could hide assets; a sanctioned entity could evade restrictions. The lack of beneficial ownership verification was a systematic vulnerability.

International bodies like the Financial Action Task Force (FATF) had been pushing countries to close this gap for years. When the U.S. finally mandated beneficial ownership identification in the CDD Rule, it signalled that regulators would no longer tolerate the use of shells to hide beneficial owners from banks.

How financial institutions comply

Most banks now use a combination of customer questionnaires and third-party databases to satisfy the CDD Rule. When a company opens a corporate account, the bank provides a form asking for the names, titles, and ownership percentages of all beneficial owners. The customer fills it out and provides supporting documentation (articles of incorporation, operating agreements, tax returns, ID documents for the beneficial owners).

The bank then verifies the information—it may look up corporate records with the state, cross-reference ownership claims against tax forms, and confirm the identification documents for named beneficial owners. Large institutions often license specialized CDD software or outsource the verification to third-party compliance vendors.

For ongoing compliance, the rule requires institutions to maintain records of the information they collected and periodically review and update it—typically annually or if the institution becomes aware of a change in the customer’s status or ownership structure.

The challenge of complex ownership: cascading structures

The rule’s application becomes tricky with layered ownership. Imagine a Delaware LLC owned by a Cayman Islands fund, which is itself owned by a Singapore holding company, which is owned by trusts in various jurisdictions. Tracing beneficial ownership to a human can require international digging and coordination. FinCEN’s guidance acknowledges this complexity but does not exempt institutions from the obligation. Banks must do their best to identify the true beneficial owners, even if it requires hiring external investigators or refusing the account if ownership cannot be established to reasonable confidence.

Some legal structures deliberately obscure ownership—for example, trusts where beneficiaries are not disclosed. In these cases, the rule requires the bank to identify the settlor, trustee, and any known beneficiaries. If the trust’s structure genuinely prevents identification of further beneficial owners, the bank documents that fact and sets its monitoring accordingly.

Enhanced due diligence for high-risk customers

The CDD Rule also permits (and in some cases mandates) enhanced due diligence (EDD) for customers or entities that pose elevated risk. Examples include entities in high-risk jurisdictions, politically exposed persons (PEPs), and entities in sectors associated with higher crime risk (e.g., money services businesses, real estate).

For high-risk customers, banks may conduct deeper investigations, obtain additional documentation, impose transaction limits, or decline the business entirely. This escalation is the bank’s prerogative and is often the practical tool by which the CDD Rule affects market access—a risky-looking entity may be rejected not because the bank found evidence of wrongdoing but because compliance costs and liability risk exceed the expected profit from the relationship.

Criticism and pressure for reform

Critics have raised several objections to the CDD Rule. Compliance is expensive, pushing smaller institutions toward consolidation and reducing banking access for small businesses and non-profits that struggle with the process. Beneficial ownership verification, while well-intentioned, can be gamed—individuals use nominees or straw entities to obscure their role, and the rule does not always pierce complex international structures.

There has also been calls to extend the rule further. Advocates of greater transparency argue that the U.S. should maintain a national beneficial ownership registry (similar to those in some countries) to avoid forcing every bank to independently verify the same information. However, privacy advocates worry about the security of such a registry and the ease with which it could be misused.

The rule has also been tested by new forms of entity—cryptocurrency exchanges, decentralized finance (DeFi) platforms, and staking services fall into a regulatory gray area. FinCEN has been gradually clarifying that these entities, if they accept fiat currency or hold customer assets, must comply with the CDD Rule, but the rules for purely on-chain or self-custodial services remain in flux.

Relationship to international standards

The CDD Rule aligns broadly with guidance from the Financial Action Task Force (FATF), an international body coordinating anti-money-laundering efforts. Most developed countries now mandate beneficial ownership identification. However, enforcement and implementation vary widely; some jurisdictions are more thorough and well-resourced than others. The U.S. rule is considered relatively robust but remains a point of contention between regulators and the private sector over cost and compliance burden.

See also

  • Know Your Customer (KYC) — the customer identification process that underpins CDD
  • Beneficial owner — the real human or entity with ultimate control, as required under CDD
  • Anti-money laundering (AML) — the regulatory framework of which CDD is a core pillar
  • Office of the Comptroller of the Currency — key regulator enforcing the CDD Rule for banks
  • Sanctions — restrictions on financial dealings that CDD helps enforce

Wider context

  • Securities and Exchange Commission — enforces CDD for brokers and investment firms
  • Dodd-Frank Act — U.S. financial regulation that complemented the CDD Rule
  • Financial regulation — the broader regulatory environment
  • Cryptocurrency exchange — increasingly subject to CDD requirements
  • Bank — the primary institution bound by the CDD Rule
  • Corporate structure — the legal entities and ownership arrangements CDD seeks to clarify