FinCEN Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions

On April 3, 2018, the Financial Crimes Enforcement Network (FinCEN) issued its long-awaited second set of Frequently Asked Questions (FAQs)1 to assist covered financial institutions in understanding the scope of the Customer Due Diligence for Financial Institutions (CDD Rule).2

Summary of the FAQs
FinCEN’s FAQs address 37 of the most frequently asked questions. The vast majority of the questions are grouped under broad topics. Below, we summarize what we believe to be the most important aspects of the FAQs and topics, but financial institutions should consult the FAQs for more detail.3





Beneficial Ownership for Complex Structures


  • Covered financial institutions are required to obtain customer identities for all individuals who directly or indirectly through multiple corporate structures own 25% or more of a legal entity customer that is opening an account.

Identification and Verification of Beneficial Owners


4-8, 10-11

  • The CDD Rule’s verification procedures must contain the same elements as existing Customer Identification Procedures (CIP), but are not required to be identical to them. For example, while the CIP rule prohibits the use of photocopies to verify identity, the CDD Rule allows the use of photocopies or reproductions.

  • Notwithstanding the permissibility of photocopies, covered financial institutions should conduct a risk-based analysis to determine the appropriate verification methods and use of photocopies or reproductions.

  • A covered financial institution may rely on information obtained pursuant to its CIP to identify and verify a beneficial owner provided the legal entity customer’s representative certifies or orally confirms that the CIP information is up to date and accurate.

  • An account or subaccount created solely to accommodate the business (i.e., a specific trading strategy) of an existing legal entity customer that has previously identified its beneficial ownership is not subject to the CDD Rule. Accounts or subaccounts not falling within this interpretation include those:

    • Created to accommodate a trading strategy of a separate legal entity.

    • Through which the customer of a covered financial institution’s existing legal entity customer conducts trading without intermediation from the existing legal entity customer.

Collecting Beneficial Ownership for Product or Service Renewals



  • Covered financial institutions must obtain beneficial ownership information for legal entity customers the first time that products or services established prior to May 11, 2018, are renewed after that date. Beneficial ownership information does not have to be collected at each subsequent renewal provided the customer certifies or confirms that the information is accurate and up to date and the covered financial institution has no knowledge of facts that would call the reliability of this information into question.

  • With respect to loan renewals and CD rollovers specifically, if at the time of certification, the customer agrees to notify the covered financial institution of any change in beneficial ownership information, the certification will be considered accurate and up to date for the term of the loan or CD.

Collecting Beneficial Ownership Information for Existing Accounts



  • A covered financial institution is only required to obtain beneficial ownership information for accounts established before May 11, 2018 when the covered financial institution becomes aware during normal monitoring of a possible change of beneficial ownership.

Updating Beneficial Ownership Information



  • Absent specific risk-based concerns, covered financial institutions do not have an obligation to solicit or update beneficial ownership information as a matter of course during regular or periodic reviews. Covered financial institutions do, however, have complete discretion to collect or update beneficial ownership information as often as they see fit, absent specific risk-based concerns.

  • Existing industry practices that comply with existing expectations for Suspicious Activity Reporting will generally satisfy the CDD Rule’s monitoring and updating requirements.

  • Whether an update of beneficial ownership information requires a re-certification depends on the nature of the update. For example, if the update was only a change of address, then full re-certification would in all likelihood not be required. If, however, the update is to beneficial ownership, the new beneficial owner’s identity will need to be collected, verified, and certified.

  • While FinCEN does not make a distinction between requirements for identifying and verifying beneficial owner information at the time of a new account opening and at the time of a triggering event, the breadth and sum of information may differ with respect to the collection and verification of beneficial ownership information depending on whether the information is being collected at account opening or in response to a triggering event.

Pooled Investment Vehicles and Multiple Trustees



  • In general, covered financial institutions are not required to look through a pooled investment vehicle to identify and verify the identity of individuals who own 25% or more of its equity interests. However, covered financial institutions must collect beneficial ownership information for the pooled investment vehicle under the control prong.

  • Where a trust owns 25% or more of a legal entity customer, the beneficial owner of the legal entity customer under the ownership/equity prong of the CDD Rule is the trustee, regardless of whether the trustee is a natural person or legal entity. If there are multiple trustees, a covered financial institution must identify and verify the identity of at least one co-trustee. Under the control prong of the CDD Rule, the covered financial institution must also identify and verify the identity of a natural person in this situation.

Institutions That Are Not Considered “Legal Entity” Customers



  • Covered financial institutions are expected to address and specify, in their risk-based written policies and procedures, the type of information they will collect and reasonably rely upon to determine eligibility for exclusions from the definition of a legal entity customer. In general, the following are not considered legal entity customers:

    • Sole proprietorships and unincorporated associations

    • Charities and nonprofit entities

    • Companies traded publicly in the U.S.

Foreign companies and entities



  • Because legal entity customers listed on foreign exchanges are not excluded from the definition of a legal entity customer under the CDD Rule, covered financial institutions may not take a “risk-based” approach to collecting beneficial ownership information, but may rely on public disclosures absent any reason to believe such information is inaccurate or not up to date.

  • Foreign financial institutions created in a non-U.S. jurisdiction where the foreign regulator collects and maintains beneficial ownership information are excluded from the definition of a legal entity customer.

  • Non-U.S. governmental departments, agencies, or political subdivisions thereof generally may not have an individual who is a 25% or more beneficial owner and are excluded from the definition of a legal entity customer, though identification of an individual under the control prong of the CDD Rule would still be required.4

Currency Transaction Reports



  • Financial institutions are required to aggregate multiple currency transactions if there is knowledge that the transaction requiring the filing is made by or on behalf of the beneficial owner and results in cash totaling more than $10,000 during one business day.

Information for Customer Risk Profile



  • Financial institutions must implement risk-based procedures to demonstrate their understanding of the nature of a customer relationship, which can be developed by the type of customer, account, service, or product.

  • This information should be used to develop a baseline against which customer activity can be assessed for possible suspicious activity reporting.


What the FAQs Mean for Covered Financial Institutions
For the most part, the FAQs appear to address many of the industry’s concerns and questions regarding the CDD Rule, though there are some questions left unanswered. For example, the FAQs do not provide guidelines on the safeguarding of Personal Identifying Information, and expectations related to sharing of information obtained in overseas branches in jurisdictions with strict data privacy rules. The FAQs also do not specify the extent to which a financial institution should integrate technology changes to better use the information it obtains during CDD.

With the CDD Rule’s final applicability less than a month away, one would assume that covered financial institutions have implemented, or are in the final stages of implementing, changes and enhancements to existing anti-money laundering/global sanctions compliance programs (AML/Sanctions Compliance Programs) to address the rule’s requirements. How, then, should covered financial institutions address the FAQs? We recommend ensuring that your institution has undertaken the following actions:

  • Documented all changes and enhancements to AML/Sanctions Compliance Programs in a form that can be used to educate internal auditors and bank examiners.
  • Conducted quality assurance testing to ensure that technology and systems enhancements will capture information required by the rule.
  • Established clear guidance on what to do with the information once it is gathered and how it will be used to enhance your AML/Sanctions Compliance Programs (e.g., how will the information be integrated into your transaction monitoring or sanctions compliance program?).
  • Provided employee training and notice to customers of changes and enhancements to the AML/Sanctions Compliance Programs.
  • Ensured that your “front line” or relationship managers are not treating their CDD gathering duties as a “check the box” exercise.
  • Developed and documented a plan to review and assess the efficacy of changes and enhancements to the AML/Sanctions Compliance Programs.

Given that the FAQs do not contain any surprises, it seems logical to assume that the regulators are going to give covered financial institutions some room to work through difficulties encountered during implementation, provided that the institution has made good faith efforts to design and implement policies and procedures that meet the CDD requirements. Importantly, as the regulators understand how firms of all sizes are implementing the CDD rule, best practices and effective methodologies will evolve over time until there are generally accepted approaches based on the risks of the covered financial institution.


Learn More
Guidehouse’s CDD webpage contains information and insights from our team of AML/Sanctions experts, which includes former financial regulators, prosecutors, and law enforcement officials who have developed and documented AML/Sanctions regulations and investigated and prosecuted violations of those regulations and individuals with in-house compliance and operational experience. 

Our team has years of practical experience assisting financial institutions in implementing changes and revisions to their existing policies, procedures, and controls in response to regulatory changes and developments. Guidehouse can provide your institution with highly skilled resources for the short-term implementation of these regulatory changes until your financial institution has incorporated such changes as “business as usual.”

Note: The authors wish to thank Joseph Frenkel and Patrick Haig for their assistance.

1  See Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, FIN-2018-G001. Also see FAQs issued on July 19, 2016.

2  See Customer Due Diligence Requirements for Financial Institutions, May 11, 2016, amended September 28, 2017.

3  This document is not intended to provide legal advice.  Covered financial institutions should consult counsel for legal advice.

4  Entities falling into this category generally include embassies or consulates, and entities that are instrumentalities of a foreign government, such as government-owned enterprises engaging in activities that are exclusively governmental in nature, that is, activities involving the direct exercise of legislative, executive, or judicial authority and which do not involve taking profits from the endeavor. Those state-owned enterprises engaged in profit-seeking activities, including, among others, sovereign wealth funds, airlines, or oil companies, would not qualify for the legal entity exclusion.

Covered financial institutions should be mindful of United States v. Esquenazi, No. 11-15331 (11th Cir. May 16, 2014), in which the U.S. Court of Appeals for the Eleventh Circuit defined the term “instrumentality” of a foreign government under the U.S. Foreign Corrupt Practices Act.

Guidehouse Inc. (“Navigant”) is not a certified public accounting or audit firm. Guidehouse does not provide audit, attest, or public accounting services. See for a complete listing of private investigator licenses.

This publication is provided by Guidehouse for informational purposes only and does not constitute consulting services or tax or legal advice. This publication may be used only as expressly permitted by license from Guidehouse and may not otherwise be reproduced, recorded, photocopied, distributed, displayed, modified, extracted, accessed, or used without the express written permission of Guidehouse.
