FinCEN CDD Beneficial Ownership Rule

What is the FinCEN CDD Beneficial Ownership Rule?

The FinCEN Customer Due Diligence (CDD) Beneficial Ownership Rule — codified at 31 CFR § 1010.230 and parallel provisions across other covered sectors — is the US regulation that requires covered financial institutions to identify and verify the beneficial owners of their legal-entity customers. Adopted in 2016 and effective from 11 May 2018, the Rule strengthened the Bank Secrecy Act framework by closing a long-standing transparency gap that had allowed shell companies and opaque ownership structures to be used to disguise illicit funds, sanctioned wealth, and tax-evasion proceeds. The Rule introduced a uniform federal definition of beneficial ownership for AML purposes, formalised the "fifth pillar" of BSA compliance, and brought US practice broadly in line with FATF Recommendations 24 and 25.

The CDD Rule does not exist in isolation. It is one of three interlocking US frameworks addressing beneficial-ownership transparency: the FinCEN CDD Rule at the financial-institution end (CDD on legal-entity customers); the Corporate Transparency Act (CTA, 2021) at the entity end (entities themselves report beneficial-ownership information to FinCEN); and the USA PATRIOT Act Section 326 CIP rule at the customer-identification layer. Together these frameworks form the US response to FATF's beneficial-ownership standards — see our AML compliance complete guide and our writeup on the five pillars of an AML program.

Why the CDD Rule matters

Before 2018, US financial institutions had a general AML obligation to "know their customer" but no uniform federal rule requiring them to systematically identify the natural persons who ultimately owned or controlled legal-entity customers. The result was operational inconsistency, supervisory difficulty, and a continuing exposure to shell-company abuse. The CDD Rule replaced that patchwork with a single federal standard. For covered institutions, the Rule made beneficial-ownership identification a non-negotiable component of every legal-entity onboarding — and made the absence or inadequacy of beneficial-ownership records one of the most consistently cited findings in BSA examinations and enforcement actions.

Who must comply

The Rule applies to covered financial institutions as defined in the BSA: national and state-chartered banks, federal and state-chartered credit unions, savings associations, broker-dealers in securities, mutual funds, futures commission merchants (FCMs), and introducing brokers in commodities. Other covered financial institutions — such as money services businesses, casinos, and insurance companies — were not within scope of the original 2016 rule but operate under their own customer due-diligence frameworks. The CTA, by contrast, applies to the reporting entities themselves and reaches a much broader population.

The four core elements of CDD

The CDD Rule formalised what FinCEN has described as the four core elements of customer due diligence — together constituting the "fifth pillar" of BSA compliance. The first element is customer identification and verification (overlapping with the PATRIOT Act Section 326 CIP rule). The second is identification and verification of beneficial owners of legal-entity customers — the headline obligation of the CDD Rule. The third is understanding the nature and purpose of the customer relationship, enabling the institution to develop a customer risk profile. The fourth is ongoing monitoring to identify and report suspicious activity and, on a risk basis, to maintain and update customer information.

The beneficial-ownership definition: ownership and control prongs

The Rule's beneficial-ownership definition has two prongs that must both be applied. The ownership prong requires the institution to identify each individual who, directly or indirectly, owns 25% or more of the equity interests of the legal entity. The control prong requires the institution to identify a single individual with significant responsibility to control, manage, or direct the legal entity — typically a chief executive officer, chief financial officer, chief operating officer, managing member, general partner, or senior officer performing similar functions. The ownership prong may identify zero, one, or multiple beneficial owners (up to four, given the 25% threshold); the control prong always identifies exactly one. Together they produce up to five beneficial-owner records per legal-entity customer.

Triggering events for beneficial-ownership re-verification

CDD information is not only collected at onboarding. Covered institutions must also update beneficial-ownership information when there is a triggering event — a material change that suggests the existing information may no longer be accurate or sufficient. Common triggering events include receipt of information about a change in beneficial ownership, a significant change in transaction activity or behaviour, new sanctions or PEP exposure on a previously cleared customer, adverse media on the entity or its owners, regulatory or law-enforcement requests, and the customer's own notification of an ownership change. The Rule does not impose a fixed periodic refresh cadence at the federal level — that calibration is left to each institution's risk-based programme — but most institutions implement risk-based refresh cycles alongside event-driven re-verification, often with continuous sanctions screening against identified beneficial owners.

Exemptions from the Rule

The Rule provides several categories of exempted legal entities for which beneficial-ownership identification is not required (although CIP, ongoing monitoring, and risk-rating obligations still apply). Common exemptions include certain federally regulated financial institutions, US government departments, publicly traded companies listed on US securities exchanges, registered investment companies, certain regulated insurance companies, and pooled investment vehicles operated by regulated financial institutions. The exemption list is specific and should be applied cautiously — many entities that appear to qualify under one prong of the exemption framework are not in fact exempt under the precise definition.

Operationalising the CDD Rule

In practice, the CDD Rule has driven significant investment in beneficial-ownership data and tooling across US financial institutions. Onboarding flows now systematically capture beneficial-ownership information through structured forms; corporate-registry data and ownership-graph tools support drill-down through multi-layer structures; sanctions, PEP, and adverse-media screening runs against each identified beneficial owner via integrated AML screening platforms; and case-management systems retain the supporting evidence for the BSA recordkeeping minimum of five years. Many institutions automate the end-to-end workflow through a UBO check API that pulls registry data, runs drill-down, performs screening, and produces a single decisioning view. Step-by-step practical guidance is covered in our finding the UBO of a company guide.

CDD Rule and the Corporate Transparency Act

The 2021 Corporate Transparency Act (CTA) complements the CDD Rule by requiring reporting entities themselves — most US-formed corporations, LLCs, and similar entities — to file beneficial-ownership information directly with FinCEN. Where the CDD Rule places the obligation on financial institutions to identify their customers' beneficial owners, the CTA places the obligation on the entities to report their own beneficial owners to a federal registry. Implementation of the CTA has been complex, with significant litigation, court-ordered enforcement pauses, and policy revisions during 2024 and 2025. The CDD Rule continues to apply independently of the CTA's operational status.