New Age of Transparency: U.S. Announces Customer Due Diligence Requirements and Other Key Initiatives

Originally initiated in 2012, the long-anticipated CDD Rule was fast-tracked this year and finalized on May 6, 2016, just 33 days after the release of the “Panama Papers” created shock waves around the globe by revealing a secret world of shell companies used by wealthy individuals allegedly to hide assets. This is a major step in a new age of transparency to prevent tax evasion, confront terrorist financing and weapons proliferation, enforce sanctions, address corruption, and pursue drug traffickers and organized crime. This alert explains the context of the CDD Rule, its specifics, and the risks it exposes across all industries—and not just for financial institutions.

The CDD Rule and Its Effect on Requirements Under the Bank Secrecy Act

The Bank Secrecy Act, 31 U.S.C. § 5311, et seq. (BSA), was established in 1970 and is one of the most important tools in the fight against money laundering. FinCEN imposes anti-money laundering (AML) regulatory requirements on financial institutions pursuant to the BSA.

Unless exempted, financial institutions have been required to have AML programs that include, at a minimum, (i) the development of internal policies, procedures, and controls; (ii) the designation of a compliance officer; (iii) an ongoing employee training program; and (iv) an independent audit function to test programs. The requirements for AML programs include due diligence procedures, commonly referred to as “Know Your Customer” (KYC) policies, which generally include a Customer Identification Program (CIP), customer due diligence and ongoing monitoring.

The CDD Rule adds a new requirement that financial institutions identify and verify the beneficial owners or “natural persons” behind legal entity customers or “shell companies” and other corporate forms, including partnerships and limited liability companies. It also adds a fifth requirement to existing AML obligations: financial institutions must implement customer risk profiles and conduct ongoing monitoring for suspicious activity and, on a risk-basis, maintain and update customer information.

New Customer Due Diligence Requirements

In the wake of the “Panama Papers,” and in light of recent scrutiny on the use of shell companies to purchase real estate, promulgation of the CDD Rule was expedited and the rule announced on May 6, 2016 as part of a series of transparency initiatives.

Who is subject to the CDD Rule?

As of now, the CDD Rule applies to “covered financial institutions,” referring to banks; brokers or dealers in securities; mutual funds; and futures commission merchants and introducing brokers in commodities.

What does the CDD Rule Require?

The CDD Rule will focus on beneficial ownership of legal entities. It will: (A) require covered financial institutions to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of legal entity customers; and (B) make explicit that AML programs require customer risk assessment and certain ongoing monitoring and, where appropriate, updates to beneficial ownership information.

Moreover, four core elements will now comprise the minimum standard of CDD. These elements are: (i) customer identification and verification; (ii) beneficial ownership identification and verification; (iii) an understanding of the nature and purpose of customer relationships to develop a customer risk profile; and (iv) ongoing monitoring and reporting of suspicious transactions and, on a risk-basis, maintain and update customer information.¹

Download: A New Age of Transparency: U.S. Announces Customer Due Diligence Requirements and Other Key Initiatives

1. The first requirement is already in existence. See 31 C.F.R. 103.121 (b) (setting forth the minimum requirements for the “Customer Identification Program”). The second requirement is new and introduced by the CDD Rule. The third and fourth requirements have been previously implicitly required under the BSA—vis-à-vis risk-assessments and Suspicious Activity Reporting—but are now expressly required under the CDD Rule.