The Customer Due Diligence (CDD) rule requires banks to identify and verify the beneficial owners of legal entity customers when an account is opened. There are two tests: the ownership prong, which captures each individual who owns 25% or more of the entity, and the control prong, which captures one individual with significant responsibility to control or manage the entity. The rule sits inside a broader CDD framework with four core elements that together form a pillar of every BSA/AML program.
Key Takeaways:
- The CDD rule requires identifying beneficial owners of legal entity customers at account opening
- Ownership prong: each individual owning 25% or more of the entity (there can be zero to four such individuals)
- Control prong: exactly one individual with significant managerial control, always required even if no one owns 25%
- The four CDD elements are customer identification, beneficial ownership identification, understanding customer relationships, and ongoing monitoring
- The CDD rule is found at 31 CFR § 1010.230; note the separate Corporate Transparency Act beneficial ownership reporting regime is distinct from this CDD requirement
The Two Beneficial Ownership Prongs
When a legal entity customer (a corporation, LLC, partnership, or similar) opens an account, the bank must identify the natural persons behind it using two tests applied together.
The Ownership Prong (25% Test)
You must identify each individual who, directly or indirectly, owns 25% or more of the equity interests of the legal entity. Depending on the ownership structure, this could be:
- Up to four individuals (four people each owning 25%)
- Fewer, if ownership is more concentrated
- None, if no single individual reaches 25% (ownership is widely dispersed)
The ownership prong looks through to the natural persons. If a company is owned by another company, you trace ownership up to the individuals who ultimately hold the interests.
The Control Prong
Regardless of ownership, you must identify one individual with significant responsibility to control, manage, or direct the legal entity, such as a CEO, CFO, managing member, or general partner. The control prong always produces exactly one person. Even when no one satisfies the 25% ownership test, the control prong still applies, so every legal entity customer yields at least one beneficial owner.
Together, the prongs mean a legal entity account has between one and five identified beneficial owners: zero to four from ownership, plus one from control.
What You Must Collect and Verify
For each identified beneficial owner, the bank must collect the same identifying information it collects for an individual customer under its Customer Identification Program (CIP):
- Name
- Date of birth
- Address
- A government identification number (such as an SSN for U.S. persons)
The bank must then verify the identity of each beneficial owner using risk-based procedures, similar to CIP verification. Note the distinction: you verify the identity of the beneficial owners, not necessarily their status as owners. You may rely on the information the customer certifies about who the beneficial owners are, absent knowledge of facts that would call it into question.
The certification is typically captured on a beneficial ownership form at account opening. Retaining that certification and the verification records is part of your BSA recordkeeping obligation.
The Four Pillars of Customer Due Diligence
The beneficial ownership requirement is one part of a broader CDD framework. The FFIEC describes CDD as resting on four core elements:
- Customer identification and verification (your CIP)
- Beneficial ownership identification and verification for legal entity customers (the rule above)
- Understanding the nature and purpose of customer relationships to develop a customer risk profile
- Ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information
The fourth element is where CDD connects to your transaction monitoring and SAR program. A customer risk profile built at onboarding informs what "normal" looks like, which is what lets monitoring flag the abnormal. The FFIEC BSA/AML Examination Manual treats these four elements as a single integrated expectation, not separate boxes. The downstream reporting obligations are covered in our guide on SAR filing requirements and deadlines.
CDD Rule vs Corporate Transparency Act Reporting
A frequent point of confusion: the CDD rule and the Corporate Transparency Act (CTA) beneficial ownership reporting requirement are two different things.
- The CDD rule (31 CFR § 1010.230) is an obligation on banks to identify beneficial owners of their legal entity customers at account opening.
- The CTA created a separate obligation on companies themselves to report beneficial ownership information directly to FinCEN's beneficial ownership registry.
They cover overlapping concepts (who really owns a company) but impose obligations on different parties through different mechanisms. The CTA's reporting framework has been subject to significant legal and policy developments, so confirm the current status of CTA reporting requirements separately. For your bank's CDD obligations, the rule above is the governing requirement regardless of CTA developments.
Where Banks Get Cited on CDD
Examiners reviewing CDD and beneficial ownership commonly find:
- Missing control-prong identification when no one owns 25%, leaving the entity with no identified beneficial owner
- Failure to trace through layered ownership structures to the ultimate individuals
- No verification of beneficial owner identity, only collection of the certification
- Stale customer risk profiles that were never updated as the relationship changed, undermining ongoing monitoring
- Weak linkage between the CDD risk profile and transaction monitoring thresholds
- Incomplete records that can't demonstrate who was identified and how they were verified
The recurring theme is that CDD is not a one-time onboarding form. It is an ongoing obligation to understand the customer and keep that understanding current, which is what the fourth pillar requires. This fits within the broader program expectations in our BSA/AML requirements for community banks.
CDD is an onboarding-plus-monitoring obligation, and examiners test whether the profile stays current. See how Canarie ties CDD profiles to ongoing monitoring and evidence →
Frequently Asked Questions
What is the beneficial ownership rule?
The beneficial ownership rule, part of FinCEN's CDD rule, requires banks to identify and verify the individuals behind a legal entity customer when an account is opened. It uses two tests: an ownership prong capturing anyone owning 25% or more, and a control prong capturing one individual with significant managerial control.
What is the 25% beneficial ownership threshold?
Under the ownership prong, a bank must identify each individual who directly or indirectly owns 25% or more of a legal entity customer's equity. There can be up to four such individuals, or none if ownership is widely dispersed. The control prong still applies regardless, so every legal entity has at least one beneficial owner.
What are the four pillars of customer due diligence?
The four CDD elements are customer identification and verification, beneficial ownership identification and verification for legal entity customers, understanding the nature and purpose of customer relationships, and ongoing monitoring to identify suspicious activity and keep customer information current.
Do banks have to verify that someone is actually a beneficial owner?
Banks must verify the identity of each beneficial owner using risk-based procedures, similar to CIP. They are generally not required to verify the person's status as an owner and may rely on the customer's certification of who the beneficial owners are, absent knowledge of facts that call the certification into question.
Is the CDD rule the same as Corporate Transparency Act reporting?
No. The CDD rule obligates banks to identify beneficial owners of their legal entity customers at account opening. The Corporate Transparency Act created a separate obligation on companies to report beneficial ownership directly to FinCEN. They address similar concepts but apply to different parties, and CTA requirements have their own evolving legal status.
Keep CDD Current, Not Just Collected
The CDD rule fails most often not at onboarding but afterward, when customer risk profiles go stale and beneficial ownership records can't be reconstructed for an examiner. CDD is an ongoing obligation, and ongoing obligations need a system, not a filing cabinet.
Canarie maps your CDD obligations to onboarding and monitoring workflows, captures beneficial ownership certifications and verification, and keeps customer risk profiles linked to the monitoring that depends on them.