Blog Login
Compliance

What Is the Fifth Pillar of BSA Compliance? Customer Due Diligence Explained

A

Anzar Dewani

7 hours ago

FinCEN added a fifth pillar to BSA compliance in 2016 — Customer Due Diligence. Here is what CDD requires, how beneficial ownership rules apply, and what fintechs need to do to comply.

What Is the Fifth Pillar of BSA Compliance? Customer Due Diligence Explained

The Bank Secrecy Act has required financial institutions to maintain anti-money laundering programs for decades. For most of that time, a BSA/AML compliance program was defined by four core requirements — sometimes called the four pillars. In 2016, FinCEN added a fifth requirement: Customer Due Diligence, commonly called the CDD Rule. Understanding the fifth pillar and what it requires is essential for any fintech building a compliant BSA/AML compliance program.

The Original Four Pillars

Before examining the fifth pillar, it helps to understand the four that preceded it. A BSA/AML compliance program must include: (1) a system of internal controls — written policies and procedures designed to ensure BSA compliance; (2) independent testing — an audit function that assesses whether the program is working effectively; (3) a designated compliance officer — an individual responsible for day-to-day management of the BSA program; and (4) ongoing training — regular AML training for relevant employees.

These four requirements remain in effect. The fifth pillar adds to them — it does not replace any of the original four.

The Fifth Pillar — Customer Due Diligence

FinCEN's CDD Rule, which became effective for covered financial institutions in May 2018, formalized and expanded the requirements around knowing your customers. The fifth pillar has two distinct components.

Customer Due Diligence Procedures

The first component requires covered institutions to implement risk-based procedures for conducting ongoing CDD. This means understanding the nature and purpose of customer relationships to develop risk profiles for customers, and conducting ongoing monitoring to identify and report suspicious transactions and maintain and update customer information.

For fintechs, this means having documented procedures for how you assess the risk level of each customer at onboarding, how you assign risk ratings, how you monitor ongoing customer activity against their expected risk profile, and how you update customer information over time. For a comprehensive overview of what Customer Due Diligence requires, see our dedicated guide.

Beneficial Ownership Requirements

The second component — which has received the most attention — requires covered institutions to collect and verify the beneficial owners of legal entity customers. This is the requirement to look through business entities to identify the real people who own and control them.

The rule requires two categories of information. The ownership prong requires identification of all natural persons who own 25% or more of the equity interests of a legal entity customer. The control prong requires identification of one individual who controls, manages, or directs the legal entity — such as a CEO, CFO, COO, managing member, or general partner — regardless of their ownership stake.

For each identified beneficial owner, institutions must collect name, date of birth, address, and Social Security Number (or for foreign individuals, passport number and country of issuance), and must verify the identity of each beneficial owner using documentary or non-documentary methods. For a complete guide to beneficial ownership requirements, see our dedicated article.

Who Is Covered by the CDD Rule

The CDD Rule as written by FinCEN explicitly applies to banks, brokers-dealers, mutual funds, and futures commission merchants. However, FinCEN and regulators have consistently applied CDD principles to other covered financial institutions — including Money Services Businesses — as a matter of BSA compliance best practice and risk-based expectation. Sponsor banks universally require their fintech program managers to implement CDD programs consistent with the rule.

For fintech purposes, implementing the fifth pillar fully is not optional if you want to maintain sponsor bank relationships or satisfy FinCEN examiners.

The Fifth Pillar in Practice for Fintechs

For a fintech, implementing the fifth pillar means several concrete things.

Individual customer risk profiling — at onboarding, each customer receives a risk rating based on their identity information, account purpose, expected transaction patterns, and applicable risk factors. This risk rating is documented and drives the level of ongoing monitoring applied to that customer's activity.

Business customer beneficial ownership collection — for every business entity customer, the fintech must collect beneficial ownership information for all 25%+ owners and one control person. This information is typically collected through a certification form at onboarding.

Beneficial ownership verification — the identities of beneficial owners must be verified using your standard identity verification methods. This means running beneficial owners through your KYC procedures as if they were individual customers opening their own accounts.

Ongoing monitoring and profile updates — CDD is not a one-time onboarding exercise. Customer risk profiles must be updated when material new information comes to light, and transaction monitoring must be calibrated to each customer's expected activity profile.

Frequently Asked Questions

Does the fifth pillar require me to re-collect beneficial ownership for existing business customers?

When the CDD Rule came into effect, covered institutions were required to collect beneficial ownership information for new business entity customers but were not required to retroactively collect it for all existing business customers. However, existing customer relationships should be updated when material new information is obtained or when periodic reviews identify the need. For practical purposes, most institutions have implemented beneficial ownership collection for all business customers as part of periodic CDD reviews.

What happens if a business customer refuses to provide beneficial ownership information?

If a business entity customer refuses to provide the required beneficial ownership information, the institution should not open the account — or if an existing customer refuses to provide the information during a periodic update, the institution should exit the relationship. Documenting the refusal and the decision is important for examination purposes.

Do sole proprietorships need beneficial ownership verification?

The CDD Rule's beneficial ownership requirements apply to legal entity customers — corporations, LLCs, partnerships, and similar structures. Sole proprietorships that are not separate legal entities from the individual owner are not legal entity customers and do not require separate beneficial ownership collection. However, the individual operating the sole proprietorship must be verified under your standard KYC procedures.

How ComplyOne Helps

ComplyOne helps fintechs implement the fifth pillar — building CDD programs that meet regulatory expectations, beneficial ownership collection workflows for business customers, and ongoing monitoring frameworks that satisfy both FinCEN requirements and sponsor bank compliance standards.

 

 

Talk to the ComplyOne team to get started.

The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.

Share this article:

Related Articles