FinCEN's Customer Due Diligence Rule — codified at 31 CFR 1010.230 and effective since May 2018 — is the regulatory framework most frequently misunderstood by compliance teams at growth-stage fintechs. The rule is not just a data collection requirement. It is a framework for understanding who your customers are, what they do, and whether their actual activity matches what you expected at onboarding. Getting that framework right matters both for regulatory standing and for the practical effectiveness of your AML program.
This article walks through the four core CDD elements under 31 CFR 1010.230, the beneficial ownership prongs that trip up fintech compliance programs, and how to structure a risk-based approach that holds up under examination.
The Four Elements of the CDD Rule
FinCEN's CDD Rule requires covered financial institutions to implement written procedures that address four minimum elements:
- Identifying and verifying the identity of customers — the CIP element, already required under prior rules but now explicitly incorporated into the CDD framework.
- Identifying and verifying the identity of beneficial owners of legal entity customers — the new 2018 addition, discussed in detail below.
- Understanding the nature and purpose of customer relationships — developing a customer risk profile at onboarding and using it to establish baseline expected activity.
- Conducting ongoing monitoring to identify and report suspicious transactions, and to maintain and update customer information — the active, dynamic component that most programs underinvest in.
The third and fourth elements are where most fintech compliance programs are weakest. Collecting a date of birth and SSN at onboarding satisfies element one. Understanding the nature and purpose of a customer relationship requires something more: an articulated rationale for why a customer with a specific profile, in a specific geography, at a specific income level, would be using your product in the ways you observe. That rationale becomes the baseline against which transaction monitoring alerts are evaluated.
Beneficial Ownership: The Ownership Prong and the Control Prong
The CDD Rule requires financial institutions to identify and verify the beneficial owners of each legal entity customer that opens a new account. There are two distinct prongs:
Ownership prong: Any individual who, directly or indirectly, owns 25% or more of the equity interests of a legal entity. There may be zero, one, or multiple individuals who qualify — an entity could have four equal 25% owners, or could have a structure where no individual holds 25%.
Control prong: A single individual with significant responsibility to control, manage, or direct the entity. This is a minimum-of-one requirement — there must always be at least one individual identified under the control prong, even if zero individuals qualify under the ownership prong.
The rule permits collection via a standard Certification Form, either the FinCEN-issued version or an institution-developed equivalent. Institutions may rely on the certifying individual's representations about beneficial ownership accuracy unless they have reason to doubt those representations. That "reason to doubt" language is not a loophole — if your onboarding process surfaces information inconsistent with the certification, you have an obligation to investigate.
A neobank targeting SMB accounts opened approximately 4,000 legal entity accounts in 2024. When their compliance team conducted a file review ahead of a state examination, they found that roughly 14% of those accounts lacked a completed beneficial ownership certification — because the onboarding workflow had routed single-member LLC applicants through the individual consumer flow rather than the legal entity flow, bypassing the certification step. Remediating 560 accounts required outbound contact, documentation re-collection, and a retroactive risk rating exercise. The root cause was a product engineering decision made without compliance input. That kind of gap is entirely preventable. A verification workflow designed with entity type detection at the entry point closes it before accounts are opened.
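As an added illustration (not code from the article or any institution's own workflow), the two prongs applied to constructed cap tables: a layered holding structure, the five-equal-owners case where the ownership prong yields nobody, and a single-member LLC with no control person recorded. Indirect ownership is computed as the product of percentages along each chain, which is an assumption here, not something the article specifies.

```python
from dataclasses import dataclass, field

OWNERSHIP_THRESHOLD = 25.0  # ownership prong: 25% or more of the equity interests

@dataclass
class Entity:
    name: str
    equity: dict = field(default_factory=dict)  # holder -> percent; holders may be persons or entities
    control_person: str = ""  # the single individual named under the control prong

def attribute_equity(entity, entities, persons, scale=100.0, path=()):
    """Attribute an entity's equity to natural persons, walking through intermediate
    entities. Assumption (not from the article): indirect ownership is the product of the
    percentages along each chain, e.g. 50% of a HoldCo that owns 60% of the customer = 30%."""
    attributed = {}
    for holder, pct in entities[entity].equity.items():
        share = scale * pct / 100.0
        if holder in persons:
            attributed[holder] = attributed.get(holder, 0.0) + share
        elif holder in entities and holder not in path:
            for person, s in attribute_equity(holder, entities, persons, share, path + (entity,)).items():
                attributed[person] = attributed.get(person, 0.0) + s
        else:
            # Unknown holder or circular structure: the certification cannot be completed.
            raise ValueError(f"cannot resolve holder {holder!r} of {entity!r}")
    return attributed

def beneficial_owners(customer, entities, persons):
    """Apply both prongs: the ownership prong may yield zero individuals, the control
    prong must always name exactly one."""
    attributed = attribute_equity(customer, entities, persons)
    ownership_prong = sorted(p for p, s in attributed.items() if round(s, 6) >= OWNERSHIP_THRESHOLD)
    control = entities[customer].control_person
    if control not in persons:
        raise ValueError(f"control prong: {customer!r} must name one individual")
    return {"ownership_prong": ownership_prong, "control_prong": control, "attributed": attributed}

# Constructed sample data (not from the article).
PERSONS = {"Alice", "Bob", "Dana", "Eve", "Frank", "Gina", "Hal", "Ivy"}
ENTITIES = {
    # Layered structure: HoldCo owns 60% of Acme LLC; Alice and Bob each own half of HoldCo.
    "HoldCo": Entity("HoldCo", {"Alice": 50.0, "Bob": 50.0}),
    "Acme LLC": Entity("Acme LLC", {"HoldCo": 60.0, "Dana": 40.0}, control_person="Dana"),
    # Five equal 20% owners: nobody meets the ownership prong, control prong still required.
    "Widget LLC": Entity("Widget LLC", {p: 20.0 for p in ("Eve", "Frank", "Gina", "Hal", "Ivy")},
                         control_person="Eve"),
    # Single-member LLC with no control person recorded: certification is incomplete.
    "Solo LLC": Entity("Solo LLC", {"Alice": 100.0}),
}
```

Routing a "Solo LLC"-style applicant through a flow that never records a control person is exactly the gap the file review above found; the check raises before the certification can be treated as complete.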
Risk-Based Approach: What It Means in Practice
The phrase "risk-based approach" appears throughout the CDD Rule and FinCEN guidance, but it is frequently misconstrued as permission to do less. It is not. A risk-based approach means calibrating the depth and frequency of due diligence to the assessed risk level of each customer — which means you need a working risk assessment methodology, not just a lower-tier bucket for most customers.
At a minimum, a risk-based CDD program should distinguish three tiers:
- Simplified Due Diligence (SDD): Applied to lower-risk customers — domestic retail customers with straightforward employment income and product use patterns consistent with their stated purpose. CIP verification at onboarding, periodic refresh when triggering events occur, standard transaction monitoring thresholds.
- Standard CDD: The baseline for most customers. CIP plus nature-and-purpose assessment, risk profile documentation, and ongoing monitoring calibrated to expected activity.
- Enhanced Due Diligence (EDD): Applied to higher-risk customers — those in elevated-risk geographies, with complex ownership structures, in higher-risk business lines, or with PEP (Politically Exposed Person) status. EDD requires deeper documentation: source of wealth, source of funds, additional identity verification layers, and more frequent refresh cycles.
We are not saying that every customer needs EDD-level documentation — that would be operationally unsustainable and inconsistent with the rule's own risk-based framework. What we are saying is that your SDD/CDD/EDD tiering must be documented, consistently applied, and defensible when an examiner asks you to walk through how a specific customer was classified and why.
Ongoing Monitoring: The Most Underinvested Element
Of the four CDD Rule elements, ongoing monitoring receives the least operational attention at most fintechs. The first two elements — CIP and beneficial ownership — have clear triggers (account opening) and clear data collection steps. Ongoing monitoring is continuous, event-driven, and requires judgment calls at every stage.
Under the rule, ongoing monitoring means: detecting and reporting suspicious transactions consistent with SAR obligations under 31 CFR 1020.320 (or 31 CFR 1022.320 for MSBs), and maintaining and updating customer information when the institution becomes aware of information suggesting a change in risk profile. That second obligation — updating customer information — is frequently overlooked. If a customer's transaction patterns shift significantly from their onboarding profile, that is a trigger to refresh CDD, not just to evaluate the transaction in isolation.
Transaction monitoring systems should be calibrated to each customer's established baseline. An AML screening program that runs every customer through identical alert thresholds regardless of their stated business purpose will generate alert volumes that exceed any reasonable investigator capacity, producing case closure decisions under time pressure rather than genuine analysis.
What the Corporate Transparency Act Changed (and Did Not Change)
The Corporate Transparency Act (CTA), which took effect January 1, 2024 and has since been subject to ongoing litigation affecting its implementation, requires many companies to report beneficial ownership information directly to FinCEN's national registry. This is a company obligation to FinCEN, not a bank obligation under the CDD Rule.
The two regimes are related but distinct. The CDD Rule requires financial institutions to collect beneficial ownership information from customers at account opening. The CTA requires many companies to file that same information independently with FinCEN. The CTA does not relieve financial institutions of their CDD Rule obligations, and CDD Rule obligations continue regardless of the CTA's implementation status. Compliance officers at fintechs should track CTA litigation outcomes closely, but should not treat CTA uncertainty as grounds to defer CDD Rule compliance.
Documentation Standards That Hold Up Under Examination
Examiners evaluating a CDD program look at both policy and practice. A well-written CDD policy paired with inconsistent execution will receive findings. The documentation standards that matter most include:
- Customer risk rating methodology documented at a level of specificity that allows an examiner to apply it independently to a sample of accounts and arrive at the same rating you did
- Evidence that EDD was triggered and completed for high-risk customers — not just that EDD procedures exist in policy
- Timestamp-level records of when beneficial ownership certifications were collected and by whom
- Documented rationale for customer risk rating changes, including what triggered the review
The CDD Rule has been in effect long enough that there is a clear body of examination findings and enforcement actions from which compliance officers can learn. FinCEN's published enforcement actions consistently identify the same gaps: beneficial ownership not collected for legal entity customers, risk profiles not updated when triggering events occurred, and ongoing monitoring that existed on paper but not in practice. Building a program around those specific failure modes — rather than around abstract compliance ideals — is the most direct path to examination readiness. For fintechs operating at scale, the infrastructure to support defensible CDD at volume is not optional infrastructure — it is the foundation of the compliance program itself.