FinCEN CDD Rule: beneficial ownership for fintechs

The Customer Due Diligence Rule in plain English — what it requires, who it applies to, the 25% beneficial-ownership threshold, ongoing monitoring, and how it interacts with the Corporate Transparency Act.

Updated May 2026 · 9 min read

The FinCEN Customer Due Diligence Rule (the "CDD Rule"), formally 31 CFR 1010.230, requires covered financial institutions to identify and verify the beneficial owners of legal-entity customers when those customers open new accounts. It is the U.S. operational backbone for know-your-business (KYB) — and it is the rule a fintech's KYB program is built to satisfy.

This page covers what the rule actually requires, who it applies to, the four-prong CDD obligation, the 25% beneficial-ownership threshold and its exceptions, how the rule interacts with the Corporate Transparency Act and FinCEN's Beneficial Ownership Information Reporting Rule, ongoing monitoring expectations, and the evidence infrastructure that makes a CDD program defensible during examination.

Who the rule applies to

The CDD Rule applies to "covered financial institutions" — banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities. It does not directly apply to fintechs unless they are themselves a covered institution, but it applies operationally because:

  • A fintech operating behind a sponsor bank is responsible, contractually and operationally, for collecting CDD information that the sponsor bank then uses to satisfy its own obligation.
  • Money services businesses (MSBs), including crypto exchanges and payment fintechs, have a parallel obligation under FinCEN regulations to perform customer identification and risk-based due diligence on legal-entity customers, including beneficial-ownership identification.
  • State-licensed money transmitters, broker-dealers, and similar entities have analogous state-level obligations that broadly mirror the CDD Rule.

In practice, every fintech that opens accounts for legal-entity customers ends up running a CDD program either to satisfy its own direct obligation or to satisfy the sponsor bank's obligation as the front-line operator.

The four-prong CDD obligation

The rule lays out four core obligations a covered institution must perform when opening a new account for a legal-entity customer:

  • Identification and verification of the customer. The legal-entity customer itself must be identified — name, address, taxpayer ID — and that identity verified through documentary or non-documentary means.
  • Identification and verification of beneficial owners. The natural persons who are beneficial owners of the legal entity must be identified and verified — name, date of birth, address, taxpayer ID — through the same documentary or non-documentary means used for individual customers.
  • Understanding the nature and purpose of the relationship. The institution must understand what the customer does, why it's opening this account, and what activity to expect. This becomes the baseline against which ongoing monitoring detects anomalies.
  • Ongoing monitoring. The institution must monitor the relationship for suspicious activity and update customer information when changes are observed or reported. CDD is not a one-time onboarding check; it is the foundation of an ongoing relationship.

The 25% beneficial-ownership threshold

The CDD Rule defines a beneficial owner along two prongs:

  • Ownership prong. Each natural person who, directly or indirectly, owns 25% or more of the equity interests of the legal entity.
  • Control prong. One natural person with significant responsibility to control, manage, or direct the legal entity — typically the CEO, COO, managing partner, or similar officer.

At minimum, every legal-entity customer has at least one beneficial owner under the control prong. There may be zero, one, two, three, or four beneficial owners under the ownership prong: the maximum is four because a qualifying owner must hold at least 25%, and five non-overlapping individuals cannot each hold 25% or more of the same 100% of equity. Combined, between one and five beneficial owners are typically identified per legal-entity customer.

The rule allows the institution to rely on a written certification from the customer regarding beneficial ownership, signed by an individual authorized to open the account and accompanied by the underlying beneficial-owner identification information.
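The two prongs above can be made mechanical. The following is an added example, not code from the page or from any vendor it mentions: it takes a constructed cap table in which one holder is itself a legal entity, looks through that entity by multiplying stakes down the chain (the "directly or indirectly" language), applies the 25% threshold, and adds the single control-prong individual. The entity and person names are invented sample data.

```python
from fractions import Fraction
from typing import Dict, Set, Tuple

# Constructed sample data, not from the page: entity -> {holder: percent held}.
# A holder that is itself a key in the table is an intermediate legal entity
# and is looked through; any other holder is treated as a natural person.
CapTables = Dict[str, Dict[str, int]]

SAMPLE_CAP_TABLES: CapTables = {
    "Acme LLC": {"HoldCo Inc": 50, "Alice": 30, "Bob": 20},
    "HoldCo Inc": {"Carol": 60, "Dan": 40},
}

THRESHOLD = Fraction(25, 100)  # the rule's 25% ownership-prong threshold


def effective_ownership(cap_tables: CapTables, entity: str,
                        _path: Tuple[str, ...] = ()) -> Dict[str, Fraction]:
    """Collapse direct and indirect holdings into per-person stakes.

    Each layer's percentage is multiplied down the chain, so a person holding
    60% of a company that holds 50% of the customer is credited with 30% of
    the customer. Fractions keep the arithmetic exact at the 25% boundary.
    """
    if entity in _path:
        raise ValueError(f"circular ownership through {entity!r}")
    stakes: Dict[str, Fraction] = {}
    for holder, percent in cap_tables.get(entity, {}).items():
        stake = Fraction(percent, 100)
        if holder in cap_tables:  # intermediate entity: look through it
            inner = effective_ownership(cap_tables, holder, _path + (entity,))
            for person, fraction in inner.items():
                stakes[person] = stakes.get(person, Fraction(0)) + stake * fraction
        else:  # natural person holding directly
            stakes[holder] = stakes.get(holder, Fraction(0)) + stake
    return stakes


def beneficial_owners(cap_tables: CapTables, entity: str, control_person: str,
                      threshold: Fraction = THRESHOLD) -> Dict[str, object]:
    """Apply both prongs: everyone at or above the threshold, plus one control person."""
    stakes = effective_ownership(cap_tables, entity)
    ownership_prong: Set[str] = {p for p, f in stakes.items() if f >= threshold}
    return {
        "ownership_prong": ownership_prong,
        "control_prong": control_person,
        # the union de-duplicates when the control-prong officer is also a 25% owner
        "all": ownership_prong | {control_person},
    }


if __name__ == "__main__":
    result = beneficial_owners(SAMPLE_CAP_TABLES, "Acme LLC", control_person="Bob")
    for person, stake in sorted(effective_ownership(SAMPLE_CAP_TABLES, "Acme LLC").items()):
        print(f"{person:6} {float(stake):.0%}")
    print("ownership prong:", sorted(result["ownership_prong"]))
    print("control prong:  ", result["control_prong"])
```

In the sample, Carol's 60% of HoldCo Inc becomes an effective 30% of Acme LLC and she qualifies, while Dan's 40% of HoldCo Inc is only 20% of Acme LLC and does not; Alice qualifies directly and Bob is added under the control prong, giving three beneficial owners. Because the threshold is inclusive and stakes cannot exceed 100%, the function can never return more than four ownership-prong owners, which is the bound the text states.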

Exclusions and exemptions

Certain legal-entity types are excluded from beneficial-ownership identification under the rule. The most important categories:

  • SEC-registered issuers and majority-owned subsidiaries thereof.
  • Federally regulated financial institutions (banks, broker-dealers, mutual funds, etc.).
  • Public accounting firms registered under Sarbanes-Oxley.
  • State-regulated insurance companies.
  • Certain state-regulated entities subject to substantial federal or state regulation.
  • Entities whose common stock is listed on the NYSE, Nasdaq, or other major exchanges.

The exclusions reflect a regulatory judgment that these entities are subject to other regimes that achieve similar transparency. Even excluded entities still require customer identification and verification and the "nature and purpose" obligation; only the beneficial-ownership identification step is exempted.

How CDD interacts with the Corporate Transparency Act

The Corporate Transparency Act (CTA), enacted in 2021, created a separate beneficial-ownership reporting regime. Under the CTA, certain U.S. and foreign legal entities must report beneficial ownership information directly to FinCEN's Beneficial Ownership Information (BOI) database. The reporting obligation lies on the legal entity itself, not on a financial institution.

The CTA and the CDD Rule are complementary but separate:

  • The CDD Rule requires financial institutions to collect beneficial-ownership information from customers at account opening.
  • The CTA requires legal entities to report beneficial-ownership information directly to FinCEN.
  • Financial institutions can, with customer consent, query the BOI database to support their CDD obligation. As of 2026, the BOI access framework is live but adoption by financial institutions is still ramping.

The CTA's implementation has been turbulent — court challenges, enforcement pauses, scope clarifications. As of mid-2026, the BOI reporting requirement applies to most newly formed entities and most pre-existing entities that meet the reporting-company definition, with several categories of exemption that broadly mirror the CDD Rule's exclusions.

Ongoing monitoring

The fourth prong of CDD — ongoing monitoring — is the obligation most often under-implemented in practice. The rule requires the institution to:

  • Maintain and update customer information based on monitoring results, customer-reported changes, and external information.
  • Detect and report suspicious transactions.
  • Periodically refresh CDD information on a risk-based schedule.

For high-risk customers, refresh cycles are typically annual or more frequent. For low-risk customers, refresh cycles can be every two to five years. Triggered refreshes — when the institution detects significant activity changes, ownership changes, or external information about the customer — happen outside the periodic schedule.

Ongoing monitoring under CDD is the bridge between the static onboarding KYB and the live transaction-monitoring program required under the broader BSA/AML regime.

Evidence and examination

Examiners testing CDD compliance specifically look at:

  • Whether the institution has a written CDD policy that addresses all four prongs.
  • Whether beneficial ownership has been collected for all in-scope legal-entity customers, with the underlying certification on file.
  • Whether risk-rating decisions for legal-entity customers are documented with rationale that ties to the "nature and purpose" understanding.
  • Whether ongoing-monitoring evidence — periodic refreshes, triggered updates, ownership changes — is captured.
  • Whether the SAR filings referencing legal-entity customers connect back to the CDD information collected at onboarding.

The evidence infrastructure that satisfies examination needs the same four properties as the broader AML evidence stack: completeness (every CDD decision captured together with the inputs it rested on), tamper-evidence (records append-only or hash-chained), framework tagging (each record references the CDD Rule control it satisfies), and exportability (a customer's complete CDD file produced on demand in minutes, not days).
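The four properties can be demonstrated in a small evidence log. This is an added example, not code from the page or from FinQub: each record carries the SHA-256 of the record before it (tamper-evidence), stores the inputs the decision rested on (completeness), is tagged with the prong it satisfies (framework tagging), and a per-customer export pulls the complete file (exportability). The control tags are labels I chose for the four prongs, not official FinCEN identifiers, and the customer, names, and timestamps are constructed placeholders.

```python
import copy
import hashlib
import json
from typing import Iterable, List, Set

GENESIS_HASH = "0" * 64  # chain anchor for the first record

# My own tags for the four prongs described on the page; not FinCEN identifiers.
REQUIRED_CONTROLS = {
    "cdd.identify_customer",
    "cdd.identify_beneficial_owners",
    "cdd.nature_and_purpose",
    "cdd.ongoing_monitoring",
}


def _canonical(obj: dict) -> bytes:
    """Deterministic JSON so the hash does not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class CddEvidenceLog:
    """Append-only evidence log. Each record embeds the SHA-256 of the previous
    record, so editing, reordering or deleting any earlier record breaks verify()."""

    def __init__(self) -> None:
        self._records: List[dict] = []

    def append(self, customer_id: str, control: str, event: str,
               inputs: dict, actor: str, recorded_at: str) -> str:
        prev_hash = self._records[-1]["hash"] if self._records else GENESIS_HASH
        body = {
            "seq": len(self._records),
            "customer_id": customer_id,
            "control": control,       # framework tag: which CDD obligation this satisfies
            "event": event,
            "inputs": inputs,         # completeness: the inputs the decision rested on
            "actor": actor,
            "recorded_at": recorded_at,
            "prev_hash": prev_hash,   # tamper-evidence: link to the previous record
        }
        record = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
        self._records.append(record)
        return record["hash"]

    def verify(self) -> bool:
        """Recompute every hash and check the chain and sequence numbers."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self._records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["seq"] != i or body["prev_hash"] != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def export_customer_file(self, customer_id: str) -> List[dict]:
        """Exportability: the complete CDD file for one customer, in order."""
        return [r for r in self._records if r["customer_id"] == customer_id]

    def missing_controls(self, customer_id: str,
                         required: Iterable[str] = REQUIRED_CONTROLS) -> Set[str]:
        """Which prongs have no evidence record yet for this customer."""
        seen = {r["control"] for r in self.export_customer_file(customer_id)}
        return set(required) - seen


def build_sample_log() -> CddEvidenceLog:
    """Constructed onboarding records for a fictional customer; all values are placeholders."""
    log = CddEvidenceLog()
    cust = "cust-0001"
    log.append(cust, "cdd.identify_customer", "entity_verified",
               {"legal_name": "Acme LLC", "registry_ref": "SOS-PLACEHOLDER", "tin_last4": "1234"},
               "kyb-service", "2026-05-01T10:00:00Z")
    log.append(cust, "cdd.identify_beneficial_owners", "certification_received",
               {"owners": ["Alice", "Carol"], "control_person": "Bob", "signed_by": "Bob"},
               "kyb-service", "2026-05-01T10:05:00Z")
    log.append(cust, "cdd.nature_and_purpose", "risk_rated",
               {"business": "software reseller", "expected_monthly_volume_usd": 50000, "tier": "medium"},
               "analyst-17", "2026-05-01T11:30:00Z")
    return log


def tampered_copy_verifies(log: CddEvidenceLog) -> bool:
    """Quietly lower the risk tier in an earlier record and re-run verify(); expected False."""
    forged = copy.deepcopy(log)
    forged._records[2]["inputs"]["tier"] = "low"
    return forged.verify()
```

The gap report from `missing_controls` is what an examiner's first two questions reduce to: is there a record for every prong, and is the certification on file. Until an ongoing-monitoring event is appended, the sample customer shows exactly that prong missing; once a periodic refresh is recorded the set is empty and the chain still verifies.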

Practical fintech implications

For a fintech operating behind a sponsor bank, the CDD Rule shows up as the operational backbone of the KYB onboarding flow:

  • Registry verification establishes the legal-entity customer's identity (Secretary of State filings, EIN verification, registered agent confirmation).
  • UBO collection is the customer-facing flow that gathers the names, dates of birth, addresses, and taxpayer IDs of beneficial owners under both prongs.
  • Identity verification on the named beneficial owners runs the same KYC checks the fintech runs on individual customers.
  • Risk rating assigns the legal-entity customer a tier based on the "nature and purpose" understanding plus the verified beneficial-owner attributes.
  • Ongoing-monitoring schedule is set based on the risk rating, with re-verification and re-screening cadence appropriate to the tier.

A KYB orchestration platform — FinQub or a comparable system — operationalizes all five steps as one workflow with one evidence record per legal-entity customer, which the institution itself or a sponsor-bank examiner can pull on demand.
