In May of 2018, the new Customer Due Diligence Requirements for Financial Institutions (the “CDD Rule”) from the Financial Crimes Enforcement Network went into effect. Recognizing that some credit unions need additional time to implement changes to fully comply with the updated CDD Rule, the National Credit Union Administration (“NCUA”) subsequently provided a grace period to credit unions. The NCUA has indicated that credit unions will not be subject to enforcement actions for violations of the new CDD Rule so long as they make a “good faith effort” to comply with the updated CDD Rule.
This grace period ends on December 31, 2018.  Credit unions should use this remaining grace period to become familiar with the new CDD Rule and update their policies, procedures, and processes.
The purpose of the CDD Rule is to enhance Bank Secrecy Act (“BSA”) compliance by improving financial transparency. To accomplish this, the CDD Rule contains four core requirements. A credit union must have in place a written policy and procedures reasonably designed to do the following:
First, “verify the identity of customers”;
Second, “identify and verify the identity of the beneficial owners of corporate customers opening accounts”;
Third, “understand the nature and purpose of customer relationships to develop customer risk profiles”; and
Fourth, “conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.” 
The CDD Rule requires credit unions and other covered financial institutions to collect information to “identify and verify the identity” of any individual who owns 25% or more of a legal entity opening an account and any individual who controls that legal entity. These individuals are treated as the beneficial owners of the legal entity. Accordingly, this aspect of the CDD Rule is known as the Beneficial Ownership Rule.
Who Must Be Identified?
Under the Beneficial Ownership Rule, a credit union must establish and maintain written procedures that are reasonably designed to identify and verify beneficial owner(s) of legal entity customers and to include such procedures in its anti-money laundering compliance program.  This raises two questions that a credit union should consider.
First, does the account holder qualify as a “legal entity customer?” Under the new CDD Rule, a legal entity customer is defined as:
- a corporation;
- a limited liability partnership;
- a limited liability company;
- a general partnership;
- any other entity that is created by the filing of a public document with the Secretary of State or similar office; or
- any similar entity formed under the laws of a foreign country that opens an account 
Based on this definition, legal entity customers do not include estate-planning trusts, sole proprietorships, or natural persons opening accounts on their own behalf. Additionally, the Beneficial Ownership Rule lists several exclusions from the definition of legal entity customer, such as a bank regulated by a state bank regulator. If the customer meets the definition of “legal entity customer,” the Beneficial Ownership Rule applies and the credit union must address the second question.
The second question is twofold. Beneficial ownership is determined under both a control prong and an ownership prong.
Control Prong: To comply with the control prong, a credit union will need to identify a single individual with significant responsibility to control, manage, or direct the legal entity customer. At least one beneficial owner must be identified under the control prong for each legal entity customer. Examples of positions that would qualify under the control prong are chief executive officer, chief financial officer, chief operating officer, or president. The person opening a new account on behalf of a legal entity can choose who to identify.
Ownership Prong: To comply with the ownership prong, a credit union needs to assess who owns at least 25% of the legal entity. A beneficial owner is an individual who directly or indirectly, through any contract, arrangement, understanding, or relationship, owns 25% or more of the equity interests of a legal entity customer. However, if no individual owns 25% or more, a credit union is not required to identify a beneficial owner under the ownership prong.
For example, a credit union identifies an account opened for a limited liability company (“LLC”), a legal entity customer. The LLC is equally owned by Entities A, B, C, and D. It is important to remember that for purposes of the ownership prong the owner must be an individual or, in other words, a natural person. Thus, the credit union may need to cut through layers of the Entities. For the following scenarios, keep in mind that Entities A, B, C, and D each own 25% of the LLC.
Example 1: Each Entity is owned by a single individual. This means that the individuals each own 25%. Accordingly, the credit union must collect information from all four individuals from Entities A, B, C, and D.
Example 2: Entities A, B, and C are owned by a single individual, but Entity D is owned by multiple individuals. Because multiple individuals own Entity D, none can fully own it, and therefore, none can own 25% of the legal entity customer. Accordingly, the credit union would only need to collect information from the individual that owns Entities A, B, and C.
Thus, under the Beneficial Ownership Rule, after determining that a customer is a legal entity, all legal entity customers will have a total of between one and five beneficial owners. There must be one individual under the control prong. There can be zero to four individuals (i.e., up to four 25% owners) under the ownership prong. While these are the minimum requirements, credit unions can implement stricter internal controls.
What Information Must Be Collected?
When a legal entity customer opens a new account after May 11, 2018, the credit union must collect certain information on the owners of the legal entity.
Credit unions must establish and maintain a written procedure detailing the identifying information that must be obtained for each beneficial owner of a legal entity customer opening a new account after May 11, 2018. For example, once a beneficial owner is identified, the credit union must obtain the following information:
- date of birth;
- address; and
- identification number, such as a social security number or taxpayer identification number. 
This information can be obtained through a completed certification form. It must be completed by the person opening a new account on behalf of a legal entity. Additionally, the credit union must verify the information and establish recordkeeping procedures to maintain the identification information for at least five years after the date the account is closed.
It is important to note that credit unions are not required to conduct retroactive reviews to obtain beneficial ownership information on legal entity customers that were existing customers prior to May 11, 2018.  Nevertheless, if a credit union learns of changing beneficial ownership of existing customers through standard BSA compliance monitoring, it will be required to update the required information. 
The implementation of the CDD Rule mandates that credit unions identify and collect information from beneficial owners. Indeed, a credit union will need to familiarize itself with the new due diligence requirements. Regulators will not fully enforce the CDD Rule for the remainder of 2018, giving credit union personnel time to familiarize themselves with the new requirements. So long as a credit union makes a “good faith effort” to comply with the CDD Rule, it will not be exposed to enforcement if a violation does occur. It is important to consult experienced counsel to evaluate whether the efforts being made are in good faith and on track to be fully compliant by the deadline.
 The NCUA is the independent federal agency created by the U.S. Congress to regulate, charter, and supervise federal credit unions.
 Letter from J. Mark Watters to Federally Insured Credit Unions (August 2018), https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/letters-to-credit-unions/2018/18-CU-02-examination-guidance-bank-secrecy-act.pdf.
 Information on Complying with the Customer Due Diligence (CDD) Final Rule, FIN. CRIMES ENF’T NETWORK, https://www.fincen.gov/resources/statutes-and-regulations/cdd-final-rule.
 See 31 C.F.R. 1010.230(a).
 See 31 C.F.R. 1010.230(e)(1).
 See 31 C.F.R. 1010.230(e)(2).
 See 31 C.F.R. 1010.230(d)(2).
 Letter from J. Mark Watters, supra n.1.
 See 31 C.F.R. 1010.230(d)(1).
 Letter from J. Mark Watters, supra n.1.
 31 C.F.R. 1010.230, Appendix A.
 See 31 C.F.R. 1020.220(a)(2)(ii) (discussing verification through documentary and nondocumentary methods). For example, the credit union may check an individual’s unexpired government-issued ID, such as a driver’s license or passport. 31 C.F.R. 1020.220(a)(2)(ii)(A)(1).
 Letter from J. Mark Watters, supra n.1.