FINRA Regulatory Notice 17-40, Customer Due Diligence Requirements for Financial Institutions, issued November 21, 2017, is FINRA's comprehensive guidance document advising member firms of their obligations under FINRA Rule 3310's anti-money laundering compliance programme requirements in light of the Financial Crimes Enforcement Network's adoption of the Customer Due Diligence Rule, commonly called the CDD Rule. The CDD Rule formally established a fifth pillar of anti-money laundering compliance by adding an explicit ongoing customer due diligence requirement to the existing four-pillar Bank Secrecy Act framework. It also introduced for the first time a mandatory beneficial ownership identification and verification requirement, compelling covered financial institutions, including broker-dealers, to identify and verify the natural persons who own or control legal entity customers at the time of account opening.
The CDD Rule was issued by FinCEN — the Financial Crimes Enforcement Network, the bureau of the United States Department of the Treasury responsible for administering the Bank Secrecy Act and its implementing regulations — on May 11, 2016, with a compliance date of May 11, 2018. Regulatory Notice 17-40 was issued approximately six months before the compliance deadline to give member firms sufficient time to understand the new requirements, update their written anti-money laundering policies and procedures, train their registered representatives and compliance staff, and implement the systems and processes needed to collect and verify beneficial ownership information from legal entity customers opening new accounts.
The notice addressed one of the most significant expansions of anti-money laundering compliance obligations in the securities industry since the USA PATRIOT Act's customer identification programme requirements were implemented in the aftermath of September 11. The importance of that regulatory framework has only grown as the use of shell companies, nominee accounts, and other legal entity structures to conceal the true ownership of assets has continued to expand as a mechanism for money laundering, sanctions evasion, and other financial crimes.
The CDD Rule was adopted in response to persistent regulatory concerns that the existing anti-money laundering framework for financial institutions, while effective in many respects, had a significant gap in its coverage of legal entity customers. Before the CDD Rule, financial institutions were required to identify and verify the identities of individual customers opening accounts, but were not specifically required to look through the legal entity to identify and verify the identities of the natural persons (the human beings) who actually owned or controlled those entities.
This gap allowed sophisticated money launderers to use shell companies, trusts, partnerships, and other legal entity structures as intermediaries between their true identities and the financial system — opening accounts in the name of the entity and using the entity's legal separate identity to shield their own identities from financial institutions' customer identification processes. Law enforcement investigations of money laundering, corruption, and sanctions evasion cases consistently documented the use of legal entity intermediaries as a primary mechanism for concealing the true ownership of illicit funds.
The CDD Rule addressed this gap by requiring covered financial institutions — including banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities — to identify and verify the identities of the beneficial owners of legal entity customers at the time new accounts are opened, adding an explicit beneficial ownership component to the existing anti-money laundering compliance framework.
The CDD Rule identifies four components of comprehensive customer due diligence — building on and expanding the existing anti-money laundering framework that broker-dealers were already required to maintain under the Bank Secrecy Act and FINRA Rule 3310.
The first component is customer identification and verification — the requirement to identify customers using specified identifying information including name, date of birth for individuals, address, and identification number, and to verify that identity through documentary or non-documentary means. This component was already required for individual customers under the customer identification programme requirements of 31 CFR 1023.220 — the CDD Rule addressed the application of these requirements to legal entity customers in the context of the beneficial ownership framework.
The second component, and the most significant new requirement of the CDD Rule, is beneficial ownership identification and verification: the requirement to identify and verify the identities of the natural persons who own or control legal entity customers at the time a new account is opened. This component had not previously been explicitly required by federal regulation. Covered financial institutions had historically applied risk-based judgements about when to look through legal entity customers to their underlying ownership, without a uniform mandatory requirement. The CDD Rule transformed this risk-based option into a mandatory universal requirement.
The third component is understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile — the requirement to have sufficient understanding of each customer's business and the anticipated nature of their account activity to assess whether observed account behaviour is consistent with what would be expected for that type of customer. This component codified what FINRA and FinCEN had already stated was implicitly required by the suspicious activity reporting obligations of the Bank Secrecy Act.
The fourth component is ongoing monitoring for suspicious transactions and the maintenance and updating of customer information — the requirement to continuously monitor customer account activity for patterns that may indicate suspicious activity warranting investigation and potential Suspicious Activity Report filing, and to update customer information on a risk basis when changes in customer circumstances make the existing information no longer accurate or complete. This component similarly codified existing expectations under the suspicious activity reporting framework.
The most significant conceptual contribution of the CDD Rule — and the focus of much of the attention that Regulatory Notice 17-40 received — was the formal establishment of the third and fourth components of customer due diligence as a fifth pillar of the anti-money laundering compliance programme framework.
Before the CDD Rule, the Bank Secrecy Act's anti-money laundering programme requirements for broker-dealers were organised around four pillars: internal policies, procedures, and controls; designation of a compliance officer; ongoing employee training; and independent testing. These four pillars, required by FINRA Rule 3310 as the foundational components of every member firm's AML programme, had governed the structure of broker-dealer AML compliance since the implementation of the USA PATRIOT Act's requirements in 2002.
The CDD Rule's fifth pillar requires appropriate risk-based procedures for conducting ongoing customer due diligence, including understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information. It formally elevated these activities from implied best practices to explicit regulatory requirements.
FINRA and FinCEN were careful to note in their respective guidance that the fifth pillar does not represent new law — broker-dealers were already expected to understand their customers and monitor account activity as implicit requirements of their suspicious activity reporting obligations. The fifth pillar makes explicit what was previously implicit — ensuring that the ongoing customer due diligence activities that effective anti-money laundering compliance requires are formally incorporated into every member firm's written AML programme with the same mandatory status as the original four pillars.
The beneficial ownership component of the CDD Rule — the most operationally demanding new requirement for broker-dealers — requires member firms to establish and maintain written procedures to identify and verify the identities of beneficial owners of legal entity customers at the time a new account is opened.
For purposes of the CDD Rule, a beneficial owner is any natural person who meets either of two tests: the ownership test or the control test.
The ownership test identifies any natural person who directly or indirectly owns twenty-five percent or more of the equity interests of the legal entity customer. Under this test, a limited liability company whose sole member is a natural person has one beneficial owner (the natural person member), and a corporation with four equal shareholders each owning twenty-five percent has four beneficial owners. If no natural person meets the twenty-five percent ownership threshold, the ownership prong of the beneficial ownership test may result in no beneficial owners being identified, in which case only the control prong applies.
The control test identifies one natural person with significant responsibility for managing the legal entity customer — a chief executive officer, chief financial officer, chief operating officer, managing member, general partner, president, vice president, or treasurer, or any other individual who regularly performs similar functions. The control test ensures that at least one natural person — the individual responsible for directing the entity's activities — is identified regardless of the ownership structure.
The information required to identify and verify beneficial owners mirrors the information required for individual customers under the customer identification programme — name, date of birth, address, and identification number — with verification through documentary or non-documentary means consistent with the firm's existing customer identification programme procedures.
Regulatory Notice 17-40 outlines the specific steps that member firms needed to take to comply with the CDD Rule by the May 11, 2018 compliance date — and these implementation requirements remain ongoing obligations that member firms must continue to fulfil for all new legal entity accounts opened after the compliance date.
Member firms must update their written anti-money laundering programmes to incorporate the fifth pillar's ongoing customer due diligence requirements — specifically adding policies and procedures addressing the development of customer risk profiles, ongoing monitoring of account activity, and the risk-based maintenance and updating of customer information.
Member firms must establish and maintain written procedures to identify and verify beneficial owners of legal entity customers at account opening — including the collection of the required identifying information, the verification of that information, and the retention of the verification documentation in accordance with the Bank Secrecy Act's recordkeeping requirements.
Member firms must train their registered representatives and customer-facing compliance staff to understand the new beneficial ownership requirements — specifically to explain to customers why the information is being requested, what uses will be made of it, and the legal authority under which it is required. Many legal entity customers and their representatives were unfamiliar with the beneficial ownership requirement when it was first implemented — effective training of registered representatives enabled them to explain the requirement clearly and obtain cooperation from customers who might otherwise decline to provide the requested information.
Member firms must apply the beneficial ownership requirements to new accounts opened for legal entity customers — defined as corporations, limited liability companies, partnerships, and other entities that are not excluded from the definition. The CDD Rule's legal entity customer definition excludes several categories of entities whose ownership and regulatory status make the beneficial ownership requirement unnecessary — including entities publicly listed on a United States national securities exchange, registered investment companies, and certain regulated financial institutions whose ownership is already subject to regulatory transparency requirements.
Regulatory Notice 17-40 connects the CDD Rule's beneficial ownership requirement directly to the broader know your customer framework that underlies the FINRA regulatory structure — specifically to FINRA Rule 2090's essential facts requirement and FINRA Rule 4512's customer account information requirements.
The beneficial ownership information collected under the CDD Rule contributes to the member firm's understanding of its legal entity customers — enabling more informed customer risk profile development, more targeted suspicious activity monitoring, and more effective detection of the red flags that may indicate that an account is being used for money laundering or other financial crimes. A member firm that knows the natural persons who own and control each of its legal entity customers is far better positioned to identify inconsistencies between stated account purpose and actual account activity than one that has only the legal entity's name and registration information.
The trusted contact person requirement of FINRA Rule 4512 — addressed in detail in the FINRA Rule 4512 entry of this dictionary — represents a parallel but distinct concept of identifying a human being behind an account relationship. While the trusted contact is specifically focused on protecting individual retail customers from financial exploitation and diminished capacity, the beneficial ownership requirement serves the anti-money laundering purpose of identifying the natural persons responsible for legal entity accounts — the two frameworks together ensure that member firms have meaningful human contact information behind both their retail individual customer relationships and their legal entity customer relationships.
Regulatory Notice 17-40's guidance on the CDD Rule continues to be relevant to member firms' ongoing AML compliance obligations — the beneficial ownership requirement applies to every new legal entity account opened after May 11, 2018 and the fifth pillar's ongoing customer due diligence requirements apply continuously throughout every customer relationship.
FINRA's Annual Regulatory Oversight Reports, including those issued in 2024, 2025, and 2026, have consistently identified AML compliance, including beneficial ownership and customer due diligence, as priority examination topics. Examination findings have included failures to collect beneficial ownership information at account opening, inadequate customer risk profile development, insufficient ongoing monitoring of account activity, and failure to update customer information when changes in customer circumstances are identified.
The Corporate Transparency Act was enacted as part of the National Defense Authorization Act for fiscal year 2021, and its beneficial ownership reporting requirements for corporations and limited liability companies have been subject to ongoing implementation and legal challenges. It operates separately from the CDD Rule's beneficial ownership requirements but addresses the same fundamental transparency concern from the entity registration side. The Corporate Transparency Act requires beneficial ownership reporting to FinCEN by the entities themselves, rather than by the financial institutions with which they open accounts, but the two frameworks collectively advance the same goal of reducing the ability of bad actors to use legal entity structures to conceal their identities from financial institutions and law enforcement.
FINRA Regulatory Notice 17-40 is tested on the Series 7 and Series 65 examinations in the context of anti-money laundering compliance, the fifth pillar of AML programmes, beneficial ownership, and the CDD Rule's requirements for legal entity customers.
The key points to retain are these.
FINRA Regulatory Notice 17-40 — issued November 21, 2017 — provided member firms guidance on their obligations under FINRA Rule 3310 in light of FinCEN's Customer Due Diligence Rule, which became effective May 11, 2018. The CDD Rule identifies four components of customer due diligence — customer identification and verification, beneficial ownership identification and verification, understanding the nature and purpose of customer relationships to develop customer risk profiles, and ongoing monitoring for suspicious transactions and risk-based maintenance and updating of customer information.
The CDD Rule established the third and fourth components as a formal fifth pillar of the Bank Secrecy Act anti-money laundering compliance programme framework — adding to the original four pillars of internal policies and procedures, compliance officer designation, employee training, and independent testing. The fifth pillar does not represent new law — it codifies existing expectations under the suspicious activity reporting framework. The beneficial ownership requirement — the most operationally significant new obligation — requires member firms to identify and verify the identities of natural persons who own twenty-five percent or more of a legal entity customer's equity or who exercise significant management control, at the time new accounts are opened. Member firms must update their written AML programmes to incorporate the fifth pillar's ongoing customer due diligence requirements, establish written beneficial ownership identification and verification procedures, and train registered representatives to implement the new requirements effectively.