Lesson 06 of 15
KYC / CDD and the Beneficial Ownership Rule
5 min read · AML·FT
Go beyond identity to the risk profile that drives monitoring. Apply the CDD Rule (31 CFR 1010.230), including the 25% ownership and control prongs for business customers, plus risk-rating, EDD, and the ongoing refresh fintechs most often skip.
CIP is who; CDD is who really, and why
- CIP verifies identity; CDD builds understanding and a risk profile
- CDD Rule: 31 CFR 1010.230; FATF Recommendation 10 mirrors it
- The goal: know what 'normal' looks like for this customer
Last lecture we verified who the customer is. Customer due diligence, or CDD, goes further: it asks who the customer really is, what they intend to do, and what 'normal' should look like for them, so that abnormal activity stands out. The controlling rule is FinCEN's Customer Due Diligence Rule at thirty-one C-F-R ten-ten point two-thirty, and the international standard, F-A-T-F Recommendation ten, mirrors it.
CDD is the bridge between onboarding and monitoring: the risk profile you build here is the baseline your monitoring will measure activity against. Get CDD thin, and monitoring has nothing to compare against. So this lecture is about building a real, risk-tiered understanding of your customers, including the part fintechs most often miss, beneficial ownership.
The four core CDD elements
- Identify and verify the customer (CIP)
- Identify and verify beneficial owners of legal-entity customers
- Understand nature and purpose to build a risk profile
- Conduct ongoing monitoring to update and report
The CDD Rule is often summarized as four elements, and they map cleanly onto a fintech. One: identify and verify the customer, which is your CIP. Two: for customers that are legal entities, identify and verify their beneficial owners.
Three: understand the nature and purpose of the relationship in order to develop a customer risk profile. And four: conduct ongoing monitoring to identify and report suspicious transactions and to keep customer information current. Notice that the rule itself bakes monitoring in: CDD isn't a one-time gate at signup; it's a continuous process.
Fintechs that treat due diligence as a checkbox at onboarding, and never revisit it, are only doing one of the four elements.
The Beneficial Ownership Rule
- For legal-entity customers (companies opening accounts)
- Ownership prong: each individual owning 25% or more
- Control prong: one individual with significant control
- Collect and verify these humans — not just the company
Here's the piece fintechs most often overlook. When your customer is a legal entity, a company opening a business account, the Beneficial Ownership Rule requires you to look through the company to the real humans behind it. There are two prongs.
The ownership prong: identify each individual who directly or indirectly owns twenty-five percent or more of the entity. And the control prong: identify at least one individual with significant responsibility to control or manage the entity, an executive officer or senior manager. You collect and verify those beneficial owners, not just the company's paperwork.
The whole point is to stop bad actors from hiding behind a shell. A fintech that launches a business product but only verifies the company, never the owners, has missed a core BSA obligation, and shell-company misuse is exactly the abuse this rule exists to catch.
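As an added illustration (not part of the lecture), the look-through below resolves a legal-entity customer's ownership chain to natural persons, aggregates direct and indirect interests by multiplying percentages down each chain, applies the 25% ownership prong, and adds the control-prong individual. The entity names, percentages and the multiplicative aggregation model are constructed for this example; the ownership graph shows how a person who appears to hold only 10% directly can cross the threshold once a holding company is looked through.

```python
"""Beneficial-ownership look-through for a legal-entity customer (example code)."""

OWNERSHIP_THRESHOLD = 25.0  # ownership prong of the CDD Rule, 31 CFR 1010.230

# Ownership graph: entity -> list of (owner, percent held).
# Any owner that is not itself a key in the graph is treated as a natural person.
OwnershipGraph = dict[str, list[tuple[str, float]]]


def effective_ownership(graph: OwnershipGraph, entity: str, path: tuple = ()) -> dict[str, float]:
    """Return {individual: percent} of `entity` held directly or indirectly.

    Indirect interests are multiplied down each chain of intermediate entities
    and summed across chains. Circular structures are rejected rather than
    silently under-counting an owner.
    """
    totals: dict[str, float] = {}
    for owner, pct in graph.get(entity, []):
        if owner in path:
            raise ValueError(f"circular ownership via {owner}")
        if owner in graph:  # intermediate legal entity: look through it
            for person, sub_pct in effective_ownership(graph, owner, path + (entity,)).items():
                totals[person] = totals.get(person, 0.0) + pct * sub_pct / 100.0
        else:  # natural person: end of the chain
            totals[owner] = totals.get(owner, 0.0) + pct
    return totals


def beneficial_owners(graph: OwnershipGraph, entity: str, control_person: str) -> dict:
    """Apply both prongs and return the set of individuals to collect and verify."""
    owners = effective_ownership(graph, entity)
    ownership_prong = sorted(p for p, pct in owners.items() if pct >= OWNERSHIP_THRESHOLD)
    # The control prong always names at least one individual, even when the
    # ownership prong yields nobody; the same person may satisfy both.
    return {
        "ownership_prong": ownership_prong,
        "control_prong": control_person,
        "to_verify": sorted(set(ownership_prong) | {control_person}),
    }


# Constructed sample: an LLC half-owned by a holding company, half by individuals.
# Carl holds 10% directly but another 20% through Holdco Inc, so he must be verified.
SAMPLE_GRAPH: OwnershipGraph = {
    "Acme LLC": [("Holdco Inc", 50.0), ("Bea", 30.0), ("Carl", 10.0), ("Dana", 10.0)],
    "Holdco Inc": [("Alice", 60.0), ("Carl", 40.0)],
}

if __name__ == "__main__":
    # Dana is below 25% but is the control person, so she is collected anyway.
    print(beneficial_owners(SAMPLE_GRAPH, "Acme LLC", control_person="Dana"))
```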
Risk-rating customers in a fintech
- Score risk from product, geography, behavior, customer type
- Higher risk → enhanced due diligence (EDD)
- EDD: more information, source of funds, closer monitoring
- Document the model; govern overrides and exceptions
Once you understand a customer, you risk-rate them, because CDD is risk-based. A fintech risk model typically scores factors like the product used, geographies touched, customer type, expected versus actual behavior, and any negative information. Higher-risk customers get enhanced due diligence, or EDD: more information up front, an understanding of source of funds or wealth where appropriate, and closer, more frequent monitoring.
Lower-risk customers get a lighter touch. The disciplines that matter are documenting the model so it's defensible, and governing the overrides, because the dangerous pattern is a sales or growth team quietly downgrading a risky customer to keep them on the platform. Every override should be logged, justified, and reviewable.
An examiner will sample your high-risk customers and ask to see the EDD; empty files are a finding.
Ongoing monitoring keeps CDD alive
- Refresh customer information on a risk-based cadence
- Watch for activity that breaks the expected profile
- Trigger reviews on events: spikes, new geographies, alerts
- Feed changes back into risk rating and EDD
The fourth element, ongoing monitoring, is what keeps CDD from going stale. You refresh customer information on a risk-based cadence, more often for higher-risk customers, and you watch for activity that breaks the expected profile you built at onboarding. Event triggers matter: a sudden volume spike, payments to a new high-risk geography, a string of monitoring alerts, or a change in the customer's business should each prompt a review, and the outcome should feed back into the customer's risk rating and, where warranted, enhanced due diligence.
This loop (profile, monitor, update) is where due diligence and transaction monitoring meet, and it's the engine that eventually produces suspicious-activity reports. A fintech with great onboarding but no refresh process has a customer file that describes who someone was on day one, not who they are today.
Recap and self-check
- CDD: verify, beneficial ownership, risk profile, ongoing monitoring
- Rule: 31 CFR 1010.230; 25% ownership prong + control prong
- Risk-rate and apply EDD; govern overrides
- Refresh and re-rate — CDD is continuous, not a signup gate
Let's lock it in. The CDD Rule at thirty-one C-F-R ten-ten point two-thirty has four parts: verify the customer, identify the beneficial owners of legal-entity customers at the twenty-five-percent ownership prong and the control prong, build a risk profile from the nature and purpose of the relationship, and monitor on an ongoing basis. Higher risk triggers enhanced due diligence, and overrides must be governed.
Self-check: when a company signs up for your business product, do you collect and verify the individual owners and a control person, and do you ever refresh that file afterward? If the answer is 'we verify the company once,' you've found two gaps at once. Next, we move from knowing your customer to watching their money: transaction monitoring at scale, and the model risk that comes with it.
Sources
- FinCEN CDD / Beneficial Ownership Rule, 31 CFR 1010.230
- Bank Secrecy Act / 31 CFR Chapter X
- FFIEC BSA/AML Examination Manual (CDD)
- FATF Recommendation 10 (customer due diligence)
Test your knowledge
A few AML·FT questions on this material — pick an answer to see the explanation.
Q1. Under FinCEN's Customer Due Diligence Rule, what four elements form the core of CDD for covered financial institutions?
Q2. A fintech onboards a legal entity customer — an LLC that opens a business account. Under the FinCEN CDD Rule, which information must the fintech collect about the LLC's ownership?
Q3. A crypto exchange is considering accepting only a selfie-video liveness check without any government-issued document for onboarding. What is the primary risk of this approach from an AML/KYC perspective?
Q4. A fintech's onboarding system flags a new customer as a politically exposed person (PEP). Under a risk-based AML approach, what is the appropriate next step?