While credit unions pride themselves on knowing their members, once the proposed Financial Crimes Enforcement Network due diligence rule goes into effect, they will likely have to get to know them just a little bit better.
The rule, Customer Due Diligence Requirements for Financial Institutions, published Aug. 4 in the Federal Register, seeks to clarify and strengthen customer due diligence requirements for banks and credit unions, brokers and dealers in securities, mutual funds, commodities and futures commission merchants.
Proposed under the Bank Secrecy Act, the rule contains explicit customer due diligence requirements and includes a new regulatory requirement to identify beneficial owners of legal enterprises, subject to certain exemptions. For credit unions, the new rule means having a clearer understanding of accountholders identities and practicing greater diligence in monitoring and reporting changes to their accounts.
The comment period for the rule ends Oct. 3 but a final implementation date has not been established.
"The proposal requires operational changes to account opening procedures, but the changes aren't as bad as we thought they would be," Deborah Crawford, a former banker and president of Gettechnical Inc., a Baton Rouge, La., training and consulting firm, said during a Sept. 15 BankWebinars.com presentation.
"You will have about a year to become compliant, but most will want to act more quickly than that," she added. "We don't expect too many changes to the original proposal."
The proposed rule is designed to increase transparency and provide more comprehensive information on financial institution customers, as well as the identities of various beneficial owners of enterprises that are customers of banks and members of credit unions.
The rule goes further, requiring institutions to better understand the nature and purpose of the business relationship with its customer or member. It also requires institutions to monitor customer and member activities, update information and report suspicious activities.
"This is already at work in your institution, and the new rule is more of a shift in emphasis," Crawford said. "Monitoring risk behavior will become part of the regulation, which it hasn't been in the past."
Read more: Four legs of the same table …
The proposed rule stands on what Crawford described as "four legs of the same table." The first leg consists of the Customer Identification Program requirements addressed in Regulation 1020, which has been in effect since 2003 and established CIP for banks, savings associations, credit unions, and certain non-federally regulated banks. The process of collecting and verifying member information, crosschecking against government lists and keeping accurate records will remain constant under the customer due diligence program, she noted.
The requirements regarding beneficial ownership, the second leg of Crawford's table, will introduce several new elements into the process for depository financial institutions and brings about the most changes. In the case of credit unions, beneficial ownership will largely but not exclusively refer to member-owned business borrowers and accounts.
Beneficial ownership requirements refer to any individuals who have 25% or more ownership of a business entity, called the ownership prong, or have significant responsibility to control, manage or direct the business's operations, called the control prong. This often includes executive staff, board members or anyone authorized to sign on behalf the account.
Under the ownership prong, no more than four individuals may be identified in having 25% ownership. If no single person owns 25% or more of an enterprise, there is no one to identify in this category. But Crawford stressed the importance of identifying individuals rather than holding companies or other corporate entities in order to satisfy the proposed rule.
"If an LLC is owned by another LLC, which is owned by yet another LLC, you're going to have to drill down and identify a person," she explained. "You are doing this anyway, even if it's not in a formal way. Your bank or credit union would certainly want to know who owns all these businesses."
While names under the ownership prong may vary in number, or not exist at all, there must be at least one person named under the control prong, Crawford said. However, the new requirements would not apply to beneficial owners of funds or assets in a payable-through account, since the owner of such funds or assets does not have an account relationship with the covered financial institution.
Despite its stringency, there are exemptions to the beneficial ownership rule, specifically anyone already exempt from CIP and anyone opening an ownership account whose information is readily available from other sources. The list includes securities issuers, investment companies and advisers, registered charities or nonprofit entities, exchange or clearing agencies or any entity registered with the SEC.
"The list also includes intermediary accounts or trust accounts," Crawford said. "If a credit union opens an account at a bank, for example, the credit union is exempt because it is a financial institution and regulated in other ways."
But like any regulations, there are instances that as a guideline may make sense, yet seem absurd in practice, Crawford said.
"Do you have to run beneficial ownership requirements on the local bowling league, Little League teams and family reunion groups (that have accounts at your institution)?" Crawford asked. "Apparently, you will have to do so and will have to ask if anyone has a 25% ownership, which seems sort of ridiculous to me."
Despite requiring a standard certification for beneficial owners, under the proposed rule the institution is under no obligation to verify their identities or status in the same way they do with individuals covered under CIP. In addition, account status need not be reviewed and updated unless a change in status occurs, Crawford said.
The third leg of the CDD table requires financial institutions to understand the nature and purpose of customer relationships in order to develop a customer risk profile. This is a necessary and critical step in complying with the existing requirement to identify and report suspicious transactions as required under the Bank Secrecy Act.
"This is like developing a baseline with your doctor," Crawford said. "We want to get a baseline for our account holders not because we're super-nosy, but if they start wiring funds to India or something we're going to want to know what has changed."
Such knowledge is critical to creating a customer or member risk profile, but not all institutions do it with the same degree of effectiveness, the consultant said.
"Needing to know this information isn't new to us, but some banks and credit unions only do it for business customers," Crawford said. "I don't want to be the bad-news bear here, but I don't think you can get away with that in the future."
Monitoring and reporting changes comprises the fourth leg of Crawford's CDD table. Much like the third leg, such monitoring is critical especially in the face of changes to the customer's or member's baseline of general activity. Automated systems must be adjusted for new requirements if they are going to continue to process data in a way that complies with the new requirements.
"Many of you have some kind of watchdog software that spits out any suspicious activity," Crawford said. "But if the setup of the model is incorrect, then the spit-out of the data is usually incorrect, so all the model's assumptions need to be correct. This should be reviewed annually."
Financial institutions will be required to comply within one year of the issuance of the final rule, Crawford said.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.