The cost of compliance for banks: preparing for FinCEN’s customer due diligence rule

Last May, the Treasury Department issued new anti-money laundering requirements for U.S. banks and, with the clock ticking, banks are scrambling to ensure they comply. Known as the Customer Due Diligence (CDD) Rule, these new requirements go into effect in May 2018 and impose a number of new demands on financial institutions. Although the new rule ultimately may benefit banks by reducing their losses due to fraud, there will be a cost of compliance for banks; most institutions will need to invest significant amounts of their budgets in revising their procedures and adopting new technologies to meet the requirements.

This white paper will review the CDD Rule and assess the potential costs of compliance for banks. It will also describe how a culture of compliance supported by the appropriate technologies and industry solutions can position a bank to better manage its regulatory burdens while streamlining its procedures and raising its service levels.

Why the CDD rule?

For several decades now, regulators have attempted to limit the means by which bad actors launder money in an attempt to avoid sanctions and conceal ill-gotten gains. The U.S. Congress first addressed this issue in 1970 with the passage of the Bank Secrecy Act, which requires financial institutions to cooperate with U.S. government agencies to stem money laundering and fraud. Other anti-money laundering measures have followed, including the USA PATRIOT Act, signed into law in response to the terrorist attacks of Sept. 11, 2001.

In 2012, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) announced work on a new due diligence rule that would compel collection of ultimate beneficial ownership (UBO) information. The publication of the Panama Papers in April 2016 accelerated the process: the millions of leaked documents in this trove detailed how offshore shell corporations have been used for money laundering, tax evasion and other illegal purposes. One month after they were released to the public, the Treasury Department issued its Customer Due Diligence Rule.

The CDD Rule sets out four key procedures for effective customer due diligence:

  1. Ascertaining and verifying customer identities
  2. Ascertaining and verifying ultimate beneficial ownership
  3. Analyzing the nature of the customer relationship
  4. Monitoring customer transactions

As detailed in the FinCEN regulations, identification and verification of customers and beneficial owners is not a one-off process, but requires a bank to identify and verify its business customers each time they open a new account. This applies even when the business in question already has an active account with the bank.

And while the agency does not require it, FinCEN strongly encourages banks to conduct their customer analysis and monitoring on an ongoing basis. Such regular screening ensures that records are current and that any suspicious activity can be quickly monitored and flagged for law enforcement officials. Since banks are legally liable for any criminal activity associated with an account, they have a strong incentive to include regular monitoring activities in their compliance processes.

FinCEN’s stated goal for the new CDD Rule is to improve financial transparency and make it easier for banks and law enforcement agencies to identify illicit money flows. Meeting this goal, however, will require financial institutions to invest significant resources, including budgets and time.

To justify the cost of compliance for banks, FinCEN conducted a regulatory impact assessment, or RIA, and concluded that the financial benefits of the CDD Rule would easily outweigh the costs.[1]

“Curbing only 0.45 percent of the estimated annual $300 billion annual flow of real illicit proceeds in each of the 10 years covered by the RIA,” says the agency’s Deputy Director Jamal El-Hindi, “would justify the costs of the rule and further protect the U.S. financial system from abuse and terrorist financing.”[2]

The cost of compliance for banks

This is not to say that the CDD Rule will provide an equivalent financial benefit or offset the costs for every bank. The RIA offers up two categories of additional expenses that most banks can expect to incur:

  1. Costs associated with staff compensation. FinCEN expects the CDD Rule to increase the time it takes to open new business accounts by an estimated 15 to 30 minutes per account. More employee time will also be spent on monitoring accounts for suspicious activities and on responding to requests from law enforcement groups for information on customers.
  2. Costs associated with implementing new compliance programs. The Treasury Department maintains that financial institutions should be able to use existing technology to comply with the new rule. Still, many banks will want to improve their due diligence by upgrading their systems along with their procedures. Among other benefits, this will let them take fuller advantage of the registries and databases on beneficial owners that entities such as the European Union and some third-party software vendors are currently assembling.

FinCEN predicts that the CDD Rule will cost banks and their customers between $700 million and $1.5 billion over the next decade. However, for its regulatory impact study, the agency used the more “conservative” figure of $10 billion.[3]

To provide a better sense of what those costs might be at the institutional level, the FinCEN RIA quoted individual bank projections. For example, one large bank put its costs at $20 million to $50 million; a midsize bank pegged them at $3 million to $5 million, while a small credit union estimated that implementing the CDD Rule will cost it between $50,000 and $70,000.[4]

Higher expenses, but even greater risks

These costs of compliance for banks are substantial, but the risks of attempting to meet FinCEN’s new regulatory requirements with the systems and processes banks currently have in place are even greater.

These risks are highlighted by a 2016 Know Your Customer (KYC) survey conducted by Thomson Reuters. This and similar studies emphasize the substantial risk of losing business if a bank’s client onboarding process is too long and unwieldy. Specifically, the Thomson Reuters study revealed that banks are already spending an average of $60 million annually on KYC compliance, but it also showed that there is considerable duplication in documentation requests for opening new accounts. In one finding, banks were spending up to 48 days to onboard a new business client, while in another, business clients reported that they were contacted an average of eight times during the onboarding process. Thomson Reuters also found that 89 percent of corporate treasurers have had a bad experience with the KYC process, leading 13 percent of them to change banks. Having to change banks because of a bank’s lengthy and time-consuming processes and procedures is not a positive experience for the end consumer.[5]

Any bank that simply attempts to implement the CDD Rule without upgrading its underlying infrastructure and workflow procedures will very likely exacerbate these inefficiencies, alienating its clients and putting the bank’s revenue at risk. A far better approach would be to use the new requirements as an opportunity for the bank to streamline its current CDD processes and enhance its systems, which would reduce the bank’s staffing costs while improving its clients’ experience.

Such an approach would also help the bank guard against reputational risks to its brand and the prospect of fines and penalties for non-compliance.

Reputational risk is the possibility that “negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions,” according to the Federal Reserve Bank of Philadelphia. “It is regarded,” the bank states, “as the greatest threat to a company’s market value.”[6]

Fines and penalties for non-compliance, in the meantime, have been surging. In 2015, the total reached $32 million for the 18 largest U.S. and European Union banks. For the first two months of 2016, the amount was $12 billion – a rate of increase more than double that of the previous year.[7]

Creating a culture of compliance

In the more than two years since the Federal Reserve Board finalized its enhanced prudential standards rule, many banks have yet to develop the risk governance and cultural framework they need to meet regulatory expectations. FinCEN’s new CDD Rule only amplifies this necessity.

The first step towards meeting those expectations is to establish what is commonly referred to as a “culture of compliance.” This means embedding core due diligence practices into an institution’s corporate culture.

Nearly all financial institutions provide some level of compliance training to their employees, but a culture of compliance goes beyond this by integrating a compliance mind-set into the bank’s everyday workflow. Doing so establishes guidelines and expectations for individual behavior across the organization, ensuring that employees are consistently informed and educated about company and regulatory policies – including the new CDD Rule.

The characteristics of such a culture can be leveraged for competitive advantage. An institution that embeds ethics into its core culture will bolster the confidence of both its clients and employees – as well as the bank’s regulators. And all of this ultimately will flow to the business’s bottom line.

How technology and managed services can help

There are a variety of offerings on the market that can support a bank’s efforts to comply with the CDD Rule, shorten its onboarding times and reduce its staffing costs:

  • Data services provide access to timely, accurate data that can help a bank confirm its customers’ identities, build a reliable picture of their business dealings and flag any suspicious transactions. These include a variety of public-record and self-certification tools that can be used to record the names, dates of birth, addresses and tax identification numbers of account holders during the onboarding process. Information sources can include local as well as international government records, media searches for adverse coverage, and hundreds of sanction, watch, regulatory and law enforcement lists.
  • Technology offerings such as analytics tools can unearth connections between different business entities, uncover hidden risks and help monitor suspicious activity. These tools also streamline the KYC process, reducing the time required for onboarding, periodic reviews and remediation where required.
  • Managed services can be used on behalf of a bank to verify its customers, screen and monitor their transactions, carry out collections and comply with the CDD Rule’s analytics and monitoring guidelines. Offerings include new risk-mitigation services that can build risk profiles of beneficial owners.

The best of these products and services can be integrated into a bank’s existing CRM system in order to facilitate case management and investigations. They will also capture case notes and discussions to help build an audit trail.

It should also be noted that no tool or service, however useful, should be deployed if it does not provide airtight security. Fortunately, many of the offerings from regulatory compliance specialists have been specially designed to protect sensitive customer and financial data.


Along with death and taxes, banks can add compliance to the basic realities of life, and FinCEN’s CDD Rule will add to this burden. However, by approaching it as an opportunity to strengthen and streamline their procedures, financial institutions can avoid costly pitfalls while improving their service levels. New compliance tools and anti-money laundering services and technologies can support these efforts and help banks burnish their brands and boost the confidence of their stakeholders.

[1] Regulatory Impact Assessment for FinCEN Notice of Proposed Rulemaking: “Customer Due Diligence Requirements for Financial Institutions.” Docket No. FinCEN-2014-0001. December 2015.
[2] McKendry, Ian. “Beneficial Ownership Plan Will Cost Banks Up to $1.5B, Treasury Says.” American Banker, Dec. 23, 2015.
[3] Ibid.
[4] Ibid.
[5] KYC: A sound principle but complex reality, 2016.
[6] Understanding Reputational Risk, William J. Brown, 2007.
[7] CPG analysis for the year 2015 and YTD 2016.

Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.