Beneficial Ownership Requirements Under BSA & AML Laws

Introduction

Financial institutions onboarding legal entity customers face a critical compliance obligation under BSA/AML law: identifying and verifying the individuals who ultimately own or control those entities — known as beneficial owners. Failure to collect and maintain this information is one of the most common triggers for regulatory enforcement actions. FinCEN assessed a record $1.3 billion penalty against TD Bank in 2024, noting the bank "failed to implement and maintain appropriate risk-based customer due diligence (CDD) procedures, which significantly impeded the Bank's ability to understand their customer base and associated risks."

This article covers what every fintech, bank, and money transmitter needs to know — from how the two-prong test works to which entities are exempt and what ongoing obligations follow account opening.

TLDR

  • Covered financial institutions must identify natural persons owning 25%+ of a legal entity customer (ownership prong) and the individual with significant management control (control prong).
  • The rule applies at account opening for legal entity customers and is codified under 31 CFR 1010.230 (FinCEN's CDD Rule).
  • Collect four data points per beneficial owner: name, date of birth, address, and government identification number.
  • Retain records for five years after account closure; update beneficial ownership when risk-relevant events occur, not on automatic periodic schedules.
  • Certain entity types — including publicly traded companies and regulated financial institutions — are excluded from this requirement.

What Is Beneficial Ownership Under BSA/AML Laws?

Beneficial ownership in the BSA/AML context refers to the natural persons who ultimately own or exercise significant control over a legal entity customer that opens an account at a covered financial institution. This differs fundamentally from nominal or registered owners. Shell companies and layered ownership structures are frequently used to conceal the true identity of account controllers — which is why regulators require disclosure of beneficial owners at account opening.

FinCEN's Customer Due Diligence (CDD) Final Rule, codified at 31 CFR 1010.230, made beneficial ownership identification a mandatory pillar of BSA/AML compliance for covered financial institutions starting May 11, 2018. The rule added beneficial ownership as the fifth pillar of AML programs, alongside:

  • Customer Identification Programs (CIP)
  • Customer due diligence (CDD)
  • Suspicious activity monitoring
  • Record retention

Regulators require this because legal entities — corporations, LLCs, partnerships — can obscure who is actually profiting from or directing illicit financial activity. As the 2016 Federal Register notice stated: "The abuse of legal entities to disguise involvement in illicit financial activity is a longstanding vulnerability that facilitates crime, threatens national security, and jeopardizes the integrity of the financial system."

Requiring beneficial owner disclosure makes it harder for money launderers and sanctions evaders to exploit opaque corporate structures. The collected data also directly supports SAR filing decisions and OFAC screening.

One point worth clarifying: FinCEN's CDD rule is often confused with a separate, newer obligation — the Corporate Transparency Act (CTA).

Critical Distinction: The CDD rule under 31 CFR 1010.230 governs what financial institutions must collect from their customers. The CTA governs what companies must self-report directly to FinCEN's national BOI database. These are parallel but distinct requirements. The BOI Access Rule explicitly states: "the Access Rule does not necessitate changes to BSA/AML compliance programs designed to comply with existing BSA requirements, such as the 2016 CDD Rule." The BOI reporting obligation has faced legal challenges and regulatory pauses — but the CDD beneficial ownership rule for banks and fintechs remains fully in effect.

The Two-Prong Test: Ownership Prong and Control Prong

Every legal entity customer opening a new account must be evaluated under both prongs. The FFIEC BSA/AML Examination Manual confirms: "Therefore, all legal entity customers will have a total of between one and five beneficial owner(s) – one individual under the control prong and zero to four individuals under the ownership prong." A single person can satisfy both prongs simultaneously.

Ownership Prong

The ownership prong captures any natural person who directly or indirectly owns 25% or more of the equity interests of a legal entity customer. There can be zero to four such individuals, since four people at 25% each equals 100%. If no individual meets the threshold, no beneficial owner need be identified under this prong.

Indirect ownership chains must be calculated. A person who owns 60% of a holding company that owns 50% of the customer entity effectively owns 30% of the customer and qualifies. This calculation catches individuals who hide behind layered structures.

Special rule for trusts: If a trust directly or indirectly owns 25% or more of a legal entity customer's equity, the trustee is treated as the beneficial owner for purposes of the ownership prong.

Financial institutions may apply a lower threshold (for example, 10%) if their risk assessment indicates heightened risk for a particular customer or customer segment. FinCEN FAQs explicitly endorse this approach: "A covered financial institution may choose, however, to collect such information on natural persons who own a lower percentage of the equity interests of a legal entity customer... based on the financial institution's own assessment of its risk relating to its customer." Examiners routinely scrutinize whether institutions applied a lower threshold for high-risk customer segments.
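The indirect-ownership calculation and the optional lower threshold described above, as an added example that is not part of the original article: stakes are multiplied along each ownership path and summed across paths, then compared against the threshold. The `person:` prefix, the entity names and the stake figures are constructed for illustration, and the trustee rule is not modelled.

```python
from collections import defaultdict

# Constructed sample cap table: (owner, owned entity, equity fraction).
# Names are hypothetical; the "person:" prefix marks a natural person.
SAMPLE_STAKES = [
    ("person:alice", "HoldCo A", 0.60),
    ("HoldCo A", "Customer LLC", 0.50),
    ("person:bob", "Customer LLC", 0.15),
    ("person:bob", "HoldCo B", 0.40),
    ("HoldCo B", "Customer LLC", 0.30),
    ("person:carol", "HoldCo B", 0.60),
    ("person:dave", "Customer LLC", 0.05),
]


def effective_ownership(stakes, customer):
    """Return {natural person: effective fraction of `customer`}.

    Multiplies stakes along each ownership path and sums across paths.
    """
    owners_of = defaultdict(list)
    for owner, entity, fraction in stakes:
        if not 0.0 < fraction <= 1.0:
            raise ValueError(f"bad stake {owner}->{entity}: {fraction}")
        owners_of[entity].append((owner, fraction))

    totals = defaultdict(float)

    def walk(entity, weight, path):
        for owner, fraction in owners_of[entity]:
            if owner in path:
                # A loop in the structure cannot be resolved by multiplication;
                # surface it for manual review instead of recursing forever.
                raise ValueError(f"circular ownership via {owner}")
            share = weight * fraction
            if owner.startswith("person:"):
                totals[owner] += share
            else:
                walk(owner, share, path | {owner})

    walk(customer, 1.0, frozenset({customer}))
    return dict(totals)


def ownership_prong(stakes, customer, threshold=0.25):
    """Natural persons at or above the threshold, largest stake first."""
    eff = effective_ownership(stakes, customer)
    # Round to 4 places so float noise does not flip a borderline result.
    hits = [(p, round(f, 4)) for p, f in eff.items() if round(f, 4) >= threshold]
    return sorted(hits, key=lambda item: -item[1])
```

In the sample, Bob's direct 15% stake would not qualify on its own; only the aggregated 27% does, which is the case a direct-holdings-only check misses.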

Control Prong

The control prong requires identifying exactly one individual with significant responsibility to control, manage, or direct the legal entity. This includes:

  • Senior executives: CEO, CFO, COO, President, or Treasurer
  • Managing Member or General Partner
  • Any individual who regularly performs equivalent functions

Unlike the ownership prong, the control prong always yields at least one beneficial owner; it is mandatory for every legal entity customer.

The control prong is not about equity. A person with no ownership stake but who directs day-to-day operations and financial decisions qualifies. Conversely, a large shareholder who exercises no management role satisfies only the ownership prong.

[Figure: Two-prong beneficial ownership test, comparing the ownership prong with the control prong]

Collecting and Verifying Beneficial Ownership Information

For each beneficial owner, institutions must collect at minimum:

  • Full legal name
  • Date of birth
  • Residential or business address
  • Identification number (SSN/TIN for U.S. persons; passport number, alien ID card, or other government-issued ID number for non-U.S. persons)

This information is typically gathered via a certification form. The individual opening the account signs it on behalf of the legal entity and certifies its accuracy.

Verification Procedures

Institutions must establish written, risk-based procedures to verify each beneficial owner's identity within a reasonable period after account opening. The rule explicitly permits photocopies of government-issued ID for documentary verification. Non-documentary methods include:

  • Cross-checking information through third-party databases
  • Contacting the beneficial owner directly
  • Checking references
  • Reviewing financial statements

Institutions don't need to verify every element — they must establish a reasonable belief in each beneficial owner's true identity.

Multiple Accounts and Existing Customers

If a legal entity opens multiple accounts, the institution does not need to re-collect beneficial ownership information each time. The FFIEC Manual states: "If a legal entity customer opens multiple accounts a bank may rely on the pre-existing beneficial ownership records it maintains, provided that the bank confirms (verbally or in writing) that such information is up-to-date and accurate at the time each account is opened."

The same principle applies when an individual named as a beneficial owner is already an existing customer. The institution may rely on previously collected CIP records, provided the information is current and the entity's representative confirms its accuracy.

When Verification Fails

Institutions must have documented procedures for scenarios where identity cannot be confirmed. These procedures should specify:

  • Conditions under which an account should not be opened
  • Terms for allowing limited account activity while verification is pending
  • When the account should be closed
  • When a Suspicious Activity Report (SAR) must be filed

The FFIEC Manual notes: "bank staff who know, suspect, or have reason to suspect that equity holders are attempting to avoid the reporting threshold may, depending on the circumstances, be required to file a SAR."

Which Entities Must Comply — and Which Are Exempt?

Covered financial institutions under the rule include:

  • Banks, credit unions, savings associations
  • Mutual funds
  • Brokers or dealers in securities
  • Futures commission merchants
  • Introducing brokers in commodities

Fintech companies operating under bank partnerships or holding their own licenses may also fall within scope depending on their regulatory classification. However, money services businesses (MSBs) and money transmitters are not "covered financial institutions" under 31 CFR 1010.230.

[Figure: List of covered financial institutions under the BSA CDD Rule beneficial ownership requirements]

BaaS Models: Sponsor Bank Responsibility

While fintech partners may not directly bear the obligation, sponsor banks in Banking-as-a-Service arrangements retain full regulatory responsibility. The 2024 OCC/FDIC/FRB Joint Statement is explicit: "The bank also remains responsible for its various other compliance requirements, such as Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) compliance program requirements."

In practice, this means sponsor banks must ensure their fintech partners facilitate strict beneficial ownership compliance — not assume the partner handles it independently.

Not every entity opening an account triggers collection requirements. The following are excluded entity types (not subject to beneficial ownership collection):

  • Federally or state-regulated financial institutions
  • Publicly traded companies listed on major U.S. exchanges and their majority-owned domestic subsidiaries
  • SEC-registered investment companies and advisers
  • CFTC-registered entities
  • State-regulated insurance companies
  • Government departments and agencies
  • Non-U.S. governmental bodies engaged solely in governmental activities

Beyond full exclusions, some entities receive partial exemptions — the ownership prong doesn't apply, but the control prong still does:

  • Pooled investment vehicles operated by non-excluded financial institutions
  • Nonprofit corporations that have filed organizational documents with state authorities

Certain account types are also exempt from beneficial ownership collection, regardless of the legal entity involved:

  • Point-of-sale credit products up to $50,000
  • Postage financing
  • Insurance premium financing
  • Equipment financing

These exemptions fall away if the account allows third-party payments or carries any possibility of cash refunds.

Ongoing Monitoring, Updates, and Recordkeeping

Updating beneficial ownership information is a risk-driven obligation, not a calendar-driven one. FinCEN's 2020 guidance is explicit on this point:

"There is no categorical requirement that financial institutions update customer information on a continuous or periodic schedule. The requirement to update customer information is risk based and occurs as a result of normal monitoring."

If a financial institution becomes aware of information suggesting a change in ownership, a shift in control, or other facts that would materially affect the customer's risk profile, it must collect updated information and re-verify accordingly. A simple address change may require only an update; a change in ownership requires a new certification and verification.

Five-Year Recordkeeping Requirement

Institutions must retain:

  • All identifying information collected
  • The certification form (if used)
  • A description of any documents relied upon for verification
  • Results of non-documentary verification methods
  • Records of how any discrepancies were resolved

All records must be kept for five years following account closure.

[Figure: Five-year beneficial ownership recordkeeping requirements checklist for financial institutions]

Reliance on Another Institution

A financial institution may rely on another covered financial institution to satisfy the beneficial ownership requirements, provided:

  • The reliance is reasonable
  • The relied-upon institution is subject to an AML program requirement under 31 USC 5318(h)
  • It is regulated by a federal functional regulator
  • The institutions have entered into a written agreement certifying annual AML program compliance

Building a Compliant Beneficial Ownership Program

Every covered institution needs these core program components:

Written beneficial ownership procedures integrated into the AML program that specify:

  • How to identify and verify beneficial owners under both prongs
  • Risk-based verification methods
  • Account opening decision criteria
  • SAR-filing triggers related to beneficial ownership

Certification form and collection process that captures:

  • All four data elements for each beneficial owner
  • Signature and date from the entity representative
  • Documentation of verbal or written confirmation when relying on existing records

Documented risk-based verification methods that detail:

  • When documentary verification is sufficient
  • When non-documentary methods are required
  • Acceptable documents and databases
  • Verification timeframes

Policies for handling unverifiable identities:

  • Account opening restrictions
  • Limited activity provisions
  • Account closure criteria
  • SAR filing requirements

Monitoring trigger framework defining:

  • Risk events requiring beneficial ownership updates
  • Who is responsible for identifying triggers
  • Documentation requirements
  • Re-verification procedures

Recordkeeping procedures with defined retention timelines and systems.

[Figure: Six core components of a compliant beneficial ownership AML program framework]

Common Implementation Failures

Fintechs and early-stage banks frequently make these mistakes:

  • Collecting ownership data without calculating indirect ownership chains correctly — missing beneficial owners hidden behind holding companies
  • Failing to refresh beneficial ownership on account renewals or rollovers — treating these as "existing accounts" when they trigger new collection obligations
  • Applying the ownership prong exemptions too broadly — misclassifying entity types or account types
  • Lacking a documented risk-based rationale for when a lower-than-25% threshold applies — applying stricter standards inconsistently

These gaps are rarely accidental — they reflect the resource constraints that growth-stage companies face when compliance ownership is unclear or spread thin.

For growth-stage fintechs, money transmitters, and embedded finance companies without a dedicated BSA compliance officer, building a sound beneficial ownership program requires more than a template. Fraxtional provides fractional BSA Officer services, giving companies direct access to experienced compliance leadership. That means designing and implementing beneficial ownership procedures, preparing for regulatory examinations, and sustaining program effectiveness — without the overhead of a full-time hire.

Frequently Asked Questions

What is beneficial ownership in anti-money laundering?

Beneficial ownership in AML is the requirement for covered financial institutions to identify the natural persons who ultimately own or control a legal entity customer — capturing both equity holders above the 25% threshold and the individual with significant managerial control — as part of their customer due diligence obligations under BSA/AML law. This applies at account opening and must be updated when relevant changes occur.

Is BOI no longer required for FinCEN?

BOI reporting under the Corporate Transparency Act has faced legal challenges and regulatory pauses. That is separate from the BSA/AML beneficial ownership rule under 31 CFR 1010.230, which requires financial institutions to collect ownership information from legal entity customers at account opening. That obligation remains fully in force.

What is BSA and AML compliance?

The BSA (Bank Secrecy Act) is the primary U.S. law requiring financial institutions to maintain records and file reports to detect and prevent money laundering. AML refers to the broader framework of policies and controls — including beneficial ownership collection, SAR filing, and transaction monitoring — institutions must implement to comply.

Who qualifies as a beneficial owner under the 25% ownership rule?

Any natural person who directly or indirectly owns 25% or more of a legal entity's equity interests qualifies under the ownership prong. Indirect stakes held through holding companies or intermediate entities must be calculated and aggregated when determining whether the threshold is met.

How long must beneficial ownership records be retained under BSA rules?

Financial institutions must retain all beneficial ownership identification and verification records — including the certification form, documents relied on, verification results, and discrepancy resolutions — for a minimum of five years after the date the account is closed.

What happens if a financial institution cannot verify a beneficial owner's identity?

Institutions must have documented procedures covering three scenarios:

  • Declining or limiting account opening when verification fails upfront
  • Closing an existing account after repeated failed verification attempts
  • Filing a Suspicious Activity Report (SAR) with FinCEN when circumstances warrant