The AML “Fifth Pillar”

Professionals in the financial industry should be familiar with the Anti-Money Laundering (“AML”) rules, which have been in effect since 2003. Through the Bank Secrecy Act (“BSA”) (31 U.S.C. 5318(g)) and the USA Patriot Act, the government has been able to concentrate efforts on stopping the flow of illegal funds through the monetary world. These ill-gotten funds continue to account for world-wide terrorist financing, tax evasion and general money laundering. As AML laws have become more of a staple of financial industry regulation, so too have the acronyms KYC (“Know Your Client/Customer”), CIP (“Customer Identification Program”) and AML CO (“Anti-Money Laundering Compliance Officer”) become everyday terms. Today, firms can add CDD (“Customer Due Diligence”) and EDD (“Enhanced Due Diligence”) to that list, which together constitute the “fifth pillar” of AML compliance programs.

The Pillars

In its Notice to Members 17-40, FINRA refers to the first four pillars as the foundation of a broker-dealer’s written AML program, which include:

  • Designation of an AML CO;
  • Creating a system of internal controls;
  • Ongoing training; and
  • Independent testing.

The newest or “fifth” pillar supports the customer due diligence controls already in place (i.e., identifying and verifying who your customer is, defining the customer relationship, identifying beneficial owners and monitoring for suspicious transactions), but adds an additional focus. Specifically, the rule requires covered financial institutions [2] to adopt certain risk-based procedures to “identify and verify the identity of the beneficial owners of all legal entity customers at the time a new account is opened.” [emphasis added]

With the adoption of this rule, FINRA requires its member firms to update their AML programs to comply with these standards by May 11, 2018. This month’s JLG Risk Management Tip will review the new CDD and EDD requirements and provide practical tips and considerations for firms to implement to help comply with these new standards.

Background on the New CDD and EDD Requirements

Under the CDD rule, covered financial institutions are required to obtain information to verify the customer’s identity and assess the risk of that customer relationship. The standards set forth for EDD include a more intrusive investigation of the customer, which occurs if the CDD reveals that the customer falls into a higher risk category.

As mentioned, the fifth pillar focuses on legal entity customers. For purposes of the CDD rules, a “legal entity” is defined as a corporation, limited liability company, general partnership or other entity created by the filing of a public document with a Secretary of State or similar office or any similar entity that was formed under the laws of a foreign jurisdiction. Legal entities also include sole proprietorships and business trusts, but do not include sole proprietorships, unincorporated associations, personal trusts or natural persons.

Certain legal entities are excluded from this definition, including any financial institution regulated by a federal functional regulator and any bank regulated by a state regulator.

Risk Management Tip: If a regulated entity is required to have its own AML procedures and that institution (and not its customers) is your customer, the member firm should, as an additional internal control measure, request an attestation from that financial institution that its customers were vetted pursuant to AML laws.

Legal Entity Customers

To incorporate the fifth pillar into their AML programs, firms must design and establish written procedures to identify and verify the beneficial owners of legal entity customers. By implementing the fifth pillar, financial institutions will be better able to identify and mitigate risks, enhance AML controls and improve the reporting of suspicious activities.

To begin, firms should identify and certify the beneficial owners of the entity (which must include the natural person opening the account) and verify the accuracy of the information. Although the CDD Rule prescribes no template form, identifying information relating to each beneficial owner, such as name, social security number and other personal information, must be captured in the firm’s books and records. Many firms have chosen to adopt FinCEN’s sample certification form, as it meets the documentation requirements for the firm’s records.

Whatever protocols are used, firms must capture this risk-based procedure in the financial institution’s CIP procedures (which are generally contained within the entity’s written supervisory procedures or “WSPs”). The policy should document the CIP procedures used to verify each beneficial owner’s identity, the timing for completing the CDD (which must be within a reasonable time after the account is opened), and the internal controls in place for updating this information, as necessary, whenever a change of ownership or control occurs.

Customer Risk Profiles and Monitoring

The CDD Rule also requires a certain level of understanding of the nature and purpose of each client relationship. Consequently, the CDD rule requires organizations to develop a customer risk profile, which enables firms to distinguish questionable or suspicious activity. These profiles contain the relevant information about the nature and habits of a client that forms a baseline against which suspicious activity can be compared. Information relevant to understanding the nature and purpose of the customer relationship may be self-evident and, depending on the facts and circumstances, may include such information as the type of customer, account or service offered, and the customer’s income, net worth, domicile, or principal occupation or business, as well as, in the case of existing customers, the customer’s history of activity. [3]

Risk Management Tip: As part of the customer risk profile, consider implementing an individualized risk score to better help distinguish and capture the risk posed by a particular customer.

Once the firm develops and implements a customer risk profile system, that profile information should be used to monitor the activity of the institution’s customers in order to detect suspicious actions.

EDD for Ownership and Control Persons

EDD is required for two types of beneficial owners: those that have Ownership and those that have Control. For purposes of this rule, Ownership is defined as persons who hold a 25% or more ownership interest in the company (either directly or indirectly). If there are multiple owners but none with 25% or more ownership, firms are not required to delve any deeper. For owners at or above the 25% threshold, firms must investigate such persons’ source of income. Moreover, covered financial institutions are also responsible for determining whether a customer is acting as an agent on another’s behalf and, if so, must obtain information about that principal.

For non-publicly traded legal entities (such as trusts or foundations), firms must obtain information about the structure and ownership in order to determine if the customer account should be labeled a heightened risk. For example, if a new account opener is a trustee, the firm must obtain information about the trust structure (i.e., living trust, irrevocable trust, etc.) as well as the source of funds and any persons or entities that control such funds or have the power to remove or change trustees.

A Control person is one who has significant management responsibility and can “control” the direction of the legal entity. Generally, this involves “C-Level” executives, including the CEO, CFO, CCO, COO and Managing Directors (or their equivalents). Information relating to these risk profiles must be obtained, maintained and monitored.


The addition of the fifth pillar may create more documentation because of its deeper dive into due diligence, but in return it offers better risk profiling for covered institutions. In turn, this additional requirement assists in the regulation and investigation of ill-sourced funds. Every year, FINRA’s priority letter lists AML as a prime target for examiners and enforcement. Firms should take heed of the fifth pillar’s intent and assess whether staff are sufficiently trained, independent reviews are completed in a timely manner, and AML policies and procedures are updated and adequately designed to fulfill the requirements set forth by the new CDD and EDD rules.

For more information on this and other risk mitigation approaches, please contact Jacko Law Group, PC at (619) 298-2880 or at

Author: Michelle L. Jacko, Esq., Firm Managing Partner, and David Sobel, FINRA Specialist; Editor: Jacko Law Group, PC. JLG works extensively with investment advisers, broker-dealers, investment companies, hedge funds, banks and corporate clients on securities and corporate counsel matters.

The information contained in this article may contain information that is confidential and/or protected by the attorney-client privilege and attorney work product doctrine. This email is not intended for transmission to, or receipt by, any unauthorized persons. Inadvertent disclosure of the contents of this article to unintended recipients is not intended to and does not constitute a waiver of attorney-client privilege or attorney work product protections.

The Risk Management Tip is published solely based on the interests and relationship between the clients and friends of the Jacko Law Group P.C. (“JLG”) and should in no way be construed as legal advice. The opinions shared in the publication reflect those of the authors, and not necessarily the views of JLG. For more specific information on recent industry developments or particular situations, you should seek a legal opinion or counsel.

You hereby are notified that any review, dissemination or copying of this message and its attachments, if any, is strictly prohibited. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions.

[1] See

[2] A covered financial institution is defined as an insured bank, a commercial bank, a trust company, a broker or dealer registered (or required to be registered) with the SEC, a mutual fund and others as defined in 31 CFR 1010.605(e) of the USA Patriot Act as found at

[3] See CDD Rule Release at 29422.
