In order to understand the money laundering risks that they face, banks, financial institutions, and obligated financial service providers must verify the identities of their customers and the nature of the business in which they are involved. The process of establishing customer identities is known as customer due diligence (CDD).
Customer Due Diligence (CDD) is the act of collecting identifying information to verify a customer’s identity and more accurately assess the level of criminal risk they present. At a basic level, CDD requires firms to collect a customer’s name and address, information about the business in which they are involved, and how they will use their account. In order to ensure that customers are being honest, companies should then verify that information with reference to official documents such as driving licenses, passports, utility bills, and incorporation documents.
CDD is a foundation of the Know Your Customer (KYC) process, which requires companies to understand who their customers are, their financial behavior, and what kind of money laundering or terrorism financing risk they present. All Financial Action Task Force (FATF) member states must implement CDD requirements as part of their domestic AML/CFT legislation – as set out in Recommendation 10 of the FATF’s 40 Recommendations.
Customer Due Diligence involves the following basic regulatory obligations:
Institutions should implement KYC/AML and CDD measures under the following circumstances:
Following FATF guidance, companies should implement risk-based CDD measures that reflect the specific level of AML/CFT risk that individual customers present. Risk-based due diligence is a way for companies to balance their compliance obligations with their budget and resource requirements and preserve customer experiences. Under a risk-based approach, firms may deploy faster and more efficient CDD for low risk customers, and slower, more intensive, enhanced due diligence (EDD) for high risk customers – which may entail negative effects on customer experiences.
With that in mind, an effective CDD process should involve the following steps:
Prior to beginning a business relationship, companies should establish the identity and business activities of their new potential customer, with the goal of identifying bad actors as early as possible.
Once a customer has been identified to a sufficient degree of confidence, companies should categorize their risk level. This information should be stored in a digitally secure location where it can be easily accessed for future regulatory checks.
FATF standards permit companies to engage third parties to carry out Customer Due Diligence processes on their behalf, including the verification of customer identities, beneficial ownerships, and the nature of business relationships. Third parties may also provide CDD record-keeping facilities.
It is important to remember that regulatory responsibility for CDD remains with the company rather than the third party. Accordingly, companies should ensure that their CDD service provider fulfills certain compliance criteria, and is able to:
After establishing a customer’s risk category, companies should determine whether more intensive enhanced due diligence measures are needed.
Under a risk-based approach to compliance, high risk customers should be subject to enhanced due diligence (EDD). Examples of high risk customers include politically exposed persons (PEPs) and customers that are the target of economic sanctions. Intended to give companies a deeper understanding of their customers’ AML/CFT risk, EDD measures generally involve a more intensive level of CDD scrutiny, including requirements to:
CDD regulations typically include a requirement for companies to maintain records of the information they collect for at least five years. This includes copies of all identification documents (driving licenses, passports, birth certificates, etc.) and business documentation. Companies should be able to comply quickly and efficiently with requests for records from competent authorities, and enable those authorities to reconstruct individual transactions, including details of the amounts of money and types of currency involved.
Ongoing monitoring refers to the continuous scrutiny of business relationships to ensure that information about customers and their risk rating is up-to-date. This process matters because, while occasional transactions may not initially present as suspicious, they may reveal a pattern of behavior over an extended period of time which necessitates a change to a customer’s risk profile. Ongoing monitoring involves:
Ongoing monitoring should apply to all business relationships but, like other CDD measures, may be scaled to reflect the customer’s risk profile.
Where CDD measures create suspicion or reasonable grounds to suggest that a customer is involved in criminal activity, companies must report that information in a timely manner to their jurisdiction’s financial intelligence unit (FIU), via a suspicious activity report (SAR).
AML/CFT legislation includes measures that protect employees, company directors, and officers from any criminal and civil liability incurred by disclosing suspicious activity to the authorities in good faith. Following FATF standards, that protection is applied regardless of contractual, legislative, or administrative provisions and “even if the reporting parties did not know precisely what the underlying criminal activity was, and regardless of whether the illegal activity actually occurred”.
Similarly, employees, company directors, and officers are prohibited from tipping off customers that a SAR has been filed against them.
Ultimately, effective CDD and KYC measures are built on a combination of technology and expertise. As risk profiles and criminal threats evolve, financial institutions must be prepared to be as flexible and innovative with their approach to CDD as any other aspect of their AML/CFT policy.
With a robust AML KYC solution that screens against the world’s only real-time risk database of people and companies, firms can enhance their CDD process and exceed regulatory requirements. When continuously monitoring a business relationship, firms should ensure they have autonomous systems in place that refresh entity profiles within minutes of a change, in case a customer becomes subject to sanctions or adverse media.
While technology provides useful tools to facilitate CDD processes, human vigilance remains vital to spotting and addressing new threats.
Originally published 24 June 2019, updated 27 February 2023
Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.
Copyright © 2023 IVXS UK Limited (trading as ComplyAdvantage).