In order to understand the money laundering risks they face, banks, other financial institutions, and obligated financial service providers must verify the identities of their customers and the nature of the business in which those customers are involved. The process of establishing customer identities is known as customer due diligence (CDD).
What is Customer Due Diligence?
Customer Due Diligence (CDD) is the act of collecting identifying information to verify a customer’s identity and more accurately assess the level of criminal risk they present. At a basic level, CDD requires firms to collect a customer’s name and address, information about the business in which they are involved, and how they will use their account. In order to ensure that customers are being honest, companies should then verify that information with reference to official documents such as driving licenses, passports, utility bills, and incorporation documents.
CDD is a foundation of the Know Your Customer (KYC) process, which requires companies to understand who their customers are, their financial behavior, and what kind of money laundering or terrorism financing risk they present. All Financial Action Task Force (FATF) member states must implement CDD requirements as part of their domestic AML/CFT legislation – as set out in Recommendation 10 of the FATF’s 40 Recommendations.
Customer Due Diligence Basics
Customer Due Diligence involves the following basic regulatory obligations:
- Customer Identification: Companies must identify their customers by obtaining personal information and data, including name, photographic ID, address, and birth certificate, from a reliable, independent source.
- Beneficial Ownership: When a company or third party is acting on behalf of someone else, companies should seek to establish the ultimate beneficial owner (UBO): the individual(s) who ultimately benefit from the activities of the customer, whether that customer is a single person or a group of persons.
- Business Relationship: In addition to personal and beneficial ownership identification, companies must also establish the nature and purpose of the business relationship into which they are entering with the customer.
When is CDD Required?
Institutions should implement KYC/AML and CDD measures under the following circumstances:
Customer Due Diligence Checklist
Following FATF guidance, companies should implement risk-based CDD measures that reflect the specific level of AML/CFT risk that individual customers present. Risk-based due diligence allows companies to balance their compliance obligations against their budget and resource constraints while preserving the customer experience. Under a risk-based approach, firms may deploy faster and more efficient CDD for low-risk customers, and slower, more intensive enhanced due diligence (EDD) for high-risk customers – which may entail negative effects on the customer experience.
With that in mind, an effective CDD process should involve the following steps:
1. Establish the identity of the customer
Prior to beginning a business relationship, companies should establish the identity and business activities of their new potential customer, with the goal of identifying bad actors as early as possible.
2. Secure the information
Once a customer has been identified to a sufficient degree of confidence, companies should categorize their risk level. This information should be stored in a digitally secure location where it can be easily accessed for future regulatory checks.
3. Consider third party CDD
FATF standards permit companies to engage third parties to carry out Customer Due Diligence processes on their behalf, including the verification of customer identities, beneficial ownerships, and the nature of business relationships. Third parties may also provide CDD record-keeping facilities.
It is important to remember that regulatory responsibility for CDD remains with the company rather than the third party. Accordingly, companies should ensure that their CDD service provider fulfills certain compliance criteria, and is able to:
- Meet the compliance standards set out in FATF Recommendation 10
- Make copies of CDD data available upon request
- Meet FATF record-keeping requirements
- Meet location-based regulatory compliance standards
4. Determine if EDD measures are needed
After establishing a customer’s risk category, companies should determine whether more intensive enhanced due diligence measures are needed.
Under a risk-based approach to compliance, high-risk customers should be subject to enhanced due diligence (EDD). Examples of high-risk customers include politically exposed persons (PEPs) and customers that are the target of economic sanctions. Intended to give companies a deeper understanding of their customers’ AML/CFT risk, EDD measures generally involve a more intensive level of CDD scrutiny, including requirements to:
- Obtain additional customer identification materials
- Establish the source of funds or wealth
- Apply closer scrutiny to the nature of the business relationship or purpose of a transaction
- Implement ongoing monitoring procedures
5. Maintain CDD Records
CDD regulations typically include a requirement for companies to maintain records of the information they collect for at least five years. This includes copies of all identification documents (driving licenses, passports, birth certificates, etc.) and business documentation. Companies should be able to comply quickly and efficiently with requests for records from competent authorities, and enable those authorities to reconstruct individual transactions, including details of the amounts of money and types of currency involved.
What is Ongoing Monitoring?
Ongoing monitoring refers to the continuous scrutiny of business relationships to ensure that information about customers and their risk rating remains up to date. This process matters because, while individual transactions may not initially appear suspicious, over an extended period they may reveal a pattern of behavior that necessitates a change to a customer’s risk profile. Ongoing monitoring involves:
- Monitoring transactions throughout the course of a business relationship to ensure a client’s risk profile matches their behavior.
- Maintaining responsiveness to any changes in risk profile, or any factors which might raise suspicion.
- Keeping relevant records, documents, data, and information that may be needed for CDD purposes.
Ongoing monitoring should apply to all business relationships but, like other CDD measures, may be scaled to reflect the customer’s risk profile.
Reporting Suspicious Transactions
Where CDD measures create suspicion or reasonable grounds to suggest that a customer is involved in criminal activity, companies must report that information in a timely manner to their jurisdiction’s financial intelligence unit (FIU), via a suspicious activity report (SAR).
AML/CFT legislation includes measures that protect employees, company directors, and officers from any criminal and civil liability incurred by disclosing suspicious activity to the authorities in good faith. Following FATF standards, that protection is applied regardless of contractual, legislative, or administrative provisions and “even if the reporting parties did not know precisely what the underlying criminal activity was, and regardless of whether the illegal activity actually occurred”.
Similarly, employees, company directors, and officers are prohibited from tipping off customers that a SAR has been filed against them.
Technology and Expertise for an Effective Customer Due Diligence Process
Ultimately, effective CDD and KYC measures are built on a combination of technology and expertise. As risk profiles and criminal threats evolve, financial institutions must be prepared to be as flexible and innovative with their approach to CDD as any other aspect of their AML/CFT policy.
With a robust AML KYC solution that screens against the world’s only real-time risk database of people and companies, firms can enhance their CDD process and exceed regulatory requirements. When continuously monitoring a business relationship, firms should ensure they have autonomous systems in place that refresh entity profiles within minutes of a change, so that a customer who becomes subject to sanctions or adverse media is flagged promptly.
While technology provides useful tools to facilitate CDD processes, human vigilance remains vital to spotting and addressing new threats.
Originally published 24 June 2019, updated 27 February 2023