If you haven’t prioritized your customer due diligence (CDD) processes, it’s time to change that. According to Forbes, financial institutions that didn’t take their compliance and anti-money laundering (AML) due diligence checks as seriously as they should have were fined a total of $2.7 billion in 2021. The scary thing is, some of the offenders were large, well-known institutions such as Deutsche Bank and Capital One.
In the case of Capital One, the U.S. Department of Treasury's Financial Crimes Enforcement Network (FinCEN) fined them $390 million for failing to submit suspicious activity reports when they knew that one of their customers was involved in criminal activity. This is a lesson for us all — the government won’t hold back when it comes to CDD. But don’t worry. We’re here to tell you what CDD is, when you need it, and how it works.
What Is Customer Due Diligence (CDD)?
Customer due diligence (CDD) is also known as “know your customer” (KYC) methodology. It’s a way of assessing the risk a new customer poses to your business, and more generally their exposure to illegal activities and financial crimes like money laundering, fraud, bribery, corruption, and terrorist financing.
Customer due diligence is where you run checks to verify the identity of your customer. It’s the process of analyzing and investigating them to make sure they are safe to do business with. As part of your CDD process, you may do standard, simple checks where the customer is low-risk to you. Or, you may have to do enhanced due diligence once you establish that the client is high-risk.
CDD became a big deal four years after the 1929 stock market crash, when it was decided that there needed to be some transparency in the financial markets so that companies would be careful about who they got involved with. In many cases, CDD is now a regulatory requirement.
When Do You Need CDD?
The Financial Action Task Force (FATF) says that financial institutions need to do CDD when they are:
1. Creating new business relations.
2. Involved in transactions above USD/EUR 15,000 or where they involve high-risk foreign countries.
3. Suspicious of money laundering or terrorist financing.
4. Doubtful of whether the customer identification data is adequate or not.
A financial institution is any company that is involved in money exchange, lending, financial leasing, investing, trading, and many other business activities. It’s worth checking out the FATF’s definition to see if you fall into this category.
4 Steps to Complete CDD
You don’t want to be the next victim of money laundering, let alone the next recipient of a hefty government fine, that’s for sure. So let’s talk about how you should do CDD to stay in line with the regulations.
According to the Customer Due Diligence Final Rule, there are some main requirements for CDD:
1. Identify and Verify Your Customers
Before beginning any kind of potential customer relationship, you need to start by verifying their identity.
Different processes will be needed depending on whether your customer is an individual or a company. If they are an individual, unless they hold a high political position (a politically exposed person, or PEP for short), they will likely be lower risk. Of course, you can double-check that they are not under investigation or facing criminal charges by searching online yourself or through an independent platform such as Accuity World Compliance.
The first step is to ask them for identification such as a passport or driving license showing their full name, a picture, date of birth, address, and nationality. You can also request proof of address to confirm they are who they say they are. You could use identity verification software to automatically find and check a new customer’s identity. This helps ensure checks are secure and improves the customer experience because it’s more streamlined. It saves you a whole load of time and resources too.
If the customer is a company, the FATF says that you need to take reasonable steps to identify the ultimate beneficial owner (UBO) of the company. An ultimate beneficial owner is any individual that owns more than 25% of the company.
You need this customer information to know who is controlling your client’s company. Your customer could be owned by a company that operates in a high-risk jurisdiction where AML checks are not required. This could mean that they don’t meet your standards, and you could be aiding them in committing financial crimes without even knowing it.
FinCEN has a 330-page rule which won’t actually come into effect until January 2024 but is worth knowing about. FinCEN is tightening the rules surrounding ultimate beneficial ownership after saying it’s getting too easy for bad actors to launder money through shell companies. There will be a few changes enforced, but notably, more companies will need to report UBO information, including LLPs, business trusts, LPs, and LLCs.
You can find out who owns your customer company by asking your point of contact for company incorporation documents, a hierarchy chart, or shareholder documents confirming who holds percentages in the company. You can also do your own checks on EDGAR, the SEC website that has company filings where you can get legal entity information.
Don’t forget to store all the information you gather about your customer in a secure place where it can be accessed by the staff who need it and easily referred to if you face a regulatory audit. Remember, a failure to show you’re compliant with CDD measures can lead to serious consequences.
2. Get to Know the Purpose of Your Customer Relationships
To be able to work out the risk level of your customer, you need to know what the business relationship will look like. Ask questions like: What are you doing for the customer? Are you advising them on regulatory requirements, or are you acting on their behalf? Is it a one-off transaction or a long-term relationship? Is the relationship virtual or face-to-face? What type of business activities are they involved in? Do they operate in high-risk sectors like gambling?
3. Create Customer Risk Profiles
Once you have identified your customers and the purpose and nature of your relationship with them, the next step is to create customer risk profiles. First, you’ll need to define risk categories and assign a score to each risk level. A risk assessment then places each customer against those categories.
The FATF says that some customers pose a higher risk of money laundering or terrorist financing, such as non-resident customers, cash-intensive businesses, or customers from countries subject to sanctions. Lower-risk customers may include financial institutions, which are subject to rigorous checks by their regulator, or public companies listed on a stock exchange.
You can conduct a risk assessment once you’ve gathered all relevant customer information. Then, you can score your customer on factors like PEP involvement, the industry/sector they operate in, country of origin/nationality, sanctions, the nature of the business relationship, and whether they have attracted any negative press attention that could cause reputational harm.
If your customer risk profile shows that you have a high-risk customer on your hands, your customer due diligence process should involve enhanced due diligence (EDD) checks. This helps you investigate further to work out whether the customer is safe to do business with.
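The UBO walk from step 1 and the scoring from step 3, as an added example that is not part of the original article: it multiplies ownership percentages along each chain of holding companies to find natural persons above the 25% threshold, then scores the customer on the factors listed above and flags when EDD should follow. Every entity, person, country code, weight and the EDD cut-off is a constructed placeholder, not a real company or a regulator's scoring scheme.

```python
# Added example, not the article's own code; all names and scores are constructed.
UBO_THRESHOLD = 25.0          # percentage stake quoted in the article
HIGH_RISK_COUNTRIES = {"XX"}  # placeholder code, not a real jurisdiction
EDD_THRESHOLD = 3             # score at which EDD is triggered (assumption)

# Ownership graph: entity -> {direct owner: percentage}. Keys are companies;
# any owner that is not a key is treated as a natural person.
OWNERSHIP = {
    "AcmeClient Ltd": {"Holdco A": 60.0, "Jane Doe": 40.0},
    "Holdco A": {"Offshore B": 50.0, "John Roe": 50.0},
    "Offshore B": {"Ivan Nobody": 100.0},
}
PERSONS = {  # constructed PEP status and nationality per natural person
    "Jane Doe": {"pep": False, "country": "GB"},
    "John Roe": {"pep": True, "country": "GB"},
    "Ivan Nobody": {"pep": False, "country": "XX"},
}

def effective_ownership(entity, ownership=OWNERSHIP, max_depth=10):
    """Sum each natural person's indirect stake by multiplying along chains."""
    totals = {}
    def walk(node, share, depth):
        if depth > max_depth:        # guard against circular holdings
            return
        for owner, pct in ownership.get(node, {}).items():
            stake = share * pct / 100.0
            if owner in ownership:   # intermediate company: keep walking
                walk(owner, stake, depth + 1)
            else:                    # natural person: accumulate
                totals[owner] = totals.get(owner, 0.0) + stake
    walk(entity, 100.0, 0)
    return totals

def find_ubos(entity):
    """Natural persons whose aggregate stake exceeds the UBO threshold."""
    return {p: s for p, s in effective_ownership(entity).items() if s > UBO_THRESHOLD}

def risk_score(entity, customer_factors, persons=PERSONS):
    """Score on the article's factors: PEP / high-risk country per UBO, plus
    customer-level sanctions, sector and adverse-media flags."""
    score = 0
    for person in find_ubos(entity):
        score += 3 if persons[person]["pep"] else 0
        score += 3 if persons[person]["country"] in HIGH_RISK_COUNTRIES else 0
    weights = {"sanctioned": 5, "high_risk_sector": 2, "adverse_media": 1}
    score += sum(w for k, w in weights.items() if customer_factors.get(k))
    return score

def needs_edd(entity, customer_factors):
    return risk_score(entity, customer_factors) >= EDD_THRESHOLD
```

In the constructed graph, "Ivan Nobody" never appears on the client's own share register yet still reaches 30% through two holding companies, which is exactly the case the article warns about.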
4. Do Continuous Monitoring and Maintain Records
All risk management processes should include ongoing monitoring, meaning continuous surveillance of business relationships. The reality is that things change. Companies that were once low-risk can become higher-risk customers. Perhaps they get taken over by a UBO who is a PEP, or the country they are based in is added to a sanctions list.
This is why you should monitor your customer relationships and keep their customer risk profiles up to date. This includes recording updated information such as a change of address, a change in the nature of the business, new UBOs, or new majority shareholders. If anything changes, update your risk assessment. This may involve asking your customer for additional information to make sure all your records are accurate.
Depending on whether you consider a customer high or low risk, you may do another risk assessment six, 12, 18, or 24 months down the line. However, there may be other instances where you need to revisit the assessment sooner than planned. Maybe a war breaks out, or national regulations change in a way that affects your business relationship.
According to FATF, all CDD records must be kept for at least five years after the business relationship has ended.