As a business, you already know that your due diligence processes should be watertight. But in reality, do many organizations go beyond what is legally required of them to comply with regulations? Apparently not, according to the American Bar Association. They say that due diligence doesn’t seem to be at the top of the list when it comes to privacy and security in merger transactions. However, understanding whether you’re getting into any “risky business” is key, especially in an environment of rapidly changing global risk levels.
Stick around, because we’re going to delve into when you really need enhanced due diligence (EDD) and how you conduct this process.
What Is Enhanced Due Diligence?
Enhanced due diligence (EDD) is the deeper tier of customer due diligence (CDD): the additional checks you apply to higher-risk relationships as part of your risk management process. It means investigating and assessing the key parties your business deals with so you can be confident they are safe to work with.
EDD therefore belongs in many parts of your business: acquisitions, customer onboarding, and supplier onboarding, among others.
It is particularly important for high-risk customers, such as those based in risky jurisdictions or operating in notoriously high-risk industries (we give examples of both later). If such a customer turns out to be involved in criminal activity, you may be held accountable for not having performed the appropriate risk checks, which can lead to penalties and reputational damage.
EDD should be part of your “know your customer” (KYC) checks so that you really understand who you’re getting into business with and have fewer nasty surprises.
Ultimately, EDD and your overall KYC process are all part of a grander plan to protect against general financial crimes like money laundering, terrorist financing, fraud, and corruption.
When Should You Perform Enhanced Due Diligence?
Generally speaking, you should conduct EDD when establishing a new higher-risk business relationship and during ongoing monitoring, so that you stay up to date with any change in risk exposure. Other triggering events can also raise your risk and prompt advanced checks: suspicious transactions, or dealings involving high-risk third countries, among others. The message is to always have risk management on your mind.
Depending on the type of company you work in and which third parties you do business with, you will be exposed to different risks and risk levels. The situations that require EDD therefore depend on your own risk assessment. In some cases, EDD is a legal requirement; we explain those cases in the next four sections.
1. High-Risk Jurisdictions
High-risk jurisdictions may have political instability, an unstable or unreliable economy, or weak anti-money laundering (AML) procedures and guidelines. Dealing with parties in those jurisdictions exposes your company to a higher risk of money laundering.
The Financial Action Task Force (FATF) sets the global standards for combating money laundering and terrorist financing, and AML regulations around the world implement those standards to help detect suspicious activity. In practice, the obligation to perform EDD is usually tied to AML legal requirements, because high-risk people, sectors, and countries carry a higher risk of money laundering.
For jurisdictions, FATF publishes two lists to help businesses decide when enhanced due diligence is needed: "High-Risk Jurisdictions subject to a Call for Action" (often called the black list) and "Jurisdictions under Increased Monitoring" (the grey list).
FATF revises both lists at each of its plenary meetings, re-evaluating the risk factors for each country. A platform such as Certa that notifies you of such changes as they happen can help you keep your risk ratings current.
For example, in October 2022 FATF removed Nicaragua and Pakistan from the grey list, added the Democratic Republic of the Congo, Mozambique, and Tanzania to increased monitoring, and moved Burma (Myanmar) to the high-risk list, calling on members to apply enhanced due diligence proportionate to the risk. Note that OFAC sanctions screening is a separate obligation under US law and must be done regardless of the FATF lists.
2. Politically Exposed Persons (PEPs)
PEPs are people entrusted with prominent public functions. EDD is required when PEPs are involved because such positions can be abused for money laundering or corruption. That does not mean all PEPs are shady, of course, but doing your checks helps you understand who is safe to work with.
FATF distinguishes three types of PEP: foreign, domestic, and international-organization PEPs. Foreign PEPs, people entrusted with prominent public functions by a foreign country, are always treated as high-risk under FATF's standards, so EDD is always required. Domestic PEPs are treated as high-risk only when your risk assessment finds red flags, and the same goes for international PEPs, such as directors or board members of international organizations. FATF's requirements also extend to a PEP's family members and close associates.
When assessing PEPs to satisfy AML compliance and EDD regulations, you need current information about the PEP, such as their address and identifying documents. You may want to request additional information to build a risk profile, including the organizations they are involved in, where they live, and whether they are associated with other high-risk family members or associates.
Internet and media searches will show their media coverage and whether there are ongoing investigations against them. You should also establish their source of funds and, for foreign PEPs, their source of wealth, to make sure their money has not been earned illegally.
You can find out whether someone is a PEP by checking the PEP lists that some governments publish; some companies also maintain internal PEP databases. FATF's PEP guidance describes the red flags to watch for.
3. Sanctioned Individuals and Entities
As part of your enhanced due diligence procedures, you are required by regulation to check the relevant government sanctions lists, which for US businesses means OFAC's lists. OFAC screening cannot stop at the named counterparty: you must also review the ultimate beneficial owners (UBOs) who hold the largest interests in your customer or supplier.
Bear in mind OFAC's 50% rule: an entity owned 50% or more, directly or indirectly and in the aggregate, by one or more sanctioned individuals or companies is itself treated as blocked, so you cannot legally do business with it even if it is not on the list by name. EDD comes into play when sanctioned parties hold a significant stake that falls short of 50%, or appear to control the company by means other than ownership. OFAC itself advises caution in those cases, and you should take a risk-based approach when deciding whether the company is safe to do business with.
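The aggregation and indirect-ownership behaviour of the 50% rule is easy to get wrong by hand, so here is a worked check as an added example. This is not code from the original article or from Certa; the ownership graph, the sanctions list, and the 25% review cutoff are constructed for illustration. The indirect-ownership treatment follows OFAC's published 50 Percent Rule guidance: blocked status propagates through entities that are themselves blocked, and percentages are not multiplied through intermediaries that are not blocked.

```python
"""Aggregate blocked-ownership check modelled on OFAC's 50 Percent Rule.

Added example, not the article's own code. Ownership data and the sanctions
list below are constructed; the REVIEW_THRESHOLD cutoff is an assumption.
Ownership fractions are integer percentages to avoid floating-point rounding.
"""
from typing import Dict, Set, Tuple

Ownership = Dict[str, Dict[str, int]]  # entity -> {owner: percentage held}

BLOCKING_THRESHOLD = 50   # OFAC: 50% or more, in the aggregate, by blocked persons
REVIEW_THRESHOLD = 25     # assumption: below-threshold stake that still triggers EDD

# Constructed sanctions list: "X" stands for a listed (SDN) person.
SDN: Set[str] = {"X"}

# Constructed ownership graph. Owners not present as keys are unlisted parties.
OWNERSHIP: Ownership = {
    "A": {"X": 50, "P": 50},             # 50% held directly by X -> blocked
    "B": {"A": 50, "Q": 50},             # 50% held by A, itself blocked -> blocked
    "H": {"X": 30, "A": 20, "R": 50},    # 30% + 20% from two blocked parties -> blocked
    "E": {"X": 25, "S": 75},             # 25% -> not blocked, but worth review
    "F": {"X": 25, "T": 75},
    "G": {"E": 50, "F": 50},             # E and F are not blocked, so G is not either
    "C": {"U": 60, "V": 40},             # no blocked owners -> clear
}


def blocked_entities(ownership: Ownership, sdn: Set[str]) -> Set[str]:
    """Return every blocked party: listed persons plus each entity whose
    aggregate ownership by blocked parties reaches BLOCKING_THRESHOLD.

    Iterates to a fixed point so that a stake held through an entity that
    becomes blocked in one pass is counted on the next pass.
    """
    blocked = set(sdn)
    changed = True
    while changed:
        changed = False
        for entity, owners in ownership.items():
            if entity in blocked:
                continue
            share = sum(pct for owner, pct in owners.items() if owner in blocked)
            if share >= BLOCKING_THRESHOLD:
                blocked.add(entity)
                changed = True
    return blocked


def blocked_share(entity: str, ownership: Ownership, blocked: Set[str]) -> int:
    """Percentage of `entity` held directly by blocked parties."""
    return sum(pct for owner, pct in ownership.get(entity, {}).items() if owner in blocked)


def screen(entity: str, ownership: Ownership, sdn: Set[str]) -> Tuple[str, int]:
    """Classify a counterparty as 'blocked', 'review' (significant minority stake
    held by blocked parties, the case the article says calls for EDD), or 'clear'.
    Returns the classification and the aggregate blocked stake in percent."""
    blocked = blocked_entities(ownership, sdn)
    share = blocked_share(entity, ownership, blocked)
    if entity in blocked:
        return "blocked", share
    if share >= REVIEW_THRESHOLD:
        return "review", share
    return "clear", share


if __name__ == "__main__":
    for name in OWNERSHIP:
        status, share = screen(name, OWNERSHIP, SDN)
        print(f"{name}: {status} (blocked stake {share}%)")
```

Entity H shows why aggregation matters: neither X nor A holds 50% of it alone, but together they do. Entity G shows the other side of the rule: X's 25% stakes in E and F are not multiplied through, so G is not blocked, though E and F themselves land in the review bucket where the article's risk-based approach applies.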
4. High-Risk Sectors
You may need to perform EDD on companies operating in high-risk industries such as real estate, finance, mining, oil and gas, or gambling, where large sums and high-value transactions are routine.
Depending on the sector you operate in, you may be subject to different regulations and have to perform extra EDD checks. For instance, banks, broker-dealers, and other financial institutions are subject to the Bank Secrecy Act (BSA), which provides the basic framework for the AML checks they must perform on customers.
Those obligations include keeping specified records, filing reports, and participating in mandatory information sharing, all aimed at identifying customers and building a risk profile that flags threats. Casinos, for example, are treated as financial institutions under the BSA and must follow EDD processes to make sure they are not being used as a vehicle to launder money. Failing to do so can lead to heavy fines and penalties.
How Do You Conduct EDD?
Now you know when you need to do EDD, let’s talk about what additional steps to follow so that you’re keeping compliant.
1. Ask for Additional Information
EDD may involve requesting extra information, documentation, or clarification. For example, if you receive a large payment, you may ask to see bank statements to make sure the money hasn’t come from illegitimate sources. If the funds have come from a high-risk country, you may have to trace this back even further.
2. Assess Business Activity
Keep an eye on the third party's business activity and transactions and assess whether they fit the established pattern. For example, if a customer who usually pays in monthly installments suddenly asks to pay the whole year's fee upfront, that deviation warrants a closer look; in extreme cases it can indicate an attempt to launder money.
Some companies are required to report unusual activity to the government. Financial institutions, for instance, must file Suspicious Activity Reports (SARs) with FinCEN when they detect transactions that suggest money laundering or other criminal behavior.
Other factors that may trigger EDD include a change in company ownership, third parties unwilling to provide additional information, and funds arriving from unusual sources.
3. Take a Risk-Based Approach
A risk-based approach means assessing the risks to your company and putting measures or controls in place to manage them. To do this, consider every relevant risk category and factor: operational risk, strategic risk, company ownership, industry, PEP involvement, and jurisdiction. Then weigh whether the resulting risk level can be mitigated or is too much to take on.
When faced with a risk such as a supplier being owned by a PEP, you conduct CDD and EDD to decide whether that PEP poses a risk to your business. Perhaps they are sanctioned, or perhaps they are merely known to associate with someone like Pablo Escobar. You then decide whether to continue doing business with the organization based on the risk it poses to you.
Suppose your vendor is under investigation for criminal activity but no evidence has yet been found. You might wait for the investigation to conclude before deciding whether to work with them, and a risk-based approach would mean monitoring the vendor until the investigation closes or further information is published.
4. Keep Compliance in Mind With Ongoing Monitoring
Update your risk assessments and due diligence on third parties as part of your monitoring strategy. The review frequency should follow the risk level: annually may be enough for lower-risk parties, while higher-risk ones warrant checks every six months or more often.
Make sure all your staff are on the same page and aware of the red flags by providing ongoing training that keeps up with changing regulations. FATF also offers training sessions and courses to help organizations understand what is required of them.