Customer Due Diligence – The Cornerstone of Compliance
July 9th, 2021
When thinking of all the necessary pieces that comprise a functional risk-based AML process, one would be shocked to find Customer Due Diligence (CDD) not on that list. Yet, how important is CDD in the overall view of AML?
CDD is the control procedure that financial services organizations (FSOs) apply to understand and conduct risk assessments of their customers, allowing them to identify and mitigate potential customer risks. CDD is the first line of defense in stopping bad actors from gaining access to global financial services, so there is a lot at stake in getting it wrong.
If FSOs do not apply stringent enough CDD procedures to protect themselves from financial crime, then they run the risk of breaching financial crime regulations, which can result in financial penalties or even civil or criminal litigation.
Beyond avoiding monetary penalties, CDD procedures aim to uncover the potential risk to a financial institution of doing business with any specific individual or organization by analyzing information from a variety of sources:
- The customer themselves, who needs to provide certain information in order to do business with the FSO
- Any sanctions or other screening lists published by governments or territories
- Adverse media
- Public data sources, such as company listings
- Private data sources from third-party data providers
By compiling data from multiple sources and measuring the risk factors associated with each, FSOs can gain a much better understanding of the customer and the risks they pose. Not only will this help FSOs meet and exceed Know Your Customer (KYC) standards, ensuring that they’re adhering to global best practices, but it will also help them identify risks and take steps to mitigate their exposure to these risks.
The Standard Flow of AML CDD
FSOs normally begin their CDD process by obtaining basic information about a customer or business during onboarding, such as:
- Full name
- Residential address and/or corporate address
- Contact number(s) and an email address
- Place and date of birth
- Gender
- Nationality
- Marital status
- Government-issued identification and tax number
- Occupation
- Specimen signature
- Nature of business
- Source of funds
- Source of wealth
After an FSO obtains all the basic data points, it can then screen and analyze the information to determine the relative risk associated with the customer. All this data is checked against name-screening databases that feed into the risk profile of the customer. At this point, the institution determines which degree of due diligence the new client will be subjected to: whether the process remains unchanged, is eased, or is reinforced even further due to a high risk level.
How Each CDD Level Differs
Now that we’re familiar with the concept of what CDD is and how a standard CDD flow operates, next we want to tackle what each level represents and when it’s appropriate to apply each to your own processes.
- Simplified Due Diligence (SDD): This is the lowest level of due diligence that an FSO can conduct on a customer. SDD is conducted where the customer, their anticipated activity and products are considered a low risk for money laundering. This type of due diligence is most common for public authorities or companies listed on a regulated market with high legislative requirements. With simplified due diligence, FSOs are only required to identify the customer, and there is no requirement to conduct detailed verification checks.
- Standard Due Diligence or Customer Due Diligence (CDD): This is the most common type of due diligence. With CDD, there is a requirement to obtain sufficient information from your customer to verify the customer is who they say they are. There is also a requirement to understand the nature of the business relationship, the corporate structure (if applicable) and the expected activity of the customer, such as income. This information will help to determine whether additional due diligence is required.
- Enhanced Due Diligence (EDD): When a customer or situation is flagged as having a higher risk of money laundering, EDD is required. Identified risks can include a customer being identified as a politically exposed person (PEP), having connections to high-risk countries, high transaction amounts and/or involvement in high-risk activities. Additional EDD checks will depend on the circumstances of the identified heightened risk, but additional measures can range from requests for more information to identity verification, adverse media searches or independent source of income verification. Relationships identified as high risk and requiring EDD need to be approved by a senior executive at the FSO.
Depending on the level that is triggered for any particular case of CDD, a relationship cannot begin with a customer until the checks are conducted, no matter the amount of friction it brings – especially in EDD cases.
CDD Doesn’t End Once the Onboarding Process is Complete
Completing CDD at the time of onboarding doesn’t mean that the FSO will never perform additional monitoring on the customer and their risk throughout the relationship. In a perfect world, a customer will continue with their initial activities, never prompting the need to change their customer profile and thus never triggering a change-in-risk alert by the FSO.
Unfortunately, the dynamic nature of customer activity is a reliable constant, and the probability of a customer engaging in risky behavior is never zero. Historically, as per regulatory requirements, FSOs performed static periodic reviews of their customers, at intervals that often ranged from one to five years, depending on the risk posed by the customer. This is now considered insufficient by most FSOs, as they are required to consistently monitor customer activity and the risk it poses. A large number of FSOs are now looking to move to trigger-based alerting to ensure that they can remain proactive, not reactive, in problematic situations to protect the business, while still remaining compliant with regulators.