In a fast-moving world, getting to know your customer is the best way to keep them. It helps you make better and more effective business decisions based on their changing needs. But also, knowing your customer is an essential part of anti-money laundering due diligence, helping prevent criminals from taking advantage of your organisation and the financial sector in general.
Thankfully, the European Banking Authority (EBA) has issued a set of guidelines for financial institutions to follow in order to minimise their risk when they enter into a business relationship with a customer. This article explores the best practices for due diligence and how your organisation can apply them to customers in order to safeguard your operations from financial crime.
What is Customer Due Diligence (CDD)?
At its most basic level, Customer Due Diligence (CDD) is the process of verifying the identity of a customer in order to be sure that an organisation is confident it knows who it is doing business with. In the financial world, there is a risk of onboarding clients who are involved with money laundering (ML) or terrorist financing (TF).
The EBA sets out factors that organisations should consider when assessing their risk from ML and TF, as well as details on how to scale their CDD efforts in order to counter the risks they have identified.
The three areas of initial CDD that should be performed in every case are:
Verify the Customer’s Identity
Source reliable information from an independent source on the personal identifying details of the customer.
Verify the Beneficial Owner’s Identity
Discovering the identity of the person who is ultimately in charge or control of the business with which you are entering a relationship.
Establish the Business Relationship
Understanding the type and purpose of the business relationship in question.
When is CDD Required?
The EBA states that CDD is required ahead of banks and other financial operations entering into both sporadic and regular business dealings. It says: “Before entering into a business relationship or carrying out an occasional transaction, firms should apply initial CDD in line with Article 13(1)(a), (b) and (c) and Article 14(4) of Directive (EU) 2015/849.”
Besides the initial checks before entering into a business relationship, institutions are required to monitor these relationships on a regular basis. This includes keeping all the basic information about the customer up to date and analysing transactions involving the client.
In addition, anyone selling goods worth €10,000 and more in cash must perform their own CDD in order to minimise the risk of money laundering.
Different Types of Customer Due Diligence
The type of customer due diligence you apply is risk-based, so might vary from client to client. Below are the different types of CDD.
Standard Customer Due Diligence
For most customers, you will need to perform standard CDD. This involves verifying the customer’s identity, establishing the nature of the business relationship, identifying the beneficial owner of the business and resolving to continuously monitor these elements throughout the relationship.
However, there are situations in which you might decide to loosen or strengthen the Know Your Customer (KYC) and Anti Money Laundering (AML) measures.
Simplified Customer Due Diligence
For customers that you deem low-risk, you can perform simplified CDD. Reasons that you might find for settling on SDD could relate to the nature of the business or the product in question. If you enter into business with a local authority, for example, there may already be a requirement for them to disclose information relating to AML and TF matters. This means they are likely to pose a much lower risk of engaging in money laundering and terrorist funding.
You still have to perform CDD, but you can take these additional SDD measures:
- Delay verification of the customer until the relationship is established or transactions reach a certain level.
- Reduce the amount of information you require for CDD. This might include using just one reliable source for verification or assuming the nature of the relationship due to the product in question only having one use. A shopping centre gift card, for example.
- Adjust the quality or source of information. This could encompass using the company itself as a source for the identity of the beneficial owner. Alternatively, it could mean using the source of funds to meet some identifying requirements or to provide the nature of the relationship (for example, if they were state benefit payments).
- Changing the frequency monitoring of the business relationship. You might choose only to check when certain trigger events happen. For instance, when the client takes out a new product.
- Adjusting the frequency of transaction monitoring. You could opt to only analyse transactions over a certain value.
Enhanced Due Diligence
The European Union’s 4th Anti Money Laundering Directive dictates that you should enact enhanced due diligence (EDD) if your assessments deem the customer to be high risk and in any one of a number of set situations. These are:
- When the customer or its beneficial owner is a politically exposed person (PEP). A PEP is someone with a high profile role in politics or other public position. This is deemed to leave them more at risk of bribery or corruption.
- When you enter into a relationship with a respondent institution from a third country. In other words, an organisation from outside the European Economic Area (EEA).
- When the customer deals with people or entities in high-risk third countries.
- When there is a complex or unusually large transaction, or there are “unusual patterns of transactions, that have no obvious economic or lawful purpose.”
There are different EDD measures to take, depending on the risk factor identified.
- For PEPs, you should establish the source of their funds, seek senior approval for the relationship and increase ongoing monitoring reviews in line with the risk assessed.
- For third-country respondent institutions, you should examine closely the nature of their business, research publicly available information on their reputation, assess their existing AML measures and seek senior approval.
- For customers dealing in high-risk third countries, you should seek to increase the amount of information required for CDD, as well as its quality. You should also review the relationship more frequently.
- For unusual transactions, there should be systems in place to spot these transactions and you should take measures to understand their origin and funding. You should also learn more about the business to try and understand why these might occur. For EDD, you need to perform these checks with a greater frequency than with standard CDD.
How to Perform CDD
This is the general process for performing CDD.
1. Identify and verify customers
Collecting data on customers is the first step in performing CDD. For individuals, this includes the customer’s name, residential address, phone numbers, email addresses, gender, marital status, nationality, race and occupation. For legal entities, you should find out the name of the business, details of the incorporation, management structure, articles of association and details of its constitution.
You then need to verify this data with trusted and reliable sources. For an individual, this could be a government agency, in the form of a passport or other photo ID, or a utility provider to prove their address. For an organisation, you might ask to see the articles of association or the certificate of incorporation.
2. Identify and verify beneficial owners of companies
You must look into the control structure of the company to ascertain the identity of the beneficial owner of the business. This is the person that owns 25% or more of the shares or voting rights in the company. They can appoint or remove the majority of the directors or can otherwise exert control and influence over the organisation.
This step can involve a large amount of investigative work, from looking through shareholding data to sifting through public sources to uncover the identity of the ultimate beneficial owner.
3. Create customer risk profiles
Your analysts can run processes such as name screening to check on the background of the customer. They will look to see if the individuals in question are PEPs and whether they have been sanctioned, have a criminal record, have been involved with terrorism or have been associated with any dubious behaviour in the press.
Following these processes, the analysts can create a customer risk profile relating to money laundering and terrorist financing. If the entity is a government organisation that has its own AML compliance processes in place, it may be flagged as low risk, whereas a business where a high-ranking politician has beneficial ownership may be flagged as high risk.
From these results, you can assess the best form of due diligence to instigate, whether that is standard, simplified or enhanced.
4. Conduct ongoing monitoring
Ongoing monitoring of the account is key to maintaining security. This means constantly reviewing transactions and other account activity for indicators of money laundering. In addition, you should ensure that, if there is a change to the nature of the business relationship, it is not one that leaves you open to unwittingly allowing money laundering to occur. Keeping your Know Your Customer or KYC process documentation up to date is essential.
Tips To Streamline Anti Money Laundering Customer Due Diligence
✅ Verify identity before doing business
Verifying the identity of a client before entering into a business relationship means you start off knowing that you can trust they are who they say they are. The ID Proof tool from Evidos allows your new customers to identify themselves using their locally available electronic identities (eIDs). This enables you to work with overseas clients with complete confidence.
Every transaction with the client provides you with an identification file backed by independent evidence and verified by an NFC chip reader or a passport selfie.
Timely customer identification can speed up your due diligence and prevent hours spent manually investigating and verifying customers.
✅ Improve record-keeping
Your record-keeping of CDD material is essential for compliance with AML legislation. You should be able to prove that you carried out due diligence and the reasons why you assigned the customer the risk profile, and therefore the type of due diligence you performed.
Keeping detailed records of risk factors, suspicions and names of beneficial owners for clients and prospective clients helps to inform the decisions your analysts make. It helps other departments in your organisations perform their risk assessments if the client wants to work with them, too.
Using artificial intelligence (AI), such as Robotic Process Automation, to scour publicly available information and internal data enables you to create easily accessible and digestible records on a person or business for future reference.
✅ Employ third-party databases
Ensuring you keep a database of third parties allows you to cross-reference vital information that could inform your risk profile. By noting down all of the countries in which the customer operates, you can easily identify high-risk customers. When a country is felt to become ‘high risk’ the database can show you all the customers that are connected with that territory.
By investigating the owner, directors and senior management separately, you can easily spot connections between all the customers related to someone who becomes blacklisted. When you update customer information, you can immediately identify suspicious connections.
What is the difference between CDD and EDD?
CDD is Customer Due Diligence, relating to the concept of collecting data about the customer in order to verify who they are and to mitigate the risks that they may pose in relation to money laundering and terrorist funding. EDD is enhanced due diligence and encompasses the measures financial institutions should take to ensure that customers with a higher risk of money laundering are not connected with such activities.
Is there a limit at which CDD is not required?
Financial institutions must employ CDD measures for all of their customers. The only exception appears in Article 2 of the AML regulation, where it is said that EU member states can choose to exempt organisations that only occasionally offer financial products to clients. In this case, the organisation must adhere to a number of criteria, including that the sums should be lower than €1,000, making it an inefficient vessel for money laundering.
Understanding anti money laundering customer due diligence measures helps you assess and manage the risks that your customers pose in relation to criminal activity. Tools such as RPA and ID Proof from Evidos streamline and enhance your AML investigations, making identity verification in the financial world easier and faster. For implementing electronic identification as part of your due diligence requirements, talk to our sales team today.