When it comes to onboarding new clients, KYC Customer Due Diligence (CDD) is a crucial process. This key mechanism enables you to minimise the risk of your organisation being used to launder money or as part of a terrorist financing scheme.
To help you with electronic identification and the other steps you need to take for anti-money laundering (AML) compliance, we have created this KYC CDD checklist. You can also use it to ensure you are perfectly placed to manage risk with the fullest possible knowledge of your clients.
What is CDD in the KYC Process?
CDD is the process that enables you to prove you have complied with your KYC obligations. Performing due diligence on clients tells you exactly who they are, whether a company you intend to do business with has an ultimate beneficial owner (UBO), and the risks the customer poses in terms of AML and counter-terrorist funding (CTF).
As set out in the various European Union Anti-Money Laundering Directives (AMLD), your initial CDD should involve the following steps:
Verify the Identity of the Customer
Establish the personal identifying details of the customer, whether it is an individual or an organisation. This requires the use of an independent online identification provider.
Verify the Identity of the Ultimate Beneficial Owner
By using trusted third-party sources, such as the UBO registers that exist in many EU member states, find out the identity of the person who has ultimate control over the organisation in question.
Establish the Business Relationship
Understand the purpose of the relationship with this new client, as well as the nature of the relationship, including the source of funds, the kinds of transactions they will undertake, and so on.
Once you have established the identity of the customer and assessed their risk level, you can choose whether to continue using the standard CDD procedures, which will most likely be the case for the majority of clients, or opt for Simplified Due Diligence (SDD) or Enhanced Due Diligence (EDD).
Following these initial steps, CDD requires you to continuously monitor the account for unusual activities, transactions and changes in the customer’s risk profile.
The Ultimate KYC CDD Checklist and Template
There are some important steps to take when performing your KYC CDD duties with a new customer. Here is an example Customer Due Diligence checklist.
☑️ Ensure the risk profile of the customer fits your policies before entering a relationship
This is the basis of CDD. It involves understanding all you can about the identity of the customer and, if applicable, their UBO. You should check:
- Their full name and residential address for individuals or the business address for legal entities.
- Their photographic identification. For example, using ID Proof from Evidos allows you to accept a passport selfie or other local electronic identification check.
- Whether there is a UBO. If so, you must confirm their identity and understand their relationship with the customer.
- The nature of the intended relationship between the organisation and the customer. This includes their planned transactions and the origin of their funds.
- The customer’s own anti-money laundering policies. For example, a government agency is likely to have clear, defined and robust AML rules as a result of being a public body. This would reduce the risk profile of the agency.
- The customer’s inclusion on any lists that might suggest an increased risk. These include sanction lists, blacklists and lists of Politically Exposed Persons (PEPs).
From the above information, you can build an overview of the risk profile of the client and establish whether they would be an acceptable fit for your business.
☑️ Access third-party databases (with caution)
Much of the information you need in order to establish the risk profile of your clients comes from third parties. Combing through these lists and databases is a necessary task for your analysts, but you should be aware that the responsibility for gauging the accuracy of the information lies with you in terms of compliance.
These third parties could include the country’s UBO database, other financial institutions or legal professionals, auditors and accountants.
☑️ Establish the Form of Customer Due Diligence Required
At this point, you should have a good idea about the type of CDD required in this case to suit the risk category of the client. The options are:
- Standard Customer Due Diligence: This involves the steps set out above, along with continual monitoring during the course of the relationship.
- Simplified Due Diligence (SDD): If you deem the customer to be low risk, you can loosen the AML measures. SDD can be chosen based on the type of customer (for example, an EU member state) or the product (for example, pensions that are deducted at source). You could opt to only analyse transactions worth more than a certain amount, lower the frequency with which you monitor the account or reduce the amount of information you require to verify the relationship with the client.
- Enhanced Due Diligence (EDD): If you deem the customer to be high risk, you need to strengthen the AML measures. This could be based on the type of customer. For example, it might be a PEP and, therefore, more susceptible to blackmail and bribery. It might also be due to the nature of their business, such as if it is cash intensive, or it could relate to the high-risk country in which they do business. EDD may include stricter checks of funds and transactions, more frequent monitoring of the account and in-depth research of publicly available sources for clues about the reputation of the customer. You might also want to continuously reassess the relationship between your organisation and the client.
☑️ Keep Hold of CDD Records
In the event of an audit or an investigation, you need to show that you did everything you could to mitigate the risk of money laundering. This is why it is important to keep hold of the CDD records that your analysts created during the process.
You should be able to show the trail of the research and the reasons why you took the decisions that you did, based on thorough and trusted research.
☑️ Ensure Your Data Storage Solutions are GDPR Compliant
The General Data Protection Regulation (GDPR) in the EU requires you to meet strict requirements when storing and processing data. As the CDD process involves both of these activities in order to perform the due diligence and to maintain records of customer profiles for possible future inspection by regulators, you should ensure you have the correct protocols in place.
☑️ Set in Place Procedures for Ongoing Monitoring
CDD doesn’t end when your customer signs up for their account. It is an ongoing process and you need to have the procedures in place. You must monitor accounts, and unusual transactions in particular, as a matter of course.
Not only should you have the procedures mapped out, but you have to have the correct technology to make this process easier. Having automatic notifications for suspicious transactions helps you investigate immediately and in the most efficient manner possible.
For templates that you can download and use in your CDD processes, take a look at Mayari.
Challenges of Customer Due Diligence
The EU bases its AML regulations on the international standards set by the Financial Action Task Force (FATF) but also continues to update, refine and add to those regulations. This means that, as an organisation, you have to be agile and vigilant for the latest changes in the legislation. As more requirements come into force, the CDD process becomes more complex and time-consuming.
When performing electronic identification, you can find it more challenging if you are based in a different market than your customers. Each country has its own favoured identification methods, which are not always compatible with other countries’. This can be a common issue if you are working with customers in the EU because it is a single market with legislation that varies by member state.
If you are looking for an EU-wide solution, ID Proof from Evidos can help. It is regularly updated to ensure it works with the identification methods in all of the major European markets, including the UK.
Many financial institutions also find that they receive a large number of false positives when checking names against sanction lists. This is when a name matches with someone deemed high risk, but it is an incorrect match. Although the process for checking names against these lists of PEPs, blacklisted individuals and other high-risk clients is automated, sorting through the 75–85% that typically turn out to be false positives is a manual job and drains resources.
What information is required for CDD?
Companies must obtain personal information about their customers, including their name, address and birth certification. These should come from a reliable, independent source. They should also provide photographic identification.
For companies, you should request information about the business’s name and trading address, its control structure, constitution and registration number. You also need to establish whether the person you are dealing with is authorised to act on behalf of that company.
What Does CDD (Customer Due Diligence) Mean for Banks and Financial Institutions?
Financial institutions process millions of transactions every day, and it would be easy to miss those relating to AML. This is why the sector must put itself in the best possible position to avoid unwittingly facilitating criminal behaviour by getting to know its customers before they onboard and monitoring them for the life of their contract.
By assessing the risk of the customer in advance, including beneficial ownership information, you can dedicate resources to those that are more likely to cause issues, saving precious time and work hours by treating low-risk clients with a light touch.
We hope this KYC CDD checklist will help you stay compliant with the latest AML regulations in the EU. They involve rigorous checks and procedures, but, with money laundering said to account for up to 1.2 per cent of the EU’s annual GDP (€197.2 billion), it is easy to see why the legislation is in place and is regularly updated. For an easy and secure way to run your customer identification program using independent and trusted sources, we invite you to try ID Proof.