Customer due diligence

Do your due diligence. That's a fundamental rule of business and basically comes down to knowing who you are dealing with. For any financial institution, one of the first assessments made is whether you can trust a potential client; Customer Due Diligence (CDD) is a critical element of effectively managing your risks and protecting yourself against potential financial crimes and nefarious activities.

Know Your Customer (KYC) is the process by which a business verifies a client’s identity, and, if you are a financial institution, it's more than a good idea: it's enshrined in legislation. For Anti-Money Laundering (AML) purposes, KYC rules curtail the financial activities of criminals and terrorists, and ensure that politically exposed persons (PEPs) are not getting caught up in bribery or corruption.

After all, where there’s money, there are also criminals lurking to take advantage wherever they can. By limiting financial activities, AML laws hit them where it hurts. And there’s a lot of money to go after; the United Nations Office on Drugs and Crime estimates that 2 to 5 percent of GDP, or $800 billion to $2 trillion, is laundered annually.

Besides being the right thing to do morally, the Customer Due Diligence (CDD) process is a smart business strategy to avoid heavy losses due to fraud, hefty fines, and sanctions, as well as bad publicity. Not knowing your customer in today’s financial world is a non-starter.

Due diligence around the world

While caveat emptor (buyer beware) has been around since Roman days, the concept was first codified into law in the U.S. Securities Act of 1933, where the phrase "due diligence" came into being. Cut to 2001 and the U.S. Patriot Act, where the idea of due diligence was applied to knowing your customers. Since then, the U.S. has strengthened CDD requirements, and similar laws have been passed around the world.

There are generally three steps in the KYC process:

  1. Identify your customer, through a proper Customer Identification Program (CIP)
  2. Understand the customer activities
  3. Assess money laundering risk

Taken together, steps 2 and 3 are the basis of CDD.

As of 2016, according to PwC, at least 92 countries have AML legislation with some form of CDD requirements. Here is a sampling:

Due diligence in China

Type I

This account type is the most basic of the three, with the transaction limit for outgoing transfers set to just over $150 in total, which includes transfers to the user’s own bank account. However, satisfying the KYC requirements for this account only requires an online identity check. Once the limit is exceeded, the customer must undergo additional identity checks to continue using the account.

Type II

For a Type II account, the KYC requirements are more stringent. Opening this type of account requires an in-person identity verification or three external identity database checks. With this higher level of security in place, there is also a higher limit for outgoing transactions, at just over $15,000 annually. Additionally, this limit does not apply to transfers to the user’s own bank account, which allows eCommerce merchants to use this type of account to receive and withdraw funds without restriction.

Type III

With a limit set to just over $30,000 per year, the Type III account is suitable for investments as well as for making purchases. Because of the higher limit, the KYC requirements are by far the strictest. Opening a Type III account requires either an in-person identity check or five external identity database checks. As with Type II accounts, transfers to the user’s own bank account do not count toward the annual transaction limit.

Due diligence in South Africa

As in many other Financial Action Task Force (FATF) member countries, Customer Due Diligence checking is part of the standard KYC process. In addition, Enhanced Due Diligence (EDD) procedures are mandatory in South Africa for both foreign and domestic PEPs, a term that covers anyone entrusted with a prominent public function and anyone closely related to such an individual.

Due diligence in Mexico

On April 16, 2019, Mexico updated its AML law, the Federal Law for the Prevention and Identification of Transactions with Funds from Illicit Sources.

Regulated parties, according to the FATF, “are generally prohibited from opening or maintaining anonymous accounts.” An exception is made, to promote financial inclusion, for deposits of pesos into individual accounts that don’t exceed a threshold. For financial transfers above USD $1,000, basic customer information is required, while amounts over $5,000 require more detailed customer information. Further regulations and AML provisions vary based on the industry and regulator.

Identity verification in Mexico has grown in the past few years. While there has not been a legal requirement for independent verification, copies of identification documents are generally provided when accounts are opened. Verification of Mexican identities is also important for many U.S. businesses.

Due diligence in Canada

Canada has updated its Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), with most amendments coming into force as of June 1, 2020. The definition of acceptable documents to ascertain identification has been changed from “original, valid and current” to “authentic, valid and current,” enabling the use of document verification as a fully legal process to help establish identity.

Going forward, there are three acceptable methods for identity verification:

  • Government-issued photo identification method where the document must be authentic, valid and current
  • Credit file method where the information must be valid and current
  • Dual-process method where the information must be valid and current and from different sources

According to FINTRAC, a reliable source is either an originator or issuer of information that can be trusted to verify a client’s identity. FINTRAC gives a few examples of what it considers reliable sources, including all levels of government, crown corporations, financial institutions and utilities.

Canada’s existing rules already require that regulated financial service businesses monitor foreign PEPs. Those same requirements also apply to domestic PEPs as well as the heads of international organizations and family members and close associates of such persons.

Due diligence in Europe

Customer authentication

Most significantly, PSD2 (the second Payment Services Directive) calls for considerably tougher rules on verifying the identities of payment service users. Payment service providers (PSPs) must apply “strong customer authentication” for senders who initiate electronic payments. Based on the definition given in the Directive, this means that two-factor authentication will be the minimum standard. Unless the senders themselves have committed fraud, PSPs that do not comply with this requirement will be liable for any losses due to identity fraud.

In August 2016, the European Commission amended their due diligence requirements in AMLD 4.1:

The due diligence requirements are now more stringent. There are fewer scenarios in which Simplified Due Diligence (SDD) for eMoney is allowable, and more situations in which Customer Due Diligence (CDD) needs to be redone. The definition of high risk, for which enhanced due diligence is necessary, has also been expanded (including to remote transactions).

Due diligence in the U.S.

The Final Rule refers to new FinCEN rules with the applicability date of May 11, 2018 regarding Customer Due Diligence (CDD) requirements. Under the FinCEN CDD Rule, collecting, maintaining and reporting of beneficial ownership information is now a requirement for financial institutions:

Covered financial institutions must collect from the legal entity customer the name, date of birth, address, and social security number or other government identification number (passport number or other similar information in the case of foreign persons) for individuals who own 25% or more of the equity interest of the legal entity (if any), and an individual with significant responsibility to control/manage the legal entity at the time a new account is opened.

In general, there are four elements FinCEN considers crucial when performing due diligence:

  1. Customer identification and verification
  2. Beneficial ownership identification and verification
  3. Understanding the nature and purpose of customer relationships in order to develop a customer risk profile
  4. Ongoing monitoring to report suspicious transactions and, on a risk basis, to maintain and update customer information

Different risk profiles

As the types of financial accounts, and account holders, vary widely, so does the risk profile. Many jurisdictions take these different risk profiles into account when considering Customer Due Diligence and create different CDD levels.

Simplified Due Diligence

In some situations, if the risk for money laundering or terrorist funding is low, a full CDD is not necessary. In these cases, a Simplified Due Diligence (SDD) process is enough to satisfy legal requirements.

For example, low-transaction-value accounts limit the opportunity to use the account for illegal purposes. Therefore, to reduce friction to customers and financial institutions for these small value accounts, they are exempt from a stringent CDD. Each jurisdiction will have its own maximum limit for different types of accounts that can fall under the rules for SDD.

Another class of customers that may qualify for SDD is those already covered by other checking and reporting regimes. A bank that falls under the same jurisdictional rules, for example, is already on record for its own due diligence, so it does not face further requirements. Likewise, a public company already has its records in the public domain and its financial activities monitored, and so need not face full due diligence requirements.

Enhanced Due Diligence

On the other hand, there are types of activities or account holders that require extra scrutiny. If an account type or account owner has a higher risk of money laundering or terrorist funding, then it is subject to Enhanced Due Diligence (EDD).

For example, most jurisdictions require PEPs to go through the EDD process. Other factors that might trigger EDD are high-transaction-value accounts, accounts that deal with high-risk countries, and accounts that deal with high-risk activities.

In the end, while some EDD factors are specifically enshrined in a country’s legislation, it is up to each financial institution to determine its own risk and take measures to ensure that it is not dealing with bad customers.
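The SDD / CDD / EDD tiering described above is, in practice, a decision rule that an onboarding system has to apply consistently and be able to explain to an auditor. The Python below is an added example written for this page, not Trulioo's code or any regulator's rule set: the thresholds, the placeholder country codes and the attribute names on the customer profile are constructed assumptions. The one design point it demonstrates is precedence: every EDD trigger (PEP status, high-risk countries, high value, high-risk activity) is evaluated before any SDD exemption, so a low-value account held by a PEP, or a public company dealing with a high-risk country, still lands in EDD.

```python
from dataclasses import dataclass, field
from enum import Enum


class DueDiligenceLevel(Enum):
    SDD = "simplified"   # low-risk exemption
    CDD = "standard"     # full customer due diligence
    EDD = "enhanced"     # extra scrutiny


@dataclass(frozen=True)
class CustomerProfile:
    """Risk-relevant facts gathered at onboarding (field names are assumptions, not a standard)."""
    customer_id: str
    is_pep: bool = False                              # PEP, or a family member / close associate of one
    counterparty_countries: frozenset = frozenset()   # countries the account deals with
    expected_annual_volume: float = 0.0               # in the jurisdiction's currency
    high_risk_activity: bool = False
    regulated_in_same_jurisdiction: bool = False      # e.g. a bank already on record for its own CDD
    is_public_company: bool = False                   # records already in the public domain


@dataclass(frozen=True)
class JurisdictionPolicy:
    """Per-jurisdiction thresholds; every value used below is a constructed placeholder."""
    sdd_volume_ceiling: float
    edd_volume_floor: float
    high_risk_countries: frozenset


@dataclass
class Decision:
    level: DueDiligenceLevel
    reasons: list = field(default_factory=list)  # which factors fired, kept for the audit trail


def assess(profile: CustomerProfile, policy: JurisdictionPolicy) -> Decision:
    """Classify a customer as SDD, CDD or EDD.

    EDD triggers are checked first and override any SDD eligibility,
    so a low-value account held by a PEP still receives enhanced due diligence.
    """
    edd_reasons = []
    if profile.is_pep:
        edd_reasons.append("politically exposed person")
    hits = profile.counterparty_countries & policy.high_risk_countries
    if hits:
        edd_reasons.append("dealings with high-risk countries: " + ", ".join(sorted(hits)))
    if profile.expected_annual_volume >= policy.edd_volume_floor:
        edd_reasons.append("high transaction value")
    if profile.high_risk_activity:
        edd_reasons.append("high-risk activity")
    if edd_reasons:
        return Decision(DueDiligenceLevel.EDD, edd_reasons)

    sdd_reasons = []
    if profile.expected_annual_volume <= policy.sdd_volume_ceiling:
        sdd_reasons.append("low transaction value")
    if profile.regulated_in_same_jurisdiction:
        sdd_reasons.append("regulated institution already on record")
    if profile.is_public_company:
        sdd_reasons.append("public company with records in the public domain")
    if sdd_reasons:
        return Decision(DueDiligenceLevel.SDD, sdd_reasons)

    return Decision(DueDiligenceLevel.CDD, ["no SDD exemption and no EDD trigger"])


# Constructed sample policy and customers; "XX" and "YY" are placeholder country codes.
SAMPLE_POLICY = JurisdictionPolicy(
    sdd_volume_ceiling=15_000,
    edd_volume_floor=1_000_000,
    high_risk_countries=frozenset({"XX", "YY"}),
)

SAMPLE_CUSTOMERS = [
    CustomerProfile("c-001", expected_annual_volume=8_000),               # small account -> SDD
    CustomerProfile("c-002", expected_annual_volume=8_000, is_pep=True),  # small, but PEP -> EDD
    CustomerProfile("c-003", expected_annual_volume=120_000),             # ordinary -> CDD
    CustomerProfile("c-004", is_public_company=True,
                    counterparty_countries=frozenset({"XX"})),            # SDD-eligible, but EDD wins
    CustomerProfile("c-005", expected_annual_volume=2_500_000),           # high value -> EDD
]


def run_samples() -> dict:
    """Return {customer_id: level name} for the constructed sample set."""
    return {c.customer_id: assess(c, SAMPLE_POLICY).level.name for c in SAMPLE_CUSTOMERS}


if __name__ == "__main__":
    for c in SAMPLE_CUSTOMERS:
        d = assess(c, SAMPLE_POLICY)
        print(c.customer_id, d.level.name, "; ".join(d.reasons))
```

The `reasons` list is the part a compliance reviewer will ask for: a tier on its own is not defensible, but a tier plus the specific factors that produced it can be reconciled against the jurisdiction's rules when they change. Thresholds live in `JurisdictionPolicy` rather than in the code precisely because each jurisdiction sets its own SDD ceilings and EDD triggers.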

As always, CDD laws are subject to change.

“Trulioo is all about simplifying the complexities of identity verification,” said Kim Hong, SVP of marketing at Trulioo. “We take great pride in keeping you up-to-date on the latest regulations, technologies and best practices to help you fulfill your compliance requirements, lower your risk of fraud, and improve your customer experience.”
