What exactly is Customer Due Diligence (CDD)? And why is it so important? CDD is a critical element of effectively managing risk and protecting you (and your business) against potential association or involvement with bad actors and financial crimes. CDD processes are crucial for Know Your Customer (KYC), and while they vary around the world, in most cases, they involve identifying your customer and understanding their activities. This then allows you to assess their risk profile.
Sometimes, Enhanced Due Diligence (EDD) is needed. This involves collecting additional information on high-risk customers to provide a deeper understanding of customer activity and to mitigate risk. Customer assessments can be used to determine which level of due diligence is required, a crucial step in creating an effective risk-based approach as part of a robust compliance program.
To ensure that your business is following best practices, we have put together the following five-step checklist to help improve your CDD processes.
Step 1: Verify customer identities
Perform CDD measures before entering into business relationships with customers to detect potential bad actors early in the process. Creating barriers to prevent financial criminals from accessing accounts on your system helps avoid questionable activities before they can even begin.
How? Ascertain the identity and location of the potential customer, and gain a good understanding of their business activities. This can be as simple as verifying their name and address. However, with increases in online fraud, collecting more information or running additional identity checks might also be advisable. Some information sources that can help the identity process include:
- Date of birth
- Telephone number
- National ID number
- Identity documents
- Mobile network data
- Live video
- Third-party account verification
Business and other legal entity customers also require verification to ensure the legitimacy of the business and that the account holders have the proper authority to act on behalf of the business. The business verification process examines information like:
- Business registration number
- Company name
- Operational status
- Key management personnel
- Date of incorporation
Why? You have to first decide whether a client or customer fits your established risk profile, before entering into a business relationship with them. You can only do this by undertaking the appropriate CDD measures. This ensures that identity theft and any potential forgeries can be detected and dealt with early.
Step 2: Assess third-party information sources
Strengthen your processes when vetting third parties.
How? You may rely on third parties — from banks, to lawyers, to auditors — to help you perform due diligence, however it’s important to choose these third parties wisely because the ultimate responsibility for CDD measures remains with you, not the third party.
Why? Sometimes, the only way to get the information required for CDD is through a trusted third party, so it’s important to ensure that their standards and best practices are aligned with your business. At the end of the day, you are liable and will be fined or penalized for non-compliance.
Systematically thinking about your business relationships, the potential exposures they could incur, what steps you need to implement, and then how you can operationalize and review those procedures makes good business sense — and helps ensure proper compliance.
Step 3: Secure your information
Ensure that pertinent information has been collected and stored securely.
How? When authenticating or verifying a potential customer, classify their risk category and define what type of customer they are, before securely storing this information and any additional documentation digitally. While keeping personally identifiable information (PII data) might be necessary, there are often strict legal requirements regarding how that information is collected, stored and shared; beyond any legal necessity, protecting customer data is crucial to avoid any reputational damage.
Why? Having a meticulous and comprehensive process for documenting CDD-related information is highly effective and also mitigates any potential risk for you as a business.
Step 4: Take any necessary additional measures
Detect if there is a need for EDD.
How? Beyond basic CDD, it’s important that you carry out the correct processes to ascertain whether EDD might be necessary. This can be an ongoing process, as customers have the potential to transition into higher-risk categories over time so, conducting periodic due diligence assessments can be beneficial.
For example, most jurisdictions require politically exposed persons (PEPs) to go through the EDD process. Other factors that might trigger EDD are accounts with high transaction values, accounts that deal with high-risk activities and adverse media mentions. Factors to consider to determine whether EDD is required include, but are not limited to:
- The person’s location
- Their occupation
- Transaction types
- Expected activity patterns in terms of transaction types, dollar values and frequencies
- Expected payment methods
If the account is for a business, additional EDD considerations include:
- Identifying any connected entities and Ultimate Beneficial Owners (UBOs)
- Performing AML/KYC checks on UBOs to verify their identities
- Downloading official company records to act as a Record of Authority
- Screening the company and its owners against global watchlists and sanctions lists
Why? Again, this protects you and your business against any involvement with nefarious activities and also ensures that you’re meeting various KYC and Anti-Money Laundering (AML) regulatory requirements.
Step 5: Ensure you’re audit ready
Keep historical records on hand.
How? Store records of instances of CDD and EDD securely, in a digital format.
Why? Keeping records of all the CDD and EDD performed on each customer, or potential customer, is necessary in case of future regulatory obligations (for example, an external audit).
With robust digital records in place, internal audit processes can account for deeper data sets, can re-run and re-analyze situations to decrease risk, improve performance and better guard against problematic accounts. These records are another line of defense to help protect the entire compliance process, as they can be used to double-check accounts that have passed onboarding checks. These checks also allow the auditing team to hone their strategy and tactics, test assumptions and otherwise optimize compliance procedures.
The digital audit trail is a cornerstone of creating a resilient, standardized, testable compliance program. Rising above the inconsistencies of individual people running and being responsible for account compliance, a systematic compliance program helps protect the company, besides being scalable and adaptable.
The key to effective, ongoing CDD is to have set policies and processes for various contingencies. Anticipating scenarios helps to clarify which approaches are best and speeds up responses.
For forward-looking organizations, compliance is a competitive advantage, not just a regulatory checkbox exercise. Effective ongoing compliance lessens risk, increases knowledge of customers and enables adaptable systems. Establishing values and procedures that promote constant vigilance and respect for regulatory obligations helps create a transparent organization with solid governance.
This post was originally published on February 22, 2018. It has been updated to reflect the latest industry developments and best practices.