Customer Due Diligence: Ensuring You Know Your Customer
Do your due diligence. That’s a fundamental rule of business and basically comes down to knowing who you are dealing with. For any financial institution, one of the first analyses made is to determine if you can trust a potential client. You need to make sure any potential customer is worthy; customer due diligence (CDD) is a critical element of effectively managing your risks and protecting yourself against potential financial crimes and nefarious activities.
Know your customer (KYC) is the process of a business verifying a client’s identity, and, if you are a financial institution, it’s more than a good idea; it’s enshrined in legislation. For anti-money laundering (AML) purposes, KYC rules curtail the financial activities of criminals and terrorists, and ensure that Politically Exposed Persons (PEPs) are not getting caught up in bribery or corruption.
After all, where there’s money, there are also criminals lurking to take advantage wherever they can. By limiting financial activities, AML laws hit them where it hurts. And, there’s a lot of money to go after; the US Treasury estimates that over 300 billion dollars in illicit activity occurs in the US annually.
Besides being the right thing to do morally, the customer due diligence (CDD) process is a smart business strategy to avoid heavy losses due to fraud, hefty fines and sanctions, as well as bad publicity. Not knowing your customer in today’s financial world is a non-starter.
Due Diligence Around the World
While caveat emptor (buyer beware) has been around since Roman days, the concept was first codified into law in the US Security Act of 1933, where the phrase due diligence came into being. Cut to 2001, and the US Patriot Act, where the idea of due diligence was applied to knowing your customers. Since then, the US has strengthened CDD requirements, and similar laws have been passed around the world.
There are generally three steps in the KYC process:
- Identify your customer, through a proper Customer Identification Program (CIP)
- Understand the customer’s activities
- Assess money laundering risk
Taken together, steps two and three are the basis of CDD.
As of 2013, according to PwC, at least 74 countries have AML legislation with some form of CDD requirements. Here is a sampling:
Due Diligence in China
This account type is the most basic of the three, with transaction limits for outgoing transfers set to only just over a total of $150, which includes transfers to the user’s own bank account. However, satisfying the KYC requirements for this account requires only an online identity check. Once the limit is exceeded, the customer must undergo additional identity checks to continue using the account.
For a Type II account, the KYC requirements are more stringent. Opening this type of account requires in-person identity verification or three external identity database checks. With this higher level of security in place, there is also a higher limit for outgoing transactions, at just over $15,000 annually. Additionally, this limit does not apply to transfers to the user’s own bank account. This allows eCommerce merchants to use this type of account to receive and withdraw funds with no restrictions.
With a limit set to just over $30,000 per year, the Type III account would be suitable for investments as well as for making purchases. Because of the higher limit, the KYC requirements are, by far, the strictest. Opening a Type III account requires either an in-person identity check or five external identity database checks. As with Type II accounts, transfers to a user’s own bank account do not count toward the annual transaction limit.
Due Diligence in South Africa
Like many other Financial Action Task Force (FATF) member countries, part of the standard KYC process requires customer due diligence checking. Also, enhanced due diligence procedures are mandatory in South Africa for both foreign and domestic PEPs, which describes anyone entrusted with a prominent public function or anyone who is closely related to such an individual.
Due Diligence in Mexico
Mexico applies KYC policies but has historically been more interested in customer and business management than in AML measures. Local regulations require businesses to rank their customers as either low or high risk. In 2013, new AML rules came into effect in Mexico that cover transactions that take place outside of financial institutions, such as donations, construction and property development, and professional services. Further regulations and AML provisions vary based on the industry and regulator.
Mexican identity verification has grown in the past few years. While there has not been a legal requirement for independent verification, copies of identification are generally provided upon account openings. Furthermore, verification of Mexican identities is important for many U.S. businesses.
Due Diligence in Canada
Going forward, successful identity verification requires meeting any two of the following three criteria:
- Successful verification of a person’s name and address by referring to a reliable source
- Successful verification of a person’s name and date of birth by referring to a reliable source
- Successful verification of a person’s name and deposit, loan, or credit card account information with a Canadian financial institution
According to FINTRAC, a reliable source is either an originator or issuer of information that can be trusted to verify a client’s identity. FINTRAC gives a few examples of what it considers reliable sources, including all levels of government, crown corporations, financial institutions, and utilities.
While the new guidelines provide a comprehensive list of what is considered acceptable as an independent and reliable source, they also make it very clear what is not acceptable.
For example, as briefly mentioned above, FINTRAC rules out the use of online document verification.
According to the guidelines, “It is not acceptable to view photo identification online, through a video conference or through any virtual type of application. You cannot accept a copy or a digitally scanned image of the photo identification.”
Canada’s existing rules already require that regulated financial service businesses monitor foreign PEPs. Once the proposed regulations come into effect, those same requirements will also apply to domestic PEPs as well as the heads of international organizations and family members and close associates of such persons.
Due Diligence in Europe
Most significantly, PSD2 (Payment Service Directive) calls for considerably tougher rules on verifying the identities of payment service users. PSPs must apply “strong customer authentication” for senders who initiate electronic payments. Based on the definition given in the Directive, this means that two-factor authentication will be the minimum standard. Unless the senders themselves have committed fraud, PSPs that do not comply with this requirement will be responsible for any losses due to identity fraud.
Different Risk Profiles
As the types of financial accounts, and account holders, vary widely, so does the risk profile. Many jurisdictions take these different risk profiles into account when considering customer due diligence and create different CDD levels.
Simplified Due Diligence
In some situations, if the risk for money laundering or terrorist funding is low, a full CDD is not necessary. In these cases, a simplified due diligence (SDD) process is enough to satisfy legal requirements.
For example, low transaction value accounts limit the opportunity to use the account for illegal purposes. Therefore, to reduce friction to customers and financial institutions for these small value accounts, they are exempt from a stringent CDD. Each jurisdiction will have its own maximum limit for different types of accounts that can fall under the rules for SDD.
Another class of accounts that may qualify for SDD is those already covered by other checks and reporting systems. If a bank, for example, is under the same jurisdictional rules, it is already on record for its due diligence, so it does not face further requirements. Likewise, a public company, whose records are already in the public domain and whose financial activities are already monitored, need not face full due diligence requirements.
Enhanced Due Diligence
On the other hand, there are types of activities or account holders that require extra scrutiny. If an account type or account owner has a higher risk of money laundering or terrorist funding, then it’s subject to enhanced due diligence (EDD).
For example, most jurisdictions require PEPs to go through the EDD process. Other factors that might trigger EDD are high transaction value accounts, accounts that deal with high-risk countries, or accounts that deal with high-risk activities.
In the end, while some EDD factors are specifically enshrined in a country’s legislation, it’s up to a financial institution to determine its risk and take measures to ensure that it is not dealing with bad customers.
As always, CDD laws are subject to change. As of July 2016, FinCEN (US Treasury Financial Crimes Enforcement Network) requires due diligence on the beneficial owner of the account:
Covered financial institutions must collect from the legal entity customer the name, date of birth, address, and social security number or other government identification number (passport number or other similar information in the case of foreign persons) for individuals who own 25% or more of the equity interest of the legal entity (if any), and an individual with significant responsibility to control/manage the legal entity at the time a new account is opened.
In August 2016, the European Commission amended their due diligence requirements in AMLD 4.1:
The due diligence requirements are now more stringent. There are fewer scenarios where SDD (Simplified Due Diligence) for eMoney is allowable. There are more situations where CDD (Customer Due Diligence) needs to be redone. And there has been an expansion of the definition of high risk, wherein enhanced due diligence is necessary (including remote transactions).
“Trulioo is all about simplifying the complexities of identity verification”, said Kim Hong, VP of Marketing at Trulioo. “We take great pride in keeping you up-to-date on the latest regulations, technologies and best practices to help you fulfill your compliance requirements, lower your risk of fraud, and improve your customer experience.”