For any financial institution, Customer Due Diligence (CDD) is par for the course; you need to take steps to Know Your Customer (KYC) to comply with Anti-Money Laundering laws (AML), as well as protect yourself from bad actors and fraud. What effective Enhanced Due Diligence (EDD) procedures can you use to minimize risk and maintain effective compliance standards when onboarding high-risk customers?
Risk management procedures often differentiate based on a customer’s risk profile. It starts by taking steps to ensure you know who you are dealing with, understanding their activities and assessing their risk of money laundering.
A proper Customer Identification Program (CIP) — whether it’s identifying an individual or business — is the starting point. After all, if you don’t know who you are dealing with, how can you vet them? Gathering fundamental identifying information and validating that information is the first step to CDD compliance and reducing risk.
After that, you need to determine what is normal and expected activity for that prospective account holder. These determinations might be based on a customer classification system that you have put in place or on the type of account; either way, with a risk-based approach, clearly defined policies make it easier for staff to implement analysis and for compliance staff to report to regulators, if necessary.
Enhanced Due Diligence factors
In a guest post regarding KYC due diligence best practices, Michael Volkov notes that factors to consider if a potential account requires Enhanced Due Diligence (EDD) include:
- Location of the business
- Occupation or nature of business
- Purpose of the business transactions
- Expected pattern of activity in terms of transaction types, dollar volume and frequency
- Expected origination of payments and method of payment
- Articles of incorporation, partnership agreements and business certificates
- Understanding of the customer’s customers
- Identification of beneficial owners of an account or customer
- Details of other personal and business relationships the customer maintains
- Approximate salary or annual sales
- AML policies and procedures in place
- Third-party documentation
- Local market reputation through review of media sources
In many cases, there are explicit legal specifications that automatically call for EDD. For example, in Europe under Article 18 of 4AMLD, any business located in a country on the High-Risk Third Countries list requires EDD. Similarly, any politically exposed persons (PEPs) or their close associates or family members must also go through the more thorough examination process.
Industries that have a higher risk of money laundering, such as gambling, often have EDD requirements. Many jurisdictions have threshold limits for transaction amounts that, if exceeded, trigger EDD. Certain relationships, such as with shell banks, also call for EDD; there are many other situations where local regulations for EDD come into play, so knowing the exact details of your jurisdiction is prudent.
In other cases, prescriptive rules for EDD are not published by the regulator. Rather, they rely on the regulated entity to have proper risk assessment and control procedures in place. For example, in the U.S., FinCEN notes “a spectrum of risks may be identifiable and due diligence measures may vary on a case-by-case basis.” Therefore, it is up to the institution to have a program “sufficiently detailed to distinguish between significant variations in the risks of its customers.”
Enhanced Due Diligence measures
So, what do you do when you get a client that requires EDD? Of course, you could just deny their business. Many institutions have implemented such de-risking strategies, but that turns away many legitimate businesses, resulting in a loss of opportunity and revenue.
In general, the FATF recommends a risk-based approach: “the amount and type of information obtained, and the extent to which this information is verified, must be increased where the risk associated with the business relationship is higher.” With this approach, blanket rejections aren’t necessary as your procedures adapt to the situation.
There are other advantages of the risk-based approach: it’s adaptable to the size and strengths of your institution; it considers the customer and their associated risk from a holistic view; and it’s flexible as conditions, technology and other factors change.
Some EDD practical steps, suggested by the FATF, include:
- Obtaining additional identifying information from a wider variety or more robust sources and using the information to inform the individual customer risk assessment
- Carrying out additional searches (for example, verifiable adverse media searches) to inform the individual customer risk assessment
- Commissioning an intelligence report on the customer or beneficial owner to understand better the risk that the customer or beneficial owner may be involved in criminal activity
- Verifying the source of funds or wealth involved in the business relationship to be satisfied that they do not constitute the proceeds from crime
- Seeking additional information from the customer about the purpose and intended nature of the business relationship
Of course, it’s not good enough to run checks once and be done with it; a risk-based monitoring strategy that catches suspicious activity or changes in the risk profile is another FATF recommendation: “Enhanced monitoring should be required for higher risk situations, while banks may decide to reduce the frequency and intensity of monitoring where the risks are lower.”
Beneficial ownership EDD requirements
Increasingly, checking the Ultimate Beneficial Ownership (UBO) structure is becoming an EDD requirement. To the extent an account holder engages in international transactions, financial institutions need to know the beneficial owners of the account holder in order to comply with OFAC (Office of Foreign Assets Control) sanctions requirements or to conduct meaningful due diligence of the account.
From an FCPA (Foreign Corrupt Practices Act) perspective, a company has to identify the beneficial owners of its third-party intermediaries. A company cannot satisfy its compliance programs by simply checking the name of a private company in its database without checking the beneficial owners, officers and directors of the same company.
In Europe, 4AMLD states that “Member States should therefore ensure that entities incorporated within their territory in accordance with national law obtain and hold adequate, accurate and current information on their beneficial ownership, in addition to basic information such as the company name and address and proof of incorporation and legal ownership.”
In the U.S., similar beneficial ownership disclosures are a part of the FinCEN Customer Due Diligence Final Rule. According to FinCEN Guidance FIN-2016-G003, “the CDD Rule outlines explicit customer due diligence requirements and imposes a new requirement for these financial institutions to identify and verify the identity of beneficial owners of legal entity customers, subject to certain exclusions and exemptions.”
The FATF, in an analysis of beneficial ownership best practices, noted the issue of tracing UBO information when dealing with foreign ownership or directorship and suggests enhanced measures for these types of entities. In some countries, the “individual/legal person is required to provide a comprehensive set of information, including on the financial standing of the foreign individual/legal person, the ownership and control structure of the foreign legal person, and copies of founding documents and agreements regulating the powers to bind the legal person.”
Beneficial ownership procedures
Previously, verifying a business entity was a low-tech and cumbersome process for both the financial institution and business entity. Business entities were required to submit official documentation to the financial institution, which was accepted as the Record of Authority for the business. For business entities that required additional due diligence based on the risk assessment performed, financial institutions would then carry out additional analyses, such as ordering official company documents from the official registry to verify information submitted by account holders; identifying the Ultimate Beneficial Owners; and performing a KYC check on each individual ultimate beneficial owner.
Now, using the GlobalGateway Business Verification service, Ultimate Beneficial Ownership and structure are identified using artificial intelligence (AI), natural language processing (NLP) and optical character recognition (OCR). These technologies provide the ability to locate, decipher and extract shareholder information contained in official company documents purchased in real time from government registers. This enables organizations to determine natural persons who have an ownership or a management stake.
Note that it’s not enough to determine the UBO — EDD requirements state that you must check the individuals themselves. For example, under the Final Rule, “you are required to conduct OFAC scans on the beneficial owners and take appropriate action on the legal entity if you get a hit.” That’s where the identity verification processes of GlobalGateway kick in, as running AML checks is integrated into the Business Verification workflow.
The need for EDD
Expanding EDD requirements is becoming more and more the norm. While the scope and details for these due diligence procedures are expanding, the technologies to handle them are becoming more capable. There are solutions to handle the risk, maintain compliance and grow your business. It’s a matter of investigating and integrating new processes that serve your business, clients and regulators, keeping everyone on track.
This post was originally published on Dec. 17, 2017 and updated to reflect the latest industry news, trends and insights.