Enhanced Due Diligence Procedures for High-Risk Customers
For any financial institution, customer due diligence (CDD) is par for the course; you need to take steps to Know Your Customer (KYC) to comply with Anti-Money Laundering (AML) laws, as well as protect yourself from bad actors and fraud. What are effective enhanced due diligence procedures you can use to minimize risk and maintain effective compliance standards when onboarding high-risk customers?
Risk management procedures often differentiate based on a customer’s risk profile. It starts by taking steps to ensure you know who you are dealing with, understanding their activities and assessing their risk of money laundering.
A proper customer identification program (CIP) — whether it’s an individual or business — is the starting point. After all, if you don’t know who you are dealing with, how can you vet them? Gathering fundamental identifying information and validating that information is the first step to CDD compliance and reducing risk.
After that, you need to determine what is normal and expected activity for that prospective account holder. These determinations might be based on a customer classification system that you have put in place or on the type of account; either way, with a risk-based approach, clearly defined policies make it easier for staff to implement analysis and for compliance staff to report to regulators, if necessary.
Enhanced Due Diligence Factors
In a guest post on KYC due diligence best practices, Michael Volkov notes that factors to consider in deciding if a potential account requires enhanced due diligence (EDD) include:
- Location of the business
- Occupation or nature of business
- Purpose of the business transactions
- Expected pattern of activity in terms of transaction types, dollar volume, and frequency
- Expected origination of payments and method of payment
- Articles of incorporation, partnership agreements and business certificates
- Understanding of the customer’s customers
- Identification of beneficial owners of an account or customer
- Details of other personal and business relationships the customer maintains
- Approximate salary or annual sales
- AML policies and procedures in place
- Third-party documentation
- Local market reputation through review of media sources
In many cases, there are explicit legal specifications that automatically call for EDD. For example, in Europe under Article 18 of 4AMLD, any business located in a country on the High-Risk Third Countries list requires EDD. Similarly, any Politically Exposed Persons (PEPs), or their close associates or family members, must also go through the more thorough examination process.
Industries that have a higher risk of money laundering, such as gambling, often have EDD requirements. Many jurisdictions have threshold limits for transaction amounts that, if exceeded, trigger EDD. Certain relationships, such as with shell banks, also call for EDD; there are many other situations where local regulations for EDD come into play, so knowing the exact details of your jurisdiction is prudent.
Enhanced Due Diligence Measures
So, what do you do when you get a client that requires EDD? Of course, you could just deny their business. Many institutions have implemented such de-risking strategies, but that turns away many legitimate businesses, resulting in a loss of opportunity and revenue.
In general, the FATF recommends a risk-based approach: “the amount and type of information obtained, and the extent to which this information is verified, must be increased where the risk associated with the business relationship is higher.” With this approach, blanket rejections aren’t necessary as your procedures adapt to the situation.
There are other advantages of the risk-based approach; it’s adaptable to the size and strengths of your institution; it considers the customer and their associated risk from a holistic view; and it’s flexible as conditions, technology and other factors change.
Some EDD practical steps, suggested by the FATF, include:
- Obtaining additional identifying information from a wider variety or more robust sources and using the information to inform the individual customer risk assessment
- Carrying out additional searches (e.g., verifiable adverse media searches) to inform the individual customer risk assessment
- Commissioning an intelligence report on the customer or beneficial owner to understand better the risk that the customer or beneficial owner may be involved in criminal activity
- Verifying the source of funds or wealth involved in the business relationship to be satisfied that they do not constitute the proceeds from crime
- Seeking additional information from the customer about the purpose and intended nature of the business relationship
Of course, it’s not good enough to run checks once and be done with it; a risk-based monitoring strategy that catches suspicious activity or changes in the risk profile is another FATF recommendation: “Enhanced monitoring should be required for higher risk situations, while banks may decide to reduce the frequency and intensity of monitoring where the risks are lower.”
Beneficial Ownership EDD Requirements
Increasingly, the requirement to check the Ultimate Beneficial Ownership (UBO) structure is becoming an EDD requirement. To the extent an account holder engages in international transactions, financial institutions need to know the beneficial owners of the account holder in order to comply with OFAC (Office of Foreign Assets Control) sanctions requirements or to conduct meaningful due diligence of the account.
From an FCPA (Foreign Corrupt Practices Act) perspective, a company has to identify the beneficial owners of its third party intermediaries. A company cannot satisfy its compliance programs by simply checking the name of a private company in its database without checking the beneficial owners, officers and directors of the same company.
In Europe, 4AMLD states “Member States should therefore ensure that entities incorporated within their territory in accordance with national law obtain and hold adequate, accurate and current information on their beneficial ownership, in addition to basic information such as the company name and address and proof of incorporation and legal ownership.”
In the US, similar beneficial ownership disclosures are a part of the upcoming FinCEN Customer Due Diligence Final Rule, taking effect May 11, 2018. According to FinCEN Guidance FIN-2016-G003, “the CDD Rule outlines explicit customer due diligence requirements and imposes a new requirement for these financial institutions to identify and verify the identity of beneficial owners of legal entity customers, subject to certain exclusions and exemptions.”
Beneficial Ownership Procedures
Previously, verifying a business entity was a low-tech and cumbersome process for both the financial institution and business entity. Business entities were required to submit official documentation to the financial institution, which was accepted as the record of authority for the business.
For business entities that required additional due diligence based on the risk assessment performed, financial institutions would then carry out additional analyses, such as ordering official company documents from the official registry to verify accountholder-submitted information; identifying the ultimate beneficial owner(s); and performing a KYC check on each individual ultimate beneficial owner.
Now, using Trulioo’s Business Verification service, Ultimate Beneficial Ownership and structure are identified using Artificial Intelligence (AI), Natural Language Processing (NLP) and Optical Character Recognition (OCR). The implementation of these technologies provides the ability to locate, decipher and extract shareholder information contained in official company documents purchased in real-time from government registers. This enables organisations to determine natural persons who have an ownership or a management stake.
Note, it’s not enough to determine the UBO; EDD requirements state that you must check the individuals themselves. For example, under the Final Rule, “you are required to conduct OFAC scans on the beneficial owners and take appropriate action on the legal entity if you get a hit.” That’s where the identity verification processes of Trulioo’s GlobalGateway kick in, as running AML checks is integrated into the Business Verification workflow.
The Need for EDD
Expanding EDD requirements is becoming more and more the norm. While the scope and details for these due diligence procedures are expanding, the technologies to handle them are becoming more capable. There are solutions to handle the risk, maintain compliance and grow your business. It’s a matter of investigating and integrating new processes that serve your business, clients and regulators, keeping everyone on track.