Client due diligence (CDD) is a critical step required of any business that is affected by KYC and AML regulations. Depending on various factors like customer risk profile (for instance, if they are politically exposed), jurisdiction, or type of transaction, there are different types of CDD ranging from simplified CDD to enhanced due diligence (EDD) that will be applicable.
What is CDD (client due diligence)?
Customer due diligence is a process used by financial institutions and other regulated entities to assess and understand their customers, including their identity, financial activities, and the risk they pose in terms of money laundering and other illicit activities.
CDD involves collecting and verifying information about customers to assess the risk they pose in terms of money laundering. This process typically includes:
- Customer identification: Verifying the identity of the customer through reliable and independent documents, data, or information
- Understanding the purpose and nature of the business relationship: Determining the nature of the customer’s business and the expected activity to assess whether they are consistent with the institution’s knowledge of the customer
- Ongoing monitoring: Keeping customer information up-to-date and conducting periodic reviews of the customer’s risk profile and transactions
- Enhanced due diligence (EDD): Conducting additional scrutiny for higher-risk customers, which may involve obtaining additional information and monitoring risk profiles more closely
CDD is crucial for financial institutions and other regulated entities to comply with AML regulations and to prevent their services from being used for illicit purposes. It helps in creating a risk profile for each customer and enables firms to tailor their AML efforts based on the level of risk posed by the customer.
When must CDD measures be applied?
Customer Due Diligence (CDD) measures must be applied at various stages of a business relationship or when certain transactions occur. The specific requirements can vary by jurisdiction, but generally, financial institutions and regulated entities are expected to implement CDD in the following situations:
- At the point of customer onboarding: CDD measures should be applied when establishing a new business relationship with a customer. This involves collecting and verifying customer identity information and understanding the nature and purpose of the relationship.
- Occasional transactions: CDD measures may be required for certain occasional transactions, especially if they are large or unusual to ensure your firm has a clear understanding of the transaction and the parties involved.
- Doubt about customer information: If there is a reasonable doubt about the veracity or adequacy of previously obtained customer identification information, additional CDD measures should be applied.
- Change in risk profile: If there is a significant change in the customer’s risk profile or the nature of the business relationship, enhanced or updated CDD measures may be necessary.
- Complex or unusual transactions: CDD measures should be applied for complex, unusually large transactions, or transactions that have no apparent economic or visible lawful purpose.
- Politically Exposed Persons (PEPs): Financial institutions often need to apply enhanced due diligence measures for customers who are identified as Politically Exposed Persons (PEPs) due to the higher risk associated with such individuals.
- High-risk countries: For customers from or transactions involving high-risk jurisdictions (such as those on the FATF’s black or grey lists), additional CDD measures may be required.
What is continuous client due diligence?
Customers, and clients of all types, often undergo changes to their personal and professional circumstances, over a period of time – that’s just life and human nature. The task of CDD programmes is to establish that any of these identified changes in status, behaviour and anything else relevant to your relationship with them, are innocent and relevant to their circumstances. Maybe they got married and changed their name; maybe they lost their phone and had to get a new number; or maybe they changed their bank because they were offered a better deal? Any of these changes, and many more besides, are most likely to be innocent, but they all need to be fact-checked to establish their veracity.
This part of the process is often referred to as monitoring and remediation. Monitoring is the process of establishing that something relevant to their circumstances and your business with them has changed, and ideally flagging whether the change is innocent or suspicious. Remediation is the process of investigating any suspicious changes, establishing the facts and categorising them. Often, bulk remediation projects such as, reviewing your entire database for PEPs, (Politically Exposed Persons) or Sanctions if a new sanctions list is published. An example of this has been the various sanctions against Russian entities throughout 2022.
If the changes are found to be innocent and bona fide, the customer record can be flagged as such and allowed to remain in the database. If investigations turn up suspicious or fraudulent activity, then it’s likely that you can no longer do business with them and their details will need to be referred to the relevant criminal and/or regulatory bodies, normally under a SAR (Suspicious Activity Report).
Why is ongoing CDD so important?
By not carrying out monitoring and remediation, through an ongoing CDD programme, regulated entities can be put at risk in a number of ways:
- Regulatory scrutiny: As a regulated entity, you will be subject to scrutiny by your regulator(s), who will look at your processes, your data and your actions. For companies who have strong onboarding, monitoring and remediation practices in place, with a track record of identifying and managing any suspicious activity, these checks will be easily managed. For those with less efficient processes, and who may have faced issues with data irregularities in the past, much more in-depth scrutiny is likely to take place, potentially causing business disruption and tying up valuable resources in areas already under pressure.
- Sanctions and/or fines: If a regulator finds evidence of sloppy practices, or suspicious records that haven’t been identified, they have the power to issue sanctions and fines. In extreme cases, the regulator has the power to shut a business down, temporarily at least, if it is felt that criminal activity has taken place and the company is at fault for not identifying it. They can also impose fines on both the company and individual company officers, and even prosecute those officers if it is felt that serious negligence has taken place.
- Business continuity: If criminal activity goes undetected for any length of time, serious harm can be done to a company’s finances. In extreme cases, this financial harm can put a company’s operational capabilities at risk.
- Reputational standing: Companies who become known for receiving sanctions and fines, for misdemeanours or serious errors in process, are at risk of having their professional and public reputations called into question. In a retail or interpersonal environment, this can lead to serious reductions in customers wishing to do business with them.
These are just some of the risks that companies take when they do not have robust and ongoing processes in place, designed to combat fraud and other criminal financial activity.
How do I achieve client due diligence monitoring?
All regulated entities, despite seeing the need (both professional and moral) for ongoing CDD, look at the cost implications of the various options open to them, to find a solution that will fit their preferred short term spend limit levels. On the face of it, this is good corporate practice, but, in reality, it is a short-sighted approach to what is a critical part of their corporate functionality. Short-changing the CDD process, with a mixture of manual, partly manual and automated processes, is a trade-off against potential errors and criminal infiltration, with consequent levels of fines and sanctions.
To achieve ongoing CDD, you need firstly to have an efficient and effective KYC/KYB onboarding process, to ensure that new customers and clients are who they say they are. You then need a monitoring process, to ensure that this data is kept up-to-date and clean, and flagging any records that have suspicious activity or changes. And, finally, you need some form of remediation process – because there is no point in identifying suspicious records and then not doing anything about them.
Automated client due diligence solutions
In an ideal world, these three parts of the end-to-end process should be aligned, and automated. Using manual or partly manual systems introduces human intervention at a time when automation can best cope with the intricacies and volumes of data involved. Human intervention is necessary at certain points, but only to analyse output and to take the necessary action to investigate and rectify situations.
In this world of Big Data, the number of records that need checking, analysing and managing rises exponentially from what it may have been 15-20 years ago, and human resources teams are rarely able to cope effectively with the rigours required for the process. Automated, end-to-end systems guard against expensive errors and deliver not only analysis and reporting, but also clearly defined audit trails that serve to satisfy the keenest regulator.
AI and Machine Learning, can deliver far more accurate results in a much smaller time frame. In this ‘always on’ society, customers expect instant gratification and have no time for companies who say that they will have to wait for days for results. Automated systems provide the benefit of Remote Verification, shortening the delays that can happen with manual interventions.
Fully automated software systems are most certainly very cost-efficient for companies dealing with a high volume of customers and requiring a wide range of personal checks. Automated systems will also deliver their results very quickly, reducing your onboarding time and increasing the satisfaction levels of your customer base. And happy customers equate to profitable customers, especially where there is potential for up-selling and cross-selling.
Last updated: Thursday 16th November 2023