Customer Due Diligence
Customer Due Diligence – Key Takeaways
- CDD is a mandatory AML obligation that requires organisations to verify the identity of prospective customers before establishing a business relationship with them.
- It helps entities prevent money laundering, terrorist financing and proliferation financing (ML/TF and PF) risks and meet the regulatory requirements needed to remain compliant.
- CDD is a cornerstone of risk-based AML controls: it verifies the customer’s identity, assesses the risks associated with the customer, and supports effective mitigation measures.
What is Customer Due Diligence?
Customer Due Diligence (CDD) is a regulatory requirement under the AML/CFT compliance program, which requires organisations to verify the identity of their prospective customer (natural person or legal entity) before establishing a business relationship.
This verification process involves collecting valid ID documents from the customer, such as passports, visas, proof of address and trade licences. CDD also includes identifying and verifying the beneficial owners of legal entity customers. CDD helps businesses assess ML/TF or PF risks, assign a risk rating and develop customer risk profiles so that effective controls can be applied.
The Financial Action Task Force (FATF), FinCEN and the EU AMLD require regulated entities to undertake CDD measures to combat ML/TF or PF risks. This includes adopting a risk-based approach, verifying beneficial ownership and conducting ongoing due diligence.
Since customers carry different risk ratings, CDD is applied proportionately. Simplified Due Diligence (SDD) applies to low-risk customers with reduced measures, standard Customer Due Diligence (CDD) applies to medium-risk customers with baseline verification, and Enhanced Due Diligence (EDD) applies to high-risk customers and requires Source of Funds (SoF) and Source of Wealth (SoW) verification.
Customer Due Diligence Risk Typologies and Common Abuse Scenarios
Weak CDD measures leave businesses vulnerable to ML/TF or PF risks. Criminals attempt to exploit gaps in compliance and bypass KYC checks by using synthetic identities and complex structures. This lets them obscure the origin of funds, enabling money laundering, sanctions evasion and fraud.
Politically exposed persons (PEPs) in influential positions, non-resident customers whose source of funds is difficult to trace, and complex ownership structures that hide the true owners pose a high risk of ML/TF activity.
Criminals commonly use shell companies, front persons and nominee arrangements, including bearer shares, to hide their real identities and obscure the source of funds. Failing to comply with CDD requirements may expose organisations to hefty administrative penalties and reputational damage.
Red Flags and Indicators Identified Through Customer Due Diligence
The following red flags indicate possible ML/TF activity:
- Customers’ reluctance to provide documents when asked during the KYC process, and inconsistencies in the documents provided.
- Inconsistencies in identity data, beneficial ownership disclosures, or explanations of the source of funds.
- An entity with unreasonably complex structures and unusual transaction patterns.
- Customers delaying, or showing reluctance, when asked to provide updated KYC information.
- Anomalies in transaction patterns, unexplained transactions involving high-risk jurisdictions, and the involvement of unrelated third parties.
When the above red flags are identified, entities must perform Enhanced Due Diligence (EDD) to mitigate ML/TF risks.
Regulatory Expectations and Best Practices for Customer Due Diligence
FATF, under its Recommendation 10, has outlined the core requirements for Customer Due Diligence (CDD) and Know Your Customer (KYC), such as verifying the customer’s identity, identifying the beneficial owner and conducting ongoing monitoring.
Jurisdictions such as the European Union, the USA and the UK have their own CDD regulations, each requiring risk-based customer assessment.
Recordkeeping is required in every jurisdiction, although the retention periods vary. It helps entities demonstrate compliance when regulatory authorities carry out audits or inspections.
Overall, CDD is a risk-based compliance measure: it helps entities mitigate potential ML/TF or PF risks without disrupting business operations.
How Citadel365 Transforms Customer Due Diligence Workflows
Citadel365 automates the CDD process and makes customer onboarding seamless through its advanced tech-driven AML solutions, and helps assess customer risk with a dedicated risk scoring mechanism.
From Name Screening to Transaction Monitoring, Citadel365 provides end-to-end CDD solutions with advanced API-based integration. Its case management feature helps entities organise all customer data efficiently, significantly enhancing data accessibility.
Customer Due Diligence FAQs for AML Professionals
A Customer Identification Program (CIP) requires the full name of the individual or entity, nationality, date of birth (or date of incorporation for an entity), and the current address. For individuals, this information can be taken from government-issued ID documents such as passports, driver’s licences and visas. For entities, certificates of incorporation, trade licences, and the memorandum and articles of association (MoA and AoA) can be relied upon.
Regulated entities must refresh CDD whenever there is a change in the customer’s risk profile, beneficial ownership, or business activity.
CDD escalates to EDD when the customer’s risk rating changes from low or medium to high due to factors such as a change in PEP status or the expansion of business operations into high-risk jurisdictions.
Technology significantly enhances the effectiveness of CDD by automating compliance processes, minimising human error and reducing compliance teams’ workload.
Inadequate CDD or AML onboarding checks can affect business operations, with consequences ranging from financial losses to severe enforcement actions, including administrative penalties and reputational damage.