One of the most important tools to have in your operational AML toolkit is a customer due diligence program.
The origin of Customer Due Diligence Requirements
You might have already guessed, quite correctly, that the requirement to have a customer due diligence program originates from the FATF. One of its recommendations says that financial institutions, in particular, should be required to undertake customer due diligence. Now, depending on the jurisdiction you are in, the requirement to conduct proper customer due diligence might not be limited to financial institutions, but extended to a variety of businesses, organizations, and professionals.
The Customer Lifecycle
First of all, let us establish when customer due diligence should be conducted. As a reference for this, imagine the typical lifecycle a customer goes through when doing regular business with you.
A typical customer relationship might start in a very non-binding way, where you’re just having exploratory talks with a prospective customer, explaining your product or service offering.
If you’re successfully meeting the needs of this prospective customer, he will want to become an actual customer of yours eventually.
Right at the moment when the prospective customer is about to become an actual customer of yours, when you’re signing the contract, making the agreement, or the like, is the first time to conduct customer due diligence.
6 Elements of the Customer Due Diligence Program
There are several measures that you want to undertake at that moment as part of your customer due diligence program.
The first thing is to identify the customer. This can be as basic as figuring out the first and last name.
Most of the time, you will also want to verify the customer’s identity using reliable, independent source documents, data or information. For individuals, you could, for example, verify the ID card or a passport.
In case the customer is a legal entity or the individual acts on behalf of another person, you will also want to identify the beneficial owner and take reasonable measures to verify the identity of the beneficial owner. Particularly for legal persons and arrangements, this should include financial institutions understanding the ownership and control structure of the customer.
The identification and verification of the customer’s or beneficial owner’s identity is an incredibly crucial part of every CDD program. This simple-sounding concept is called Know Your Customer, or KYC. In recent years, there has been special attention and anxiety in organizations around KYC. The reason is that regulators and law-enforcement agencies have paid particular attention to enforcing the related AML regulation, and there have been hefty fines around it. For example, 12 of the world’s top 50 banks were fined for AML non-compliance in 2019, in many cases including KYC violations. Customers were oftentimes not identified at all or not identified appropriately.
If you think about it, this makes perfect sense from an AML enforcement perspective. One of the main purposes of AML regulation is to avoid financial crimes and money laundering itself. But if organizations make mistakes in identifying their customers, who might potentially be involved in crimes, there is only a limited chance to prosecute the criminals.
3) Nature of Relationship
The next thing you want to understand as part of your customer due diligence program, if not already evident, is the purpose and intended nature of the business relationship. What does the customer want from you or want to achieve with you, and what are the products or services that you offer the customer to achieve those objectives?
4) Additional Information
The information you ask for from the customer might also include things such as the customer’s location, the occupation in the case of an individual, the types of business dealings they want to do with you, payment methods, geographical regions, the industry they operate in, and potentially some more. As you see from this brief list, the information that you want can be quite different. Some items apply to individuals, others apply to legal entities.
You should make sure to document this information correctly. Ideally, you have an IT system in place that supports this. This might, by the way, also help you later on in terms of the customer relationship. The more you know about a customer, the better you can serve them. So, the value in getting and documenting all this information is not limited to complying with regulatory requirements; you also have the opportunity to generate future business with it.
6) AML Risk Scoring
Now that you have all the information at hand, it’s time to figure out what potential money laundering risk this new customer poses to your organisation. For this risk scoring, there are many dedicated risk scoring engines available that factor in multiple pieces of information. For example, these engines might perform automated searches in databases, news outlets, and criminal records. They will also factor in the products and services the customer wants to use, the geographical region, and many more. This really is sophisticated risk modelling that takes place here. In the end, you will get a risk score for the customer. Let’s assume you have a three-part risk methodology.
Application of Customer Due Diligence according to the AML Risk Scoring
If the customer has a low risk of potential money laundering, you might be able to apply simplified customer due diligence. For a normal or moderate risk profile, you typically apply the regular customer due diligence. For a high risk, you typically apply enhanced due diligence. These different forms of customer due diligence differ in terms of the requirements that the organization needs to fulfil. Naturally, simplified customer due diligence requires fewer measures than enhanced due diligence. There is one particular factor that drives the potential money laundering risk right to high risk and therefore to enhanced due diligence. This is the so-called PEP status. Later on in this book, you will find a dedicated chapter on these PEPs.
But wait a moment. We apply customer due diligence to know what customer due diligence we have to apply? Well, yes indeed. This is in the light of the continuing customer life cycle. So now that the prospective customer has become your customer, you need to conduct ongoing customer due diligence throughout the time the customer stays your customer.
The reason is to ensure that the activities being conducted are consistent with the organization’s knowledge of the customer, their business and risk profile, including, where necessary, the source of funds.
We will find elements of this ongoing customer due diligence later on in this book, namely by means of AML screening and the monitoring of activities and transactions.
Ongoing Due Diligence
Another thing to mention here is that, after a certain period of time, you would typically re-engage with your customer and validate the information you initially collected. This correlates again with the initial risk scoring of your customer. For low-risk customers, you would typically do this every 3 to 5 years, for medium-risk customers every 2 to 3 years, and for high-risk customers every year. Again, this might differ from one jurisdiction to another or from one industry to another.