For any organization, and especially for financial institutions, one of the first analyses is to determine whether you can trust a potential client. You need to make sure a potential customer is trustworthy.
What Are CDD And KYC?
You might have already guessed, quite correctly, that the requirement to have a customer due diligence program originates from the FATF. In one of its recommendations, the FATF says that financial institutions in particular should be required to undertake customer due diligence. Depending on the jurisdiction where you are living, the requirement to conduct proper customer due diligence might not be limited to financial institutions, but may extend to a variety of businesses, organizations, and professionals.
Customer Due Diligence (CDD)
So, let’s look at customer due diligence programs in a bit more detail.
First of all, let us establish when customer due diligence should be conducted. As a reference for this, imagine the typical lifecycle a customer goes through when doing regular business with you.
A typical customer relationship might start on a non-binding basis, where you are just having exploratory discussions with a prospective customer and explaining your product or service offering. Suppose you successfully meet the needs of this prospective customer. In that case, he will eventually want to become an actual customer of yours. The moment when the prospective customer is about to become an actual customer, when you are signing the contract, agreement, or similar, is the first time to conduct customer due diligence.
Customer Due Diligence Program
You want to undertake several measures at that moment as part of your customer due diligence program.
- Identification: The first thing is to identify the customer. This can be as basic as figuring out the first and last name.
- Verification: Most of the time, you will also want to verify the customer’s identity using reliable, independent source documents, data, or information. For individuals, you could, for example, verify the ID card or a passport.
- In case the customer is a legal entity or the individual acts on behalf of another person, you will also want to identify the beneficial owner and take reasonable measures to verify the beneficial owner’s identity. This should include financial institutions understanding the customer’s ownership and control structure, particularly for legal persons and arrangements.
- Identifying and verifying the customer’s or beneficial owner’s identity is crucial for every CDD program. This simple-sounding concept is called Know Your Customer, or KYC. In recent years there has been special attention and anxiety in organizations around KYC. This is because regulators and law-enforcement agencies have paid particular attention to enforcing the related AML regulation – and there have been hefty fines around it. For example, 12 of the world’s top 50 banks were fined for non-compliance with AML regulations in 2019 – many of them including KYC violations. Customers were frequently not identified at all or not identified appropriately.
- If you think about it, this makes perfect sense from an AML enforcement perspective. One of the main purposes of AML regulation is to prevent financial crimes and money laundering itself. But suppose organizations make mistakes in identifying their customers, who might potentially be involved in crimes. In that case, there is only a limited chance to prosecute the criminals.
- Nature of Relationship: The next thing you want to understand as part of your customer due diligence program, if not already evident, is the purpose and intended nature of the business relationship. What does the customer want from you, and what do they intend to achieve with the products or services you offer?
- Additional Information: The information you ask for from the customer might also include things such as the customer’s location, the occupation in the case of an individual, the types of business dealings they want to do with you, payment methods, geographical regions, the industry they operate in, and potentially some more. As you see from this brief list, the information that you want can be quite different. Some items apply to individuals; others apply to legal entities.
- Documentation: You should make sure to document this information correctly. Ideally, you have an IT system in place that supports this. This might, by the way, also help you later on in terms of the customer relationship. The more you know about a customer, the better you can serve them. So, the value in getting and documenting all this information is not limited to complying with regulatory requirements; you also have the opportunity to generate future business with it.
- AML Risk Scoring: Now that you have all the information at hand, it’s time to figure out what potential money laundering risk this new customer poses to your organization. For this risk scoring, there are many dedicated risk scoring engines available that factor in multiple pieces of information. For example, these engines might perform automated searches in databases, news outlets, and criminal records. They will also factor in the products and services the customer wants to use, the geographical region, and many more. This is sophisticated risk modeling. As the bottom line, you will then get a risk score for the customer. Let’s assume you have a three-part risk methodology.
Suppose the customer has a low risk of potential money laundering. In that case, you might be able to apply simplified customer due diligence. For a normal or moderate risk profile, you typically apply regular customer due diligence. For high risk, you typically apply enhanced due diligence. Simplified customer due diligence requires fewer measures than enhanced due diligence. One particular factor drives that potential money laundering risk right to high risk and, therefore, enhanced due diligence. This is the so-called PEP status.
But wait a moment. We apply customer due diligence to know what customer due diligence we have to apply? Well, yes indeed. This is in the light of the continuing customer life cycle. Now that the prospective customer has become your customer, you need to conduct ongoing customer due diligence throughout the time the customer stays your customer.
This is to ensure that the activities being conducted are consistent with the organization’s knowledge of the customer, their business, and risk profile, including, where necessary, the source of funds.
Customer Due Diligence Periodicity
Another thing to mention here is that, after a certain period of time, you would typically re-engage with your customer and validate the information you initially collected. This correlates again with the initial risk scoring of your customer. For low-risk customers, you would typically do this every 3 to 5 years. For medium-risk customers, you would typically do this every 2 to 3 years. For high-risk customers, you would typically do this every year. Again, this might differ from one jurisdiction to another or from one industry to another.
Every day, the financial system processes millions of transactions, so it is critical for your company to ‘Know Your Customer.’ KYC, also known as Customer Due Diligence (CDD), collects information about your customers in order to assess the extent of any risk they pose to the company. This does not simply mean bringing a copy of one’s passport to prove one’s identity.
CDD checks entail analyzing the customer lifecycle from onboarding to recognizing key changes over time and conducting regular reviews. Understanding your customer makes good business sense because it allows you to respond to their needs, but it is also a powerful tool in anti-money laundering, preventing terrorist financiers and other criminals from exploiting your organization and the wider financial system.