What Is CDD And KYC? For any organization, especially for organizations and financial institutions, one of the first analyses is to determine if you can trust a potential client. It would be best if you made sure a potential customer is trustworthy.
You might have already guessed quite correctly that having a customer due diligence program originates from the FATF. In one of their recommendations, they say that, in particular, financial institutions should be required to undertake customer due diligence.
Now, depending on the jurisdiction where you are living, the requirement to conduct proper customer due diligence might not only be limited to financial institutions, but extending to a variety of businesses, organizations, and professionals.
What Is CDD And KYC?
KYC (or know your customer) checks are background checks that should be conducted as part of your risk-based strategy. The KYC process entails verifying the customer’s identity with documents such as photographic ID, proof of date of birth, and proof of address. This can be done manually with physical documentation, but doing it electronically with data sourced online is faster and more reliable.
Customer due diligence, or CDD, is a longer process that continues after a customer has been onboarded and includes checks such as sanctions and PEP screenings to continuously assess the risk that a customer poses to a business.
KYC and CDD are both critical components of AML compliance. Regulated firms must identify and verify anyone with whom they work to avoid unknowingly becoming involved with a business or individual with a history of financial crime or sanctions.
Customer Due Diligence Program
So, let’s look at customer diligence programs in a bit more detail.
First of all, let us establish when customer due diligence should be conducted. As a reference for this, image the typical lifecycle a customer goes through when doing regular business with you.
A typical customer relationship might start very non-binding, where you’re just having explores with a prospective customer, explaining your product or service offering. Suppose you’re successfully meeting the needs of this prospective customer. In that case, he will want to become an actual customer of yours eventually. Right at the moment when the prospective customer is about to become an actual customer of yours when you are signing the contract, agree, or whatsoever, is the first time to conduct customer due diligence.
You want to undertake several measures at that moment as part of your customer due diligence program.
- Identification: The first thing is to identify the customer. This can be as basic as figuring out the first and last name.
- Verification: Most of the time, you will also want to verify the customer’s identity using reliable, independent source documents, data, or information. For individuals, you could, for example, verify the ID card or a passport.
- In case the customer is a legal entity or the individual acts on behalf of another person, you will also want to identify the beneficial owner and take reasonable measures to verify the beneficial owner’s identity. This should include financial institutions understanding the customer’s ownership and control structure, particularly for legal persons and arrangements.
- Identifying and verifying the customer’s or beneficial owner’s identity is an incredibly crucial thing for every CDD program. This simple-sounding concept is called Know Your Customer or KYC. In recent years there has been special attention and anxiety in organizations around KYC. This is because there has been particular attention of regulators and law-enforcement agencies on enforcing the related AML regulation – and there have been hefty fines around it. For example, 12 of the world’s top 50 banks were fined for non-compliance with AML violations in 2019 – many of them including KYC violations. Customers were frequently not at all or not appropriately identified.
If you think about it, this makes perfect sense from an AML enforcement perspective. One of the main purposes of AML regulation is to avoid financial crimes and money laundering itself. But suppose organizations make mistakes in identifying their customers, which might potentially be involved in crimes. In that case, there is only a limited chance to prosecute the criminals.
- Nature of Relationship: The next thing you want to understand as part of your customer due diligence program, if not already evident, is the purpose and intended nature of the business relationship. What does the customer want from your or achieve with you and the products or service you offer to achieve the objectives.
- Additional Information: The information you ask for from the customer might also include things such as the customer’s location, the occupation in case of an individual, the types of business dealings they want to do with you, payments methods, geographical regions, the industry they operate in, and potentially some more. As you see from this brief list, the information that you want can be quite different. Some apply to individuals; others apply to legal entities.
- Documentation: You should make sure to document this information correctly. Ideally, you have an IT system in place that supports this. This might, by the way, also help you later on in terms of the customer relationship. The more you know about a customer, the better you can serve them. So, the value in getting and documenting all this information is not limited to complying with regulatory requirements. Still, you do have the opportunity to generate future business with it.
- AML Risk Scoring: Now that you have all the information at hand, it’s time to figure out what potential money laundering risk this new customer imposes on your organization. For this risk scoring, there are many dedicated risk scoring engines available that factor in multiple information. For example, these engines might perform automated searches in databases, news outlets, and criminal records. They will also factor in the products and services the customer wants to use, the geographical region, and many more. This is a sophisticated risk modeling that takes place here. At the bottom line, you will then get a risk score for the customer. Let’s assume you have a three-part risk methodology.
Suppose the customer has a low risk of potential money laundering. In that case, you might be able to apply simplified customer due diligence. For a normal or moderate risk profile, you typically apply regular customer due diligence. For high risk, you typically apply enhanced due diligence. These different forms of customer due diligence differ in their requirements that the organizations need to fulfill. Simplified customer due diligence requires fewer measures than enhanced due diligence. One particular factor drives that potential money laundering risk right to high risk and, therefore, enhanced due diligence. This is the so-called PEP status.
But wait a moment. We apply customer due diligence to know what customer due diligence we have to apply? Well, yes indeed. This is in the light of the continuing customer life cycle. Now that the prospective customer has become your customer, you need to conduct ongoing customer due diligence throughout the time the customer stays your customer.
This is because the activities being conducted are consistent with the organization’s knowledge of the customer, their business, and risk profile, including, where necessary, the source of funds.
Another thing to mention here is after a certain period of the type; you would typically re-engage with your customer and validate the information you have initially collected. This correlates again with the initial risk scoring of your customer. For low-risk customers, you would typically do this every 3 to 5 years. You would typically do this every 2 to 3 years for medium-risk customers. For high-risk customers, you would typically do this every year. Again, this might differ from one jurisdiction to another or from one industry to another.
What Is The Difference Between KYC and CDD?
There are some similarities between KYC and CDD. The first enables the company to create a risk profile for a customer by retrieving its data prior to beginning a business relationship. The CDD, on the other hand, states whether the information provided by them is correct or incorrect. It also necessitates background and ultimate utility ownership checks. Previous KYC controls for regulated entities have now evolved into CDD programs.
Apart from the emphasis on financing, the main difference between KYC and CDD is that CDD controls are carried out in a process, and communication with the customer continues. Furthermore, it provides a framework for continuous assurance, which is especially useful for organizations that handle a high volume of day-to-day transactions, such as banks and real estate.
They employ sophisticated software designed to monitor fund movements and detect suspicious situations or “red flags.” As a result, it maintains the good work done with KYC from the beginning to the end of the customer relationship and stakeholder activity and has always provided assurance that the organization’s systems are not used to launder criminal proceeds.
Customer Due Diligence is a subtype of “Know Your Customer.” KYC assists CDD in validating customer information. Transactions for previous KYC procedures have now been converted into CDD transactions.
Know Your Customer (KYC) is a risk-identification and risk-prevention procedure used by financial institutions that provide financial services to existing and new customers. The KYC checklist’s control processes ensure that the business has the necessary information about the customer to open an account and that the customer’s risk level is determined.