The dictionary definition of due diligence is descriptive, referring to the research and analysis of a company or organization in preparation for a business transaction. However, as with any simple definition, reducing an understanding of due diligence to a few words of description paints an incomplete picture of its significance in a business transaction.
Most of us base our day-to-day consumer decisions (purchasing goods or engaging services, trying a new restaurant, downloading a smartphone app, buying the latest high-definition television, hiring a lawyer) on informal due diligence processes. Though we rarely think of it this way, we routinely perform various types of due diligence (legal, financial, technology, personal, and environmental), depending on the products and services we consider buying for ourselves.
Simplified Due Diligence, Regular Due Diligence, and Enhanced Due Diligence
These examples of due diligence in our everyday lives suggest that the essence of due diligence is educating ourselves adequately before buying a product or engaging the services of a third party. In our specific case, we will talk about customer due diligence in establishing business relations because such a type of due diligence is a regular activity for compliance officers in financial and non-financial institutions.
Simplified Due Diligence
Customer due diligence consists of basic background checks of the potential customer, client, or entity. Usually, this is the minimum investigative process that satisfies the regulations, which can differ from institution to institution depending upon the risk factor.
Adequate due diligence on new and existing customers is crucial for compliance risk management. Without this due diligence, companies and financial institutions can become subject to reputational, operational, legal, and concentration risks, resulting in high financial costs.
Essential due diligence is based on companies’ risk management and control procedures. It should be connected to such crucial elements as:
- Customer acceptance policy,
- Customer identification,
- On-going monitoring of high-risk accounts, and
- Risk management.
In the case of customer identification, the compliance officer should pay attention not only to the procedure of establishing customer identity but also to monitoring the customer's activity, in order to determine those red flags that do not conform with the usual or expected behavior for that customer or type of activity.
The minimum responsibilities of any company or financial institution regarding a Customer Identification Program or CIP are as follows:
- Verify, to a reasonable extent, the identity of any person seeking to establish business relationships.
- Maintain records of the information used to verify a person’s identity.
- Maintain a description of the type of information it will obtain from the customer.
- Have procedures for verifying the identity of those customers to the extent that is reasonable and practicable and within a reasonable time before or after establishing business relationships.
- Have procedures for making and maintaining records related to the CIP.
- Have procedures for determining whether the prospective customer appears on any government list of known or suspected terrorists or terrorist organizations.
- Have procedures for providing notice to customers before establishing business relationships that additional information may be necessary to verify their identity.
- Have procedures detailing the institution’s actions when it cannot adequately verify the prospective customer’s identity.
- Consult government lists of known or suspected terrorists or terrorist organizations.
Essential documents for identifying individuals should contain the following information:
- Date of birth
- Place of birth
- Actual address
- Identification number (for example, a taxpayer identification number, passport number, country of issuance, alien identification card number, or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard, etc.)
Each institution should have written procedures that establish the acceptable documents that they will allow for the Customer Identification Program.
Regular Due Diligence
The customer identification process applies naturally at the outset of the relationship. There is a need for companies and financial institutions to undertake regular reviews of existing documents to ensure that records remain up-to-date and relevant. An appropriate time to do so is when a transaction of significance occurs, when customer documentation standards change substantially, or when there is a material change in how the client uses companies’ assets or services.
However, suppose the company or financial institution becomes aware that it lacks sufficient information about an existing customer. In that case, it should ensure that all relevant information is obtained as quickly as possible.
Any institution must develop clear standards on what records must be kept on customer identification, individual transactions, and their retention period. Such a practice is essential to permit a company to monitor its relationship with the customer, understand the customer’s ongoing business, and, if necessary, provide evidence in the event of disputes, legal action, or a financial investigation that could lead to criminal prosecution.
As the starting point and natural follow-up of the identification process, the company should obtain customer identification papers and retain copies for at least five years after closing business relationships. In the case of financial institutions, the compliance officer should make sure that the organization keeps all financial transaction records for at least five years after the financial transaction has taken place.
Finally, regardless of trigger events or a material change in the customer’s information, each activity must be reviewed according to a schedule. The schedule is usually created depending on the risk that the customer poses. For example, a high-risk client should be reviewed annually. It is also good practice to review a medium-risk client every two to three years and a low-risk customer every three to five years.
Enhanced Due Diligence
Enhanced due diligence or EDD means a detailed investigation of the background of a person or entity. It clarifies who the customer is, the purpose of transactions, or the source of funds. EDD measures are performed because the customer may pose a higher risk of money laundering.
Banks that offer private banking services are particularly exposed to reputational risk and should apply enhanced due diligence to such operations. Private banking accounts, which involve a considerable measure of confidentiality, can be opened in the name of an individual, a commercial business, a trust, an intermediary, or a personalized investment company.
The reputational risk may arise in each case if the bank does not diligently follow established Know Your Customer or KYC procedures. Besides the private banking relationship manager, at least one person of appropriate seniority should approve all new clients and accounts. Even if safeguards are put in place internally to protect the confidentiality of private banking customers and their businesses, banks must still ensure that at least equivalent scrutiny and monitoring of these customers and their business can be conducted. For example, they must be open to review by compliance officers and auditors.
The company or financial institution would perform enhanced due diligence as part of its Customer Identification Program in two dimensions:
- Horizontal analysis: a timeline of transactions or client activity, and
- Vertical analysis: a comparison of the customer's activity with that of other similar customers to find regularities.
All findings should be described and grounded on evidence, especially in cases with a high probability of legal actions or criminal charges.
Finally, it is important to remember that the appropriate due diligence procedure depends not only on the goals set by the company but also on the available resources. Therefore, it is essential to record in writing all necessary practices and policies and establish internal and external audits to assess the effectiveness of due diligence procedures.
Simplified Due Diligence is a lower level of customer due diligence performed on a person who poses a low risk of money laundering or terrorist financing. Individuals in Simplified Due Diligence pose a lower risk than customers in Standard Due Diligence and far less risk than customers in Enhanced Due Diligence.