What is KYC and CDD?
Know Your Customer (KYC) and its core concepts form one of the most important AML/CFT requirements. Know Your Customer is part of the Customer Due Diligence (CDD) measures, which enable the organization to know the credentials and background of the prospective customer. Organizations such as financial institutions are required to perform the KYC process before onboarding the customer and to update the KYC at later stages, such as during periodic compliance reviews or investigations.
What is KYC and CDD Process?
The KYC process protects an organization from being used for money laundering or terrorist financing activities, which may be performed by a customer after being onboarded by the organization, such as a financial institution. KYC enables the organization to avoid the risk of onboarding criminals, such as money launderers, or persons associated with criminals in any manner. Onboarding criminals exposes the entity to reputational losses and the imposition of penalties by the regulator. The KYC process is mandatory and is followed when the customer contacts the organization, either physically or through online portals, to open an account or obtain any services.
A customer relationship or business relationship is defined as being formed when two or more parties engage to conduct regular business or to perform a ‘one-off’ transaction. The term ‘business relationship’ applies where a professional, commercial relationship will exist with an expectation by the firm that it will have an element of duration. The application of CDD is required when a firm covered by money laundering regulations ‘enters into a business relationship’ with a customer or a potential customer.
The KYC process is also performed when a customer or walk-in customer conducts a random transaction or an international wire transfer, when there is a suspicion of money laundering, or when there is doubt regarding the accuracy of the previously collected consumer’s identity data or information.
Organizations develop a KYC policy, which is approved by the Board of Directors and implemented down the line for compliance purposes. The KYC policy serves as part of the overall Compliance Program of the organization, the purpose of which is to ensure that the organization takes appropriate measures to prevent the onboarding of unknown customers or persons from any jurisdiction.
The KYC process is usually a detailed process that may use technology to combat financial crimes such as money laundering, fraud, and related scams. KYC procedures help the organization better understand prospective customers and their intentions for opening an account with the organization. KYC regulatory requirements apply to various types of organizations, including banks, money service businesses (MSBs), payment gateways, remittance businesses, real estate agents, dealers of precious stones, etc.
The KYC Regulatory Requirements
The KYC regulatory requirements help in detecting the risk of suspicious intentions and transactions at a very early stage, which may be before actually onboarding the customer and providing the services. KYC is the procedure of identifying customers and verifying that they are who they claim to be. This involves understanding a customer’s identity, financial activity, and the risk which they face.
In the broader sense, the KYC process includes the following:
- Client’s identification using initial documents, provided by the customer.
- Identifying the true beneficial owner of the customer and taking appropriate measures to verify his or her identification. If the beneficial owner is a legal person, trust, company, foundation, or similar legal arrangement, the organization is required to take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation, or similar legal arrangement.
- Understanding the objective of opening the account or establishing the relationship.
Identification and verification of the client and true beneficial owner is part of the Board-approved KYC policy. Identity verification of the prospective customer should be appropriate and reasonable to meet the applicable regulatory requirements. The purpose is to onboard only identified and verified customers. Verification of the information of the customer is also performed through utilizing the information from independent sources such as media news, websites, and other readily available public information.
Customer Due Diligence (CDD)
Customer Due Diligence or CDD is a process performed by the organization to obtain the facts about a customer that should enable the organization to assess the extent to which the customer exposes it to a range of risks. These risks include money laundering and terrorist financing risks. Due diligence aims to identify and verify prospective customers before onboarding them or establishing business relationships.
Organizations need to know their customers for several reasons, which are mentioned as follows:
- To comply with the requirements of relevant AML/KYC legislation and regulations.
- To be reasonably certain that the customers are who they say they are, and that it is appropriate to provide them with the products or services requested.
- To guard against fraud, including impersonation and identity fraud.
- To help the organization identify, during a continuing relationship, what is unusual, and to enable the unusual to be examined.
- To enable the organization to assist law enforcement, by providing available information on customers being investigated following the making of a suspicion report to the financial intelligence unit (FIU).
Knowing a customer enables the organization to proactively satisfy the legitimate needs of honest customers, and good compliance also equates to good business. A prohibition on setting up anonymous accounts or relationships is the baseline for the international CDD and KYC standards, with many jurisdictions prohibiting the provision of unverified accounts, or accounts for shell banks.
The Fourth European Union Directive on Money Laundering (4MLD) requires that CDD measures should be applied on a risk-sensitive basis, depending on the type of customer, business relationship, or nature of the transaction or activity. Organizations must, however, be able to demonstrate to the supervising authorities that the extent of the measures is appropriate to the perceived risks of money laundering, and terrorist financing. In line with the Financial Action Task Force (FATF) requirements, the 4MLD outlines the four parts of CDD, including an explicit requirement for ‘ongoing monitoring’.
The organization must apply the customer due diligence measures if the person:
- Establishes a business relationship.
- Carries out an occasional or significant transaction that amounts to a transfer of funds exceeding 1,000 dollars.
- Suspects money laundering or terrorist financing.
- Doubts the veracity or adequacy of documents or information previously obtained for identification or verification.
An organization must also apply the customer due diligence measures if the person carries out an occasional transaction that is significant or unusual, whether the transaction is executed in a single operation or in several operations which appear to be linked.
A high-value dealer must also apply the customer due diligence measures if that dealer carries out an occasional transaction in cash that amounts to 10,000 dollars or more, whether the transaction is executed in a single operation or in several operations which appear to be linked.
The organization must identify the customer unless the identity of that customer is known to, and has been verified by, the organization, and the appropriate measures must be taken to verify the customer’s identity unless the customer’s identity has already been verified by the organization either at the time of onboarding or during the process of a previous occasional transaction.
The organization must assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction.
Where the customer is a body corporate, then the organization is required to obtain and verify:
- The name of the body corporate, its company number, or another registration number.
- The address of its registered office, and if different, its principal place of business.
The organization is required to take reasonable measures to determine and verify the law to which the body corporate is subject, its constitution (whether set out in its articles of association or other governing documents), the full names of the board of directors (or, if there is no board, the members of the equivalent management body), and the senior persons responsible for the operations of the body corporate.
Where the customer is beneficially owned by another person, the organization must:
- Identify the beneficial owner.
- Take reasonable measures to verify the identity of the beneficial owner so that the relevant person is satisfied that it knows who the beneficial owner is.
If the beneficial owner is a legal person, trust, company, foundation, or similar legal arrangement, the organization is required to take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation, or similar legal arrangement.
When CDD measures cannot be performed by the organization to identify the customer, then the account should not be opened for that particular customer. Organizations are required not to open anonymous accounts, in any case.
Know-your-customer (KYC) and Customer Due Diligence (CDD) guidelines are a critical component of a bank’s risk management practices and customer risk monitoring, as well as a legal requirement for compliance with anti-money laundering (AML) laws.
KYC and CDD, in their most basic form, refer to the steps taken by a financial institution or business to establish customer identity by collecting and documenting a customer’s name, date of birth, and address. Financial institutions and/or businesses then verify that information, create a risk profile for the customer, and continuously monitor the customer’s transaction behavior.