What is Customer Due Diligence and Know Your Customer?
The terms Customer Due Diligence (CDD) and Know Your Customer (KYC) are often used interchangeably, though their scope is subtly different.
CDD is generally recognised as being a process that captures the identification and verification of a customer (KYC), and other risk factors such as the rationale for the relationship and plausibility of the many aspects that all form part of the overall client relationship and risk profile.
What is Customer Due Diligence?
In brief, CDD is a process of due diligence that is performed to:
- Confirm that the ‘person’, either a natural person, legal entity or legal arrangement, actually exists.
- Confirm that the ‘customer’ that wishes to use the services of the firm is indeed that ‘person’.
- Identify the level of financial crime risks associated with the relationship, and whether the acceptance of a new relationship, or continuation with an existing relationship, is likely to present higher or lower risks that are acceptable according to the firm’s risk appetite.
- Identify any attempt to launder the proceeds of crime, finance terrorism or to conduct a form of fraud, such as impersonation fraud and/or loan fraud.
KYC/CDD not a one-off event that is performed only when entering into a new relationship. It is an ongoing process that is strongly related to each step and phase of a business relationship.
The regulations require a firm to perform KYC/CDD when it:
- Enters into a new business relationship.
- Performs periodic reviews of existing relationships.
- Conducts event-driven reviews, such as receiving a suspicious activity report.
- Completes remediation of customer records in response to trigger events, such as a fraud incident or other criminal activity and losses that are identified.
- Is suspicious or doubts the veracity of the KYC/CDD already held.
What laws and regulations apply?
Regardless of the terms used, KYC/CDD is the cornerstone and crucial component of managing the risks of each relationship, and therefore a firm’s anti-money laundering and financial crime compliance framework of systems and controls.
How important is KYC/CDD?
Well, according to the Basel Committee, “sound KYC procedures have particular relevance to the safety and soundness of banks, in that:
- They help to protect banks’ reputation and the integrity of banking systems by reducing the likelihood of banks becoming a vehicle for or a victim of financial crime and suffering consequential reputational damage.
- They constitute an essential part of sound risk management (e.g., by providing the basis for identifying, limiting and controlling risk exposures in assets and liabilities, including assets under management)”.
What are the FATF 40 recommendations?
The Financial Action Task Force (FATF) has devised the 40 Recommendations (first published in February 2012 and updated in October 2020) to guide risk and compliance professionals as to the global standards that are required to be performed to ensure that there is a benchmark of international KYC/CDD standards. New for 2012 was the explicit requirement to manage customer risks according to the risk-based approach (“RBA”). The RBA model of compliance requires a firm to assess the financial crime risks associated with a relationship using a range of operational and company-specific factors, and at least five general classes of risk factors:
- Product and Service
- Channel of Delivery
The FATF 40 Recommendations have been cascaded globally into locally applicable laws and regulations, such as the EU 4th, 5th and 6th AML Directives, and the FINCEN CDD rules of 2018 in the USA.
In the UK, the Money Laundering Regulations of 2017 (as amended in 2019) enacted the EU 4th AMLD to introduce new requirements and the requirement to manage risks relating to certain higher-risk third countries. On 10th January 2020, these regulations were further enhanced to widen the scope of the applicable regulations to include cryptoassets firms and also to firm’s that perform specific activities relating to the art market and the letting of property.
What rules are firms subject to CDD/KYC regulations bound by?
Regardless of the jurisdiction, or the activity that is conducted, a firm that is subject to CDD/KYC regulations is required to comply with some basic rules. These include:
1. Collect information on:
- The identity and wealth profile of the applicant or customer.
- The beneficial owners, especially those with more than 25% equitable ownership or who have a significant influence over the conduct of the firm (“controlling mind”).
- The persons purporting to act on behalf of the customer, for example the director, signatory or other official acting under a Power of Attorney.
- The ownership structure.
- The purpose and rationale for the company.
- Confirmation of how the ‘person’ proposes to use the services or products of the regulated firm.
2. Take steps to verify the details in point 1 above by using independent sources of data and information. These can include (not intended to be exhaustive):
- Official documentation, ideally from a verifiable source such as the government, regulated bank or utility provider.
- Electronic registers and other similar verification.
- Data provided by the firm’s own staff, such as a Client Relationship Manager who meets with a client at their place of residence or who visits the offices of a company.
- Sources of information held publicly on the Internet (OSINT).
3. Assess the inherent and absolute financial crime risks of each relationship and allocate a risk assessment that is used to determine whether the relationship must be declined or accepted and managed as a low risk, standard risk or higher risk.
4. All higher risk relationships, for example those held with Politically Exposed Persons (“PEPs”), their families and close business associates, or relationships and transactions that are associated with ‘high risk third countries’, or which are conducted non-face-to-face, are subject to enhanced due diligence (“EDD”) controls and procedures. In order to comply with EDD regulations, a firm is required to:
- Conduct deeper and more forensic investigation and verification of financial crime risks.
- Perform more frequent ongoing monitoring checks during the term of the relationship.
- Allocate a more senior and qualified staff to manage these relationships.
- Obtain senior manager approval.
- Document all of the above!
5. Of course, mistakes will be made, and so a company must have records to explain the rationale for decision making. Where the records help to demonstrate that ‘reasonable’ and proportionate steps were taken to identify and manage the risks, then the company is less likely to suffer regulatory or legal enforcement action.
New developments in the process of conducting KYC/CDD
A new development in the process of conducting KYC/CDD, and explicitly for performing EDD, has been the expectation that firms identify and use open-source information that is available on the Internet to verify identity, wealth profile, even location of customers.
Widely referred to as Open-Source Investigation Techniques, or OSINT, regulators such as the European Banking Authority (“EBA”) and the Financial Conduct Authority (“FCA”), have recommended the use of OSINT as a best practice for managing higher risks.
According to the UK MLR and Regulation 33 ‘Obligation to apply enhanced customer due diligence’, “credit institutions and financial institutions must also take account of any guidelines issued by the European Supervisory Authorities under Article 18.4 of the fourth money laundering directive.”
On 1st March 2021 the EBA publishes final revised Guidelines on money laundering and terrorist financing risk factors. Within the EBA Guidelines, it states under ‘Enhanced customer due diligence’:
“To comply with Article 18a in respect of relationships or transactions involving high-risk third countries, firms should apply the EDD measures set out in this regard in Title I.
In other higher risk situations, banks must also apply EDD. As part of this, banks should consider whether performing more thorough due diligence checks on the transaction itself and on other parties to the transaction (including non-customers) would be appropriate.
Checks on other parties to the transaction may include: Taking steps to better understand the ownership or background of other parties to the transaction, in particular where they are based in a jurisdiction associated with higher ML/TF risk or where they handle high-risk goods.
This may include checks of company registries and third-party intelligence sources, and open-source internet searches.” **
** The new online and on-demand OSINT course that is provided by GCAL provides the skills and awareness that are required to fulfil this regulatory performance.