The terms Customer Due Diligence (CDD) and Know Your Customer (KYC) are often used interchangeably, though their scope is subtly different.
CDD is generally understood to be a process that covers the identification and verification of a customer (KYC) together with other risk factors, such as the rationale for the relationship and the plausibility of the many aspects that together form the overall client relationship and risk profile.
In brief, CDD is a process of due diligence that is performed to:
KYC/CDD is not a one-off event performed only when entering into a new relationship. It is an ongoing process that is closely tied to each step and phase of a business relationship.
The regulations require a firm to perform KYC/CDD when it:
Regardless of the terms used, KYC/CDD is the cornerstone and a crucial component of managing the risks of each relationship, and therefore of a firm’s anti-money laundering and financial crime compliance framework of systems and controls.
Well, according to the Basel Committee, “sound KYC procedures have particular relevance to the safety and soundness of banks, in that:
The Financial Action Task Force (FATF) has devised the 40 Recommendations (first published in February 2012 and updated in October 2020) to guide risk and compliance professionals as to the global standards that are required to be performed to ensure that there is a benchmark of international KYC/CDD standards. New for 2012 was the explicit requirement to manage customer risks according to the risk-based approach (“RBA”). The RBA model of compliance requires a firm to assess the financial crime risks associated with a relationship using a range of operational and company-specific factors, and at least five general classes of risk factors:
The FATF 40 Recommendations have been cascaded globally into locally applicable laws and regulations, such as the EU 4th, 5th and 6th AML Directives, and the FinCEN CDD rules of 2018 in the USA.
In the UK, the Money Laundering Regulations of 2017 (as amended in 2019) enacted the EU 4th AMLD, introducing new requirements and the obligation to manage risks relating to certain higher-risk third countries. On 10th January 2020, these regulations were further enhanced to widen their scope to include cryptoasset firms and also firms that perform specific activities relating to the art market and the letting of property.
Regardless of the jurisdiction, or the activity that is conducted, a firm that is subject to CDD/KYC regulations is required to comply with some basic rules. These include:
1. Collect information on:
2. Take steps to verify the details in point 1 above by using independent sources of data and information. These can include (not intended to be exhaustive):
3. Assess the inherent and absolute financial crime risks of each relationship and assign a risk rating that is used to determine whether the relationship must be declined, or accepted and managed as low risk, standard risk or higher risk.
4. All higher risk relationships, for example those held with Politically Exposed Persons (“PEPs”), their families and close business associates, or relationships and transactions that are associated with ‘high risk third countries’, or which are conducted non-face-to-face, are subject to enhanced due diligence (“EDD”) controls and procedures. In order to comply with EDD regulations, a firm is required to:
5. Of course, mistakes will be made, and so a company must have records to explain the rationale for decision making. Where the records help to demonstrate that ‘reasonable’ and proportionate steps were taken to identify and manage the risks, then the company is less likely to suffer regulatory or legal enforcement action.
A new development in the process of conducting KYC/CDD, and explicitly in performing EDD, has been the expectation that firms identify and use open-source information available on the Internet to verify the identity, wealth profile and even location of customers.
These methods are widely referred to as Open-Source Investigation Techniques, or OSINT, and regulators such as the European Banking Authority (“EBA”) and the Financial Conduct Authority (“FCA”) have recommended the use of OSINT as a best practice for managing higher risks.
According to the UK MLR and Regulation 33 ‘Obligation to apply enhanced customer due diligence’, “credit institutions and financial institutions must also take account of any guidelines issued by the European Supervisory Authorities under Article 18.4 of the fourth money laundering directive.”
On 1st March 2021 the EBA published its final revised Guidelines on money laundering and terrorist financing risk factors. Under ‘Enhanced customer due diligence’, the EBA Guidelines state:
“To comply with Article 18a in respect of relationships or transactions involving high-risk third countries, firms should apply the EDD measures set out in this regard in Title I.
In other higher risk situations, banks must also apply EDD. As part of this, banks should consider whether performing more thorough due diligence checks on the transaction itself and on other parties to the transaction (including non-customers) would be appropriate.
Checks on other parties to the transaction may include: Taking steps to better understand the ownership or background of other parties to the transaction, in particular where they are based in a jurisdiction associated with higher ML/TF risk or where they handle high-risk goods.
This may include checks of company registries and third-party intelligence sources, and open-source internet searches.” **
** The new online and on-demand OSINT course provided by GCAL teaches the skills and awareness required to meet this regulatory expectation.