The GDC Blog
In the past, the team at GDC has written on how customer due diligence (CDD) is the backbone of any Know Your Customer (KYC) compliance program. However, over the last several years, we have seen a trend where regulatory bodies are putting increased pressure on financial institutions to improve their customer due diligence programs beyond the on-boarding process.
But what exactly does this regulatory pressure for enhanced diligence programs mean for consumers and corporate clients?
What is Enhanced Customer Due Diligence?
While customer due diligence is par for the course for financial institutions and businesses of all industries, there is a difference between customer due diligence and these enhanced due diligence programs being recommended for high-risk and high-net-worth individuals.
Customer Due Diligence, or CDD, happens mainly during the customer on-boarding process. Once a customer’s information is collected, the identity of the individual is verified using the information they provided, such as name, date of birth, SSN, or address.
Enhanced customer due diligence, or ECDD, happens after that initial verification during onboarding. These enhanced, or expanded, checks are designed to help minimize compliance violations and risk, and to prevent financial crimes, such as money laundering or terrorist financing, from occurring. These programs should be applied to both consumer and corporate clients, and to any customers (either individuals or businesses) that are deemed ‘high risk.’
Here are some commonly suggested procedures to follow when implementing enhanced customer due diligence:
- Require the customer to provide additional information from a wider variety of sources
- Perform risk assessment to create risk profiles for all customers, and enforce risk monitoring based on the profile of the individual
- Verify the information provided and the source of funds of the individuals or businesses
- Gain a better understanding of what the customer is looking to get out of the business relationship
Verification Options for Due Diligence
Before diving into requirements surrounding enhanced due diligence checks, it’s important to understand the different options businesses have when verifying the identity of their new and existing customers.
The first, and most expensive, option is in-person verification. This is when, as the name suggests, a customer or entity shows up in person to be verified. Customers will be asked to appear with their relevant documentation and will be cross-checked against the provided information or identification documents.
The second option is document verification. This is when a team of experts thoroughly examines identity verification documents for authenticity. Customers, in most instances, are asked to submit a copy of key documents, such as a birth certificate or a social security card.
The final option, and the one preferred by many companies, is electronic identity verification (eIDV). This is when a business uses private and public personal identification databases and resources to quickly and seamlessly verify that someone is who they say they are. eIDV can be used to verify new customers with less friction during the onboarding process, as well as to check your existing customers.
Enhanced Customer Due Diligence Requirements & Measures
Why is Enhanced Customer Due Diligence Required?
ECDD programs are an ever-growing need as companies conduct more and more transactions through multiple digital channels. These types of programs have become a focus for regulators, governments, and agencies seeking to slow the flow of funds to criminals, terrorists, and tax cheats looking to hide funds and assets to avoid detection and arrest. These programs, such as regularly verifying customer identities, are also used to help firms improve their detection and prevention of fraud, such as identity theft or financial fraud.
Particular legislation, such as the 4th Anti-Money Laundering Directive (4MLD), came into force as a way to upgrade and expand the current approaches and checks to meet money laundering and compliance guidelines. These directives and laws from the EU and other regulatory agencies lay the groundwork for robust and rigorous enhanced due diligence programs.
When is Enhanced Customer Due Diligence Required?
Determining when enhanced due diligence is required is not “one size fits all.” The simple answer to when ECDD is required would be all the time, but how often checks happen will be determined by your particular compliance department’s process and by which entity needs to be checked.
The reason it’s difficult to give a one-size-fits-all answer to this question is that every bank or financial institution will have its own workflow for determining who needs to undergo these enhanced checks.
A Risk-Based Approach to Enhanced Customer Due Diligence
The recommended approach to interpreting and implementing policy is through creating customer risk profiles or completing a customer risk assessment.
After onboarding, many institutions will use compliance analytics to determine the customers’ money laundering risk. While the process is different for every institution, these are common factors considered when determining the risk of a customer:
- Location of a customer or business
- Types of transaction
- Frequency of transactions
- Who this business serves
- Salary or annual sales numbers
- Partnership agreements and business certificates
- Origins of customer payments
- Is the individual a politically exposed person?
  - Have they been entrusted with a prominent public function?
- Compliance policies
  - For example, AML policies and procedures or KYC requirements.
During this process, compliance departments will take into account “reasonable assurance.” This means that they will acknowledge that, based on this assessment, there is no such thing as a ‘no-risk’ customer. This understanding allows compliance departments to design procedures that are as effective for their needs and as unburdensome to the customer as possible.
Generally speaking, after the compliance teams have finished their risk assessment, customers are grouped by whether they are low, medium, or high risk. Based on a customer’s risk level, firms will then determine how they want to handle individuals deemed high-risk.
For example, in some situations, institutions may choose to end the relationship with a customer because they are deemed too high a risk. Some will not even allow individuals to open an account because of the risk they pose to the institution. This is known as a ‘de-risking’ measure, and while it can keep your organization’s overall risk potential down, it can leave money on the table by turning away legitimate business or customers to protect your own institution.
Most firms, however, will choose to further investigate high-risk individuals in more detail and depth. This process of looking into a customer in more detail, as mentioned above, will vary from company to company, but will often include procedures such as:
- Electronic identity verification (eIDV)
- Continuous monitoring of the activity of this individual or business
- Seeking additional information if suspicious activity arises
- If the customer is a business, determining and doing your due diligence on any beneficial owners.
When customer information is escalated to the compliance department for further review, that customer has been determined to need enhanced due diligence. This is known as taking a risk-based approach to determining which customers require enhanced customer due diligence, and overall it gives financial firms better insight into how a customer could increase their overall compliance and risk exposure. With this approach, institutions are also able to determine the best plan of action moving forward with a customer.
Beneficial Ownership & Enhanced Customer Due Diligence
As the need for enhanced customer due diligence has expanded, more types of checks have been added to help firms improve their detection and prevention of fraud, such as identity theft or financial fraud.
One such aspect of these more detailed checks for enhanced customer due diligence is determining “beneficial ownership” of the business entity.
Beneficial ownership information identifies the individuals that directly or indirectly own or control a legal entity of the firm. A beneficial owner is defined as an individual who directly or indirectly owns 25% or more of a legal entity customer (defined as “ownership”) or an individual who has the responsibility to manage or direct a legal entity customer, such as a senior manager or executive officer (defined as “control”).
Beneficial ownership analysis and monitoring is designed to discover and prosecute criminals, kleptocrats, and other bad actors that look to hide illegal proceeds in the financial system anonymously.
High-profile media cases such as The Panama Papers have helped keep the focus on ECDD and beneficial ownership, as they provided a behind-the-scenes view of the legal practices, transaction flows and (lack of) documentation used by large corporations and high-profile individuals to avoid regulatory compliance.
In response to these cases, the newer beneficial ownership rules and increased scrutiny are designed to help financial institutions and law enforcement gain access to more detailed information.
For example, this increased scrutiny can be seen in the 4th Anti-Money Laundering Directive in Europe and the FinCEN Customer Due Diligence Final Rule in the US. Each of these rules explicitly states that checks for beneficial ownership are required in accordance with national law. In the US, in particular, this was seen as a new requirement for beneficial ownership checks.
Enhanced customer due diligence is becoming more and more the norm for institutions in all industries. With regulations surrounding KYC and AML, the scope and detail of the checks required are always expanding. And it’s becoming clear that antiquated, manual processes just won’t keep up as the volume of digital transactions increases. Luckily, technology and solutions are available to help institutions remain on track and compliant. As the requirements surrounding enhanced customer due diligence expand, we will continue to explore this topic and what customers can do to keep up.