Conducting customer due diligence, or CDD, is a skill every AML Compliance Officer should have. A typical investigation into a potentially suspicious transaction will begin with CDD. In most countries with a robust AML/CFT framework, it is compulsory for a financial institution to conduct CDD during the onboarding stage, before establishing business relations with a potential customer.
Definition and objective
CDD is the process in which pertinent information about the customer's profile is collected and evaluated for potential money laundering or terrorist financing red flags. Upon completion of due diligence, the customer may be given a risk rating. A risk rating can be a Low/Medium/High classification or a numeric value derived from a risk matrix that scores the customer against a specific set of criteria.
A risk rating helps a company in deciding how and when to apply stringent checks, treatment, and controls that are appropriate to the level of risk. This framework is also known as the risk-based approach, which allows a company to allocate resources accordingly.
The first step to CDD is to obtain information from the customer. The following points outline the general information that should be collected.
Customer Profile (Individual):
- Full name, including any aliases
- Residential address, mailing address
- Contact numbers, email addresses
- Place of birth, date of birth
- Marital status
- Government-issued identification number
- Government-issued tax identification number
- Specimen signature
- Parental consent form (where the individual is a minor)
Customer Profile (Entity):
- Name of corporation
- Type of corporation
- Date of incorporation
- Place of incorporation
- Board resolution on authorised signatories
- Certificate of Incumbency
- Articles of Association
- Certificate of Incorporation
- Annual report
- Senior Management
- Ultimate Beneficial Owners (see: List of Company Registers Around the World)
Customer Profile (Trust):
- Settlor’s information
- Trustee’s information
- Beneficiaries' information
- Protector’s information
- Relationship between settlor, trustee, protector and beneficiary
- Ultimate beneficial owner's information
Independent verification of collection
The second step is to verify the information collected from the customer to ensure it is accurate. Much of the information collected can be verified against documents issued by a government or an independent, reputable agency, such as:
- Government-issued photo identification card
- Government-issued passport
- Tax bill
- Phone/power/water bill to prove residential address
- Business profile issued by a government regulator for business entities
- Certificate of incorporation from a country’s official company register
- Articles of association, or memorandum of association
Name screening is the next step, where a Compliance Officer checks the customer against a name-screening database and/or an internal blacklist to determine whether the customer poses a risk to the financial institution. Typically, the objective is to ascertain whether the customer is any of the following:
- Politically Exposed Persons (PEPs)
- Sanctioned individual/entity
- Reported in media to be involved in any activity that is adverse in nature
A Compliance Officer may then provide a recommendation that outlines the customer's risk level to the company and proposes certain controls to apply when establishing a business relationship with the customer. Where necessary, a Compliance Officer may recommend refusing to establish business relations. Declining a business relationship can be tricky, and Compliance Officers must be careful not to tip off the customer or to de-risk an entire segment of customers.
Part of the evaluation may involve understanding the circumstances of the customer, such as:
- The source of their funds
- The nature of their circumstances
- The reasons why they have chosen the company to establish a relationship
- The anticipated and expected level of activity
Enhanced Customer Due Diligence (ECDD)
ECDD applies where the customer has been evaluated to pose a heightened risk to the company. The Financial Action Task Force (FATF) 40 Recommendations suggest that companies adopt a risk management system to determine whether a customer presents a higher risk.
Part of the ECDD process is to obtain senior management approval before establishing the relationship, and to take reasonable measures to establish the customer's source of wealth and source of funds. Examples of higher-risk customers/transactions include, but are not limited to:
- Politically Exposed Person (PEP)
- Customers who are positively identified as having adverse profiles on watchlists
- Non-face-to-face account opening
- Correspondent Accounts
- Customers located in high-risk locations
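As an added example, not from the original article, the following Python sketch shows the risk-based approach described above end to end: name screening with alias and accent normalisation feeding a simple risk matrix that yields a Low/Medium/High rating and an ECDD decision. The watchlist format, the weights, the thresholds and the high-risk country code are all constructed assumptions, not any regulator's values.

```python
import unicodedata
from dataclasses import dataclass

# Constructed weights and thresholds (assumption): illustrative only, not any
# regulator's values. Sanctions are escalated for refusal rather than scored.
WEIGHTS = {"SANCTION": 100, "PEP": 40, "ADVERSE_MEDIA": 30, "CORRESPONDENT": 40,
           "HIGH_RISK_COUNTRY": 30, "NON_FACE_TO_FACE": 20}
HIGH_RISK_COUNTRIES = {"ZZ"}  # placeholder code for a high-risk jurisdiction

def normalize(name: str) -> str:
    """Fold accents and case, drop punctuation, sort tokens: 'Perez, Juan' and
    'Juan Pérez' become the same key. Empty names yield ''."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = "".join(c if c.isalnum() else " " for c in folded.lower()).split()
    return " ".join(sorted(tokens))

def screen(names, watchlist) -> set:
    """Name screening: match the customer's name and aliases against each
    watchlist entry's names and aliases; return the categories hit."""
    targets = {normalize(n) for n in names} - {""}
    return {e["category"] for e in watchlist
            if targets & {normalize(n) for n in e["names"]}}

@dataclass
class Customer:
    names: list                  # legal name followed by any aliases
    country: str
    face_to_face: bool = True    # False for non-face-to-face onboarding
    correspondent: bool = False  # True for a correspondent account

def assess(customer: Customer, watchlist) -> dict:
    """Risk matrix: collect red flags, sum their weights, map to a rating and
    say whether ECDD (senior management approval, source of wealth and
    source of funds) is required before the relationship is established."""
    flags = screen(customer.names, watchlist)
    if customer.country in HIGH_RISK_COUNTRIES:
        flags.add("HIGH_RISK_COUNTRY")
    if not customer.face_to_face:
        flags.add("NON_FACE_TO_FACE")
    if customer.correspondent:
        flags.add("CORRESPONDENT")
    score = sum(WEIGHTS[f] for f in flags)
    if "SANCTION" in flags:
        rating = "DECLINE"      # recommend refusing business relations
    else:
        rating = "HIGH" if score >= 40 else "MEDIUM" if score >= 20 else "LOW"
    return {"flags": sorted(flags), "score": score, "rating": rating,
            "ecdd_required": rating in ("HIGH", "DECLINE")}
```

A real deployment would replace exact-key matching with the fuzzy matching of a screening vendor and record every hit and decision for the retention period discussed below.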
CDD does not stop after the customer has been onboarded. Transactions and account activity should be scrutinised regularly for suspicious activity, and to confirm that the behaviour of the transactions and accounts is in line with the company's expectations and with the customer profile. This is an ongoing responsibility, as clients' risk profiles may change over time. To perform ongoing monitoring well, a Compliance Officer must take the customer's account activity into consideration and ensure that CDD documents are kept up to date.
Part of performing proper customer due diligence is ensuring that all records are retained as per the company's retention policy. The exact length of time such records must be kept is usually mandated by law and differs between countries.
Record keeping helps the company understand the customer over the entire course of the relationship. It also helps the company meet its reporting obligations when submitting documents to the local financial intelligence unit about suspected money laundering or terrorist financing.