Conducting customer due diligence, or CDD, is a skill every Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) analyst should have. A typical investigation into a potential suspicious transaction will begin with CDD. In most countries with a robust AML/CFT framework, it is compulsory for a financial institution to conduct CDD during the onboarding stage when establishing business relations with a potential customer.
Definition and objective
CDD is the process by which pertinent information about a customer’s profile is collected and evaluated for potential money laundering or terrorist financing risks. Upon completion of CDD, the customer may be given a risk rating in accordance with the risk he or she may present to the company. Risk ratings can be in the form of a category, such as “low risk” or “high risk”, or a numeric value derived from a risk matrix based on a pre-defined set of criteria.
A risk rating helps a company decide how and when to apply the appropriate checks, treatment, and controls that are commensurate with the level of risk. This methodology is also known as the risk-based approach, which allows a company to prioritise resources towards areas that require more attention.
The first step of CDD is to obtain information from a customer. The following points outline the general information that should be collected.
Customer Profile (Individual):
- Full name, including any aliases
- Residential address, mailing address
- Contact numbers, email addresses
- Place of birth, date of birth
- Marital status
- Government-issued identification number
- Government-issued tax identification number
- Specimen signature
- Parental consent form (where the individual is a minor)
Customer Profile (Entity):
- Name of corporation
- Type of corporation
- Date of incorporation
- Place of incorporation
- Board resolution on authorised signatories
- Certificate of Incumbency
- Articles of Association
- Certificate of Incorporation
- Annual report
- Senior Management
- Ultimate Beneficial Owners (see: List of Company Registers Around the World)
Customer Profile (Trust):
- Settlor’s information
- Trustee’s information
- Beneficiaries’ information
- Protector’s information
- Relationship between settlor, trustee, protector and beneficiary
- Ultimate beneficial owner’s information
Independent verification of collection
The second step is to verify the information collected from the customer to ensure accuracy and legitimacy. The majority of the information can be verified by documents that are issued by a government body or an independent reputable agency. Examples include:
- Government-issued photo identification card
- Government-issued passport
- Tax bill
- Phone/power/water bill to prove residential address
- Business profile issued by a government regulator for business entities
- Certificate of incorporation from a country’s official company register
- Articles of association, or memorandum of association
Name screening is the next step, where an analyst performs a check against a name-screening database and/or an internal blacklist to determine if a customer is known to be of heightened risk, thereby posing a risk to the financial institution. Typically, the objective is to ascertain if the customer is known to have any of the following profiles:
- Politically Exposed Persons (PEPs)
- Sanctioned individual/entity
- Reported in media to be involved in any activity that is adverse in nature
The analysts may then provide a recommendation to outline the customer’s risk level to the company and propose certain controls after establishing a business relationship with the customer. Where necessary, the analysts may decide to decline to establish business relations. However, declining to establish a business relationship may be counter-productive, and analysts must take care not to tip off the customer or de-risk a segment of customers, thereby forcing them to turn to unregulated and illegal sources for their financial needs.
The evaluation process may involve understanding the circumstances and profile of the customer, such as:
- The source of their funds and source of wealth
- The nature of their circumstances
- The reasons why they have chosen the company to establish a relationship
- The anticipated and expected level of activity
Enhanced Customer Due Diligence (ECDD)
ECDD applies where the customer has been evaluated to be at a heightened risk to the company. Part of the Financial Action Task Force (FATF) 40 Recommendations suggests that companies adopt a risk management system to determine if the customer presents a higher risk.
The main process of conducting ECDD is to obtain senior management approval before establishing a relationship and to take reasonable measures to establish the source of wealth and the source of funds. Examples of higher-risk customers/transactions include, but are not limited to:
- Politically Exposed Person (PEP)
- Customers who are positively identified to have adverse profiles on watchlists
- Non-face-to-face account opening
- Correspondent accounts
- Customers located in high-risk locations
CDD should not stop after establishing a relationship with the customer. On a regular basis, transactions and account activities should be scrutinized for money laundering or terrorist financing risks. The customer’s behaviour, transactions and accounts should be in line with the expected level of activity. Ongoing monitoring is crucial, as a customer’s risk profile may change over time. To better perform ongoing monitoring, an analyst must take into consideration the customer’s account activity and ensure that Know-Your-Customer (KYC) documentation is kept up to date.
Part of performing proper customer due diligence is ensuring that all records are retained in accordance with the company’s retention policy. The exact length of time to keep such records is usually mandated by law and differs between countries.
Record keeping helps the company understand the entire relationship with the customer. In addition, a systematic record-keeping workflow helps the company meet its reporting obligations in the retrieval and submission of appropriate data to its local financial intelligence unit or regulators.
Perhaps one of the challenges of performing CDD is where critical information is not available, resulting in an inconclusive report. As a prudent measure, analysts should set controls to re-visit the customer’s profile upon the trigger of new information, or on a regular basis, whichever is earlier.