Customer due diligence (CDD) is the process of verifying a customer's identity, assessing the risk of doing business with them, and then monitoring that risk level throughout their lifecycle. The goals of CDD are to prevent identity theft, money laundering, and other financial crimes.
Customer due diligence (CDD) is an essential part of compliance with anti-money laundering (AML) and anti-bribery and corruption laws. Typically a CDD process involves collecting data to verify someone's identity and assessing the risk of working with them. CDD happens before a new customer is onboarded and then at regular intervals throughout their lifecycle.
During CDD, you might check key documentation, such as a passport or driving licence, to prove someone is who they claim to be. If a significant risk factor is identified, you may also run additional checks, known as enhanced due diligence (EDD). This goes beyond verifying someone's identity and into a wider risk assessment, which might happen because an individual has been flagged as a higher risk. Perhaps the customer holds a passport from a sanctioned country, or the device they are applying from has been identified with fraudulent activity in the past.
These due diligence processes are designed to protect regulated businesses from transacting with criminals like money launderers and fraudsters, and they prove to regulators and auditors that those businesses are operating ethically and legally.
Important elements in CDD
There are many ways to verify someone's identity - one way is to ask them for government-issued identification like a birth certificate or passport. Another way is to set up automated ID checks with leading data providers like Moody’s Analytics.
You might ask a customer to scan or produce in person a bank statement or utility bill as proof of address, or you could integrate an automated check to look for proof of address and return that to your compliance team via a solution like PassFort.
Identifying ultimate beneficial owners
When onboarding and monitoring corporate customers, understanding who the ultimate beneficial owners (UBOs) of a business are is crucial to CDD. UBOs are people who ultimately own or control a legal entity. To comply with anti-money laundering (AML) laws, regulated businesses have to understand corporate structures and screen UBOs. This typically involves EDD, uncovering the ownership framework and then collecting ID data on the UBOs and screening for politically exposed persons (PEPs), sanctions, and adverse media to gauge the risk of doing business with them.
Understanding a customer's business
Again, when onboarding corporate customers, regulated businesses want to understand the nature of a customer's business. This includes its line of business, the transactions it typically conducts, and the expected frequency and volume of those transactions. This information adds to the customer's risk profile and dictates whether they are onboarded and what kind of monitoring activity is required. Ongoing monitoring identifies changes in a company's risk profile, and perpetual KYC helps uncover risk on a continual basis.
Regulated businesses are required to have procedures in place for the ongoing monitoring of customers, both individual and corporate. This includes rerunning know your customer (KYC) checks to update risk information and see whether anything material has changed. If there are concerns about a customer raised through this review process, appropriate action can be taken to mitigate the risk. The outcomes could be terminating a relationship, conducting additional due diligence, resetting the review process, reporting the matter to the relevant authorities, or continuing with business as usual.
How do you conduct CDD?
There are different ways to go about conducting customer due diligence. Some companies rely on manual methods but the downside to this is they are time-consuming and prone to human error - plus it's not a great experience for the customer involved. Manual CDD can cause onboarding to be slow and inconvenient, and it can cause failures in risk monitoring. Additionally, manual KYC processes are costly, as businesses must invest in staff to manually verify customer information and add to the compliance team as the business grows.
It's best practice to use automation to create smoother, more seamless CDD processes, which minimize errors and maximise efficiency. Automated KYC systems like PassFort can be used to gather customer data from trusted sources, bringing results back into one platform to create a 360-degree view of customer information and a profile of risk. This is a more accurate and consistent way of performing CDD, which avoids human error and creates better experiences for customers. Additionally, automation helps speed up processes, increasing efficiency, and ensuring economies of scale i.e., if you want to onboard more customers, you don’t have to employ more compliance staff to do it.
And when onboarding and monitoring corporate clients, digital KYC solutions help simplify the process of clarifying corporate structures and screening UBOs. Integrated data checks take place, with documentation and decisions stored in one place. Reports on decisions are available and can be presented to internal stakeholders or auditors.
While automation is powerful in a CDD process, it is important to bring compliance professionals in where they add value for judgement calls, analysis, and decision making. There are scenarios and nuances associated with risk analysis that automation alone can’t handle. People are irreplaceable when it comes to the “sniff test” i.e. when an experienced professional senses something doesn’t seem right, they probably know best.
How often should you undertake CDD?
There is no definitive answer to the question of how often you should undertake customer due diligence. Regulation requires risk management and risk monitoring take place to prevent money laundering, conflicts of interest, and other types of financial crime, but the frequency of CDD is not mandated. CDD typically happens before onboarding a customer, and then review periods are often proportionate to a customer's risk level. For low-risk customers, reviews may only happen once every three years, every two years for customers considered medium risk, and every year for high-risk customers.
Ultimately, it is up to you and your business how often you undertake CDD. However, as the world of compliance and risk management becomes increasingly digital, firms are turning to perpetual KYC or pKYC to highlight risks across their business network. pKYC involves continuous monitoring of risk factors, which helps you keep up with material changes to a customer's risk profile. By using a continuous approach to maintaining risk records, you can provide better customer support and better protection for your firm.
Customer due diligence is a key part of compliance with anti-financial crime laws for regulated businesses. Verifying a customer's identity and assessing the risk they may pose to your company is essential. How and when CDD is conducted is down to you, and what level of risk you assume is also your choice.
Using an automated KYC solution, you can complete CDD at onboarding and then throughout the customer lifecycle in a more efficient way. You create better experiences for customers while avoiding potential risks and non-compliance issues for your business.
PassFort, a Moody’s Analytics company, is able to integrate the latest sources of data for ID verification, PEPs, sanctions, and adverse media screening into automated CDD workflow processes. Use the information returned to create an overall picture of risk for any type of customer anywhere in the world. Then automate risk monitoring at set periods or on a continual basis through pKYC with decisions and records held in one location. And, with PassFort, your compliance team can collaborate in the platform, coming into a due diligence process when they add value for analysis, decision making, or judgement calls.
Please get in touch to discuss your CDD program – we would love to help.