Customer due diligence (CDD) is required of any business that interacts with customers and is covered by know your customer (KYC) and anti-money laundering (AML) regulations. Its purpose is to prevent financial crime and uncover any risks to your organization that could arise from doing business with certain customers.
There are different types of CDD, from simplified CDD to enhanced due diligence. In this article we will focus on standard CDD requirements.
What is CDD?
Customer due diligence (CDD) is a series of checks to help you verify your customers’ identities and assess their risk profiles.
CDD is a regulatory requirement for companies entering into business relationships with a customer and is a big part of anti-money laundering (AML) and Know Your Customer (KYC) directives.
CDD involves analyzing information from different sources, including the customer themselves, sanctions lists, and public and private data sources. The information you collect depends on the risk profile of your customer, but basic customer due diligence requires the following:
- Information about the identity of your customers, such as their name, address and a photograph of an official identity document
- An overview of your customer’s activities and the markets they operate in
- An overview of any other entities that your customer does business with
CDD meaning: the different types of CDD
CDD is an important part of your business's risk management. Different customers pose different levels of risk, so CDD is carried out through a risk-based approach.
You should assess the potential risk level of each customer, and adjust your due diligence approach accordingly. For the majority of clients, standard due diligence practices — which require you to identify and verify customer identities — are appropriate.
In certain lower-risk scenarios, simplified due diligence may suffice. When carrying out simplified due diligence, you only need to identify your customers rather than identify and verify them.
On the other hand, there might be instances where standard due diligence isn’t sufficient. In this case, you’d need to adopt enhanced due diligence.
Customer due diligence for banks
Financial institutions must take a risk-based approach to customer due diligence as part of KYC and other regulations. This ensures that the organization remains compliant with the local laws and regulations of the markets in which it operates.
The level of CDD in banking will depend on the type of business-customer relationship and the customer's risk profile. Broadly, though, banks must take the steps necessary to confirm that the customer really is who they say they are, so that they can prevent fraudulent activity such as identity fraud or impersonation.
When do you need to apply CDD in banking?
- Establishing a business relationship: Ahead of a new customer-business relationship, banks must perform due diligence to check the customer’s risk profile, verify who they are and ensure they aren’t using a fake identity.
- Occasional transactions: Certain transactions might require further CDD measures. For example, transactions over a certain monetary threshold (USD/EUR 15,000), or transactions involving high-risk persons or regions.
- Suspicious activity: Banks must implement CDD checks if the customer is suspected of activity related to money laundering or financing terrorism.
- Unreliable identification: If the identification a customer has provided is unreliable, suspicious or doesn't meet requirements, banks should apply additional CDD measures.
What are the 4 customer due diligence requirements?
In the United States, the FinCEN Customer Due Diligence Rule requires financial institutions to establish and maintain policies around four specific activities:
- Identifying and verifying customer identities.
- Identifying and verifying the identity of a company's owners.
- Understanding the nature and purpose of customer or client relationships in order to develop customer risk profiles.
- Conducting ongoing monitoring to identify and report suspicious activities or transactions, and maintaining and updating customer information as it relates to risks and risk levels.
Customer due diligence checklist
Conduct basic customer due diligence
The first step is to conduct simple investigations, such as identifying and verifying a customer’s identity. Businesses are required to verify the identity of their customers before or during the start of that business-customer relationship. These requirements apply to all new customers as part of Know Your Customer (KYC) regulations.
There are several ways that businesses can verify customer identities. One approach is online document verification, which involves digitally assessing the legitimacy of a customer’s identity document as part of onboarding processes.
In addition to identity verification, businesses should also consider a customer’s financial information (both current and previous) as well as their business activity.
Select any third parties
Businesses often opt to work with third parties when conducting customer due diligence. These could be lawyers, auditors, or providers of CDD solutions such as online identity verification. Businesses should ensure that any third parties they work with are reliable and trusted.
Decide if enhanced due diligence (EDD) is needed
If the customer is considered high risk, the business might need to carry out enhanced due diligence (EDD) checks. EDD is necessary if you’re entering into a business relationship with a politically exposed person (PEP), if the transaction involves a person from a high-risk country or any other situation where there’s a high risk of money laundering.
Secure all record-keeping
By law, businesses must now keep a record of all financial transactions for at least five years. This includes any information collected through CDD measures, account files and business correspondence, as well as any related analysis.
Businesses must also securely document and store any information obtained during the previous steps. Because this information is often sensitive, its loss or leakage would be a serious problem.
Maintain up-to-date records
If the circumstances of your customers ever change, as a business you'll need to amend their risk assessment and carry out further due diligence if necessary. Examples include a change in the ownership or structure of a business.
Customer due diligence solutions
Any approach to CDD must allow you to collect and verify basic information about your customer, including their name, date of birth and a photograph of an official document that confirms their identity and residential address.
One way to do this is to ask for a government-issued identity document like a passport or driver's license. Onfido's solution — which combines a document check with a biometric check — first verifies that this ID is genuine. We then compare the photo on the identity document with the person's biometric data to ensure that the document belongs to a real human and hasn't been stolen.
Businesses can then layer other checks and signals on top of this step. For example, requesting bank statements or other official documents, or capturing information from the electoral register.
An approach like Onfido’s builds higher assurance in your customers’ identities than many other outdated and less secure approaches, such as database checks. Effective CDD and KYC solutions are built on a combination of technology and expertise. As digital threats and the way we approach business-customer relationships evolve, businesses should consider innovating their approach to CDD.