How to perform customer due diligence: Best practices and requirements
Table of contents
In 2022 alone, banks and other financial organizations were fined almost $5 billion for failing to conduct proper customer due diligence.
Customer due diligence (CDD) is what every financial institution must conduct. Together with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations, it is one of the three essential components in the fight against financial crimes. Failure to perform adequate CDD may result in reputational damage and significant fines.
In this article, we explore the steps for performing CDD, provide you with practical tips and best practices, and explain the importance of compliance with these regulations.
What is customer due diligence?
Customer due diligence (CDD) is a series of checks that helps organizations assess and verify the identity of their customers. It aims to mitigate risks associated with money laundering, terrorism financing, fraud, and sanctions busting.
The customer due diligence process typically includes the following stages:
- Establishing customer identities
- Performing a customer risk assessment
- Collecting additional information (if required)
- Reporting suspicious activity
To collect necessary information for CDD, organizations turn to different sources, including the customer, sanctions lists, and public and private data sources.
There are three types of customer due diligence, each tailored to specific customer risk levels: standard, simplified, and enhanced. By selecting the most appropriate CDD level, organizations maintain a robust yet flexible approach to customer verification.
Primarily, customer due diligence is applied to financial institutions, but it’s also a requirement for all non-financial businesses operating in countries that are members of the Financial Action Task Force (FATF). These businesses must adhere to the guidelines outlined in the FATF’s 40 Recommendations document.
When to apply CDD, and which type to use?
Let’s identify the cases when customer due diligence is required:
- New business relationship. When an individual or entity establishes a new business relationship with a financial institution, CDD is necessary. In this case, a potential customer should provide information on the origin of funds they will be using, financial statements, and details of the relationships between signatories and any underlying beneficial owners.
- Occasional transactions. This kind of transactions occurring outside of established business relationships and exceeding €10,000 require CDD (this figure has been reduced from €15,000). This requirement also extends to linked transactions, deliberately broken down into smaller parts to avoid CDD checks. Additionally, CDD applies for occasional transactions below €15,000 involving high-risk customers or regions.
- Unusual customer’s activity. When the customer’s activities are unusual, and a financial institution suspects money laundering or financing terrorism, CDD measures are essential.
- Doubtful customer’s identification information. When there are doubts about a customer’s identification information and the provided documentation seems unreliable, conducting customer due diligence is a must.
Each case may undergo a standard, simplified, or enhanced due diligence process, depending on the customer risk profiles:
Type of DD | When to apply | Description | Customer’s risk profile* |
1.Standard due diligence | Applied to determine and verify a new customer’s identity and gain initial insight into its risk profile. | It aims to ensure that at least essential checks are performed before a customer onboarding process. | Applied to all customers |
2.Enhanced due diligence | When a customer isn’t physically present during identification checks. When establishing a business relationship with a politically exposed person (PEP), i.e. an individual entrusted with a prominent public function. For example, a foreign or domestic member of parliament, a government minister, or their family members. A PEP typically presents a higher risk for potential involvement in bribery and corruption. When engaging in financial transactions with an individual from a high-risk third country. In any other situation where money laundering risks are high. | It involves obtaining and verifying additional customer information and conducting more thorough background checks. | High-risk customers |
3.Simplified due diligence | When the customer poses very low risks of money laundering, terrorist financing, or other financial crimes. | It entails a less strict approach in certain check aspects. | Low-risk customers |
*Every financial institution, based on its location and area of focus, creates its own processes and procedures. Together with internal controls, they help organizations assign a risk level to each customer.
Customer due diligence checklist
Now, let’s explore the customer due diligence checklist to learn what steps to take.
1. Establish customer identities
The first step is to conduct basic customer due diligence, which involves establishing the identity of potential customers by collecting and evaluating relevant information. This is important as it helps to identify fraud, ensure customers are indeed who they claim to be, and comply with AML regulations.
The following steps help to verify customer identities:
- Collect the customer’s information through an online form or KYC questionnaire. Gather essential data, including full name, date of birth, and residential address.
- Obtain copies of identity documents to verify the provided information.
At this step, it’s also recommended to review sanctions lists to ensure you’re not doing business with a sanctioned party. Failure to do so may result in substantial fines and legal proceedings.
2. Perform a customer risk assessment
Now, it’s time to assess a customer’s profile according to associated risks. This assessment further defines what type of due diligence a customer requires, simplified or enhanced.
To conduct a customer risk assessment, evaluate customers based on whether they come from a low or high-risk country, their industry, and their financial history. This information gives you an idea of whether a client requires a more rigorous CDD process.
If not, opt for simplified due diligence, which involves loosening several aspects of the checks. For example, you can:
- Modify the timing of CDD
- Adjust the quantity of obtained information
- Review the frequency and intensity of transaction monitoring
3. Collect additional information (if required)
If, after risk assessment, you find it necessary to conduct enhanced due diligence, continue with the following steps:
- Obtain additional identifying information
- Conduct background checks by searching online databases or hiring a professional service
- Analyze the purpose of a transaction
- Analyze the origin of funds
- Check media to identify any adverse mentions
- Examine the customer’s social media accounts
- Request references from other companies that have had dealings with the customer
- Arrange on-site visits if necessary
- Perform ongoing monitoring, especially of higher-risk customers
Note: Pay close attention to the last point, as even after completing the due diligence, ongoing monitoring of customer profiles is crucial. It helps to ensure customer activities remain compliant and free from suspicious transactions. Employ the following steps to monitor customer activity:
- Regularly review the customer’s business account statements and transaction history.
- If anything unusual is observed, take appropriate steps, such as contacting the customer or reporting questionable activities to the relevant authorities.
4. Report suspicious activity
If you have reason to believe a customer is involved in money laundering or any other illicit activity, report it immediately. In this case, organizations don’t just follow the best practices, they fulfill their legal obligations.
The process of reporting suspicious activity varies depending on the country. The most common way is to file a Suspicious Activity Report (SAR) to a jurisdiction’s financial intelligence unit (FIU).
Note: It’s not allowed to disclose to customers that a SAR has been filed against them.
Tip: Consider employing a third-party Certain data may only be accessible through third-party sources, such as banks, legal specialists, or auditors. These experts can provide guidance and verify the accurate execution of all CDD processes. To hire a required specialist, search online or seek recommendations from a professional network. Once potential candidates are found, review their qualifications and conduct interviews to choose the best fit for this job. |
Introducing the 4 main CDD requirements
In the UK alone, the Financial Conduct Authority (FCA) imposed fines of over £52 million in 2023. These fines are issued for a range of reasons, including non-compliance with anti-money laundering regulations and failure to conduct proper CDD checks. This not only leads to financial losses but also poses a considerable reputational risk for the entities involved.
That’s why it’s essential each institution adheres to a rigorous CDD process. Even though each country may have its specific AML regulations, there are four standard, core customer due diligence requirements:
- Customer identification and verification. The first core pillar of CDD involves thorough customer identity verification and investigation. This requires collecting and confirming personal details, such as name, date of birth, address, and identification numbers.
- Beneficial ownership identification and verification. Beyond individual customers, financial institutions must identify and verify the company’s beneficial owners, i.e. individuals who ultimately own or control the business.
- Defining the purpose of the business-customer relationships. This involves understanding and documenting the reasons for the relationships between financial institutions and their customers. This helps in creating risk profiles and ensures the business interactions align with their intended purposes.
- Ongoing monitoring. It involves regularly reviewing customer account activity to detect transactions that appear suspicious or unusual. When such transactions are identified, they must be reported to the relevant authorities.
Tip: Consider using automated customer due diligence solutions Automated solutions streamline the CDD process, reduce manual errors, and provide more efficient risk assessment. |
The importance of a customer due diligence process
To exemplify how expensive and harmful it is not to stick to customer due diligence requirements, let’s consider the following cases:
- Danske Bank. In 2022, Danske Bank failed to implement effective CDD measures, which resulted in a fine of over $2 billion. “Danske Bank lied to U.S. banks about its deficient anti-money laundering systems, inadequate transaction monitoring capabilities, and its high-risk, offshore customer base in order to gain unlawful access to the U.S. financial system”, commented the Justice Department’s Criminal Division.
- Equifax Limited. In October 2023, Equifax Limited faced a fine of over £11 million from the FCA as a result of one of the most significant cybersecurity breaches in history that exposed consumers to financial crime risks. The situation was described as “entirely preventable,” underlining the need for robust CDD practices.
Thus, the importance of customer due diligence can’t be overestimated as it helps banks and other financial institutions with:
- Legal compliance. Adhering to CDD requirements is essential for complying with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations, avoiding heavy fines, and preventing legal consequences.
- Reputation protection. Proper due diligence protects a business’s reputation by ensuring ethical and transparent dealings and maintaining customer trust.
- Financial security. It also helps protect a company’s financial health by preventing losses resulting from fraudulent activities or regulatory penalties.
Risk-based approach in customer due diligence
A risk-based approach (RBA) is a strategic method that focuses on proactive risk management to combat financial crime. It’s widely recognized in AML compliance and includes the following aspects:
- Proactive risk management. Instead of reacting to financial crimes after they occur, a risk-based approach anticipates and addresses potential risks in advance, making it a preventive strategy.
- Customization within frameworks. Anti-money laundering compliance guidelines provide specific frameworks, but they offer flexibility for businesses to choose which measures best suit their needs. This customization is a crucial feature.
- Compliance with global standards. The RBA aligns with international AML standards and guidelines, including those set by the Financial Action Task Force (FATF). This ensures that businesses adhere to best practices recognized worldwide.
- Client-centric approach. It focuses on individual clients, recognizing that not all customers pose the same level of financial crime risk. This approach makes sure AML measures correspond to the risk associated with each client.
Key takeaways
- Customer due diligence helps businesses verify customer identities and assess risks to prevent financial crimes like money laundering and terrorism financing.
- The CDD process involves four stages, including establishing customer identities, performing risk assessments, collecting additional information, and reporting suspicious activities.
- There are three types of CDD: standard and simplified CDD for low-risk customers and enhanced CDD for high-risk cases.
- Key customer due diligence requirements include customer identification and verification, beneficial ownership identification, defining the purpose of business-customer relationships, and conducting ongoing monitoring.
Revolutionize your deal management
Begin your 30-day full-access free trial today