What Is Customer Due Diligence (CDD)?
CDD checks help verify customer identity and assign the correct risk level to an organization or financial institution. CDD checks are a core requirement in regulations and laws enforcing anti-money laundering (AML) compliance. In addition, CDD is part of a broader compliance requirement called Know Your Customer (KYC).
Here are a few examples of regulatory authorities that require CDD:
- US Federal Financial Institutions Examinations Council on Customer Due Diligence (FFIEC)
- Financial Action Task Force (FATF)
- Financial Crimes Enforcement Network (FinCEN)
The goal of CDD is to help organizations obtain information from their customers, which can help them avoid business relationships that may be related to criminal activity - such as money laundering, tax evasion, and financing of terrorist organizations. CDD can also help financial institutions identify customers with low credit ratings.
In this article:
- Importance of CDD
- Customer Due Diligence Levels
- When Is CDD Required?
- What Is the Risk-Based Approach?
- Four Best Practices for Running an Effective KYC and CDD Program
  - Customer Acceptance Policy
  - OCDD (Ongoing Customer Due Diligence)
  - Establish Clear, Documented Procedures
  - Verify Customer Identities
- Customer Due Diligence with BlueCheck
Importance of CDD
According to a Thomson Reuters report, major financial institutions spend $150 million per year on average on KYC compliance to prevent money laundering and other financial crimes. Money laundering affects 2-5% of global GDP each year. You can avoid the risk of such financial crimes in your organization by conducting due diligence.
Failure to comply with anti-money laundering (AML) guidelines can result in significant fines. Global authorities issued over $13 billion in penalties to organizations for violating AML laws, and the number is rapidly growing from year to year. For example, the UK Financial Conduct Industry (FCA) recently fined London Commercial Bank over $37 million for violating anti-money laundering guidelines.
In an environment of growing financial crime, it is necessary to identify customers' risk levels preemptively. This can help fight financial crime and ensure the safety of your assets. Failure to perform customer due diligence can also lead to reputational issues. Remember that a single money laundering or terrorist financing event can irreparably damage a company's reputation.
Customer Due Diligence Levels
It is common to apply customer due diligence differently to different groups of customers, according to the level of compliance risk they present:
- Standard—CDD process performed on all customers by default.
- Simplified—this is a less severe form of due diligence that should apply to customers deemed at lower risk.
- Enhanced due diligence will apply to customers whose identity cannot be found or in situations with a high risk of financial crimes such as money laundering. Enhanced due diligence involves collecting and verifying additional documents from the customer.
When Is CDD Required?
CDD is primarily needed when a company enters a business relationship or performs a transaction with a customer or prospect. For example, if the business relationship falls under AML regulation, the company needs to assess the customer's risk profile and verify the customer's identity.
Companies are typically required to perform KYC and CDD in these cases:
- New business relationships—before establishing business relationships, companies must perform due diligence to ensure customers are consistent with the required risk profile and are not using a false identity.
- Special transactions—specific types of transactions may warrant CDD. For example, this may include transactions with foreign entities over a certain amount or transactions with high-risk parties.
- Suspicion of financial crimes—if there is reason to suspect that a transaction may be part of a money-laundering attempt or may be related to the financing of terrorist organizations, the company must perform CDD.
- Untrusted documents—if the identifying documents provided by the customer are unreliable or insufficient, the company must conduct an additional CDD review.
What Is the Risk-Based Approach?
KYC and CDD should be applied based on the evaluated risk of each customer. Businesses should assess each customer's AML risk and adjust their due diligence review accordingly. Most customers should be subject to standard CDD measures, requiring identification, verification, and evaluation of the business relationship. In low-risk scenarios, a business may simplify due diligence and require only identification, with no proof required.
4 Best Practices for Running an Effective KYC and CDD Program
Use the following best practices to ensure your KYC and CDD efforts are more effective.
Customer Acceptance Policy
Your organization should have a KYC policy, which outlines the requirements customers must meet before registering for your products or services. The policy should also outline the type of risk that a particular customer may pose.
High-risk customers, such as politically exposed customers, require a rigorous CDD process. The policy should include control over this process. There should be checks and balances to ensure that acceptance policies are not too restrictive, negatively impacting disadvantaged customers.
OCDD (Ongoing Customer Due Diligence)
The key to an effective and sustainable CDD program is having policies in place for every situation. In addition, anticipating scenarios with customers can help clarify in advance which CDD method is best, speeding up response times.
Compliance is not only about implementing regulatory checkboxes but also about competitive advantage. Effective and ongoing compliance can reduce risk, increase knowledge about customers and enable adaptive business processes. In addition, establishing values and procedures that promote vigilance and respect for regulatory obligations will help build more transparent organizations with more robust governance.
Establish Clear, Documented Procedures
A good KYC plan needs clear, well-documented procedures to work effectively. The responsibilities of all business roles should be clarified, with clear channels for reporting suspicious activity. Companies also need internal processes that describe the course of action employees should take if a risk arises. Procedures should be subject to regular evaluations, including internal audits and extensive external audits.
Verify Customer Identities
Adopt CDD protection as early as possible to detect potentially malicious individuals before establishing business relationships with them. Put barriers in place to prevent financial criminals from accessing your accounts, thus avoiding suspicious activity before it starts.
The best way to do this is to evaluate potential customers and gain insight into their business activities. This can be as simple as verifying a name and address. However, with the growth of online scams and fraud, gathering more information and performing additional identification checks is recommended.
Personal identification process
Valuable sources of information for the identification process include the name, address, birth date, ID number and identity documents, telephone number and data from mobile networks, geolocation, automated identity verification via selfie and/or live video, and third-party proof of identifying documents.
Business identification process
When the customer is a business, the legality of the business must also be verified, along with the account holder's authority to act on behalf of the business. A business identification process focuses on company registration number, date of incorporation, company type, company name and address, management personnel, and operational status.
Early detection and handling of falsification of personal or business information can avoid risks and exposure to AML violations.
Customer Due Diligence with BlueCheck
BlueCheck’s industry-leading identity verification infrastructure enables merchants to grow their business faster. As BlueCheck serves a wide variety of industries, our solutions are custom-tailored to the unique needs of our customers, including PACT Act and eCommerce compliant offerings.