There’s more to CDD than anti-money laundering checks
Customer due diligence (CDD) is the process of identifying and verifying a client’s identity. Together with assessing the risks associated with providing services to that client it’s a key component of anti-money laundering (AML) compliance for regulated professionals.
But to stay compliant, this process needs to go beyond simply checking a client’s ID using online anti-money laundering checks.
It should enable you to understand who your clients are, where their funds come from and what risks they may pose. This protects the integrity of the UK financial system and prevents your business from being used to facilitate financial crimes.
Performing thorough CDD is also legal requirement for regulated professionals under AML regulations. Failure to comply can result in severe penalties, prosecution and damage to your business’ reputation.
More than AML checks
Many regulated professionals think of CDD as simply performing anti-money laundering checks on a client’s identity. ID verification checks a box. But it does little to equip you with meaningful knowledge about the client that could reveal unwanted risks.
Proper CDD is a process of gaining a holistic understanding of your client and getting insights into their reputation, nature of business, legitimacy of funds, potential ties to concerning jurisdictions, and other important factors. This needs to happen before you start a new client relationship.
It enables you to truly know who you’re dealing with – not just confirming that they are who they claim to be on paper, which is all many of the anti-money laundering checks you buy online do.
It involves assessing the money laundering (ML), terrorist financing (TF) and proliferation financing (PF) risks posed by a client and establishing appropriate ongoing monitoring.
Under AML regulations and sector guidance, CDD must be conducted on a risk-based approach. This means the CDD measures applied should be tailored to the ML, TF and PF risks posed to your business by each individual client.
Higher risk clients require enhanced due diligence (EDD), which involves gathering additional information and performing further verification steps. You can apply simplified due diligence (SDD) for lower risk clients.
So let’s get started…
Sometimes overlooked is the need to prove that someone has the right to the identity that they are claimed. Check that how any online searches do that or use consider a biometric check to verify that someone facially matches the photograph on a government issued document.
Identifying the ultimate beneficial owner
Identifying the ultimate beneficial owner (UBO) and understanding who has ownership and control, beyond just the registered legal entity, is crucial.
It helps to give you transparency on your client’s corporate structures, allowing you to see beyond the surface level of company ownership and shedding light on the individuals who actually control the financial and operational dealings of a company.
This is essential in combating money laundering, as illicit actors often hide behind layers of corporate entities to obscure their activities from law enforcement and regulatory oversight.
Failure to identify the UBO, and therefore fail to comply with AML regulations, can lead to significant legal and financial repercussions.
Client risk assessment
Put simply the CDD and risk assessments are intrinsically linked.
The extent of your CDD is determined by a risk assessment for each client, along with your own business-wide risk assessment. You need to complete the risk assessments to determine what level of CDD you need to perform on the client.
However, the understanding you get of your client by completing the CDD steps might reveal hidden risks – this is insight that anti-money laundering checks can’t give you. You then need to go back to the risk assessment and adjust the risk levels.
The importance of a client risk assessment cannot be overstated. Firstly, it forms the foundation for fulfilling the regulatory requirements set by the UK’s AML regime, assessing the specific risks presented by each client to ensure that appropriate measures are taken to manage and mitigate those risks.
Secondly, a thorough risk assessment is key to implementing a risk-based approach, as recommended in current AML directives and legislation. The risk-based approach allows you to allocated resources efficiently and effectively towards clients who pose a higher risk. Don’t lose sight that any steps to mitigate any identified risks should be taken, to both follow guidance and to protect your business.
Understanding your client
Who are they, what do they do and where is their money is coming from? Answering these questions is a critical part of the CDD process for regulated professionals to comply with AML regulations. To get this information, you need to go through processes like:
- identifying sources of wealth and funds. How did they acquire their money and assets?
- identifying the ultimate beneficial owner, and understanding who has ownership and control – not just the registered legal entity.
- understanding the client’s business, including their industry, products, customers, geographic reach and more.
- screening clients against sanctions lists, adverse media and politically exposed persons databases.
Doing this just once isn’t enough. You need to regularly review and update your client profiles as their and your business’ circumstances change over time.
Source of funds and wealth
Understanding where your client’s funds originate from and how they acquired their wealth is a critical part of the CDD process. This helps identify any potential risks or warning signs associated with the client.
When onboarding a new client, you should ask questions to understand:
What is the source of the funds being used, for example salary, inheritance, sale of assets etc? Documentation should be obtained to verify this.
What is the origin of the client’s overall wealth, for example property investments, business ownership, inheritance etc? Supporting documentation should again be gathered.
Does the client’s wealth and source of funds seem reasonable given their occupation, assets, country of residence etc? Any inconsistencies could indicate risks.
Do the client’s funds originate or pass through high-risk jurisdictions with limited AML regulations? This would warrant further due diligence.
Are the client’s funds derived from any potentially illegal source or activity? If so, the engagement should likely be declined.
Scrutinising source of funds and wealth provides assurance that the client’s activities are legitimate. It also ensures the advisor does not become part of arrangement to launder money. Ongoing monitoring of source of funds and wealth should continue throughout the client relationship.
Understanding your client’s business
Different industries and markets have varying levels of exposure to ML, TF and PF risks. By understanding the specifics of a client’s business, you can tailor your AML policies, controls and procedures (PCPs) to address the unique risks presented by each client’s business operations and sector.
Not only does this allow you to take a measured approach to your risk, it’s an obligatory part of your AML compliance. To adhere to the UK’s AML regulations and sector guidance, you must not only identify and assess the risks associated with each client but also monitor their business transactions and patterns regularly.
Your knowledge of the client’s industry, products and customer base also needs to monitored regularly, so that you can spot and report suspicious activities effectively.
PEP and sanctions screening
As part of your CDD, you must screen clients against politically exposed persons (PEP) lists. PEPs are individuals who hold prominent public positions and may be more vulnerable to corruption. This includes positions like heads of state, senior officials in government, judicial or military officials, senior executives of state-owned corporations, and political party officials.
The purpose of PEP screening is to identify if a client matches any individual on a PEP list. If a client appear on a PEP list, you must assess the risk level and determine appropriate measures.
Keep in mind that a client may need treating as PEP even if they don’t hold the relevant political office themselves. The PEP obligations extend to close know associates and family members.
Similarly, sanctions screening involves checking clients and beneficial owners against sanctions lists to identify any known criminals or individuals and entities subject to restrictions.
Though not technically part of AML, sanctions screening usually sits in AML procedures. This is because the methods used to try to bypass sanctions restrictions are often similar to money laundering measures.
Sanctions screening mitigates the risk of you doing business with people who are legally restricted from doing business in the UK or making transactions using the UK financial system. Matches from the screening process should raise alarm bells with senior management immediately as providing services a sanctioned individual could lead to criminal or civil penalties for your business.
Adverse media screening
This involves screening clients against publicly available information to uncover any potential involvement in criminal activity or other adverse media. Some key things to look out for during adverse media screening:
- News reports linking the client to financial crime, fraud, corruption, or other illicit activity
- Inclusion of the client on any government sanctions or watchlists
- Evidence of the client concealing ownership of assets or companies
- Client named in leaks or investigations like the Panama Papers
- Lawsuits or legal cases alleging financial misconduct by the client
- Suspicious corporate structures or complex ownership designed to mask identity
- Connections to politically exposed persons or high-risk jurisdictions
- Signs the client is trying to obscure the source of funds or wealth
Thorough adverse media screening provides critical intelligence for risk-rating clients and determining the appropriate level of monitoring required.
Record keeping
You must keep detailed records of all the CDD steps you’ve carried out and attach them to the individual risk assessment. This is a key part of demonstrating compliance to your supervisor or in case of any later investigations by law enforcement. These are some of the common records you need to keep relating to CDD:
- Copies of all documents gathered for identity verification, such as passports and utility bills
- Details of all checks done to verify customer identity
- Information about the purpose and intended nature of the business relationship
- Details of all payments made and transactions carried out
- Any changes made to CDD information over time, such as a change of address
- Notes from ongoing monitoring of the relationship and transactions
- Details of any additional due diligence for high risk relationships
- Information about the source of funds and source of wealth
- Screening checks done for PEPs, sanctions lists and adverse media
- Client Risk Assessments
Keeping detailed records is vital for showing regulators and law enforcement that comprehensive CDD has been performed in line with regulations. These records must be kept for 5 years after the end of the business relationship.
Proper CDD record keeping demonstrates that a professional has taken appropriate measures to prevent money laundering through customer accounts. This protects the reputation of your business and reduces the risk of fines for non-compliance.
Ongoing monitoring
CDD is not a one-time check, but an ongoing process. To be compliant with AML regulations, you must monitor your business relationships on a continuous basis. This means regularly reviewing existing records and updating the information.
The purpose of ongoing monitoring is to keep the CDD information relevant and correct, this means up to date. It allows you to detect unusual transactions or activities that may indicate ML, TF or PF.
Some examples of ongoing monitoring include:
- reviewing transactions to check consistency with the client’s business and risk profile.
- identifying changes to CDD information, such as contact details or ownership structure.
- screening client records against new databases in case of new sanctions, criminal convictions, etc.
- analysing the client’s transactional behaviour for developing risks.
- assessing whether the risk profile of the client has changed over time.
AMLCC gives you every tools you need to complete all your business’ AML obligations, including CDD. Explore our product features to discover how or book a discovery call with one of our AML-qualified advisors who will show you around the platform.