Customer Due Diligence for Dummies
Customer Due Diligence (“CDD”) or Know Your Customer (“KYC”) – a daunting topic and task for some. You may ask: What is the difference between CDD and KYC? What does CDD actually entail? What purpose does CDD serve? What are the three different levels of CDD? In this month’s article we will have a look at exactly these questions.
Firstly, what is the difference between CDD and KYC?
We often see the two terms, CDD and KYC, used either interchangeably or as two distinct terms.
These two terms really are interrelated and there are opposing opinions as to whether KYC is part of CDD or whether CDD is part of KYC.
Anna Stylianou has managed to encapsulate a good basic distinction between the two terms in one of her LinkedIn posts, which distinction was formulated based on the Financial Action Task Force’s (“FATF”) Recommendations and the ACAMS glossary.
The distinction reads as follows:
“KYC refers to the initial identification and verification measures taken by an entity on onboarding to be able to specify what is the “normal and expected” account movement while CDD uses KYC information and applies it taking into consideration the ML/TF/FC (money laundering, terrorist financing and overall financial crime) risk of each and every client.”
Ultimately, both KYC and CDD involve the identification and verification of a customer’s identity. The jurisdiction, as well as the context of your organization’s Anti-Money Laundering program, will inform and define each of the two terms (whether the organization elects to use both or just one of the two).
What is CDD and what purpose does it serve?
CDD is an integral component in the fight against financial crime and essentially entails a process whereby information is collected in order for the organization to:
- identify and verify who the organization will be conducting business with;
- understand what purpose the business relationship will serve;
- assess the level of risk that a particular customer poses to the organization;
- mitigate the established risks posed by a particular customer.
There are various official and unofficial sources that i) provide guidance and recommendations on what CDD is and how to conduct it, and ii) impose a legal obligation on certain organizations to conduct CDD.
From a Dutch perspective for example, the Wet ter voorkoming van witwassen en financieren van terrorisme (“Wwft”) outlines the requirement for certain identified entities to conduct CDD.
There are three levels of CDD:
- Standard Due Diligence
- Simplified Due Diligence and
- Enhanced Due Diligence.
Standard Due Diligence
Standard Due Diligence is performed when an organization has to establish the nature and the purpose of a potential business relationship with a customer and involves the accurate identification and verification of such customer.
It involves the gathering, checking, and recording of basic information such as:
- who the ultimate beneficial owner is;
- whether the customer is acting in a personal or representative capacity; and
- what purpose the business relationship will serve.
This information is used to determine the risk level of the customer and to establish whether the organization is required to conduct further Enhanced Due Diligence.
Simplified Due Diligence
Simplified Due Diligence is a more basic form of CDD and is typically applied in instances where information on a customer’s identity and beneficial owners is available to the public and where the ML/TF risk that a customer poses is significantly lower.
In instances where a customer is suspected of ML/TF or a specific high-risk scenario is relevant to the customer in question, Simplified Due Diligence will not be considered acceptable.
Enhanced Due Diligence
Enhanced Due Diligence pertains to higher or increased risk customers and entails an in-depth investigation into the customer. Some of the risk factors that may increase the ML/TF risk posed by a customer include:
- The customer is incorporated in/operates in a high-risk third country;
- The customer is a politically exposed person (“PEP”), related to a PEP or associated with a PEP.
In the end, the level of CDD to be applied will be determined by the customer’s risk assessment, which is informed by numerous factors, including (but not limited to) the type of customer, the products and/or services the customer provides, and the jurisdiction in which the customer is situated or operates.