Financial crime isn’t just about finance. It’s also about knowing your customer.
Businesses don’t like to admit that they’ve been defrauded. But in the digital age, word gets around, and it gets around fast. A fraudulent customer can cause more than financial losses (though for smaller businesses, such losses can be devastating). A fraud event can also result in lost future business. And other fraudulent actors may find out and decide that the defrauded organization is an easy mark.
Businesses can verify customer identities and assess and mitigate fraud risks, including exposure to money laundering, with a process called customer due diligence (CDD). Disciplined CDD procedures can thus protect businesses from financial crime, regulatory penalties, and reputational damage.
CDD has been particularly essential for financial services firms, but companies in other industries should also familiarize themselves with these practices since just about every organization is at risk of fraud. (And in many cases, businesses can and should apply CDD to potential vendors as well as customers.)
What is customer due diligence?
Customer due diligence (CDD) is the process of verifying a customer’s identity and assessing their risk level through background checks, document verification, and monitoring of their business activities to ensure compliance with regulatory requirements and prevent financial crimes.
CDD describes the process of performing background checks and other screening on potential customers before they are onboarded. The CDD process typically involves these steps:
- Identification. The organization begins by gathering information about the customer, including name and address, details about the business in which it’s involved, and what kinds of transactions it will be conducting with the organization.
- Verification. Companies then verify the information that the customer provides through official documents such as driver’s licenses, passports, utility bills (in the case of individuals), and incorporation documents (where the potential customer is another business).
- Monitoring. The CDD process doesn’t end when the customer is onboarded. An organization should engage in ongoing monitoring of the customer’s activities and behaviors, especially when the customer is identified as high-risk (a term we’ll define shortly).
Why is customer due diligence important?
CDD can reduce and mitigate many of the risks that businesses must monitor and manage, primarily those involving fraud and financial crime. And by detecting these fraud risks early on, organizations can save themselves significant amounts of money.
One of those cost savings can include avoiding penalties for not complying with U.S. and global know-your-customer (KYC) and anti-money laundering (AML) regulations. Yet another benefit of a CDD program is protecting an organization’s reputation. Demonstrating proven fraud prevention capability can provide a competitive advantage in the organization’s marketplace.
Differences with enhanced due diligence
Enhanced due diligence (EDD) is a more advanced risk management process than CDD, and it’s used specifically for identifying and verifying high-risk customers. What counts as “high-risk”? The term can describe companies based in what have been identified as high-risk countries. Most high-risk nations are located in Africa and the Mideast, though the list also includes Croatia, Monaco, and Bulgaria.
Another example of a high-risk customer is a business that employs or includes in its ownership structure a politically exposed person (PEP). A PEP is someone who holds or has recently held a prominent public or government position. PEPs can include heads of state, high-ranking government officials or military officers, and leaders of state-owned enterprises.
EDD involves gathering much more documentation and other information than CDD to determine whether the business and its owners are truly what or who they claim to be. Because of this, it requires more staff and more financial outlay. And given the level of investigation needed, conducting EDD also involves a longer timeline.
Understanding the implications
As we noted, any organization should use CDD to identify and monitor high-risk customers, even if its process doesn’t go as in-depth as EDD. An organization conducting CDD on a high-risk potential customer will want to verify its beneficial ownership information (BOI). In addition, it should take a closer look at potential customers operating in high-risk businesses such as investment services, gambling, and correspondent banking services (for instance, wire transfers and check clearing).
Regulatory requirements
By developing CDD processes, organizations can better comply with industry or legislative regulations created to prevent money laundering and terrorism financing. Financial institutions also need to be in compliance with federal KYC and AML regulations such as those promulgated by the U.S. Financial Crimes Enforcement Network (FinCEN) requiring customer identification programs (CIPs).
Organizations doing business globally should familiarize themselves with key international KYC standards. The European Union (EU) has several stringent regulations, including the Electronic Identification, Authentication and Trust Services (eIDAS) rules established to oversee electronic identification and trust services for digital transactions within EU countries. In 2020, the EU’s Fifth Anti-Money Laundering Directive put in place additional AML rules. Regardless of where an organization does business, effective CDD procedures include keeping abreast of new KYC and AML rules and regulations.
The process of customer due diligence
The EDD process begins with a checklist. Here is a representative example, one that organizations can tailor based on their specific requirements, resources, risks, and customer bases:
A checklist is invaluable for conducting CDD, especially in industries such as banking, finance, real estate, and others where regulatory requirements for customer onboarding are particularly stringent. A checklist typically includes these steps:
- Customer identification. This involves verifying customer identities using documents including government-issued IDs, passports, utility bills, and documents such as articles of incorporation and business licenses.
- Document verification. The CDD process should also verify the authenticity of these documents and other identifying information through cross-checking and investigative technology.
- Risk assessment. This step involves conducting a thorough risk assessment based on factors including customer information, their geographic location, and their transaction history. The organization can use this information to categorize potential customers by different levels of risk. This can help determine how much due diligence is required for each customer. With those demonstrating a higher level of risk, the business should consider conducting the depth of investigation that the EDD process provides.
- Monitoring. Once CDD is finished and the customer is onboarded, a business should regularly review and update customer information, particularly for customers that change location frequently or whose transactions suddenly deviate from their regular patterns.
- Record keeping. The organization needs to keep thorough records of all customer interactions, documents, identification checks, and risk assessments. It should also maintain a strict internal reporting procedure.
Best practices for enhanced due diligence
Creating and following such a checklist is in itself a CDD best practice. That’s in large part because a well-thought-out checklist incorporates best practices regarding documentation as well as standards for ongoing monitoring. Many CDD best practices also are listed in the framework of recommendations established and regularly updated by the Financial Action Task Force (FATF), an international standard-setting body dedicated to combating money laundering and terrorist financing. Other CDD best practices that organizations should consider include training staff in how to conduct thorough CDD. The use of digital data-gathering and investigative tools represents yet another best practice.
Technology is critical because an effective CDD program requires rigorous procedures, and many organizations don’t have sufficient staff resources to dedicate to them. Technology can allow the organization to automate many of these protocols. Given the essential importance of CDD in protecting organizations from fraud and other financial risks, organizations must ascertain that the technology tools they choose can deliver reliable information. These tools should also integrate easily with the organization’s existing IT network. Because these capabilities are so crucial to preventing fraud, identifying the right tech solution requires its own due diligence.
Thomson Reuters has developed technology for financial institutions that allows organizations to quickly and accurately verify a potential customer’s details—and thoroughly investigate identities that may be suspicious or high-risk. It incorporates CLEAR, Thomson Reuters’ digitally based public records access and investigation tool that can help businesses of all kinds construct a more self-protective customer onboarding process.
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.