Customer Due Diligence (CDD) is a core obligation for firms subject to anti-money laundering (AML) rules. Yet ensuring AML compliance during client onboarding is widely seen as a time-consuming task by companies in every industry.

If truth be told, most companies are rarely excited about new legal requirements. However, the frustration of ensuring compliance does not come from an unwillingness to conduct business legally. In reality, what challenges businesses are the administrative burdens and high costs associated with regulatory changes.

Therefore, it comes as no surprise that organizations often rush into reviewing their compliance procedures when expecting an audit or dreading a hefty fine.

This article helps you understand Customer Due Diligence and outlines a six-step process to meet this essential AML requirement.

What is customer due diligence (CDD)?
What is the difference between KYC and CDD?
What are the Customer Due Diligence requirements?
How does the customer due diligence process work?
    1. Collect identifying information
    2. Collect information on the purpose and intended nature of the business relationship
    3. Determine the risk level of the customer
    4. Apply the appropriate due diligence measures for the risk level of the customer
    5. Verify the legitimacy of the data collected
    6. Monitor the business relationship and update the customer information
How can Penneo help you comply with CDD requirements?


What is customer due diligence (CDD)?

Customer Due Diligence (CDD) refers to the process of doing background checks on your customer to determine their identity and the level of risk they pose. To this end, pertinent information about a customer is collected and evaluated to assess the potential money laundering or terrorist financing risks the customer might present.


What is the difference between KYC and CDD?

Know Your Customer (KYC) and Customer Due Diligence (CDD) both refer to processes intended to assess the identity of customers. While people often use the two expressions interchangeably, their meanings are quite different.

In the EU, Know Your Customer controls are commonly associated with the Markets in Financial Instruments Directive (MiFID). Their primary purpose was suitability: banks and investment firms had to understand a client's financial situation, knowledge and risk appetite in order to give appropriate advice and build an investment portfolio tailored to that profile.

On the other hand, Customer Due Diligence measures are regulated within the legal framework on anti-money laundering and terrorist financing laws. CDD aims to assess the risk a client presents (how likely they are to engage in or use your business for financial crimes).

Eventually, the scope of KYC checks expanded to other industries at high risk of being exploited for money laundering, such as audit and accounting, real estate and the legal sector. As a result, what used to be MiFID KYC controls are now part of CDD measures.


What are the Customer Due Diligence requirements?

There are four essential CDD requirements:

  • Identification of the customer (and beneficial owner/s if the customer is a legal entity) and verification of their identity through document collection and data screening
  • Collection of information on the purpose and intended nature of the business relationship
  • Determination of the risk level of the customer and application of the due diligence measures appropriate to the risk level
  • Ongoing monitoring of the business relationship

To meet these requirements, you first need to understand how the CDD procedure works.


How does the customer due diligence process work?

To perform an AML-compliant CDD process, you should follow the steps below:


1. Collect identifying information

The first step is obtaining information from the customer, either in person or digitally via email or forms. The crucial part here is to balance AML and GDPR obligations: collect everything the AML rules require, but no more than that, and protect what you collect. Data minimisation, access control and retention limits apply to CDD records just as they do to any other personal data.

Generally, essential information you should gather includes:

If the customer is an individual:

  • Full name
  • Residential address and mailing address
  • Contact numbers and email addresses
  • Place and date of birth
  • Gender
  • Nationality
  • Marital status
  • A government-issued identification number and tax identification number
  • Occupation
  • Specimen signature

If the customer is a legal entity:

  • Company name, type, status, address
  • Date and place of incorporation
  • Board resolution on authorized signatories
  • Company control structure: Directors, Shareholders, Senior Management
  • Company ownership structure: the Ultimate Beneficial Owner/s (UBOs) – i.e., the person/s holding a minimum of 10-25% of the capital or voting rights in the company (depending on the jurisdiction) – are to be identified and their personal information (listed above) is to be collected.

Note that the information to be collected may vary across jurisdictions.


2. Collect information on the purpose and intended nature of the business relationship

As a business, you need to understand why a customer wants to enter a business relationship with your company. Most of the time, the customer needs the services that your company provides. Sometimes, however, this is just smoke and mirrors.

To clearly understand the purpose and nature of the business relationship, you need to gather the following information:

  • details about the employment of the customer (if they are an individual) or their business (if they are a company);
  • the nature and purpose of the relationships between the company, customer, and underlying beneficial owners;
  • the anticipated level, frequency, and nature of transactions that are going to be performed by your firm for the client during the business relationship.

A clear understanding of why a prospect wants to become your customer is crucial to detecting suspicious activity throughout the business relationship. The intended nature of the relationship is also the baseline against which the ongoing monitoring requirement (step 6) is assessed: behaviour that departs from it is what monitoring is supposed to surface.


3. Determine the risk level of the customer

Although the identity of all customers must be verified, AML laws acknowledge that some customers may present a higher risk of money laundering or financial crimes compared to others.

Thus, once you conclude the identification phase, you need to establish whether the customer has a low-, standard-, or high-risk profile. This assessment is fundamental because you must apply different due diligence measures according to the risk level posed by the customer.

To rate the risk level of the customer, you should conduct the following background checks:


Name screening

You need to check official databases to find out if the customer falls in any of the categories below:

  • Individual or entity sanctioned for money laundering or financing terrorism;
  • Individual or entity reported in media to be involved in any illicit activity;
  • An individual classified as a Politically Exposed Person (PEP);

A PEP is a person who holds or used to hold prominent public functions domestically or abroad (or is the family member or close associate of a PEP, so-called Relative or Close Associate, RCA). The position and influence of PEPs might entail a higher potential for involvement in corruption. As a result, they are considered high-risk customers.

To perform these background checks, you must rely on trusted data sources, such as EU AML watch lists and EU sanctions lists (or relevant national registers), and EU or national PEP lists.
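As an added illustration (not part of the original article, and not code from any vendor's product), the following Python sketch shows why name screening has to normalize names before comparing them: a naive exact match misses "HANS PETER MULLER" against a list entry recorded as "Müller, Hans-Peter", while the normalized comparison catches it. The watch list entries, the corporate-suffix list and the 0.85 similarity threshold are constructed assumptions; a real system screens against the EU and national lists named above and tunes its thresholds on labelled data.

```python
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed watch list for illustration only. Names and list labels are made
# up and do not come from any real sanctions, PEP or adverse-media register.
WATCHLIST = [
    {"name": "Müller, Hans-Peter", "list": "sanctions"},
    {"name": "Jane Q. Doe", "list": "pep"},
    {"name": "Acme Shell Holdings Ltd.", "list": "adverse_media"},
]

# Assumed set of corporate suffixes to ignore when comparing legal-entity names.
CORPORATE_SUFFIXES = {"ltd", "llc", "inc", "gmbh", "sa", "ab", "aps", "plc"}


@dataclass(frozen=True)
class Hit:
    matched_name: str   # entry exactly as it appears on the list
    list_type: str      # which list produced the hit
    score: float        # similarity in [0, 1]; 1.0 means identical after normalization


def normalize_name(name: str) -> str:
    """Reduce a name to a canonical form so spelling variants compare equal.

    Steps: decompose and drop diacritics (Müller -> Muller), casefold, keep only
    alphanumeric tokens (drops commas, hyphens, dots), drop single-letter initials
    and corporate suffixes, then sort tokens so that 'Müller, Hans-Peter' and
    'HANS PETER MULLER' both become 'hans muller peter'.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = re.findall(r"[a-z0-9]+", stripped.casefold())
    tokens = [t for t in tokens if len(t) > 1 and t not in CORPORATE_SUFFIXES]
    return " ".join(sorted(tokens))


def naive_screen(name: str) -> list[Hit]:
    """Exact string comparison: the approach that misses obvious variants."""
    return [Hit(e["name"], e["list"], 1.0) for e in WATCHLIST if e["name"] == name]


def screen(name: str, threshold: float = 0.85) -> list[Hit]:
    """Compare the normalized query against each normalized list entry.

    Returns candidate hits scoring at or above `threshold` (an assumed value),
    best first. Hits are leads for an analyst to confirm or discard, not verdicts.
    """
    query = normalize_name(name)
    hits = []
    for entry in WATCHLIST:
        candidate = normalize_name(entry["name"])
        score = SequenceMatcher(None, query, candidate).ratio()
        if score >= threshold:
            hits.append(Hit(entry["name"], entry["list"], round(score, 3)))
    return sorted(hits, key=lambda h: h.score, reverse=True)


if __name__ == "__main__":
    for q in ["HANS PETER MULLER", "Jane Doe", "Acme Shell Holdings", "John Smith"]:
        print(f"{q!r}: naive={len(naive_screen(q))} hit(s), normalized={screen(q)}")
```

Token sorting handles "surname, given names" versus "given names surname" orderings, but it is deliberately blunt: transliteration variants such as "Mueller" for "Müller" still score below the threshold here, which is why production screening adds phonetic and transliteration rules and treats every hit as a lead to be reviewed rather than a finding.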


Risk factors

Additional elements need to be taken into account to categorize the customer in terms of the risk level, such as:

  • the type of customer;
  • the country or geographic area of the customer;
  • the products, services, transactions, or delivery channels of the customer.

Generally, a customer presents a lower degree of risk if any of the following circumstances applies:

  • the customer does not fall in one of the risk categories listed above;
  • the customer is a public administration or enterprise, or a public company listed on a stock exchange and subject to disclosure requirements that ensure transparency of beneficial ownership;
  • the customer is located in an EU member state, or in a third country that has an effective AML/CFT system or a low level of corruption and other criminal activity, or in a geographical area of lower risk;
  • their products, services, and transactions pose a low risk of money laundering and terrorist financing.

On the other hand, a customer presents a higher degree of risk if any of the following circumstances applies:

  • the customer falls in one of the risk categories listed above;
  • the ownership structure of the company appears unusual or excessively complex given the nature of its business;
  • the customer is established in a third country included in the EU Commission’s list of high-risk third countries (or relevant national list);
  • their products, services, and transactions pose a high risk of ML/TF because the company runs a cash-intensive business or involves private banking;
  • payments come from unknown or unassociated third parties, or the company's products or transactions favour anonymity or non-face-to-face business relationships or transactions.


4. Apply the due diligence measures appropriate for the risk level of the customer

Based on the customer risk assessment, you should then implement adequate due diligence measures. The law defines three types of customer due diligence:


Standard Due Diligence (CDD)

Standard Customer Due Diligence measures apply if the risk level of the customer is neither high nor low. These measures include customer identification, identity verification, and ongoing monitoring.


Simplified Due Diligence (SDD)

When a customer is low-risk, full Standard Due Diligence is not required and you may perform Simplified Due Diligence (SDD) instead. SDD still consists of customer identification and monitoring, but identity verification can be reduced in extent or deferred rather than performed in full up front.

This simplified process is allowed by law to reduce friction and exempt low-risk customers from complex CDD checks.

Remember that each jurisdiction has different requirements regarding when a client falls into SDD. Thus, make sure you are aware of the specific provisions set out in your country.


Enhanced Due Diligence (EDD)

For a high-risk customer, Standard Due Diligence is not enough. As a result, you should implement Enhanced Due Diligence (EDD) measures. These measures can include:

  • Collection of additional identification materials from the customer such as bank statements for individuals and recently filed business accounts, certificate of incorporation, articles of association, and annual reports for companies.
  • If the customer is a PEP, collect details about the position they hold or held, their level of influence, how long the PEP has/had been holding the position. If the customer is a PEP’s close associate or family member, establish their identity, title, role, and level of proximity to public office.
  • Collection of information about the wealth profile and net worth of the client, such as the source of wealth, source of funds, and annual income.
  • On top of that, you need documents supporting such information, especially when cash is involved. This documentation needs to confirm all legitimate assets like salary, the sale of a house or shares, inheritance, receipt of a personal injuries award, or a win from gambling activities. The purpose of the examination is to reveal any discrepancies between income, source of wealth, and overall net worth.
  • Closer scrutiny of the nature and purpose of the business relationship or transaction.
  • Enhanced ongoing monitoring procedures.

Remember that each jurisdiction has different requirements regarding when a client must be subject to EDD. Hence, make sure you are aware of the specific provisions set out in your country.

You can always perform EDD if you deem it appropriate based on the risk profile of the client. Accordingly, you can also apply EDD to cases where the law does not specifically require it.


5. Verify the legitimacy of the data collected

After collecting the customer information and assessing their risk level, you need to verify that the gathered data is truthful. As mentioned before, this step can be reduced or deferred for low-risk customers where simplified due diligence applies.

To verify the legitimacy of the data, you should collect official documents issued by a government body or a reputable independent agency.

For individual customers (and UBOs), check that the information provided by the customer matches the data in official identity documents, such as:

  • government-issued photographic ID card or passport;
  • tax statements;
  • utility bills to prove residential address.

For companies, you should check the accuracy of the information provided on the company and its control structure by consulting national business registers and the UBO register.

This verification is crucial to evaluate whether other people need to be involved in the CDD process. Sometimes it might be necessary to verify the identity of more persons – like other agents or additional beneficial owners.


6. Continuously monitor the business relationship and update the customer information

Performing an initial identification and screening is not enough to meet CDD rules. The law requires you to conduct ongoing monitoring of your customer, their business, and risk profile. This constant control is critical to ensure the information you hold about your clients is always accurate and reliable.

You need to update the customer information whenever monitoring reveals that changes have occurred:

  • in the ownership structure of the company;
  • in the risk profile of the customer or UBO;
  • in the type, location, or business of the customer that are relevant to their risk level.

Moreover, you need to ensure that the customer behavior is consistent with your knowledge regarding the nature and purpose of your business relationship.

For example, take a client who opened an account at a Danish bank stating they would transfer funds to other domestic banks at most ten times a year, and who then carries out numerous large transfers to various accounts abroad. This behaviour contradicts the information collected on the intended nature of the relationship. The bank must investigate the activity and, where the suspicion is not dispelled, report it to the relevant national authority (the financial intelligence unit).

To detect such changes promptly, review customer information periodically and not only when trigger events occur. As a rule of thumb, the review frequency should depend on the customer's risk level; regardless of risk level, we recommend refreshing all customer information at least once a year.
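The mismatch in the example above (a declared domestic, low-volume relationship followed by large transfers abroad) is exactly what profile-based transaction monitoring is meant to catch. The Python below is an added example, not code from the article or from Penneo's product: it compares a customer's declared profile from step 2 with constructed sample transactions, raises one alert per deviation, and applies the rule of thumb on review frequency (risk-dependent, capped at one year). The profile fields, the review intervals, the amounts and every transaction are assumptions made up for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DeclaredProfile:
    """What the customer stated at onboarding about the intended relationship (step 2)."""
    customer_id: str
    max_transfers_per_year: int
    expected_countries: frozenset[str]   # ISO country codes of expected counterparties
    max_single_amount: float             # largest single transfer the customer anticipates
    risk_level: str                      # "low", "standard" or "high" (outcome of step 3)


@dataclass(frozen=True)
class Transaction:
    when: date
    amount: float
    destination_country: str


@dataclass(frozen=True)
class Alert:
    customer_id: str
    rule: str
    detail: str


# Assumed periodic-review intervals by risk level, in days. The rule of thumb is a
# risk-dependent frequency with a hard cap of one year for everyone.
REVIEW_INTERVAL_DAYS = {"high": 90, "standard": 365, "low": 365}
MAX_REVIEW_INTERVAL_DAYS = 365


def check_against_profile(profile: DeclaredProfile, txns: list[Transaction]) -> list[Alert]:
    """Flag every transaction, and every yearly volume, that contradicts the declared profile."""
    alerts: list[Alert] = []
    per_year: dict[int, int] = {}
    for t in txns:
        per_year[t.when.year] = per_year.get(t.when.year, 0) + 1
        if t.destination_country not in profile.expected_countries:
            alerts.append(Alert(profile.customer_id, "unexpected_destination",
                                f"{t.when}: {t.amount:,.2f} sent to {t.destination_country}"))
        if t.amount > profile.max_single_amount:
            alerts.append(Alert(profile.customer_id, "amount_above_declared",
                                f"{t.when}: {t.amount:,.2f} exceeds declared max {profile.max_single_amount:,.2f}"))
    for year, count in sorted(per_year.items()):
        if count > profile.max_transfers_per_year:
            alerts.append(Alert(profile.customer_id, "volume_above_declared",
                                f"{year}: {count} transfers, declared at most {profile.max_transfers_per_year}"))
    return alerts


def next_review_due(profile: DeclaredProfile, last_review: date) -> date:
    """Periodic review date: risk-based interval, never longer than one year."""
    interval = min(REVIEW_INTERVAL_DAYS[profile.risk_level], MAX_REVIEW_INTERVAL_DAYS)
    return last_review + timedelta(days=interval)


def needs_review(profile: DeclaredProfile, last_review: date, as_of: date,
                 alerts: list[Alert]) -> bool:
    """A review is due on a trigger event (any open alert) or once the periodic date has passed."""
    return bool(alerts) or as_of >= next_review_due(profile, last_review)


# Constructed sample data modelled on the scenario above: a customer of a Danish
# bank who declared at most ten domestic transfers a year, none above 50,000.
PROFILE = DeclaredProfile("cust-001", max_transfers_per_year=10,
                          expected_countries=frozenset({"DK"}),
                          max_single_amount=50_000.0, risk_level="standard")
LAST_REVIEW = date(2023, 1, 1)
AS_OF = date(2023, 6, 1)

TRANSACTIONS = [
    Transaction(date(2023, 1, 10), 5_000.0, "DK"),
    Transaction(date(2023, 2, 14), 7_500.0, "DK"),
    Transaction(date(2023, 3, 3), 180_000.0, "CH"),
    Transaction(date(2023, 3, 5), 175_000.0, "AE"),
    Transaction(date(2023, 3, 6), 160_000.0, "PA"),
    Transaction(date(2023, 3, 7), 150_000.0, "CH"),
] + [Transaction(date(2023, 4 + i, 1), 3_000.0, "DK") for i in range(6)]


if __name__ == "__main__":
    found = check_against_profile(PROFILE, TRANSACTIONS)
    for a in found:
        print(f"[{a.rule}] {a.detail}")
    print("review needed:", needs_review(PROFILE, LAST_REVIEW, AS_OF, found))
```

Run on the sample, the four transfers abroad each trigger two alerts (destination and amount) and the twelve-transfer total trips the yearly volume rule, so the customer is pulled into review in June even though the standard-risk periodic review would not otherwise fall due until January. An alert is a prompt to investigate and, if the explanation does not hold up, to report; it is not itself a determination of wrongdoing.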


How can Penneo help you comply with CDD requirements?

If you follow these steps, you will have addressed the core CDD requirements set out in AML provisions.

Unfortunately, most firms do not have the necessary in-house know-how to carry out this task by themselves. Besides, things get even more complicated in an age where organizations rarely interact with their customers face-to-face. On top of that, going through these steps manually and documenting them on paper is a challenging task, requiring a lot of work.

To address these challenges, more and more firms are leveraging digital solutions. These solutions improve CDD activities from at least three perspectives: speed, security, and efficiency.

The Penneo KYC solution will drastically reduce the time and effort required to perform customer due diligence. With our user-friendly, digital platform, you can:

  • collect information about your clients and other required documents
  • verify their identity
  • screen them against national registers
  • understand the ownership structure of the company to make sure that the right people are involved in the process

Our KYC solution handles the entire CDD workflow and stores your customer data securely – all in one place. On top of that, the platform helps you increase the reliability and quality of CDD results and document that regulatory obligations have been met.