Customer Due Diligence (CDD) has become an essential part of running a business today. The Internet is an indispensable tool for getting your name out in the world of commerce and customers may come from any corner of the world and never even meet you. This is why it is important to know who you are dealing with – which is what CDD is all about.

There are lots of reasons to do this: preventing money laundering, making sure potential customers aren’t too risky to take on, and even preventing the financing of terrorism. We’ve narrowed down 5 key steps in the process of CDD to help you protect your business and remain compliant with your anti-money laundering requirements. 

Before getting into the nitty gritty details, the first thing to figure out is when you actually need to carry out CDD. The law cannot cater for the infinite business scenarios that might come up, so there are legally binding rules in place to assist businesses in implementing procedures according to a risk-based approach. It is generally recommended that businesses conduct CDD when establishing new business relationships, for certain occasional transactions, when transactions seem unusual, or even to check that everything with existing customers is in order. The law also sets out scenarios where EDD (Enhanced Due Diligence) has to be applied, such as when dealing with Politically Exposed Persons (PEPs). 

Step 1: Who is your customer? 

This one seems like a no-brainer, but the answer to this question isn’t always that straightforward. A customer is a person (natural or legal) who wants to either carry out an occasional transaction with you or to form an ongoing business relationship.

Where the customer is just a natural person acting on their own behalf, that’s brilliant and you can pretty much move on to Step 3. However, things get a little more complicated if you’re dealing with an agent (as shall be discussed in Step 2) or a legal person.

Legal persons include setups like companies, trusts, foundations, and commercial partnerships. These generally involve many individuals, so identifying the customer means figuring out who ultimately benefits from the business. The rule of thumb here is to go through the percentages of ownership until you reach the major beneficiaries – these are the people you need to run checks on.

In the case of companies, these are normally persons holding, directly or indirectly, over 25% of the ultimate ownership and/or voting rights. Alternatively, they can be persons who can be shown to exercise control via other means. If none of these apply, any natural person of the senior management of the company should be considered the customer. You also need to identify the directors of the company. A similar procedure applies when examining a commercial partnership – here the administration should be identified along with the beneficial owners.

In terms of trusts, the settlor, trustees, protector, beneficiaries, and any other natural person exercising ultimate control over the trust should be viewed as the beneficial owners. For other similar legal arrangements, such as foundations, the persons holding positions equivalent to those found in the trust model are the beneficial owners.

To make life a little easier, regulations require an organogram  to be drawn up showing all related beneficiaries.

Step 2: Are they acting on their own behalf?

So, let’s say a potential customer has an agent or an attorney that carries out transactions on their behalf. This could range from a firm setting up a company for an individual to an investment agent promoting a business. In this case, it can be seen that the agent is not the ultimate beneficiary. What is important to check is whether or not that agent has the right to act in the name of the beneficiary. Probably, you would need to request documents that show that they are allowed to conduct business on your users behalf, like a power of attorney or a resolution stating as much.

Step 3: Verifying the details

You have now understood who the people you are dealing with are, but this information needs to be backed up by proof from authentic, independent sources. This step is known as “verification”, and requires an eye for detail, since you have to make sure that all the details provided make sense and conform with evidence.

Firstly, you should request identity documents, typically an ID card or passport (though other documents may be valid). Naturally, all the documents cannot be expired! You can check their validity by having a look at the expiry date and also by using tools to check out the MRZ code.

The customer’s address also needs to be verified. This can be done by asking for a bank statement, utility bill or government issued document that is not older than 6 months. It’s important to remember that it needs to be linked to a residence, so something like a mobile bill is an absolute no! 

You may also feel the need to request further documents on the customer. For natural persons, one might request a bank reference, a certificate of good conduct, or even another piece of evidence for the same fact (e.g. asking for a utility bill and residence card for a proof of address). In addition, one can verify a customer’s claim to be of good repute by referencing sanctions lists, as well as general browser searches.

When a legal entity seeks to do business, it too has to be verified. You can do this by collecting one or more legal documents associated with the company, such as the certificate of incorporation, memorandum and articles of association, bank statements (not more than 6 months old), or audited financial statements to verify the beneficiaries, etc. You need to also check a company’s reputation online as well. 

Tip: when a director isn’t a beneficial owner, you do not need to verify their identity, but merely identify them.

This step ensures that the person is who they say they are! Valid and up to date documents are super important. 

Step 4: What’s their business and should I work with them?

Nature of the business

The crucial part of entering into business is deciding whether or not potential customers are good news or not. You need to weigh up all the risks involved, which means not only knowing who you are doing business with but also establishing what kind of business relationship they want.

Sometimes, this is obvious, (e.g. a customer opening an account on a gaming website). Other times, things are a bit tougher, and you’ll need more information. Where necessary, verify the customer’s business and business plans, their source of wealth (e.g. inheritance, income), and the origin of funds to be used for the business (e.g. investment). 

Should I work with them? – Risk Assessment

When you think you have enough information to identify the customer, any beneficial owner/s, whether agents are involved, why the customer wants your services, where the cash is coming from and, after you have verified the required details, you can form a business and risk profile for the customer. 

To paint a picture, you have to put all the details together. Is your customer from a low or high-risk country? Do they have a reputation or a criminal record? Are they a PEP? Is their cash clean? Are there conflicts from any other businesses they’re involved in? Do their activities seem normal? Can unusual behaviour be explained?

All your information should be analysed together to conclude whether you can handle the risk presented by the customer, as well as what kind of risk-reducing measures you can adopt.

Depending on how the questions popping up can be answered, you need to weigh up all your facts to see if the business is worth the risk, or if perhaps it’s best to just let it be – you might even need to report this to the proper authorities if something is extremely suspicious.

A customer’s risk and business profile also tells you when you should next check up on them, and the level of risk can become lower or higher in risk according to what changes you find.

To verify the level of risk exposed you should ideally use a risk scoring model that is reasonable, consistent and aligned with your risk appetite.  Subscribers of StartKYC PEP and Sanction screening services may make use of a risk calculator that has recently been made available.

Step 5: Ongoing Monitoring 

You’ve verified your customer, you know who they are, you’ve checked all the countries they have ties with, and they seem like they get their money through legitimate ways. Everything was all well and good until you’re customer changed career and is now a politician. To be sure this news doesn’t just spring up, conducting regular checks is a must.

One way is to scrutinise transactions – if a transaction or payment method suddenly changes, you should investigate it to see what’s going on.

Let’s say a verified customer who has consistently paid you with yearly bank transfers suddenly decides to start paying in small frequent transactions in cash without warning – This sudden change should be looked into, just to make sure that nothing is amiss. 

Alternatively, if a customer starts a new business project with you, you’ll have a new set of transactions to keep tabs on, adding to what you know about the customer.

Keeping up to date and accurate records is another part of monitoring. If, after six months, you request a new proof of address from a customer and realise they are now living in a very reputable jurisdiction, this might lower the risk associated with them when looking at the broader view.

All documents must be stored properly and need to be easily accessible. Keeping electronic copies in separate customer files, even of certified true originals, is good practice in case of external investigations, as well as for your own ease.

Ongoing monitoring also lets you figure out whether or not the risk level of a customer has changed. You wouldn’t really know that unless you had a look every so often and run your necessary checks!

The good news is that ongoing monitoring happens as often as you like. You decide how often you need to run the necessary checks – it all depends on the type and scale of risks that come with your business and customers. 

What? That’s it? 

Yup, that’s it. Don’t get us wrong, each business needs to specially tailor its own CDD process, because this allows you to keep safe and remain compliant without overdoing or underdoing things. To make checks as often and in as much detail as is appropriate, you need to make sure that the tools you use are up to scratch. After all, if you’re properly equipped to monitor the more mundane or repetitive things you can focus on analysis and expansion and make the process, as well as your whole business, more streamlined and productive for both you and your customer.