Customer due diligence (CDD) is a fundamental component of an effective AML compliance program. It involves the collection of relevant customer information, which is then evaluated for potential money laundering and terrorist financing risks to the financial institution. The implementation of risk-based CDD policies, procedures, and processes is not only a regulatory requirement but also helps institutions avoid fines and penalties, financial loss, increased expenses, and other associated risks.
Customer Due Diligence: An Overview
Conducted properly, CDD enables financial institutions to ensure that their customers are indeed who they say they are. The objective of CDD processes and procedures is to allow institutions to understand the nature and purpose of customer relationships, including the types of transactions in which a customer is likely to engage. This aids in the detection and reporting of unusual or suspicious activity. CDD consists of four core requirements which are codified in FinCEN’s “Customer Due Diligence Requirements for Financial Institutions” (also known as the CDD Rule). Under these requirements, financial institutions are required to:
- identify and verify the identity of customers;
- identify and verify the identity of the beneficial owners of companies opening accounts;
- understand the nature and purpose of customer relationships in order to develop customer risk profiles; and
- conduct ongoing monitoring to identify and report suspicious transactions and, maintain and update customer information on a risk basis.
FinCEN’s CDD Rule
FinCEN’s CDD Rule, which became effective in May 2018, essentially created what has come to be known as the “fifth pillar” of a BSA/AML compliance program. The rule was created in order to mitigate risks associated with the lack of transparency around the beneficial ownership of certain business entities, such as anonymous shell companies, which have increasingly been used to launder illicit proceeds due to vulnerabilities and inconsistencies associated with company formation.
The CDD Rule formalizes existing supervisory expectations with regard to CDD requirements for U.S. banks and other covered financial institutions. It also adds a new requirement for these institutions to identify and verify the identity of natural persons (known as beneficial owners) of legal entity customers who own, control, and profit from companies when those companies open accounts. Under the CDD Rule, a legal entity customer is a corporation, limited liability company, general partnership, limited partnership, business trust, or other entity created by the filing of a public document with a secretary of state or similar office.
Beneficial Ownership
Contained within the four components of CDD is FinCEN’s beneficial ownership requirement. More specifically, financial institutions must collect and verify the beneficial ownership information of each person who meets the definition of a beneficial owner under the CDD Rule’s two-pronged approach—the ownership prong and the control prong.
Under the ownership prong, a beneficial owner is any individual who owns 25 percent or more (whether directly or indirectly) of a legal entity. Under the control prong, a beneficial owner is any individual who has significant responsibility or control of the legal entity, including an executive officer or senior manager. For example, this may include a chief executive officer, chief financial officer, chief operating officer, managing member, general partner, president, vice president, treasurer, or any other individual who regularly performs such functions.
Under this definition, a legal entity will have a total of one to five beneficial owners (one person under the control prong and zero to four persons under the ownership prong). However, the rule recognizes that there may be instances when no single individual owns 25 percent or more of the equity interest in a legal entity. In such cases, the institution is still required to collect the required information for one individual who controls, manages, or directs the legal entity customer.
Customer Due Diligence Requirements
In accordance with regulatory requirements, covered financial institutions must develop and implement risk-based CDD policies, procedures, and processes that are commensurate with the institution’s BSA/AML risk profile. These must be written and include a heightened focus on higher-risk customers, such as Politically Exposed Persons (PEPs) and others.
Furthermore, a strong CDD program should include specific procedures for reviewing and approving changes to customer status and risk profile, as well as standards for conducting and documenting analysis associated with the due diligence process. It should also include guidance for resolving issues when insufficient or inaccurate information is obtained. Additionally, a clear statement outlining management and staff responsibilities, as well as the extent of their authority, should be included.
Creating a Customer Risk Profile
The customer identification process generally begins with the collection of customer information. This occurs at the onboarding stage when a business relationship is first established with a potential customer.
Once customer information is collected and evaluated, the customer should be assigned a risk rating in accordance with the risk that he or she may present to the institution. Applicable regulations do not specify the type, category, or values to be used in determining a customer risk rating. Therefore, risk ratings can be classified as ranging from “low risk” to “high risk,” or they may be given a numeric value based on predefined criteria.
Rating customers based on risk helps an institution to decide how and when to apply appropriate checks and controls that are commensurate with the level of risk and allows institutions to prioritize and allocate resources to areas that require greater attention. This concept is also referred to as the customer risk profile.
Similar to an institution’s overall risk assessment, the assessment of customer risk is also specific to each institution and will vary based on a number of factors, such as the institution’s size and complexity. In determining a customer’s risk profile, the institution should take into account a number of risk categories as they relate to the customer relationship.
These categories are substantially similar to the risk categories considered when evaluating the institution’s overall risk profile and may include products and services, customers and entities, and geographic locations.
In order to make a proper risk evaluation, the specific risks presented by each customer or category of customers should be identified. An analysis of all pertinent information should then be conducted in order to develop the customer’s risk profile.
As with the risk assessment, some factors may be weighted more heavily than others. For instance, certain products and services used by the customer, the nature of the customer’s business, or the geographic location where the customer conducts business, may present a greater risk of money laundering or terrorist financing. Also, actual or anticipated activity in a customer’s account may be used in determining the customer risk profile.
Nonetheless, a financial institution’s process for determining customer risk profiles should be sufficiently detailed to distinguish between notable differences in the risks presented by its customers.
Gathering Customer Information
Gathering and analyzing relevant customer information enables financial institutions to demonstrate that they have an understanding of the customer relationship, including its nature and purpose.
Customer information should be collected and maintained not only for purposes of developing a customer risk profile but also to enable the institution to conduct ongoing monitoring of the customer and to identify and report suspicious transactions, a process that should continue throughout the lifecycle of the customer relationship.
This includes the collection of beneficial ownership information for legal entity customers in accordance with FinCEN’s CDD Rule. It also includes updating customer information on a risk basis. This may involve triggering events such as a change in the customer’s business or occupation, a relocation to a higher-risk jurisdiction, or a substantial change in income.
The following list constitutes general customer information that may need to be collected at onboarding in order to develop customer profiles for individual and entity customers.
Individual Customer Profile Information
- Full name, including any aliases
- Residential address, and mailing address (if different)
- Contact numbers, such as home and work telephone numbers, mobile numbers, and email addresses
- Date of birth
- Place of birth
- Gender
- Marital status
- Nationality
- Race
- Government-issued identification number, such as a social security number, passport number, or tax identification number
- Genuine photograph from a government-issued document, such as a passport or driver’s license
- Employment status
- Business/Occupation
- Annual income
- Source of wealth
- Source of funds
- Purpose of account/planned transactions
- Signature
- Parental consent form (where the individual is a minor)
- Confirmation against PEP lists and sanctions lists, such as OFAC’s Specially Designated Nationals (SDN) List
Legal Entity Customer Profile Information
- Name of legal entity
- Type of legal entity (e.g., corporation, LLC, partnership)
- Date of incorporation
- Place of incorporation
- Principal place of business
- Copy of relevant entity documentation (e.g., Article of Incorporation, Certificate of Organization, Certificate of Partnership)
- Annual report
- Officers and Directors
- Ultimate beneficial owners
- Source of wealth
- Source of funds
- Purpose of account/planned transactions
- Depending on the nature and type of entity, other documents may include: Board Resolutions, Certificate of Incumbency, Constitution, Articles of Association, Certificate of Good Standing, etc.)
- Confirmation against PEP lists and sanctions lists, such as OFAC’s Specially Designated Nationals (SDN) List
Trust Customer Profile Information
- Settlor’s/Grantor’s identification information
- Trustee’s identification information
- Beneficiary’s identification information
- Trust protectors’ identification information
- Relationship between settlor/grantor, trustee, trust protector, and beneficiaries
- Ultimate beneficial owner’s identification information
- Source of wealth
- Source of funds
- Purposed of account/planned transactions
- Confirmation against PEP lists and sanctions lists, such as OFAC’s Specially Designated Nationals (SDN) List
Higher Risk Customers
The amount and type of customer information collected by the financial institution should be commensurate with the customer’s risk profile. For example, customers classified as high risk (i.e., have a higher customer risk profile) present an increased risk of exposure to financial institutions.
Therefore, institutions should collect more information from these customers. This may be necessary both at onboarding and on an ongoing basis. Likewise, less information may be required from customers that pose a lower risk (i.e., have a lower customer risk profile).
Accordingly, CDD policies, procedures, and processes should define both when and what additional customer information will be collected based on the customer risk profile and the specific risks posed.
Enhanced Due Diligence
Enhanced due diligence (EDD) refers to the process of collecting additional information, conducting extra checks, and performing more thorough reviews of customers that pose an increased risk to the financial institution.
Even within categories of higher-risk customers, there may be a range of risks. Therefore, the extent of EDD may vary on a case-by-case basis.
Additional information to be collected in these cases may include things such as financial statements, location of branches and subsidiaries of legal entity customers, description of the business customer’s primary trade area, whether transactions are expected to be domestic or international, expected volumes of such transactions, description of business operations, such as total sales and volume of currency transactions, and information about third parties, such as major customers and suppliers.
Extra checks may involve things such as conducting negative media searches, screening additional blacklists, searching corporate databases for entity customers, and verifying additional data.
Furthermore, information collected from higher-risk customers should be reviewed more thoroughly at account opening and more frequently throughout the course of the customer relationship.
Conducting an appropriate level of customer due diligence in accordance with the customer’s risk profile will enable the financial institution to understand what constitutes normal and expected account activity for each customer and to identify and report potentially suspicious transactions, as well as mitigate risks posed to the institution.
Ongoing Monitoring
Ongoing monitoring of customer relationships includes the requirement to maintain and update customer information, including beneficial ownership information of entity customers, on a risk basis, and to identify and report suspicious transactions.
This includes written procedures containing criteria that describe when and by whom customer relationships will be reviewed when customer information will be updated, and when and by whom customer profiles will be reassessed.
Although there isn’t a requirement that customer information be updated on a continuous or periodic basis, this should be done on an event-driven basis. According to the FFIEC BSA/AML Exam Manual, some factors that may be considered in determining when to review a customer relationship include things such as:
- Significant and unexplained changes in account activity;
- Changes in employment or business operation;
- Changes in ownership of a business entity;
- Red flags identified through suspicious activity monitoring;
- Receipt of law enforcement inquiries and requests such as criminal subpoenas, National Security Letters (NSL), and section 314(a) requests;
- Results of negative media search programs; and
- Length of time since customer information was gathered and the customer risk profile assessed.
Finally, an institution’s CDD policies, procedures, and processes should adequately describe how the institution ensures that its customer information is both current and accurate.
Conclusion
Recent regulatory and enforcement actions illustrate that AML compliance violations largely stem from deficiencies in one or more of the five pillars of a BSA/AML compliance program.
Customer due diligence comprises the crucial fifth pillar and is an area where exam deficiencies are commonly identified. Therefore, maintaining robust and effective CDD is critical, particularly as financial institutions continue to face increased risks of fraud and other financial crimes during the ongoing pandemic.
Moreover, regulators have repeatedly expressed expectations for up-to-date procedures, appropriate allocation of resources, including prioritization of high-risk areas, and incorporation of technology in AML compliance programs.
To learn how your institution can meet these challenges and conduct more effective, risk-based CDD, contact the experts at Alessa today.