What an Effective EDD Program Looks Like
Organizations need to fully understand the implications of engaging any new customer, supplier or other third party, and not only identify potential risk at the on-boarding stage, but also monitor for change on an ongoing basis. The consequences of failing to comply with regulatory requirements are significant, and include enforcement action, hefty fines and potentially lasting reputational damage.
To manage these risks, an Enhanced Due Diligence (EDD) program is a must. But what does EDD really look like and how do you conduct it properly?
The presentation will review the steps in an effective EDD program, whether you are a financial institution or a corporation engaging with global suppliers. Topics covered include:
- What is the difference between customer due diligence (CDD) and EDD
- Role of technology-enabled EDD in entity, vendor and third-party risk management
- Why EDD is much more than a sanctions and watch list screen
- How to enhance the EDD process – what to do when and how
- How EDD can be used for FCPA and other anti-bribery, anti-corruption programs
Here are the questions and answers from the session:
Q: How long is EDD required for a person who is considered a PEP?
A: Belani: In my previous roles, we would still look at the PEP for quite some time, depending upon the jurisdiction. I don’t have strict numbers. I would say refer to the BSA FFIEC manual because I do not want to misspeak in terms of what the EDD look-back or monitoring should be around a PEP. In my experience, we always took note of a former PEP, but it was somewhat dependent upon the jurisdiction.
Someone who was the mayor of a small town in the U.S. is not necessarily an issue. It might ping in a database, but obviously, someone who is the son of the president of a different country has a different level of risk associated.
Q: Is a variable name search applied to sanctions only or to negative news as well?
A: Belani: I think you should always be conducting numerous iterations on the name. It’s dependent upon your internal research methodology, but you have to think about transliteration issues, you have to think about people going by variations on their name, so I would always run multiple variations.
It hearkens back to the kind of Boolean research techniques: when in doubt, when you have a name, boil it down, if reasonable, to the most common aspects. My name is Nicholas. If you do not know if I go by Nicholas with a CK or a CH, boil down to NIC for the first name and then obviously Belani for the last name.
Always err on the side of inclusion with variable names.
Simpson: When you submit the name, and that goes for the EDD researchers, they will deal with the variations. If you are doing your own sanctions, PEP, or OFAC-type screening within the platform, then the platform, depending on how you set it up, should be configured to do stuff like that.
So, it would recognize that Nicholas and Nick Belani are the same person, like Andrew and Andy. There is always the matter of the different names in different languages and so on. So the software itself should be handling that for you, as well.
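The variant-name screening both panelists describe, as an added example that is not code from the webinar or from any vendor platform: names are normalized so transliteration and diacritic differences compare equal, a nickname table (constructed here, and deliberately tiny) expands Nicholas/Nick and Andrew/Andy, and the first name is also "boiled down" to a three-letter stem so that an uncertain spelling still surfaces for analyst review. The watchlist entries are constructed sample data.

```python
import unicodedata

# Constructed nickname table: a real screening platform would carry a much
# larger, curated list and language-specific transliteration rules.
NICKNAMES = {
    "nicholas": {"nick", "nic", "nicolas", "nikolas"},
    "andrew": {"andy", "drew"},
}

# Constructed watchlist for the demonstration (not real persons).
WATCHLIST = ["Nick Belani", "Nikolás Belani", "Nic Belani",
             "Andy Belani", "Nicholas Smith", "Andrew Belani"]


def normalize(name: str) -> str:
    """Lower-case, strip diacritics and punctuation so transliteration
    variants such as 'Nikolás' and 'Nikolas' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(c for c in ascii_only.lower() if c.isalnum() or c == " ").strip()


def first_name_variants(first: str) -> set[str]:
    """Canonical first name, its known nicknames, and the three-letter
    'boiled down' stem (e.g. NIC) the panelist recommends."""
    first = normalize(first)
    variants = {first}
    for canonical, nicks in NICKNAMES.items():
        if first == canonical or first in nicks:
            variants |= {canonical} | nicks
    if len(first) >= 3:
        variants.add(first[:3])
    return variants


def name_matches(query: str, candidate: str) -> bool:
    """True when last names agree and the candidate's first name is a
    variant, or shares the three-letter stem, of the query's first name.
    Stem matching errs on the side of inclusion, as the panel advises."""
    q_first, _, q_last = normalize(query).rpartition(" ")
    c_first, _, c_last = normalize(candidate).rpartition(" ")
    if not q_first or not c_first or q_last != c_last:
        return False
    variants = first_name_variants(q_first)
    return c_first in variants or c_first[:3] in variants


def screen(query: str, watchlist: list[str]) -> list[str]:
    """Return every watchlist entry that should be escalated to an analyst."""
    return [entry for entry in watchlist if name_matches(query, entry)]
```

Hits are escalations for human review, not automatic decisions; the panel's point is that the platform should widen the net, and the analyst then confirms identity.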
Q: This is the first that I have heard about ESG Due Diligence. Is this being done in the U.S. or internationally? Are FIs performing this process against customers only, or customers and third-party providers?
A: Belani: We are seeing it in the U.S. and internationally as well. We are seeing a fair amount from private equity firms, from certain financial institutions, as well as non-financial institutions conducting this kind of sustainability and ESG research, to get a handle on how companies are looking at environmental, social and governance issues.
Especially with things like climate change, different social issues that have been brought up recently as well as governance.
So it is kind of with the general regulatory push that is moving more into the ESG space.
Q: During COVID, we refused a particular client for acceptance of a wire from her bank account, held in Canada, as we had risk-rated her as high risk due to our EDD noting that they are a foreign PEP. We reviewed the FINTRAC brochure around foreign PEPs with the client, who stated that they are not, when our EDD has proven otherwise. When we re-open, can you provide a politically correct suggestion on how to de-risk the client without tipping them off that we consider them high risk? Despite the client funds even emanating from a Canadian bank, it would be the original source of funds that is in question, as well as our proven EDD that they are a foreign PEP.
A: Simpson: In terms of how you go about de-risking the customer, that is just based on your own risk methodology or risk appetite, and how you communicate back so as not to tip your hand should just be driven by your own internal policies. And I do not think that it necessarily has anything to do with whether they are a PEP or whatever. But within your own AML or risk management program, you should definitely just have your internal policies and procedures on how to handle de-risking. Also, review how to deal with onboarding a customer.
Belani: I agree that it should be more driven by the internal policies and procedures, in terms of how to handle de-risking and how to communicate that to a potential client.
In terms of not tipping your hand, as Andrew alluded to, obviously you want to soften the edges, and as you de-risk and figure that out, I would defer to the internal policies and procedures around potential client communication.
Q: Given EDD may differ across sectors or industries, for example, real-time versus periodic screening of all transactions, should screenings still be viewed as part of EDD?
A: Belani: Screening is required for those who want to have it in real time, or need to have it in real time. There are a lot of great screening tools out there, but it is not always going to give you the deep-dive picture. It will let you know in real time of a change to someone’s profile and ideally their risk profile. It is something that should be tethered to EDD because it will promote a continued understanding of the riskier enterprise and a continued understanding of how you mitigate that risk.
I think monitoring is obviously a great way for you to lessen the load on your analysts and on your compliance department. Because you can be, not necessarily reactive, because it is in real time, but it will, obviously, promote that continued understanding of that client’s risk level.
So, I think monitoring should be a part of the EDD process.
Q: We went through the difference between CDD and EDD. However, it appears that there is some fluidity on what would be considered basic CDD for lower risk customers, versus higher risk customers. When does CDD stop and EDD start?
A: Belani: The stricter definition has CDD being the kind of baseline consideration and EDD, ideally, being the escalation for high-risk clients. But what we are actually seeing in the market is that it is typically based on industry and your risk appetite.
We are seeing CDD expand gradually. But there is definitely a fluidity between the two, wherein more of the research elements that historically would have been considered a kind of escalation to EDD are shifting. Specifically, EDD research elements are now becoming part of baseline CDD procedures to effectively vet and get the most fulsome view, which previously would probably not have been as fulsome.