CDD information comprises the facts about a customer that should enable an organisation to assess the extent to which the customer exposes it to a range of risks. These risks include money laundering and terrorist financing. Organisations need to ‘know their customers’ for a number of reasons:
- to comply with the requirements of relevant legislation and regulation
- to help the firm, at the time the due diligence is carried out, to be reasonably certain that the customers are who they say they are, and that it is appropriate to provide them with the products or services requested
- to guard against fraud, including impersonation and identity fraud
- to help the organisation to identify, during the course of a continuing relationship, what is unusual and to enable the unusual to be examined; if unusual events do not have a commercial or otherwise straightforward rationale they may involve money laundering, fraud, or handling criminal or terrorist property
- to enable the organisation to assist law enforcement, by providing available information on customers being investigated following the making of a suspicion report to the FIU.
Consequently, a prohibition on setting up anonymous accounts or relationships is the baseline for the international standards.
The basic European and domestic standard
The Third European Directive requires that CDD measures should be applied on a risk-sensitive basis, depending on the type of customer, business relationship or nature of the transaction or activity. Firms must, however, ‘be able to demonstrate to the supervising authorities that the extent of the measures is appropriate to the risks of money laundering and terrorist financing’. In line with the FATF requirements, the Directive outlines the four parts of customer due diligence, including an explicit requirement for ongoing monitoring. There is a specific requirement to identify the beneficial owners of legal entities and structures and to undertake enhanced due diligence on higher risk customers.
Who is the customer and what is meant by the identification of beneficial owners?
The application of CDD is required when a firm covered by money laundering regulations ‘enters into a business relationship’ with a customer or a potential customer. This will include occasional ‘one off’ transactions even though this may not constitute an actual business relationship as it is defined below. A customer/business relationship is defined as being formed when two or more parties engage for the purposes of conducting regular business or to perform a ‘one off’ transaction. The term ‘business relationship’ applies where a professional, commercial relationship will exist with an expectation by the firm that it will have an element of duration.
The risk-based approach to CDD
International standards require that a risk-based approach is applied to CDD.
Consequently, the measures should be applied on a risk-sensitive basis depending on the type of customer, business relationship or nature of the transactions or activity. Higher risk categories should be subject to enhanced due diligence.
The risk assessment will determine how much of the information collected needs to be independently verified, as the following examples indicate.
- Only simplified or basic account opening information may need to be collected for a low-balance, low-turnover deposit account. The extent of information that is verified can be restricted to the identification evidence and information concerning source of the funds and the expected frequency of deposits and withdrawals.
- For standard-risk customers, i.e. those who are permanently resident in the country, with a salaried job or other transparent source of income, only the standard information provided may need to be verified.
- Enhanced due diligence should be applied to higher-risk customers/clients. Enhanced due diligence must also be applied to the beneficial owners or controllers of higher-risk companies or structures.
- Quoted companies and their wholly-owned subsidiaries are considered to be lower-risk, requiring only simplified due diligence.
Privately owned companies and other entities, e.g. trusts, are generally assessed as higher risk than quoted companies because they are exposed to a lower level of external scrutiny than those that are publicly owned. For such relationships, the identities of the beneficial owners and controllers must also be verified in addition to verifying the identity of the corporate entity. Beneficial owners may also be executive directors or the settlors of trusts.