CDD information comprises the facts about a customer that should enable an organisation to assess the extent to which the customer exposes it to a range of risks. These risks include money laundering and terrorist financing. Organisations need to ‘know their customers’ for a number of reasons:
Consequently a prohibition on setting up anonymous accounts or relationships is the baseline for the international standards.
The Third European Directive requires that CDD measures should be applied on a risk-sensitive basis, depending on the type of customer, business relationship or nature of the transaction or activity. Firms must, however, ‘be able to demonstrate to the supervising authorities that the extent of the measures is appropriate to the risks of money laundering and terrorist financing’. In line with the FATF requirements, the Directive outlines the four parts of customer due diligence, including an explicit requirement for ongoing monitoring. There is a specific requirement to identify the beneficial owners of legal entities and structures and to undertake enhanced due diligence on higher risk customers.
The application of CDD is required when a firm covered by money laundering regulations ‘enters into a business relationship’ with a customer or a potential customer. This will include occasional ‘one off’ transactions even though this may not constitute an actual business relationship as it is defined below. A customer/business relationship is defined as being formed when two or more parties engage for the purposes of conducting regular business or to perform a ‘one off’ transaction. The term ‘business relationship’ applies where a professional, commercial relationship will exist with an expectation by the firm that it will have an element of duration.
International standards require that a risk-based approach is applied to CDD.
Consequently, the measures should be applied on a risk-sensitive basis depending on the type of customer, business relationship or nature of the transactions or activity. Higher risk categories should be subject to enhanced due diligence.
The risk assessment will determine how much of the information collected needs to be independently verified, as the following examples indicate.
Privately owned companies and other entities, e.g. trusts, are generally assessed as higher risk than quoted companies because they are exposed to a lower level of external scrutiny than those that are publicly owned. For such relationships, the identities of the beneficial owners and controllers must also be verified in addition to verifying the identity of the corporate entity. Beneficial owners may also be executive directors or the settlors of trusts.