Customer Due Diligence (CDD) information comprises the facts about a customer that should enable an organisation to assess the extent to which the customer exposes it to a range of risks. These risks include money laundering and terrorist financing. Organisations need to ‘know their customers’ for a number of reasons:
Consequently a prohibition on setting up anonymous accounts or relationships is the baseline for the international standards.
The fifth European Anti-Money Laundering Directive (AMLD 5) was published on 19 June 2018. It extends the scope to virtual currency platforms and wallet providers, tax related services and traders of art. It also grants access to the general public to beneficial ownership information of EU based companies and makes it obligatory to consult the beneficial ownership register when performing AML due diligence.
The EU has introduced strict enhanced due diligence measures for financial flows from high-risk third countries and further enhanced the powers of the FIUs and facilitates cooperation and information exchange among authorities. EU member states are obliged to transpose the modified regulations into national law by latest 20 January 2020.
The application of customer due diligence is required when a firm covered by money laundering regulations, ‘enters into a business relationship’ with a customer or a potential customer. This will include occasional ‘one off’ transactions even though this may not constitute an actual business relationship as it is defined below.
A customer/business relationship is defined as being formed when two or more parties engage for the purposes of conducting regular business or to perform a ‘one off’ transaction. The term ’business relationship’ applies where a professional, commercial relationship will exist with an expectation by the firm that it will have an element of duration.
International standards require that a risk-based approach is applied to customer due diligence.
Consequently, the measures should be applied on a risk-sensitive basis depending on the type of customer, business relationship or nature of the transactions or activity. Higher risk categories should be subject to enhanced due diligence.
The risk assessment will determine how much of the information collected needs to be independently verified, as the following examples indicate.
Privately owned companies and other entities, e.g. trusts, are generally assessed as higher risk than quoted companies because they are exposed to a lower level of external scrutiny than those that are publicly owned. For such relationships, the identities of the beneficial owners and controllers must also be verified in addition to verifying the identity of the corporate entity. Beneficial owners may also be executive directors or the settlors of trusts.