What fintechs need to know about CDD
Risk and compliance management are key focus areas for fintechs. But how do you make sure that your customer is who they say they are, and that your business is not being used to launder money?
Understanding customer due diligence (CDD) is crucial for effectively managing risk and compliance in your business. As the fintech industry grows, it is important that all players maintain its sanctity by ensuring proper CDD and enhanced due diligence (EDD) processes. CDD and EDD are both terms that describe the process of assessing the risks associated with a customer. CDD is an umbrella term for this assessment. EDD on the other hand refers to a detailed review of the risks posed by a customer or prospect in the event that the initial assessment carried out in the process of CDD shows they are high risk.
Let's get into it.
Customer due diligence (CDD) explained
CDD is the ongoing process of identifying and assessing risks connected to a customer from the time of onboarding and throughout the duration of the business relationship. This process covers everything from validating basic KYC and KYB requirements to analysing customer risk through fraud identifiers. This leads on to carrying out EDD where necessary. The thing most companies get wrong about CDD is that they view it as a one-off task. But CDD is not just something you do as part of customer onboarding and never again. CDD is a process that happens continually, throughout your relationship with the customer, and shouldn’t be neglected at any point as long as the customer is actively doing business with you.
SDD vs. CDD vs. EDD
When carrying out due diligence, using a risk-based approach helps you understand the type of information you need to collect from a business or individual. Section 18 of the Money Laundering Regulations outlines some of the factors you will need to consider when performing an initial risk assessment, including the countries in which your potential customer operates, the nature and size of their business, their customer base, the types of products and services they offer, and their delivery channels. You should also carefully consider how you expect the customer to interact with your products and services, taking into account:
- the purpose of the account to be set up
- the expected nature, volume and frequency of transactions to be carried out
- the projected length of the business relationship
Once you’ve assessed this information, you can decide which due diligence approach is right for your customer:
- Simplified due diligence: This is the lowest level of due diligence that can be done on a customer. This approach is only taken when there is almost zero chance or risk of your customer being involved in money laundering or terrorist financing. The service provided and business conducted by the customer also have to qualify as very low risk. A UK government agency, for example, would qualify for simplified due diligence. At this level, the customer only has to pass identity verification.
- Customer due diligence: CDD is conducted where some risks have been identified but overall it is quite unlikely that those risks pose a threat to your business. At this level, you are required not only to identify and verify your customer, but also to gather relevant information on their business and operating model and the nature of their products and activities. This will include screening checks for adverse media, politically exposed persons (PEPs), sanctions, and fraud. Your reviews should provide you with the confidence that your own business will not be used to launder money or finance terrorism. As with all due diligence approaches, a continuous and ongoing assessment of the customer is required as long as the business relationship exists. This is important to help flag risks that may arise at a later stage of the relationship - if the company’s ownership changes hands, for example, or they introduce a new business activity that could be considered high risk.
- Enhanced due diligence: EDD is required where a customer or prospect is considered high risk following an initial risk assessment. This is typically because the nature of the business service, product or transaction is risky, i.e. prone to being used for money laundering and terrorist financing. EDD is an even more detailed review of the prospect and their business and includes identification and verification, gathering information on the customer's business and activities, and screening checks for adverse media, politically exposed persons (PEPs), sanctions, and fraud. This level of due diligence will involve gathering more information than you would have in the SDD and CDD processes. It should provide comfort that the risks that have been identified are unlikely to occur.
But remember, the approach to due diligence you chose when you first onboarded a customer may not always be the most appropriate for later reviews. For example, if your customer expands their operation to a new jurisdiction, this could increase their risk profile and so should trigger increased scrutiny of the customer’s activities.
CDD and your regulatory obligations
There is no one-size-fits-all approach to CDD. But Section 28 of the Money Laundering Regulations sets out clear guidance for ensuring that your process is thorough, including identification and verification, the type of information to be collected for individuals and corporate bodies, and identifying beneficial owners and control structures. Section 27 details when CDD should be carried out - not only when a business relationship is established, but also whenever:
- an occasional transaction that amounts to a transfer of funds exceeding 1,000 euros is carried out;
- there is suspicion of money laundering or terrorist financing; or
- there is doubt about the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification.
The regulations are also very clear that you must perform ongoing monitoring and keep comprehensive records. To make sure that the transactions in the business relationship are consistent with your understanding of the customer, their business, and the risk profile, you must carefully review the transactions made throughout the life of the relationship (including, if necessary, the source of funds). Additionally, you should conduct checks of current records and keep them up-to-date to maintain the integrity of any data gathered through CDD.
Why strong CDD is better for your business
Too many fintechs view CDD as a regulatory hurdle that slows them down. But the truth is that strong CDD is better for your business and it’s often beneficial to have CDD processes in place that go above and beyond your regulatory requirements. A solid approach to CDD can help you avoid:
- damage to your reputation due to association with illicit businesses.
- financial losses as a result of your damaged reputation.
- genuine customers avoiding or leaving your business because they don’t trust you, or because association with you could potentially damage their reputation.
- overall poor customer experience.
And that’s all before you’re potentially facing fines from your regulator for failing to have robust anti-money laundering (AML) and counter-terrorist financing (CTF) controls in place.
Ultimately, the goal of CDD is to help you answer the following questions:
- Is my customer/prospect who they say they are?
- Do I understand the risks associated with working with them?
- Can I make a confident decision to do business (or not) with this customer based on the information I have gathered?
- Have I unearthed any information that I need to report to the regulator?
- Am I confident that this business relationship is not associated with money laundering or terrorist financing?
Being able to confidently answer each of these questions (and show your reasoning with well-kept records) will ultimately make your business stronger, help build a trust-based relationship with your regulator, and protect one of your most valuable business assets - your reputation - from harm.
Using Verify in your CDD process
We’ve established that CDD is important and that a proper risk assessment can help streamline your approach to CDD. But, CDD is still a lot of work, with many companies still doing desk-based reviews where they manually check the customer’s information against multiple data sources. With Verify, you can automate this process and carry out customer due diligence against industry-leading pre-integrated data sources in a matter of minutes. Our solution allows you to run ID&V, AML and anti-fraud checks and also screen for sanctions, PEP and adverse media matches.
You can also set up automatic accept or reject decisioning based on your risk appetite, and create flags for cases that need to be reviewed by a human. Verify keeps a record of all check results and decisions, meaning you get access to a comprehensive audit trail and can easily demonstrate compliance to your stakeholders and regulators.
Interested in learning more about emerging trends and best practices in CDD? Sign up for our webinar with Xapien to hear our Money Laundering Reporting Officer (MLRO), Alex Nash and other panellists discuss why and how fintechs can be nimble and embrace CDD automation.
The session takes place on Wednesday, 8 February at 2:00pm.
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
- Checking customer due diligence and ongoing monitoring
- CDD starts at the beginning of a customer relationship (usually during onboarding) and is continuous and ongoing.
- EDD is a more detailed assessment of a customer or prospect that is considered high risk.
- The approach to due diligence is determined by an initial assessment to determine the risk profile of the customer - this is called a risk-based approach.
- Manual CDD can be time-consuming, but automated solutions such as Verify can speed things up and help with record keeping.