As white-collar office workers largely shifted to work-from-home during the last two years, financial institutions around the globe saw an unexpected rise in new accounts opened. Following reports issued by watchdog organizations in the U.K. and the U.S. in 2021, it became clear that the surge in new accounts had concealed a parallel increase in money laundering and other criminal activities that rely on financial services.
In the U.K. alone, suspicious activity reports in 2021 came in at 20% over 2020 and 2019 totals. In response, government offices responsible for the prevention and prosecution of financial crimes such as the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Australia’s Serious Financial Crime Taskforce (SFCT) are tightening their requirements for compliance with customer due diligence (CDD) processes.
Financial institutions in affected countries have already begun enhancing their CDD procedures, with some collecting over 600 unique fields of information.
At the end of the more stringent processes, it would be no exaggeration to say that the vetting financial institution may know more about its clients than their own friends and family do. With CDD requirements evolving rapidly – and generally becoming more complex – financial institutions should prioritize developing a comprehensive understanding of the different kinds of CDD processes.
5 Types of Customer Due Diligence
CDD is the process of verifying and authenticating a client’s identity and quantifying the risks they may introduce in business relationships.
CDD processes begin before institutions provide clients with services and, in some cases, may continue at regular intervals throughout the client’s tenure. The purpose of CDD requirements is to prevent financial crimes such as money laundering and identity theft.
Financial institutions use five kinds of CDD procedures based on initial client risk assessments.
1. Standard CDD
Standard CDD applies to clients who present no significant risks on initial assessment. Standard CDD requires personally identifiable information about the client, beneficial owners, and any persons authorised to act on behalf of the client. This information should include:
- Full names
- Dates of birth
- Relationship to the client in cases of authorised persons
- Business and home addresses
- Designation of the proposed business relationship
- Any data required by applicable regulations
For best practices on making initial assessments and verifying the information provided, institutions can consult the guidelines prescribed in Australia’s 2006 Anti-Money Laundering and Counter-Terrorism Financing Act.
2. Simplified CDD
Typically, financial institutions only approve simplified CDD for clients that have prior obligations to transparency and public disclosure, such as government entities, local authorities, and public service agencies. Section 18(2) of the AML/CFT Act lists qualified client types for reference. This process requires that institutions:
- Confirm that the client meets the simplified CDD criteria
- Identify the nature and purpose of the proposed business relationship
- Identify all authorised parties associated with the client entity
3. Enhanced CDD
Enhanced CDD applies to clients assessed to be at high risk for financial crimes. Typical high-risk triggers include the following circumstances:
- The client has a trust or other separate financial instrument containing personal assets
- The client owns or has control over a company with nominee shareholders
- The client is a politically exposed person (PEP)
- The client is a non-resident of the country where the financial institution is headquartered and has citizenship or permanent resident status in a country with minimal or ineffective anti-money laundering and anti-terrorism financing laws
When enhanced CDD is required, institutions should gather all information required by standard CDD procedures and supplement the file with a detailed exposition of the client’s sources of wealth and funds. Records of this investigation and disclosure should clearly indicate that the institution took reasonable steps to verify all claims regarding the sources of funds.
4. Delayed CDD
While financial institutions typically cannot begin any work for clients prior to satisfying CDD requirements, a few exceptions exist to allow institutions to begin work processes essential to preventing the interruption of ongoing business operations. These exceptions are only available to clients with low-risk assessments. Delayed CDD has three requirements:
- The institution must complete know your customer (KYC) requirements
- Identity verification must be completed as soon as is reasonably possible
- If the client does not meet verification requirements, the institution must stop work and report any suspicious findings associated with the client
5. Ongoing CDD
Institutions should practice ongoing CDD with all clients at intervals indicated by the client’s risk status. Low-risk clients require CDD confirmation once a year. Medium- to high-risk clients should undergo the process every six months. Additionally, institutions should apply CDD procedures any time significant changes are made to the existing business relationship.
Secure Document Collection with FileInvite
FileInvite offers financial institutions a document collection platform and file sharing service with bank-grade security and KYC templates. FileInvite maintains SOC 2 Type 2 compliance and employs 256-bit encryption in client portals.