With CDD requirements becoming more complex, financial institutions must understand the different kinds of CDD processes. Here are 5 types of CDD...
Customer Due Diligence for Banks: How Can Technology Accelerate This Process?
Use technology to streamline rote manual tasks in your CDD and KYC processes by gathering and analyzing customer information efficiently.
With bank fraud and money laundering risks riding a third consecutive year-over-year increase, the cost of financial crime compliance and customer due diligence (CDD) for banks has ballooned since 2019. By the end of Q4 2021, the average annual cost of financial crime compliance for institutions holding at least $10 billion in assets had risen to $27.8 million, up 36% from 2020 and a staggering 95% since 2019.
Financial crime prevention requirements for banks in the U.S. fall under the umbrella of the anti-money laundering (AML) and anti-terrorism financing provisions of the 2001 Patriot Act. AML regulations apply to businesses in many industries, but in the finance industry, the primary compliance controls consist of the know your customer (KYC) process and its subset process, CDD.
The CDD Rule
Since 2018, the U.S. Financial Crimes Enforcement Network’s (FinCEN) CDD Rule has involved four core requirements financial institutions are obligated to meet for compliance. The CDD Rule applies whenever financial institutions acquire new customers or when existing customers change the nature of the existing business relationship, and at regular intervals with existing customers in varying degrees according to risk assessments.
The four requirements of the CDD Rule are that institutions take reasonable steps to:
- Verify customer identities
- Verify the identities of all beneficial owners of account-holding companies
- Define the nature of business relationships with customers to develop customer risk assessments
- Perform regular monitoring activities, update customer information, and report suspicious activities to authorities
The Standard CDD Process for Banks
A Standard CDD process starts with an initial KYC evaluation, also known as a Customer Identification Program (CIP), in which banks typically gather the PII and PIFI as listed below.
Then, this PII is cross-checked with governmental IDs such as driver’s licences, passports and/or visas in the case of individuals, licences or registration numbers in the case of businesses, or trustee and tax filing information in the case of charities and non-profit organisations.
This PII can be gathered manually or using electronic and/or automated methods. The former is more time-consuming and prone to human error.
If the potential client passes the CIP without raising any flags, then the second step begins. This is a quantification of the individual or organisation’s financial risk, usually summarised as a single risk score, and is done through credit reports in the case of individuals, or examinations of quarterly filings in the case of public companies or spreadsheets in the case of private firms.
Once that risk is quantified and combined with the CIP-generated risk profile, the bank may decide to proceed with on-boarding the customer, reject them, and/or file a suspicious activity report (SAR) with the relevant regulator.
Sometimes a Standard CDD is delayed or shortened. This happens with low-risk customers such as governmental agencies like the police or navy, or registered financial institutions. Both already have stringent prior obligations for transparency and public disclosure. For these customers, onboarding may begin immediately with a Delayed CDD afterwards, or an abbreviated KYC review in the case of a Simplified CDD. Subsequent KYC and AML checks can be done on a more sporadic schedule.
Note that the leaders of such organisations, whether they are non-governmental organisation (NGO) leaders, prominent politicians, or famous CEOs, themselves typically do not qualify for Delayed or Simplified CDDs. In fact, such individuals often appear on global lists of Politically Exposed Persons (PEPs), and actually undergo Enhanced CDD screenings due to the higher risk of their involvement in corruption.
Enhanced CDD (ECDD or EDD) screenings are also required for individuals with:
- Personal assets in a trust and/or other financial bodies
- Ownership or control of a company with nominee shareholders
- Residence and/or citizenship in a country with minimal or ineffective AML and anti-terrorism financing laws
When an Enhanced CDD is required, banks should supplement their standard in-house CDD with a detailed exposition of the potential client’s sources of wealth and funds, financial risk profile, and ties to sanctioned countries and organisations. Organisations with complicated corporate structures and potential ties to sanctioned countries may also face an Enhanced CDD.
An Enhanced CDD is usually done by expert third parties that can validate the identity of Ultimate Beneficial Owners (UBOs) and perform other in-depth investigations. Armed with these results, the bank can enter into a customer relationship while building the necessary monitoring controls, turn down the customer, and/or file a SAR.
Whether a new customer is low or high risk, Perpetual or Ongoing CDD will always be required, for CDD is never done. KYC data should be refreshed periodically: every six months for riskier customers, annually for standard ones, and every two to three years for low-risk customers.
Moreover, the appearance of out-of-the-ordinary transactions or a significant change in the customer’s business or organisation should trigger a fresh KYC check or in-depth AML investigation.
Perpetual and Ongoing CDD can be extremely time-intensive if done manually in-house, and expensive if 100 percent outsourced to independent firms. Many banks are adopting automated software and cloud solutions to reduce the time and cost of their ongoing CDD checks.
Collecting and Verifying CDD and KYC Information
Banks and other financial institutions complete CDD and KYC processes by requesting client documentation. Although CDD and KYC requirements vary by institution, the minimum attributes to establish client identity will include:
- Full name
- Date of birth
- Relationship to the customer for authorized persons
- Home and business addresses
- Description of business relationship with the financial institution
To meet identification requirements, clients must submit a variety of documents containing personally identifiable information (PII) such as:
- Passports, driver’s licenses, or other government-issued IDs
- Utility and insurance bills
- Bank account statements
- Tax returns
Banks rely on clients to submit identity documentation on their own, through hard copy, email, or a secure file-sharing service. Once client identities are established, banks compare identities to lists of individuals and organizations known to law enforcement agencies to be involved in, or suspected of, financial crimes. In this process, banks commonly consult:
- US Department of State sanctions list
- Specially Designated Nationals and Blocked Persons List (SDN)
- Financial Action Task Force lists (FATF)
- State Sponsors of Terrorism list
Streamlining CDD Compliance with FileInvite’s KYC Templates
As compliance costs for CDD and other KYC/AML requirements continue to rise, banks are increasingly looking for new developments in technology and process automation to improve efficiency and mitigate losses. Just a few years ago, studies showed that software-as-a-service (SaaS) platforms for secure file sharing and document process automation were scarce and lacked sufficient security and standardization to warrant wide-scale adoption in the financial industry.
Today, FileInvite offers a file-sharing and document collection platform with bank-grade security that significantly streamlines many rote manual tasks in CDD and KYC processes.
For example, the CDD Rule’s first two requirements – customer and beneficial owner identification and verification – have traditionally involved prolonged, ad hoc document exchanges through email attachments and delivery of hard copies. With FileInvite’s secure document portal, customers can upload all compliance documents directly to a central repository where both customers and their representatives can monitor ongoing progress. The platform also includes:
- Mobile compatibility for customers to take and directly upload photos required in identification processes
- Standardized CDD and KYC templates – containing comprehensive lists of required customer documentation used throughout the industry – that organizations can use to jumpstart their processes
- Configurable templates for institution-specific KYC requirements – as U.S. law only provides broad guidelines rather than a definitive enumeration of requirements that applies in all cases
- Settings for automated notifications to clients and their representatives regarding impending deadlines for application documentation
- SOC (service organization control) 2 Type 2 compliance, ensuring end-to-end 256-bit encryption for all sensitive documentation in transit and at rest
For new customers, these capabilities radically reduce onboarding time – by as much as 80% in the document collection phase. As onboarding difficulties result in abandonment by 63% of new banking customers, faster processing times drive both customer acquisition and satisfaction.
For an institution’s existing customers, ongoing CDD and KYC processes – whether routine or for modifications to existing business relationships – can be a tedious time sink. With FileInvite, banks can automate document requests and notifications for ongoing verification tasks, allowing customers to upload documents at their convenience and without the risk and inconvenience of email and hard copy exchanges.