Businesses that fail to comply with CDD and EDD requirements risk AML fines or regulatory penalties such as license suspensions or revocations. Customer due diligence (CDD) and enhanced due diligence (EDD) are two levels of know-your-customer (KYC) processes that businesses perform on their customers. They are required by regulatory organizations in a variety of industries but are most common in financial services. Regulation varies depending on where you are in the world and the industry you work in – and you should always seek local advice depending on your specific circumstances – but there are some broad similarities regardless of geography or industry.
Let us look at the Differences and Applications of Customer Due Diligence (CDD) AND Enhanced Due Diligence (EDD) through this blog!
CDD, EDD, and KYC
Certain businesses are required by law to know with whom they do business. This includes financial institutions subject to AML rules under the Bank Secrecy Act and related laws, such as banks, insurers, lenders, cryptocurrency exchanges, and fintech companies. However, it also includes companies that operate in other regulated industries, such as online gambling, travel, and age-restricted commerce.
Know Your Customer processes are typically used by these businesses to meet these requirements (KYC). Customer due diligence is only one component of KYC (along with customer identity verification and continuous monitoring). Enhanced due diligence is also only one component of CDD.
What is Customer Due Diligence (CDD)?
Customer due diligence (CDD) is a collection of KYC processes used to assess customer risk. While regulations vary by country, the majority adhere to Financial Action Task Force (FATF) recommendations.
CDD is enforced in the United States by FinCEN, which requires financial institutions to meet four key requirements:
- All customers or clients must be identified and verified.
- Identify and verify all beneficial owners of companies with which you wish to do business. (This includes anyone who controls the company and/or owns 25% or more of it.)
- Recognize the nature and purpose of customer relationships in order to create customer risk profiles.
- Continuously monitor customer activity and transactions in order to detect and report suspicious activity.
In practice, customer due diligence typically entails gathering personal information about customers, such as their name, date of birth, Social Security Number, physical address, and any other information that may be required.
In a process known as documentary verification, the collected information is frequently verified against one or more external documents. The specific document(s) required will vary depending on your business, but typically include at least one form of government-issued identification such as a driver’s license, mobile driver’s license, state ID, or passport.
Where applicable, the information provided may then be validated by issuing database verification in addition to or instead of documentary verification.
At this stage, a number of screenings are also required. A common example is negative media screenings. These screenings look for negative news or media coverage of a person or business entity and typically include print, online, radio, and television sources. Furthermore, sanctions and watchlist screenings ensure that the individual is not a sanctioned entity (or is associated with a sanctioned entity), whereas politically exposed persons (PEP) screenings specifically look for political associations that may indicate increased risk.
It is critical to recognize that all businesses, industries, customers, and use cases are unique, and as a result, one CDD program may appear slightly different from another. Having said that, the typical CDD program will most likely include at least some of the steps outlined above.
Businesses may use alternative levels of due diligence when an individual or transaction is deemed to be at a lower or higher risk than the “standard.” This includes the following:
- Simplified due diligence employs simplified frameworks and processes for low-risk transactions or customers with known and reliable funding sources. Identity verification is still required, but with fewer checks.
- Enhanced due diligence, which is used on high-risk individuals and transactions and is discussed in greater detail below.
What is Enhanced Due Diligence (EDD)?
EDD refers to protocols that are followed when an individual or transaction is thought to be at a higher risk of money laundering or other financial crime. Businesses are required to conduct an additional layer of verification in these cases. What exactly is high risk? Common factors that may necessitate increased due diligence include when an individual:
- Is he politically active? (PEP)
- Has previously been linked to financial crime
- Is the subject of negative media?
- Has a large fortune or is a celebrity/public figure
- Works in a high-risk industry for money laundering, such as gambling.
- Is it on a sanctions list, or is associated with a company or country that has sanctions lobbied against it
- Is situated in a dangerous country
The specific EDD processes you implement, like CDD, will be determined by your business, industry, specific jurisdiction in which you operate, use case, risk tolerance, and other factors. Furthermore, these processes should ideally be tailored to each customer’s unique risk profile, taking into account the factors that necessitated enhanced due diligence in the first place.
EDD vs CDD
KYC processes include CDD and EDD. CDD entails identifying the customer by comparing provided data to databases or solutions such as document and biometric verification. This is usually required when opening an account and allowing high-risk transactions.
If a customer is deemed low risk, they may be subject to simplified customer due diligence, which requires only that the customer be identified but not verified.
For customers deemed high-risk, EDD is required as an additional type of step-up KYC process. Due to their location, profession, or political exposure, a customer may be deemed high-risk. The requirements for completing EDD vary depending on local regulations, but it is typically required when entering into a business relationship with a politically exposed person (PEP), when the transaction involves a person from a high-risk or sanctioned country, or in any other situation where there is an increased risk of money laundering.
Stricter Identity Verification
Identity verification in the context of customer due diligence typically entails gathering specific information from the individual and then cross-referencing that information against a document, such as a government-issued ID, or a database, such as DMV records.
In cases where enhanced due diligence is deemed necessary, additional checks to verify the individual’s identity are typically performed. This could include:
- Requesting additional documentation
- Selfie verification is being added.
- Including database validations
- Adding more database verifications (if you already do database verifications)
- Increasing the frequency of identity verification
- Or any combination of the foregoing.
Other Screenings
The goal of enhanced due diligence is to learn more about the individual, their reputation, and their risk. Screening the individual against additional reports and data sources such as social media reports, address lookups, or email and phone risk reports is one way to accomplish this.
Constant monitoring
Enhanced due diligence is not a one-time occurrence. Things do, after all, change. Just because someone isn’t on a sanctions list or isn’t in the news today doesn’t mean they won’t be tomorrow.
As a result, continuous monitoring is an essential component of enhanced due diligence. At the very least, this should include monitoring transactions for suspicious activity that could indicate a financial crime. However, it can also include steps such as re-screening high-risk individuals on a regular basis to determine if their risk factors have changed.
Conclusion
Both standard and enhanced due diligence are critical components of well-designed KYC processes. However, by understanding when enhanced due diligence is required and when it isn’t, you can tailor the amount of friction during your onboarding process to each individual circumstance and provide your users with the best experience possible. To learn more about the AML KYC process you can join Certified AML KYC Compliance Professional by Vskills.
Vskills offers the Certified AML-KYC Compliance Officer program, which is designed to improve the quality of compliance with RBI guidelines in combating illegal operations and the movement of funds through banking channels. You can use the Practice Tests to determine whether you are prepared to face the most recent Interview Questions!