Customer Due Diligence checklist — five steps to improve your CDD

What exactly is Customer Due Diligence (CDD)? And why is it so

important? CDD is a critical element of effectively managing risk and
protecting you (and your business) against potential association or
involvement with bad actors and financial crimes. CDD processes are
crucial for Know Your Customer (KYC), and while they vary around the
world, in most cases, they involve identifying your customer and
understanding their activities. This then allows you to assess their risk
profile.

Sometimes, Enhanced Due Diligence (EDD) is needed. This involves

collecting additional information on high-risk customers to provide a deeper
understanding of customer activity and to mitigate risk. Customer
assessments can be used to determine which level of due diligence is
required, a crucial step in creating an effective risk-based approach as part
of a robust compliance program.

To ensure that your business is following best practices, we have put

together the following five-step checklist to help improve your CDD
processes.

Step 1: Verify customer identities

Perform CDD measures before entering into business relationships with

customers to detect potential bad actors early in the process. Creating
barriers to prevent financial criminals from accessing accounts on your
system helps avoid questionable activities before they can even begin.

How? Ascertain the identity and location of the potential customer, and

gain a good understanding of their business activities. This can be as
simple as verifying their name and address. However, with increases in
online fraud, collecting more information or running additional identity
checks might also be advisable. Some information sources that can help
the identity process include:

 Name
 Address
 Date of birth
 Telephone number
 National ID number
  Identity documents
 Mobile network data
 Geolocation
 Selfie
 Live video
 Third-party account verification

Business and other legal entity customers also require verification to

ensure the legitimacy of the business and that the account holders have
the proper authority to act on behalf of the business. The business
verification process examines information like:

 Business registration number

 Company name
 Address
 Operational status
 Key management personnel
 Date of incorporation

Why? You have to first decide whether a client or customer fits your

established risk profile, before entering into a business relationship with
them. You can only do this by undertaking the appropriate CDD measures.
This ensures that identity theft and any potential forgeries can be detected
and dealt with early.

Step 2: Assess third-party information sources

Strengthen your processes when vetting third parties.

How? You may rely on third parties — from banks, to lawyers, to auditors

— to help you perform due diligence, however it’s important to choose
these third parties wisely because the ultimate responsibility for CDD
measures remains with you, not the third party.

Why? Sometimes, the only way to get the information required for CDD is
through a trusted third party, so it’s important to ensure that their standards
and best practices are aligned with your business. At the end of the day,
you are liable and will be fined or penalized for non-compliance.

Systematically thinking about your business relationships, the potential

exposures they could incur, what steps you need to implement, and then
how you can operationalize and review those procedures makes good
business sense — and helps ensure proper compliance.

Step 3: Secure your information

Ensure that pertinent information has been collected and stored securely.

How? When authenticating or verifying a potential customer, classify their

risk category and define what type of customer they are, before securely
storing this information and any additional documentation digitally. While
keeping personally identifiable information (PII data) might be necessary,
there are often strict legal requirements regarding how that information is
collected, stored and shared; beyond any legal necessity, protecting
customer data is crucial to avoid any reputational damage.

Why? Having a meticulous and comprehensive process for documenting

CDD-related information is highly effective and also mitigates any potential
risk for you as a business.

Step 4: Take any necessary additional measures

Detect if there is a need for EDD.

How? Beyond basic CDD, it’s important that you carry out the correct
processes to ascertain whether EDD might be necessary. This can be an
ongoing process, as customers have the potential to transition into higher-
risk categories over time so, conducting periodic due diligence
assessments can be beneficial.

For example, most jurisdictions require politically exposed persons (PEPs)

to go through the EDD process. Other factors that might trigger EDD are
accounts with high transaction values, accounts that deal with high-risk
activities and adverse media mentions. Factors to consider to determine
whether EDD is required include, but are not limited to:

 The person’s location

 Their occupation
 Transaction types
  Expected activity patterns in terms of transaction types, dollar values
and frequencies
 Expected payment methods

If the account is for a business, additional EDD considerations include:

 Identifying any connected entities and Ultimate Beneficial Owners

(UBOs)
 Performing AML/KYC checks on UBOs to verify their identities
 Downloading official company records to act as a Record of Authority
 Screening the company and its owners against global watchlists and
sanctions lists

Why? Again, this protects you and your business against any involvement
with nefarious activities and also ensures that you’re meeting various KYC
and Anti-Money Laundering (AML) regulatory requirements.

Step 5: Ensure you’re audit ready

Keep historical records on hand.

How? Store records of instances of CDD and EDD securely, in a digital

format.

Why? Keeping records of all the CDD and EDD performed on each

customer, or potential customer, is necessary in case of future regulatory
obligations (for example, an external audit).

With robust digital records in place, internal audit processes can account
for deeper data sets, can re-run and re-analyze situations to decrease risk,
improve performance and better guard against problematic accounts.
These records are another line of defense to help protect the entire
compliance process, as they can be used to double-check accounts that
have passed onboarding checks. These checks also allow the auditing
team to hone their strategy and tactics, test assumptions and otherwise
optimize compliance procedures.

The digital audit trail is a cornerstone of creating a resilient, standardized,

testable compliance program. Rising above the inconsistencies of
individual people running and being responsible for account compliance, a
systematic compliance program helps protect the company, besides being
scalable and adaptable.

Ongoing CDD

The key to effective, ongoing CDD is to have set policies and processes for
various contingencies. Anticipating scenarios helps to clarify which
approaches are best and speeds up responses.

For forward-looking organizations, compliance is a competitive advantage,

not just a regulatory checkbox exercise. Effective ongoing compliance
lessens risk, increases knowledge of customers and enables adaptable
systems. Establishing values and procedures that promote constant
vigilance and respect for regulatory obligations helps create a transparent
organization with solid governance.

This post was originally published on February 22, 2018. It has been
updated to reflect the latest industry developments and best practices.