
Understanding Customer Due Diligence (CDD) and why it's an important part of your AML process

Get to know the essentials of Customer Due Diligence (CDD) in the UK, the role it plays in Anti-Money Laundering (AML) laws, and how it's conducted.

Customer Due Diligence (CDD) is a mandatory process that regulated entities such as financial institutions (e.g. banks and investment fund managers), and other businesses like law and accountancy firms, must conduct on their clients to understand the money laundering and terrorist financing risk posed by the client.

Understanding each client, the services you provide them, and assessing their risk involves identifying and verifying the individuals who are the beneficial owners. In this article, we'll explore:

  • What Client Due Diligence is,
  • How it's conducted,
  • The different levels of CDD,
  • and ongoing due diligence.

What is Customer Due Diligence (CDD)?

In the UK, CDD is a requirement of the Money Laundering Regulations 2017 (MLR 2017) and the Proceeds of Crime Act 2002 (POCA), which place certain obligations on regulated entities, like accountants, to detect exposure to money laundering and terrorist financing risk associated with their clients. 

The main purpose of CDD is to understand the nature and purpose of the business relationship based on the services provided to your client and gather sufficient information about the client's beneficial owners by identifying and verifying them, and in certain situations, understanding the source of their wealth or funds. This allows informed decision-making about the risk level of their activities and whether to establish a business relationship with them.

There are various levels of CDD, and specific transactions or associations come with elevated risks requiring more information. The three tiers of CDD include simplified, standard, and enhanced – we'll examine what these different tiers involve and when you might need to use them later.

Carrying out CDD is crucial to ensure that the individuals behind the client you are engaging are who they claim to be and not involved in any illegal activities like money laundering, terrorist financing, or fraud. It helps regulated entities meet their statutory obligations and minimises the risk of inadvertently facilitating criminal activities.

How is CDD conducted?

CDD involves a series of steps that are usually part of the onboarding/KYC process, beginning with collecting information from the customer and verifying its authenticity. The process itself includes the following three steps:

1️⃣ Identifying the customer

Collecting relevant information, such as the structure of the customer’s entity to identify beneficial owners and those acting for the customer, their name, address, date of birth, identifying documents, and any other necessary particulars.

2️⃣ Verifying the customer

Validating the customer's identity by reviewing authentic documents such as a passport, driver's licence, or government-issued ID for each person of significant control (PSC), sometimes referred to as a beneficial owner or person acting on behalf of the customer.

3️⃣ Assessing the customer’s risk

Analysing the customer's activities, intended transactions, and where relevant the source of funding to check if they pose any threat to the reporting entity or expose it to potential legal or regulatory risk.

Levels of CDD

Earlier we mentioned that not all CDD is made equal: the level depends on the type of customer and the services provided to them. The reality is that for an accounting firm, it’s extremely unlikely that simplified CDD is ever going to fly, due to the nature of the work and transactions you’re dealing with.

📝 Simplified CDD

This relates to specific types of customers like publicly listed companies, state-owned enterprises or crown entities. You need to record the full legal name of the company and a brief explanation of how it qualifies for simplified CDD. You also need to collect information about the nature and purpose of your proposed business relationship with the company.

🔒 Standard CDD

This is the norm for most customers. It involves understanding the structure of the company and verifying its beneficial owners, to ensure the details you might have collected so far are true and aren’t misleading or fraudulent, and that the people involved aren’t on sanctions lists, for example. At this point, you’ll often have enough information to understand the nature and purpose of the proposed business relationship and the potential risk of who you’re dealing with. If you’re comfortable with this, you may not need to ask for any further documentation.

🚨 Enhanced CDD

In certain circumstances, additional information is required about the customer, perhaps due to the type or complexity of the customer, or because the service requested is unusual or complex. This will involve understanding the source of wealth or source of funds, and more sophisticated measures may be required to obtain and verify the details of the customer’s beneficial owners.

Ongoing Due Diligence (ODD)

Running CDD as part of your onboarding/KYC process is only one part of the puzzle. You’re also expected to monitor your clients on an ongoing basis, to ensure that you are on top of any emerging or evolving risk.

Not only does it help you make sure you continue to meet your AML obligations but it also ensures that you have a good understanding of the potential exposure to risk that your firm might be holding at any given time.

At the moment, the expectation is that you perform ODD either periodically or when a transaction/interaction requires it. This might involve checking the structure of the customer, updating IDs, or re-checking the source of funds, for example. There are other situations, such as a change in control, where ODD is equally pertinent; an example might be when a new shareholder or director is appointed.

Whilst there is software out there to help you monitor financial transactions in an automated manner, the reality for an accounting firm is that it’s unlikely you’ll need to have seriously complex systems in place. You’re probably not “setting and forgetting” your relationship with your client; instead, it’s likely you’ll be regularly dealing with their tax affairs and their transactions. So if something seems out of sorts when you’re doing other work, that’s a good time to consider how you might want to follow up.

For example, if one of your clients is a Fish and Chip shop or a Barbers, you’d expect regular cash deposits into their bank accounts as people typically are more likely to use cash in these environments, but if you’re seeing large cash deposits from an online retailer who sells exclusively over the internet, that might seem a little odd, and raise a few eyebrows – this is where your internal process and understanding of your customer comes into play.


At its core, CDD is all about managing risk and getting to know your customers in a way that lets you best serve them. Building a robust onboarding process will help you to have confidence in your approach and that you’re meeting the compliance obligations you need to. As we’ve spoken about, how you monitor, maintain and carry out CDD is ultimately your decision, as long as you meet the requirements of the various laws and regulations that govern regulated entities, such as the MLR 2017 and POCA, which we’ve already mentioned, and any specific requirements from your supervising body.

(NB: This article doesn't constitute legal advice and is intended for general informational purposes only. Always consult with a legal expert or compliance consultant for guidance specific to your firm.)
