The Essential Guide to Customer Due Diligence

Know your customer (KYC) is a process that banks and other financial institutions use to verify the identity of potential clients, as mandated in the 1970 U.S. Bank Secrecy Act and the 2001 USA PATRIOT Act. In the first phase of KYC, the financial organization collects documents to identify a potential customer (sometimes called a customer identification program, or CIP). In the second stage, they perform customer due diligence (CDD), in which the bank verifies that documents are legitimate, then quantifies the level of risk that customer is involved in illegal activities, based on certain factors. When the risk level is high enough, the financial institution is required to implement enhanced due diligence (ECDD).

A bank or financial institution can perform CDD before or after establishing the business relationship and generally invokes the practice when it expects an ongoing relationship. However, one-off transactions may also require CDD.

Customer due diligence is most commonly associated with banking and financial services, but the term due diligence is also used in real estate, mergers and acquisitions, and securities sales. The concept of due diligence even comes up in day-to-day life, when people evaluate prospective employers, dates, vacation spots, or restaurants.

CDD has become more prevalent in the last couple of decades, and financial institutions and governments have realized the need for stronger anti-money-laundering (AML) and Countering the Financing of Terrorism (CFT) regulations. In the United States, the Financial Crimes Enforcement Network (FinCEN), which is part of the Treasury Department, collects and analyzes financial information and looks for evidence of money laundering, terrorist financing, and other financial crimes, both domestic and international. In addition, the Federal Financial Institutions Examinations Council on Customer Due Diligence (FFIEC) creates guidelines on CDD.

Financial institutions gather information during CDD and use it to monitor the customer’s transactions and look for questionable activity. When the institution finds questionable activity, it reports the incident or incidents to the relevant authorities.

CDD can be ongoing, so financial transactions through the customer's account must stay consistent with the bank’s knowledge of the customer, their business, their risk profile, and the source of funds. Additionally, the continuing nature of the process helps keep all documents and information up to date.

For more information on KYC, CDD, AML, and CFT, read this 2018 white paper by Jagannathan Vasudevan, a certified anti-money-laundering and audit specialist.

First and foremost, CDD protects the business from dealing with a customer involved in illegal or questionable activity. It also helps detect this activity if it starts to occur.

Risks of Unverified Customers

Potential customers who appear risky at first may turn out to be stable. However, it’s smart to be proactive and attempt to verify their risk level. When customers are not verified, a financial institution or bank could become the target of legal or regulatory actions stemming from customer activities like money laundering, terrorist financing, and corruption.

Without performing CDD, a financial institution risks harming its reputation if the customer’s business is involved in money laundering, terrorist financing, or corruption. The financial organization could be the target of legal or regulatory actions, or it may suffer financial loss. If the risk is too great and can't be mitigated, the bank can decline a relationship with the customer.

Enhanced customer due diligence (ECDD) is required when a potential customer poses a higher risk of associations with money laundering, terrorist financing, or other financial crimes. The threshold varies, based on the bank’s location and area of focus.

A customer with any of these characteristics may pose a higher risk:

• Links to a politically exposed person (PEP), terrorists, or criminals, or an individual or entity on a sanctioned list
• Appears on a watchlist
• Runs business operations in high-risk locations
• Requests a non-face-to-face account opening and conducts all business remotely
• Questionable source of assets or funds
• Questionable nature of business activity
• Questionable ownership structure
• Associations with offshore banks or private banking institutions

The bank could request the following information in cases of enhanced due diligence, both at the creation of the account and on a recurring basis after (this list is not comprehensive):

• Purpose of the account and expected types of business transactions
• Type of businesses conducted by the customer and all individuals with ownership or control over the account
• Financial statements
• Proximity of the bank to the customer’s residence, place of business, and place of employment
• Expectations of routine international transactions
• Description of business operations, anticipated volume of transaction, and total sales
• Major customers and suppliers
• Explanations for changes in account activity

Standard CDD is an examination of a predefined set of factors to determine the risk level of potential customers. Each bank or financial institution has its own process and procedures, based on their location and area of focus. These processes, combined with internal controls, help the institution assign a risk level to each customer. If that risk level is above a threshold (again, based on the bank’s location and area of focus), then ECDD is required.

See the checklists and templates below for more information.

Once the organization collects the information, it begins the verification process. You should include the following steps in the verification process:

• Contact information-reporting agencies.
• Check with banking references (for larger accounts).
• Initiate correspondence and telephone conversations with the customer.
• Visit the customer’s place of business.
• Contact third-party references.
• Research public information (e.g., on the internet or in commercial databases).

Beyond what the customer provides, the bank should also review the web and news sources for any negative mentions of the customer. They could be red flags.

You can think of simplified due diligence as the opposite of enhanced due diligence: a less rigorous version of standard due diligence. The bank or financial institution can implement it when the customer poses a very low risk for money laundering, terrorist financing, or other financial crimes. This term is more prevalent in the EU and a few Asian countries than it is in the United States.

Simplifying Due Diligence

It’s difficult (and probably not advisable) to remove steps from a customer due diligence process (standard, enhanced, or simplified). The best way to simplify due diligence is to automate as many steps as possible, using software.

Customer acquisition due diligence is the process of performing CDD when a customer first enters into a business relationship with a bank or financial institution.

Ongoing customer due diligence (OCDD) is the process of revisiting and reverifying the information gathered during CDD, then asking for explanations of red flags that appear through activity monitoring, as well as periodically requesting updates to previously provided documents or information. A customer can be verified with standard CDD when opening the account, but the bank or financial institution may still have to perform ECDD on that customer for activities that occur after initial contact.

This checklist contains common red flags that you should look for during OCDD. Should any surface, investigate them promptly.

Download Ongoing Customer Due Diligence Template

Excel | PDF

The high-level process flow below shows how the steps should occur. During CDD, assign a risk rating to each customer. High-risk customers should be sent through ECDD.

Keep the following in mind:

1. Use a risk rating scale (e.g., low risk, medium risk, high risk, 1-10); where a customer lands on the scale determines whether or not you need to perform ECDD.
2. If you use third parties for the verification step, make sure they are reliable and independent.

A customer due diligence form is a document that a bank or financial institution creates for gathering information during the CDD process. It could be a checklist to verify that the organization has collected the correct documents, an online form to request verification of information provided, or simply a form that helps gather data to notify law enforcement of suspicious activity.

Customer Due Diligence Best Practices

The CDD process should be risk-sensitive, so the financial institution should apply the appropriate treatment, checks, and controls as commensurate with the level of risk. The treatment, checks, and controls should also depend on the type of customer, business relationship, nature of activity, and nature of transactions. These steps allow you to prioritize resources in areas that require more attention based on risk sensitivity.

To make the CDD and ECDD processes stronger and more efficient, incorporate these other steps and ideas:

• For standard-risk customers, verify only the standard information provided.
• Only collect basic account information for a low-balance, low-turnover deposit account.
• Public companies and their wholly owned subsidiaries are considered lower-risk, while privately owned companies and other entities (like trusts) are generally assessed as higher risk.
• Apply CDD and ECDD to beneficial owners.
• Don’t allow anonymous business relationships.
• Report any suspicious activity.
• Keep all historical records related to the CDD/ECDD process.
• When relying on third parties to perform verification, ensure they are reliable and independent sources.
• Continuously monitor media for negative mentions.

Benefits of Customer Due Diligence

Practicing customer due diligence provides a number of benefits to the bank or financial institution, including the following:

• Compliance with safe banking practices, such as those established by the Financial Action Task Force (FATF), and legislative and regulatory requirements
• Learning the customer's risk profile and assessing their risk level before the account is open
• Ensuring that customer needs can be legally met through product and service offerings
• Ability to focus more attention on high-risk customers
• Guarding against identity fraud and other kinds of scams
• Easier prediction of activities the customer is likely to engage in (and identification of unusual or illegal activity during the course of the business relationship)
• Enabling the business to assist law enforcement when needed
• Avoiding criminal exposure for customers’ actions

Challenges of Customer Due Diligence

Running a good due diligence program for customers is not an easy process. Below are some of the bigger challenges:

• Proper verification of customer identification and documentation (especially if the customer is dishonest or hiding something)
• Determining where on the risk scale a customer falls
• Investigating suspicious transactions (they may turn out to be innocuous)
• Maintaining vigilance throughout the duration of the customer relationship
• Compliance with laws and regulations (especially when multiple countries and jurisdictions are involved)

When a bank or financial institution starts a relationship with a new customer, due diligence helps the bank determine the customer’s risk level of engaging in future financial crimes. By performing strong CDD, the bank shields itself from association if the customer is later targeted for legal action. It also means that higher-risk customers receive more scrutiny than lower-risk clients.

Financial institutions should apply customer due diligence to all potential customers, but the choice to perform standard, simplified, or enhanced due diligence is based on the type of customer, the bank’s policies, and the laws and regulations covering them.

FinCEN created the Customer Due Diligence Final Rule, effective May 11, 2018. The rule mandates collecting, maintaining, and reporting of beneficial ownership information for banks and financial institutions. Like CDD itself, this requirement is intended to prevent terrorism financing, money laundering, and other financial crimes, and the rule closes some loopholes.

While this article is U.S.-centric, CDD is common around the world. The European Union (EU) and its countries have their own laws and practices.

The EU's fourth AML directive (which replaced the third directive in 2017) spells out what needs to be done with other CDD items, including how to determine when ECDD should be used (following a risk-based approach), when KYC should kick in, how to treat beneficial owners, and how to electronically verify identification.

As with the United States, European law requires financial institutions to report suspicious activity and send it to national Finance Intelligence Units (FIU). Even in the EU, countries have their own laws and regulations. For example, in Ireland alone, the following organizations may be involved in making rules that affect CDD: Irish Banking Federation, Irish Insurance Federation, Irish Funds Industry Association, Irish Stock Exchange, Consultative Committee of Accountancy Bodies Ireland, Irish League of Credit Unions, and An Post.

Many businesses use CDD software to automate parts of the CDD and ECDD process. The software should be able to do the following:

• Collect and store documents
• Collect and store other information
• Scan for deviations from expected activities
• Automate workflow and reports

Examples of CDD software include Nice Actimize, SAS Customer Due Diligence, KYC Portal, NetReveal, and Abrigo Due Diligence Manager.

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.