Customer due diligence (CDD) is the cornerstone for all BSA/AML programs, a core principle of the 3rd EU Money Laundering Directive, and a common requirement under all AML regimes irrespective of geography. In the last year, the regulatory focus on CDD has increased considerably. As with most areas that sit under the regulatory spotlight, we are more likely to see discussion of poor program implementation as part of enforcement actions, than discussion of how well implemented CDD programs can lead to significant business benefits both within and beyond compliance teams.
At the heart of CDD are the fundamental principles of knowing a customer, defining the context in which it is acceptable to do business with a customer, and understanding the basis in which the ongoing customer relationship develops. The principles of CDD are simple and, historically, have been a key requirement for good banking practice—where customers are known, business interactions are understood, and business relationships grow within a well-controlled web of trust and understanding. Given this context, why then is CDD considered by some firms an expensive AML regulatory burden and not a principle function, the cornerstone, of any successful business?
In this article we look at strategies for successful CDD, how the benefits of CDD programs can be realized, how CDD processes can be more widely applied to additional business areas, and how best practices in CDD provide direct benefits across an institution's AML program.
Regulatory Guidance
We are not short on regulation and regulatory guidance associated with CDD. For instance, eight out of the FATF 40 Recommendations relate directly to customer due diligence, with key recommendations for commercial and correspondent institutions. Additionally, the newly re-organized Chapter X of the FinCEN Code of Federal Regulations Title 31 CFR 1010.220 deals with the requirements of customer identification, Title 31 CFR 1010.610 details requirements for correspondent banking, and Title 31 CFR 1010.620 provides requirements for private banking. CDD is also the subject of Chapter 2 of the 3rd EU Money Laundering Directive; the Bank for International Settlements provides its own guidance associated with KYC for client on-boarding; and the UK JMLSG provides additional specific guidance on CDD.
Two recent publications have considered the many complexities associated with CDD. In May 2011, the FinCEN SAR Activity Review provided an assessment of benefits of effective CDD programs, with a significant focus on the challenges associated with foreign politically exposed persons (current or senior foreign political figures, their families, and their associates) identification, a pain point for most institutions. The report also considered the impact associated with foreign corruption, an area of significant relevance given events of the Arab Spring—Tunisia, Egypt, Libya, and Syria.
Following on from these themes, in June 2011 the UK Financial Services Authority (FSA) published its report on "Banks' Management of High Risk Money Laundering Situations." This report contrasts both the good and the bad, and considers some systematic issues associated with the treatment of high risk customers and PEPs, customer on-boarding, risk assessment of customers, and enhanced monitoring requirements of high-risk relationships. The report highlights that of the firms considered, one-third inadequately managed due diligence records, one-third failed to adequately identify PEPs, and one-half of banks visited failed to apply meaningful enhanced due diligence (EDD) Although focused on UK firms, the results highlight practice issues commonplace across the global banking industry.
Requirements for Customer Due Diligence
At the heart of CDD is the concept of customer understanding, performed at account opening, at the start of a business relationship, and on an ongoing basis. Simplified due diligence reduces the obligations for customer understanding associated with certain accounts and customer types but, in general, CDD requires manual or automated customer identification procedures and an extension of these procedures for specific business relationships and beneficial ownerships common in commercial and correspondent accounts. Institutions need to understand the economic rationale for the business relationship and capture the customer's anticipated behavioural characteristics, with risk assessment performed for each customer in relation to their presented characteristics and their mix of products and services.
For select customer relationships, financial institutions need to put in place EDD procedures, for instance, for private bank-ing and high-risk customers or those customers identified as PEPs. Additionally, EDD is also a pre-requisite for non-face-to-face businesses and a requirement for many modern institutions whose customer relationships are conducted entirely remotely—i.e., over the internet, by telephone or, in some cases as technology develops, across mobile banking platforms.
CDD Implementation Challenges
Over time, business environments have become increasingly complex—with multi-national operations and numerous interaction channels. However, customers expect banking products and services to be delivered consistently, irrespective of where and how these services are consumed. As businesses grow in size — with respect to global presence, introduction of new products and services, and increasing number of customers — firms face numerous complexities in CDD risk assessment as the process is often manual, inefficient, operationally expensive, and lacks consistency. In order to maintain regulatory compliance and reduce negative customer impacts, firms should consider ways in which they can automate manual due diligence processes and implement a CDD approach that allows for increased agility and responsiveness to change.
Successful CDD Strategies
There are three core elements of successful CDD programs:
- Process automation
- Systematic customer risk assessment
- Common platform for investigation
and reporting
Process automation is key to reduce or eliminate manual processes for customer on-boarding and ongoing CDD. Process automation should be used to automate customer identity verification, sanctions screening, and PEP and negative news checks. The focus on CDD should be to provide manual response only when risks exceed acceptable levels, where information anomalies exist, or where regular customer review is otherwise required. Process automation at this level reduces the on-boarding cost for new customers, speeds processing, and streamlines and enhances customer experience. This can further improve process cost efficiencies and increase business competitiveness. However, effective process automation is dependent on accurate customer risk assessment.
A successful CDD program requires a business to perform classification and quantification of customer risk. The first step in this process is a systematic assessment of business risks that exist independent of any customer characteristics, for instance based on the knowledge of business units and services, product offerings, or operational geographies. Secondly, these risks are mapped against the customer's characteristics and anticipated patterns of product use. Combining the risk assessment across these two levels allows customers to be grouped into risk tiers for further assessment and review. Low risk tiers require little or no human scrutiny, with increasing levels of diligence and frequency of review required for customers ranked in higher risk tiers. This approach to risk assessment allows appropriate risk-based treatments to be applied to all customers, reducing the burden of review for low risk customers and focusing CDD resources at customers that represent the highest business risks. This risk-based approach also aligns with regulatory drivers and leads to operational efficiencies, both for CDD and also through the application of the risk tiers as part of transaction monitoring.
A successful CDD program requires a business to perform classification and quantification of customer risk
Risk assessment can be performed interactively as part of on-boarding, with dynamic questions based on customer characteristics, products and services to be used, and the calculated degree of risk. Dynamic forms adapt based on customer and product requirements, reducing the need for staff or customers to fill in unnecessary form fields and ensuring that essential data elements, documents, and identification materials are appropriately captured. In addition to ensuring accurate information capture, correctly applying dynamic question and answer methods reduces the possibility of information leakage in relation to risk policy and minimizes information misuse. This helps to mitigate the concerns that arise associated with system manipulation by relationship managers and branch staff and supports customer suitability assessment for products.
A common technology platform, that supports process automation and systematic risk assessment, can capture and record complete customer details in a common repository and provide a single, comprehensive view of customer interactions and activity for investigations and other CDD business processes. Automated technology systems allow active, ongoing customer risk assessment so that risk re-assessment is actively managed by the system, as customer interactions occur, behaviours change, and policies are updated to address changing business and regulatory needs. These systems highlight the risks that need manual review and further investigation by the operations teams, to ensure resources are well managed and risks appropriately mitigated. A common platform secures and controls access and also audits and records access and investigations, enforcing business policies and providing regulatory proof of implementation.
In a customer centric organization, the technology requirements for a CDD solution are similar to the customer views required for relationship management and the data stored can support fraud processes. For instance, if your customer has told you that they will not be using Internet payment channels shouldn't this information be used to detect anomalies or support fraud investigations beyond the scope of AML? An integrated technology system and platform can provide additional benefits for businesses, by enabling information re-use and supporting business needs for AML risk assessment, credit risk assessments, fraud detection, CRM and other marketing activities. For instance, customers can be screened against SAR reports and the outcomes of previous investigations; business and transactional linkages can be better understood; and records can be maintained for both internal customers as well as related external parties.
Future of Customer Due Diligence
Effective customer due diligence is about the systematic risk assessment of customers, allowing firms to apply risk-based policies across the complete AML program. Customer-centric organizations are beginning to recognize how CDD can be used to provide additional business insight and are using it as a basis to increase customer understanding and improve business practices. Firms are looking to consolidate their electronic view of a customer to enable a holistic approach to customer credit and AML risk assessment, product suitability and other elements of customer lifecycle management.
The scope of customer due diligence is widening, with almost every aspect of business interaction requiring some level of due diligence. Anti-bribery and corruption requirements call for due diligence associated with supplier relationships; Foreign Account Tax Compliance Act requirements call for foreign financial institutions to enhance their due diligence processes for the identification of U.S. account holders; and application fraud detection methods pivot on reliable information capture, linkage and analysis associated with new accounts.
Far from being a regulatory burden, the future of due diligence—for customers, suppliers and other business relationships—is embedded at the heart of successful business practices. With compliance first at the table in terms of defining the requirements for systems and processes, firms should leverage this opportunity to create wider business benefit from AML processes and procedures. This will enable an integrated approach to mitigating AML risks and a holistic approach to customer understanding, positively impacting the bottom line and successfully winning executive support.
