We have compiled a complete guide on how to organize the process of customer verification and financial risk assessment for financial service providers

What are KYC and CDD? Complete guide to compliance and AML risk assessment

06.10.2025

Financial service providers are required to conduct customer identification procedures to assess risks and prevent possible illegal transactions effectively. GetBlock AML Research explains the rules governing compliance.

The term “know your customer” (KYC) and the basic ideas behind it are among the most important requirements in the fight against money laundering and terrorist financing. KYC is part of a set of measures called Customer Due Diligence (CDD). These measures help an organization learn the credentials and background of a potential customer. Institutions such as financial organizations are required to conduct KYC procedures before accepting a customer and to update the data at various stages, such as during periodic compliance checks or investigations.

How is KYC implemented?

The KYC process protects an organization from being used for money laundering or terrorist financing. This refers to cases where a customer engages in illegal activities after entering into a relationship with an organization (for example, after opening a bank account). KYC helps the organization prevent criminals — people involved in money laundering or those associated with them — from using its services. If the organization mistakenly “lets in” such people, it can lead to a loss of reputation and fines from the regulator. The KYC process is mandatory: it is carried out when a customer contacts the organization — in person or via the Internet — to open an account or receive a service.

A business relationship is considered to be established when two or more parties begin to conduct business regularly or carry out a single large transaction. The term “business relationship” applies when the interaction is expected to be of some duration. CDD measures are required when an organization subject to anti-money laundering rules “enters into a business relationship” with a customer or potential customer.

The KYC process is also carried out when a customer, or a person who comes to the “window,” conducts a one-off large transaction, an international transfer, or when there is suspicion of money laundering or doubts about the accuracy of previously collected customer identity data.

Organizations develop KYC policies, which are approved by the board of directors and then implemented for compliance purposes. KYC policies are part of a company’s overall compliance program; their purpose is to ensure that the organization takes appropriate measures and does not allow unknown or questionable customers from any jurisdiction to use its services.

The KYC process is usually quite detailed and often uses technology to combat financial crimes such as money laundering, fraud, and other related schemes. KYC procedures help to better understand potential customers and their goals when opening an account with an organization. KYC requirements apply to different types of organizations: banks, money transfer services, payment gateways, money transfer companies, real estate agents, jewelry dealers, and others.

Regulatory KYC requirements

Regulatory KYC requirements help detect early signs of suspicious intentions and transactions before a customer is fully accepted for service. KYC is a procedure for identifying a customer and confirming that they are who they say they are. It involves understanding the customer’s identity, financial activity, and the level of risk they pose to the organization.

In a broader sense, the KYC process includes the following:

  • identifying the customer based on primary documents provided by the customer themselves;
  • determining the true beneficiary and taking measures to verify their identity; if the beneficiary is a legal entity, trust, company, fund, or similar structure, the organization is required to use reasonable means to establish the ownership and control structure of that legal entity;
  • understanding the purpose of opening an account or establishing a relationship.

Identifying and confirming the identity of the customer and the beneficial owner is part of the KYC policy approved by the board of directors. Confirmation of the identity of a potential customer must be adequate and reasonable in order to comply with current regulatory requirements. The goal is to only accept identified and verified customers for service. Customer information can also be verified using independent sources such as media news, websites, and other publicly available information.

How does CDD work?

Customer Due Diligence, or CDD, is a process that allows an organization to gather facts about a customer and understand how much risk they may pose to the organization. Risks include money laundering and terrorist financing. The purpose of due diligence is to identify and verify potential customers before connecting with them or establishing a business relationship.

A business relationship is considered to be established when two or more parties begin to conduct business regularly or perform a one-time transaction. The term “business relationship” is used when professional, commercial interaction with an element of duration is expected. CDD is required when a firm subject to anti-money laundering regulations “enters into a business relationship” with a customer or potential customer.

Organizations need to know their customers for several reasons. First, to comply with applicable anti-money laundering and KYC legislation. Second, to be reasonably confident that the customer is who they say they are and that the requested services can be provided to them. Third, to protect against fraud, including impersonation and identity theft. It also helps the organization to notice and investigate unusual transactions during the ongoing relationship.

In addition, knowing your customer allows you to assist law enforcement agencies by providing information upon request in the event of an investigation following a suspicious activity report. Understanding your customer helps your organization meet the legitimate needs of honest customers in advance; a good compliance system is also good business. Prohibiting anonymous accounts or relationships is a basic requirement of international CDD and KYC standards; many jurisdictions prohibit providing blank or unverified accounts, including for shell banks.

The European Union’s Fourth Anti-Money Laundering Directive (4MLD) requires risk-based CDD measures to be applied depending on the type of customer, business relationship, or nature of the transaction. The organization must be able to demonstrate to regulators that the scope of measures is commensurate with the perceived risks of money laundering and terrorist financing. In line with FATF requirements, 4MLD identifies four parts of CDD and explicitly requires “ongoing monitoring.”

The organization is required to apply customer verification measures if the customer:

  • establishes a business relationship;
  • makes a random or significant transaction that equals or exceeds a transfer of funds in excess of $1000;
  • raises suspicion of involvement in money laundering or terrorist financing;
  • raises doubts about the authenticity or adequacy of previously obtained documents or information for identification or verification purposes.

The organization must also apply CDD measures if a person conducts a single transaction that is significant or unusual, regardless of whether it is carried out in a single transaction or in several related transactions.

A dealer in high-value commodities is also required to apply CDD measures if it conducts a single cash transaction of $10 000 or more, whether in a single transaction or in several related transactions.

The organization must identify the customer if their identity was not previously known and verified by the organization, and take appropriate measures to verify their identity, if this was not done previously when entering into the relationship or during a previous single transaction.

The organization must assess and, if necessary, obtain information about the purpose and intended nature of the business relationship or one-time transaction.

How is CDD conducted?

If the customer is a legal entity, the organization is required to obtain and verify: the company name, its registration number or other registration identifier; the address of the registered office and, if different, the address of the principal place of business. Organizations must take reasonable measures to determine and verify the legal status of the legal entity and its founding documents (articles of association or similar provisions). They must also provide the full names of the members of the board of directors (or, if there is no board of directors, the persons performing management functions) and senior employees responsible for the company’s operations.

If the beneficial owner is another person, the organization is required to: identify the true beneficial owner; take reasonable measures to verify the identity of that beneficial owner to be sure who they are. If the beneficiary is a legal entity, trust, company, foundation, or similar legal structure, organizations are required to take reasonable measures to understand the ownership and control structure of that entity.

If an organization is unable to conduct CDD measures to identify a customer, an account for that customer should not be opened. Organizations are required to refrain from opening anonymous accounts under any circumstances.

Conclusion

Know Your Customer (KYC) and Customer Due Diligence (CDD) recommendations are a critical part of a bank’s risk management and customer risk monitoring practices, as well as a legal requirement for compliance with anti-money laundering laws.

In their simplest form, KYC and CDD are steps taken by a financial institution or business to establish a customer’s identity: collecting and documenting the customer’s name, date of birth, and address. Financial institutions or companies then verify this information, create a risk profile for the customer, and continuously monitor their transaction activity.
