Effective Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures to Know Your Customer (KYC) are incredibly important for businesses to protect themselves against becoming exploited by criminals and exposed to fines from Regulators. According to Fenergo, global regulators issued financial institutions with more than $10 billion in Anti-Money Laundering (AML) fines, up 26 per cent on 2019. Of this total, UK authorities issued the second highest number of fines at $199,306,927. In one case, they fined the German Bank Commerzbank, $47 million. In addition, HMRC handed out a record £23.8 million in fines in 2020. The UK is rated as having the most robust procedures for tackling money laundering in the world by the Financial Action Task Force.
But it is more than just the possibility of being fined; if a business is found to be handling money gained from criminal activities, it can be very damaging for its reputation, and it could be inadvertently aiding the promotion and financing of terrorism. But on a more positive note, EDD can lead to insights into your customers that help you serve them better and improve customer satisfaction and revenue.
In this best practices guide and checklist, we therefore explain: the stages of customer due diligence; where enhanced due diligence fits in; which institutions need to do enhanced due diligence: and best practice for cost-effectively carrying it out whilst ensuring the maximum level of protection.
When people talk about enhanced due diligence and customer due diligence in conjunction with large fines and regulations, it can be scary and confusing. After all, due diligence is a very common term and in fact something we all do daily. If we buy a new sofa, it is our job to read reviews to do our due diligence on the product. Businesses will also do it across all their operations and supply chain to make sure they are aware of risks and have contingency plans in place for price rises and natural disasters, among other things.
In this case, we are talking about customer due diligence; be that straightforward low risk or enhanced “Know Your Customer” (KYC) profiling. Businesses need to conduct enhanced and simplified KYC for a multitude of reasons. For example, a business may want to carry out due diligence on its customers for things like links to modern slavery or unethical practices. In the gambling and gaming industries, operators need to carry out EDD to ensure customer spending accords with their “affordability”; however, for the purpose of this blog we are looking at enhanced due diligence obligations in line with the Money Laundering Act and subsequent anti-money laundering (AML) regulations.
Not every business is bound by money laundering regulations, but the ones below are, and it extends beyond just financial institutions:
If you fit into one of the above sectors, then you must be monitored by a supervisory authority. In the case, of businesses authorised by the Financial Conduct Authority (FCA) or belonging to the Law Society, there will be supervision as a matter of course, but for the other sectors they will have to register with HMRC.
Enhanced due diligence checks are, as the name states, additional, more thorough checks than basic customer due diligence.
When you go to the bank or register online to open a new account you will be asked to prove you are who you say you are, by showing a photo ID and usually a supporting bill verifying your address. Unless you send off a risk trigger that invites enhanced checks, the bank will carry out simple customer due diligence on you rather than enhanced due diligence. The reason is that the Financial Action Task Force (FATF) expects that all countries and businesses operate using a risk-based approach to anti-money laundering precautions. This applies to every aspect of AML compliance, including Enhanced Due Diligence, meaning EDD is only required for customers who could be considered high-risk, or high net worth.
For the above example, in the absence of any other risk triggers, it would be deemed that the level of due diligence is sufficient. However, if risk is identified, then enhanced due diligence is necessary to do more to prove that the individuals is who they say they are and are not on any government watchlists or sanctions lists – For example, for money laundering or terrorist activity.
Unfortunately, as FATF builds flexibility into the system, deciding the risk factors that should trigger enhanced due diligence – and the level of EDD, which we will discuss later – are not always obvious. In Europe, under Article 18 of 4AMLD, any business located in a country on the High-Risk Third Countries list requires EDD. Similarly, any politically exposed persons (PEPs) or their close associates or family members must also go through the more thorough examination process. However, other triggers are not necessarily so clearly mandated, but it is a good idea to take the below into consideration:
– The customer is a Politically Exposed Person (PEP)
– The customer is a Special Interest Person (SIP)
– Any person or entity with a sanction
– A large amount of adverse media or news
– High net-worth
– Customers associated with unusual, complex or purposeless transactions
– Countries which have sanctions or embargoes levelled against them
– High-risk third countries
– A country on the FATF list of Other Monitored Jurisdictions (greylist)
– A country on the FATF list of Call for Action Jurisdictions (blacklist)
– Any countries which have proscribed terrorist organisations within them
Fines can be imposed for not referring appropriate cases for EDD checks, not having a rigorous approach and for not investigating them in enough detail; therefore, it is extremely important to make sure you have best-in-class processes for EDD investigations and checks.
There are no official guidelines on what enhanced due diligence should entail, what the report should look like, and how much information on a customer it is necessary to collect. However, there are a number of things you can do to help protect yourself if you are audited by the relevant supervisory body for your industry.
Without an official set of guidelines, you must show that you have tried to find information on the person from across various different data sources. For example, if the customer is trying to deposit a large amount of money, your objective should be to show that it is within their means to have that money legitimately and you have verified the source of funds. Some of the ways you might do that are to show they have numerous businesses they have run for a while, that they have property, or that they have a high paying job. This might be shown from land registry documents, companies house, and from financial data from Experian, TransUnion or Equifax.
Adverse media or open-source intelligence (OSINT) is also extremely helpful as it may reveal details around recent inheritances, a wealthy background, that they were an ex-professional footballer or singer, or any other thing that could justify your decision.
It is not enough to just gather a lot of information from various sources if they don’t plausibly address the risk. It is therefore essential for you to clearly state why you collected from these sources above others and risk score the finding.
Your investigation should show that when false positives have arisen that those avenues have been thoroughly investigated and discounted rather than ignored.
Your entire process should be documented and all evidence and research auditable with sources attributed in a standardised report. This is particularly important as you may be asked to provide that report a long period after it is initially written, necessitating the need to also make sure all sources are still available, and your report is up-to-date.
As links and suspicious activity needs to be thoroughly investigated, you should ask yourself as a business if you have the in-house skills to carry out credible, professional EDD checks. If not, you should look to employ a consultant or business that has this expertise.
Understand the level of risk and match it with more enhanced levels of due diligence. If you have a Politically Exposed Person (PEP), they are a higher risk because of the potential to be used for money laundering.
Assume your customer is legitimate and ask them to help with the EDD check by answering questions and providing further evidence.
As the status of a customer can change at any time, it shouldn’t be the case that you just do the check while onboarding or after a large deposit. You should build ongoing monitoring into your processes to check for changes to the risk triggers.
Manually doing this kind of check across multiple data sources is an extremely time-consuming exercise, fraught with human error as you have to copy and paste and explore suspicious activity red flags over numerous data sources. A software solution that can automate this process allows you to get the research done for an EDD check much faster, leaving you with more time to make the right decision. In addition, it will allow you to generate a standardised and auditable report to present to the relevant authorities when called upon to do so.
Synalogik’s software platform, Scout®, is a one-of-a-kind efficiency solution when multiple disparate data sources are needed for EDD checks and investigations. Scout is data agnostic, integrating internal, open source and out-of-the-box most 3rd party data providers, allowing you to seamlessly automate search and reporting across all the datasets you use, not just the ones included from your solution provider. Our 3rd party integrations include Equifax, W2 Global, LexisNexis, Creditsafe, TransUnion, GBG and many more.
Our open approach means it is possible to have more complete automation across all your datasets, delivering greater efficiency and insight.