A complete guide to effective customer due diligence

Companies are vulnerable to financial crimes and used as channels for facilitating or carrying out illegal activities, such as money laundering (ML), financing of terrorism (FT), and proliferation financing (PF) of weapons of mass destruction. Thus, it is crucial for them to undertake an effective Customer Due Diligence process to mitigate the ML/FT and PF risks posed by customers. Here is a complete guide to effective customer due diligence to help you fight ML/TF risks.

Customer Due Diligence (CDD) is an essential element of UAE’s AML/CFT regulatory framework, which assesses the ML/FT and PF risks that arise from various factors such as customers, geographies to which customers belong, delivery channels, modes of transaction, etc.

CDD enables businesses to check the legitimacy of their prospective customers by identifying and verifying their identity details and ensuring that the customers are indeed the persons or entities they claim to be. This safeguards their businesses against potential financial crime threats.

What is Customer Due Diligence?

Customer Due Diligence (CDD) is all about identifying potential customers and checking their authenticity and legitimacy. In addition, it means cross-verification of the details provided by the customer for their legal validity and accuracy.

The CDD meaning remains the same, but the procedures change across the industries. In total, there are four aspects of CDD, namely, simplified, standard, enhanced, and ongoing.

By conducting CDD, businesses aim to mitigate the potential for financial crimes such as ML/FT and PF. Additionally, this multifaceted approach serves as a foundational element in establishing trust, credibility, and regulatory compliance within the business landscape.

UAE AML/CFT Regulations for CDD

The UAE has established robust AML laws to combat financial crimes, including ML/FT and PF. These robust regulatory frameworks include Federal regulations, which are aligned with international standards set out by the Financial Action Task Force (FATF).

Additionally, as part of the AML/CFT legal landscape, the regulated authorities in the UAE have released various guidelines supporting the primary regulations for undertaking effective measures.

The UAE’s regulatory framework necessitates CDD measures for every customer. The framework governing CDD is also based on FATF recommendation No. 10, which lays down the principle of undertaking a customer due diligence process. This includes disclosure of beneficial ownership and verification of identities.

Furthermore, Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Designated Non-Financial Businesses and Professions mandate DNFBPs to undertake CDD measures in assessing and combating risk associated with customers based on the risk-based approach taken by the entities.

Role of CDD in AML Regulatory Framework

As a crucial measure of UAE’s AML/CFT regulatory framework, regulated entities are required to undertake CDD measures, which include a thorough process of identifying and verifying customers, assessing their risk profile, and monitoring them throughout their customer lifecycle. Implementation of an effective CDD process helps reporting entities determine the different levels of risk associated with different customers and further establish the appropriate CDD measures for risk mitigation.

The CDD process provided under the UAE’s Regulatory Framework lays down a comprehensive framework for addressing potential ML/FT and PF threats when engaging with both new and existing customers. Therefore, CDD plays an important role in assisting reporting entities in maintaining regulatory compliance and safeguarding themselves against financial crimes.

Reporting Entities subject to CDD in the UAE

The legal framework governing AML/CFT in UAE applies to all financial institutions, banks, insurance companies, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Services Providers (VASPs). Furthermore, these DNFBPs include:
  • Dealers in precious Metals and Stones
  • Real Estate Agents and Brokers
  • Trust and Corporate Service Providers
  • Auditors & independent Accountants
  • Lawyers, Notaries & Other Legal Professionals
Therefore, every reporting entity in UAE needs to adopt an effective AML/CFT framework in order to mitigate and manage ML/FT and PF risks.

When is CDD required?

The need to apply the AML CDD process comes into the picture when a business organisation is required to abide by AML/CFT regulations and intends to establish a business relationship with a potential customer.

In line with the Customer Due Diligence Policy and Procedures, businesses try to understand the following and take adequate CDD measures:

  • Why is an account being opened?
  • How will it be used?
  • What will be the nature of transactions?
  • What will be the volume and frequency of transactions?
The business must verify the customer’s identity and assess the risk profile. Therefore, DNFBPs/FIs must carry out the Know Your Customer (KYC) procedure as part of CDD compliance procedures in the following situations.
  • Customer Due Diligence becomes mandatory and simply inevitable at the time of entering a new business relationship with an individual or a legal entity. This is important in order to verify the identity of the customer. When undertaking the CDD process for a new customer, the customer’s risk profile is also assessed, and the applicability of enhanced due diligence is determined.
  • Various occasional transactions warrant customer due diligence measures. An occasional transaction equal to or exceeding AED 55,000/- requires regulated entities to perform proper due diligence on customers.
  • An occasional wire transfer for an amount equal to or exceeding AED 3,500/- requires proper performance of CDD measures.
  • Business organizations who suspect the involvement of their customers or proposed customers in activities such as money laundering or financing of terrorism should impose KYC, CDD checks.
  • When it is observed that the identification documents provided by potential customers are inadequate, unreliable, or suspicious, KYC and CDD measures must be undertaken.

When is CDD conducted?

CDD is conducted:
  1. Before entering into a business relationship or
  2. During the course of entering into a business relationship or
  3. Before opening an account or
  4. During the course of opening an account or
  5. Before carrying out a transaction with a new customer
  6. Before entering into occasional transactions exceeding monetary thresholds
  7. When there is a suspicion as to ML/TF
  8. When the previously obtained customer identification data is not proper or adequate.

Fundamentals of Customer Due Diligence

At the initial level, CDD starts by verifying the identity of the customer and understanding the nature of its business. The entire CDD process involves certain steps and a few regulatory obligations imposed on DNFBPs under AML/CFT regulations, as follows:

1. Identification of customer

DNFBPs should first identify their customers by seeking personal information like name, date of birth, nationality, and address. This should further be backed by conclusive evidence issued by the Government in the form of a passport, ID Card, Driving License, etc. Businesses need to implement a comprehensive customer identification program (CIP) to comply with legal requirements.

2. Beneficial ownership

Customer Due Diligence measures should identify the beneficial owner of the customer or proposed transaction. This includes understanding the customer’s ownership control or the organisation’s structure.

3. Business Relationship

After verifying the customer and identifying business ownership, DNFBPs should focus on obtaining information related to the nature of the business relationship the client intends to establish.

Step-by-Step CDD Process

1. KYC - Identification and Verification

The foremost step of the CDD process is identifying and verifying the identities of customers before entering into business relationships with them. This process is what we call Know-Your-Customer (KYC). KYC is a fundamental element of the CDD process.

KYC is further divided into two steps: identification and verification of the customer.

a) Identification and collection of customer information

The first step of CDD is to get the essential information from customers or potential customers. A Know Your Customer Form or KYC form can be maintained for this purpose. The information to be obtained for the purpose of AML due diligence includes the following:

– KYC for Natural Persons

Here is the list of information to be sought from the customer:

  • Complete Name
  • Address of the customer
  • Contact numbers
  • Additional/ alternative contact numbers
  • Legit, accessible, and working email address
  • Place of birth
  • Date of birth
  • Nationality
  • Gender
  • Government-issued identification number
  • Occupation
  • Signature

Along with the above, at a minimum, a copy of the ID document and proof of address are also obtained.

– KYC for Legal Entities

Here is the list of information to be sought from the customer who is a business entity:

  • Name of the business entity
  • Type of the business entity
  • Nature of business the entity is into
  • Date and place of establishment
  • Information related to the board of directors
  • Certificate of establishment/incorporation
  • Information related to shareholders or ultimate beneficial owners
  • Annual report for the previous year
  • Information pertaining to senior management

Along with the above, a copy of the trade license, Memorandum of Association, Articles of Association, address proof, UBO details, and organisation chart are also obtained.

In high-risk situations, source of funds and source of wealth information is also obtained.

b) Verification of the customer

The second step of the KYC under the CDD program is to verify all the information that has been collected in the identification step. Again, it is essential to note that most of the collected data can be confirmed with the help of a government agency’s site or any reputable independent institution. For instance, documents like identity cards, tax receipts, and passports can be verified on the respective government portals based on the unique number associated with them.

2. Name Screening

Name screening is done in order to identify if the customer is a sanctioned individual or entity, a politically exposed person or a person with a criminal history and adverse media references. The primary objective behind carrying out the process of name screening is to check that the customers do not fall under the following categories:
  • Sanctioned individual or an entity
  • Politically Exposed Persons (PEPs)
  • Reported in Media with alleged involvement in any criminal activities

3. Customer Risk Profiling

At this stage, the AML Compliance Officer determines the risk level of each customer or potential customer based on various factors. While performing risk-based customer due diligence, the following risk factors are taken into consideration:
  • Type and nature of business relationship/transaction
  • Nationality of the customer
  • Political exposure of the customer
  • Mode of payment (Cash, Bank Transfer, Cheque)
  • Net worth of the individual
  • Documentary evidence available
  • Amount of transaction
  • The complexity of business structure
  • Local/international business
  • Transaction with a customer based in a blacklisted country
  • Transaction with a customer based in a grey-listed country etc.

Customer Risk Rating

Once the customer risk profile is identified, DNFBPs and FIs can decide the type of monitoring and level of controls to be imposed on such customers. The customers are classified into low-risk, medium-risk, and high-risk categories to determine the extent and frequency of monitoring required.

4. Ongoing Monitoring

Once the Customer Due Diligence process is completed and necessary decisions around risk classification have been made, regular monitoring of the customer’s risk profile cannot be overlooked. Monitoring should be carried out regularly for identified accounts for all financial transactions. The customer’s behaviour, along with accounts and transactions, must be compatible with the usual activities, and this needs to be tracked or overviewed at all costs. Depending upon the risks associated, ongoing due diligence frequency is determined.

5. Reporting Suspicion

During employing CDD measures, if the reporting entity comes across any suspicion or reasonable grounds that suggest that a customer is involved in criminal activity, it must take a thorough investigation and must report that information on the goAML platform via suspicious activity report (SAR). It should be noted that all employees, company directors, and officers are prohibited from tipping off customers if a SAR/STR has been filed against them.

Additionally, they need to report other reports, like HRC and HRCA, when engaging with a customer belonging to a high-risk country.

6. Record Keeping

This is the final stage of the entire AML CDD process. At this stage, one has to maintain the CDD-related records in accordance with the retention policies of the business organisation and as prescribed under AML/CFT regulation. In the UAE, AML/CFT regulations require maintenance of Client Due Diligence and other AML/CFT-related records for the period of 5 years from the relevant dates.

However, the record keeping duration varies from one supervisory authority to another.

  • The Virtual Assets Regulatory Authority (VARA) mandates Virtual Assets Service Providers (VASPs) to maintain records for a duration of 8 years
  • Dubai International Financial Centre (DIFC) requires DNFBPs to maintain AML/CFT compliance and CDD records for 6 years.
  • Abu Dhabi Global Market (ADGM) requires DNFBPs and VASPs to maintain AML/CFT compliance and CDD records for 6 years.
A systematic record-keeping facilitates the DNFBPs to meet its reporting obligation under AML/CFT regulations and furnish such details to the relevant supervisory authorities as and when demanded in the context of any Suspicious Transaction Report filed by the DNFBP.

What risks does a reporting entity face if it fails to carry out CDD?

If a reporting entity like a financial institution, DNFBP, or VASP does not carry out Customer Due Diligence, it harms its reputation and exposes itself to various risks like ML/FT and PF. It may also be subjected to administrative penalties. Further, a regulated entity must not enter into a business relationship if it fails to carry out customer due diligence and consider filing SAR/STR with the UAE FIU.

Types of Customer Due Diligence

Reporting entities deal with different types of customers, having different backgrounds, reasons for business establishment, wealth structures, etc. Similarly, risks associated with customers also vary, requiring different kinds of measures to deal with them.

To enhance the overall capabilities of the AML framework, reporting entities need to undertake different CDD procedures.

The following are different types of CDD processes that the reporting entity needs to undertake:

1. Simplified Due Diligence

The process of simplified customer due diligence comes into the picture when the customer belongs to a low-risk category. The Designated Non-Financial Business and Professions (‘DNFBP’) is required to know the customer’s identity and basic details under a simplified customer due diligence process, and there is no need to carry out detailed due diligence.

2. Standard Due Diligence

Generally, DNFBPs adopt Standard Customer Due Diligence procedures for the majority of the customers. As a part of this process, the identity of the respective customer is verified from several reliable sources. In addition to that, DNFBPs also determine and evaluate the nature of the customer’s business or the customer’s purpose for entering into a transaction with the DNFBP.

3. Enhanced Due Diligence

Enhanced Due Diligence is usually required for only those customers who have a high-risk quotient and are more likely to get involved with money laundering or financing of terrorism. There are undoubtedly quite a few factors that clearly establish that a particular customer hails from a high-risk background. For instance, Politically Exposed People (PEPs) are usually categorised as high-risk customers and require enhanced customer due diligence.

With the help of enhanced customer due diligence, the information of the customers is verified, and critical information like the origin or the source of their funds, source of wealth, and the primary purpose of the transaction is obtained.

Further, as a part of the enhanced CDD measures, it is ensured that the customer makes the payment from the bank account in his own name.

It is also required to obtain approval from senior management before entering into a transaction with high-risk customers. Once you meet the above Enhanced Due Diligence Requirements, you can carry out transactions with the customer.

Ongoing Due Diligence

The risks associated with a customer change over a period of time. One needs to have a proper monitoring system in place to detect changes in customer profiles. Ongoing due diligence should aim at discovering changes in the attributes related to a customer. Say a customer becomes a Politically Exposed Person or is placed on a Sanctions list. The KYC software should trigger alerts for the compliance officer the moment it detects changes in the customer profile, which necessitates a change in the risks associated with them.

Unless regulated entities require customers to provide their KYC documents on a regular basis, it becomes difficult to detect changes in their risk profile. A change in risk profile would also be reflected in the transaction patterns associated with a customer.

If the customer happens to be a High-risk customer, he should be placed under more frequent monitoring and CDD refresh.

Here’s a checklist of circumstances requiring KYC refresh:
  1. Changes in the beneficial owner
  2. Customers making unusual transactions not aligned with their profile
  3. Changes in a business relationship with a customer
  4. Changes in ownership structure at the customer’s end

Why is CDD necessary?

As mentioned above, CDD is a crucial process for assessing risks associated with customers and ensuring compliance with regulatory compliance.

Here’s a list of reasons that make undertaking the CDD process necessary:

Take a Risk-Based Approach

It is important for reporting entities to adopt the risk-based approach to help them assess risks based on different factors like geographical location, nature of business, etc. CDD facilitates taking a risk-based approach by adopting measures that assess the level of risk associated with the customers, which allows them to tailor their risk management strategies and allocate resources to high-risk customers where they are most needed.

Prevent Financial Crimes

It is important for reporting entities to employ measures that help prevent and detect illicit crimes, including ML/FT and PF. For this purpose, reporting entities undertake CDD measures, which aid in identifying and mitigating the ML/FT and PF risks. Further, it also helps them to easily detect and prevent suspicious activities by verifying the identities of customers and understanding the nature of their transactions.

ML/FT Risk Management

The whole reason why reporting entities adopt an AML framework is to effectively manage ML/FT and PF risks. The CDD process helps them to effectively manage the ML/FT and PF risks associated with customers. Additionally, by implementing robust CDD procedures, reporting entities can identify high-risk customers and transactions and, based on that, implement appropriate control measures and report suspicious activities.

Maintain Reputation

It is essential for reporting entities to maintain their reputation in order to grow and keep doing business. Undertaking CDD practices helps reporting entities to effectively detect and deter ML/FT and PF risks associated with customers, which further aids them in maintaining their reputation in the eyes of regulators and customers, which is essential for long-term success.

Maintain Financial Integrity

The business of reporting entities depends highly on the financial sector in which they are working. For this reason, they need to take actions that help maintain financial integrity. Employing effective CDD processes prevents illicit activities, which aids in maintaining and upholding the integrity of their operations and financial system and further contributes to a safer and more transparent financial environment.

Comply with Regulations

Reporting entities are mandated to comply with the regulatory framework. In UAE, the AML/CFT legal framework requires reporting entities to comply with regulations. Therefore, undertaking CDD practices helps them fulfil their regulatory obligations and avoid penalties, legal consequences, and reputational damage.

Benefits of Effective CDD Measures

Implementing robust CDD measures helps reporting entities to effectively measure the risks associated with customers.

The following are some points highlighting the benefits of undertaking an effective CDD process:

Risk Mitigation

CDD helps reporting entities check the background and activities of customers, which helps them to easily assess the ML/FT and PF risks associated with customers and accordingly take mitigation measures.

Regulatory Compliance

Conducting CDD measures is a regulatory requirement. Therefore, reporting entities must undertake effective CDD processes to comply with regulatory requirements, which is essential to avoid fines, penalties, and legal actions.

Decision Making

Employing CDD measures helps reporting entities get valuable insights about customer identities, which aid in decision-making about onboarding, monitoring, or terminating customer relationships. Furthermore, it helps them assess whether customers align with their risk appetite and business objectives.

Prevention of Financial Crime

CDD helps reporting entities to identify and verify the identities of customers, which further prevents financial crimes such as ML/FT and PF thus safeguarding the integrity of the financial system.

Adoption of a Risk-Based Approach

CDD measures facilitate reporting entities to adopt a risk-based approach to the AML compliance framework. This helps them to employ focused measures for high-risk customers and transactions while applying less-intensive measures to lower-risk ones.

Base for Enhanced Due Diligence

CDD processes help identify high-risks, such as PEPs or sanctioned individuals. This forms the basis for conducting EDD to gather additional information and mitigate associated risks.

Facilitates Ongoing Monitoring

CDD is a continuous process that monitors customer activities for any suspicious behaviour or changes in risk profile. This helps reporting entities to comply with ongoing compliance and risk management.

Limitations of CDD:

Although CDD is one of the important elements of the AML/CFT framework, there are various limitations of CDD in combating financial crimes and ensuring regulatory compliance.

Here’s the list of limitations of CDD:

Complexity

CDD requires undertaking thorough processes and procedures to gather and analyse various types of information about customers, their transactions, and potential risks. This makes the entire CDD process intricate and complex.

Reliance on Third Party

The main element of the CDD process is collecting and verifying data. For this purpose, reporting entities need to gather information from external sources, which introduces their dependencies on third parties, increases potential inaccuracies in the data, and further makes the verification process lengthy and complex.

Resource Intensive

Undertaking thorough investigations and monitoring processes, especially for large volumes of customers or transactions, requires significant resources in terms of time, experts, and technology to conduct. Therefore, CDD takes up a lot of resources, which indirectly impacts the efficiency of the reporting entities.

Difficulty in identifying UBOs

Reporting entities deal with various kinds of customers. Determining the true beneficiaries or owners of complex corporate structures from such numbers of customers can be challenging for them, especially in cases of shell companies or foreign entities.

Dynamic Nature of Risk

Financial crimes keep evolving, and criminals find new ways to facilitate their activities, including ML/FT and PF. This requires the reporting entity to take additional measures to adapt and stay updated to effectively mitigate these risks, making the CDD process more complicated and lengthier.

Dynamic Regulatory Framework

Compliance requirements and regulations related to CDD may change frequently to combat the dynamic nature of financial crimes. This evolving legal landscape makes it difficult for reporting entities to stay consistently compliant.

Privacy Issue

CDD process is about collecting, verifying, and maintaining customer information. However, this often leads to resistance from customers who are concerned about sharing their personal information due to privacy reasons. This reluctance poses a significant challenge, as it can make the CDD process seem intimidating and unwelcoming to customers.

Time Consuming

A thorough CDD process requires undertaking various processes and practices, which can be time-consuming. This leads to delays in onboarding new customers or processing transactions, which not only impacts customer experience but also affects the overall efficiency of business operations.

Best Practices for Effective CDD Program

Employing CDD is of utmost importance for the reporting entities to combat the ML/FT and PF risks. However, the CDD program should be effective and capable of detecting and preventing risks associated with customers or transactions. Therefore, to adopt an effective CDD program, they need to incorporate a few best practices.

Here are some practices that reporting entities can employ for adopting a comprehensive CDD program:

Adopting a Risk-Based Approach

Reporting entities engage with various customers who pose different levels of risk. Therefore, they need to adopt tailored CDD measures based on the customer’s risk profile. For this purpose, they should implement a risk-based approach while employing CDD measures that consider various risk factors like their industry, geographical location, transaction volume, and the products or services they use. Risks must be prioritised for their impact, and commensurate controls must be put in place.

Establishing CDD measures

CDD is a thorough program that requires undertaking CDD measures. Therefore, reporting entities should clearly define the steps and requirements of processes for undertaking CDD on new and existing customers.

Name Screening for Sanctions, PEP, and Adverse Media Checks

CDD is all about assessing the risk associated with customers by identifying and verifying their profiles and activities. As part of the CDD screening process, reporting entities should implement robust screening processes to identify any matches with sanction lists, politically exposed persons (PEPs), or adverse media coverage. This helps them mitigate the risk of customers involved in illegal or high-risk activities.

CDD Process Automation

Reporting entities should automate their CDD process using modern solutions and technologies to retrieve and evaluate data, determine risk levels, and make customer onboarding decisions based on results. This automation helps them to streamline their AML compliance efforts, which reduces manual errors and enhances the effectiveness of their risk management strategies in countering ML/FT and PF risks.

Data Security Measures

The main element of the CDD measure is collecting information from customers. However, maintaining information becomes challenging due to customers being hesitant about their private information. Therefore, to safeguard customer information and sensitive data, reporting entities can install effective data security measures such as encryption, access controls, regular security audits, and compliance with data protection regulations.

Regulatory Reporting

Reporting entities are required to assess suspicious activities and ensure compliance with relevant regulatory requirements by accurately reporting them to the appropriate authorities. They should be attentive when conducting CDD practices that assess customer risk about any suspicious activities or transactions. Further, based on the assessment, they should file STR/SAR reports or other regulatory filings on the goAML portal as soon as possible.

Periodic Reviews

Onboarding customers, as well as engagement with customers, is an ongoing process. Therefore, reporting entities should conduct regular reviews of customer information and transaction activity to ensure ongoing compliance with CDD requirements. They should also update customer profiles as necessary based on changes in risk profile or regulatory requirements.

CDD Training Programs

Conducting CDD requires expertise. For this purpose, reporting entities should provide comprehensive training to employees involved in the CDD process so they can easily understand their roles and responsibilities. These training programs should cover regulatory requirements, risk assessment methodologies, and the use of CDD tools and systems.

Record Keeping

It is a compliance requirement that reporting entities should keep a record of AML measures. Therefore, they need to maintain thorough and accurate records of CDD activities, including KYC documents, risk assessments, and transaction records. This documentation is essential for audit purposes, submission to regulated authorities when intimated, and demonstrating compliance with regulatory requirements.

AML Customer Due Diligence Checklist

Here is the CDD checklist that the compliance team must follow to ensure that they don’t miss out on any of the customer due diligence steps:
  1. Collect Customer ID and Residential Proof
  2. Verify Customer ID and Residential Proof
  3. Perform screening against the UAE Local Terrorist List and UNSC Sanctions List
  4. Perform Customer Risk Assessment
  5. Ongoing Monitoring of Business Relationships with Customer
  6. Record Keeping for 5 Years

Final Words on Effective CDD Process

Anti Money Laundering Customer Due Diligence is an important element of an effective AML CFT Program. Customer Due Diligence is the primary responsibility of the compliance team and frontline employees. Customer Due Diligence checks help identify red flags and counter ML/TF risks.

AML UAE provides consulting services on customer onboarding, KYC processes, CDD, and risk profiling of customers. If you are looking to automate your CDD functions, we can help you with the customer due diligence software. We also provide training on customer due diligence procedures and help you comply with UAE AML laws and regulations.

About the Author

Linkedin

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.