Excellence in EDD for High-Risk Customers: Common Slip-ups You Can’t Afford to Commit

This article provides insights into achieving excellence in EDD for high-risk customers and sheds light on the common slip-ups you can’t afford to commit.
Not all your customers are the same. Their requirements differ. Their expectations for support services vary. Similarly, their risk profiles are also distinct. Some pose a higher risk to your business, while some are safe to transact with.
As a business entity in India with strict AML measures, knowing which of your customers are high-risk and which are low-risk is essential.
For high-risk customers, you need Enhanced Due Diligence (EDD). You need to conduct thorough investigations and take a deep dive into customer profiles. With more data on such high-risk customers, you can identify the degree of risk involved and determine whether it can be managed and how it relates to the business’s risk appetite.
However, entities make some common mistakes while conducting EDD. If you know them, you can avoid committing them. So, in this blog, we list the mistakes reporting entities make while conducting the EDD process for high-risk customers.
But before that, we’ll try to understand the characteristics of high-risk customers.

Characteristics of High-Risk Customers in India

Let’s look at the critical aspects that may make a customer high-risk.
  • Persons associated with sanctioned individuals or businesses
  • Persons identified as terrorists or associated with one
  • Politically Exposed Persons (PEPs) and their close relatives
  • High-net-worth customers
  • Non-resident Indians (NRIs)
  • Foreign nationals
  • Customers with complicated business structures involving subsidiaries and business units
  • Individuals or entities with unexplained wealth, earnings, or net worth
  • Customers with bases in high-risk countries or with no or weak AML regulations
  • Non-face-to-face customers
  • Shell corporations
  • Companies with close family members as shareholders or beneficial owners without any business rationale
  • Firms with sleeping partners
  • Customers once identified as involved in a suspicious transaction or who have any negative media references against them
  • Relationship with a company registered in a country where it has no physical presence and is not affiliated with any regulated group
  • Trusts, NGOs, and charities receiving donations
  • Pooled accounts
  • Virtual currency transactions
Moreover, customers insisting on the below types of transactions may also be classified as posing high risk:
  • Large or complicated transactions
  • Transactions involving multiple parties, which are unknown to you
  • Cash-only transactions

Regulations for Enhanced Due Diligence in India

India is at the forefront of devising initiatives to reduce the threats of financial crimes. Strict regulations exist under the Prevention of Money Laundering Act, 2002 and the IFSCA (AML, CTF, and KYC) Guidelines, 2022, around KYC, KYT, due diligence, and other AML measures. Even for Enhanced Due Diligence, these AML regulations mention some key provisions.
Entities must conduct EDD for high-risk customers. In such cases, entities must verify the identities of customers prior to the commencement of the business relationship. As part of the EDD process, you must apply the following additional measures to gather information and data on customers:
  • Understanding the customer’s source of funds involved in the transaction
  • Rigorous checks on the beneficial owners of the customer
  • Overall financial position of the customer, including verifying their source of wealth
  • Making detailed inquiries about the purpose and background of the transaction
  • Obtaining senior management approval, apprising them of the risk involved and seeking their go-ahead
  • Increasing the degree and frequency of monitoring transactions with high-risk customers
  • Ensuring that the customer makes the first payment towards the goods or services through their own account (specifically provided in the IFSCA Guidelines as one of the measures for managing high risk)
As part of EDD, once the additional information is gathered, verify it using reliable, independent sources. You can use public registries, credible third-party databases, or other sources for verification, including seeking government-issued documents from the customer.
Drop the business relationship if the high-risk customer fails to submit the requested documents and details necessary to carry out the EDD process effectively. If you fail to successfully conclude the EDD process on a high-risk customer, you must consider whether the situation involves any suspicion and whether it is necessary to report it to FIU-IND by filing a Suspicious Transaction Report (STR).
The EDD measures must be enough to meet the AML compliance requirements in India. The entity must ensure that it has implemented the necessary measures against high-risk customers. This proves the entity’s risk-based approach in managing the risk in accordance with PMLA and the IFSCA Guidelines.
You must keep EDD records to show to the concerned authorities when requested. You must maintain the records of EDD results for five years from the transaction date or the end of the business relationship with high-risk customers. This requirement is six years for an IFSCA-regulated entity.
You must follow these EDD regulatory requirements in India to ensure AML compliance. If you fail to do so, you might increase your business’s money laundering risks and end up facing adverse consequences such as reputation loss and penalties for non-compliance. So, adopt the best practices of EDD and proceed with it. Ensure you do not make the common errors enumerated in the section below.

Usual slip-ups in Enhanced Due Diligence Procedure

Inadequate data on customers for enhanced investigation

EDD requires a lot of additional information about the customer. This includes personal, occupational, and financial details. You must have data on the following aspects of your customer:
  • Full name
  • Registration details and office address in case of corporate customer
  • Residential address of an individual customer
  • Details of the beneficial owners and senior management in case of corporate customer
  • Details of the customer’s occupation or business activities
  • Sources of funds and source of wealth, including overall financial position
  • Coverage in negative media or sources
You will need all these details to thoroughly complete the verification of your high-risk customers. It helps you confirm the legitimacy of the customer, be it individual or corporate.
You can check customers’ financial position by checking the source of funds and wealth and determine whether the proposed transaction is in line with these details. With background checks, you can discover the client’s reputation in the market and come to know about their past involvement in illegal activities.
The information might be incomplete or inaccurate if you are lackadaisical in your approach. Collect all these data points from your customers or through independent research for a smooth EDD process.

No reference to reliable data sources to verify customers’ identities

You collect all the information from customers. But are you sure of its genuineness? Have your customers submitted actual documents for verification?
You cannot be dependent only on the data submitted by the customers. You need to check and verify the legitimacy of the data from reliable and independent data sources. Use government databases, publicly available sources, or renowned third-party data providers.
Information or data declared by the customer may not be reliable because customers might fake them or manipulate some details. In such cases, EDD will be inaccurate, leading to transactions with high-risk customers without applying necessary safeguarding measures. These are risky for your business and AML compliance.

Trusting only technology over humans or vice versa

Technology systems can help make the process faster, more accurate, and more complete. You can be sure of your results and that you haven’t missed anything. But what about the touch of human thinking and analysis in your EDD process? It’s necessary to have humans analyse the risks for a nuanced view of them.
An EDD process managed only by humans may also be error-prone, because they might miss data or make errors while evaluating the huge volume of information or documents. So, you cannot ignore technology either.
The optimal solution is to combine the expertise of technology and humans for the best results. You can run the data on technological solutions, and then experts can scan through them.

Conducting Due Diligence only once during the entire relationship

The risk profiles of customers keep changing. So, you cannot base your decision on one such instance of due diligence conducted at the time of customer onboarding. You must keep it going.
Engage in frequent monitoring of high-risk customers. It must be an ongoing process so that you can track the changes in customers’ risk profiles. Also, as new transactions take place with these customers, continue with transaction monitoring and ensure that the transactional pattern aligns with the customer’s profile known to you.
So, never make the mistake of only doing Enhanced Due Diligence once. Make it a frequent exercise to capture the variations in the factors involved and ensure that you stay on top of the customer’s ever-changing risk profile.

Using outdated lists of PEPs, sanctions, and terrorists to match customers

While conducting EDD, you compare customers against lists of sanctions, PEPs, and other watchlists, including adverse media. If you use outdated lists, your results will be unreliable. You must have the latest watchlists from reliable sources for up-to-date and relevant results.
So, make it a practice to check for the latest lists.
In the case of adverse media checks, ensure that both the oldest and the latest news sources are checked. Negative coverage of the customer can come from any year. Also, you must track all possible media sources for negative news. Do all of this to produce accurate results on your customers’ EDD.

Failure to retain records of EDD

Your EDD results are critical for your business. You might need them later in your AML procedures. So, create proper records and maintain them for at least five years as instructed under the PMLA (or for six years as required under the IFSCA Guidelines).
Also, you must keep these records in proper formats. Maintain consistent standards so that every year’s records follow the same template. You must update them as and when you repeat your investigations, as part of an ongoing review or upon changes in the customer’s profile. So, practice maintaining accurate, complete, up-to-date, and consistent records of EDD.
In the case of missing EDD records, you will not have enough proof when asked by authorities. Also, you might not have past documents to refer to while conducting further investigations.

Forgetting to build a collaborative environment for an efficient EDD process

The EDD process is not the responsibility of a single team. The customer-facing team needs to gather data from all customers. The compliance team will collect data from reliable third-party sources, assess all the data points from the different sources, and reach a conclusion.
Different teams will carry out all these procedures. But they must collaborate and cooperate on the smooth execution of this process. They must maintain clear communication to facilitate effective results from EDD. You must train the employees on handling processes to ease the EDD execution.

Overlooking the escalation of suspicious cases of transactions with high-risk customers

EDD is for investigating high-risk customers. So, what about the EDD results? What do you do with them? Just sit back, happy that you have identified your high-risk customers?
Having carried out additional verification checks on the customer, you must notify your senior management about such high-risk customers and seek their approval to establish and continue the business relationship with them.

Failing to plan for data protection and confidentiality

For EDD, you will collect a good amount of customer information. You’ll have details on their finances, job, and access to other sensitive information. Customers’ biggest fear is data leakage or access by a third party.
So, you must make it a practice to plan for data privacy and protection. You must adopt every possible way and technology to keep data safe and secure. Safeguard customer information in the most secure way and retain it for future use. Restrict access to this data to a few trustworthy people in your company.

Not investing in the audit and quality review of EDD procedures

Are you happy with your EDD procedures? Are you confident of the EDD measures and their capability to manage your increased risks? Do they reflect the changes in laws and industry practices?
If the answer is no, you must realise it’s high time for a quality assurance check.
You must audit the EDD process to assess its effectiveness. Ensure that the EDD procedure and its results contribute to achieving AML compliance in India. For this, you must put in place a quality assurance program for frequent checks of the EDD process.
Based on the results of these checks, you must update your EDD policies. These changes and updates must align EDD with PMLA and the relevant AML guidelines, including the FATF recommendations. Also, these policies should resonate with business goals and the sector’s AML best practices. Thus, continuous improvement is essential to adapt to the changing conditions and emerging risks.
You must avoid these significant slip-ups while performing EDD for high-risk customers. If you need help in performing EDD, AML India is right here.

Niyeahma’s contribution to your AML compliance

Niyeahma is a reliable provider of all kinds of services to help your business become AML compliant. We help entities have a smooth transition from non-compliance to compliance. You can partner with us for all AML services to prevent ML/TF threats.
We help entities conduct customer due diligence and identify high-risk customers. After this, we will conduct enhanced due diligence for further investigations into such customers. Thus, we adopt all the necessary best practices to avoid the risks of financial crimes.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 7+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.