Editor note: this article was originally published in August 2021 and was updated in August 2024 to reflect regulatory changes.
Customer Due Diligence (CDD) is not on top of most people’s list of fun things to do, but it has become an essential part of daily working life for those of us who need to verify customers’ identities and/or their source of wealth or funds.
Here at tic company we have carried out thousands of identity verifications and use our AMLOnline portal to make life easier, but even with great technology to help us it is important to understand the different types of customer due diligence and how and when to carry them out.
Here we dive into the five different types of customer due diligence and what it means for businesses.
What is customer due diligence?
To put it simply, customer due diligence is the process of collecting customer data to ensure customers are who they say they are, and to determine the level of risk they may present to your business. Identifying data can include official documents bearing the customer’s name and photograph, which confirm their identity, date of birth and residential address. Identity can be verified in two ways:
- Documentary verification
- Electronic verification
Verification of address can be done using documents, data or information issued by a reliable and independent source.
When is customer due diligence required?
CDD is required when a business which is bound by AML regulations starts a business relationship with a customer or a potential customer, or their relationship with an existing customer ‘materially changes’ and they need to verify customer identity and risk profile.
The Financial Action Task Force (FATF) advises that customer due diligence should be carried out when:
- establishing business relations;
- carrying out occasional transactions: (i) above the applicable designated threshold which is currently $10,000; or (ii) that are wire transfers in the circumstances covered by the Interpretative Note to Special Recommendation VII;
- there is a suspicion of money laundering or terrorist financing;
- you have doubts about the veracity or adequacy of previously obtained customer identification data.
For many businesses dealing with financial transactions this means carrying out due diligence checks on hundreds of customers every year. CDD checks are not restricted to the customer themselves: they also extend to other people associated with your customer, such as those acting on the customer’s behalf, those with effective control, beneficial owners, nominee directors and nominee shareholders, to name a few.
Who do businesses need to include in their due diligence process?
In many cases you will not only need to carry out customer due diligence on your client but will also need to include:
- any beneficial owner of a client (the person who ultimately owns or controls the customer), whether directly or indirectly; and
- any person who holds a prescribed ownership threshold in the customer, or any person acting on behalf of a client (the person operating or transacting on an account or facility that is held by your customer).
The reason for these inclusions is so that you can verify the identities and relationships associated with your customer and remove the ability for ownership to be hidden, since hidden ownership may indicate a higher level of ML/TF risk.
This can all seem a bit daunting and time consuming when you have a million tasks to get through each day, but compliance with the AML/CFT Act is essential, and failing to comply can have serious financial consequences for your business. In May 2021 the Reserve Bank filed legal action against TSB for breaches of the AML/CFT Act, which resulted in TSB agreeing to pay $3.85 million in penalties. This is just one case; many other businesses have received formal warnings and/or fines for non-compliance.
Having a compliance officer in your business who understands what needs to be done to comply with regulations and/or working with a reputable AML company can help you stay on track and guide you through AML audits as well as ensuring you are following the correct customer due diligence processes.
Types of customer due diligence
There are different types of customer due diligence processes and it is important to use the right one for any given situation:
- Standard CDD
- Simplified CDD
- Enhanced CDD
- Delayed CDD
- Ongoing CDD
Standard CDD
Use standard customer due diligence when you need to obtain information about the nature and purpose of the proposed business relationship and your customer has not been assessed as high risk. Note that if your customer is a trust, this automatically triggers enhanced customer due diligence, as trusts are considered high risk by the Supervisors.
What you need to do
Identify entities – gather identifying information on your customer, the beneficial owner(s), and any person acting on behalf of your customer. Data to be obtained includes:
- the person’s full name; and
- the person’s date of birth; and
- if the person is not the customer, the person’s relationship to the customer; and
- the person’s address or registered office; and
- nature and purpose of the proposed business relationship; and
- any information prescribed by regulations.
Determine risk – decide on the level of money laundering and terrorist financing risk involved. Collect sufficient information to determine whether enhanced CDD needs to be conducted on the customer.
Verify information – according to that level of risk, verify the identity of the relevant persons. For natural persons, use the Explanatory Note: Electronic Identity Verification Guideline July 2021. This Explanatory Note provides best practice advice for businesses carrying out name and date of birth identity verification on customers (that are natural persons) who have been assessed as low to medium risk.
Simplified CDD
Generally, simplified customer due diligence relates to customers that are already subject to transparency and public disclosure. These are the prescribed entities identified in section 18(2) of the AML/CFT Act, such as government entities, local authorities or public service agencies.
What you need to do
Meet the criteria – identify and record that the customer meets the criteria for simplified CDD. Check it on the list in section 18(2) of the AML/CFT Act.
Nature and purpose – obtain information about the nature and purpose of the proposed business relationship between you and the customer.
Identify entities – record the full name of the entity in question and a brief explanation of how it falls within section 18(2). Information also needs to be gathered about the identity of any person acting on behalf of the entity.
Determine risk – according to the level of risk, verify the identity of that person and their authority to act on behalf of the entity using the Amended Identity Verification Code of Practice.
Enhanced CDD
Enhanced customer due diligence is used for high-risk customers. This may be when:
- Your customer is a trust or another vehicle for holding personal assets.
- Your customer is a non-resident from a country that has insufficient anti-money laundering and countering financing of terrorism systems or measures in place.
- Your customer is a company with nominee shareholders or shares in bearer form.
- Your customer is a politically exposed person (PEP).
- Your customer is a company with one or more nominee directors.
- Your customer is in a business relationship involving a limited partnership with a nominee general partner.
- Your customer wants to carry out complex or unusually large transactions, or an unusual pattern of transactions, that appear to have no lawful or economic purpose.
- The business relationship with the customer involves new or developing technologies or products that allow anonymity.
- The customer is seeking to conduct an occasional transaction or activity that involves new or developing technologies or products that could favour anonymity.
- You consider that the level of risk involved is such that enhanced CDD should apply.
These requirements fall under section 22 of the AML/CFT Act.
What you need to do
Confirm risk – determine the level of risk your customer poses. Consider the location of your customer, the types and frequency of their transactions, whether they are a politically exposed person, and whether they use a trust or other vehicles (such as limited partnerships or companies with nominee directors or shareholders) to hold personal assets.
Nature and purpose – obtain information about the nature and purpose of the proposed business relationship between you and the customer.
Identify and verify identities – identity information must be gathered about the customer, the beneficial owner(s) and any person acting on behalf of the customer, and that information must be verified.
Source of Wealth/Funds – obtain information about your customer’s source of wealth or source of funds. You must record this information and take reasonable steps, according to the level of risk involved, to verify it using other reliable and independent sources. You must document in your Compliance Programme the circumstances in which you will collect Source of Funds, Source of Wealth or both.
Since the legislative changes introduced in June 2024, you also need to collect additional information where you have grounds to report suspicious activity, or in certain cases relating to business relationships.
Additional measures include:
- Obtaining further information from the customer in relation to a transaction;
- Examining the purpose of a transaction;
- Conducting enhanced monitoring of a business relationship; and
- Obtaining senior management approval for transactions, or to continue the business relationship.
Delayed CDD
Generally, you must not commence work until customer verification has been completed. However, in some circumstances you may begin work before completing customer due diligence if it is essential work required to prevent the interruption of normal business practice, and there is little risk of money laundering or terrorist financing occurring.
What you need to do
Customer must be identified – you must still be able to satisfy the know your customer (KYC) requirements and be aware of the entity you are entering into a relationship with and any beneficial owners or effective controllers.
Complete as soon as possible – verification of identity must be completed as soon as is practicable once the business relationship has been established.
Respond appropriately – if you are unable to complete the verification checks required or changes occur you must take appropriate action. If you identify anything suspicious you must file a Suspicious Activity Report (SAR) with the Financial Intelligence Unit (FIU).
Ongoing CDD
Use ongoing customer due diligence systematically so that you can ensure your customer’s activities and/or transactions are consistent with the information and data you have previously acquired.
In the ordinary course of business, where a customer is considered low risk the CDD process should be repeated every 12 months; where the customer is considered medium to high risk it should be repeated every 6 months, and at any other reasonable time. For example, CDD should be undertaken every time there is a material change in your customer’s transactions.
Be sure to record in your compliance programme how often and when ongoing customer due diligence should take place.
What you need to do
Confirm consistency – ensure that the business relationship and the transactions relating to that business relationship are consistent with your knowledge about the customer and the customer’s business and risk profile.
Maintain records – make sure that you have up-to-date records relating to the customer and any persons or entities with beneficial ownership or effective control. Your verification records must be kept current.
Regular review – you must consider (a) the type of customer due diligence conducted when the business relationship with the customer was established; and (b) the level of risk involved to determine if you need to redo your CDD checks.
Respond to changes – if the nature and purpose of your relationship with the customer changes you must respond appropriately and complete checks at the necessary level. If you identify anything suspicious you must file a SAR with the FIU.
Customer Due Diligence in Summary
While taking care of customer due diligence can be time consuming you can make it easier by following the correct processes and getting the right foundations in place:
- Designate someone in your business as an AML/CFT compliance officer.
- Assess and document the money laundering and terrorist financing risks your business may face.
- Document in your AML/CFT compliance programme how you’ll detect and manage these risks.
On an ongoing basis:
- Verify the identity of customers before providing any service covered by the AML/CFT Act. In some circumstances (such as if they represent a company or trust), you may also need to ask for information about where money came from and the other people involved.
- Monitor customers and their transactions to identify potential warning signs of money laundering and terrorism financing.
- Report any suspicious activity to the FIU.
- Submit an annual report to the supervisor of your sector.
- Regularly review your risk assessment and compliance programme.
- Have your risk assessment and compliance programme audited regularly.
And you don’t have to do this alone. The FMA, DIA and FIU each publish guides on AML/CFT compliance, legislation and codes of practice, which can be accessed through the relevant authority.
You can also consider outsourcing your AML compliance activity, which will help you stay AML compliant, reduce the AML burden, and generally be quicker and less intrusive for both you and your customer. Our guide on how to choose the right AML provider outlines the things to ask and look for, or get in touch with us to discuss your requirements.