Enhanced Due Diligence procedures for high-risk customers
For financial institutions, Customer Due Diligence (CDD) is an element of the Know Your Customer (KYC) steps taken to comply with Anti-Money Laundering (AML) laws and to protect your organization from financial crime. Enhanced Due Diligence (EDD) consists of additional procedures for accounts or activities that pose a higher risk.
What effective EDD procedures can you use to minimize risk and maintain practical compliance standards when onboarding high-risk customers?
Risk management procedures often differ based on a customer’s risk profile. It starts by taking steps to ensure you know who you are dealing with, understanding their activities and assessing their risk of money laundering.
A proper Customer Identification Program (CIP) — whether it’s identifying an individual or business — is the starting point. After all, if you don’t know who you are dealing with, how can you vet them? Gathering essential identifying information and validating that information is the first step to CDD compliance and reducing risk.
After that, you need to determine what normal and expected activity is for that prospective account holder. These determinations might be based on a customer classification system that you have put in place or on the type of account. With clearly defined policies, a risk-based approach makes it easier for staff to carry out the analysis and for compliance staff to report to regulators, if necessary.
Enhanced Due Diligence KYC factors
In a guest post on KYC due diligence best practices, Michael Volkov notes that factors to consider if a potential account requires EDD include:
- Location of the business
- Occupation or nature of business
- Purpose of the business transactions
- Expected pattern of activity in terms of transaction types, dollar volume and frequency
- Expected origination of payments and method of payment
- Articles of incorporation, partnership agreements and business certificates
- Understanding the customer’s customers
- Identification of beneficial owners of an account or customer
- Details of other personal and business relationships the customer maintains
- Approximate salary or annual sales
- AML policies and procedures in place
- Third-party documentation
- Local market reputation through review of media sources
In many cases, explicit legal specifications automatically call for EDD. For example, in Europe, under Article 18 of 4AMLD, any business located in a country on the High-Risk Third Countries list requires EDD. Similarly, any politically exposed persons (PEPs) or their close associates or family members must also undergo a more thorough examination process.
There’s additional pressure from 6AMLD compliance, as negligence or irresponsibility that enables the flow of illicit funds can result in individuals and corporations being criminally charged and/or fined. With the 2022 sanctions on certain Russian companies and persons, there’s also been extra scrutiny on ensuring that watch lists are up to date and complete.
Industries with a higher risk of money laundering, such as gambling, often have EDD requirements. Many jurisdictions have threshold limits for transaction amounts that, if exceeded, trigger EDD. Certain relationships, such as with shell banks, also call for EDD; there are many other situations where local regulations for EDD come into play, so knowing the exact details of your jurisdiction is prudent.
In other cases, prescriptive rules for EDD are not published by the regulator. Instead, they rely on the regulated entity to have proper risk assessment and control procedures. For example, in the U.S., FinCEN notes that “a spectrum of risks may be identifiable and due diligence measures may vary on a case-by-case basis.” Therefore, it is up to the institution to have a program “sufficiently detailed to distinguish between significant variations in the risks of its customers.”
In an April 2022 Consent Order, the Office of the Comptroller of the Currency (OCC) highlights the need for sufficient EDD policies and procedures and ongoing due diligence for high-risk customers, including:
- Maintaining an accurate and complete list
- Evidence of transactional analysis, including unexpected activities, the source and use of funds and trends
- Critical analysis of the information, including significant disparities and investigating and documenting high-risk indicators and suspicious activity
Enhanced Due Diligence measures
So, what do you do when you get a client that requires EDD? Of course, you could just deny their business. Many institutions have implemented such de-risking strategies, but that turns away many legitimate companies, resulting in a loss of opportunity and revenue.
In general, the FATF recommends a risk-based approach: “the amount and type of information obtained, and the extent to which this information is verified, must be increased where the risk associated with the business relationship is higher.” With this approach, blanket rejections aren’t necessary as your procedures adapt to the situation.
There are other advantages of the risk-based approach: it’s adaptable to the size and strengths of your institution; it considers the customer and their associated risk from a holistic view; and it’s flexible as conditions, technology and other factors change.
Some practical EDD steps suggested by the FATF include:
- Obtaining additional identifying information from a wider variety or more robust sources and using the information to inform the individual customer risk assessment
- Carrying out additional searches (for example, verifiable adverse media searches) to inform the individual customer risk assessment
- Commissioning an intelligence report on the customer or beneficial owner to understand better the risk that the customer or beneficial owner may be involved in criminal activity
- Verifying the source of funds or wealth involved in the business relationship to be satisfied that they do not constitute the proceeds from crime
- Seeking additional information from the customer about the purpose and intended nature of the business relationship
Of course, it’s not just good enough to run checks once and be done with it. Another FATF recommendation is a risk-based monitoring strategy that catches suspicious activity or changes in the risk profile:
Enhanced monitoring should be required for higher-risk situations, while banks may decide to reduce the frequency and intensity of monitoring where the risks are lower.
Monitoring companies for transactional, structural or ownership changes is one method to help discover potential new risks.
Beneficial ownership EDD requirements
Increasingly, checking the Ultimate Beneficial Ownership (UBO) structure is becoming an EDD requirement. To the extent an account holder engages in international transactions, financial institutions need to know the beneficial owners of the account holder to comply with OFAC (Office of Foreign Assets Control) sanctions requirements or to conduct meaningful due diligence of the account.
From an FCPA (Foreign Corrupt Practices Act) perspective, a company has to identify the beneficial owners of its third-party intermediaries. A company cannot satisfy its compliance programs by simply checking the name of a private company in its database without checking the beneficial owners, officers and directors of the same company.
In Europe, 4AMLD states that “Member States should therefore ensure that entities incorporated within their territory in accordance with national law obtain and hold adequate, accurate and current information on their beneficial ownership, in addition to basic information such as the company name and address and proof of incorporation and legal ownership.”
In the U.S., similar beneficial ownership disclosures are a part of the FinCEN Customer Due Diligence Final Rule. According to FinCEN Guidance FIN-2016-G003, “the CDD Rule outlines explicit customer due diligence requirements and imposes a new requirement for these financial institutions to identify and verify the identity of beneficial owners of legal entity customers, subject to certain exclusions and exemptions.”
Once the Corporate Transparency Act (CTA) takes full effect, the Secretary of the Treasury will have one year to revise the Final Rule to conform to the CTA. At that point, “persons who form corporations or limited liability companies in the United States [must] disclose the beneficial owners of those corporations or limited liability companies.”
The FATF, in an analysis of beneficial ownership best practices, noted the issue of tracing UBO information when dealing with foreign ownership or directorship and suggests enhanced measures for these types of entities. In some countries, the “individual/legal person is required to provide a comprehensive set of information, including on the financial standing of the foreign individual/legal person, the ownership and control structure of the foreign legal person, and copies of founding documents and agreements regulating the powers to bind the legal person.”
Beneficial ownership procedures
Previously, verifying a business entity was a low-tech and cumbersome process for both financial institutions and business entities. Business entities were required to submit official documentation to the financial institution, which was accepted as the Record of Authority for the business. For business entities that required additional due diligence based on the risk assessment performed, financial institutions would then carry out further analyses, such as:
- Ordering official company documents from the official registry to verify information submitted by account holders
- Identifying the UBOs
- Performing a KYC check on each ultimate beneficial owner
Now, using the GlobalGateway Business Verification service, Ultimate Beneficial Ownership and structure are identified using artificial intelligence (AI), natural language processing (NLP) and optical character recognition (OCR). These technologies locate, decipher and extract shareholder information from official company documents purchased in real-time from government registers. Business Verification enables organizations to determine natural persons with ownership or a management stake.
Note that it’s not enough to determine the UBO — EDD requires you to check the individuals themselves. For example, under the Final Rule, “you are required to conduct OFAC scans on the beneficial owners and take appropriate action on the legal entity if you get a hit.” That’s where the identity verification processes of GlobalGateway kick in, as running AML checks is integrated into the Business Verification workflow.
The need for EDD
Expanding EDD requirements is becoming more and more the norm. While the scope and details for these due diligence procedures are expanding, the technologies to handle them are becoming more capable. There are solutions to address the risk, maintain compliance and grow your business. It’s a matter of investigating and integrating new processes that serve your business, clients and regulators, keeping everyone on track.
This post was originally published on Dec. 17, 2017 and updated to reflect the latest industry news, trends and insights.