Companies are vulnerable to financial crimes and used as channels for facilitating or carrying out illegal activities, such as money laundering (ML), financing of terrorism (FT), and proliferation financing (PF) of weapons of mass destruction. Thus, it is crucial for them to undertake an effective Customer Due Diligence process to mitigate the ML/FT and PF risks posed by customers. Here is a complete guide to effective customer due diligence to help you fight ML/TF risks.
Customer Due Diligence (CDD) is an essential element of the UAE’s AML/CFT regulatory framework. It assesses the ML/FT and PF risks that arise from various factors such as customers, the geographies to which customers belong, delivery channels, modes of transaction, etc.
CDD enables businesses to check the legitimacy of their prospective customers by identifying and verifying their identity details and ensuring that the customers are indeed the persons or entities they claim to be. This safeguards their businesses against potential financial crime threats.
What is Customer Due Diligence?
Customer Due Diligence (CDD) is all about identifying potential customers and checking their authenticity and legitimacy. In addition, it means cross-verification of the details provided by the customer for their legal validity and accuracy.
The meaning of CDD remains the same, but the procedures vary across industries. In total, there are four aspects of CDD, namely, simplified, standard, enhanced, and ongoing.
By conducting CDD, businesses aim to mitigate the potential for financial crimes such as ML/FT and PF. Additionally, this multifaceted approach serves as a foundational element in establishing trust, credibility, and regulatory compliance within the business landscape.
UAE AML/CFT Regulations for CDD
The UAE has established robust AML laws to combat financial crimes, including ML/FT and PF. These robust regulatory frameworks include Federal regulations, which are aligned with international standards set out by the Financial Action Task Force (FATF).
Additionally, as part of the AML/CFT legal landscape, the regulated authorities in the UAE have released various guidelines supporting the primary regulations for undertaking effective measures.
The UAE’s regulatory framework necessitates CDD measures for every customer. The framework governing CDD is also based on FATF recommendation No. 10, which lays down the principle of undertaking a customer due diligence process. This includes disclosure of beneficial ownership and verification of identities.
Furthermore, the Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Designated Non-Financial Businesses and Professions mandate DNFBPs to undertake CDD measures in assessing and combating the risk associated with customers, based on the risk-based approach taken by the entities.
Role of CDD in AML Regulatory Framework
CDD is a crucial measure of the UAE’s AML/CFT regulatory framework: regulated entities are required to undertake CDD measures, which include a thorough process of identifying and verifying customers, assessing their risk profile, and monitoring them throughout their customer lifecycle. Implementation of an effective CDD process helps reporting entities determine the different levels of risk associated with different customers and further establish the appropriate CDD measures for risk mitigation.
The CDD process provided under the UAE’s Regulatory Framework lays down a comprehensive framework for addressing potential ML/FT and PF threats when engaging with both new and existing customers. Therefore, CDD plays an important role in assisting reporting entities in maintaining regulatory compliance and safeguarding themselves against financial crimes.
Reporting Entities subject to CDD in the UAE
The legal framework governing AML/CFT in the UAE applies to all financial institutions, banks, insurance companies, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Services Providers (VASPs). Furthermore, these DNFBPs include:
- Dealers in Precious Metals and Stones
- Real Estate Agents and Brokers
- Trust and Corporate Service Providers
- Auditors & Independent Accountants
- Lawyers, Notaries & Other Legal Professionals
Therefore, every reporting entity in the UAE needs to adopt an effective AML/CFT framework in order to mitigate and manage ML/FT and PF risks.
When is CDD required?
The need to apply the AML CDD process comes into the picture when a business organisation is required to abide by AML/CFT regulations and intends to establish a business relationship with a potential customer.
In line with the Customer Due Diligence Policy and Procedures, businesses try to understand the following and take adequate CDD measures:
- Why is an account being opened?
- How will it be used?
- What will be the nature of transactions?
- What will be the volume and frequency of transactions?
The business must verify the customer’s identity and assess the risk profile. Therefore, DNFBPs/FIs must carry out the Know Your Customer (KYC) procedure as part of CDD compliance procedures in the following situations.
- Customer Due Diligence becomes mandatory and simply inevitable at the time of entering a new business relationship with an individual or a legal entity. This is important in order to verify the identity of the customer. When undertaking the CDD process for a new customer, the customer’s risk profile is also assessed, and the applicability of enhanced due diligence is determined.
- Various occasional transactions warrant customer due diligence measures. An occasional transaction equal to or exceeding AED 55,000/- requires regulated entities to perform proper due diligence on customers.
- An occasional wire transfer for an amount equal to or exceeding AED 3,500/- requires proper performance of CDD measures.
- Business organizations that suspect the involvement of their customers or proposed customers in activities such as money laundering or financing of terrorism should impose KYC and CDD checks.
- When it is observed that the identification documents provided by potential customers are inadequate, unreliable, or suspicious, KYC and CDD measures must be undertaken.
When is CDD conducted?
CDD is conducted:
- Before entering into a business relationship or
- During the course of entering into a business relationship or
- Before opening an account or
- During the course of opening an account or
- Before carrying out a transaction with a new customer
- Before entering into occasional transactions exceeding monetary thresholds
- When there is a suspicion as to ML/TF
- When the previously obtained customer identification data is not proper or adequate.
Fundamentals of Customer Due Diligence
At the initial level, CDD starts by verifying the identity of the customer and understanding the nature of its business. The entire CDD process involves certain steps and a few regulatory obligations imposed on DNFBPs under AML/CFT regulations, as follows:
1. Identification of customer
DNFBPs should first identify their customers by seeking personal information like name, date of birth, nationality, and address. This should further be backed by conclusive evidence issued by the Government in the form of a passport, ID Card, Driving License, etc. Businesses need to implement a comprehensive customer identification program (CIP) to comply with legal requirements.
2. Beneficial ownership
Customer Due Diligence measures should identify the beneficial owner of the customer or proposed transaction. This includes understanding the customer’s ownership control or the organisation’s structure.
3. Business Relationship
After verifying the customer and identifying business ownership, DNFBPs should focus on obtaining information related to the nature of the business relationship the client intends to establish.
Step-by-Step CDD Process
1. KYC - Identification and Verification
The foremost step of the CDD process is identifying and verifying the identities of customers before entering into business relationships with them. This process is what we call Know-Your-Customer (KYC). KYC is a fundamental element of the CDD process.
KYC is further divided into two steps: identification and verification of the customer.
a) Identification and collection of customer information
The first step of CDD is to get the essential information from customers or potential customers. A Know Your Customer Form or KYC form can be maintained for this purpose. The information to be obtained for the purpose of AML due diligence includes the following:
- KYC for Natural Persons
Here is the list of information to be sought from the customer:
- Complete Name
- Address of the customer
- Contact numbers
- Additional/ alternative contact numbers
- Legit, accessible, and working email address
- Place of birth
- Date of birth
- Nationality
- Gender
- Government-issued identification number
- Occupation
- Signature
Along with the above, at a minimum, a copy of the ID document and proof of address are also obtained.
- KYC for Legal Entities
Here is the list of information to be sought from the customer who is a business entity:
- Name of the business entity
- Type of the business entity
- Nature of business the entity is into
- Date and place of establishment
- Information related to the board of directors
- Certificate of establishment/incorporation
- Information related to shareholders or ultimate beneficial owners
- Annual report for the previous year
- Information pertaining to senior management
Along with the above, a copy of the trade license, Memorandum of Association, Articles of Association, address proof, UBO details, and organisation chart are also obtained.
In high-risk situations, source of funds and source of wealth information is also obtained.
b) Verification of the customer
The second step of the KYC under the CDD program is to verify all the information that has been collected in the identification step. Again, it is essential to note that most of the collected data can be confirmed with the help of a government agency’s site or any reputable independent institution. For instance, documents like identity cards, tax receipts, and passports can be verified on the respective government portals based on the unique number associated with them.
2. Name Screening
Name screening is done in order to identify if the customer is a sanctioned individual or entity, a politically exposed person or a person with a criminal history and adverse media references. The primary objective behind carrying out the process of name screening is to check that the customers do not fall under the following categories:
- Sanctioned individual or an entity
- Politically Exposed Persons (PEPs)
- Reported in Media with alleged involvement in any criminal activities
3. Customer Risk Profiling
At this stage, the AML Compliance Officer determines the risk level of each customer or potential customer based on various factors. While performing risk-based customer due diligence, the following risk factors are taken into consideration:
- Type and nature of business relationship/transaction
- Nationality of the customer
- Political exposure of the customer
- Mode of payment (Cash, Bank Transfer, Cheque)
- Net worth of the individual
- Documentary evidence available
- Amount of transaction
- The complexity of business structure
- Local/international business
- Transaction with a customer based in a blacklisted country
- Transaction with a customer based in a grey-listed country etc.
Customer Risk Rating
Once the customer risk profile is identified, DNFBPs and FIs can decide the type of monitoring and level of controls to be imposed on such customers. The customers are classified into low-risk, medium-risk, and high-risk categories to determine the extent and frequency of monitoring required.
4. Ongoing Monitoring
Once the Customer Due Diligence process is completed and necessary decisions around risk classification have been made, regular monitoring of the customer’s risk profile cannot be overlooked. Monitoring should be carried out regularly for identified accounts for all financial transactions. The customer’s behaviour, along with accounts and transactions, must be compatible with the usual activities, and this needs to be tracked or overviewed at all costs. Depending upon the risks associated, ongoing due diligence frequency is determined.
5. Reporting Suspicion
While employing CDD measures, if the reporting entity comes across any suspicion or reasonable grounds that suggest that a customer is involved in criminal activity, it must undertake a thorough investigation and must report that information on the goAML platform via a suspicious activity report (SAR). It should be noted that all employees, company directors, and officers are prohibited from tipping off customers if a SAR/STR has been filed against them.
Additionally, they need to file other reports, like HRC and HRCA, when engaging with a customer belonging to a high-risk country.
6. Record Keeping
This is the final stage of the entire AML CDD process. At this stage, one has to maintain the CDD-related records in accordance with the retention policies of the business organisation and as prescribed under AML/CFT regulation. In the UAE, AML/CFT regulations require maintenance of Client Due Diligence and other AML/CFT-related records for the period of 5 years from the relevant dates.
However, the record keeping duration varies from one supervisory authority to another.
- The Virtual Assets Regulatory Authority (VARA) mandates Virtual Assets Service Providers (VASPs) to maintain records for a duration of 8 years
- Dubai International Financial Centre (DIFC) requires DNFBPs to maintain AML/CFT compliance and CDD records for 6 years.
- Abu Dhabi Global Market (ADGM) requires DNFBPs and VASPs to maintain AML/CFT compliance and CDD records for 6 years.
Systematic record-keeping helps DNFBPs meet their reporting obligations under AML/CFT regulations and furnish such details to the relevant supervisory authorities as and when demanded in the context of any Suspicious Transaction Report filed by the DNFBP.
What risks does a reporting entity face if it fails to carry out CDD?
If a reporting entity like a financial institution, DNFBP, or VASP does not carry out Customer Due Diligence, it harms its reputation and exposes itself to various risks like ML/FT and PF. It may also be subjected to administrative penalties. Further, a regulated entity must not enter into a business relationship if it fails to carry out customer due diligence, and must consider filing a SAR/STR with the UAE FIU.
Types of Customer Due Diligence
Reporting entities deal with different types of customers, having different backgrounds, reasons for business establishment, wealth structures, etc. Similarly, risks associated with customers also vary, requiring different kinds of measures to deal with them.
To enhance the overall capabilities of the AML framework, reporting entities need to undertake different CDD procedures.
The following are different types of CDD processes that the reporting entity needs to undertake:
1. Simplified Due Diligence
The process of simplified customer due diligence comes into the picture when the customer belongs to a low-risk category. The Designated Non-Financial Business and Professions (‘DNFBP’) is required to know the customer’s identity and basic details under a simplified customer due diligence process, and there is no need to carry out detailed due diligence.
2. Standard Due Diligence
Generally, DNFBPs adopt Standard Customer Due Diligence procedures for the majority of the customers. As a part of this process, the identity of the respective customer is verified from several reliable sources. In addition to that, DNFBPs also determine and evaluate the nature of the customer’s business or the customer’s purpose for entering into a transaction with the DNFBP.
3. Enhanced Due Diligence
Enhanced Due Diligence is usually required only for those customers who have a high-risk quotient and are more likely to get involved with money laundering or financing of terrorism. There are quite a few factors that clearly establish that a particular customer hails from a high-risk background. For instance, Politically Exposed Persons (PEPs) are usually categorised as high-risk customers and require enhanced customer due diligence.
With the help of enhanced customer due diligence, the information of the customers is verified, and critical information like the origin or the source of their funds, source of wealth, and the primary purpose of the transaction is obtained.
Further, as a part of the enhanced CDD measures, it is ensured that the customer makes the payment from the bank account in his own name.
It is also required to obtain approval from senior management before entering into a transaction with high-risk customers. Once you meet the above Enhanced Due Diligence Requirements, you can carry out transactions with the customer.
Ongoing Due Diligence
The risks associated with a customer change over a period of time. One needs to have a proper monitoring system in place to detect changes in customer profiles. Ongoing due diligence should aim at discovering changes in the attributes related to a customer. Say a customer becomes a Politically Exposed Person or is placed on a Sanctions list. The KYC software should trigger alerts for the compliance officer the moment it detects changes in the customer profile, which necessitates a change in the risks associated with them.
Unless regulated entities require customers to provide their KYC documents on a regular basis, it becomes difficult to detect changes in their risk profile. A change in risk profile would also be reflected in the transaction patterns associated with a customer.
If the customer happens to be a high-risk customer, they should be placed under more frequent monitoring and CDD refresh.
Here’s a checklist of circumstances requiring KYC refresh:
- Changes in the beneficial owner
- Customers making unusual transactions not aligned with their profile
- Changes in a business relationship with a customer
- Changes in ownership structure at the customer’s end
Why is CDD necessary?
As mentioned above, CDD is a crucial process for assessing risks associated with customers and ensuring regulatory compliance.
Here’s a list of reasons that make undertaking the CDD process necessary:
Take a Risk-Based Approach
It is important for reporting entities to adopt the risk-based approach to help them assess risks based on different factors like geographical location, nature of business, etc. CDD facilitates taking a risk-based approach by adopting measures that assess the level of risk associated with the customers, which allows them to tailor their risk management strategies and allocate resources to high-risk customers where they are most needed.
Prevent Financial Crimes
It is important for reporting entities to employ measures that help prevent and detect illicit crimes, including ML/FT and PF. For this purpose, reporting entities undertake CDD measures, which aid in identifying and mitigating the ML/FT and PF risks. Further, it also helps them to easily detect and prevent suspicious activities by verifying the identities of customers and understanding the nature of their transactions.
ML/FT Risk Management
The whole reason why reporting entities adopt an AML framework is to effectively manage ML/FT and PF risks. The CDD process helps them to effectively manage the ML/FT and PF risks associated with customers. Additionally, by implementing robust CDD procedures, reporting entities can identify high-risk customers and transactions and, based on that, implement appropriate control measures and report suspicious activities.
Maintain Reputation
It is essential for reporting entities to maintain their reputation in order to grow and keep doing business. Undertaking CDD practices helps reporting entities to effectively detect and deter ML/FT and PF risks associated with customers, which further aids them in maintaining their reputation in the eyes of regulators and customers, which is essential for long-term success.
Maintain Financial Integrity
The business of reporting entities depends highly on the financial sector in which they are working. For this reason, they need to take actions that help maintain financial integrity. Employing effective CDD processes prevents illicit activities, which aids in maintaining and upholding the integrity of their operations and financial system and further contributes to a safer and more transparent financial environment.
Comply with Regulations
Reporting entities are mandated to comply with the regulatory framework. In the UAE, the AML/CFT legal framework requires reporting entities to comply with regulations. Therefore, undertaking CDD practices helps them fulfil their regulatory obligations and avoid penalties, legal consequences, and reputational damage.
Benefits of Effective CDD Measures
Implementing robust CDD measures helps reporting entities to effectively measure the risks associated with customers.
The following are some points highlighting the benefits of undertaking an effective CDD process:
Risk Mitigation
CDD helps reporting entities check the background and activities of customers, which helps them to easily assess the ML/FT and PF risks associated with customers and accordingly take mitigation measures.
Regulatory Compliance
Conducting CDD measures is a regulatory requirement. Therefore, reporting entities must undertake effective CDD processes to comply with regulatory requirements, which is essential to avoid fines, penalties, and legal actions.
Decision Making
Employing CDD measures helps reporting entities get valuable insights about customer identities, which aid in decision-making about onboarding, monitoring, or terminating customer relationships. Furthermore, it helps them assess whether customers align with their risk appetite and business objectives.
Prevention of Financial Crime
CDD helps reporting entities to identify and verify the identities of customers, which further prevents financial crimes such as ML/FT and PF thus safeguarding the integrity of the financial system.
Adoption of a Risk-Based Approach
CDD measures facilitate reporting entities to adopt a risk-based approach to the AML compliance framework. This helps them to employ focused measures for high-risk customers and transactions while applying less-intensive measures to lower-risk ones.
Base for Enhanced Due Diligence
CDD processes help identify high-risk customers, such as PEPs or sanctioned individuals. This forms the basis for conducting EDD to gather additional information and mitigate associated risks.
Facilitates Ongoing Monitoring
CDD is a continuous process that monitors customer activities for any suspicious behaviour or changes in risk profile. This helps reporting entities meet ongoing compliance and risk management requirements.
Limitations of CDD:
Although CDD is one of the important elements of the AML/CFT framework, there are various limitations of CDD in combating financial crimes and ensuring regulatory compliance.
Here’s the list of limitations of CDD:
Complexity
CDD requires undertaking thorough processes and procedures to gather and analyse various types of information about customers, their transactions, and potential risks. This makes the entire CDD process intricate and complex.
Reliance on Third Party
The main element of the CDD process is collecting and verifying data. For this purpose, reporting entities need to gather information from external sources, which introduces their dependencies on third parties, increases potential inaccuracies in the data, and further makes the verification process lengthy and complex.
Resource Intensive
Undertaking thorough investigations and monitoring processes, especially for large volumes of customers or transactions, requires significant resources in terms of time, experts, and technology to conduct. Therefore, CDD takes up a lot of resources, which indirectly impacts the efficiency of the reporting entities.
Difficulty in identifying UBOs
Reporting entities deal with various kinds of customers. Determining the true beneficiaries or owners of complex corporate structures across so many customers can be challenging for them, especially in cases of shell companies or foreign entities.
Dynamic Nature of Risk
Financial crimes keep evolving, and criminals find new ways to facilitate their activities, including ML/FT and PF. This requires the reporting entity to take additional measures to adapt and stay updated to effectively mitigate these risks, making the CDD process more complicated and lengthier.
Dynamic Regulatory Framework
Compliance requirements and regulations related to CDD may change frequently to combat the dynamic nature of financial crimes. This evolving legal landscape makes it difficult for reporting entities to stay consistently compliant.
Privacy Issue
The CDD process is about collecting, verifying, and maintaining customer information. However, this often leads to resistance from customers who are concerned about sharing their personal information due to privacy reasons. This reluctance poses a significant challenge, as it can make the CDD process seem intimidating and unwelcoming to customers.
Time Consuming
A thorough CDD process requires undertaking various processes and practices, which can be time-consuming. This leads to delays in onboarding new customers or processing transactions, which not only impacts customer experience but also affects the overall efficiency of business operations.
Best Practices for Effective CDD Program
Employing CDD is of utmost importance for the reporting entities to combat the ML/FT and PF risks. However, the CDD program should be effective and capable of detecting and preventing risks associated with customers or transactions. Therefore, to adopt an effective CDD program, they need to incorporate a few best practices.
Here are some practices that reporting entities can employ for adopting a comprehensive CDD program:
Adopting a Risk-Based Approach
Reporting entities engage with various customers who pose different levels of risk. Therefore, they need to adopt tailored CDD measures based on the customer’s risk profile. For this purpose, they should implement a risk-based approach while employing CDD measures that consider various risk factors like their industry, geographical location, transaction volume, and the products or services they use. Risks must be prioritised for their impact, and commensurate controls must be put in place.
Establishing CDD measures
CDD is a thorough program that requires undertaking CDD measures. Therefore, reporting entities should clearly define the steps and requirements of processes for undertaking CDD on new and existing customers.
Name Screening for Sanctions, PEP, and Adverse Media Checks
CDD is all about assessing the risk associated with customers by identifying and verifying their profiles and activities. As part of the CDD screening process, reporting entities should implement robust screening processes to identify any matches with sanction lists, politically exposed persons (PEPs), or adverse media coverage. This helps them mitigate the risk of customers involved in illegal or high-risk activities.
CDD Process Automation
Reporting entities should automate their CDD process using modern solutions and technologies to retrieve and evaluate data, determine risk levels, and make customer onboarding decisions based on results. This automation helps them to streamline their AML compliance efforts, which reduces manual errors and enhances the effectiveness of their risk management strategies in countering ML/FT and PF risks.
Data Security Measures
The main element of the CDD measure is collecting information from customers. However, maintaining that information becomes challenging because customers are hesitant about sharing their private information. Therefore, to safeguard customer information and sensitive data, reporting entities can install effective data security measures such as encryption, access controls, regular security audits, and compliance with data protection regulations.
Regulatory Reporting
Reporting entities are required to assess suspicious activities and ensure compliance with relevant regulatory requirements by accurately reporting them to the appropriate authorities. When conducting CDD practices that assess customer risk, they should be attentive to any suspicious activities or transactions. Further, based on the assessment, they should file STR/SAR reports or other regulatory filings on the goAML portal as soon as possible.
Periodic Reviews
Onboarding customers, as well as engagement with customers, is an ongoing process. Therefore, reporting entities should conduct regular reviews of customer information and transaction activity to ensure ongoing compliance with CDD requirements. They should also update customer profiles as necessary based on changes in risk profile or regulatory requirements.
CDD Training Programs
Conducting CDD requires expertise. For this purpose, reporting entities should provide comprehensive training to employees involved in the CDD process so they can easily understand their roles and responsibilities. These training programs should cover regulatory requirements, risk assessment methodologies, and the use of CDD tools and systems.
Record Keeping
It is a compliance requirement that reporting entities should keep a record of AML measures. Therefore, they need to maintain thorough and accurate records of CDD activities, including KYC documents, risk assessments, and transaction records. This documentation is essential for audit purposes, submission to regulated authorities when intimated, and demonstrating compliance with regulatory requirements.
AML Customer Due Diligence Checklist
Here is the CDD checklist that the compliance team must follow to ensure that they don’t miss out on any of the customer due diligence steps:
- Collect Customer ID and Residential Proof
- Verify Customer ID and Residential Proof
- Perform screening against the UAE Local Terrorist List and UNSC Sanctions List
- Perform Customer Risk Assessment
- Ongoing Monitoring of Business Relationships with Customer
- Record Keeping for 5 Years
Final Words on Effective CDD Process
Anti-Money Laundering Customer Due Diligence is an important element of an effective AML/CFT Program. Customer Due Diligence is the primary responsibility of the compliance team and frontline employees. Customer Due Diligence checks help identify red flags and counter ML/TF risks.
AML UAE provides consulting services on customer onboarding, KYC processes, CDD, and risk profiling of customers. If you are looking to automate your CDD functions, we can help you with the customer due diligence software. We also provide training on customer due diligence procedures and help you comply with UAE AML laws and regulations.
FAQs - Customer Due Diligence
Why is customer due diligence important?
Customer due diligence is important to avoid dealing with customers that can be a threat to your business in terms of money laundering or terrorism financing. The CDD process helps verify the identity of customers, analyse their risk profile, and check their presence in Sanction lists to comply with AML/CFT regulations.
How to conduct customer screening effectively to maximise the efficiency and accuracy of the CDD program?
Effective screening requires accurate data preparations, comprehensive investigation, and sophisticated matching. Here are the critical requirements for effective screening:
- Identification of applicable sanctions lists
- Collating and auditing the source data ahead of the screening
- Define roles, responsibilities, and procedures for sanctions screening
- Precise screening against a wide variety of risk sources
- Screening of international data
- Systematically screening around the complete business enterprise
- Integrating data collected from multiple sources
- Customizing match rules and workflows
- Eliminating the scope of false positives
- Demonstrating enhanced customer due diligence
- Eliminating unnecessary repetition of review work
How can customer due diligence be improved?
To improve customer due diligence, apply a risk-based approach to enable corrective actions as per the risk profile of customers. Look out for red flags during the journey of forming a business relationship with your clients and keep documenting to avoid missing out on any unusual activity.
Why is Customer Due Diligence (CDD) essential for the financial institutions and Designated Non-financial Businesses and Professions (DNFBPs)?
- It makes sure that the customer or potential customer is the one he claims to be
- It protects the ecosystem and business environment from any sort of fraudulent activities like impersonation or identity fraud
- It makes sure that the organization remains compliant with the established laws and regulations of the regions or markets of operations
- Businesses can assist law enforcement in a hassle-free and straightforward manner
What are the 4 customer due diligence requirements?
The 4 customer due diligence requirements are:
- Customer identification and verification
- Ascertaining the nature and purpose of the business relationship
- Ultimate Beneficial Owner (UBO) identification and verification. PEP identification and verification.
- Ongoing transaction monitoring
What is CDD in compliance?
Customer Due Diligence (CDD) is a compliance process of identifying customers and ensuring they are who they claim to be.
What is CDD in the KYC process?
Customer Due Diligence (CDD) in the Know Your Customer (KYC) process is the foundation on which businesses collect and verify information pertaining to a customer and determine the money laundering risks associated with them.
What is the purpose of CDD?
Customer Due Diligence (CDD) is a control mechanism employed by a business to adhere to the risk-based approach adopted by it in relation to money laundering risks. It helps identify the money laundering risks associated with a customer and decide whether to onboard, reject or report a customer to the AML regulatory bodies of the country.
Under what situation is ongoing customer due diligence completed by a business?
Businesses follow a risk-based approach while identifying and mitigating their money laundering risks. Depending upon the nature and size of the business and the risk profile of a customer, ongoing customer due diligence is undertaken by a business. It helps them identify, manage, and mitigate their money laundering and terrorist financing risks.
What is an effective transaction monitoring program?
Here are the characteristics of an effective transaction monitoring program:
- An effective transaction monitoring program is based on the Business Risk Assessment (BRA) performed by the business, taking into account its money laundering, terrorist financing, and proliferation financing risks
- An ongoing monitoring program is regularly audited and maintained to ensure that it effectively operates and helps keep risks within the risk appetite of a business, and applies to all transactions and services provided by a business
- It helps identify and mitigate ML/TF issues
- It establishes accountability to ensure that the money laundering and terrorist financing typologies are reviewed in a timely manner
- An effective transaction monitoring program is regularly managed to ensure that red flags are appropriately addressed and risk-adjusted
- It ensures that the business relationship is always monitored
When are we supposed to identify and verify a customer?
As per UAE AML Laws, FIs, DNFBPs, and VASPs are supposed to identify and verify a customer before entering into a business relationship with them.
Who is responsible for carrying out the Customer Due Diligence (CDD) Process?
DNFBPs, FIs, and VASPs are required to carry out the Customer Due Diligence (CDD) Process. The reporting entities appoint a Money Laundering Reporting Officer or AML Compliance Officer to oversee the overall AML compliance function. The MLRO/AML Compliance Officer ensures that the CDD process is clearly laid out and operating as intended.
For how long do we have to maintain records related to Customer Due Diligence (CDD)?
As per UAE AML Laws, reporting entities are required to maintain Customer Due Diligence Records for a minimum period of 5 years.
What is customer due diligence in banking?
Banks and Financial Institutions carry out the KYC or Customer Due Diligence (CDD) process before onboarding a customer and during the course of a business relationship. It’s vital for banks to know the kind of money laundering and terrorist financing risks carried by a customer. Banks collect identification documents and verify them to ensure that the customer is who they claim to be. Further, they continuously monitor the business relationship with the customer, analyse key changes to ML risks over time, and apply the necessary controls to mitigate those risks.
Why is CDD Necessary?
- CDD is necessary to identify ML/TF risks associated with a customer
- Customer Due Diligence is necessary to comply with the AML Laws of UAE
- CDD is necessary to establish a business relationship with a customer
- CDD is necessary to detect suspicious activities and transactions and report them to AML regulatory authorities
- CDD is necessary to apply controls commensurate with the risks associated with a customer
For whom is a CDD policy important?
All Financial Institutions, DNFBPs, and VASPs need to have a clearly defined Customer Due Diligence policy and procedures.
How do I successfully implement a CDD policy?
Documenting and following a Customer Due Diligence (CDD) policy is a legal requirement. However, it isn’t easy to carry out CDD checks manually. Customer Due Diligence software can help you meet legal requirements, manage risks, and make informed decisions. Automation is the key to successfully implementing CDD policy and procedures.
Why are adverse media searches or negative news searches important while performing CDD of a customer?
Adverse media searches or negative news searches help reporting entities carry out a risk assessment of a customer. Sometimes a customer who has cleared all the CDD checks, including identification, verification, PEP, and UBO, is found to be a criminal. A plain Google search can provide valuable information about a customer while determining their risk profile.
Is there a requirement under the UAE AML Laws to use a specific method to carry out the customer risk assessment?
The UAE AML Laws provide a broad framework under which FIs, DNFBPs, and VASPs have to operate. Reporting entities are free to define their own policies and procedures to carry out the customer risk assessment. As per globally accepted best practices, various factors like product, service, geographic location, and customer profile are considered to arrive at the risk rating associated with a customer. However, businesses are free to employ their own methodology depending upon the nature and size of their business to carry out the customer risk assessment, and it can differ on a case-to-case basis as long as the methodology considers the risks associated with money laundering, terrorism financing, and proliferation financing. To conclude, there is no prescribed methodology including risk factors and categories, and hence the number and detail of the risk assessment criteria can vary.
Do the UAE AML Laws require reporting entities to perform reKYC of their customers at a specific interval?
There is no specific requirement that reporting entities have to update their customer information at a specific interval. The FIs, DNFBPs, and VASPs have to employ a risk-based approach and carry out reKYC on a regular or periodic basis.
Can a DNFBP or a VASP adopt more stringent written internal policies and procedures for the collection of beneficial ownership of its customers as a part of its CDD process under UAE AML Laws?
Yes, UAE AML Laws require DNFBPs and VASPs to adopt a risk-based approach while establishing business relationships with their customers. There is no common standard that the reporting entities have to follow while collecting information about the ultimate beneficial owner as a part of the CDD process. As per the globally accepted best practices, anyone owning 25% or more of the equity shares in the company is considered to be a UBO. However, nothing in the law restricts a reporting entity from collecting information about individuals who own less than 25% of the shareholding in the company.
What is the ultimate purpose of customer risk assessment as a part of the CDD program?
The reporting entities are required to obtain a lot of information while onboarding a customer as part of the CDD program. Based on the KYC documents, screening, and various risks associated with the customer, the customer’s risk profile is developed. This risk assessment needs to be used as a baseline against the customer’s business activities. Ongoing transactions with customers will throw light on the average value, frequency, nature, location, payment methods, and delivery channels associated with the business activities of the customer. Any business transaction that deviates from the risk rating of the customer requires a fresh risk assessment, suspicious activity report (SAR), or Suspicious Transactions Report (STR) filing with the UAE goAML portal.
Does the Customer Due Diligence (CDD) requirement under AML laws apply to all businesses in UAE?
No. Customer Due Diligence (CDD) requirements under the UAE AML laws apply only to Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs).
Are reporting entities in UAE required to include the procedures for identifying and verifying the identity of the customers and beneficial owners of legal entity customers in the AML Policy Manual of the company?
Yes. As per the UAE AML laws, the Customer Due Diligence (CDD) procedures must be part of the AML Policy Manual of the company.
What are the important risk factors to consider while performing a risk assessment of customers?
Reporting entities in UAE must consider the following risk factors while performing the risk assessment of customers:
- Type of business
- Source of Funds
- Source of Wealth
- The expected volume of cash transactions
- Nationality of customer
- Place of business of customer
- Place of residence of the customer
- Other criteria depending on the nature and size of business
While performing CDD, in what circumstances should a reporting entity request an additional identification document from a customer?
The reporting entity should request an additional identification document in the following circumstances:
- When the identification document or photo is illegible or unclear
- When there is a signature difference between the KYC form and the documentary evidence submitted
- When the identification document is no longer valid due to its expiry
- For any other reason that the AML compliance officer deems fit to ask for the additional ID document.
What is Standard Due Diligence in KYC?
Standard Due Diligence entails identifying the customer and verifying their identity. Reporting entities perform background checks on the customer and screen them against the sanctions list. They also perform adverse media searches and risk assessment for the customer. In the majority of the cases, reporting entities end up performing Standard Due Diligence as a part of their CDD program.
What is Enhanced Due Diligence (EDD) in the Customer Due Diligence process?
Enhanced Due Diligence entails additional verification for customers classified as high-risk customers or Politically Exposed Persons (PEPs). Such high-risk customers are more likely to get involved in money laundering or terrorist financing. Reporting entities in UAE adopt a risk-based approach while carrying out the due diligence of their customers. This approach requires additional control measures to be applied on a case-by-case basis.
In addition to standard due diligence requirements, reporting entities also obtain the following information while performing EDD:
- Source of Funds and/or Source of Wealth
- Independent review of customer’s website and adverse media search
- Independent third-party confirmations if sufficient information is not available
- Reporting entities should also ascertain the legitimacy and credibility of the documents provided by the customer
- Lastly, senior management’s approval is obtained before entering into a transaction with a high-risk customer
What is ongoing due diligence? What is ongoing transaction monitoring?
The ongoing due diligence/transaction monitoring entails monitoring of business activities of the customers on a regular basis. Ongoing Due Diligence ensures that the transactions made by the customers are in sync with their risk profile. Ongoing transaction monitoring is an integral part of effective KYC Due Diligence.
What type of information and documents are obtained from individual customers as a part of the KYC and CDD process?
In case of individual customers, the following information is obtained:
- Complete Name
- Address of the customer
- Contact numbers
- Additional/ alternative contact numbers
- Legit, accessible, and working email address
- Place of birth
- Date of birth
- Nationality
- Gender
- Government-issued identification number
- Occupation
- Signature
What type of information and documents are obtained from corporate customers as a part of the KYC and CDD process?
In case of legal entities, the following information is obtained as a part of the KYC and CDD process:
- Name of the entity
- Type of the entity
- Nature of business
- Date and place of establishment
- Information related to the board of directors
- Certificate of establishment/incorporation
- Information related to shareholders and ultimate beneficial owners
- Annual report for the previous year
- Information pertaining to senior management
What do I do if a customer identified to be a low-risk customer subsequently becomes high-risk or PEP?
Due to changes in circumstances, if a customer subsequently becomes a PEP or high-risk customer, then the AML compliance officer should carry out Enhanced Due Diligence (EDD) and obtain senior management’s approval before entering into a transaction with such a customer.
Can I onboard a customer that does not meet the requirements of the customer acceptance policy?
As long as the requirements of the customer acceptance policy are met, a customer can be onboarded. If for some reason, the risks associated with a customer are beyond the risk appetite of the reporting entity, the AML compliance officer/MLRO should record his reasons in writing and reject the customer and also check if a suspicious transactions report or suspicious activities report needs to be submitted with the FIU UAE.
Do reporting entities have to carry out the KYC and CDD process in all cases?
No. If the AML Compliance Officer is of the view that performing the KYC and CDD process would tip off a suspicious person then he may instead submit the Suspicious Activity Report (SAR) with the FIU UAE stating reasons why customer due diligence was not performed.
Why is it important to screen customers on a daily basis as a part of a robust CDD mechanism?
Screening customers on a daily basis helps identify instances like customers becoming sanctioned, PEPs, or high-risk and apply suitable control measures to remain compliant with the requirements of the AML/CFT Laws in UAE.
What are the requirements for sanction screening as a part of CDD procedures in UAE?
Customer name screening is one of the essential aspects of Customer Due Diligence (CDD) under the Anti-Money Laundering regulations of the UAE. Accordingly, reporting entities in the UAE must screen their customers, suppliers, and third parties regularly and perform name screening before entering into a new transaction. At a minimum, they have to perform sanction screening against the following lists:
- UNSC Sanctions List
- UAE Local Terrorist List
Can a reporting entity in UAE rely on third parties for customer due diligence and outsource KYC and CDD functions to them?
Reporting entities have to carry out due diligence on the outsourcing partner and ascertain their fitness for the purpose. Further, the third party must adhere to UAE AML/CFT laws. The reporting entity has to ensure that the third party is regulated and supervised, and adheres to the CDD measures towards customers and the record-keeping provisions. The reporting entity has to keep in mind that although the CDD function is outsourced, the primary responsibility to adhere to the AML/CFT laws in the UAE remains with it, and it has to take reasonable measures to ensure data security and storage.
What is the risk-based approach in CDD?
FIs, DNFBPs, and VASPs collect customer information, identify the customer and verify the documents collected. They also perform screening. The extent and detail of customer due diligence depend on the risks associated with the customer. The higher the risk, the higher the control.
Hence, based on customer profile, geography, nature of business, transactions, products, and services, a risk rating is assigned to the customer. If the customer happens to be a low-risk customer, simplified due diligence is performed. If the customer happens to be a low-medium risk customer, then standard due diligence is performed, and enhanced due diligence is performed for high-risk customers. The adoption of a risk-based approach in CDD helps reporting entities channel their efforts towards minimizing the risks. The risk-based approach helps ensure that the controls are in sync with the level of risk.
What is an example of customer due diligence?
Reporting entities in UAE obtaining customer information, including their name, address, ID, date of incorporation, and information about partners/directors/shareholders, is an example of entities performing customer due diligence as per the requirements of AML/CFT laws.
What is the difference between CDD and EDD?
The main difference between CDD and EDD lies in the extent of detailed verification performed by a reporting entity while carrying out customer due diligence. EDD entails a stricter customer verification process as compared to CDD, and it includes verification of source of funds and/or source of wealth. Further, all high-risk customers and PEPs undergo an Enhanced Due Diligence Process where senior management’s approval is obtained before entering into a transaction with them.
What is the difference between CIP and CDD?
What are the challenges of due diligence?
What is PEP in due diligence?
What is Customer Due Diligence information used for?
The Customer Due Diligence information is used for:
- Identifying and verifying the customer and their transactions
- Identifying Beneficial Ownership
- Identifying the control structure of the company
- Monitoring transactions
- Assisting law enforcement by providing information pertaining to customers, activities, and transactions
About the Author
Pathik Shah
FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)
Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.