Customer due diligence (CDD) is the process of verifying a customer's identity, assessing the risk of doing business with them, and then monitoring that risk level throughout the lifecycle of the relationship. The goals of CDD are to establish trust and prevent crimes such as money laundering and terrorist financing.
Customer due diligence (CDD) is carried out by regulated firms to comply with anti-money laundering (AML), counter-terrorist financing (CTF), and anti-bribery and corruption (ABC) laws. Typically, a CDD process involves collecting data to verify someone's identity and any potential risks of working with them as a customer. CDD happens before a new customer is onboarded and then at regular intervals throughout the lifecycle of the relationship.
During CDD, compliance teams might check documentation, such as a passport or driving license, to prove someone is who they claim to be. If a significant risk factor is identified, additional checks might be run, known as enhanced due diligence (EDD).
EDD goes beyond verifying someone's identity and into a wider risk assessment, which might happen because an individual has been flagged as a higher risk. Risk factors can vary from a customer being identified as a politically exposed person (PEP) to perhaps holding a passport from a sanctioned country. EDD would also typically be performed as part of any corporate onboarding process when the customer is an entity with potentially multiple ultimate beneficial owners or UBOs who need to be assessed for risk.
Due diligence processes are designed to meet compliance standards dictated by law, and to protect regulated businesses from transacting with criminals, like money launderers and fraudsters.
There are many ways to verify someone's identity - one way is to ask them for government-issued identification like a birth certificate or passport. Another way is to set up automated ID checks with leading solutions providers like Moody’s Analytics KYC.
Organizations performing CDD might ask a customer to scan or produce in person a bank statement or utility bill as proof of address or integrate an automated check to look for proof of address and return that to the compliance team via an online customer profile.
When onboarding and monitoring corporate customers, UBO discovery is crucial. UBOs are people who ultimately own or control a legal entity. To comply with AML and CTF laws, regulated businesses must understand corporate structures and screen UBOs. This typically involves EDD, uncovering the ownership framework and collecting data on the UBOs - screening for PEPs, sanctions, and adverse media to gauge risk exposure.
Again, when onboarding corporate customers, regulated businesses want to understand the nature of a customer's business. This includes its line of business, the transactions it typically conducts, and the expected frequency and volume of those transactions. This information adds to the customer's risk profile and dictates whether they are onboarded and what kind of monitoring levels are required. Ongoing monitoring identifies changes in a company's risk profile, and perpetual KYC helps uncover risk on a continual basis.
Regulated businesses are required to have procedures in place for ongoing customer monitoring, whether individual or corporate customers. Monitoring can include rerunning know your customer (KYC) data checks to update risk information and see whether anything material has changed. If there are concerns about a customer raised through this review process, appropriate action can be taken to mitigate the risk. The outcomes could be terminating a relationship, conducting enhanced due diligence, resetting the review process, reporting the matter to the relevant authorities, or continuing with business as usual.
There are different ways to go about conducting customer due diligence. Some companies rely on manual methods but the downside to this is they are time-consuming and prone to human error - plus it can be a sub-optimal experience for the customer. Manual CDD can cause onboarding to be slow and inconvenient, and it can cause failures in risk monitoring later in the lifecycle. Additionally, manual KYC processes are costly, as businesses must invest in staff to manually verify customer information and add to the compliance team as the business grows.
It's best practice to use automation to create smoother, more seamless CDD processes, which minimize errors and maximize efficiency. Automated KYC can be used to gather customer data from trusted sources, bringing results back into one platform to create a 360-degree view of customer information and to maintain a risk profile. This is a more accurate and consistent way of performing CDD, which avoids human error and creates better experiences for customers. Additionally, automation helps speed up KYC processes, increasing efficiency and ensuring economies of scale: if a business wants to onboard more customers, it doesn’t have to employ more compliance staff to do it.
When onboarding and monitoring corporate customers, digital KYC solutions help simplify the process of understanding a corporate structure, identifying UBOs, and screening through EDD. Integrated data checks take place, with documentation and decisions stored in one place. Reports on decisions are available to share and can be presented to internal stakeholders or auditors.
While automation is powerful in a CDD process, it is important to bring compliance professionals in where they add value for judgement, analysis, and decision-making. There are scenarios and nuances associated with risk analysis that automation alone can’t handle. Compliance professionals are irreplaceable when it comes to the “sniff test” for example - when an experienced professional senses something doesn’t seem right, they probably know best.
There is no definitive answer to the question of how often you should undertake customer due diligence. Regulation requires risk management and risk monitoring take place to prevent money laundering, conflicts of interest, and other types of financial crime, but the frequency of CDD is not mandated.
CDD typically happens before onboarding a customer, and then review periods are often proportionate to a customer's risk level. For low-risk customers, reviews may only happen once every three years, every two years for customers considered medium risk, and every year for high-risk customers.
Ultimately, it is up to each organization how often CDD is performed. However, as the world of compliance and risk management becomes increasingly digital, firms are adopting perpetual KYC or pKYC for continual risk assessment across a business network.
pKYC involves continuous monitoring of risk events and factors, which help organizations keep up with material changes to a risk profile. By using a continuous approach to maintaining accurate records, organizations can provide better customer support and better protection from financial crime.
KYC (know your customer) refers to the process of identifying and verifying who a customer is, such as confirming their name, date of birth, and identity documents.
CDD (customer due diligence) is the broader ongoing process of assessing and understanding a customer’s risk. It includes KYC checks but might also cover activities like understanding the nature and purpose of the relationship, monitoring transactions, and keeping customer information up to date.
KYC is a key part of CDD. KYC may tend to focus on identity and verification, while CDD may focus more on managing customer risk over time.
CDD (customer due diligence) is the standard process firms use to understand who a customer is and assess their risk. It includes identifying and verifying the customer, understanding the nature and purpose of the relationship, and monitoring activity over time.
EDD (enhanced due diligence) applies to customers or relationships that present a higher risk of money laundering or terrorist financing. It involves deeper checks and closer ongoing monitoring than standard CDD, such as gathering additional information or applying more frequent reviews.
CDD can be applied to all customers, while EDD is an intensified form of due diligence used where higher risk is identified.
A CDD (Customer Due Diligence) profile is a structured record of information collected about a customer to support anti-money laundering (AML) compliance. It may bring together key details such as the customer’s identity, ownership or control information, the nature and purpose of the relationship, and the assessed level of money‑laundering or terrorist‑financing risk.
The CDD profile can be used as a reference point for ongoing monitoring and updated when customer circumstances or risk indicators change.
A CDD profile may provide a documented view of who the customer is, how they are expected to “behave”, and the level of risk they present.
Customer due diligence is a key part of compliance with anti-financial crime laws for regulated businesses. Verifying a customer's identity and assessing the risk they may pose to a company is essential. How and when CDD is conducted is down to each organization, and what level of risk it is willing to accept is also down to the individual organization.
Using an automated KYC solution means CDD can be completed at onboarding and then throughout the customer lifecycle in a more efficient way. It can lead to better experiences for customers while avoiding potential risks and non-compliance issues.
Moody’s KYC solutions offer data, analytics, and workflows that support risk and compliance activities across the customer lifecycle. These capabilities are designed to help organizations build a clearer view of customer relationships and associated risk indicators.
To find out more about how Moody’s KYC solutions may be used for your customer due diligence (CDD) or ongoing KYC processes, please get in touch any time.
*Disclaimer: This content is for informational purposes only and does not constitute legal, financial, compliance or other professional advice. Please consult with a qualified professional for specific legal, financial, compliance, or other professional advice. For more terms and conditions pertaining to Moody’s products and services, refer to the disclaimer on Moody’s website.