Customer Due Diligence (CDD) is an obligation that reporting entities like financial institutions (think💡 banks and investment fund managers like KiwiSaver providers), and other regulated businesses such as accounting and law firms, must conduct on their customers to understand the money laundering and terrorism financing risk their customers pose to the reporting entity.
Knowing each customer, the services you will provide them, and assessing the risk they pose means identifying and verifying the people who are the beneficial owners. In this article we’ll discuss:
- What CDD is,
- How’s it conducted,
- The different levels of CDD,
- Ongoing CDD.
What is Customer Due Diligence?
In New Zealand, CDD is a requirement of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the AML/CFT Act) and its regulations place certain obligations on reporting entities to detect exposure to their customer risk of money laundering and terrorism financing. The ultimate goal of carrying out CDD is to understand the nature and purpose of the business relationship based on the services you will provide your customer, and to gather sufficient information about the customer's beneficial owners by identifying and verifying them, and in some scenarios, understanding the source of their wealth or funds. This allows informed decision-making about the risk level of their activities and whether or not it’s wise to enter into a business relationship with them.
Not all CDD is made equal and certain transactions, or associations come with heightened risks that require more information. There are three levels of CDD that you can carry out which include simplified, standard, and enhanced (EDD) – we’ll dive into what those different levels involve, and when you might need to use them later in the article.
Carrying out CDD is crucial to ensure that the people behind the customer you are engaging are who they claim they are and they're not involved in any illegal activities like money laundering, terrorist financing, or fraud. It helps reporting entities meet their statutory obligations and reduces the risk of you unwittingly facilitating criminal activities.
How is CDD conducted?
CDD involves a series of steps that are usually part of the onboarding/KYC process, beginning with collecting information from the customer and verifying its authenticity, the process itself includes the following three steps:
1️⃣ Identifying the customer
Collecting relevant information, such as the structure of the customer’s entity to identify beneficial owners and those acting for the customer, their name, address, date of birth, identifying documents, and any other necessary particulars.
2️⃣ Verifying the customer
Validating the customer's identity by reviewing authentic documents such as a passport, driver's licence, or government-issued ID for each beneficial owner or person acting on behalf of the customer.
3️⃣ Assessing the customer’s risk
Analysing the customer's activities, intended transactions, and where relevant the source of funding to check if they pose any threat to the reporting entity or expose it to potential legal or regulatory risk.
Levels of CDD
Earlier I mentioned that not all CDD is made equal, and this will all be dependent on the type of customer and the services provided to the customer, the reality is that for both accounting and law firms, it’s extremely unlikely simplified CDD is ever going to fly due to the nature of the work and transactions you’re dealing with.
📝 Simplified CDD
This relates to specific types of customers like publicly listed companies, state-owned enterprises or crown entities. You need to record the full legal name of the company and a brief explanation of how it qualifies for simplified CDD. You also need to collect information about the nature and purpose of your proposed business relationship with the company.
🔒 Standard CDD
This is the norm for most customers and involves understanding the structure of the company and verification of beneficial owners to ensure the details you might have collected so far are true and aren’t misleading or fraudulent, or on sanction lists for example. At this point, you’ll often have enough information to be able to understand the nature and purpose of the proposed business relationship and the potential risk of who you’re dealing with – if you’re comfortable with this, you may not need to ask for any further documentation.
🚨 Enhanced CDD
In certain circumstances, additional information is required about the customer, perhaps due to the type, or complexity of the customer or if the service requested is unusual or complex. This will involve understanding the source of wealth or source of funds, and perhaps more sophisticated measures will be required to obtain and verify beneficial owners of the customer.
Ongoing Due Diligence (ODD)
Running CDD as part of your onboarding/KYC process is only one part of the puzzle – you’re also expected to monitor your clients on an ongoing basis, this is to ensure that you are on top of any emerging or evolving risk.
Not only does it help you make sure you continue to meet your obligations to the AML/CFT Act, but it also ensures that you have a good understanding of the potential exposure to risk that your firm might be holding at any given time.
At the moment, the expectation is that you perform ODD either periodically or when a transaction/interaction requires it, this might involve checking the structure of the customer, updating IDs, or re-checking the source of funds, for example. There are other situations, such as a change in control where ODD is equally pertinent, an example of that might be when a new shareholder or director is appointed. Whilst there is software out there to help you monitor financial transactions in an automated manner, the reality for an accounting firm is that it’s unlikely you’ll need to have seriously complex systems in place, especially given you’re probably not “setting and forgetting” your relationship with your client, instead it’s likely you’ll be regularly dealing with their tax affairs and their transactions, so if something seems out of sorts when you’re doing other work, that’s a good time to consider how you might want to follow up.
For example, if you’re the registered office for a Fish and Chip shop or a Barbers, you’d expect regular cash deposits into their bank accounts as people typically are more likely to use cash in these environments, but if you’re seeing large cash deposits from an online retailer who sells exclusively over the internet, that might seem a little odd, and raise a few eyebrows – this is where your internal process and understanding of your customer comes into play.
Ultimately CDD is all about managing risk and getting to know your customers in a way you can best serve them – building a robust onboarding process will help you to have confidence in your approach and that you’re meeting the compliance obligations you need to. The Financial Marketing Authority (FMA) has a number of downloadable assets that can help you build out your AML/CFT programme for you – here you’ll find guidance for CDD when working with Companies, and this document talks about the specifics for dealing with Trusts. As we’ve spoken about how you monitor, maintain and carry out CDD is ultimately your decision, as long as you meet the requirement of the AML/CFT act – with that in mind we’ve summarised the Department for Internal Affairs (DIA) requirements to meet the AML/CFT act in this article.