When considering onboarding processes, there can sometimes be confusion between KYC and CDD because the terms are so closely linked. Simply put, KYC (Know Your Customer) checks tend to refer to those carried out at the beginning of a relationship, to initially establish and verify the identity of the subject you are onboarding. CDD (Customer Due Diligence), on the other hand, refers to the ongoing process of retaining confidence in the data you have collected, making any changes and identifying any issues that may be suspicious and may require further investigation.
Customers and clients of all types often undergo changes to their personal and professional circumstances over a period of time – that’s just life and human nature. The task of CDD programmes is to establish that any of these identified changes in status, behaviour and anything else relevant to your relationship with them are innocent and relevant to their circumstances. Maybe they got married and changed their name; maybe they lost their phone and had to get a new number; or maybe they changed their bank because they were offered a better deal. Any of these changes, and many more besides, are most likely to be innocent, but they all need to be fact-checked to establish their veracity.
Ongoing CDD monitoring for compliance
This part of the process is often referred to as monitoring and remediation. Monitoring is the process of establishing that something relevant to their circumstances and your business with them has changed, and ideally flagging whether the change is innocent or suspicious. Remediation is the process of investigating any suspicious changes, establishing the facts and categorising them. Often, this involves bulk remediation projects, such as reviewing your entire database for PEPs (Politically Exposed Persons) or sanctions if a new sanctions list is published. An example of this has been the various sanctions against Russian entities throughout 2022.
If the changes are found to be innocent and bona fide, the customer record can be flagged as such and allowed to remain in the database. If investigations turn up suspicious or fraudulent activity, then it’s likely that you can no longer do business with them and their details will need to be referred to the relevant criminal and/or regulatory bodies, normally under a SAR (Suspicious Activity Report).
Why is ongoing CDD monitoring so important?
By not carrying out monitoring and remediation, through an ongoing CDD programme, regulated entities can be put at risk in a number of ways:
- Regulatory Scrutiny: As a regulated entity, you will be subject to scrutiny by your regulator(s), who will look at your processes, your data and your actions. For companies who have strong onboarding, monitoring and remediation practices in place, with a track record of identifying and managing any suspicious activity, these checks will be easily managed. For those with less efficient processes, and who may have faced issues with data irregularities in the past, much more in-depth scrutiny is likely to take place, potentially causing business disruption and tying up valuable resources in areas already under pressure.
- Sanctions and/or Fines: If a regulator finds evidence of sloppy practices, or suspicious records that haven’t been identified, they have the power to issue sanctions and fines. In extreme cases, the regulator has the power to shut a business down, temporarily at least, if it is felt that criminal activity has taken place and the company is at fault for not identifying it. They can also impose fines on both the company and individual company officers, and even prosecute those officers if it is felt that serious negligence has taken place.
- Business Continuity: If criminal activity goes undetected for any length of time, serious harm can be done to a company’s finances. In extreme cases, this financial harm can put a company’s operational capabilities at risk.
- Reputational Standing: Companies who become known for receiving sanctions and fines, for misdemeanours or serious errors in process, are at risk of having their professional and public reputations called into question. In a retail or interpersonal environment, this can lead to serious reductions in customers wishing to do business with them.
These are just some of the risks that companies take when they do not have robust and ongoing processes in place, designed to combat fraud and other criminal financial activity.
How do I achieve ongoing CDD monitoring?
All regulated entities, despite seeing the need (both professional and moral) for ongoing CDD, look at the cost implications of the various options open to them, to find a solution that will fit their preferred short-term spend limit levels. On the face of it, this is good corporate practice, but, in reality, it is a short-sighted approach to what is a critical part of their corporate functionality. Short-changing the CDD process, with a mixture of manual, partly manual and automated processes, is a trade-off against potential errors and criminal infiltration, with consequent levels of fines and sanctions.
To achieve ongoing CDD, you need firstly to have an efficient and effective KYC/KYB onboarding process, to ensure that new customers and clients are who they say they are. You then need a monitoring process, to ensure that this data is kept up-to-date and clean, and to flag any records that have suspicious activity or changes. And, finally, you need some form of remediation process – because there is no point in identifying suspicious records and then not doing anything about them.
End-to-end customer due diligence
In an ideal world, these three parts of the end-to-end process should be aligned, and automated. Using manual or partly manual systems introduces human intervention at a time when automation can best cope with the intricacies and volumes of data involved. Human intervention is necessary at certain points, but only to analyse output and to take the necessary action to investigate and rectify situations.
In this world of Big Data, the number of records that need checking, analysing and managing rises exponentially from what it may have been 15-20 years ago, and human resources teams are rarely able to cope effectively with the rigours required for the process. Automated, end-to-end systems guard against expensive errors and deliver not only analysis and reporting, but also clearly defined audit trails that serve to satisfy the keenest regulator.
AI and Machine Learning can deliver far more accurate results in a much smaller time frame. In this ‘always on’ society, customers expect instant gratification and have no time for companies who say that they will have to wait for days for results. Automated systems provide the benefit of Remote Verification, shortening the delays that can happen with manual interventions.
Automated Customer Due Diligence
Fully automated software systems are most certainly very cost-efficient for companies dealing with a high volume of customers and requiring a wide range of personal checks. Automated systems will also deliver their results very quickly, reducing your onboarding time and increasing the satisfaction levels of your customer base. And happy customers equate to profitable customers, especially where there is potential for up-selling and cross-selling.