Best Practices for Conducting AML Customer Due Diligence

RapidAML Team

2024-05-17

Customer Due Diligence (CDD) is an important regulatory requirement in the UAE. DNFBPs and VASPs must conduct Customer Due Diligence before onboarding customers. This article provides insights into the best practices for conducting AML customer due diligence.

What is Customer Due Diligence (CDD)

Customer Due Diligence, or CDD for short, is the process of assessing and verifying who your customers are. The purpose of carrying out CDD is to understand the nature and volume of transactions expected from the customer and the potential risk factors associated with the business relationship.

At its most basic level, the CDD procedure involves collecting information such as a customer’s name, address, workplace details, and intended use of the account. Other information, such as official documents, including a driving license, passport, and incorporation documents, is collected to ensure that the customer is being truthful and has no malicious intentions.

CDD is based on the idea that an institution that knows its clients is better placed to prevent money laundering effectively, which is the aim of anti-money laundering (AML) controls.

The Financial Action Task Force (FATF) states that financial institutions should carry out CDD procedures under the following circumstances:

  1. When establishing new business relationships
  2. When they suspect any Money Laundering or Terrorist Financing activities
  3. When they are sceptical about the client’s identity
  4. When carrying out occasional transactions exceeding USD 15,000, depending on the nature of the transaction and the circumstances.

Types of Customer Due Diligence

If the customer appears to be high-risk while the Due Diligence process is being carried out, regulated entities have to undertake a more extensive CDD procedure. Customer Due Diligence takes place in three different yet correlated ways: Simplified, Standard, and Enhanced.

Simplified Due Diligence

Simplified Due Diligence is a streamlined procedure to assess the risk associated with a particular transaction.

It is a basic level of investigation to verify essential information, such as the identity of parties involved, regulatory compliance, and any potential red flags.

In the case of Simplified Due Diligence, the regulated entity generally relies on readily available information to make informed decisions while ensuring compliance with relevant regulations and standards.

Standard Due Diligence (SDD)

Standard Due Diligence involves a thorough examination of all aspects of a customer.

The regulated entity undertakes in-depth investigations into financial, legal, operational, and strategic dimensions to identify any potential risks.

The Standard Due Diligence process involves a detailed review of the customer’s profile.

Enhanced Due Diligence (EDD)

There are certain factors about the customer that hint at a higher risk of Money Laundering or Terrorist Financing, for example, clients who are the target of Economic Sanctions or Politically Exposed Persons (PEP).

In such cases, it becomes mandatory for regulated entities to undertake Enhanced Due Diligence (EDD).

The following factors may be evident when identifying a high-risk client. Where they are present, the regulated entity is obliged to conduct EDD measures:

  1. A client has a nominee shareholder in bearer form
  2. The client has a cash-intensive business
  3. The company has a complex ownership structure
  4. The client has an unusual way of conducting business and establishing relationships
  5. The client’s country of residence is different from that of the financial institution
  6. The client uses legal persons or asset-holding vehicles

There are other factors, such as Geographic Risk factors and Transaction Risk Factors, where undertaking Enhanced Due Diligence (EDD) becomes crucial.

These factors are:

Geographic Risk Factors:

Countries that represent a high risk are indicated by the following:

  1. Inadequate Anti-Money Laundering system
  2. Funding or supporting Terrorist motives
  3. High rate of financial crime and corruption.

Transaction Risk Factors:

Transactions indicating risk factors are:

  1. Non-face-to-face dealings
  2. Receiving payments from unidentified third parties
  3. Anonymous transactions

Key Components of CDD

CDD procedures have these measures as their key components:

1. Customer Identification and Verification

In February 2016, the Basel Committee, which sets global standards for banking regulations, published a set of recommendations that tell financial institutions how to verify the identity of their clients.

Here is a step-by-step guide to identifying customers who want to open an account. The committee has further divided it into two lists. The first list is for natural persons, and the second one is for legal entities.

The list of details that need to be obtained from the client in the case of natural persons is as follows:

  • Name
  • Address
  • Contact details and alternative contact details
  • Gender
  • Date and place of birth
  • Nationality and country of residence
  • Occupation
  • Workplace details – working email address, employer name
  • Type of account and banking relationship
  • Government-issued identification number
  • Signature

For legal persons:

  • Name, legal form, and evidence of incorporation
  • Permanent address and other registered addresses
  • Identification of natural persons authorised to manage the account
  • Identification of beneficial owners
  • Powers governing the legal entity
  • Nature and intent of activities
  • Expected use of the account, sources, and destination of funds in the account.

Verification of the Identity of Natural Persons:

Regulated entities can verify these details by taking the following steps:

  • Using current official documents with the customer’s photo
  • Using current official documents to confirm the date and place of birth
  • Asking an authorised person to verify the authenticity of official documentation
  • Confirming the residential address
  • Checking references from other financial institutions
  • Using public registers and other independent verification processes

Verification of the Identity of Legal Entities:

Regulated entities can verify the identity of customers who are legal persons by employing these measures:

  • Obtain a copy of the certificate of incorporation, partnership agreements or any other agreements.
  • Examine a corporation’s financial statements
  • Conduct commercial enquiries to confirm that the legal person is still operational
  • Consult independent sources such as lawyers, accountants, or corporate registers
  • Verify and validate the legal entity identifier and relevant data
  • Acquire prior bank references
  • Pay a visit to the corporate entity

2. Sanctions Screening

Sanctions screening involves checking individuals, entities, and transactions against lists of sanctioned parties (UAE Local Terrorist List, UN Consolidated List) to prevent interaction with prohibited parties.

It is crucial for compliance with international regulations and local laws. This procedure utilises specialised sanctions screening software to compare data against the sanctions lists produced by the regulatory authorities.

If a match is found, a Funds Freeze Report or Partial Name Match Report is submitted to the FIU. In the case of suspicion as to ML/TF, a Suspicious Transactions Report (STR) or Suspicious Activity Report (SAR) is submitted through the goAML portal.

3. Customer Profile Management

The regulated entity gathers all the relevant information about the customer, including their business, occupation, income level, and the value and volume of transactions, and develops a comprehensive customer profile.

4. Customer Risk Assessment

Customer Risk Assessment under Anti-Money Laundering regulations involves evaluating the potential risk posed by a customer. The regulated entity takes into consideration various risk factors like geography, product, service, transaction, delivery channel, customer, technology, etc., to assess the risks associated with the customer.

5. Customer Acceptance

The customer is onboarded in accordance with the customer acceptance policy. If the risks associated with a customer are unacceptable, the business relationship with the customer is not established.

6. Ongoing Monitoring

What we mean by “Ongoing Monitoring” is the ongoing assessment of business relationships. This step is crucial because, while certain transactions might not initially seem suspicious, they could, over time, hint at a pattern of irregular behaviour that necessitates changing a customer’s risk profile.

The following are included in continuous monitoring:

  • Monitoring a client’s financial transactions during the business relationship to confirm that their risk tolerance is appropriate for the work they do
  • Remaining alert to any possible changes in the risk profile or any other factors that might raise questions
  • Preserving all relevant records, papers, data, and information that might be needed for CDD purposes in a secured place

All business engagements should follow the best practice of continuous monitoring, but like other CDD measures, it can be tailored to the customer’s risk profile.

7. Investigation

If a customer enters into suspicious transactions or conducts suspicious activities, an investigation is conducted, and an STR or SAR is filed with the FIU.

8. Documentation

As per the Federal AML/CFT Laws, regulated entities are required to maintain AML/CFT records for a period not less than 5 years. Documentation of the CDD procedures and related records plays a huge role in fulfilling this obligation.

9. Staff Training

Employee training and awareness around CDD requirements is a must to fulfil the legal obligations around customer onboarding.

Why is Customer Due Diligence Required?

  • CDD guarantees that the regulated entity uses risk-aware CDD procedures.
  • The CDD process offers an extensive understanding of the ML/TF risk involved in a business relationship.
  • CDD procedures allow the regulated entity to identify the beneficial owners in order to understand the rationale behind a customer using a complicated corporate structure.
  • In cases where customers are unable to produce common forms of identification, the CDD process provides a degree of flexibility and alternate means for customers to verify their identities without negatively affecting the business.

Legal Obligations of DNFBPs to Carry Out Customer Due Diligence

DNFBPs stands for Designated Non-Financial Businesses and Professions. DNFBPs are entities that are not financial institutions but are still vulnerable to being used for Money Laundering purposes (e.g., real estate agents involved in the sale and purchase of real estate, dealers in precious metals, companies providing accounting and auditing services, lawyers, notaries, etc.).

Given the scope of DNFBP practices and their exposure to several risk areas relating to Money Laundering and Terrorist Financing (ML/TF), the following legal obligations arise:

  • DNFBPs must identify and verify the identity of their customers before establishing a business connection to carry out any transaction.
  • DNFBPs must understand the nature of their customers’ businesses and the objective behind the intended transaction. This helps in understanding the risks associated with them.
  • Continuous monitoring is required to report any unusual or suspicious activity promptly.
  • DNFBPs are obligated to maintain up-to-date records of customers’ identity and transactional activity. These records should be preserved as per regulatory requirements.
  • Abide by any other regulations as and when required.

Failure to abide by these regulations results in administrative and financial penalties for DNFBPs, which could be as grave as the institution’s license being cancelled.

Customer Due Diligence Best Practices

The best Customer Due Diligence practice involves a systematic and thorough approach to assessing and managing risks associated with clients. Key aspects include:

1. Crafting CDD Policies and Procedures

Developing a clear CDD policy outlining criteria for assessing risks, the customer identification and verification process, and other protocols.

2. CDD Policies and Procedures Implementation

Assigning responsibility for effectively implementing CDD procedures to designated personnel. Deploying appropriate KYC software, Screening Software, Customer Risk Assessment Software, and Case Management Software to support CDD processes effectively.

3. Staff Training

Educating staff on CDD policies, procedures, and regulatory requirements. Providing necessary training on recognising suspicious activities and unusual customer behaviour.

4. Sanctions Screening

Integrating the name-screening software into customer onboarding processes for real-time screening. The software helps in efficient and accurate sanctions screening, which reduces onboarding time and increases automation, leading to straight-through processing.

5. PEP Screening

Under the CDD process, PEP screening identifies any prominent political personality, either domestic or international. It helps determine if a customer is a PEP or a relative or close associate of a PEP and whether there is any risk associated with that person with respect to carrying out transactions.

6. Adverse Media Checks

Adverse media checks, also called Negative News Screening, are a crucial step in identifying any negative information associated with customers. Open sources can be utilised to monitor relevant news and events.

Conclusion

AML Customer Due Diligence serves as a robust mechanism in safeguarding DNFBPs against money laundering and terrorist financing activities. Be it simplified, standard, or enhanced, CDD plays a crucial role in combating financial fraud. It aids in catching red flags at an early stage and prevents regulated entities from engaging in illegal transactions.

Jyoti Maheshwari

Jyoti is a Chartered Accountant and Certified Anti-Money Laundering Specialist (CAMS), having around 7 years of hands-on experience in regulatory compliance, legal advisory, policy-making, tax consultation, and technology project implementation.

Jyoti holds experience with Anti-Money Laundering regulations prevalent across various countries. She helps companies with risk assessment, designing and deploying adequate mitigation measures, and implementing the best international practices to combat money laundering and other financial crimes.

CAMS, ACA
