Customer due diligence (CDD) is an important part of complying with Know Your Customer (KYC) and anti-money laundering (AML) requirements. But there are times and situations when standard CDD processes are not enough. In those cases, it’s critical that your business has a well-designed enhanced due diligence (EDD) protocol in place.
But what, exactly, is enhanced due diligence, and how does it compare against standard CDD procedures?
Below, we take a look at both customer due diligence and enhanced due diligence, exploring how they work and when each is necessary. We also zoom out to view the bigger picture of how CDD and EDD fit into the larger KYC and AML regulations.
CDD, EDD, and KYC
Certain businesses are required by law to know who they are doing business with. This includes financial institutions — such as banks, insurers, lenders, cryptocurrency exchanges, and fintech companies — which are subject to AML rules under the Bank Secrecy Act and related laws. But it also includes businesses that operate in other regulated industries, such as online gambling, travel, and age-restricted commerce, amongst others.
The processes that these businesses implement to meet these requirements are usually called Know Your Customer (KYC). Customer due diligence is just one part of KYC (along with customer identity verification and continuous monitoring). Enhanced due diligence is likewise just one part of CDD.
What is customer due diligence?
Customer due diligence (CDD) refers to a set of KYC processes designed to assess customer risk. While regulations can vary by country, most follow Financial Action Task Force (FATF) recommendations.
In the US, CDD is enforced by FinCEN, which requires financial institutions to meet four key requirements:
- Identify and verify all customers or clients
- Identify and verify all beneficial owners of companies you want to do business with. (This includes any individual who controls the company and/or owns 25% or more of the company.)
- Understand the nature and purpose of customer relationships to develop customer risk profiles
- Conduct continuous monitoring of customer activity and transactions to identify and report suspicious activity
In practice, customer due diligence usually involves collecting personal information about customers, such as their name, date of birth, Social Security Number, physical address, and other information as necessary.
The collected information is often then verified against one or multiple external documents in a process known as documentary verification. The specific document(s) will depend on your business, but typically include at least one form of government-issued ID like a driver’s license, mobile driver’s license, state ID, or passport.
Where applicable, the information provided may then be verified through issuing database verification, either in addition to or in place of documentary verification.
A number of screenings are also required at this stage. Adverse media screenings are a common example. These screenings specifically look for negative news or media coverage of an individual or business entity and typically include print, online, radio, and television sources. Additionally, sanctions and watchlist screenings ensure that the individual is not a sanctioned entity (or associated with a sanctioned entity), while politically exposed persons (PEP) screenings specifically check for political associations, which may indicate increased risk.
It’s important to acknowledge that all businesses, industries, customers, and use cases are of course different, and as a result, one CDD program may look somewhat different from another. That being said, the average CDD program is likely to include at least some of the steps outlined above.
In cases where an individual or transaction is deemed to be lower or higher risk than the “standard,” businesses may leverage alternative levels of due diligence. This includes:
- Simplified due diligence, which leverages simplified frameworks and processes for low-risk transactions or customers with known and reliable sources of funds. It still involves identity verification, but typically with fewer checks.
- Enhanced due diligence, which is applied to high-risk individuals and transactions, and which we explore in greater depth below.
What is enhanced due diligence?
Enhanced due diligence (EDD) refers to protocols that are followed when an individual or transaction is deemed to carry a higher risk of money laundering or other financial crime. In these cases, businesses are required to conduct an additional layer of verification.
What constitutes high risk? Common factors that may trigger the need for enhanced due diligence include when an individual:
- Is a politically exposed person (PEP)
- Has been linked to financial crime in the past
- Is the subject of adverse media
- Has a high net worth or is a celebrity/public figure
- Works in an industry with a high risk of money laundering, such as gambling
- Is on a sanctions list, or is tied to a company or country with sanctions levied against them
- Is located in a high-risk country (such as those known to harbor terrorist organizations or those tied to regimes known to engage in money laundering).
As with CDD, the specific EDD processes you implement will depend on your business, industry, the specific jurisdiction you operate within, use case, risk tolerance, and more. Additionally, these processes should ideally be tailored to the unique risk profile of each customer, taking into consideration the factors that made enhanced due diligence necessary in the first place.
That being said, EDD may include any combination of the following methods:
More stringent identity verification
Identity verification as it pertains to customer due diligence typically involves collecting certain information from the individual and then verifying that information against a document, such as a government-issued ID, or database, such as DMV records.
In cases where enhanced due diligence is deemed to be necessary, however, you would typically perform additional checks to verify the individual’s identity. This may include:
- Asking for additional documents
- Adding selfie verification
- Adding database verifications
- Adding additional database verifications (if you're already doing database verifications)
- Conducting identity verification more often
- Or any combination of the above
The purpose of enhanced due diligence is to gain a better understanding of the individual, their reputation, and their risk. One way to do this is by screening the individual against additional reports and data sources such as social media reports, address lookups, or email and phone risk reports.
Source of funds verification
Depending on the situation, it may be necessary to also verify the individual’s source of funds to ensure that they have not come from the proceeds of a crime.
Source of funds can be verified in a number of ways, including via collection of relevant documentation. Pay stubs, tax statements, bank statements, investment transaction statements, sales contracts, loan agreements, and other documents can all be used to understand where the individual’s wealth and income have come from.
Enhanced due diligence isn’t a one-off event. After all, things change. Just because someone is not on a sanctions list or is not the subject of adverse media today doesn’t mean they won’t be tomorrow.
For this reason, continuous monitoring is an essential piece of enhanced due diligence. At a minimum, this should include monitoring transactions to identify suspicious activity that might point to financial crime. But it can also include steps such as regularly re-screening high-risk individuals to understand if their risk factors have changed.
It’s not an either/or situation
The question of CDD vs EDD isn’t a question of which is better, or which is necessary for your business. Standard and enhanced due diligence are both essential pieces of well-designed KYC processes. But by understanding when enhanced due diligence is required and when it isn’t, you can tailor the amount of friction during your onboarding process to each individual circumstance and provide your users with the best possible experience.
Persona’s Dynamic Flow allows you to customize your identity verification and customer due diligence processes based on each individual’s unique risk profile, empowering you to build a robust KYC program without sacrificing user experience.