Customer due diligence is both a compliance issue and a challenge that fraudsters love to solve.
In this guide, we’ll show you how fraudsters fool KYC checks, and why sourcing alternative data is one of the best solutions to flag them. But first, a quick recap of the key terms.
What Is Customer Due Diligence?
Customer due diligence (CDD) means collecting, verifying and analyzing key information about a customer or client as a background check – so you can be confident they are who they claim to be. It is a form of risk management and can include the verification of identity documents (IDV), collection of alternative data, as well as data enrichment.
CDD is a legal requirement for certain industries – especially banks and neobanks, which must comply with CDD regulations to avoid fines. It is generally tiered by risk: simplified due diligence (SDD) for low-risk customers, standard CDD, and enhanced due diligence (EDD) for higher-risk ones.
Customer Due Diligence Requirements
Certain types of organizations, including banks, fintech firms, and investment companies, are required to conduct customer due diligence in a variety of scenarios. The below table shows some of these scenarios and the customer due diligence requirements that they relate to.
| Type of CDD Requirement | Example of Relevant Scenario | Explanation |
| --- | --- | --- |
| Customer identification program (CIP) | A new customer starts a business relationship with an organization they wish to sign up to | Before the account is opened, the organization collects identifying information (name, date of birth, residential address and an identification number) and verifies it, typically against official documents. CIP is the identification step on which all later CDD builds. |
| Ongoing due diligence (ODD) | An organization carries out regular (e.g. annual) checks to ensure its customer records are accurate and up to date | CDD does not only apply at onboarding. Over time, organizations must carry out ODD to pick up changes or discrepancies in customers' personal information, and to monitor for suspicious transactions. |
| Customer risk profiling (CRP) | A prospective customer is flagged as a potential money laundering risk by the organization's AML/CFT (countering the financing of terrorism) measures | An organization considering a customer flagged as a potential money laundering risk must decide whether that person is low, medium or high risk. In practice, organizations are often required to assign a risk profile to every potential and existing customer, even those they believe pose no risk to the business. |
| Enhanced due diligence (EDD) | A customer carries out a transaction over a certain threshold and/or arouses suspicion by appearing on a blacklist, PEP list, watchlist or other sanctions list | EDD applies when an organization has decided there is reason to escalate the level of due diligence, for example because the customer has a higher-than-average risk profile. It can involve checks on the person's business associates, source of funds, and so on. |
As reflected above, there are many types of customer due diligence requirements, and their stringency usually depends on how law-abiding or suspicious the organization judges the given customer to be.
With that said, the nature of CDD requirements depends on each organization’s policy, jurisdiction, and many other factors such as the risk appetite of the business itself.
What Is the Difference Between CDD and KYC?
Both customer due diligence and KYC are required by law in some sectors, such as banking. CDD includes KYC checks but adds a focus on the source of funds, because of money laundering and terrorism financing concerns.
Importantly, KYC is a process that takes place when a new customer signs up. CDD checks, on the other hand, need to continue throughout your relationship with the user.
KYC verification happens at the onboarding stage. Its three key components are a first and last name, date of birth and residential address, whereas CDD typically looks into more than this.
| | CDD | KYC |
| --- | --- | --- |
| When? | At signup and at regular intervals | When the customer signs up |
| What? | Source of funds, intentions, name, address, DoB | Name, address, DoB |
| Who? | Those at risk of money laundering, terrorism financing, corruption, bribery | Age-restricted products and services, certain financial services and anyone who chooses to |
Customer Due Diligence for Banks
Banks have traditionally been the primary organizations concerned with CDD requirements, as authorities expect them to continuously confirm who their customers are and where their funds come from.
When a new customer joins a bank by opening an account or buying a financial product, the bank will be required to do due diligence by verifying the customer’s identity, address, source of funds, etc.
One of the key concerns of banks’ legal departments is to ensure full compliance with CDD, AML and other related legislation, inclusive of any updates to it, so that the bank can avoid fines or licensing issues.
The Relation Between CDD & AML
CDD is part of AML, but AML includes many more procedures. Both CDD and AML are ongoing concerns for companies and organizations that are deemed to be of high risk of enabling money laundering and terrorism financing.
Anti-money laundering (AML) is a set of regulations and measures to limit money laundering. Defined by local authorities as well as international bodies, AML asks certain types of companies, such as banks and fintechs, to have procedures in place that allow them to know who they are doing business with, and flag any suspicious or high-value transactions.
Doing CDD on their clients and customers – including businesses and private individuals – at regular, defined intervals allows companies to fulfill one of their AML compliance requirements. Keep in mind, though, that CDD alone does not fully satisfy them.
How to Perform Customer Due Diligence
The customer due diligence process is a legal requirement and it must be performed for new business relationships (new customers), for transactions over a certain threshold, upon money laundering suspicion, or if a user presents unreliable documentation.
It is a four-step process, which sees companies:
- Establish and verify a customer’s identity and address. This involves collecting and verifying official documentation such as a passport, utility bill, driver’s license, etc.
- Understand what business activities the customer plans to conduct. Financial background information, or a statement signed by the customer, may be required.
- Store the customer information in an appropriate and secure location, so that regulators may be able to access it in case of an investigation.
- Determine if a next step is needed, such as Enhanced Due Diligence (EDD), which also looks at information such as PEPs (politically exposed persons), understanding a source of funds in more depth, or adding ongoing monitoring procedures.
When the customer is a company, there may be additional concerns. For example, you will want to establish the ultimate beneficial owner (UBO) of the organization, and check whether the business is subject to any sanctions, including those that follow from ownership rules such as OFAC's 50 Percent Rule (under which an entity owned 50% or more by sanctioned persons is itself treated as sanctioned).
To complete the picture of their users, risk managers have begun leveraging open banking data. Because account data is shared over APIs rather than locked inside a single institution, open banking makes processes such as switching banks or integrating third-party financial products easier. It also lets lenders access someone's payment and transaction history, spending patterns, credit score, and so on.
Open banking APIs respond quickly, so you can build an alternative credit scoring system that works in real time. Unfortunately, such data can be stale or inaccurate, and it offers little protection against hacked accounts and money mules, whose bank histories look legitimate. To make matters worse, this kind of alternative data is simply nonexistent in emerging markets, and patchy even in countries like the USA, where roughly 25% of households are considered unbanked or underbanked.
So what else should you look at if even the financial institution’s data isn’t helpful? Well, in the digital age, our email address is akin to our passport. So there is alternative information you can gather by enriching data from an email address, phone number or IP address – what we call digital footprint analysis, as well as looking into the customer’s device and behavior.
- Email analysis: Checking if the used email address has been used before on social media, if it has been newly created, and if the domain is trustworthy.
- Phone number analysis: Checking its validity, the carrier's country, social media presence, whether it is a virtual SIM or VoIP number, etc.
- IP analysis: Understanding if the traffic comes from a VPN, proxy or Tor, where the connection comes from vs where the customer has said they are based, etc.
- Device fingerprinting: Learning how users access your platform in terms of both software and hardware. Are they suspiciously switching browsers? Using emulators to spoof mobile devices?
The key is to gather data that is fresh, up-to-date and relevant. Even complex device configuration is easy enough to emulate. But a whole social media history creates a high barrier for fraudulent organizations who want to scale their operations.
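The four kinds of digital footprint signal listed above can be combined into a pre-KYC risk score that decides whether a signup goes straight to the (paid) identity check, to manual review, or is declined. The Python script below is an added example written for this article; it is not SEON's code or API. Its lookup tables (disposable domains, VPN ranges, Tor exits, IP geolocation, virtual carriers, emulator markers) are constructed for the example from reserved documentation address ranges and made-up names, and the point weights and decision thresholds are illustrative assumptions, not vendor values.

```python
"""Pre-KYC digital footprint scoring over constructed lookup data.

Added example, not SEON's code. Every list below is constructed for the
example; in production they would come from enrichment feeds.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
import ipaddress

# --- Constructed reference data (assumptions, not real intelligence) ------
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}
FREE_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
VPN_PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
TOR_EXITS = {ipaddress.ip_address("203.0.113.9")}
IP_GEO = {ipaddress.ip_network("192.0.2.0/24"): "GB",
          ipaddress.ip_network("198.51.100.0/24"): "NL",
          ipaddress.ip_network("203.0.113.0/24"): "US"}
VIRTUAL_CARRIERS = {"voip-example"}                  # virtual SIM / VoIP providers
EMULATOR_MARKERS = ("generic_x86", "sdk_gphone", "emulator")

Signal = tuple[str, int]   # (human-readable reason, risk points)


@dataclass
class Signup:
    email: str
    email_first_seen: date | None   # None: address never observed online before
    social_profiles: int            # platforms where the email/phone is registered
    phone_carrier: str
    phone_country: str              # ISO country of the carrier
    ip: str
    declared_country: str           # what the applicant told us
    device_model: str
    browsers_in_session: int        # distinct user agents seen from one device


def email_signals(s: Signup, today: date) -> list[Signal]:
    local, _, domain = s.email.lower().partition("@")
    out: list[Signal] = []
    if domain in DISPOSABLE_DOMAINS:
        out.append(("disposable email domain", 40))
    if s.email_first_seen is None:
        out.append(("email never seen online", 25))
    elif (today - s.email_first_seen).days < 30:
        out.append(("email first seen < 30 days ago", 15))
    if s.social_profiles == 0 and domain in FREE_DOMAINS:
        out.append(("free-mail address with no social footprint", 20))
    # Bulk-generated local parts (e.g. "kx83jq9z1") tend to be digit-heavy.
    if len(local) >= 8 and sum(c.isdigit() for c in local) / len(local) > 0.4:
        out.append(("digit-heavy local part", 10))
    return out


def phone_signals(s: Signup) -> list[Signal]:
    out: list[Signal] = []
    if s.phone_carrier.lower() in VIRTUAL_CARRIERS:
        out.append(("virtual SIM / VoIP number", 25))
    if s.phone_country != s.declared_country:
        out.append((f"carrier country {s.phone_country} != declared {s.declared_country}", 15))
    return out


def ip_signals(s: Signup) -> list[Signal]:
    out: list[Signal] = []
    ip = ipaddress.ip_address(s.ip)
    if ip in TOR_EXITS:
        out.append(("Tor exit node", 40))
    elif any(ip in net for net in VPN_PROXY_RANGES):
        out.append(("VPN/proxy range", 25))
    geo = next((cc for net, cc in IP_GEO.items() if ip in net), None)
    if geo is None:
        out.append(("IP not geolocatable", 10))
    elif geo != s.declared_country:
        out.append((f"IP country {geo} != declared {s.declared_country}", 20))
    return out


def device_signals(s: Signup) -> list[Signal]:
    out: list[Signal] = []
    if any(m in s.device_model.lower() for m in EMULATOR_MARKERS):
        out.append(("emulated device", 30))
    if s.browsers_in_session > 1:
        out.append((f"{s.browsers_in_session} browsers from one device", 15))
    return out


def assess(s: Signup, today: date) -> tuple[int, str, list[str]]:
    """Return (score capped at 100, decision, reasons). Thresholds are assumptions."""
    signals = email_signals(s, today) + phone_signals(s) + ip_signals(s) + device_signals(s)
    score = min(100, sum(pts for _, pts in signals))
    decision = "approve" if score < 20 else "review" if score < 50 else "decline"
    return score, decision, [reason for reason, _ in signals]


# Constructed sample signups for a fixed "today".
TODAY = date(2024, 6, 1)
GOOD = Signup("anna.keller@example.org", date(2016, 3, 1), 6, "Vodafone", "GB",
              "192.0.2.44", "GB", "Pixel 7", 1)
REVIEW = Signup("j.smith@gmail.com", date(2024, 5, 25), 2, "Vodafone", "GB",
                "192.0.2.77", "GB", "Pixel 7", 2)
BAD = Signup("kx83jq9z1@mailinator.com", None, 0, "voip-example", "US",
             "203.0.113.9", "GB", "sdk_gphone64_x86_64", 3)

if __name__ == "__main__":
    for label, s in (("good", GOOD), ("review", REVIEW), ("bad", BAD)):
        score, decision, reasons = assess(s, TODAY)
        print(f"{label}: score={score} decision={decision} reasons={reasons}")
```

Only signups that score "approve" would be sent on to the IDV provider; "review" goes to an analyst, and "decline" never incurs a KYC fee. Note that the reasons list is kept alongside the score so that a compliance reviewer can see which signal drove the outcome rather than just a number.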
How to Save on CDD Costs with SEON
By offering one of the most advanced customer intelligence solutions on the anti-risk market, SEON can help you spend less on CDD checks. Leverage digital footprint analysis as a pre-KYC and pre-CDD step to block bad actors from gaining access, thus reducing your CDD workload.
Using a single email address or phone number, SEON checks 50+ social media and digital platforms. You will get access to public information on user profiles, bios and avatars, and even a “last seen” date – hundreds of data points about a user.
This means that you can weed out many criminals before they even reach CDD. IDV providers charge per CDD or KYC check. With SEON, you end up conducting fewer checks, more of which will be approvals.
The data enrichment information can be aggregated via manual query, API call or even a Chrome browser extension. Working in the background, this wall of defense can streamline CDD while also keeping an organization safe from all manner of fraud.
By building a fuller user profile using SEON’s fresh alternative data, you’ll:
- know exactly who you’re dealing with
- spot hidden connections between customers
- reduce the risk of onboarding money launderers
- spend less on KYC and AML
- help automate your KYC
- improve AML fraud detection
All with zero extra user friction, and a choice of integration that works with your business. SEON also provides AML checks, ensuring your customer is not on any watchlists, sanctions lists, blacklists or PEP lists.
Frequently Asked Questions
What is a due diligence checklist?
A due diligence checklist is a series of steps your organization must complete to ensure it remains legally compliant. The steps vary from one industry to the next, but they always include some form of identity and financial information verification.
What are the customer due diligence requirements?
Customer due diligence requirements vary from one industry to another. However, you will commonly find that a business must establish a user’s: 1) identity, 2) financial information, 3) residential address, 4) money laundering risk.
What are the types of customer due diligence?
While customer due diligence is a broad term, it can be broken down into different processes such as KYC (know your customer) checks, AML (anti-money laundering) checks, or EDD (enhanced due diligence).
Communication Specialist | Florian helps tech startups and global leaders organise their thoughts, find their voices, and connect with customers worldwide.