Customer Due Diligence (CDD): What It Is and Best Processes

Customer due diligence is both a compliance issue and a challenge that fraudsters love to solve.

In this guide, we’ll show you how fraudsters fool KYC checks, and why sourcing alternative data is one of the best solutions to flag them. But first, a quick recap of the key terms.

What Is Customer Due Diligence?

Customer due diligence (CDD) means collecting, verifying and analyzing key information about a customer or client as a background check – so you can be confident they are who they claim to be. It is a form of risk management and can include the verification of identity documents (IDV), collection of alternative data, as well as data enrichment.

CDD is a legal requirement for certain industries – especially banks and neobanks, who must therefore comply with CDD regulations to avoid fines. It is generally split into two types: SDD (simplified CDD) and EDD (enhanced CDD).

Customer Due Diligence Requirements

Certain types of organizations, including banks, fintech firms, and investment companies, are required to conduct customer due diligence in a variety of scenarios. The below table shows some of these scenarios and the customer due diligence requirements that they relate to.

As reflected above, there are many types of customer due diligence requirements, and their stringency often depends on the level at which the organization finds the given customer to be law-abiding or suspicious.

With that said, the nature of CDD requirements depends on each organization’s policy, jurisdiction, and many other factors such as the risk appetite of the business itself.

What Is the Difference Between CDD and KYC?

Both Customer Due Diligence and KYC are required by law in some sectors, such as banking. CDD includes KYC checks, but also adds a focus on the source of funds, for purposes to do with money laundering and terrorism financing concerns.

Importantly, KYC is a process that takes places when a new customer signs up. On the other hand, CDD checks need to be ongoing throughout your relationship with the user.

The KYC verification happens at the onboarding stage. Its three key components include a first and last name, date of birth and residential address, but CDD typically looks into more than this.

More specifically:

Customer Due Diligence for Banks

Banks have traditionally been the primary organizations concerned with CDD requirements, as authorities expect them to continuously confirm who their customers are and where their funds come from.

When a new customer joins a bank by opening an account or buying a financial product, the bank will be required to do due diligence by verifying the customer’s identity, address, source of funds, etc.

One of the key concerns of banks’ legal departments is to ensure full compliance with CDD, AML and other related legislation, inclusive of any updates to it, so that the bank can avoid fines or licensing issues.

The Relation Between CDD & AML

CDD is part of AML, but AML includes many more procedures. Both CDD and AML are ongoing concerns for companies and organizations that are deemed to be of high risk of enabling money laundering and terrorism financing.

Anti-money laundering (AML) is a set of regulations and measures to limit money laundering. Defined by local authorities as well as international bodies, AML asks certain types of companies, such as banks and fintechs, to have procedures in place that allow them to know who they are doing business with, and flag any suspicious or high-value transactions.

Doing CDD on their clients and customers – including businesses and private individuals – at regular, defined intervals, allows companies to fulfill one of their AML compliance requirements. but keep in mind that CDD alone does not fully satisfy these.

How to Perform Customer Due Diligence

The customer due diligence process is a legal requirement and it must be performed for new business relationships (new customers), for transactions over a certain threshold, upon money laundering suspicion, or if a user presents unreliable documentation.

It is a four-step process, which sees companies:

1. Establish and verify a customer’s identity and address. This involves collecting and verifying official documentation such as a passport, utility bill, driver’s license, etc.
2. The business must also understand what business activities the customer plans on doing. Financial background information may be required, or a statement to be signed by the customer.
3. Store the customer information in an appropriate and secure location, so that regulators may be able to access it in case of an investigation.
4. Determine if a next step is needed, such as Enhanced Due Diligence (EDD), which also looks at information such as PEPs (politically exposed persons), understanding a source of funds in more depth, or adding ongoing monitoring procedures.

When the customer is a company, there may be additional concerns. For example, you will want to establish the ultimate beneficial owner (UBO) of the organization, or even check whether the business is subject to any sanctions, including those stemming from the 50/50 rule.

To complete the picture of their users, risk managers have begun leveraging open banking data. Networked rather than centralized accounts facilitate numerous processes such as switching banks or integrating third-party financial products. It also allows lenders to easily access someone’s payment and transaction history, spending patterns, credit score, etc.

Open banking APIs work fast, allowing you to build a modern digital credit scoring system in real-time. But unfortunately, such data may be stale or inaccurate, obsolete or ineffective against hacked accounts and money mules. To make matters worse, alternative data is simply inexistent in emerging markets, or in countries like the USA where 25% of households are considered unbanked or underbanked.

So what else should you look at if even the financial institution’s data isn’t helpful? Well, in the digital age, our email address is akin to our passport. So there is alternative information you can gather by enriching data from an email address, phone number or IP address – what we call digital footprint analysis, as well as looking into the customer’s device and behavior.

• Email analysis: Checking if the used email address has been used before on social media, if it has been newly created, and if the domain is trustworthy.
• Phone number analysis: Checking its validity, the country of carrier, social media presence, whether they are using a virtual SIM card, etc…
• IP analysis: Understanding if the traffic comes from a VPN, proxy or Tor, where the connection comes from vs where the customer has said they are based, etc.
• Device fingerprinting: Learning how users access your platform in terms of both software and hardware. Are they suspiciously switching browsers? Using emulators to spoof mobile devices?

The key is to gather data that is fresh, up-to-date and relevant. Even complex device configuration is easy enough to emulate. But a whole social media history creates a high barrier for fraudulent organizations who want to scale their operations.

How to Save on CDD Costs with SEON

By offering one of the most advanced customer intelligence solutions on the anti-risk market, SEON can help you spend less on CDD checks. Leverage digital footprint analysis as a pre-KYC and pre-CDD step to block bad actors from gaining access, thus reducing your CDD workload.

Using a single email address or phone number, SEON checks 50+ social media and digital platforms. You will get access to public information on user profiles, bios and avatars, and even a “last seen” date – hundreds of data points about a user.

This means that you can weed out many criminals before they even reach CDD. IDV providers charge per CDD or KYC check. With SEON, you end up conducting fewer checks, more of which will be approvals.

The data enrichment information can be aggregated via manual query, API call or even a Chrome browser extension. Working in the background, this wall of defense can streamline CDD while also keeping an organization safe from all manner of fraud.

By building a fuller user profile using SEON’s fresh alternative data, you’ll:

• know exactly who you’re dealing with
• spot hidden connections between customers
• remove the risk of onboarding money launderers
• spend less on KYC and AML
• Help automate your KYC
• Improve AML fraud detection.

All with zero extra user friction, and a choice of integration that works with your business. SEON also provides AML checks, ensuring your customer is not on any watchlists, sanctions lists, blacklists or PEP lists.

Frequently Asked Questions

Sources

• Thales Group: Annual Report Ebook
• Identity Force: What Are the Odds of Getting Your Identity Stolen?
• CNBC: 25% of households are either banked or unbanked