Customer due diligence is more than collecting identification documents. A risk-based approach, supported by good documentation and ongoing monitoring, is essential for effective AML compliance.
In her recent webinar, AML - Beneficial Ownership and Customer Due Diligence, Lungi Sepotokele explained that customer due diligence (CDD) sits at the heart of anti-money laundering (AML) compliance. While many firms have established onboarding procedures, questions often arise around how much evidence is enough, when enhanced checks are required, and how beneficial ownership fits into the wider process.
The Criminal Justice Act requires designated persons to understand who their customers are, assess the risks they present, and apply the appropriate level of due diligence before establishing a business relationship. Just as importantly, firms must be able to demonstrate how those decisions were reached.
Customer due diligence is a risk-based process
The starting point for every client relationship is understanding who you are dealing with and why they require your services.
Rather than relying on a standard checklist for every client, the legislation requires firms to apply a risk-based approach. This means assessing each customer individually before deciding whether simplified, standard or enhanced due diligence is appropriate.
When assessing risk, consider factors such as:
- The nature of the customer and their business
- The services you will provide
- Geographic risk
- Industry or sector risk
- How the client relationship is conducted
The objective is not simply to gather documents. It is to understand whether the relationship presents any money laundering or terrorist financing risk and to retain evidence supporting your conclusion.
Engagement letters are an important part of AML compliance
One area that is frequently overlooked is documenting the purpose of the business relationship.
An engagement letter does more than define the scope of work. It also demonstrates what services will be provided and supports your customer due diligence records.
Even where clients only engage your firm occasionally, there should still be documentation explaining the relationship and the services being delivered.
Without this, firms may struggle to demonstrate that they fully understood the nature of the engagement if their AML procedures are reviewed.
Simplified due diligence does not mean no due diligence
A common misconception is that low-risk clients require very little documentation.
That is no longer the case.
Where a client has been assessed as low risk, firms may apply simplified customer due diligence. However, they must still obtain and retain sufficient information to identify the customer and justify why the lower-risk approach was appropriate.
Examples of lower-risk indicators may include:
- Public companies listed on recognised exchanges
- Certain public sector organisations
- Customers based in lower-risk jurisdictions
- Products or services that present lower money laundering risk
The level of ongoing monitoring may be reduced, but firms are still expected to keep appropriate records and review relationships over time.
Standard customer due diligence remains the default
Unless a customer clearly qualifies for simplified or enhanced due diligence, standard customer due diligence should be applied.
This typically involves:
- Verifying the customer's identity
- Confirming address information
- Understanding the ownership and control structure
- Identifying any beneficial owners
- Assessing the source of funds where appropriate
- Completing and documenting a customer risk assessment
The key point is that documentation should support the firm's judgement rather than simply satisfy a checklist.
When enhanced due diligence is required
Some clients require additional scrutiny because they present a higher level of risk.
Enhanced customer due diligence may apply where customers include:
- Politically exposed persons (PEPs)
- Customers connected with high-risk third countries
- Certain correspondent banking relationships
- Business relationships identified as presenting a higher money laundering or terrorist financing risk
In these situations, firms should gather additional information, obtain evidence regarding source of funds or wealth where appropriate, increase monitoring, and ensure senior management approval is documented before proceeding.
Enhanced due diligence should also continue throughout the client relationship rather than ending once onboarding is complete.
Understanding beneficial ownership
Knowing who ultimately owns or controls an organisation is another essential part of customer due diligence.
A beneficial owner is generally the natural person who ultimately owns or controls more than 25% of an entity, whether directly or indirectly, or who exercises control through other means.
Identifying beneficial owners involves more than reviewing company documentation. Firms should understand the ownership structure, verify relevant information where appropriate, and ensure records remain up to date throughout the relationship.
Where beneficial ownership changes, organisations also have separate obligations to update the relevant registers within the required timeframes.
Good record keeping makes monitoring easier
Strong AML compliance is built on consistent documentation.
Records should demonstrate:
- How the customer risk assessment was completed
- Why a particular level of due diligence was selected
- The evidence used to verify identity
- Any ongoing monitoring performed
- Updates made during the relationship
Firms should also keep customer information current, including identification documents, address verification, company information and engagement terms.
Good documentation makes it significantly easier to demonstrate compliance during regulatory monitoring visits.
Practical takeaway
Customer due diligence should be viewed as an ongoing process rather than a one-off onboarding exercise.
Applying a documented risk-based approach, maintaining accurate records, understanding beneficial ownership and regularly reviewing client information all help strengthen your firm's AML procedures while supporting compliance with legislative requirements.
The contents of this article are meant as a guide only and are not a substitute for professional advice. The authors accept no responsibility for any action taken, or refrained from, as a result of the material contained in this document. Specific advice should be obtained before acting or refraining from acting, in connection with the matters dealt with in this article.