Customer Due Diligence Requirements

Updated: 7 days ago

The article provides a step-by-step explanation of customer due diligence requirements (CDD) that anti-money laundering (AML) and countering the financing of terrorism (CFT) obligated institutions should apply.

Customer due diligence requirements, as outlined in the 4th EU AML Directive: (EU) 2015/849, Chapter 2, Section 1, Article 13 and FATF Recommendation 10, form the core of an AML/CFT program that every obligated institution must implement. These requirements consist of a set of actions that must be performed for both new and existing customers to mitigate the risks of money laundering and terrorist financing.


1. Identification and verification of the customer's identity

Remember that identification and verification are not the same. Almost every company, regardless of the industry, collects customer data. However, there is a key difference between non-regulated entities and those subject to AML/CFT regulations. Obligated institutions are required to conduct both customer identification and, more importantly, mandatory verification of their customers' data - whether individual or institutional. Relevant national legislation, based on either EU AML/CFT directives or FATF recommendations, typically specifies which data (including, but not limited to, customer information) must be identified and verified.


The primary goal of customer identification is to prevent relationships with high-risk individuals or companies, such as those listed on sanctions lists. Another key objective is to ensure the organization is prepared to provide customer data to relevant state authorities during an investigation. Even if a customer does not appear suspicious within the organization, they may still be linked to illegal activities. If identification and verification are not conducted properly, inquiries from authorities, such as financial intelligence units (FIUs), may be ineffective.


AML/CFT legislation defines specific data requirements for individuals and businesses that must be identified (collected) and verified (confirmed). It is important to clarify from the outset that collecting data refers to storing it in the customer’s record. Every obligated institution must maintain such records, which include identification details for both individual and institutional clients.


Identifying customer data, whether for an individual or a business, is relatively straightforward. Typically, the customer fills out a designated form - a familiar process commonly used in various situations. Almost every time we create an account on a website or make an online purchase, we are required to provide certain personal details. However, in most cases, these entities are not obligated to verify the accuracy of the data provided.

This distinction highlights what sets obligated institutions apart from non-obligated ones: data verification. Verification is both costly and time-consuming, as it requires ensuring that the data provided by the customer matches official records, such as those found on an identity document or in a business registry.


2. Identification of the ultimate beneficial owner (UBO) and verification of their identity

Beneficial Owner

The Ultimate Beneficial Owner (UBO) is a natural person who directly benefits from a company's activities. Typically, a UBO is someone who significantly controls the company, such as by owning more than 25% of the shares.

It is important to note that this is not the only criterion. A company can be controlled in other ways, such as by holding an executive position on the board or performing similar decision-making duties. A UBO can also be someone who is not formally connected to the organization.


There are many cases where official roles, such as board members or shareholders, are filled by so-called "nominees," while the actual control of the company lies with someone else. Many of us have likely heard about companies controlled by oligarchs. The word "controlled" is key here because, in many cases, these companies are not officially owned by those individuals. Instead, board members or shareholders may be stand-ins acting on behalf of the true beneficial owner.


This is why, in my view, the key criterion for identifying the ultimate beneficial owner is not their official role but rather their actual control over the company. It is also important to remember that an ultimate beneficial owner can only be a natural person.


Why is Identifying the Ultimate Beneficial Owner (UBO) So Important?


Company-related information, such as its name, address, industry, or identification numbers, is only part of the puzzle. To fully understand the situation, we need to determine who truly benefits from the company's activities - especially financially.


When a company is used for money laundering (remember, crimes are committed by people, not companies), it is crucial to identify who gains the most from these activities. This is why we must uncover the identities of the individuals who control the company and profit from its operations. Simply put, a company cannot be arrested - justice can only be served against individuals.

Protip:

A customer’s declaration of the UBO is the least reliable source of information, especially when more authoritative sources, such as a corporate register or a UBO register, provide UBO details. Relying solely on a customer’s declaration may be difficult to justify during an audit or regulatory inspection.


3. Assessment and, if necessary, the obtaining of information on the purpose and intent of the business relationship


AML Risk Assessment

This point involves assessing whether the products or services a customer uses or intends to use raise any suspicions. In other words, it examines whether the products or services involved in the relationship make sense for the customer. In cases of money laundering or terrorist financing, criminals often disregard costs associated with a particular product, as their primary goal is to use it as a tool for laundering illicit funds. High fees or commissions are simply seen as a necessary expense for laundering money. In practice, criminals are sometimes willing to lose up to 50% of their funds in the process of laundering them.


In my experience, this CDD requirement is often surrounded by a certain level of ambiguity, making it unclear what it actually entails. This may be due to the fact that publicly available information on the topic tends to be quite generic. I hope the following example, which explains how to assess business relationships and what steps to take in case of doubts, will serve as a valuable addition to existing resources:


A customer of an obligated institution repeatedly takes out loans with high fees, only to repay them within a very short period (e.g., one month after disbursement). Interestingly, the customer never requests a proportional refund of the fees.


The rationale behind this behavior is questionable, as each repayment results in a financial loss of several or even tens of thousands of euros for the customer. Perhaps this is simply their way of managing finances, or perhaps it is the cost of money laundering.

Turning a blind eye (or, as I loosely translate wilful blindness, "un-seeing") to such activity is not an option.


Therefore, we assess the business relationship and, as appropriate, obtain relevant information:


  • What is the purpose of these loans, and why are they being repaid so quickly?

  • In justified circumstances, we investigate the source of funds (SOF), applying enhanced due diligence (EDD) as needed.

  • It's important to remember that verifying the source of funds goes beyond simply stating, "from my account at another bank" or checking a box in a declaration that says "savings." After all, if the funds come from savings, why take out a loan in the first place?


If doubts remain, the very least we should do is implement enhanced monitoring (again, applying EDD measures). The case may ultimately lead to a suspicious activity report (SAR) being submitted to the FIU.


Other examples may involve real estate, cars, or artwork. For instance, repeated transactions at significantly undervalued or overinflated prices, along with a general lack of interest in the asset being exchanged.


4. Ongoing monitoring of business relationships

Transaction Monitoring

I believe this CDD measure is the most costly component of an obligated institution’s AML/CFT program. It requires continuous monitoring of transactions and customer behavior to detect suspicious anomalies. At the same time, it is the core of an effective AML/CFT system.



Through monitoring, institutions can fulfill their legal obligations and report suspicious transactions to the Financial Intelligence Unit (FIU). In a way, filing a suspicious transaction/activity report (STR/SAR) is the final “product” of an institution’s AML/CFT program. Additionally, monitoring customer behavior serves as the basis for suspending transactions, freezing accounts, or even terminating a customer relationship.


Without a doubt, monitoring methods vary across different obligated institutions. It is easy to imagine that banks, payment institutions, and other large entities serving thousands or even millions of customers must rely on advanced analytical tools to effectively detect suspicious activities.


In other entities, these processes will look different, particularly because many obligated institutions do not maintain customer accounts. In some cases, there is no need for automated transaction monitoring tools.


For example, a notary office, in its efforts to comply with the AML/CFT requirements, is more likely to analyze individual notarial acts for suspicious activities rather than conduct continuous transaction monitoring through a database.


Monitoring the customer relationship also includes examining the source of their wealth/funds (SOW/SOF) in justified circumstances. This applies when a higher risk of money laundering or terrorist financing is identified, such as when dealing with a politically exposed person (PEP). To mitigate this risk, institutions should obtain relevant information about the origin of the customer's funds.

The final aspect of monitoring involves implementing processes to ensure up-to-date customer information. Simply collecting customer data once is not sufficient. It must be continuously updated. As a general rule, data for higher-risk customers should be reviewed and updated more frequently.


Conclusion


Customer due diligence measures are not just legal requirements outlined in the AML/CFT regulatory acts. They are, above all, practical solutions designed to mitigate the risks of money laundering and terrorist financing.


These methods are not simply legislative inventions. While they originate from EU regulations and global standards, their implementation is a requirement for many countries. A secure financial system that effectively combats money laundering and terrorist financing represents a major civilizational advancement. However, this can only be achieved when obligated institutions move beyond mere "paper compliance" with AML/CFT regulations. A genuine and diligent approach is what truly strengthens the integrity of the AML/CFT framework.


I sincerely hope, dear Reader, that this article has been thorough and has provided clear, concrete answers to your questions.

