In this article, we’ll explore the various elements involved in carrying out CDD and EDD, how they are different – and most importantly, when they need to be applied.
Let’s start with a hypothetical anecdote:
You’re looking to hire a new employee for your business. Your first interviewee arrives in your office, greets you and sits across your desk.
In front of you, you have a printed version of the resume they provided with key information regarding who they are: their name, their address, their qualifications and their work experience.
You start the conversation by asking them about how this background makes them qualified for the position they are applying for. Their answers will likely determine whether you:
- Have a positive or negative impression of them
- Believe their story
- Are convinced (or not) that they may be a good fit for the position
This interview was essentially an exercise in basic due diligence: using relatively simple tools (in this case, your own experience and acumen) to assess whether a person is who they say they are, and whether they will be valuable or risky to have in your organization.
Sometimes, this first step may be enough to hire someone, especially if it is an entry level position that does not demand extensive or specialized knowledge and experience.
However, if you are considering this person for a demanding position that will require extensive investment of resources from your side, you will want to know more about your applicant than what they simply say to you during an interview – after all, hiring them will carry more risk.
In such a scenario, you’ll probably want to test them with an assignment, possibly get in touch with their previous employers for a reference, and get notarized copies of their degrees or qualifications. This would in many ways be an exercise in EDD.
When it comes to offering financial or virtual asset services to individual or business customers, these two levels of a) understanding who someone is, and b) ensuring that the value they bring to you outweighs any potential risks – are in many ways what CDD and EDD are all about.
Of course, compliance with financial regulations as a regulated business is also quite different to making a new hire – so let’s take a look at what CDD and EDD involve for financial services and VASPs.
CDD: Understanding a Customer’s Risk Profile
On a basic level, CDD is a Know Your Customer (KYC) process that involves gathering and verifying information related to a customer, their identity and their regulatory status.
This includes processes that:
- Verify the identity of a customer, whether they are an individual or a business
- If the customer is a business, to evaluate who its Ultimate Beneficial Owners (UBOs) are
- Assess the location, transactions and corporate relationships of the customer in order to develop a risk profile
- Carry out continuous monitoring on an onboarded customer to keep track of any changes in that may affect their risk profile
The first step in any CDD process is gathering personal or unique identifier information on a customer, such as their name, date of birth (or incorporation for a company), their address, ID number(s), and other unique information.
Submitted ID documents can have their data analyzed through automated processes such as OCR extraction. This data can then be cross-checked against verified government registries and databases in order to confirm the data’s authenticity. This process is often referred to as ID Verification (IDV).
After establishing that a person or entity is who or what they claim to be, typical CDD processes involve running some other checks, which can be used to establish their risk profile.
These additional checks include:
- Adverse media screenings that check if a prospective customer has been the subject of adverse reporting or commentary in the public domain.
- Sanctions and watchlist screening, which searches lists that compile data from national and international law enforcement and sanctioning bodies.
- Politically Exposed Person (PEP) screening, which searches national and international lists of individuals who hold or have held government office or positions with state-owned/managed companies and organizations, as well as their immediate family and business associates. Holding political office or positions with state-controlled entities qualifies any potential customer as having a higher risk profile, due to their closer access to public funds.
Of course, the precise design and configuration of a CDD process will depend on a wide range of different factors and contexts.
For this reason, it’s of critical importance for any financial service company or VASP to have a flexible approach to compliance that is able to quickly adapt to the unique variables of each customer – as well as the constantly-evolving threats posed by financial criminals and fraudsters.
One of the most important functions of CDD is to determine a customer’s risk profile. The CDD process needs to be designed in a way that gives an onboarding business a reliable understanding of the level of risk a potential customer presents.
If a customer is deemed to be low risk, this can often allow a business to expedite the onboarding process – a low risk customer can just be onboarded using simplified due diligence that verifies their identity, place of residence/registration, and that they do not present a moderate or high risk of being involved or used as a conduit for financial crime.
For potential customers that are deemed to be higher risk, it is usually necessary to carry out additional checks. This process of expediting the onboarding of low-risk customers and applying additional checks on moderate or high risk customers is known as a risk-based approach (RBA). It’s also where EDD comes into play.
EDD: Investigating and Mitigating Risk
EDD protocols are a subset of AML, KYC and CDD. In the context of financial services and/or VASPs, they involve more stringent and detailed checks on a potential customer or service recipient, in order to gain a better understanding of their risk profile: if a potential customer is deemed to be higher risk, it is necessary to understand why that is the case, and whether onboarding them truly poses a threat to your business.
As mentioned above, factors that can lead to a potential customer having a higher risk profile include:
- Being a PEP
- Being referenced in adverse media
- Having a record of being involved in financial crimes in the past
- Having a high net worth or being a celebrity/public figure
- Being listed on a sanctions list or watchlist
- Being registered in a jurisdiction that is on a sanctions list or has a track record of harboring financial criminals and/or terrorists
Like KYC and CDD, EDD processes are most effective when they are carried out by treating each subject as unique, and taking into consideration their individual circumstances and the onboarding business’ own risk tolerance.
Once a potential customer has been deemed to be higher risk, an onboarding party can carry out EDD checks on them that include:
- Requesting additional documents to verify their identity
- Processing them with selfie / Passive Liveness verification
- Cross-checking their ID data with additional database verifications
- Requesting source of funds documentation
- Requesting official shareholder/UBO data for companies
- Carrying out social media screening
- Any combination of the above
If these EDD checks do not uncover any reasons to suspect that the potential customer might engage in financial crimes or bring a level of risk to your business that outweighs the benefits of having them as a customer, then an internal compliance team or professional can usually take the decision to onboard them.
However, higher risk customers should also be subjected to ongoing monitoring, in order to keep track of any changes in their risk profile. For instance, an individual customer may change location to a jurisdiction with a higher risk profile, assume political office, or become the subject of adverse media after they have been onboarded – in short, a wide range of factors can affect changes in a risk profile long after someone or an entity has been accepted as a customer.
Ongoing / continuous monitoring can be easily executed with automated KYC / CDD solutions such as KYC-Chain, which can be configured to carry out risk profile assessments of onboarded customers at predetermined intervals.
KYC, CDD & EDD: They are all connected
Implementing an effective AML program that ensures your business remains compliant with global regulations while protecting it against the risk of fraud and other financial crimes can be a highly complex undertaking.
Effectively meeting regulatory requirements and carrying out a full suite of KYC, CDD and EDD manually requires large and resource-intensive human compliance teams that are simply out of reach for many businesses.
The good news is, it’s no longer necessary to carry out the full suite of AML checks manually. By using automated compliance and onboarding solutions such as KYC-Chain, businesses can quickly and efficiently comply with global regulations, onboard customers safely and ensure their resources are focused on what matters most: the business itself.
In need of an end-to-end onboarding solution that can carry out all of your AML, KYC, CDD & EDD needs? Get in touch with us and we can tell you more about how KYC-Chain can make it happen.