Know Your Customer (“KYC”) Due Diligence Best Practices
Financial institutions have a lengthy list of Anti-Money Laundering compliance requirements. They face a mountain of risk from a large volume of financial transactions, each of which can carry significant risk.
AML compliance programs are built on a systematic review of a large number of financial transactions. The focus of this review has to be on triggers that identify suspicious transactions or customers.
Know Your Customer procedures are a critical function to assess and monitor customer risk.
“KYC” refers to the steps taken by a financial institution (or business) to:
- Establish the identity of the customer
- Understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate)
- Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities
A best-practices KYC program will include the following elements:
- Customer Identification Program (CIP): collection, verification and record keeping of customer identification information and screening of customers against lists of known criminals.
A CIP is the starting point for any KYC process. In the financial institution context, a best practice is for the relationship manager to initiate the CIP process but coordinate and communicate with the due diligence manager.
- Basic Customer Due Diligence (“CDD”) is information obtained for all customers to verify the identity of a customer and assess the risks associated with that customer.
- Enhanced Due Diligence (“EDD”) is additional information collected for higher-risk customers to provide a deeper understanding of customer activity to mitigate associated risks. Customer risk assessments can be used to determine which level of due diligence to apply (CDD v. EDD).
In implementing this component, clear, defined processes are essential. A consistent method of onboarding third parties indicates that an organization takes KYC seriously. All processes should be thoroughly documented to create a strong audit trail of the decisions made. A company should keep an internal database of approved and disapproved third parties, vendors and suppliers to avoid duplication of effort.
At a minimum, due diligence should identify beneficial owners, screen beneficial owners and relevant entities against sanctions lists, check for politically exposed persons (“PEP”) involvement, and run other government database checks.
In determining what level of due diligence is appropriate (CDD v. EDD), a company should look for “red flags” relating to:
- Location of the business
- Occupation or nature of business
- Purpose of the business transactions
- Expected pattern of activity in terms of transaction types, dollar volume, and frequency
- Expected origination of payments and method of payment
- Articles of incorporation, partnership agreements and business certificates
- Understanding of the customer’s customers
- Identification of beneficial owners of an account or customer
- Details of other personal and business relationships the customer maintains
- Approximate salary or annual sales
- AML policies and procedures in place
- Third-party documentation
- Local market reputation through review of media sources
EDD steps may include senior management approval, additional due diligence investigations, on-site visits, contractual certifications, third-party audits, source of funds certifications,
Conducting EDD on all customers is burdensome and undermines the purpose of a risk-based AML Program. By nature, some customers will inevitably present lower risks than others.
- Ongoing Monitoring: The ongoing monitoring function includes oversight of financial transactions and accounts based on thresholds developed as part of a customer’s risk profile.
Best practices for financial institutions include transaction monitoring systems and refreshing due diligence information every six to twelve months.