KYC and Due Diligence

Know Your Customer Compliance Fundamentals

Know Your Customer (KYC) and Customer Due Diligence (CDD) are essential components of an obliged entity’s Anti-Money Laundering (AML) framework. Compliance with AML regulations requires institutions to perform both KYC and CDD procedures; failure to do so may result in significant regulatory sanctions. Although closely related, KYC and CDD serve distinct functions and objectives within the broader AML system.

For banks and other obliged entities, implementing effective KYC and CDD measures is vital. These procedures support adherence to AML obligations established by the Financial Action Task Force (FATF) and other competent authorities, enabling the detection and prevention of illicit financial activities.

What is the Customer Identification Process (CIP) or Know Your Customer (KYC)?

When a potential client seeks to open an account, the initial step for an obliged entity is to verify the customer’s identity. This verification process is fundamental in preventing financial crimes such as fraud, money laundering, and terrorist financing, while ensuring compliance with AML regulations and avoiding potential regulatory penalties.

In essence, KYC is the process of confirming that a customer is genuinely who they claim to be and assessing the potential risks associated with the relationship. It involves collecting and verifying comprehensive information about the individual’s identity, background, and financial profile.

What is Customer Due Diligence (CDD)?

Customer Due Diligence forms a core part of the KYC framework. It focuses on assessing the level of risk a customer may pose to the institution. This process begins with gathering identifying details—such as name, date of birth, and address—and extends to evaluating the customer’s source of funds, business activities, and the purpose of their relationship with the institution.

Through CDD, obliged entities gain an understanding of a customer’s typical financial behaviour and transaction patterns. This knowledge enables them to detect and report unusual or suspicious activities that might indicate potential money laundering or other illicit conduct.

Types of Due Diligence

Customer Due Diligence (CDD) is applied at varying levels depending on the assessed risk associated with each customer. Obliged entities adjust the depth and frequency of their checks according to how likely a customer is to be involved in suspicious or illicit activity.

  1. Simplified Due Diligence (SDD)
    Simplified Due Diligence is applied to customers considered to present a low or negligible level of risk. In such cases, the extent of verification and ongoing monitoring is limited, as the likelihood of money laundering or terrorist financing is minimal.
  2. Standard Due Diligence (SDD)
    This category applies to the majority of customers whose risk profile is moderate. For these clients, institutions perform standard verification procedures, collecting essential identification and background information. Their transactions and account activities are reviewed periodically to ensure they remain consistent with the customer’s known profile and expected behaviour.
  3. Enhanced Due Diligence (EDD)
    Enhanced Due Diligence is required when a customer presents a higher level of risk, such as an increased likelihood of involvement in money laundering, corruption, or other illicit activities. This category often includes politically exposed persons (PEPs), individuals with complex financial structures, or those operating in high-risk jurisdictions.

Under EDD, obliged entities must obtain additional documentation and information to verify the customer’s identity, understand the origin of their funds, and determine the purpose of their transactions. These customers are also subject to more rigorous and ongoing monitoring, including frequent reviews and continuous screening against international and domestic sanctions lists, watchlists, and adverse media sources.

KYC vs. CDD: Key Components and Processes

While Know Your Customer (KYC) and Customer Due Diligence (CDD) are closely related, they differ primarily in scope and depth. KYC focuses on verifying a customer's identity through basic information and documentation, whereas CDD goes further, examining the customer's general and financial background and potential risk exposure over the course of the business relationship.

1. KYC Process

Customer Identification:
Collect fundamental personal details such as the customer’s full name, date of birth, residential address, and official identification (e.g., passport, national ID card, or driver’s licence).

Verification:

  • Document-Based: Confirm the authenticity of provided information through reliable documents such as government-issued IDs, recent utility bills, or bank statements.
  • Biometric Verification: Use advanced tools like facial recognition or fingerprint verification to strengthen identity validation and reduce impersonation risk.

Record Keeping:
Maintain comprehensive, accurate, and up-to-date records of all identification data, verification steps, and communications. Ensure these records are securely stored, easily retrievable for inspections, and fully compliant with legal and regulatory standards.

2. CDD Process

Enhanced Identification and Verification:
For higher-risk customers, collect more extensive information—including the nature of their business, the origin of their funds, and the intended purpose of their accounts or transactions.

Ongoing Monitoring:
Continuously review customer transactions to identify anomalies or suspicious activities that deviate from established patterns. Update customer profiles periodically to reflect any changes in personal details, financial behaviour, or risk classification.

Risk Assessment and Mitigation:
Assess each customer’s risk level based on geographic exposure, business sector, transaction size and frequency, and other relevant factors. Implement proportionate controls—such as transaction monitoring, enhanced review frequency, or additional verification requirements—to manage and mitigate identified risks effectively.