The other week, we took a deep dive into technology capabilities for due diligence of your business partners. Today, let’s take a different pass at that same broad subject: how you should manage and perform customer due diligence.
Customer due diligence (CDD) is a specific branch of due diligence programs. It differs somewhat from the due diligence a company might perform on overseas agents or joint venture partners, both in the questions you might ask and how you’d gather the information. But it’s also still a crucial part of effective compliance programs and something that businesses need to get right.
So let’s take a look at what that entails.
What Is Customer Due Diligence?
Customer due diligence is due diligence that you perform on your customers. What distinguishes this type of due diligence from other due diligence you might conduct is why you’re checking up on your customers’ history and ethical standing.
Customers pose a different set of compliance risks than the distributors or resellers your business might use overseas. The compliance risks of distributors and resellers are that someone within your business might be using those third parties to violate anti-corruption laws. In contrast, your customers might be using your company for their own nefarious purposes.
Customer due diligence is most often driven by financial regulators looking to stamp out money laundering, terrorism funding, tax avoidance, or sanctions violations. So historically, the firms with the greatest need for customer due diligence programs have been banks, broker-dealers, and other financial firms engaging in transactions with customers around the world. (Although other businesses increasingly need to pay attention to this type of due diligence too, a point we’ll explore shortly.)
What Does Customer Due Diligence Entail?
The lead regulator in the United States for customer due diligence is the Financial Crimes Enforcement Network (FinCEN), which published its Customer Due Diligence Rule in 2016. This is the rule that spells out what your customer due diligence program should entail, and it outlines four basic points:
- Verify the identity of customers.
- Verify the identity of the beneficial owners of companies opening accounts with your firm.
- Understand the nature and purpose of customer relationships to develop customer risk profiles.
- Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintain and update customer information.
Right away we can see a few compliance challenges that emerge from those goals. For example, to verify the identity of customers, you’ll need to have sufficient customer onboarding procedures — such as requiring customers to provide a passport or other government-issued ID when opening an account, and having staff document that information properly. To identify the beneficial owners of companies opening accounts with your business, you’ll need effective due diligence screening tools to identify who’s truly behind that corporate shell company knocking on your door.
The third and fourth points above get even more tricky. To understand the purpose of a customer relationship, so you build the requisite customer risk profile, you’ll need questionnaires that ask the customer about his or her business, ties to any foreign governments, and so forth.
Alas, FinCEN offers no standard model or method for companies to perform these risk assessments. In guidance the agency issued in 2020, FinCEN specifically said companies can use whatever risk analysis models or techniques they believe work best for their own firms. On one hand, that gives you flexibility — but on the other, it gives you precious little assurance that you’re doing what the regulators want.
One final and important point is that however you design your program, you also need to assure that employees actually follow it. That’s the difference between a compliance program’s design (it looks good on paper) and the program’s implementation (it actually produces desired actions and results).
Plenty of companies have been brought before regulators for a compliance program that’s well-designed, but poorly implemented. So other program capabilities such as training, monitoring, audits of the compliance program, data analytics, and so forth are all still crucial to your program’s success.
What Are the Benefits of Customer Due Diligence?
The foremost benefit of customer due diligence is that you stay on the right side of FinCEN and other regulators. Poor customer due diligence can lead to problems with money laundering, where the potential penalties for a poor anti-money laundering compliance program are huge. It can also lead to problems with economic sanctions or anti-corruption laws, which can veer into criminal investigations from the Justice Department, or civil investigations from numerous regulators, or both; and global companies can also face enforcement from overseas regulators.
That’s also why even non-financial companies need to think about customer due diligence. Yes, their exposure to money laundering risks might be lower than that of a bank, and the specifics of FinCEN’s customer due diligence rule might not apply to those outside financial services — but strong customer due diligence capability is still important because customers can still cause you all manner of compliance headaches.
For example, manufacturers might end up shipping components to customers whose true owners reside in Iran or North Korea, subject to international sanctions. You might sell real estate to shell companies owned by high-net-worth individuals looking to avoid taxes or hide ill-gotten proceeds.
Your company doesn’t need to be sucked into another person’s misconduct. Especially in our modern world saturated with social media, the reputation risks of dealing with an unsavory customer are seldom worth the potential benefits.
How Can Technology Help the Process?
Technology is important for effective customer due diligence in several ways.
First, customer due diligence historically has been a very manual, paper-based process: a sales executive sitting in a branch office, meeting a client, and then pulling out forms for the client to fill out and making photocopies of identity documents.
Today those manual processes are no longer sufficient. The sheer number of customers is too large, and the types of information you need have grown more complex.
What you want is a technology that can formalize and automate a lot of that workflow; a process that can guide your employee through the appropriate due diligence questions to ask, and collect all the necessary documentation digitally. You also need technology that can pull other due diligence data — criminal background checks, for example — from external sources; and then combine all that data into a complete customer risk profile.
You also need technology for all the other components of a customer due diligence program: the data analytics for better reporting; training for your own employees; audits to assure that your program works. All of those things provide more insight into whether your policies and procedures work, and whether your program is keeping pace with the risks your business has.
Don’t Delay
Customers and clients are third parties to your business — so they pose third-party risk management challenges just like any other outside party. The wise course of action is to build a technology-driven customer due diligence capability, so you can keep those risks in check and keep clients happy with an onboarding process that’s as minimally invasive as possible.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.