Apr 25, 2024

CIP, CDD, & EDD: The Core Elements of KYC/KYB

Teddy Butz

In brief: 

  • A Customer Identification Program (CIP), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD) are components of the overarching anti-financial crime systems, Know Your Customer (KYC) and Know Your Business (KYB).
  • A CIP is concerned with identifying a business’s customers and ensuring those identities are unique and valid.
  • CDD and EDD, in contrast, are about investigating a customer’s identity and background to understand their behavioral patterns and assess the risks they represent.

Customer Identification Programs (CIPs) are mandatory screening processes for US financial institutions (FIs) and fintechs. They are meant to ensure FIs are able to determine that their customers are real entities with valid and unique corresponding identities. However, they aren’t the only regulatory requirements for FIs when it comes to preventing financial crime.

Customer due diligence (CDD) and enhanced due diligence (EDD) — along with periodic identity and ongoing monitoring — are also key parts of overarching anti-financial crime systems: Know Your Customer (KYC) and Know Your Business (KYB). This article explores the differences between CIP, CDD, and EDD through the lens of how they fit within KYB and KYC.

We begin by explaining how CIP and KYC are functionally different within a financial institution.



In principle, CIPs and KYC/KYB are sometimes thought to refer to similar processes. However, CIPs are more about a financial institution identifying a customer: collecting their identity credentials, determining whether these credentials are valid, and checking that the credentials actually belong to the entity submitting them.

KYC/KYB is more about a financial institution knowing a customer as a whole rather than simply identifying them. It gets into understanding things like what they’re trying to get out of being a customer, whether or not they’re getting their assets from legitimate sources, and what other potential risks they represent to an FI’s operations.

In short, having a CIP is just the first step in implementing the broader security and compliance frameworks that are KYC and KYB.


Understanding the elements of the KYC process: CIP, CDD, and EDD

The 3 main elements of the KYC or KYB process.


In the US, there are two other core components of the KYC/KYB process besides a CIP. These are customer due diligence (CDD) and enhanced due diligence (EDD). Though not always explicitly included in this list, ongoing monitoring plays an important role as well.

Here, we’ll briefly explain the differences between the main pillars of KYB and KYC: CIP, CDD, and EDD.

Customer Identification Program (CIP)

A customer identification program, or CIP, is a specific US legal requirement (though there are similar requirements elsewhere) for financial institutions to both identify their customers and verify these identities. When implementing a CIP, an FI must fulfill the following six conditions:

  1. Give customers notice that their ID information is needed
  2. Collect customer ID information
  3. Verify customer ID information
  4. Screen customer ID information against US sanctions lists
  5. Retain customer ID information until no longer needed for compliance
  6. Draft a written version of the CIP that details the above processes

For business customers, FIs must collect and verify identifying information for not only the business itself, but also all of its ultimate beneficial owners (UBOs) and other leaders.

Customer Due Diligence (CDD)

After a financial institution runs a customer through a CIP, it must next run that customer through the process of customer due diligence (CDD). In contrast to the identity verification objectives of a CIP, CDD requirements focus more on understanding a customer’s behavioral patterns and assessing how much risk they represent. Through checking various trusted information sources, an FI should attempt to answer questions such as:

  • How wealthy is the customer?
  • What does the customer claim is the purpose behind opening an account?
  • Is the customer from a country that’s at high risk for financial crime?
  • Is the customer in a politically exposed position, or closely tied to someone who is?
  • Is the customer sanctioned or under closer financial monitoring elsewhere in the world?
  • How has the customer interacted with other financial institutions?
  • Has the customer previously been involved in crime, especially of a financial nature?
  • Is the customer being covered by the news for alleged illegal or unethical activity?

Again, for business customers, FIs need to conduct CDD on not only the business itself, but also its UBOs and leadership group.

Enhanced Due Diligence (EDD)

Beyond a CIP and CDD, EDD (enhanced due diligence) is another process financial institutions need to have in place. If the first two KYC steps turn up too much inconsistent or high-risk information on a customer, an FI needs to conduct EDD: a more in-depth investigation into the customer’s background. This can include details about their relationships with PEPs, previous transactions, adverse media coverage, and the relationship between their property and income.

For business customers in particular, it involves taking a look at organizational structures to gain a thorough understanding of who owns, runs, and/or funds a business. That includes the relationships between the business and its parent company, subsidiaries, suppliers, and clients. It can even involve visiting the business in person to verify it exists and is operational, and perhaps also to request any missing information or supporting documents.

Ongoing Monitoring

Even if a customer passes all of the above checks, parts of their identity and risk profile can still be subject to change. So the identity verification and risk assessment procedures in CIP, CDD, and EDD need to be repeated on a routine basis.

On the identity side, the customer may change their name, move their residence, or change their contact methods. Business customers may move their headquarters, rebrand, go through a merger/acquisition, open/close branches in different jurisdictions, gain/lose industry-specific licensing, or need to update their tax information. An FI needs to be aware of these changes, verify that the changes are legitimate, and make any necessary updates.

The risk side of things can be even more volatile. News stories, court cases, civic elections/appointments, regulatory agency announcements, and other sources of information can all signal a customer — including someone associated with a business customer — presenting increased (or sometimes decreased) risk. Again, an FI must stay on top of these developments and decide whether they warrant reviewing a customer’s risk profile — or even the relationship itself.


CDD vs. CIP: What’s the difference?

In brief, the difference between CIP and CDD is one of identity verification vs. risk assessment.

A CIP involves a financial institution collecting inherent identity information from customers. The aim is for the FI to be able to reasonably tell that customers are actual people or businesses, and that they are not impersonating another entity. This includes outlining what ID information is necessary for verification (based on the FI’s risk profile and risk appetite), and how different pieces of ID information will be validated (e.g. checking against identity documents, institutional records, and/or biometric attributes).

In contrast to a CIP, CDD is about an FI looking at a customer’s assets, privileges, relationships, and behavior (financial and otherwise). The goal is to analyze who (or what) a customer is and what they do for signs they have been, are, or are likely to become involved in illegal or unethical activity that would create risks for the FI.

To put it another way, think of CIP and CDD as an FI asking two different sets of questions: 

CIP – “Who is this customer? How can I reasonably conclude they’re telling the truth about being who (or what) they say they are?”

CDD – “Will a customer’s status and activity – past or present – damage my reputation, disrupt my operations, or even get me in legal trouble? Do these attributes point to a greater chance the customer will present risks in the future?”


Get help covering your financial institution’s CIP, CDD, and EDD obligations with Middesk

KYC and KYB requirements consist of a blend of the identity verification of a CIP, the risk assessment of CDD/EDD, and the periodic reapplication of these processes. Middesk’s Business Verification and Business Underwriting solutions can help FIs streamline all three of these components: 

  • Verifying details about their business customers (and their associated people, including UBOs)
  • Checking for risk signals on businesses and related people in watchlists, adverse media, industry classifications, web footprints, and liens
  • Monitoring the status of customer identity and risk information, and alerting the FI to changes

Find out more about what Middesk can do to help your FI stay compliant by asking our sales team for a demo.
