Jul 20, 2023

KYC vs CDD: Differences & Requirements in Financial Compliance

Teddy Butz

In brief: 

  • Know Your Customer (KYC) and Know Your Business (KYB) are risk management processes in financial institutions. They involve verifying prospective or existing customers’ identities; assessing their situations and backgrounds for financial risk indicators; and developing ongoing monitoring plans for suspicious activity or changes in their risk profiles. 
  • Customer Due Diligence (CDD) in KYC or KYB evaluates a client’s financial risk, which can determine whether an FI wants to do (or continue doing) business with that customer. It can involve checking transaction histories, sanctions lists, criminal records, administrative elections/appointments, news outlets, and more for indicators of risk.
  • Various regulations make KYC and KYB, including CDD, mandatory processes in FIs. They also outline minimum standards for effective CDD, KYC, and KYB programs.

Know Your Customer (KYC), Know Your Business (KYB), and Customer Due Diligence (CDD) are common regulatory requirements that businesses – especially financial institutions – need to know about and comply with. However, there is sometimes confusion regarding how they are different, and what the relationship between them is. This article will explain the role CDD plays as part of KYC and KYB, and discuss some of the regulations mandating these processes.

Let’s first define what CDD and KYC are, how they differ, and what roles they play in financial regulatory compliance.

KYC vs. CDD: differences & how they work together

KYC is “Know Your Customer”, a financial institution process for validating and authenticating customers’ identities, as well as evaluating their financial risks. CDD is “Customer Due Diligence”, the process of FIs checking information sources for signs a customer might pose elevated financial risk.

The primary difference between CDD and KYC is that CDD is a specific part of KYC. It involves an FI analyzing a client’s identity and activities – especially compared against risk-related information such as sanctions lists, financial watchlists, criminal records, administrative appointments/elections, and negative press coverage – for indicators that they are risky to conduct business with. 

KYC includes CDD, but refers to a broader overall client risk management system. That includes identity verification and authentication, as well as monitoring of transactions and other activity. A client whose identity information is fake or inconsistent, or who makes suspicious transactions, can carry as much risk as (or more than) a client with a valid ID whose status alone raises concern, such as a sanctioned or politically exposed person.

What is CDD in the KYC process?

CDD can be thought of as the middle step of the three-step KYC process. The first step is identity verification and authentication. This is where a financial institution checks a customer’s identity credentials to ensure they correspond both to a real person (and a real company, in the case of KYB) and to the particular client (or company representative, in the case of a business client) presenting them.

If the client’s identity is found to be valid and authentic, the next step is CDD. This is where an FI examines a client’s profile and background – wealth, citizenship, civic history, previous financial activity, and so on – for signs that they present a higher risk of being (or becoming) involved in financial crime. 

As part of CDD, an FI will consult additional information sources for risk indicators. These sources include credit reports, sanctions lists, lists of politically exposed persons (PEPs), criminal records, other financial watchlists, and even credible news outlets for negative coverage.

If a client’s risk is within the FI’s risk appetite, the FI proceeds with onboarding (or retention); if the risk is elevated but still tolerable, the FI conducts enhanced due diligence (EDD) first. Once the client passes the onboarding (or retention) process – including EDD, if necessary – the FI must carry out the third step of KYC: developing (or modifying) an ongoing monitoring program to keep watch on the client’s transactions and other activities.

[Figure: The KYC process, including Customer Due Diligence (CDD).]

Is CDD part of KYB (Know Your Business) as well?

Yes. “Know Your Business” refers to an FI validating a business client’s operating credentials, as well as identifying the company’s beneficial owners and assessing their financial risk levels. So CDD for KYB requires researching and evaluating information on both a company AND each of its owners.

How to integrate CDD into your KYB/KYC process

For KYB and KYC, CDD and EDD are integral processes. Even if a client proves they are who they say they are, their past actions and present status provide more useful clues as to how likely they are to be (or become) involved in financial crime. And those clues can inform what an FI should watch for in the client’s future transactions and activities.

Here’s how CDD and EDD fit into KYC and KYB processes.

1. Verify and authenticate identities of clients and any related entities

Before assessing a client for financial risk, an FI has to first find out exactly who it’s dealing with. For an individual, that means checking that – at minimum – their full name, date of birth, residential address, and a government-issued identification document in their name are legitimate, consistent with each other, and actually belong to the person under scrutiny.

A business being inspected for KYB needs to have the following information validated: 

  • Formal name
  • Alternative trade names (including “doing business as” names)
  • Registration address
  • Jurisdiction-specific registration or creation documentation
  • Industry-specific licensing documentation (if applicable)
  • A unique government-issued identification number (such as a TIN) 

An FI also has to find out who the business’s beneficial owners are and verify each one’s full name, business-related title, date of birth, country of residence, home address, citizenship, and a government-issued identification document they own.

2. Conduct CDD for each relevant entity

For KYB analysis of a company, one thing to look at is where it’s located. Certain jurisdictions can be highly risky, or even illegal, to do business with. In addition, lack of an operating address at all may indicate a shell corporation: a company with no physical presence or active operations often used to illegally hide or move money, and so often presents elevated risk. 

Another high-risk factor is a company having a corporate structure with vague position titles that make it difficult to differentiate between owners and managers. A business may also be high-risk if it operates in an industry known to be risky, such as gambling or firearm manufacturing.

For KYC screening of an individual, including a beneficial owner of a company, an FI needs to look at various sources for potential risk indicators. Some questions to ask include: 

  • How much money do they have overall, or at least plan to put in a new account?
  • What do they claim is the purpose of opening or maintaining an account? 
  • Have any of their past transactions seemed suspicious, or formed suspicious patterns? 
  • Have they ever held a public administration position, or been close to someone who has?
  • Are they on a sanctions list or other financial watchlist, or from a country that’s on one?
  • Do they have a criminal history, especially one involving previous financial crimes?
  • Are they in the news because they’re suspected of unlawful or unethical activity?

These considerations help an FI build risk profiles for individual customers (in KYC), or client companies and their owners (in KYB). This, in turn, aids an FI in deciding how (or even whether) to continue business relationships with its clients.

3. Perform EDD if it’s deemed necessary

If a CDD process determines a client – or beneficial owner of a client business, in the case of KYB – is within an FI’s risk appetite, but is still concerningly high-risk, the FI must have a plan in place for conducting EDD. Sometimes, whether or not to conduct EDD is totally up to the FI’s discretion. Other times, regional regulations require FIs to conduct EDD when a client meets certain risk-related criteria (like being from a country on a financial watchlist).

Enhanced due diligence can involve steps such as: 

  • Collecting information on the client’s close associates (which can include a business’s customers and suppliers in KYB)
  • Tracing the client’s sources of income and comparing them against the value of the client’s real assets
  • Looking more closely at details of the client’s transactions: who the counterparty was, what the purpose was, how it was accomplished, how long it took, how much value each party got out of the transaction, etc.
  • Consulting credible news sources for historical, suspected, or confirmed involvement in illegal or immoral activity by the client
  • Visiting the client in person to confirm their address, and perhaps also request hard copies of identification documents
  • Creating an overall risk profile report on the client

4. Monitor customer transactions and activity to determine when further CDD is needed

CDD needs to be periodically repeated as a client’s circumstances change. One of the most obvious examples is if they begin exhibiting suspicious financial activity or patterns. That could include suddenly having a lot of money that they didn’t have before, or initiating transactions that seem to lack a practical purpose.

It can also include other changes that would affect the client’s risk profile. They may move to a riskier jurisdiction, attain a public administrative position (or someone close to them might), be charged with a crime, modify their identifying information (legally or otherwise), or receive some bad press. This may cause an FI to reconduct CDD on the client to determine how much their risk level has changed, and if this change justifies adjusting the business relationship or even terminating it altogether.
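To make the four steps above concrete, here is an added illustration (not code from the original article or from Middesk) of how an FI might wire them together: a party record carrying the step 1 outcome, normalised name screening against sanctions and PEP lists, a CDD risk score with an EDD threshold, KYB roll-up of beneficial owners, and a step 4 check that reports which risk-relevant attributes changed so CDD can be re-run. The watchlists, the country code "XX", the industries, the score weights and the EDD threshold are all constructed assumptions for the example, not real OFAC, PEP or regulatory data.

```python
"""Added illustration of the four-step KYC/KYB flow. All lists, weights and
thresholds below are constructed for the example (hypothetical data)."""
import unicodedata
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set

# Constructed watchlists: hypothetical names, not real list entries.
SANCTIONS_LIST: Set[str] = {"Ivan Petrov", "Garcia, Jose Luis"}
PEP_LIST: Set[str] = {"Maria Rossi"}
HIGH_RISK_COUNTRIES: Set[str] = {"XX"}          # hypothetical sanctioned jurisdiction
HIGH_RISK_INDUSTRIES: Set[str] = {"gambling", "firearms manufacturing"}
EDD_THRESHOLD = 3                                # assumed risk appetite


def normalize_name(name: str) -> str:
    """Canonicalise a name so list entries written as 'Last, First', with
    accents or odd casing, still match: NFKD-decompose and drop combining
    marks, casefold, strip commas, and sort tokens so word order is irrelevant."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = stripped.replace(",", " ").casefold().split()
    return " ".join(sorted(tokens))


def screen(name: str, watchlist: Set[str]) -> bool:
    """Exact match after normalisation. Production screening engines add
    fuzzy matching and aliases on top; that is out of scope here."""
    target = normalize_name(name)
    return any(normalize_name(entry) == target for entry in watchlist)


@dataclass
class Party:
    """An individual or business client. identity_verified is the step 1
    outcome, assumed to have been established upstream."""
    name: str
    country: str                       # ISO-style country code, e.g. "US"
    identity_verified: bool = True
    is_business: bool = False
    address: Optional[str] = None      # no operating address -> shell indicator
    industry: Optional[str] = None     # businesses only
    pep_exposure: bool = False         # holds, or is close to, public office
    criminal_history: bool = False
    adverse_media: bool = False
    suspicious_activity: bool = False
    beneficial_owners: List["Party"] = field(default_factory=list)


def assess(party: Party) -> Dict[str, object]:
    """Step 2 (CDD) and step 3 (EDD decision). Returns flags, a score and an
    outcome: 'decline', 'decline_or_escalate', 'edd' or 'onboard'."""
    if not party.identity_verified:
        return {"flags": ["identity_unverified"], "score": 0, "outcome": "decline"}
    flags: List[str] = []
    score = 0
    checks = [
        (screen(party.name, SANCTIONS_LIST), "sanctions_hit", 10),
        (party.country in HIGH_RISK_COUNTRIES, "high_risk_jurisdiction", 3),
        (screen(party.name, PEP_LIST) or party.pep_exposure, "pep_or_rca", 2),
        (party.criminal_history, "criminal_history", 2),
        (party.suspicious_activity, "suspicious_activity", 2),
        (party.adverse_media, "adverse_media", 1),
        (party.industry in HIGH_RISK_INDUSTRIES, "high_risk_industry", 2),
        (party.is_business and party.address is None, "possible_shell_company", 3),
    ]
    for hit, flag, weight in checks:
        if hit:
            flags.append(flag)
            score += weight
    # KYB: screen every beneficial owner; the company is at least as risky
    # as its riskiest owner, so take the max rather than diluting by summing.
    for owner in party.beneficial_owners:
        sub = assess(owner)
        flags.extend(f"owner:{owner.name}:{f}" for f in sub["flags"])
        score = max(score, int(sub["score"]))
    if any(f.endswith("sanctions_hit") for f in flags):
        outcome = "decline_or_escalate"      # sanctions hits bypass scoring
    elif score >= EDD_THRESHOLD:
        outcome = "edd"
    else:
        outcome = "onboard"
    return {"flags": flags, "score": score, "outcome": outcome}


RISK_FIELDS = ("name", "country", "address", "pep_exposure",
               "criminal_history", "adverse_media", "suspicious_activity")


def changed_risk_fields(old: Party, new: Party) -> List[str]:
    """Step 4 (ongoing monitoring): list the risk-relevant attributes that
    changed between two snapshots; a non-empty result means CDD is re-run."""
    return [f for f in RISK_FIELDS if getattr(old, f) != getattr(new, f)]


if __name__ == "__main__":
    owner = Party(name="José Luis García", country="ES")
    company = Party(name="Acme Trading Ltd", country="GB", is_business=True,
                    industry="gambling", address="1 Example St",
                    beneficial_owners=[owner])
    print(assess(company))                                   # owner hits sanctions list
    print(changed_risk_fields(owner, replace(owner, country="XX")))
```

The name normalisation is the part worth studying: the sanctions entry is stored as "Garcia, Jose Luis" while the owner presents as "José Luis García", and the match only succeeds because accents, casing, punctuation and token order are all canonicalised before comparison. The weights and threshold are placeholders for an FI's own risk appetite, and a real screening engine would also handle transliteration variants and fuzzy matches, which this example deliberately leaves out.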

Top 4 KYB, KYC, & CDD requirements for compliance

KYB, KYC, and CDD requirements can vary from place to place. However, some elements are common across the US and appear in similar form in other jurisdictions. Here are a few.

  1. Customer Identification Program (CIP) – Mandated by the USA PATRIOT Act of 2001, FIs have to develop written policies for how customers can open an account, what identifying information (at minimum) must be collected from them in the process, and how the FI will verify customer identities in light of its operational risks. 
  2. FinCEN CDD Final Rule – A 2016 rule issued by FinCEN under the Bank Secrecy Act that effectively created the requirement for KYB. FIs onboarding businesses as clients must verify and assess the risks of not only the company’s operating credentials, but also the identities of the company’s beneficial owners.
  3. PEP/RCA screening – Checking client identities against lists of people who hold public administrative influence, including their family members and close associates. These people tend to be high-risk because they have unique opportunities to commit financial crime, and are also more likely to be targeted by it. Definitions and regulations vary by jurisdiction, but most countries require this as part of CDD, AML, and KYC programs.
  4. OFAC and other sanctions/watchlist screening – Checking client identities to see if they are on, or based in a country that is on, a sanctions list or other financial regulatory watchlist. Dealing with these entities or within these countries is considered high-risk, or even illegal. So an FI needs to avoid doing so if possible (or required by law), or else at least exercise enhanced due diligence in the process. In the US, the primary sanctions management agency is the Office of Foreign Assets Control.

CDD is an essential part of both KYC and KYB, and FIs need each of these processes to comply with their regulatory obligations. But they are difficult – if not impossible – to perform efficiently at scale without the help of digital tools. That’s what Middesk’s Business Verification is for: pulling all the CDD-relevant information about a client – especially if the client is a business – into a unified dashboard, so you can accurately evaluate its level of risk and develop your business relationship accordingly. To learn more, talk to our sales team.
