Concepts in Customer Due Diligence:
Meeting the Challenge of Regulatory Expectations

By: Debra Geister
LexisNexis® Risk & Information Analytics Group

Customer due diligence is one of the best defenses a financial institution can maintain to guard against the dangers of money laundering and other financial crimes. Sometimes referred to as “knowing your customer,” customer due diligence encompasses other aspects of an AML (Anti-Money Laundering) program, such as customer identification and enhanced due diligence (EDD). Moreover, customer due diligence is integral to suspicious activity reporting requirements, because the data collected during the CDD process is carried over into the report.

The primary best practices on customer due diligence can be found in several documents published by international organizations. One such document is the “40+9 Recommendations” of the Financial Action Task Force on Money Laundering (FATF), an inter-governmental body whose purpose is the development of international standards and the promotion of policies aimed at combating money laundering and terrorist financing.

Another main contributor to customer due diligence standards is the Basel Committee on Banking Supervision, a committee under the Bank for International Settlements. The committee published its guidance “Customer Due Diligence for Banks” in 2001.

Additionally, there are several sets of AML principles on topics such as correspondent and private banking and the risk-based approach, outlined by the Wolfsberg Group, an association of 12 global banks that publishes best practices for anti-money laundering.

Many jurisdictions’ laws and regulations are based on the practices outlined in these documents, as are the concepts detailed below.

Concept 1 – A Risk-Based Approach


It is important to keep in mind that CDD begins at account opening and that determining the level of AML risk that your new customer poses to your institution should be a fundamental part of this process.

The first step in efficient CDD is getting as much information as possible at the beginning of your institution’s relationship with the customer. Having a senior-management-approved customer identification program (CIP) that includes thorough information gathering and verification procedures is essential for assuring that you have enough data to assign an accurate level of risk to your new customer. Not having enough information, or having inaccuracies in the information that you do collect, is likely to create a “domino effect” that may lead to your institution being used to launder funds and to a subsequent regulatory or criminal penalty.

In addition to having a risk-based approach, regulators expect your institution’s written CIP to have processes for verifying customer data. This can be done through either documentary or non-documentary methods. The first method requires the collection of a driver’s license, passport, or other government-issued identification. Methods for the latter include speaking to the customer and consulting consumer credit-reporting agencies, the internet, other financial institutions, and publicly available databases. Documentary methods today are not enough to cover the entire spectrum of risk. You should also review non-documentary methods that are consistent with your institution’s policies. If the identity of your customer cannot be verified, your CIP should also include policies that detail when an account should not be opened, when it should be closed and when a suspicious activity report should be filed.

Government watch lists have become an integral part of the fight against terrorist financing and money laundering. In addition to U.S. Office of Foreign Assets Control (OFAC) lists, the United Nations, the European Union, the Bank of England, and other organizations issue separate lists. Periodic scrubs of your customer database against PEP (Politically Exposed Persons) lists should also be a vital part of your program.

Your CIP should document which lists your customers are compared against. This can be done either manually or through the use of software, depending on your institution’s needs. Some institutions do both, preferring to manually compare those customers that have a higher risk rating.

Finally, all of the information collected at account opening should be kept for five years after the account is closed. These records should include copies of IDs, an explanation of any non-documentary methods that were used, and the outcome of any verification discrepancies that may have occurred during the CIP process.

Case Study
A cease and desist order issued in 2006 to a Nevada bank by the U.S. Federal Deposit Insurance
Corporation (FDIC) clearly illustrates the link between good risk-based account opening procedures,
customer due diligence and suspicious activity monitoring. The bank was cited for having serious
deficiencies in its BSA (Bank Secrecy Act) compliance that were found in its affiliated trust company
during an examination. According to the enforcement action, the bank had to review its CDD
procedures to make sure that the information gathered when an account was opened was sufficient
to ensure proper monitoring for suspect behavior.
The FDIC also ordered the bank to include in its written CDD program procedures for assessing the risk of its customers and for ensuring that the transaction monitoring software it chose had the ability to perform according to that assessment. Additionally, the written program had to be approved by the board of directors of the bank.

Regulatory Expectations
A sound customer identification program should have procedures intended to give your institution as much information as necessary to make an accurate evaluation of who a customer is and what to expect from them. It should be risk-based and approved by management. All related records should be kept, organized and accessible; and, above all, the program should convey that your institution understands the connection between customer identification and the ability to efficiently monitor for suspicious activity.

If a regulator is examining your CIP program, it is likely that they will request the following records:
• A copy of the CIP that covers all products, services and regulatory requirements;
• A copy of board minutes approving the CIP (or BSA program that includes CIP);
• A copy of audit procedures for CIP and any audit reports;
• A copy of the CIP training program (or BSA training program that includes CIP);
• List of accounts opened with an application for a tax identification number (TIN);
• List of accounts opened where verification is incomplete or exceptions were made;
• List of accounts identified as high-risk by the institution;
• Names of any institutions relied on for CIP, whether they are required to maintain an AML program and are regulated by a U.S. agency; copies of contracts; the CIP procedures used and certifications made;
• Names of third party agents or service providers that perform CIP; copies of contracts, CIP procedures used by the third party, and policies/procedures for ensuring adequate third party performance.

Meeting the Challenge


Many institutions find it difficult to risk-rate a customer at account opening, and in some cases the risk that you associate with a new customer will change after transactions are made. However, it is necessary to have a clear picture of the type of activity to expect from the customer in order to properly monitor the account later. The largest challenge around this type of requirement is making sure that policy is clearly identified and turned into a process. Some of these processes, however, can be very manual and time consuming.

Transactional information that is important to know includes the source of funds, the frequency of anticipated transactions, the dollar volume, and whether foreign or domestic wire transfers are expected.

Some institutions have implemented an up-front questionnaire that they give to a potential customer in order to better meet their needs and to better advise them on products and services. This is a great way to make the customer feel more comfortable, conduct your customer identification, and at the same time gather some marketing and sales intelligence. On the other hand, it can also feel invasive to the customer and add manual steps and time to the process.

Once you obtain that information you can begin to quantify the risk associated with that customer. Characteristics such as where a customer resides or what type of business that customer is in are instrumental in gauging how much of a possible threat that person or company poses. For instance, Figure A, taken from the 2006 BSA/AML Examination Manual, shows how a nonresident customer or a small business is at a higher risk level than a resident consumer account. The graph also portrays how the risk rating affects the amount of due diligence that is necessary to perform on the account. The challenges of this type of risk ranking are also very obvious. In addition to the manual processes, many of the factors used to determine what constitutes risk are subjective. Without very clear and granular definitions and directions, staff will be left to make their own judgment calls.

Using a model like this, an institution can write policies that detail when escalation to enhanced due diligence is required. Again, clearly defining those escalation points and minimizing the amount of subjectivity is key to a successful process.

The chart is, however, perhaps oversimplified: it is difficult to keep track of all the information collected from new customers, especially in larger institutions or those with several different components such as the Nevada bank mentioned above. One way that this overwhelming amount of data can be better organized and managed is through an automated CDD solution.


Figure A: Courtesy of 2006 BSA/AML Examination Manual


Concept 2 – Enhanced Due Diligence
Enhanced due diligence (EDD) is a process that has come under greater scrutiny with the passing of the regulations set out by the USA Patriot Act Section 312 and the implementation of the Third EU Money Laundering Directive into Member States’ domestic legislation. Both mandate an increased level of monitoring for customers who are considered high-risk.

The EU Third Directive calls for EDD in the case of non-face-to-face customers, correspondent banking relationships, and politically exposed persons (PEPs), whereas Section 312 focuses on foreign correspondent bank accounts and foreign private bank accounts, particularly if they might be linked to a PEP.

A PEP is a person who is or has been in an influential political position, as well as the family members or close associates of that person. This definition blurs when institutions try to interpret how long after retiring from office a PEP is still a PEP, or whether domestic PEPs should also be considered PEPs. Typically institutions err on the side of caution; however, it is crucial that you clearly state your PEP policies in your written procedures and get them approved by upper management.

Regardless, regulators and examiners have come to expect EDD on all customers that are considered to pose a higher risk. For example, the 2006 Federal Financial Institutions Examination Council’s “BSA/AML Examination Manual,” published in the U.S., states that these customers and their transactions should be reviewed more closely at account opening and more frequently during their relationship with the institution. It also lists other examples of risky customers, including:
• Foreign financial institutions, including banks and money services businesses (MSBs);
• Non-bank financial institutions, such as casinos, MSBs, securities dealers, pawnbrokers, auto dealers, boat dealers, jewelers, and travel agencies;
• Nonresident alien accounts, particularly if they are from a high-risk jurisdiction;
• Foreign corporations, particularly offshore corporations;
• Businesses that are cash intensive, including bars and restaurants, privately owned ATMs, parking garages, laundromats and car washes;
• Foreign and domestic charities or non-governmental organizations;
• Professional service providers such as real estate agents, insurance agents, mortgage brokers, lawyers, and accountants.

Case Study
Another cease and desist order, issued by the FDIC in 2007, specifically instructed a South Florida bank to determine, through an assessment, the appropriate levels of enhanced due diligence for customers deemed to be of higher risk. According to the regulatory action, the bank had failed to hire appropriate staff and to implement effective systems to properly monitor high-risk accounts.
The regulator further details what enhanced due diligence procedures should entail, including
processes for confirming the identity and business activity of the customer; understanding the
expected transaction activity; and ensuring the identification of the customer for the purpose of
reporting suspicious activity.


Regulatory Expectations
When an examiner comes to your institution, they will require assurance that your EDD procedures include steps for obtaining the correct information on high-risk customers. Your written CDD program should also include specific details describing the decision-making process for deciding whether an account is subject to EDD.
If the customer warrants EDD, the purpose of the account, source of wealth, beneficial
ownership, bank references, and explanations for changes in account activity should all be
included in their profiles.
Customer types to which regulators pay special attention include foreign correspondent accounts,
PEPs, corporate vehicles, and non-bank financial institutions.

Meeting the Challenge


Each of the four customer types listed above requires specific EDD measures. For the first example, the foreign correspondent account, financial institutions should identify the owners of the foreign bank, conduct enhanced scrutiny of the account, and find out if the foreign correspondent bank provides correspondent accounts to other foreign banks. This is above and beyond the normal requirements for correspondent accounts, which include checking for certification.

PEPs should also be scrutinized. Particularly in the realm of private banking, the steps to conduct EDD on a potential PEP include seeking information from the account holder, identifying the country of residence, obtaining employment or source of funds information, checking references, collecting data on immediate family members and close associates, and determining the purpose of the account. Institutions should check the account holder’s name against public sources of information. Many institutions rely on vendor databases for this purpose, such as LexisNexis®.
Additional high-risk customers that have been in the spotlight lately are corporate vehicles or
business entities. These businesses include international business corporations and limited liability
companies. The articles of incorporation should be collected upon account opening, as well as
clear documentation of expected account activity that can later be used as a basis for transaction
monitoring. Efforts should be made to identify the beneficial owner of these companies. Your
institution’s CDD program should also contain guidance on what steps should be taken if beneficial
ownership information is not available or cannot be verified.
Lastly, EDD on non-bank financial institutions should include obtaining the information necessary to
ensure an accurate risk assessment of the business. Questions that should be asked include:
• What types of products and services does it offer?
• Where is the institution located and what markets does it serve?
• What type of activity is anticipated on the account?
• What is the purpose of the account?

Concept 3 – Using Technology


With all the requirements today for identifying customers, conducting due diligence and enhanced due diligence, and monitoring transactions, it would be nearly impossible to comply without the assistance of a high-tech system designed specifically for that purpose. Major financial institutions are extremely complex entities with vast branch networks in numerous cities and states. Under the law, in order to “know their customers,” banks and others must monitor countless transactions, often made with little or no face-to-face contact. To do so without an equally complex and yet flexible computer system would be impractical.

When choosing such a system, however, you must also perform due diligence, this time on your vendor.

Case Study
A bank in Missouri received a cease and desist order from the FDIC in 2006 that specifically addressed the need to have proper procedures in place to manage technological solutions. The action stated that the bank was in violation for operating with an inadequate BSA and OFAC program, as well as a faulty information technology program. The enforcement action ordered the institution to perform a technology risk assessment and to develop vendor management policies.

The FDIC also required the bank to create an IT committee that would meet monthly with the board of directors. Items that the committee was mandated to address include methods for the identification, development, acquisition and maintenance of IT solutions; the development of IT policies and procedures; the testing of solutions; and the rectifying of negative technology-related audit or examination results.

Regulatory Expectations
Guidance published by the FDIC in 2004, “Computer Software Due Diligence Guidance on
Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory
Compliance,” marked the first time a U.S. regulatory agency weighed in on the reliance by financial
institutions and businesses on software technology to guard against money laundering.
The guidance suggested that financial institutions include a “regulatory requirement clause” in their licensing agreements with software providers that would require vendors to maintain applications that comply with pertinent regulations.
The FDIC also recommended two steps that should be taken when evaluating software: buyers
should validate the process by which the product has been developed; and evaluate the quality and
functionality of the product.

Meeting the Challenge


If you do choose to use a vendor to aid your institution in performing its customer due diligence duties,
you must make sure that you are not wasting money. But even more so, you must be positive that the
CDD technology does not put your institution at regulatory risk.
One way of performing due diligence on your vendor is to ask around before you buy; people to ask
include colleagues at other institutions or even your regulator. Although a regulator cannot endorse a
specific product, they do possess industry knowledge of CDD technology and may be able to discuss
general options with you.


Items that should be collected from the vendor include:
• Proof of liability insurance
• At least three references
• Financial statement that ensures financial viability
• Proof of sufficient qualified staff to perform services

Additionally, in order to be effective, a customer due diligence solution must be easily customizable, have flexible risk-scoring capabilities, manage sanctions lists, provide a user-friendly workflow process, and offer integrated research tools. Though this step seems rudimentary, ensure that your institution’s definition of CDD is in sync and commensurate with that of the vendor or provider. If your vendor’s approach to due diligence does not reflect your written BSA program, you run the risk of negative regulatory scrutiny.

Return on Information = Return on Investment


An ever increasing percentage of an institution’s budget goes towards AML compliance and customer
due diligence. However, instead of being seen as a drain on your institution’s assets, a good due
diligence program with a technological component can actually increase your profits.
The information collected during the customer identification process and during customer and enhanced due diligence procedures can be used for targeted marketing and sales, to up-sell and cross-sell to existing clients. In this way, CDD products can turn your return on information into a return on investment.

In addition, making an initial investment in a reliable CDD product may save your institution from incurring much larger regulatory and reputational costs in the future. Besides the potential revenue drain caused by civil money penalties in the millions, such as those incurred by ABN Amro, Riggs, and AmSouth, an institution can also lose millions daily from damage done to its reputation. For instance, a publicly announced cease and desist order such as those detailed here can cause investors and customers to lose trust in an institution, leading to funding withdrawals and business loss.

Also, the cost of the corrective actions that are mandated in these enforcement actions can far outweigh the price of proactive compliance. A good example of this is the “lookback,” which has recently been a favored demand by regulators in cease and desist orders. These transactional reviews, done by independent consulting firms, can be a huge drain on a financial institution’s budget.

When all of these factors are analyzed for cost effectiveness, it is clear that an investment in thorough customer due diligence compliance is far less expensive than the alternative. The concepts laid out here will assist you and your institution in this venture, which will result in regulatory approval and even increased profits. Regulatory expectations can be challenging but are not impossible to meet. The implementation cost, both in time and money, of adequately assessing risk, properly conducting enhanced due diligence, and choosing the appropriate CDD solution is well worth it. In the end, these steps may ultimately save your institution’s reputation and millions of dollars in lost revenue.


Please contact Debra Geister at Debra.Geister@lexisnexis.com
for more information or visit www.risk.lexisnexis.com/diligence

Debra is the Director, Fraud Prevention & Compliance Solutions at LexisNexis® Risk & Information Analytics Group.

LexisNexis and the Knowledge Burst logo are trademarks of Reed Elsevier Properties Inc., used under license.
©2008 LexisNexis Risk & Information Analytics Group Inc. All rights reserved.


Actionable intelligence to help make critical decisions throughout your customer lifecycle.

Customer Development
• Acquire and retain profitable customers
• Manage customer relationships through their life stages
• Score and reduce credit/lending risk
• Assess risk and identify opportunities

Collections Management
• Skip and locate right party contacts and assets
• Score and segment portfolios
• Screen and monitor accounts
• Facilitate litigation

Authentication & Screening
• Mitigate liability of acquiring and retaining customers and associates
• Authenticate identity
• Help ensure regulatory compliance
• Screen applicants to manage hiring and retention

Fraud Prevention
• Prevent, detect and investigate fraud
• Assess and score fraud
• Manage claims
• Conduct due diligence and investigations

Contact a LexisNexis® Representative for more information:
1-888-332-8244 | www.risk.lexisnexis.com
