CDD Checklist for KYC—4 Steps to Stay Compliant

Customer Due Diligence is a multi-step process that involves collecting and verifying information about a customer during onboarding. We’ve compiled a checklist to help companies streamline this process while ensuring full compliance with regulations. Read on to learn more. 

The CDD checklist

CDD helps companies minimize the number of illegal activities conducted through their platform, including identity fraud or money laundering. 

In case a company fails to implement efficient CDD procedures, criminals may abuse it for money laundering and other crimes. And if this occurs, the company may be held liable. 

To stay safe and compliant, companies need to ensure they perform essential CDD procedures, which are covered in the list below: 

#1. Collect necessary data

A company should decide whether a client suits an established risk profile before establishing any kind of relationship with them. Most jurisdictions require the following information to be collected during the onboarding process: 

• Full name;
• Date of birth;
• Residential address.

If identifying a business, regulators usually require companies following to collect:

• Full name;
• Registered office in the country of incorporation;
• Principal business address.

After collecting personal information, the company should verify it through comparison with government-issued documents. 

How: Companies can conduct verification manually or with an automated solution. Manual solutions can allow companies more control over the verification process, while automated solutions can process large amounts of data and onboard more customers. Sumsub’s experience shows that automated approaches can save up to 40% on verification.

Suggested read: Managing KYC Dilemmas: In-house vs. Outsourced Solutions.

#2. Employ third-party providers

Some data needed for CDD is only accessible through reliable third-party sources, such as banks, lawyers, or auditors. These can improve a company’s ability to verify customer information and determine their involvement in criminal activity.

How: It should be noted that companies need to ensure that their third-party providers are trustworthy and that the shared information is reliable. This is because companies can be held liable for mistakes made by third parties. Therefore, it’s essential to check the third-party data provider’s certification prior to hiring them.

#3. Determine the customer’s risk level and take additional measures

Based on the customer’s risk level, companies should choose between two types of due diligence: Simplified Due Diligence (SDD) for low-risk clients and Enhanced Due Diligence (EDD) for high-risk clients. 

How: When a company implements the EDD process, it should include the following steps:

• Employing a risk-based approach;
• Obtaining additional identifying information;
• Analyzing source of funds;
• Transaction monitoring;
• Adverse media and negative checking;
• On-site visit;
• Ongoing monitoring.

If using SDD, companies can loosen the checks by adjusting:

• The timing of CDD;
• The quantity of information obtained for identification, verification, or monitoring purposes;
• The quality or source of obtained information;
• The frequency of CDD updates and reviews of the business relationship;
• The frequency and intensity of transaction monitoring.

More information about detecting and dealing with low- and high-risk customers is available in our complete guide to the UK (which also applies elsewhere).

#4. Organize secure and compliant data storage

Not only does a company need to verify its customers, it also needs to store the collected information in case regulators request it. 

How: Each country sets a timeframe during which all information about customers and their transactions must be kept. The minimum period recommended by the FATF is five years. 

For example, in the US, India, and China, companies are obliged to retain information about clients for five years after the end of the customer relationship or five years after the completion of an occasional transaction. Other countries, such as Saudi Arabia and Qatar, have established a period of ten years. In El Salvador it’s even longer, at 15 years under the Bitcoin Law.

Frequently Asked Questions

• Risk assessment and the risk-based approach

  It’s a list of steps that a company needs to implement as part of its internal controls to simplify identification and verification processes and ensure compliance with regulations.

• What are some customer due diligence requirements?

  CDD requirements include:

  • Conducting customer identification and verification;
  • Defining the purpose of the business-customer relationship;
  • Identifying and verifying the beneficial owner;
  • Implementing ongoing monitoring for suspicious activities.

• What’s the difference between Customer Due Diligence (CDD) and Know Your Customer (KYC)?

  Customer Due Diligence (CDD) is a range of measures aimed at collecting and assessing information relevant to a customer.. KYC is one of the essential elements of CDD, specifically covering identification and verification of the customer. KYC is also frequently implemented by non-AML-regulated companies that may still need to know who their clients are.

• Why is CDD important?

  Customer Due Diligence (CDD) is an essential aspect of an Anti-Money Laundering (AML) compliance program. The CDD process is a critical part of a company’s Know Your Customer policies. Companies have to implement CDD procedures to effectively manage risks and protect them from potential involvement in criminal activities and stay compliant with the regulations.