Customer Due Diligence Requirement under IFSCA AML Guidelines

As an international financial hub, the International Financial Service Centre in India provides a platform for businesses operating within to increase their customer base and expand their reach on a global scale. With global exposure, the risk of such businesses being used as vehicles or channels for furthering the movement of illicit proceeds or carrying out illegal activities (such as money laundering (ML), financing of terrorism (FT) and proliferation financing (PF) of weapons of mass destruction) also increases. Thus, the performance of adequate Customer Due Diligence measures is an integral part of the IFSCA anti-money laundering (AML) framework.

The ML/FT and PF risks may arise from various factors such as customers, geographies to which customers belong, delivery channels, modes of transaction, etc. The IFSCA has issued IFSCA Anti-Money Laundering, Counter-Terrorist Financing and Know Your Customer Guidelines, 2022 (IFSCA AML Guidelines), which provide for entities operating in the IFSC to conduct Customer Due Diligence process to mitigate the ML/FT and PF risks posed by customers.

Customer Due Diligence (CDD) enables businesses to check the legitimacy of their prospective customers by identifying and verifying their identity details and ensuring that the customers are indeed the persons or entities they claim to be. This safeguards their businesses against potential financial crime threats.


What is Customer Due Diligence?

Customer Due Diligence is a process that includes identifying and verifying the customer and the beneficial owner (in the case of corporate customers) using reliable and independent sources. The CDD measures are focused on customer identification to check their authenticity and legitimacy. It includes a set of internal controls that help businesses establish a customer’s identity, determine the nature and purpose of transactions that the customer is likely to engage in and assess associated ML/FT, and PF risks the businesses may face when dealing with such customers.

Further, depending on the risk-based approach, the degree of strictness and scrutiny of the CDD measures shall vary according to the ML/FT and PF risks posed by various customers. 

Role of CDD in AML regulatory compliance

CDD is a crucial element of the IFSCA AML Guidelines as it helps verify the identity of customers, assess their risk profiles, and monitor their transactions to detect and prevent financial crimes. With the implementation of the CDD procedures, regulated entities can determine the varying levels of risk associated with different customers and establish the appropriate CDD measures for risk mitigation.

The CDD process provided under the IFSCA AML Guidelines maps out a comprehensive framework for addressing potential threats of ML/FT when engaging with both new and existing customers. Thus, it assists regulated entities in safeguarding themselves and maintaining compliance with regulatory requirements.


When is CDD required?

The CDD process is a must before establishing the business relationship to establish the identity of the prospective customer. Additionally, the regulated entity must undertake CDD measures on an existing customer if there are doubts regarding the authenticity and legitimacy of provided documents, data, or information. Further, CDD measures should be undertaken if the regulated entity comes across suspicions of ML/FT, a change in the customer’s risk rating, or any material change in the customer’s circumstances.

Thus, CDD is also crucial on an ongoing basis, in the course of the business relationships, to ensure that the customer’s identified profile holds good and that any changes in the identification details are immediately identified, which may pose an increased risk to the business.

Who all are subject to CDD by the IFSC regulated entities?

As per the IFSCA AML Guidelines, CDD measures must be adequately applied to all customers, whether individuals, legal persons, or legal arrangements, including the beneficial owners of such legal persons or arrangements.

Decoding the Customer Due Diligence Process

Customer Due Diligence is a necessary procedure that must be undertaken in a structured manner with utmost due care to better comply with the IFSCA AML Guidelines while achieving its objective of safeguarding the business against potential financial criminals. Here is a detailed note on the elements of the CDD process that you need to keep in mind:

Data Collection and Verification (Know Your Customer)

The first level of CDD involves identifying and verifying the customer’s identity and understanding the nature of the business. This process is generally known as “Know Your Customer” (KYC). The regulated entity must undertake the KYC process and seek information from its customers, whether natural persons or legal persons.

After collecting the data, CDD’s next step is to verify all such customer information. It is essential to verify the information provided to check its adequacy and establish the authenticity of the customer and proposed business relationship. A customer with ill intentions of routing illicit funds may furnish information that may not be legitimate. Therefore, verification becomes crucial so that the regulated entity can mitigate risk by knowing the true identity of a customer and understanding the purpose of the transaction.

The critical components of the KYC are as follows:

1. Customer Identification and Verification

A regulated entity must collect KYC information from the customers, whether a natural person or a legal structure.

a. Natural Person

This information typically includes a natural person’s full name, Unique Identification Number, date of birth, nationality, address, and contact details. To verify a natural person’s identity and residential address, a regulated entity must obtain an officially valid document (OVD) that contains a photograph of the customer, name, unique identification number, date of birth, and nationality.

Additionally, a regulated entity can verify residential addresses based on the OVD or on recent utility bills, bank statements, etc.

b. Legal Person

A legal person established in whatever form must provide KYC information containing the full name and trading name, Unique Identification Number, registered or business address, principal place of business, date and place of incorporation. Furthermore, in cases where the customer is a legal person or legal arrangement, a regulated entity shall also identify the legal form, constitution and powers that regulate and bind the legal person or legal arrangement.

The regulated entity shall verify the legal form, proof of existence, constitution, and document defining regulatory powers. For such purposes, a regulated entity must obtain a certificate of incorporation, partnership deed/agreement, trust deed, constitutional document, certificate of registration or any other document.

2. Identification and Verification of the Natural Person appointed to act on behalf of the Customer

A natural or legal person may appoint one or more natural persons to deal with the regulated entity on its behalf for business purposes. Therefore, a regulated entity needs to identify and verify such a person. All documents specified above should be obtained from appointed natural persons acting on behalf of the customer. Additionally, documents authorising the appointment of such a natural person should also be obtained, including a power of attorney, resolutions passed by the governing body, etc.

3. UBO Identification and Verification

CDD measures should also use relevant information to identify the beneficial owner of a customer that is a legal person or legal arrangement. This includes understanding the customer’s control or ownership structure.

For legal persons, the regulated entity should identify the natural persons exercising control over the entity through ownership. In case of uncertainty or no natural person owning the legal person, the regulated entity should identify the natural persons having effective control over it.

For legal arrangements like trusts, the information regarding beneficial owners includes the trust’s author, trustee, beneficiaries having a significant interest, and any other person exercising control over the trust.

The IFSCA AML Guidelines have prescribed certain percentage thresholds for varying legal structures to determine ownership or control rights. For example, a beneficial owner of a corporate entity is a person who holds more than 10% of the entity’s shares.

4. Information on the Purpose and Intended Nature of business relationship

When gathering customer information, a regulated entity must also obtain information regarding the purpose and intended nature of a customer’s business relationship. To collect such information, a regulated entity should employ methods that align with the risk level and complexity of the regulated entity’s business.

Name Screening

Sanction screening is a process to ensure that the regulated entity does not deal with the organisations and individuals sanctioned under the Ministry of Home Affairs, United Nations Security Council, and other relevant sanction lists, as per the firm’s risk-based approach.

Thus, name screening is performed primarily to check whether customers are designated under any local or international list of banned or sanctioned persons. For name screening, the regulated entity must scan the customer against the national list issued by the Ministry of Home Affairs, the UNSC sanctions list, or any other international sanction lists relevant to the particular business relationship.

Additionally, screening must be undertaken to identify if any customer is a Politically Exposed Person (PEP) or has connections with financial crime as captured in reliable adverse media sources.

The regulated entities must conduct the sanctions screening to reinforce the KYC process and identify any additional details that may impact the customer’s risk profile.

Customer Risk Profiling

The risk landscape related to customers is multifaceted and affected by various factors. Thus, customer risk profiling is essential as it establishes the customer’s risk profile and helps determine the level of due diligence required of every customer. The IFSCA AML Guidelines mandate that regulated entities assess the risk posed by each customer. In accordance with risk assessment, the regulated entity applies mitigation measures, adopting a risk-based approach.

Thus, the regulated entities must assess the level of ML/FT risk the customer poses to the business and determine its risk profile while establishing the business relationship or executing a transaction. Here is the list of parameters that must be considered to assess the customer risk systematically:

  • Timing and seasonality of transactions
  • Involvement of counterparties and intermediaries
  • Customer’s financial profile
  • Ownership and management structure
  • Nature and purpose of the business relationship
  • Location of customer
  • Nature of customer’s activities
  • Estimated size or value of the transaction

Based on these parameters, the regulated entities must determine the degree of customer involvement in a business relationship and classify the customers as high, medium, or low risk. With this risk allocation, the regulated entities can tailor the risk mitigation strategies for each customer to effectively mitigate the risk while staying compliant with the AML regulatory framework.

Here are the required or permitted modifications to the standard CDD measures as per IFSCA AML Guidelines, depending upon the degree and severity of the ML/FT risks:

Enhanced Customer Due Diligence (ECDD)

When a customer is identified as high-risk, there is increased ML/FT risk associated with them. Therefore, additional identity checks and verification measures are to be applied. These additional measures to be applied under ECDD include identifying and verifying the customer’s source of funds and wealth and seeking senior management approval before onboarding the customer or executing the transaction.

Simplified Customer Due Diligence (SCDD)

Simplified Due Diligence means applying relaxed identification checks and measures to manage risk when customers are designated low-risk. Therefore, SCDD measures allow regulated entities to adopt a process where lower ML/FT risk is adequately managed with optimal resource utilisation.

Ongoing Customer Due Diligence

The ongoing monitoring of the business relationship offers the regulated entity an opportunity to determine if the risks originating from the customer are still the same as identified at the time of customer onboarding. The ongoing CDD process allows regulated entities to monitor their customers’ profiles continuously and assists them in spotting any fluctuation or change in the risks in a timely manner, so that prompt mitigation actions can be taken.

Periodic Updating of CDD

As part of ongoing CDD, the regulated entities must periodically review and update the customer’s documents and CDD information to reflect any necessary updates, such as a change in address or renewal of an important document such as a passport. These periodic CDD update measures ensure that the customer information gathered remains current and relevant for determining the customer’s existing risk profile.

The regulated entities should adopt a risk-based approach to conducting periodic CDD updates. According to the IFSCA AML Guidelines, the frequency of periodic CDD updates varies based on customers’ risk levels.

Customer risk category and periodic update timeline:

  • High-risk customers: annually
  • Medium-risk customers: once every three (3) years
  • Low-risk customers: once every five (5) years

Record Keeping

This is the last step, which requires the regulated entities to maintain the CDD-related records adequately for six (6) years from the date the business relationship ends or the transaction is completed. Systematic record-keeping facilitates the regulated entities’ meeting of their reporting obligation and furnishing such details to the concerned authorities or any law enforcement agency immediately upon request.

What happens when CDD is not performed?

Onboarding customers without applying any CDD measures, or with inadequate measures, can expose a regulated entity to severe risks such as reputational loss, compliance risk, and financial loss. A regulated entity is mandated to establish a business relationship only after employing adequate CDD measures to identify the customer and the associated risk. When a regulated entity cannot perform or complete the CDD process for a customer, the IFSCA AML Guidelines impose certain restrictions on the regulated entity, such as:

  • It must not open an account for, or provide a service to, the customer.
  • It must not conduct a transaction with or for a customer whose CDD has not been conducted.
  • When CDD measures are not undertaken, a regulated entity must terminate or suspend any business relationship with the customer.
  • A regulated entity must return any funds or assets received from the customer.

Furthermore, in such cases, it is crucial to assess whether the lack of CDD requires the submission of a Suspicious Transaction Report (STR).

Imposing these restrictions on a regulated entity where the CDD process is not properly conducted is to protect the business from inadvertently facilitating any transactions leading to ML/FT crimes.

Best Practices for Implementing Effective CDD Program

For implementing CDD measures effectively, here are a few points that a regulated entity should consider:

Including CDD program into internal AML Policy and Procedures

The regulated entity should incorporate CDD procedures into its AML/CFT policies, procedures and controls to improve consistency in CDD measures implementation across the organization. The CDD program must detail the KYC process, the details to be obtained, the documents and sources to be relied upon for verification of the customer identity, the frequency of ongoing CDD and periodic review, etc.

The AML policy should also define staff roles and responsibilities in conducting CDD. This will promote clarity and compliance with regulatory requirements.

Appointing a competent person to conduct CDD

It is essential that the person overseeing compliance with regulatory requirements is skilled and has the expertise to conduct CDD procedures. 

Customer-facing CDD staff should know basic CDD procedures, associated red flags, and ML/FT and PF typologies. Employing such a skilled person for CDD measures enhances the productivity and accuracy of the CDD process and brings efficiency to the AML efforts to protect the business.

Implementing Software and tools for conducting CDD

A regulated entity must consider employing suitable tools to streamline and improve the CDD process. Such software covers various aspects of CDD, such as identity verification, collecting information from different sources, sanctions screening, systematic customer risk assessment, and ongoing transaction monitoring.

Employing Data Security Measures

CDD involves collecting customers’ personal data, which needs to be handled carefully. Thus, while conducting CDD procedures, a regulated entity should apply encryption, controlled access to the data, and regular audits to prevent data breaches. Data security measures help businesses gain the trust of their customers and protect their data from unauthorised access. By implementing a Data Protection and Privacy Policy and making its customers aware of it, the regulated entity ensures it uses and stores customer data solely for regulatory compliance, bringing transparency and accountability to its data handling practices.

Periodic CDD Reviews and Updates

As mentioned above, the IFSCA AML Guidelines provide for the periodic review of customers’ CDD files. A regulated entity must include a methodology and a system to conduct periodic reviews to keep up with changes related to customers’ business, wealth, and overall profile. Keeping up with new updates helps businesses be more vigilant towards suspicious activities and proactively identify and manage the risk.

CDD Training and Awareness Programs

As a regulatory requirement, the regulated entity must conduct regular training sessions and awareness programs to educate staff about processes, procedures, and the importance of CDD. This helps update employees with emerging AML trends and clarify their roles and responsibilities in ensuring compliance with regulations. Furthermore, training programs should be tailored to employees’ specific needs and roles, such as training programs for senior management, operational staff, and managers.

Conclusion

CDD is an essential factor for mitigating risks associated with ML/FT. An IFSCA-regulated entity that implements CDD practices can establish the identity of its customers, understand the nature of its business relationships, and assess the potential risks involved in the particular business relationship. Additionally, for better performance, best practices in CDD should be employed, such as incorporating a CDD program within the documented AML policy, employing adequate AML software to empower the CDD process, and conducting AML training for the staff.

Therefore, prioritising CDD not only helps organisations comply with regulatory requirements but also safeguards their financial integrity and reputation.

FAQs on Customer Due Diligence Requirement under IFSCA AML Guidelines

CDD means identifying customers, verifying their identities through information from reliable sources, assessing the risk the customer poses to the business and deploying the right risk mitigation measures.

CDD measures are undertaken on all customers. However, depending on the risk associated with each customer, different types of CDD are undertaken. Along with Standard CDD, the IFSCA AML Guidelines provide for three more types of CDD: Enhanced Customer Due Diligence, Simplified Customer Due Diligence, and Ongoing CDD.

A regulated entity must conduct CDD measures on its customers, whether they are natural persons, legal persons, or legal arrangements. CDD is also undertaken for both new and existing customers.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti is a Chartered Accountant and Certified Anti-Money Laundering Specialist (CAMS) with over 7 years of experience in regulatory compliance, policymaking, risk management, RegTech solution consultancy, and implementation. With an understanding of the different jurisdictional AML regulations, including PMLA, 2002 and IFSCA (AML, CFT, and KYC) Guidelines, she has been closely working with clients to implement Anti-Money Laundering measures, including conducting Enterprise-Wide Risk Assessments, imparting AML training, etc.