CDD/EDD for Smaller Institution with Higher Risk Business Customers
Part of the Early Career Professional Series
The purpose of the Early Career Professional Series of articles is to help professionals who are new to second line of defense topics such as AML/CFT, Sanctions, Fraud, consumer regulatory compliance, vendor management, and other risk management areas understand the foundational concepts that support risk management.
Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) are important topics at every institution, but even more so at an institution that banks higher risk business customers. Questions on this topic come up constantly during the Q&A segment of webinars and during other training sessions. Part of what leads to confusion about CDD and EDD is that collecting information about business customers (the ‘what’) must be risk-based – based upon the risk of a customer engaging in money laundering or terrorist financing. And even after an institution has figured out the ‘what’ of CDD and EDD, they must still figure out the ‘how’ and ‘in what manner.’
Too often, smaller institutions craft their CDD and EDD gathering procedures based on the size of their institution. They think: “The similarly sized institution down the street does it this way, so we should, too.” That might not be a good approach, because that similarly sized institution down the street might bank business customers that pose different risks. Each institution should craft its own CDD and EDD policies and procedures.
How should a smaller institution begin crafting their CDD and EDD policies and procedures?
First, it’s back to the basics. Remember that institutions collect CDD and EDD so that staff can risk rate the business customer properly. CDD represents the basic information needed to know business customers. EDD represents the additional information needed to get to know higher risk business customers, and it usually differs based on the higher risk customer type.
Institutions need to risk rate business customers so that they can craft the nature, scope, and frequency of monitoring to perform on them. Monitoring includes transaction monitoring and periodic high-risk reviews.
Second, check guidance. Guidance simply informs institutions that customers can’t all be at the same risk and that institutions need to monitor customers differently based upon risk. That is the extent of the guidance institutions receive. In May 2024, guidance was published for community banks interacting with third parties, such as Fintechs, to offer services to customers. However, this guidance did not cover Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) when the institution is actually banking the Fintech.
Third, determine which customer types are higher risk. Higher risk business customer types can include MSBs, MRBs, NBFIs, International NGOs, Crypto Companies, customers with privately owned ATMs onsite, customers that fill and service ATMs, and Fintechs. It can also include customers unique to an institution’s mission, such as government contractors and title companies. Every institution will take a different path for collecting CDD and EDD on business customers. And none of the above implies that every customer in a certain higher risk customer type group is at higher risk.
The path forward for small institutions:
Determine what to capture: Determine what information is important to gather in order to risk rate business customers. There’s information that’s nice to have, and then there’s information that’s considered a must have. Make a list of each and determine how each piece of CDD and EDD will be used in the risk-rating process. Below are some examples of CDD and EDD.
Typical Business CDD questions:
- Beneficial ownership information and business structure
- Locations of the business offices, stores, etc.
- Geographies of the business customer’s customers
Higher Risk screening questions:
(If any of these are a “yes,” additional EDD questions will cascade in.)
- Does the business engage in any money service business activities?
- Does the business have privately-owned ATMs onsite?
- Does the business directly deal with cryptocurrencies?
- Does the business process payments for others?
- Does the business process payments for an entity that processes payments for others?
- Does the business provide online gambling services?
- Does the business engage in any cannabis activities? If yes, indicate hemp-CBD, hemp-fiber, or marijuana.
Sample EDD questions for an MSB that will cascade in:
- Is this business registered with FinCEN? (Verify on the FinCEN MSB website.)
- Does the business have a state/local license? (Verify on the state licensing website.)
  - If yes, indicate the license number and expiration date.
  - If yes, indicate the state and country of registration.
- Does the business have a written BSA/AML program? (Request the program.)
- Enter the name and phone number of the BSA/AML contact.
- Is this business an agent of another MSB?
  - If yes, indicate the other MSB (e.g., Western Union, MoneyGram, etc.).
  - Obtain a copy of the agreement/contract and attach it to this form.
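The cascade described above, as an added example that is not part of the original article: a small Python model of the screening questions feeding the MSB EDD questions, with a completeness check that flags must-have EDD items still unanswered. The field names, the cascade mapping and the must-have labels are constructed for illustration, not any regulator's or vendor's schema.

```python
# Constructed illustration of the cascading CDD/EDD questionnaire.
# Screening keys correspond to the higher risk screening questions;
# only the MSB cascade is filled in, as in the article's sample.
CASCADE = {
    "msb": [
        ("fincen_registered", True),   # verify on FinCEN MSB site
        ("state_license", True),       # verify on state licensing site
        ("written_aml_program", True), # request the program
        ("aml_contact", True),         # name and phone number
        ("agent_of_other_msb", True),  # principal MSB, agreement on file
    ],
}

# Follow-up fields that are required only when the parent EDD answer is "yes".
FOLLOW_UPS = {
    "state_license": ["license_number", "license_expiration", "license_state"],
    "agent_of_other_msb": ["principal_msb_name", "agent_agreement_attached"],
}


def required_edd(screening_answers):
    """Return (field, must_have) pairs that cascade in from 'yes' screening answers."""
    fields = []
    for key, answer in screening_answers.items():
        if answer:
            fields.extend(CASCADE.get(key, []))
    return fields


def missing_edd(screening_answers, edd_answers):
    """List must-have EDD fields (and their follow-ups) still unanswered.

    An empty list means the file is complete for this customer's profile;
    anything else is what a reviewer would chase before risk rating."""
    missing = []
    for field, must_have in required_edd(screening_answers):
        answer = edd_answers.get(field)
        if must_have and answer is None:
            missing.append(field)
        elif answer:
            for sub in FOLLOW_UPS.get(field, []):
                if not edd_answers.get(sub):
                    missing.append(sub)
    return missing
```

A customer that answers "no" to the MSB screening question never sees the MSB fields, while a "yes" with a licensed, non-agent MSB is only complete once the license details are on file.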
Determine how to capture it: Most banking core software systems come with some type of CDD capture routine that will capture and store the basic CDD attributes (beyond KYC), but the CDD fields are likely hard-coded, and there is little opportunity to add additional fields for EDD. On the other hand, AML systems tend to have CDD capture routines that are more flexible, along with robust EDD capture routines, but the smaller institution may perceive this functionality to be too involved. Last, we can’t forget about institutions that don’t capture or store CDD and EDD information in the core system or in their AML system and instead use a questionnaire (custom routine or fillable PDF) that is custom-developed by the institution and filled in by the member service representative and member at the time of account opening. Sometimes this same questionnaire is also used to risk-rate the member.
Determine in what manner: Smaller institutions may collect CDD and EDD at account opening via interview; they may collect it online during online account opening; and they may collect it using a variety of third-party tools for KYC/CDD/EDD. Smaller institutions might also compare the new business customer’s name to lists that can be purchased to determine if the customer is really a marijuana-related business. They may use a tool such as Instant Street View to see the front of a convenience store to determine if they have an ATM sign. CDD and EDD information may be collected through one or more of the aforementioned methods. Smaller institutions may also enhance their diligence by subscribing to a negative news service, which allows the institution to upload member names and receive notifications when there are adverse reports associated with those members. With the right interface, this data can upload directly into the CDD system.
Because guidance doesn’t prescribe how an institution should capture CDD and EDD, all an institution must do is make their procedures reasonable, risk-based, and effective with two caveats described below:
- Regardless of what CDD and EDD an institution gathers, how it’s gathered, or in what manner, the institution will want to ensure that CDD and EDD information is available to AML staff as they carry out their day-to-day activities. Otherwise, the CDD and EDD information serves no purpose.
- Failure to capture CDD and EDD at all could be seen as a pillar violation, which could lead to enforcement activity – even at a smaller institution.
The overall goal is to demonstrate for an auditor or examiner that a CDD and EDD procedure is in place, that it’s used to “know the customer,” that it’s used to risk-rate the customer, and that the customer’s risk-rating is impacting the frequency and nature of monitoring. If a smaller institution can demonstrate this, it will likely be seen as being in compliance with the Bank Secrecy Act’s CDD and EDD requirements.