Due Diligence is a cornerstone of compliance, and understanding how stringent to be with a new or ongoing relationship is key. Here Coinfirm briefly delves into some of the nuances of the different forms of Due Diligence (DD) and their respective requirements.
The initial DD that is applied to all potential clients is regular DD (CDD), where certain information on the client is obtained, both from the client directly, such as ID, proof of address (POA) etc., and via other means, such as obtaining the IP address. After the information from both sources (the client and in-house methods) is collated, a risk rating is assigned, and based on its severity level a different level of DD is applied: SDD (Simplified Due Diligence), regular DD or EDD (Enhanced Due Diligence).
Regulations governing SDD, CDD and EDD such as the European Union’s 4th and 5th AMLD and guidelines set by the Financial Action Task Force (FATF), such as the global AML/CFT watchdog’s 12-Month Review Revised FATF Standards Virtual Assets VASPS Recommendations, and the Updated Guidance to a Risk-Based Approach to VAs and VASPs, detail the necessary steps to be taken by compliance officers.
Firstly, the VASP should collect the customer’s information. This includes the customer’s name, identification document, contact details, residential address, occupation, tax ID, average income and more.
The obliged entity should then assess the customer’s risk profile. Whether a customer is identified as high, medium or low risk depends upon their location, identity and the type of business they are in, among other factors. If they are identified as High Risk (HR), they are marked for EDD (should they become a client); if deemed to be Low Risk (LR), they may be marked for SDD on a case-by-case basis.
For legal persons and arrangements, obliged entities must identify the ownership and control structure of the business, ensuring they have a clear understanding of who the Ultimate Beneficial Owners (UBOs) are by identifying and verifying their identity. They must also establish which business sector the entity operates in, its source of funds and any other information that satisfies the obliged entity that it has a good understanding of who it is entering a business relationship with.
Ongoing monitoring is applied once the client is onboarded and carries on until the end of the business relationship. Through this process the obliged entity keeps client data up to date (such as identification documents), monitors clients’ activity and transactions, and, should there be a deviation from the customer profile, applies additional verification of that occurrence. Depending on the severity of the incident (for example, a client whose declared profession is teacher starting to transact amounts above their declared income), different DD measures may be applied.
Of all the DD processes within compliance, Enhanced Due Diligence is the most important for avoiding regulatory and law enforcement action. Failures to follow protocols in this discipline can cost a company in fines and reputation, and can even lead to prison sentences if the failings are egregious enough.
EDD requires VASPs to take a more cautious approach and is only applied when there is a high risk of money laundering and terrorist financing. For PEPs (Politically Exposed Persons), this entails collecting the title, details and level of influence of the position as well as the source of wealth. With regard to family members or close associates of PEPs, this means knowing the level of proximity to the public official.
Examples of circumstances in which a customer initially presents a heightened risk, and thus EDD must be utilised, are when a customer presents a risk of;
Through OM (ongoing monitoring) the level of DD can change based on deviations in behaviour patterns, transactions that are not in line with the client’s profile, or transaction patterns to/from entities or individuals that have been identified as carrying some indication of high risk, such as being licensed in or operating from a disreputable jurisdiction with AML/CFT deficiencies.
Some customers can move to a higher risk category if their behaviour changes and raises red flags or regulatory risk exposure. For instance, a customer who opened an account with an exchange whilst residing in a FATF member state and then relocates to a non-member state with a high level of corruption, or a customer who initially conducts transactions in small amounts and suddenly changes their behaviour to conduct large transactions.
Financial Intelligence Units (FIUs) are the authorities that typically dictate in which situations SDD may be applied, and this can and will differ from jurisdiction to jurisdiction and between business sectors. SDD represents a less rigorous verification of the client, carried out at longer time intervals. SDD does not imply that CDD/OM need not be applied: OM is applied at all times irrespective of the DD level. Through OM the obliged entity can tell if a client’s activity or behaviour changes and more rigorous verification needs to be applied.
SDD applies where the likelihood of ML/TF occurring is extremely low. Clients who fall under SDD may be those with low-value accounts making few transactions. This is distinct from low-value accounts making many transactions in or out with the values perpetually kept under a jurisdiction’s reporting threshold, which is a clear indication of ‘smurfing’.
Obliged entities must monitor and analyse client behaviour patterns on an ongoing basis. If their behaviour changes during OM, their risk profile could change.
Consider two cases: a client identified at onboarding as being from an HR jurisdiction, who is assigned an HR level and thus EDD on their future activity, and a client from a reputable jurisdiction who is assigned LR (based on other criteria considered as well, not just jurisdiction) and thereby qualifies for SDD.
However, during the OM process it may be revealed that the HR client is actually a desirable client, as their activity is in line with their profile (they may not even be very active), whereas the LR client has proved to conduct transactions in volumes that do not fit their profile. In such cases, the HR client will remain HR and EDD may be applied as a precaution due to the jurisdiction, but as time goes by CDD may be applied along with enhanced Ongoing Monitoring. The initially LR client will be moved to HR, and SDD is replaced with EDD.
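Added example, not part of Coinfirm’s text: a small Python model of the OM re-rating described above. The reporting threshold, the "transactions above declared income" and near-threshold (smurfing) checks, and the step-down rule for a clean HR-jurisdiction client are constructed assumptions; real thresholds are set per jurisdiction and by the obliged entity’s risk appetite.

```python
from dataclasses import dataclass, field

# Constructed sample parameters; real values come from the jurisdiction and the risk appetite.
REPORTING_THRESHOLD = 10_000          # the smurfing check looks for amounts kept just under this
CLEAN_REVIEWS_FOR_STEPDOWN = 3        # clean OM reviews before an HR client steps down to CDD
DD_FOR_RISK = {"LR": "SDD", "MR": "CDD", "HR": "EDD"}

@dataclass
class Client:
    name: str
    risk: str                  # "LR", "MR" or "HR" from the initial CRA
    declared_income: float     # part of the customer profile collected at onboarding
    hr_jurisdiction: bool
    transactions: list = field(default_factory=list)
    clean_reviews: int = 0

def monitor(client, structuring_ratio=0.9, min_structured=3):
    """One OM review: return the red flags found in the client's recent transactions."""
    flags = []
    over_income = [a for a in client.transactions if a > client.declared_income]
    if over_income:
        flags.append(f"{len(over_income)} transaction(s) above declared income {client.declared_income}")
    # Many transactions kept just below the reporting threshold: indication of smurfing.
    under = [a for a in client.transactions
             if structuring_ratio * REPORTING_THRESHOLD <= a < REPORTING_THRESHOLD]
    if len(under) >= min_structured:
        flags.append(f"{len(under)} transactions just under reporting threshold (possible smurfing)")
    return flags

def rerate(client):
    """Apply the OM outcome to the risk rating and return (risk, dd_level, flags)."""
    flags = monitor(client)
    if flags:
        client.risk = "HR"          # deviation from profile: escalate, SDD/CDD replaced by EDD
        client.clean_reviews = 0
        return client.risk, "EDD", flags
    client.clean_reviews += 1
    if client.risk == "HR" and client.hr_jurisdiction:
        # Jurisdiction keeps the rating HR; after repeated clean reviews EDD can relax to CDD
        # with enhanced ongoing monitoring (constructed step-down rule).
        if client.clean_reviews >= CLEAN_REVIEWS_FOR_STEPDOWN:
            return client.risk, "CDD + enhanced OM", flags
        return client.risk, "EDD", flags
    return client.risk, DD_FOR_RISK[client.risk], flags

if __name__ == "__main__":
    teacher = Client("teacher", "LR", 3_000, False, [200, 150, 12_000])
    print(teacher.name, rerate(teacher))   # escalated to HR / EDD
```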
EDD can be triggered from the beginning in high-risk situations such as PEPs, or when a potential client is from an HR jurisdiction but still falls within the obliged entity’s risk appetite. When onboarding a client, the flow is as follows: a CRA (Customer Risk Assessment) with basic CDD is applied prior to establishing a business relationship, in order to ensure the obliged entity does not accept a sanctioned individual or entity, an individual from a sanctioned country, or any other client who presents a risk indicator, or an accumulation thereof, that falls outside its risk appetite (e.g. a PEP). The FATF provides guidelines on CRA and CAP (Compliance Assurance Process), and jurisdictions introduce them into their own national legislation, which is then applied by market participants. The level at which they choose to accept and scrutinise their potential and active clients may depend on their risk appetite, on top of being in line with AML/CFT legislation.
Whilst in the past most crypto-asset exchanges’ clients were individuals, with the growing mass adoption of the asset class of crypto, more corporations are using VASPs as an entry point to crypto, such as Tesla’s purchase of 1.5 billion USD of BTC from Coinbase last year.
Thus, the EDD points applicable to business clients are becoming more pertinent to obliged entities than they had been in the past.