The different levels of due diligence

In order to ensure that customers are being honest, companies will verify official documents such as driving licenses or passports. However, the approach taken should always be risk-based, and there’s no one-size-fits-all approach to due diligence.

October 12, 2022
Blog Post

The customer due diligence process involves identifying your customers and checking that they’re exactly who they’re claiming to be. This process usually involves collecting information from the customer and asking them for a copy of their official government-issued identity document, which can be used to verify their identity.  

There are three levels of due diligence. Although these are sometimes known as level 1, level 2 and level 3 due diligence, they’re more commonly referred to as simplified, standard, and enhanced due diligence. 

Here, we’ll take a look at what each of these levels of due diligence involves in greater detail. We’ll also examine which level of due diligence you need and how we can support your due diligence checks. But, before we dig into the details about the different levels of due diligence, let’s first look at when due diligence is required.

When is due diligence required?

Institutions should carry out customer due diligence measures under the following circumstances:

  • Establishing new business relationships: When a company starts a new relationship with a customer or another business, they must use due diligence to gather information and perform a risk assessment. They must also ensure that the customer is not using a fake or forged identity to access their services
  • Occasional transactions: Certain financial transactions also require accompanying due diligence checks to be carried out. This includes transactions that involve amounts of money that exceed regulatory thresholds, or transactions that involve entities in high-risk foreign countries
  • Money laundering suspicion: If one of your customers is suspected of being involved in money laundering or terrorist financing, you must implement additional customer due diligence checks
  • Unreliable documentation: If a customer provides you with unreliable or inadequate identification documents, then this is a potential red flag. Due to this, you should apply further customer due diligence measures so you can investigate and resolve any discrepancies you’ve identified
  • Ongoing monitoring: Customer due diligence is not a one-off obligation and businesses must perform customer due diligence periodically throughout their relationship with a customer. By doing this, your company can ensure that the customer’s actions are consistent with their risk profile and intended use

Due diligence obligations

When carrying out due diligence, companies must meet the following regulatory obligations:

  • Customer identification: As part of the due diligence process, a company must identify their customers. This is achieved by obtaining personal information from the customer, including their full name, address, and date of birth. This data is usually then checked against a government-issued ID, such as a passport or driving license
  • Beneficial ownership: When a company or third party is acting on behalf of someone else, you should seek to establish ultimate beneficial ownership (UBO). This refers to the individuals who benefit from the activities of a person or group of persons
  • Business relationship: On top of this, companies must also establish the nature and purpose of the business relationship into which they are entering with the customer

Once you’ve gathered the identification information outlined above, you can sort your customers by risk level (usually low, medium and high) to indicate how much money laundering risk they pose. This risk profile determines how much due diligence is required. High-risk customers need a more in-depth due diligence process than low-risk customers.

Level 1 - simplified due diligence

Simplified due diligence is the lowest level of due diligence. It can be applied when a risk assessment has determined that there is a particularly low or negligible risk of money laundering and terrorist financing. Simplified due diligence is usually used for well-known public enterprises, individuals who have a reliable source of funds, and customers who only make small transactions.

When carrying out simplified due diligence, you only need to identify the customer. There is no need to then verify their identity. That said, you must also provide proof that this customer was eligible for simplified due diligence, and you may decide that it’s still best to verify the identity of the individual anyway to ensure the customer is being honest. This can also protect your business and prevent fraudsters from accessing your services.

Once the simplified due diligence process has been completed, you must also continually monitor the business relationship for trigger events that may create a requirement for further due diligence to be carried out.

A number of different factors can help you determine whether the situation only requires simplified due diligence. These factors include the service or the product being offered and the type of customer you’re engaging with. 

For example, customers that are required to disclose information regarding their ownership structure and business activities, or companies that are subject to money laundering regulations, are seen to be less risky than those that do not have to disclose this information.

Level 2 - standard due diligence

Standard due diligence is the most common level of check. It involves not only identifying the customer, but also verifying their details. If your customer is acting on someone else’s behalf, then you must also verify this individual’s identity before doing any business with them.

To ensure that the customer is exactly who they’re claiming to be, you must collect their information, including at least their full name, their date of birth, and their address. Following this, you must also ask them for a copy of a government-issued identity document and a selfie. This way, you can verify their identity and check their identity against third-party databases, which will flag any potential issues. If the customer is another business, you must ask for additional identifying information about the customer’s business model, source of funds, and beneficial ownership.

On top of this, during standard due diligence, you must also establish the purpose and intended nature of the business relationship or transaction.

Once you’ve onboarded the customer, you must then monitor their transactions on an ongoing basis. In doing so, you must check that the customer’s activity is in line with their risk level and how you expected them to use your products and services.

Level 3 - enhanced due diligence

Enhanced due diligence is reserved for high-risk customers, such as politically exposed persons (PEPs) and people who are the target of economic sanctions. Enhanced due diligence is rigorous and intensive, with additional measures including:

  • Gathering additional identifying information from the customer
  • Obtaining additional information regarding the source of funds or source of wealth
  • Learning more about the intended nature of the business relationship
  • Discovering more about the purposes of the customer’s transactions
  • Subjecting the customer to additional ongoing monitoring procedures

On top of this, the enhanced due diligence process must take into consideration all relevant adverse information. Any information that pertains to money laundering or corruption must be considered.

Requirements for ongoing monitoring

Although most businesses are primarily concerned with the different levels of due diligence when onboarding customers, ongoing monitoring is required at all levels of due diligence.

When conducting ongoing monitoring, the business must check that the client’s activities and transactions are consistent with their risk profile. By continually checking this, the business can also uncover patterns of behavior that may reveal that the customer’s activities are suspicious or that their risk profile has changed and that further due diligence checks need to be carried out. Ongoing monitoring involves:

  • Monitoring a customer’s transactions and ensuring that their pre-established risk profile matches their behavior
  • Ensuring the company is responsive to any changes in the risk profile and any factors which may suddenly raise suspicion
  • Keeping relevant records, documents, data, and information that regulators may require

Although ongoing monitoring applies to all business relationships, the amount of ongoing monitoring required should be scaled to reflect that customer’s risk profile. For example, customers who are seen as a high risk should be monitored more closely and more regularly than those that are low risk.

What level of due diligence do you need?

Customer due diligence is a foundation of the Know Your Customer (KYC) process. This process requires companies to understand who their customers are, their financial behavior, and what kind of money laundering or terrorism financing risk they present. All Financial Action Task Force (FATF) member states must implement customer due diligence requirements as part of their domestic AML/CFT legislation.

Generally speaking, when onboarding most customers, firms will need to collect a customer’s name and address, information about the business in which they are involved, and how they will use their account. In order to ensure that customers are being honest, companies will then verify that information with reference to official documents such as driving licenses or passports. However, the approach taken should always be risk-based, and there’s no one-size-fits-all approach to due diligence.

The importance of a risk-based approach

According to guidance from the Financial Action Task Force (FATF), anti-money laundering measures must take a risk-based approach that reflects the specific AML/CFT risk posed by each customer.  

By taking a risk-based approach to due diligence, a company can balance its compliance obligations with its budget and its resource requirements. Plus, this risk-based approach can also preserve the customer experience, ensuring that the onboarding process isn’t too onerous for low-risk customers.

This is because, as part of a risk-based approach, a business can deploy faster and more efficient customer due diligence for low-risk customers, and slower, more intensive, enhanced due diligence for high-risk customers. If all customers were subjected to enhanced due diligence, the customer experience would be adversely affected and conversion rates would be lower.

As a result, you need to make sure that your customer due diligence processes are as streamlined as possible and that each customer is only subjected to necessary checks. To do this, ensure your customer due diligence process includes all of the following steps:

  1. Before the business relationship begins, you must establish the identity of the potential customer and their business activities. This should be done with the intention of identifying bad actors as early as possible
  2. When you’ve identified the customer to a sufficient degree of confidence, you should then categorize the level of risk that customer poses. This information should then be stored in a digitally secure location where it can be easily accessed for future regulatory checks
  3. When the level of risk the customer poses has been accurately identified and categorized, you must then determine whether more intensive enhanced due diligence measures are required, or whether the customer due diligence checks you’ve carried out so far are sufficient for onboarding
  4. Once the customer has been onboarded, you must then monitor their transactions and activities on an ongoing basis to ensure they’re in keeping with that customer’s risk profile. Remember that while occasional transactions may not present as suspicious, they may reveal a pattern of behavior over an extended period of time which necessitates a change to a customer’s risk profile.

Finally, you should also create risk assessments and process flows that demonstrate exactly how your business handles due diligence and why it takes the steps that it does. While national risk assessments highlight money laundering risks in general (such as whether one nation poses a particularly high level of money laundering risk), every financial organization must complete its own company-wide risk assessment as well as a risk assessment for each customer and area of the business.

A risk assessment must include:

  • Written money laundering policies and procedures that take the firm’s risk assessment into consideration
  • The names and the responsibilities of the internal audit teams, who can test the internal policies, controls and procedures
  • What training is in place for members of staff who conduct risk-based customer due diligence and ongoing monitoring
  • Documentation that shows risk assessments are conducted and kept up to date. These documents should take into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions, or delivery channels

How Veriff can support with due diligence checks

Here at Veriff, we’ve developed a range of products that can help support your due diligence efforts. With the help of our AML and KYC compliance solution, you can employ the checks you need to ensure regulatory compliance while also making the onboarding process as smooth and efficient as possible for your customers.

Our AML and KYC compliance solution starts with identity verification. Thanks to leading identity fraud prevention and automated and accurate decision making, you can ensure that your customers are who they say they are and fight identity fraud.

Following this, we can ensure that you’re complying with regulations and fighting financial crime by screening your customers against global sanctions and politically exposed persons lists. To ensure accuracy and confidence, our list coverage is updated in real-time.

But we also understand that predicate crimes can indicate increased risk. As a result, we screen for negative information and news to help you accurately assess the potential AML risk exposure of your customers.

Finally, to help with your ongoing monitoring efforts, we continually screen customer lists against PEP watchlists, global sanctions lists, and adverse media. You’re then notified with automated screening if something changes with your existing or previously onboarded customers.

Speak with the due diligence experts at Veriff

If you’re interested in learning more about the different levels of due diligence and how our solutions can help you scale your due diligence efforts, then contact our experts today.

Our dedicated and experienced due diligence experts would love to provide you with a personalized demonstration that shows you exactly how our solutions can help you perform due diligence and meet your regulatory requirements.