Customer Due Diligence (CDD) is a cornerstone of effective anti-money laundering (AML) and counter-terrorist financing (CTF) regimes, particularly crucial for payment institutions operating in the United Kingdom. Regulatory expectations are high, and the penalties for non-compliance can be severe, extending beyond financial costs to reputational damage and potential loss of licence. This article delves into the best practices payment institutions should adopt to ensure their CDD frameworks are robust, compliant, and genuinely effective in mitigating financial crime risks.
Why is Customer Due Diligence Crucial for Payment Institutions?
Customer Due Diligence (CDD) is crucial for payment institutions to combat financial crime, protect their reputation, and comply with UK regulatory obligations, primarily stemming from the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). Payment institutions, by their very nature, facilitate rapid movement of funds, which can make them attractive targets for money launderers and terrorist financiers. The regulatory landscape demands that these firms not only identify their customers but also understand the nature of their business, the source of funds, and the purpose of transactions. Failure to conduct adequate CDD can lead to significant fines, enforcement actions from the Financial Conduct Authority (FCA), and severe reputational damage. Consider the FCA’s fines against firms that have demonstrated systemic weaknesses in their AML controls; these serve as stark reminders of the consequences of neglecting CDD. Effective CDD helps payment institutions to proactively identify and manage risks, thereby safeguarding the integrity of the financial system and their own operations.
What Constitutes Effective Customer Due Diligence for a Payment Institution?
Effective Customer Due Diligence for a payment institution constitutes a comprehensive, risk-based approach that goes beyond mere identification to truly understand the customer and their financial activities. This is mandated by Regulation 28 of the MLR 2017, which specifies the requirement for firms to apply CDD measures when establishing a business relationship, carrying out an occasional transaction, suspecting money laundering or terrorist financing, or doubting the veracity or adequacy of previously obtained identification data.
Here are the core components:
- Identifying the customer and verifying their identity: For individuals, this typically involves obtaining names, dates of birth, and addresses, and verifying these with independent, reliable sources such as passports, driving licences, or utility bills. For corporate entities, this means understanding the company structure, identifying its directors and ultimate beneficial owners (UBOs), and verifying their identities.
- Identifying the beneficial owner(s) and taking reasonable measures to verify their identity: This is a critical step, especially for complex corporate structures or trusts. Firms must look beyond the immediate customer to understand who ultimately controls or benefits from the funds. The MLR 2017 defines a beneficial owner for a corporate body as any individual holding more than 25% of the shares or voting rights, or otherwise exercising control.
- Assessing and obtaining information on the purpose and intended nature of the business relationship: This requires understanding *why* the customer wants to use your services and how they intend to do so. What types of transactions will they conduct? What are the expected volumes? This information is vital for ongoing monitoring.
- Conducting ongoing monitoring of the business relationship: CDD is not a one-off exercise. Firms must continuously scrutinise transactions throughout the course of the relationship to ensure they are consistent with the firm’s knowledge of the customer, their business, and risk profile. This involves reviewing transaction patterns, periodically updating customer information, and sanctions screening.
Crucially, the depth of CDD should be proportionate to the risk posed by the customer, as outlined in Regulation 28(12) of the MLR 2017, which states that firms “must determine the extent of the measures on a risk-sensitive basis”.
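The "more than 25%" test above is easy to apply to a single layer but must be carried through intermediate companies, which is where analysts most often miss a beneficial owner. The following Python is an added example, not code from the original article or any KYB product: the ownership register, company names and individuals are constructed, and only the shareholding limb of the definition is computed (the "otherwise exercising control" limb still needs an analyst's judgement).

```python
from collections import defaultdict

# Constructed ownership register (not real companies): entity -> [(holder, fraction of shares)].
# Holders that never appear as keys are natural persons, i.e. the end of a chain.
OWNERSHIP = {
    "Customer Ltd": [("HoldCo Ltd", 0.55), ("Alice", 0.20), ("Dave", 0.25)],
    "HoldCo Ltd":   [("Alice", 0.40), ("Bob", 0.60)],
}

UBO_THRESHOLD = 0.25  # "more than 25%" of shares or voting rights (MLR 2017)


def effective_ownership(entity, register, _path=()):
    """Map each natural person to their effective holding in `entity`.

    Indirect holdings are the product of the fractions along the chain, and a
    person's direct and indirect routes are summed. Circular holdings raise so
    the case is referred for manual review instead of recursing forever.
    """
    if entity in _path:
        raise ValueError(f"circular holding involving {entity}; refer for manual review")
    holdings = register.get(entity, [])
    if sum(f for _, f in holdings) > 1.0 + 1e-9:
        raise ValueError(f"holdings in {entity} exceed 100%; register is inconsistent")
    result = defaultdict(float)
    for holder, fraction in holdings:
        if holder in register:  # intermediate corporate layer: recurse and scale
            for person, sub in effective_ownership(holder, register, _path + (entity,)).items():
                result[person] += fraction * sub
        else:                   # natural person at the end of the chain
            result[holder] += fraction
    return dict(result)


def identify_ubos(entity, register, threshold=UBO_THRESHOLD):
    """Natural persons whose effective holding is strictly more than the threshold.

    Only the shareholding/voting-rights limb is tested here; a person who
    "otherwise exercises control" (e.g. via a shareholders' agreement) must
    still be assessed by the analyst.
    """
    return sorted(p for p, f in effective_ownership(entity, register).items() if f > threshold)


if __name__ == "__main__":
    for person, fraction in sorted(effective_ownership("Customer Ltd", OWNERSHIP).items()):
        print(f"{person}: {fraction:.0%}")
    print("UBOs:", identify_ubos("Customer Ltd", OWNERSHIP))
```

Note that Alice's direct 20% would not qualify on its own; aggregating her indirect 22% through HoldCo Ltd makes her a UBO, while Dave at exactly 25% does not meet "more than 25%".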
How Should Payment Institutions Implement a Risk-Based Approach to CDD?
Payment institutions should implement a risk-based approach to CDD by first conducting a robust firm-wide risk assessment and then tailoring their CDD measures accordingly, as elaborated in Regulation 18 of the MLR 2017. This means understanding the specific money laundering and terrorist financing risks inherent in their business model. The FCA’s guidance on financial crime, alongside the Joint Money Laundering Steering Group (JMLSG) guidance, provides further detail on how to conduct such an assessment.
Key elements of a risk-based approach include:
- Firm-wide Risk Assessment: This foundational step involves identifying and assessing risks across your customer base, geographical exposure, products/services offered, and delivery channels. For example, a payment institution offering international remittances to high-risk jurisdictions would inherently face greater geographical risk than one exclusively operating domestic payments for low-value transactions.
- Customer Risk Profiling: Each customer should be assigned a risk rating (e.g., low, medium, high) based on factors such as their geographic location, occupation, source of funds, purpose of transaction, and the products/services they use. A customer identified as a Politically Exposed Person (PEP), for instance, would automatically be considered high-risk, triggering Enhanced Due Diligence (EDD).
- Tiered CDD Measures: Apply Simplified Due Diligence (SDD) where the customer is assessed as low-risk, standard CDD for medium-risk customers, and Enhanced Due Diligence (EDD) for high-risk customers such as PEPs or those connected to high-risk third countries.
- Ongoing Monitoring: The risk assessment should inform the frequency and intensity of ongoing monitoring. High-risk customers will warrant more frequent and in-depth reviews of their activity and updated CDD information.
The effectiveness of this approach lies in its dynamic nature; firms must regularly review and update their risk assessments and customer profiles to reflect changes in risks, regulations, and their business operations.
What Technology Solutions Can Enhance CDD Processes?
Technology solutions can significantly enhance CDD processes for payment institutions, improving efficiency, accuracy, and the capability for ongoing monitoring. Modern RegTech tools offer sophisticated capabilities that automate many elements of the CDD lifecycle, thereby freeing up compliance officers to focus on complex, high-risk cases.
Key technological enhancements include:
- Digital Identity Verification (IDV) and Biometrics: Solutions that automate the verification of identity documents, checking against national databases and using biometric authentication (e.g., facial recognition via live video or photos) can expedite onboarding while increasing security. These tools can also detect document tampering and synthetic identities.
- Automated Sanctions, PEP, and Adverse Media Screening: Dedicated platforms can continuously screen customers and beneficial owners against global sanctions lists (e.g., HM Treasury’s consolidated list), PEP databases, and adverse media sources. This automates a traditionally manual and time-consuming process, providing real-time alerts to potential risks.
- Transaction Monitoring Systems: These systems use rules-based logic and increasingly artificial intelligence (AI) and machine learning (ML) to monitor customer transactions for unusual patterns, deviations from expected behaviour, or attempts to structure transactions to avoid reporting thresholds. They generate alerts that compliance teams can investigate.
- Know Your Business (KYB) and Ultimate Beneficial Ownership (UBO) Verification Tools: For corporate customers, specialised tools can link into company registries, public data sources, and proprietary databases to automatically map complex ownership structures and identify UBOs, reducing manual research.
- Case Management and Workflow Automation: Dedicated compliance platforms provide a centralised environment to manage CDD tasks, track case progress, store documentation securely, and ensure audit trails. Workflow automation can guide compliance officers through the correct steps for different risk profiles.
- Data Analytics and Reporting: Advanced analytics can reveal insights into customer behaviour, identify emerging risk trends, and generate comprehensive reports for management and regulators, demonstrating adherence to CDD requirements.
While technology offers substantial benefits, it is crucial that payment institutions still exercise human oversight and judgment. Technology should augment, not replace, the expertise of compliance professionals. Moreover, firms must ensure that any third-party solutions used are robust, secure, and compliant with relevant data protection regulations such as the UK General Data Protection Regulation (UK GDPR). For further reading on leveraging technology, see our insight on Automating Compliance for Fintechs.
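To show how the information gathered at onboarding (expected volumes, purpose of the relationship, risk tier) drives the ongoing and transaction monitoring described above, here is an added Python example that is not from the original article or any vendor's product: the customer profile, tolerances, reporting threshold and transaction history are all constructed, and the three rules are illustrative rather than a statutory or FCA-prescribed rule set.

```python
from datetime import date, timedelta

# Constructed CDD profile recorded at onboarding (purpose and intended nature of the relationship)
PROFILE = {
    "customer_id": "C-1001",                 # placeholder identifier
    "risk_tier": "high",                     # outcome of customer risk profiling
    "expected_monthly_volume_gbp": 20_000,   # volume the customer said to expect
    "expected_countries": {"GB", "FR"},      # where they said payments would go
}

# Monitoring intensity follows the risk tier: less headroom over declared volume for higher risk
VOLUME_TOLERANCE = {"low": 2.0, "medium": 1.5, "high": 1.2}
# Structuring rule parameters (constructed values, not a statutory threshold)
REPORTING_THRESHOLD_GBP = 10_000
NEAR_THRESHOLD_BAND = 0.90          # 90% to just under 100% of the threshold
STRUCTURING_WINDOW = timedelta(days=7)
STRUCTURING_MIN_COUNT = 3

# Constructed one-month transaction history: (date, amount in GBP, destination country)
TXNS = [
    (date(2024, 3, 1), 9_500, "GB"),
    (date(2024, 3, 2), 9_700, "GB"),
    (date(2024, 3, 4), 9_800, "FR"),
    (date(2024, 3, 20), 4_000, "AE"),
]


def monitor(profile, txns):
    """Return alert strings where one month of activity departs from the CDD profile."""
    alerts = []
    # 1. Volume against what the customer declared, scaled by risk tier
    total = sum(amount for _, amount, _ in txns)
    limit = profile["expected_monthly_volume_gbp"] * VOLUME_TOLERANCE[profile["risk_tier"]]
    if total > limit:
        alerts.append(f"volume {total} GBP exceeds {limit:.0f} GBP allowed for {profile['risk_tier']}-risk profile")
    # 2. Destinations outside the declared purpose of the relationship
    unexpected = sorted({country for _, _, country in txns} - profile["expected_countries"])
    if unexpected:
        alerts.append("payments to countries outside declared purpose: " + ", ".join(unexpected))
    # 3. Repeated payments just under the reporting threshold within a short window
    near = sorted(d for d, amount, _ in txns
                  if NEAR_THRESHOLD_BAND * REPORTING_THRESHOLD_GBP <= amount < REPORTING_THRESHOLD_GBP)
    for i, start in enumerate(near):
        in_window = [d for d in near[i:] if d - start < STRUCTURING_WINDOW]
        if len(in_window) >= STRUCTURING_MIN_COUNT:
            alerts.append(f"{len(in_window)} just-under-threshold payments within 7 days of {start}")
            break
    return alerts
```

Each alert is raised for a compliance officer to investigate; the same history run against a low-risk profile produces no volume alert because the tolerance is wider, which is the tier-dependent intensity the risk-based approach calls for.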
What are the Documentation and Record-Keeping Requirements for CDD?
The documentation and record-keeping requirements for CDD are stringent, serving as a critical aspect of demonstrating compliance to regulatory bodies like the FCA. Regulation 40 of the MLR 2017 mandates firms to keep records of the evidence obtained to verify customer identity for five years after the business relationship has ended. Furthermore, records of all transactions undertaken are to be kept for five years from the date of the transaction.
Comprehensive documentation should include:
- All information obtained during the identification and verification process: This includes copies of identity documents, verification references, and details of any checks performed (e.g., electoral roll searches, Companies House extracts).
- Risk assessments: Records should clearly show the customer’s initial risk rating, the rationale behind it, and any adjustments made during the relationship.
- Rationale for CDD decisions: If Simplified Due Diligence (SDD) was applied, the justification for deeming the customer low-risk must be recorded. Conversely, if Enhanced Due Diligence (EDD) was performed, all steps taken and the reasons for them must be documented.
- Ongoing Monitoring records: Details of regular reviews, transaction monitoring alerts, investigations, and any Suspicious Activity Reports (SARs) filed with the National Crime Agency (NCA) must be maintained.
- Internal policies and procedures: Firms must retain up-to-date versions of their AML policies, procedures, and controls, demonstrating how CDD is integrated into their overall compliance framework.
- Training records: Evidence that staff members have received appropriate and regular training on AML and CDD obligations.
Maintaining impeccable records is not merely a bureaucratic exercise; it is fundamental for audit trails during regulatory inspections, for enabling internal reviews, and for demonstrating to authorities that the firm has met its legal obligations. Poor record-keeping is a common failing identified by the FCA during supervisory visits and can lead to adverse findings and enforcement actions. Ensure records are readily accessible, securely stored, and protected against unauthorised access or loss.
How Can Payment Institutions Maintain a Strong CDD Compliance Culture?
Payment institutions can maintain a strong CDD compliance culture by embedding AML principles into the firm's ethos, from the board level down to every front-line employee, underpinned by robust governance, training, and communication. A strong culture ensures that CDD is seen not just as a regulatory burden but as an integral part of risk management and responsible business practice.
Key strategies for fostering such a culture include:
- Strong Tone from the Top: Leadership must consistently demonstrate a commitment to AML compliance. This means the board and senior management actively engaging with AML strategy, ensuring adequate resources are allocated, and taking accountability for compliance failures. The Senior Managers and Certification Regime (SMCR), while not directly applying to all payment institutions initially, sets a clear expectation of individual accountability for compliance.
- Clear Policies and Procedures: Develop unambiguous, practical, and regularly updated AML/CDD policies and procedures that are easily accessible and understood by all relevant staff. These should clearly outline responsibilities and escalation paths.
- Comprehensive and Ongoing Training: Implement mandatory initial and refresher training programmes for all staff, tailored to their roles. Training should cover the latest regulatory requirements, typologies of financial crime relevant to payment institutions, and practical application of CDD procedures. This is a perpetual obligation under Regulation 21(1)(a) of the MLR 2017.
- Empowered and Resourced Compliance Function: Ensure the compliance team, particularly the Money Laundering Reporting Officer (MLRO), has the necessary authority, independence, and resources (both human and technological) to effectively oversee and implement the CDD framework.
- Internal Communication and Awareness Campaigns: Regularly communicate regulatory updates, financial crime trends, and internal policy reminders to keep CDD top of mind for employees. Utilise internal newsletters, workshops, and team meetings.
- Performance Management and Accountability: Integrate CDD compliance into performance objectives for relevant staff. Implement a system where non-compliance or failure to follow procedures has clear consequences.
- Regular Reviews and Audits: Conduct independent internal audits and engage external experts to periodically assess the effectiveness of the CDD framework, identify weaknesses, and ensure continuous improvement. The findings of these audits should be acted upon promptly.
- Encouraging a ‘Speak Up’ Culture: Foster an environment where employees feel comfortable raising concerns or reporting suspicious activity without fear of reprisal. This is vital for early detection of potential financial crime.
By systematically implementing these measures, payment institutions can cultivate a culture where CDD is deeply embedded in daily operations, thereby enhancing their resilience against financial crime and ensuring sustained regulatory compliance. Ensuring your staff are well-versed in the practical application of CDD will be critical when facing situations such as described in our insight on Unfreezing Your Account with a PPI Complaint.
Frequently Asked Questions
Customer Due Diligence (CDD) for UK payment institutions involves identifying and verifying the identity of a customer, understanding their business relationship, and conducting ongoing monitoring of their financial activities. This is mandated by the Money Laundering Regulations 2017 (MLR 2017) to prevent money laundering and terrorist financing.
Enhanced Due Diligence (EDD) is required for payment institutions in higher-risk situations, such as when dealing with Politically Exposed Persons (PEPs), customers from high-risk third countries, complex or unusually large transactions, or whenever there is a suspicion of money laundering or terrorist financing, as per Regulation 33 of the MLR 2017.
Payment institutions must retain records of the evidence obtained to verify customer identity for five years after the business relationship has ended. Records of transactions must also be kept for five years from the date of the transaction, as stipulated by Regulation 40 of the MLR 2017.
Yes, payment institutions can and should leverage technology to enhance CDD processes. This includes digital identity verification, automated sanctions and PEP screening, transaction monitoring systems, and tools for Know Your Business (KYB) and Ultimate Beneficial Ownership (UBO) verification. Technology can significantly improve efficiency and accuracy.