Know Your Customer (KYC) vs. Customer Due Diligence (CDD): What's the difference?
For the ever-growing number of businesses interacting with customers solely in the digital world — from insurance agencies to cryptocurrency exchanges — ensuring reliable identity verification (IDV) processes is an absolute must.
Cautionary tales of failed identity verification are not hard to come by: in 2022, Credit Suisse was embroiled in a rolling wave of scandals for failing to verify the identities of criminals, corrupt politicians, and drug traffickers using its services.
The only way to avoid such failures is to understand two key customer identification processes: Know Your Customer (KYC) and Customer Due Diligence (CDD).
What are KYC and CDD?
Know Your Customer (KYC) is a process that involves verifying current or prospective customers’ identities. It’s sometimes referred to as “Know Your Client” or simply “identity verification.” KYC can be applied to both individual users and businesses (though business verification is called Know Your Business (KYB) or corporate KYC and has slightly different requirements).
Many countries legally require specific industries — such as cryptocurrency exchanges, banks, and gambling companies — to meet certain KYC compliance standards to aid in the detection, reporting, and ultimate reduction of fraud and financial crimes.
Customer due diligence (CDD) is a set of ongoing processes designed to assess customer risk, and is a key component of KYC. In the US, CDD is enforced by FinCEN, which requires financial institutions to meet four key requirements:
Identify and verify all customers or clients.
Identify and verify all beneficial owners of companies you want to do business with. (It is generally accepted practice to investigate any individual who controls and/or owns 20% or more of the company.)
Understand the nature and purpose of customer relationships to develop customer risk profiles.
Conduct continuous monitoring of customer activity and transactions to identify and report suspicious activity.
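As an added illustration of the second requirement (example code, not from the article or from FinCEN), the snippet below applies the 20% threshold to a constructed cap table and aggregates each person's direct and indirect holdings; attributing indirect holdings multiplicatively through an intermediary company is an assumption of the example, not something the article states.

```python
from collections import defaultdict

# Ownership threshold stated in the article: 20% or more of the company.
OWNERSHIP_THRESHOLD = 0.20

# Constructed sample cap tables (fictional companies): company -> {owner: fraction held}.
# Owners that have no cap table of their own are treated as natural persons.
CAP_TABLES = {
    "AcmeCorp": {"Alice": 0.15, "HoldCo": 0.50, "Bob": 0.25, "Carol": 0.10},
    "HoldCo":   {"Alice": 0.20, "Dave": 0.60, "Erin": 0.20},
}


def effective_ownership(cap_tables, company):
    """Return {person: fraction} of `company` held directly or indirectly.

    Assumption (not spelled out in the article): indirect holdings through an
    intermediary company are attributed multiplicatively, e.g. 20% of a holding
    company that owns 50% of the target counts as 10% of the target.
    """
    totals = defaultdict(float)

    def walk(entity, fraction, seen):
        if entity in seen:            # guard against circular cross-holdings
            return
        owners = cap_tables.get(entity)
        if not owners:                # leaf: a natural person
            totals[entity] += fraction
            return
        for owner, share in owners.items():
            walk(owner, fraction * share, seen | {entity})

    walk(company, 1.0, frozenset())
    return dict(totals)


def beneficial_owners(cap_tables, company, threshold=OWNERSHIP_THRESHOLD):
    """People whose aggregated ownership meets the threshold, sorted by name.

    Individuals who control the company without owning it (the other prong the
    article mentions) must be added from a separate control register.
    """
    holdings = effective_ownership(cap_tables, company)
    # Small tolerance so an exact 20% holding is not lost to float rounding.
    return sorted(p for p, f in holdings.items() if f + 1e-9 >= threshold)


if __name__ == "__main__":
    for person, share in sorted(effective_ownership(CAP_TABLES, "AcmeCorp").items()):
        print(f"{person}: {share:.0%}")
    print("Beneficial owners to verify:", beneficial_owners(CAP_TABLES, "AcmeCorp"))
```

Erin holds 20% of HoldCo but only 10% of AcmeCorp once the chain is multiplied through, so she falls below the threshold while Alice, whose direct and indirect stakes add up to 25%, is in scope.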
Why are KYC and CDD important?
Some businesses are required to know who they are doing business with. This includes financial institutions — such as cryptocurrency exchanges, insurers, and fintech companies — which are subject to anti-money laundering (AML) rules under the Bank Secrecy Act and related laws. But it also includes businesses that operate in other regulated industries, such as online gambling, travel, and age-restricted commerce, amongst others.
Compliance failures can come at an exceedingly high cost. In 2017, Deutsche Bank AG was fined $425 million by the New York State Department of Financial Services for failing to maintain appropriate AML control policies.
Additionally, KYC protocols can deflect bad actors during the account creation process and help organizations gather information for use in subsequent monitoring — for example, where a user usually logs in and the types of transactions they typically make. Companies that ensure proper KYC and CDD processes safeguard their customers against fraud by continuously monitoring for suspicious activity. CDD can also assist law enforcement by gathering data to document crimes — such as money laundering, terrorist financing, and fraud.
What is the main difference between KYC and CDD?
The biggest difference between KYC and CDD processes is when they occur during the customer interaction.
KYC checks — such as verifying an ID card or a home address — are sometimes limited to the beginning of the customer transaction or account creation process, while CDD explicitly requires continuous monitoring of customers’ interactions with the service.
What are the main functions of KYC?
KYC processes include three main functions:
1. Customer identification program (CIP)
Financial services companies are required by the USA PATRIOT Act to “form a reasonable belief that it knows the true identity of each customer.” This means companies must collect four pieces of identifying information from potential clients: full name, date of birth, legal address, and a valid identification number (such as an SSN or TIN).
See also: What is a customer identification program (CIP)?
2. Customer due diligence (CDD)
CDD checks create a risk profile for each customer using identity verification, transaction records, and wealth sources. These checks are ongoing and may occur at any time during the transaction process.
3. Ongoing monitoring
Continuous monitoring includes, at a minimum, monitoring transactions to identify suspicious activity that might point to financial crimes. It can also include additional measures, such as regularly rescreening customers based on relevant risk profiles.
Understanding the different levels of CDD
Companies may enforce different levels of CDD for different types of customer interactions. For example, a customer withdrawing $50 from their banking app should experience only minimal friction, whereas an attempt to empty their entire account from a new location should be met with more scrutiny.
The three levels of CDD are as follows:
1. Simplified due diligence
Simplified due diligence is applied to low-risk transactions or customers with known and reliable fund sources. While identity verification is still required, simplified frameworks streamline the process by requiring fewer in-depth checks.
2. Standard due diligence
Standard due diligence is generally required by law for any transaction or customer that doesn’t qualify for simplified due diligence. These processes include the collection and verification of basic customer information, such as customers’ full names and addresses, to decrease risk.
3. Enhanced due diligence (EDD)
Enhanced due diligence is applied to high-risk transactions and individuals. This may include high-value transactions or transactions from higher-risk individuals such as politically exposed persons. Enhanced checks often ask for additional identity documentation or verify asset sources before transactions are approved.
Keep learning: CDD vs EDD: What’s the difference?
What are the biggest challenges for CDD in KYC?
Establishing a comprehensive customer due diligence program can be complicated, involving many different moving parts and competing objectives. This opens the door for a number of KYC challenges, which we explore in greater detail below.
Ensuring data is protected
In order to gauge customer risk, financial institutions must first collect data. At a minimum, this will include identity information like the customer’s name, date of birth, legal address, identification number, and government-issued ID. But it can also include a variety of other documents and risk signals, including passive, device, and behavioral signals.
Generally speaking, the more data you collect, the more robust your risk profile can be for each customer. But collecting huge swaths of customer data also opens you up to risks in the form of data breaches or mismanagement. Institutions that collect large amounts of customer data are routinely targeted by bad actors who would love nothing more than to steal and either use or sell that data.
With this in mind, financial institutions must have security measures in place to protect and minimize customer data where possible, or else risk potential legal and regulatory actions in addition to damaged customer trust.
Potential solution: Choose a KYC platform that is capable of handling data security and PII storage for you, so you can focus on running your business.
Minimizing onboarding friction
In order to perform KYC and customer due diligence, a financial institution must collect identity information and evidence from a user during the account creation and onboarding process. Without this information and evidence, it would be impossible to verify the person’s identity or create a representative risk profile for them.
Unfortunately, by its very nature, this introduces friction at the exact moment that most businesses would like to be limiting friction. Every question a user has to answer, every choice they have to make, every document they are asked to provide offers one more opportunity for them to change their mind and decide against opening an account — and that can have a real, negative effect on conversions if it is not controlled.
Potential solution: Collect passive signals like IP address, device fingerprint, geolocation data, and behavioral signals in the background to inform your risk analysis without requiring direct input from the user. Dynamically segment customers so that low-risk users experience less friction, while higher-risk users experience more friction.
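Added example (not Persona's code or code from the article) tying the three CDD levels above to the dynamic segmentation just described: a constructed rule set picks the tier for a transaction from its size, the share of the balance it withdraws, PEP status, and passive device/location signals, then lists the checks that tier requires. Every threshold value and check name is an assumption of the example.

```python
from dataclasses import dataclass

# Thresholds are assumptions for this example, not figures from the article.
LOW_VALUE_USD = 500.0      # routine amounts (the article's $50 withdrawal) stay low-friction
HIGH_VALUE_USD = 10_000.0  # cutoff for a "high-value transaction"
DRAIN_FRACTION = 0.90      # withdrawing this share of the balance counts as emptying it

BASE = ["identity verified (CIP data on file)"]  # every tier starts from verified identity
REQUIRED_CHECKS = {
    "simplified": BASE,
    "standard": BASE + ["re-confirm full name and address"],
    "enhanced": BASE + ["re-confirm full name and address",
                        "request additional identity document",
                        "verify source of funds", "hold for manual review"],
}

@dataclass
class CustomerContext:
    amount_usd: float
    account_balance_usd: float
    pep: bool = False                   # politically exposed person
    fund_source_verified: bool = False  # known and reliable source of funds
    new_device: bool = False            # passive signals gathered in the background
    new_geolocation: bool = False

def unfamiliar(ctx):
    return ctx.new_device or ctx.new_geolocation

def risk_reasons(ctx):
    """Signals that push this interaction into enhanced due diligence."""
    reasons = []
    if ctx.pep:
        reasons.append("politically exposed person")
    if ctx.amount_usd >= HIGH_VALUE_USD:
        reasons.append("high-value transaction")
    draining = (ctx.account_balance_usd > 0
                and ctx.amount_usd / ctx.account_balance_usd >= DRAIN_FRACTION)
    if draining and unfamiliar(ctx):
        reasons.append("near-full withdrawal from an unfamiliar device or location")
    return reasons

def cdd_level(ctx):
    """Return (tier, reasons); look the tier up in REQUIRED_CHECKS for the friction it adds."""
    reasons = risk_reasons(ctx)
    if reasons:
        return "enhanced", reasons
    if ctx.fund_source_verified and ctx.amount_usd < LOW_VALUE_USD and not unfamiliar(ctx):
        return "simplified", ["low-value transaction from a known customer and device"]
    return "standard", ["no simplified-tier criteria met"]
```

A $50 withdrawal from a known device lands in the simplified tier, the same $50 from a new location drops to standard, and a near-full withdrawal from a new location is escalated to enhanced with the reason recorded for the reviewer.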
Scaling to handle high volumes
In the past, CDD and KYC were largely manual processes. Human personnel handled tasks such as:
Reviewing IDs to authenticate them and identify forgeries
Cross-referencing data provided by users against data in authoritative or issuing databases
Auditing and monitoring customer transactions for suspicious activity
and more.
Today, most banks and financial institutions see such high volumes of transactions and account openings that it would be impossible to perform CDD in KYC at scale without at least some form of automation to help.
Potential solution: Use intelligent automation for the most tedious and time-consuming tasks so that your compliance and risk teams can focus on higher-value work and the edge cases where human review is required.
Operating in multiple jurisdictions
KYC and CDD requirements can vary significantly from one jurisdiction to the next, posing a particular challenge to financial institutions operating in multiple countries. These differences can include things like acceptable verification methods, database coverage, ID types, languages, and more.
Potential solution: Use a flexible KYC solution that empowers you to tailor and adjust your verification and due diligence flows for each jurisdiction that your business operates within.
Improve your KYC and CDD procedures with Persona
With Persona’s KYC solutions, identity verification decisions can take just seconds, so users can get verified quickly and be on their way. Thanks to Persona’s customizable platform, you can personalize every element — from theme to copy — along the customer’s journey to ensure it feels native to your brand.
Businesses using Persona can offer a custom eKYC experience for each use case and customer. For example, you might offer different verification options for customers without a Social Security number, or add additional steps for individuals whose passwords have been leaked in a data breach.
Persona’s KYC solutions are constantly being updated to help businesses meet shifting KYC/AML compliance standards and regulation changes worldwide, giving organizations confidence that they’re meeting the right compliance standards no matter where they do business.
Want to learn more about Persona’s KYC and CDD solutions? Read our case studies from Coursera and Square, or get in touch to speak with our experts about your business’s specific needs. We’d love to chat!
FAQs
Why do banks need KYC and CDD?
The Bank Secrecy Act, USA PATRIOT Act, and other AML laws require banks and other financial institutions to perform KYC and CDD as part of a broader anti-money laundering (AML) protocol. The goal is to make it more difficult for criminals to access and use the global financial system to launder and move money made from illegal activities. Likewise, KYC and CDD serve to combat the financing of terrorism, bribery, identity theft, and other financial crimes.
In addition to KYC and CDD, these same laws require banks to perform KYB when entering into a business relationship with another entity, or when providing business accounts to customers.
What are the KYC documents needed for CDD?
When performing due diligence on individuals, financial institutions will typically collect a variety of documents to establish and verify key details about their identity.
At a minimum, this will include some kind of government-issued ID like a driver’s license or passport. Depending on the situation, the institution may also need to establish proof of address, which may involve collecting a recent piece of mail, like a utility bill or bank statement. To establish proof of income, lenders often require one or two recent pay stubs and potentially a bank statement.
Due diligence for business entities will require these same documents for all of the entity’s UBOs, as well as a variety of different business documents for verification.
What does the KYC process look like?
In order to fulfill the regulatory requirements, a KYC program must consist of three primary components:
A customer identification program with processes in place to verify the identity of all new accountholders
A customer due diligence program with processes in place to establish a risk profile for each new customer
An ongoing monitoring program with processes in place to monitor customer activity and transactions for suspicious or unusual activity
In practice, when a customer wants to open an account, they will typically be asked to provide information — like their name, date of birth, legal address, and a taxpayer identification number like a Social Security number — as well as a government-issued ID.
The rest happens in the background, typically via a combination of AI-based detection, document analysis and verification, and database verification. In fact, most users are unlikely to even realize that they are being assessed for risk, as it happens in seconds or minutes during account onboarding.
What are the biggest technology advancements for CDD and KYC?
In recent years, CDD and KYC have benefited from a wide variety of technological advancements that make it easier to assess customer risk without introducing undue friction into the onboarding process. Some of the most impactful advancements include:
Electronic KYC (eKYC): Widespread adoption of smartphones with high-quality cameras has meant that many financial institutions can now perform CDD and KYC remotely, without their customers ever needing to step into a physical branch.
Automation: While once a heavily manual process, technology has made it possible for many KYC and CDD processes to be either fully or partially automated — decreasing the risk of human error, speeding up approval times, and reducing overall friction during sign up.
Optical Character Recognition (OCR): Optical character recognition is a technology that makes it possible to automatically extract text from an image, such as an ID. When leveraged effectively during the KYC process, it reduces friction by cutting down the amount of information a user has to type in manually. (This can also help minimize input errors.) For example, if a user is instructed to photograph their ID early in the KYC process, OCR technology can automatically extract information like their name, date of birth, address, ID number, and more.
Dynamic risk segmentation: No two customers pose exactly the same risk of fraud or money laundering as one another. Dynamic risk segmentation technology allows you to adjust the KYC and CDD flow that a customer experiences based on the amount of risk you gauge them to have in real time — again, heightening security without undue friction.
Liveness detection: Active and passive liveness detection — which helps you differentiate between a real person and a fake or pre-recorded image — is one of the most powerful weapons against the threat of AI-generated selfies and other assets like documents and IDs.