We've got "due diligence" all wrong: we must correct it.
Nigel Morris-Cotterill
Financial Crime Risk specialist. Author "SAFE WORD: NO" "How not to be a money launderer", "Understanding Suspicion in Financial Crime", "Cleaning up the 'Net", "Trade Based Financial Crime". Consult: Teach: Inform.
The history of "Know Your Customer" is often overlooked but it's important. The term originates in marketing – all good salespeople know that to interest a person and then to make a sale requires what was once described to, not by, me as "you-ability", that is to say to find out how to make the customer feel that the product or service is relevant to that customer.
In 1986, in the UK, the coming into force of The Financial Services Act changed the meaning: in the fields of banking, insurance and securities, companies were required to review the customer's financial and other needs and wants and to recommend the best product or service. It was about this time that, for brevity, financial companies began to refer to services as "products."
Almost a decade later, as countries implemented the EU's First Money Laundering Directive and the Financial Action Task Force's Forty Recommendations, the term changed again – now it formed the central plank of the suspicious activity regime: you can't form suspicion without information and, of course, often the absence of information is information in itself.
All this time, the term "Due Diligence" had a very specific meaning: it was the checking of information by, mainly, a purchaser in relation to a company or asset he was purchasing.
But as with so many things, wordflation took hold. Some people thought that KYC didn't sound powerful enough and said that "Due Diligence" should also be used instead of "Know your customer".
Then someone else decided that "Due Diligence" should be graduated with at least two stops with the addition of "Enhanced Due Diligence" for cases considered to be potentially higher risk.
This has had the effect of dramatically changing the focus of information gathering and analysis away from that envisaged by the first generation of counter-money laundering laws and regulation. It has also had a detrimental effect on risk assessment, which is ironic given the mantra by the FATF and Regulators that businesses must adopt a "Risk Based Approach."
The concept of a risk-based approach was introduced in my book "How Not To Be A Money Launderer" in 1996. In that book, I concentrated on the risks that businesses faced because criminals would seek to use them as conduits for laundering proceeds of criminal conduct. It is a theme I have returned to over and over again since then, including my books "Understanding Suspicion in Financial Crime" and "Trade-Based Financial Crime".
A risk-based approach depends on identifying the risk of money laundering before the money comes into the possession of the regulated business. Why? It's because by the time the money is in the hands of the regulated business it is already being laundered. So, for the same reasons that we should speak of "counter" money laundering instead of "anti" money laundering, we should be focussing, initially, on information relating to prospective customers, suppliers and relevant third parties.
That is why, again in the early forms of regulation etc., Know Your Customer was expressly applicable to "an applicant for business."
The step from KYC to ensure that the correct product or service was being sold to KYC for money laundering risk assessment purposes was a very small step.
The USA was always more concerned with money than with the customer. Indeed, for more than a decade it flew in the face of the FATF's recommendations with one senior prosecutor saying that the USA did not need suspicion-based reporting because cash transaction did the same job. In 1999, attempts to introduce KYC in the Gramm-Leach-Bliley Act saw an unholy alliance between the USA's Left (in the form of the American Civil Liberties Union) and multiple right wing groups including those who claimed to be "sovereign persons". They were successful in getting the KYC parts of the GLB Act removed – but didn't make a peep when almost identical provisions formed part of the USA PATRIOT Act.
The lack of appreciation of the need for effective risk management has persisted in the USA: despite inclusion in the USA PATRIOT Act, alternative investment advisers (and scheme operators), so-called "hedge-funds", were excused the requirements when FinCEN decided to cancel its draft final rule saying "we have eyes on the money through the banks." Moreover, the 2024 "Investment Advisers" Rule is trumpeted as applying to those businesses but it contains so many exclusions that many advisers will be able to tick the "not applicable" box and sign a blank form; at least that will be the effect. The failure to implement a national regime for the registration of lawyers, accountants and others is a further indication that insufficient attention is paid to the person and to preactive measures.
The concentration on account data and not the person is the essence of Due Diligence. It is not the same as Know Your Customer.
About 25 years ago, one of my companies developed the slogan "Know Your Customer, Not Just His Money."
One of the commercial drivers that have accelerated the move from KYC to Due Diligence is the increase in non-face-to-face business. Those who think that this came about with the advent of fintechs are wrong. The question of non-face-to-face business began shortly after e-mail became popular (but was still far from the primary means of written communication) and as the use of the World Wide Web started to be central to the way of life where a viable internet was present. In the UK, there were two types of business that made early use of it: insurance companies and conveyancing solicitors and similar.
The challenge of non-face-to-face business was long-established before anyone started talking about money laundering policies and procedures; we solicitors (as I was then) were under a professional obligation to make sure that the person giving instructions on behalf of a company or another person was authorised to do that. Obviously, those of us who took that obligation seriously checked two things: a) did the authority exist? and b) was the person giving the instruction actually the person who was authorised?
What needs to change?
The focus on money, on financial data, and on background gleaned from the media, including public social media, can be viewed as due diligence, but is it "Know Your Customer"?
No. Not without much, much more information: "source of funds" is no use unless it is "source of all funds." "Source of Wealth" is a pointless division of source of funds. But "extent of wealth" is valid – how many cars, properties, where, value and so on give a picture, as does "all sources of income" and "all reasons for expenditure." These are true Know Your Customer questions, as is watching what car he drives, his watch, even haircut, all of which provide indicators.
KYC tells us about the customer before we are in possession, custody or control of his assets: it's the first step in a risk assessment process.
And increasingly, we don't do it properly because business models for all manner of financial services businesses have changed to make it impossible to gather much of the information we need and, worse, even if we ask for it, we have almost no way of verifying most of it.
------------
Nigel Morris-Cotterill is author of "Understanding Suspicion in Financial Crime" and the seminal "How not to be a money launderer" and more, founder of Vortex Centrum, a pioneer in financial crime risk and compliance with more than 30 years' experience plus an earlier career in law.
His latest book, CUT-THROATS AND BRIGANDS: BLOOD on the ( WALL ) STREET is published 8 October 2024 (UK https://amzn.to/3ZTLTBZ) and is available as a Print Your Own ebook via vortexcentrum.com
You can support Morris-Cotterill's writing via www.honourpay.com
Trusted Advisor, Senior Information Security, Privacy, GDPR Professional, experienced trainer, public speaker (gold dust)
4 months ago
As a business in Europe, KYC means handing over too much data which the financial institution can't usually verify at all under threat of losing your banking assets which you have used for years or in some cases even decades. Throw more data on the haystack and the true financial crime will simply crawl underneath and out of sight, whilst everybody else has their privacy violated and are treated as criminals with a high risk of actually becoming one. That's AML/FT in Europe and with the new proposals making the rounds it's going to get worse too, very very quickly.
Compliance | KYC (Individual & Corporate) | Operations
5 months ago
It’s about typologies, outcomes, what the perpetrators want. The rest is parody.
Miscarriage of Justice Advocate @ CJK NEWS Civil and Human Rights Defender
5 months ago
The fraudsters cry harassment when you show due diligence and expedition these days. Shocking.
FINSOFT - Software for the Fund Industry - Struggling with manual tasks? Read this profile.
5 months ago
Insightful, indeed they are not the same things. Something that bothers me is that while these processes are necessary, they are extremely costly when done in a manual fashion. The only way forward is automation!
Head of Compliance & MLRO
5 months ago
Nigel, a very insightful article. #CDD for many businesses has become no more than a tick box exercise for many businesses to evidence their #compliance with the #aml #laws and #regulations to their #regulator, who in turn these days, simply want to satisfy #Moneyval and the #FATF. In many cases, they will not ‘KNOW’ their customer #kyc beyond the statistics that are produced, again to evidence compliance and satisfy the regulators' need for #data. Does any of this really forestall and prevent #moneylaundering? I think we all know the answer to that…….you just have to look at the estimates of illicit funds put through the system over the last quarter of a century.