What is the difference between KYC and CDD?
Although KYC (Know Your Customer) and CDD (Customer Due Diligence) are very similar, there are some differences between the two concepts that we will address in this article.
KYC and CDD are the cornerstones of any AML (Anti Money Laundering) policy developed by a company, and they revolve around the need to verify the identity of the customers with whom those companies affected by AML regulations work.
In simple terms, Know Your Customer (KYC) is about demonstrating Customer Due Diligence (CDD), i.e., verifying a customer’s identity. Therefore, it is difficult to distinguish between KYC and CDD because the latter is an integral part of the former.
In that sense, they could be considered the same, but are KYC and CDD the same or not?
Let’s start by considering each term individually.
What is KYC and its importance?
KYC is an essential process in the financial and many other industries, designed to verify the identity of customers. This process involves the verification of personal information such as names, surnames, addresses, dates of birth and official identity documents. The importance of KYC lies in its ability to help businesses prevent fraudulent activity.
By knowing your customers, you can make informed decisions about your business relationships with them, ensuring that you are interacting with legitimate and genuine parties.
CDD, beyond customer knowledge
CDD conducts in-depth and ongoing analyses to evaluate customer risk.
Due diligence focuses not only on collecting data, but also on interpreting and monitoring the customer’s financial behaviour. This process is essential to detect unusual or suspicious activity that may indicate a risk of money laundering or terrorist financing. Due diligence allows firms to adapt their compliance strategies and control risk proactively, adjusting vigilance according to the customer’s risk profile.
Some of the customer due diligence requirements are:
CDD (Customer Due Diligence) in Spain
KYC rules are based on a policy of customer identification and acceptance, continuous monitoring of the relationship with these customers and risk management. In Spanish law, this translates into normal due diligence measures that will be applied gradually depending on the risk of the obliged party.
SEPBLAC is the Financial Intelligence Unit in Spain. It is the supervisor for the prevention of money laundering and terrorist financing and is in charge of defining the due diligence measures to be applied.
These measures are simplified in some cases and enhanced in other cases where the operations have a higher risk based on the country or geographical location, the risk inherent to the client itself and the risk related to the type of transaction to be carried out.
Due diligence obligations are therefore aimed at identifying and getting to know those natural or legal persons who wish to do business with regulated entities.
Sepblac authorises companies to carry out these identification measures by electronic or telematic means, such as video-identification.
Authorisation of non-in-person verification procedures in Spain
Article 21.1.d) of the Regulation of Law 10/2010 of 28 April, approved by Royal Decree 304/2014 of 5 May, rules that obliged subjects may establish business relationships or perform transactions via telephone, electronic or telematic means with customers who are not physically present, when the customer’s identity can be evidenced by secure procedures for customer identification in remote transactions, provided that such procedures have been previously authorised by Sepblac.
In accordance with this authorisation, Sepblac has established a series of minimum specifications with respect to customer identification procedures for non-face-to-face transactions, allowing, among others, video-identification.
So how do CDD and KYC differ?
KYC specifies the checks that are carried out at the start of a customer relationship to identify and verify that such customers are who they say they are. This is especially relevant for companies that are subject to AML (Anti Money Laundering) regulations.
Know Your Customer procedures therefore allow the creation of a customer’s risk profile by retrieving their data before initiating a business relationship, usually in a digital onboarding process by collecting their personal data and identity document.
Customer Due Diligence, on the other hand, makes it possible to assess whether the information provided by customers during registration is correct. In addition, CDD checks must be performed on an ongoing basis for as long as there is a customer relationship, requiring a record of transactions to be kept and updated.
KYC checks are therefore made at the early stage of establishing business relationships, when we screen potential customers, while Customer Due Diligence (CDD) is an ongoing monitoring of suspicious activities aimed at money laundering. Both are a crucial part of an anti-money laundering (AML) program.
At this point, I’m sure it seems a bit mind-blowing… okay, now you are talking about AML? And how is that different from KYC?
What is the difference between KYC and AML?
The difference between them lies in the scope and focus of each within the financial compliance framework.
The main difference between AML and KYC is as follows:
In terms of focus, AML is concerned with establishing and monitoring global policies and regulations for the prevention of money laundering. In contrast, KYC focuses on the practical application of these policies at the level of day-to-day transactions and business relationships. In addition, KYC provides firms with the necessary procedures to comply with AML requirements by ensuring that they properly identify their customers and detect any activity that may be indicative of a money laundering risk.
Challenges and solutions in implementing KYC and CDD
As we have hinted, implementing KYC and CDD processes is essential for complying with AML regulations, but it is not without challenges. Below are some of the most common obstacles companies face when implementing these processes, along with possible solutions to overcome them:
Data protection and GDPR compliance
One of the main challenges is the protection of personal data collected during this process, especially under strict regulations such as the General Data Protection Regulation (GDPR) in the European Union. Companies must ensure that data is handled securely and that customers give informed consent for the collection and processing of their data.
The solution involves companies implementing advanced encryption solutions to protect data in transit and at rest. Additionally, they should establish clear data retention policies and procedures for the secure deletion of information that is no longer needed. Regular audits are also essential to ensure ongoing compliance with the GDPR and other privacy regulations.
Technological integration and legacy systems
Many companies, especially those with older IT systems, face difficulties integrating new KYC and CDD solutions with their existing technological infrastructure. The lack of interoperability between systems can lead to inefficiencies, data duplication, and security gaps.
A viable solution is to adopt cloud-based KYC and CDD platforms, which offer greater flexibility and ease of integration with legacy systems. These platforms are often compatible with APIs, allowing for easier integration with different systems. Additionally, staff training and investment in upgrading technological infrastructure are crucial to overcoming these barriers.
Managing data volume and scalability
Large corporations that handle a high volume of clients often find it difficult to scale their KYC and CDD processes. Manual verification can become unsustainable, creating bottlenecks and increasing the risk of errors.
Automation is key to managing volume and scaling effectively. Implementing technologies like artificial intelligence (AI) and machine learning can help automate identity verification, analyse large volumes of data quickly, and detect suspicious patterns that could indicate fraud or money laundering.
Handling international clients and multijurisdictional compliance
Companies operating in multiple countries face the problem of complying with various local and international KYC and CDD regulations. This can be especially complex due to the lack of harmonisation in regulations and the different requirements of each jurisdiction.
To manage this complexity, companies should adopt a risk-based approach, adjusting their KYC and CDD procedures according to the risk profile of the client and the jurisdiction in which they operate. The use of software solutions that offer automatic updates of global regulations can help ensure real-time compliance.
Customer experience and onboarding friction
KYC and CDD processes can be perceived by customers as intrusive or complicated, which can negatively affect the user experience and increase the abandonment rate during onboarding.
Companies should seek a balance between regulatory compliance and customer experience, simplifying processes as much as possible. Implementing fast identity verification solutions, such as facial biometrics or video identification, can reduce friction and improve customer satisfaction without compromising security.