Lesson 21 of 39
CDD, EDD & Beneficial Ownership *(OUTLINE + BULLET BODY)*
CAMS
Distinguish CDD from EDD and from simplified due diligence (SDD). Explain customer identification/verification (CIP) and beneficial-ownership identification. Identify the triggers that escalate a customer to EDD, and explain ongoing monitoring and periodic review.
Cold open / hook *(0:00–0:30)* — [scripted]
Know Your Customer isn't a slogan — it's a graduated process, and the exam tests whether you know which gear you're in. Standard customers get standard due diligence. Low-risk ones might get a lighter touch. But the moment a customer trips a risk trigger — a politically exposed person, a high-risk jurisdiction, an opaque ownership structure — you shift into enhanced due diligence and start asking harder questions. Get the level wrong in either direction and you've got a problem: too little for a high-risk client is a compliance failure; too much for everyone is wasted resources and unhappy customers. Let's learn to choose the right gear.
Body — [bullet teaching outline; expand to ~150 wpm prose when recording]
CDD basics — the spectrum
- **Customer Due Diligence (CDD)** is the **standard** process of identifying the customer, understanding the relationship, and assessing risk so you can detect suspicious activity. It is **risk-based** (FATF Recommendation 10; FinCEN CDD Rule).
- Three levels on a spectrum:
  - **Simplified Due Diligence (SDD):** reduced measures for **demonstrably low-risk** customers/products (permitted under FATF/EU where risk is low; note US rules are more prescriptive).
  - **Standard CDD:** the baseline for most customers.
  - **Enhanced Due Diligence (EDD):** intensified measures for **higher-risk** customers/relationships.
- The level applied flows from the **risk rating** assigned via the risk assessment (prior lecture). Risk can change over the life of the relationship, moving a customer between levels.
Customer identification (CIP)
- The **Customer Identification Program (CIP)** (USA PATRIOT Act §326; **31 CFR 1020.220**) requires, at account opening, collecting at minimum: **name, date of birth, address, and an identification number** (e.g., SSN/EIN/passport).
- The institution must **verify identity** within a reasonable time using **documentary** methods (ID documents) and/or **non-documentary** methods (database checks, credit bureau, etc.), and maintain records of the verification.
- CIP also requires checking customers against **government lists** (e.g., OFAC) where applicable.
- CIP answers "**is this person who they say they are?**" — it's the front door of CDD.
Beneficial ownership
- Beyond the named customer, institutions must **identify the natural persons who ultimately own or control a legal entity** — to prevent shells from hiding the real party.
- Under the **FinCEN CDD Rule**, for **legal entity customers** identify beneficial owners under **two prongs**: the **ownership prong** (each individual owning **25% or more**) and the **control prong** (one individual with **significant managerial control**) — at least one (control) and up to five total.
- FATF Recommendations 24/25 push for **beneficial-ownership transparency** of legal persons and arrangements (registers, etc.); the US CTA (covered in Domain 2) created a national BO registry.
- The goal: **pierce the structure** to the humans — and verify and risk-rate them, not just the entity.
- Exam cue: "25% or significant control"; remember the control prong always yields at least one beneficial owner.
Triggers for EDD
- **Customer-type triggers:** **PEPs** (especially foreign PEPs), customers in **high-risk industries** (MSBs, cash-intensive businesses, casinos, virtual-asset businesses, NPOs/charities), and **complex/opaque ownership** (multiple layers, nominee shareholders, bearer-share entities).
- **Geographic triggers:** customers or funds connected to **FATF grey/black-listed** or otherwise **high-risk jurisdictions**, sanctions-adjacent regions, or high-corruption countries.
- **Product/channel triggers:** **private banking, correspondent banking, trade finance, wire-heavy** activity, and **non-face-to-face/online** onboarding through third parties.
- **Behavioral triggers:** activity **inconsistent with the expected profile**, unusual transaction patterns, adverse media, or reluctance to provide ownership/source-of-funds information.
- What EDD adds: **deeper verification, identifying source of funds and source of wealth, senior-management approval to onboard/continue, more frequent and intensive monitoring, and more frequent periodic review.**
- Exam cue: distinguish **source of funds** (origin of the specific money in the account) from **source of wealth** (how the customer accumulated total net worth) — EDD often requires both.
Ongoing monitoring & periodic review
- CDD is **not a one-time event at onboarding** — the CDD Rule's fourth prong requires **ongoing monitoring** to identify and report suspicious transactions and to **keep customer information current on a risk basis**.
- **Transaction monitoring** compares actual activity to the **expected profile** built at onboarding; deviations generate alerts (covered in the monitoring lecture).
- **Periodic review** re-examines the customer's risk rating and refreshes CDD information — **frequency is risk-based**: e.g., high-risk customers reviewed **annually**, medium every **2–3 years**, low every **~3–5 years** (illustrative; set by policy).
- **Trigger-based reviews** also occur on events: a SAR filing, adverse media, a change in ownership/control, a jurisdiction's risk status change, or a material change in activity.
- Outcome of review can be **re-rating** the customer (up or down), applying EDD, or — where risk exceeds appetite and can't be mitigated — **exiting/de-risking** the relationship.
- Exam cue: "CDD is ongoing"; the right next step is often "update/refresh CDD and re-rate," not immediately closing the account.
Putting it together (a quick worked flow)
- New legal-entity customer onboards → **CIP** (verify the entity and its representative) → **identify beneficial owners** (25%/control) → **understand nature and purpose** → assign a **risk rating**.
- If a **trigger** is present (e.g., a foreign PEP beneficial owner) → escalate to **EDD**: source of funds/wealth, **senior-management approval**, enhanced monitoring.
- Over time → **ongoing monitoring** flags deviations; **periodic/trigger reviews** refresh the profile and re-rate; persistent unmitigated risk → consider **exit**.
- This flow is the spine of most Domain 3 "what's your next move?" questions.
Recap & next — [scripted]
Know Your Customer is a graduated system. CIP confirms identity at the front door — name, date of birth, address, ID number, verified and recorded. Beneficial ownership pierces the entity to the humans behind it under the twenty-five-percent and control prongs. The customer's risk rating sets the gear: simplified, standard, or enhanced. EDD triggers — PEPs, high-risk geographies, opaque structures, suspicious behavior — pull you into deeper checks, including source of funds and source of wealth and senior-management sign-off. And it never stops: ongoing monitoring and risk-based periodic review keep the picture current. Next, we go deeper into the highest-risk customers and relationships: politically exposed persons, and correspondent and private-banking enhanced due diligence — including nested accounts and the shell-bank prohibition.
Sources
- FATF Recommendation 10 (CDD) & Recommendations 12 (PEPs), 24/25 (beneficial ownership transparency)
- FinCEN CDD Rule — 31 CFR 1010.230 (four prongs, 25% + control)
- Customer Identification Program (CIP) — USA PATRIOT Act §326 / 31 CFR 1020.220
- FFIEC BSA/AML Examination Manual (CDD/EDD, ongoing monitoring, customer risk rating)
- source of funds vs. source of wealth