Customer Due Diligence Webinar Transcript

Hi everyone! Welcome to the fourth webinar of a webinar series produced by DIA. My name is Kariba and I'm a Senior Advisor in our Engagement and Innovation team within the AML Group. Today's webinar will be focusing on customer due diligence or CDD, one of many businesses' obligations under the AML/CFT Act. Some businesses may know this as "know your customer" or KYC. This webinar is for businesses who are captured under the AML/CFT Act because they provide certain services in the ordinary course of their business. If you are not sure if you are captured, please refer to guidance on the DIA website.

If you have any questions about CDD during the webinar or any other questions about your AML obligations, please email us at

Now let's get started.

Firstly, here's what we'll be covering today.

What is CDD and why you need to do it.

When to conduct CDD and who to conduct CDD on. Beneficial ownership with some examples. Standard CDD requirements or what information you need to collect.

Verifying identity using IVCOP or the Identity Verification Code of Practice including the three parts. Examples of CDD. Reliance or when a business can rely on others to complete CDD for you. And ongoing CDD.

So, what is customer due diligence?

Customer due diligence is a cornerstone of the AML/CFT system and you should therefore focus a significant amount of time and attention on this obligation and ensure adequate resourcing. CDD is also something that we will pay particular attention to when reviewing your documents or checking the effectiveness at an on-site inspection.

CDD is where you develop an understanding about your customers and the money laundering terrorism financing risks they may pose to your business. It involves gathering and verifying information about your customer's identity, beneficial owners and representatives. There are three types of CDD. Simplified CDD, standard CDD (which will be the focus of this webinar) and enhanced CDD (which will be the focus of a future webinar).

So why do you need to conduct CDD? Essentially it's to mitigate any risks posed by types of customers or clients that you have assessed in your risk assessment but it is also an obligation for businesses who are captured by the Act. Those seeking to launder money or finance terrorism generally try to avoid attracting attention by masking their identity and/or the illegal source of their funds. If you have effective procedures, policies and controls to know who your customer is, it will make it more difficult for money launderers or financers of terrorism to conduct illegal transactions through your business.

What to do before you start conducting CDD. You will need to have written your business risk assessment and looked at any risk that may be posed by types of customers and clients you deal with. You will need to have written an AML/CFT programme which outlines your policies, procedures and controls for CDD. Finally make sure you are familiar with the supervisor guidance that exists on CDD.

We've written a how-to for CDD on various structures like trusts, companies and partnerships, which can all be found on our website. As you need to conduct CDD on beneficial owners, we have also written a guideline on beneficial ownership.

You'll also need to be familiar with the Amended Identity Verification Code of Practice or IVCOP which I'll talk about later.

When do you conduct CDD? You need to conduct CDD when a business relationship starts. Business relationship is defined in the legislation. It says that a business relationship is a "business, professional or commercial relationship between a reporting entity and a customer that has an element of duration or that is expected by the reporting entity at the time to have an element of duration". So "duration" is a key word in that definition. Depending on what sector you are in, when a business relationship starts will look slightly different.

We recommend reading a set of specific guidelines on our website for more information.

You also need to conduct CDD when a customer seeks to conduct an occasional transaction or activity. Both of these are also defined. An occasional activity is where you provide a captured service but there is no business relationship or expected duration. Some examples of occasional transactions are where a cash transaction occurs outside of a business relationship that is equal to or over 10,000 NZD or a wire transfer occurs and is over 1,000 NZD. CDD will only be needed if you're a financial institution providing certain financial activities as stated in the Act or if you are a lawyer, conveyancer, accounting practice, trust and company service provider, and real estate agent carrying out certain activities as stated in the Act. If the business relationship or occasional activity or transaction does not involve a captured service or financial activity then you will not be required to conduct CDD when onboarding that customer.

You may also need to conduct CDD on an existing customer, meaning a customer before you had obligations under the AML/CFT Act, where there has been a material change in your business relationship and you have insufficient information on that customer. Material change is not defined but we consider it to mean an event, activity or situation that you identify that could change the level of money laundering or terrorism financing risk you may encounter.

So who do you need to conduct EDD on?

Your customer or client. As we just mentioned this will be the individual or entity you are providing a service to, who you're about to enter into a business relationship with or conduct an occasional activity or transaction with.

You must also conduct CDD on any beneficial owner of your customer or client. Beneficial owner is defined as either an individual who has effective control of a customer or an individual who owns more than 25% of a customer. So this could be shareholders of a company, directors of a company who have effective control, or trustees of a trust, just to name a few examples. Beneficial ownership is a tricky subject and it can be confusing. You will need to establish who the beneficial owners are before you conduct CDD. This is so you know who the real or ultimate owners are or those who have effective control so you're able to make appropriate decisions about the level of money laundering and terrorism financing risk associated with your customer. One particular common mistake is thinking that a beneficial owner can be a company or trust. A beneficial owner must be an individual or a natural person, it can't be a company or trust or other legal entity. This should help you when trying to determine beneficial ownership or verify the beneficial owner.

As one of my colleagues used to say you are looking for the warm body in the legal structure. Once you find that person who meets that definition this is who you will need to conduct CDD on.

Please note there can also be more than one beneficial owner. And you must also conduct CDD on anyone acting on behalf of your customer. So this could be your customer's power of attorney, a legal guardian or an employee who has authority to act on behalf of the company that is your customer.

Let's go into some beneficial ownership examples. Remember there are two parts to the definition. Ownership and effective control. So for ownership - the prescribed threshold for ownership is more than 25%.

You will need to understand the ownership structure of your customer. You should consider that it is possible for ownership to be split into parcels of less than 25%, but a relationship between parties may give an individual aggregated ownership of the customer that amounts to more than 25%. So in the straightforward example shown on the slide X Company is directly owned by an individual, Mr. Smith, who owns 75% and Y Company which owns 25%. Y Company is owned equally by two individuals Mrs. Jones and Mr. Winston.

First you establish that this ownership structure is correct. You need to identify and verify the identity of the individuals who own more than 25% of X Company. In this case only Mr. Smith owns more than 25% of the company.

It's worth pointing out that even if there was just one owner of Y Company they would still not be considered a beneficial owner of X Company as the definition is more than 25%. 25% ownership does not meet the definition.

In this example X Company has five direct owners each owning an equal amount. A Company, B Company, C Company, D Company, and E Company. You first need to establish that this ownership structure is correct. Two of the five direct owners D Company and E Company are wholly owned by Mr. Smith. Therefore you need to identify and verify the identity of Mr. Smith as only he owns more than 25% of your customer, X Company.

For some customers, when you have applied the beneficial ownership test it will become clear that ownership is spread over a large number of individuals with no individual owning more than 25%. In this example Mr. Smith now only owns E Company and Ms. D owns D Company. In such cases you must still identify a beneficial owner. In this example because no individual or individuals own more than 25%, the effective control element is more likely to determine who the beneficial owners are. Effective control of the customer is part of the beneficial ownership definition. An example is an individual who exercises responsibility for senior management decisions, or similar, of the customer.

Remember a beneficial owner has to be an individual, not a legal entity. Maybe you discover in the example shown that Mr. C holds all the voting rights for X as shown in X Company's constitution. You also find there is a Ms. Jones who has responsibility for all managerial decisions at X Company. You determine both individuals meet the beneficial ownership definition because they both have effective control.

Now we've discussed who you need to identify, let's move on to what information you are required to get for standard CDD. To meet the identity requirements you need to obtain a person's full name, a person's date of birth, if they're not the customer, their relationship to the customer, the address or registered office and the person's company identifier or registration number. To verify, you need to take reasonable steps to satisfy yourself that the information obtained is correct. To verify a beneficial owner you need to, according to the level of risk, take reasonable steps to verify the identity of the beneficial owner so you are satisfied you know who the beneficial owner is. For someone acting on behalf, you need to, according to level of risk, take reasonable steps to verify the person's identity and authority to act on behalf, so you're satisfied you know who the person is and that they have the authority to act on behalf of your customer. You can see there is a difference between verifying your customer and verifying your customer's beneficial owner or representative. The key difference is according to the level of risk. On your customer the level of risk has no effect on the steps you take to satisfy yourself that the information obtained is correct.

Whereas for beneficial ownership and for representatives the level of risk will impact what steps you take or, in other words, the steps you take in a low-risk situation will be different to the steps you take in a high-risk situation for verifying the identity of beneficial owners or those acting on behalf. And there's a couple of other requirements.

So you must obtain information relating to the nature and purpose of a business relationship and you must obtain sufficient information to determine whether they should be subject to enhanced customer due diligence. So how do you verify the information you have collected? The Identity Verification Code of Practice or IVCOP is a suggested best practice for a business conducting name and date of birth verification on a natural person that is low to medium risk.

Part 1 of IVCOP speaks to face-to-face documentary verification.

Part 2, certification of documents for non face-to-face documentary verification. And Part 3, electronic verification. You only need to meet one of the parts to verify someone's name and date of birth. There is no code of practice for address verification, but you should verify a customer's address using documents, data or information issued by a reliable and independent source such as a bank statement or a utility bill. So let's talk about the 3 parts of IVCOP in more detail. Part 1 of IVCOP provides for instances where you can use a single document to verify name and date of birth or a combination of documents for verification. To meet Part 1, this verification needs to be conducted face-to-face and the document or documents sighted in person at the same time as the customer. This is so you are able to both verify the documents are legitimate and that they also match your customer.

The most common examples of documents or combination of documents are sighting your customer's passport. A passport can be used on its own to verify your customer's identity. There is some confusion as to whether an expired passport can be accepted. The AML/CFT supervisors consider a "passport" to mean a "valid passport" so an expired passport does not meet this standard. You may however choose to accept this as an exception when a customer has no current or valid documents. I'll talk about exceptions in just a second. Or for a combination of documents, a New Zealand driver's license and a bank credit card or debit card, or a New Zealand driver's license and a bank statement.

The code of practice also states that a business must have exception handling procedures in place for when a customer or client is unable to satisfy the requirements of Part 1. In other words, they don't have a valid current passport, and they no longer drive which has happened in some circumstances where a customer or client is elderly. In these situations you will need to establish an internal business process of what you will accept for identity verification to mitigate any potential risk that the customer may pose. One example may be that you'll choose to accept an expired identity document or documents that are less than two years expired and you have your compliance officer check your exception as another layer of scrutiny.

A common mistake or myth of document verification is that the documents need to also be certified, that is in addition to being sighted face-to-face.

Certification and verification are different. If you sight the document you do not then need to also certify the document yourself or have it certified by someone else. You should, however, take a copy for your records and write the name of the person who sighted the documents and the date of the verification.

Part 2 of IVCOP provides for where you may use a trusted referee to verify your customer's identity and identity documents in circumstances where you can't sight your customer's original identity documents. Trusted referees are listed in IVCOP. Some commonly used trusted referees are: a justice of the peace, a lawyer, a chartered accountant, a registered doctor or a registered teacher. A trusted referee may not be related to, the spouse of, or live at the same address as your customer. They also cannot be involved in the transaction or activity.

A trusted referee must sight the original documents and make a statement that the copied documents that are being sent to you are a true copy and represent the identity of the individual. Or in other words they must sight the original documents and the person at the same time, just like you have to with face to face verification.

Certification must also include the name of the trusted referee, their signature and the date of the certification. The trusted referee must also specify their capacity to act as a trusted referee or in other words their profession. They may have a stamp that they use in their work that can be used for certification purposes. Certification must have been carried out in the three months preceding the presentation of the copied documents. Part 3 of IVCOP or electronic verification is available for customers on-boarded by email or online where you are not meeting them face to face or sighting their identity documents. It can be used to verify the name and date of birth of customers you have assessed to be low to medium risk.

Electronic verification is where you use an electronic identity or record kept in electronic form that contains authenticated core identity information about an individual. Electronic identity verification is using that record to verify an individual's identity when conducting CDD.

An electronic source is not a customer that takes a selfie or photo and scans a copy of their identity document and then sends these to you by email. An electronic identity provider is not the electronic source under Part 3 of IVCOP, rather they are an intermediary between the reporting entity and the electronic source. There are two options to comply with Part 3 of IVCOP, let's go over these now. Option one is to use a single electronic source that is able to verify an individual's identity to a high level of confidence. Only an electronic source that incorporates biometric information or information which provides a level of confidence equal to biometric information, enables an individual's name and date of birth to be verified to a high level of confidence. Currently in New Zealand only a verified RealMe identity meets the standard. Please note that a verified RealMe is different to having a RealMe account. The second option under electronic verification is to use at least two independent and reliable matching electronic sources.

When selecting your electronic sources, clause 17 of IVCOP sets out the factors that must be considered when determining whether an electronic source is reliable and independent. This includes whether the information is maintained by a government body and whether the source incorporates a mechanism to determine whether the customer can be linked to the claimed identity. One of the sources you use must verify the individual's name and date of birth whereas the second must verify the name. They must, of course, match each other. In most circumstances the primary reliable and independent source will be administered by a government body. Typically for persons residing in New Zealand this will be either the DIA confirmation service or an NZTA drivers licence check.

These allow an individual's name, date of birth and identity document number to be submitted for verification against official government databases.

Upon verification a positive or negative match is returned depending on whether the identity and the documents are genuine or valid. For the second matching source reporting entities have more options. The second source only needs to verify a customer's name, not date of birth, and is essentially required only to corroborate the primary source. Options include credit bureaus, utility providers, telco companies, New Zealand Land Registry or companies office records online.

You must then use additional measures to ensure the person being dealt with online is the genuine holder of the identity they are claiming. In other words, you have to link your customer to their claimed identity. Other than RealMe there are no electronic sources in New Zealand that incorporate a mechanism to link the customer to the claimed identity. This means that you must always implement additional measures to meet this requirement. There is flexibility in how this is achieved depending on your products or services and methods of delivery. However, the measures must be robust and be able to authenticate that the person being dealt with online is the genuine holder of the identity they are claiming to be and that is being verified. There are some examples of additional measures in the IVCOP explanatory note, one of which is issuing a letter that contains a unique reference to the customer's address that has been verified by a reliable and independent source. These additional steps should be taken before any transactions or activities are undertaken. If you are using electronic verification you will need to describe in your AML/CFT programme the forms of electronic identity verification methods you are using and how they are reliable and independent.

You'll also need to describe what additional measures you are taking and how they are robust and link your customer to the claimed identity.

In summary there are two key components to electronic identity verification.

Firstly, confirmation of the identity information via an electronic source. So in other words, checking that the identity document is valid and following that up by matching the person you are dealing with online to the identity.

Both these components must be satisfied. Usually it's fairly easy to satisfy the first component, for example that a driver's license is a valid driver's license through the New Zealand Transport Agency. Where a business usually has issues is with the second component which is linking the customer to the identity document.

This is what you will need to put time and resource into. Usually a business will use a third-party provider to complete electronic verification on its behalf.

Remember the provider is not the electronic source; they usually just have access to the source. We recommend that if you are using a provider you make sure you ask them how they are satisfying Part 3 of IVCOP, especially clauses 17 and 18 and in particular how they are linking the customer to the identity document.

Let's quickly run through an example of face to face verification in practice. In this example your client is an individual or an actual person who is a New Zealand resident.

Firstly you have to identify the risk of your client and what level of CDD is required. You should refer to your AML/CFT programme. This client meets your criteria for standard CDD. Then you should obtain information on nature and purpose of the proposed business relationship. Your client is a natural person and a New Zealand resident selling their family home.

They explain to you that they are selling the property to finance the purchase of a new, larger house.

Next, you need to identify the relevant persons whose identity needs to be verified. Are there any beneficial owners or representatives you need to identify? The client is the sole owner of the house.

You determine there is no reason to believe they're acting on behalf of anyone else but you treat the client as the sole beneficial owner.

You then make a determination on the level of money-laundering terrorism financing risk. Are there any high risk factors here? Are there any red flags? You determine this is a low risk money-laundering terrorism financing situation based on the fact that your client is not a politically exposed person, no cash is involved, they are a New Zealand resident, they have a low-risk occupation, and their behavior is normal for the activity being undertaken. Meaning they do not appear to be in any rush and they don't want to make a loss on the house.

Finally you need to gather identity information and verify using IVCOP.

You obtain and verify the identity of your client by sighting their current passport. You obtain their address from a recent bank statement. You take copies and date and sign them for record-keeping purposes.

So now we can move on to how to conduct CDD on companies as an example of what CDD can look like on a legal entity when EDD isn't required. So remember the requirement is for you to conduct CDD on your customer, any beneficial owner, and any person acting on behalf.

Therefore, when your customer is a company you will need to identify the company. Including the full legal name and trading name, the business address or registered office, the jurisdiction of incorporation, and the company identifier or registration number. You will be able to verify all this information using the Companies Register if they were incorporated in New Zealand.

You need to identify the beneficial owners of the company, so identify those who meet the definition of beneficial owner, such as shareholders, senior management, and those with effective control such as some directors. For those people you need their full name, their date of birth, their address and their relationship to the customer. When trying to assess beneficial ownership you may discover that your customer company is owned by other legal entities who cannot meet the definition of beneficial owner as, remember, they are not a natural person. Therefore you may have to assess the ownership of those entities to determine the beneficial owner of your client. Remember, any individual will only be a beneficial owner of your customer if they own more than 25% of your customer or have effective control of your customer.

You'll then have to get the name, date of birth and address of the beneficial owner. Remember, you need to, according to level of risk, take reasonable steps to verify the identity of the beneficial owner so you're satisfied that you know who they are.

You then need to identify the person acting on behalf of the company.

Acting on behalf of the customer is when a person is authorized to carry out a transaction or other activities on behalf of the customer. This includes persons who have authority to act on behalf of the business, for example an accountant. But for a company this is most likely the individual who you are dealing with.

And you will need to get the representative's or the person acting on behalf's full name, date of birth, relationship to the customer, their company number or registration number if applicable, and their authority to act for the company. The person acting on behalf of the company must be a properly authorized representative.

OK, let's put all that into an example. In this example your customer is a legal entity or a company owned by Mr. and Mrs. Marsh. The captured service you're providing is managing the client funds or managing the funds of the company.

First you need to identify the risk of your client and what level of CDD is required. Again you should refer to your AML/CFT programme. As a New Zealand company your client meets your criteria for standard CDD.

You obtain information on nature and purpose of the proposed business relationship. Your client is a New Zealand company and it requires your assistance to ensure they make the right payments at the right time to keep the company operating well. You need to identify the relevant persons who need to be identified. You use the Companies Register to confirm that Mr. and Mrs. Marsh are the sole owners of the company and gain reliable information about the company's address and business registration number.

You then need to make a determination on the level of money laundering terrorism financing risk. You determine low money laundering terrorism financing risk based on the fact that the beneficial owners are not politically exposed persons, no cash is involved, the owners are New Zealand residents who have low-risk occupations and their behavior is normal for the activity being undertaken. You then gather identity information and verify using IVCOP. You have obtained information on the company via the Companies Register. You verify the identity of your client's beneficial owners by sighting their driver's license and birth certificates. You obtain their address from a recent utility bill. You take copies of all of these documents, date and sign them.

In some specific circumstances, reporting entities can rely on others to conduct CDD if the other party is either a member of the same designated business group, another reporting entity in New Zealand, or a person in another country that has sufficient AML/CFT systems and measures in place who is regulated for AML/CFT purposes, an agent or an approved reporting entity.

Relying on a member of your designated business group. A member of a DBG, let's say Member A, can rely on another member of the same DBG, Member B, to conduct CDD if the information is given before Member A has established a business relationship or conducts an occasional transaction or activity. Any verification information must be able to be given to Member A by Member B as soon as practicable but within five working days of the request.

In this scenario, Member A, not Member B, is responsible for ensuring that it is complying with AML/CFT requirements.

Relying on another reporting entity or suitably regulated person overseas. A reporting entity can rely on another person for CDD so long as the person is either a reporting entity in New Zealand or is a person resident in a country which is regulated for AML/CFT purposes; and has a business relationship with the customer concerned; and has conducted CDD to at least the standard required in the Act; and has provided the reporting entity the relevant information before it has established a business relationship or conducted an occasional transaction or activity; and they can provide the relevant information on request to the reporting entity as soon as practicable but within five working days; and they consent to conducting CDD and providing all relevant CDD information to the reporting entity. In this scenario the reporting entity requesting the CDD remains responsible for ensuring the CDD is conducted in accordance with the AML/CFT Act.

You can also rely on an agent. A reporting entity may authorize a person to be its agent and rely on that agent to conduct CDD and obtain any information required for CDD records. 'Agent' is not defined in the Act, instead the ordinary principles of agency law will apply. And, you can rely on an approved entity. However, as of yet there are no prescribed approved entities under the AML/CFT Act.

One of your CDD obligations is to conduct ongoing CDD and account monitoring. You are required to regularly review any information you hold about the customer and regularly review their account activity and transaction behavior. The purpose of this is to ensure that the nature and purpose of the business relationship and any transactions relating to that business relationship are consistent with your knowledge of the customer and the customer's risk profile. This regular review will also help you to identify any grounds for reporting a suspicious activity. Reporting entities are required to develop a process for ongoing CDD and account monitoring for their customers according to the level of risk each customer presents. You should think about the level of CDD that was previously undertaken and consider the level of risk involved with that customer or their activities and transactions.

This means higher-risk customers need to have more frequent and thorough account monitoring than customers deemed to have low or medium risk.

The account monitoring conducted should enable you to identify any transaction behavior that is out of character with your knowledge of the customer, their risk profile and the CDD you have previously conducted.

And that's the conclusion on the CDD webinar. If you still have any questions please make sure you email us at or call us on 0800 257 887. Let us know what other webinar topics you would like us to complete by emailing us or filling out our online survey on our website. Thank you for listening!