Customer Due Diligence: Essentials for Emerging Markets

FATF Recommendation 10 — KYC fundamentals, simplified & enhanced CDD, ongoing monitoring & record-keeping

Course Overview

Customer Due Diligence is the cornerstone of any AML/CFT programme. Under FATF Recommendation 10, financial institutions must identify and verify their customers, identify beneficial owners, understand the purpose of the business relationship, and conduct ongoing monitoring. This course covers each of the four CDD measures, explains when simplified and enhanced CDD apply, and addresses the practical challenges of CDD in emerging market environments.

Estimated completion time: 55–70 minutes

Module 1: The Four CDD Measures

FATF R.10 — when CDD is required and the four mandatory measures every FI must apply.

Module 2: Simplified and Enhanced CDD

When you can scale down CDD — and when you must scale up. The conditions and controls.

Module 3: Beneficial Ownership Identification

The 25% threshold, layered structures, and nominee arrangements — tracing the UBO.

Module 4: Ongoing Due Diligence

CDD is not a one-time exercise — monitoring, trigger reviews, and keeping records current.

Module 5: CDD in Emerging Markets

Practical challenges — informal economies, weak registries, mobile-only customers, digital identity.

Module 6: Final Assessment

30-question assessment. Pass mark: 80%. Certificate on completion.

Module 1: The Four CDD Measures

1.1 When CDD Is Required — FATF Recommendation 10

FATF Recommendation 10 specifies four circumstances in which financial institutions must apply CDD measures. These are not discretionary — each trigger mandates a CDD response:

1. Establishing a Business Relationship

When a customer first opens an account or enters into an ongoing relationship with the institution. CDD must be completed before or at the start of the relationship. Where there is ML/TF risk, identity must be verified before the relationship is established.

2. Occasional Transactions Above Threshold

For one-off (non-relationship) transactions at or above USD/EUR 15,000. Below this threshold, basic CDD may apply, but full business-relationship CDD is not required. Wire transfers have a separate, lower threshold of USD/EUR 1,000 under Recommendation 16.

3. Suspicion of ML/TF

When the institution suspects or has reasonable grounds to suspect that a transaction or activity is related to money laundering or terrorist financing — regardless of any threshold or exemption. Suspicion overrides all lower-risk carve-outs, including simplified CDD eligibility.

4. Doubts About Previously Obtained Information

When the institution doubts the veracity or adequacy of previously collected customer identification data — for example, when documents appear forged, information is inconsistent, or a trigger review reveals data quality problems.

1.2 The Four CDD Measures

FATF R.10's Interpretive Note specifies four mandatory CDD measures. Every FI must apply all four — not just identification:

Measure (a): Identify and Verify Customer Identity

Using reliable, independent source documents, data, or information, the institution must:

  • For natural persons: establish name, date of birth, nationality, and residential address.
  • For legal persons: establish legal name, legal form, registered address, directors, authorised signatories.
  • Verify the identity — not just collect it. Verification means confirming the information against an independent source (government-issued ID, company registry, independent database).
  • Digital identity verification is permissible under FATF's 2020 Digital Identity Guidance — biometric verification, liveness checks, and document scanning satisfy the verification requirement where the system meets the required assurance level.

Identification vs Verification: Identification is collecting the information ("the customer says they are John Doe, born 1985"). Verification is confirming that information is true against an independent source ("the passport matches the photo, the registry confirms the business exists"). Both steps are required.

Measure (b): Identify the Beneficial Owner

The institution must identify the natural person(s) who ultimately own or control the customer. For legal entities:

  • Identify all natural persons holding 25% or more of shares or voting rights — this is the standard starting point.
  • The 25% is a floor, not a ceiling. Trace control through other mechanisms: voting agreements, board control, veto rights, contractual arrangements.
  • If no natural person can be identified above 25%, identify the senior managing official (e.g., CEO) as a last resort — and document why no other BO could be identified.
  • Take reasonable measures to verify the BO's identity.

Measure (c): Understand the Purpose of the Relationship

The institution must understand and, as appropriate, obtain information on the purpose and intended nature of the business relationship:

  • What products/services will be used?
  • What is the expected transaction profile (volume, frequency, amounts, currencies, counterparties)?
  • What is the source of funds?
  • What is the nature of the customer's business or income?

This baseline is used to calibrate transaction monitoring — transactions that deviate significantly from the expected profile trigger investigation.

Measure (d): Conduct Ongoing Due Diligence

CDD does not stop at onboarding. The institution must:

  • Scrutinise transactions throughout the relationship to ensure they are consistent with the institution's knowledge of the customer, their business, and their risk profile.
  • Keep CDD documents, data, and information up to date and relevant.
  • Apply enhanced scrutiny when risk indicators emerge — a trigger review is required when circumstances change materially.

Can CDD be completed after a transaction?

Generally no — identity must be verified before establishing a relationship or completing a transaction. Limited exceptions exist for lower-risk products (e.g., insurance) where verification may occur after the relationship has technically begun, but before the policy pays out.

What if a customer refuses to provide CDD information?

The institution must decline to establish the relationship or complete the transaction, and should consider whether to file an STR based on the refusal itself — refusal to provide CDD documents is a red flag.

Does the 15,000 threshold apply to cash or all transactions?

It applies to all occasional transactions (cash or non-cash). Cash transactions have separate CTR reporting obligations. Wire transfers have a lower threshold of USD/EUR 1,000 under R.16.

Module 2: Simplified and Enhanced CDD

2.1 Simplified CDD — When Less Is Permitted

Countries may permit FIs to apply simplified (reduced) CDD measures where ML/TF risk is demonstrably lower. Simplified CDD means adjusted measures — not zero measures. Basic identification still occurs; what changes is the depth and timing of verification.

When Simplified CDD May Apply

FATF's Interpretive Note to R.10 identifies potentially lower-risk customer categories where simplified CDD may be permissible:

  • Listed companies subject to regulatory disclosure requirements (stock exchange-listed entities with transparent financials).
  • Public bodies and government entities.
  • Financial institutions regulated in a lower-risk jurisdiction subject to equivalent AML/CFT requirements.
  • Low-risk financial products (e.g., basic low-value savings products with contribution limits and withdrawal restrictions).

Critical limitation: Simplified CDD cannot be applied where there is suspicion of ML/TF — even if the customer would otherwise qualify. Suspicion always triggers standard or enhanced CDD.

What Simplified CDD Looks Like in Practice

Examples of how simplified CDD differs from standard CDD:

| CDD Element | Standard CDD | Simplified CDD |
|---|---|---|
| Identity verification | Verify before establishing relationship | Verify within a short period after starting the relationship |
| Beneficial ownership | Identify all BOs above 25% | May accept publicly available information (e.g., from stock exchange disclosure) |
| Ongoing review frequency | Risk-based periodic review (typically annual or 3-year cycle) | Less frequent review cycle, triggered only by specific events |
| Source of funds | Establish for all customers | May not be required if income source is obvious (e.g., salary account at a known employer) |

2.2 Enhanced Due Diligence — When More Is Required

Enhanced Due Diligence (EDD) is mandatory in higher-risk situations. FATF specifies three categories where EDD is always required, plus a general obligation to apply EDD wherever higher risk is identified.

Mandatory EDD Category 1: Politically Exposed Persons (PEPs)

Under FATF Recommendation 12, all PEP relationships require EDD. Three EDD measures are required for PEPs:

  1. Senior management approval before establishing (or continuing) a business relationship with a PEP.
  2. Source of wealth and source of funds — establish how the PEP accumulated their overall wealth, and the origin of the specific funds in this transaction.
  3. Enhanced ongoing monitoring throughout the relationship.

Mandatory EDD Category 2: Correspondent Banking (R.13)

When a financial institution (correspondent) provides services to another financial institution (respondent), EDD requires:

  • Gathering sufficient information about the respondent to understand the nature of its business.
  • Assessing the respondent bank's AML/CFT controls and determining whether they are adequate.
  • Obtaining senior management approval before establishing a new correspondent relationship.
  • Documenting respective AML/CFT responsibilities.
  • Refusing relationships with shell banks (no physical presence, not affiliated with a regulated group).

Mandatory EDD Category 3: High-Risk and Non-Face-to-Face Situations (R.19)

FATF Recommendation 19 requires EDD for business relationships and transactions with persons from countries that have not applied FATF recommendations adequately (black-listed and grey-listed jurisdictions). EDD must also be applied in other higher-risk situations, including:

  • Non-face-to-face customer relationships where identity cannot be verified in person.
  • Customers with complex or opaque corporate structures.
  • Transactions with no apparent economic purpose.
  • New products and new delivery channels assessed as higher risk.

2.3 Third-Party CDD Reliance

FIs may rely on a third party (introducer, professional intermediary, or another regulated FI) to perform and provide the CDD. This is permitted under FATF R.10 but subject to strict conditions:

  • The FI must immediately obtain the necessary CDD information from the third party.
  • The third party must be able to provide copies of CDD documentation on request without delay.
  • The third party must be regulated and supervised for AML/CFT purposes in a jurisdiction with adequate AML/CFT standards.
  • Ultimate responsibility remains with the FI — liability cannot be outsourced. If the third party provided deficient CDD, the FI remains accountable.

Real enforcement case: Barclays Bank was fined GBP 72 million by the UK FCA in 2015 for failing to conduct adequate due diligence on a group of ultra-high-net-worth clients who used the bank to move GBP 1.88 billion between 2011 and 2012. The relationship had been fast-tracked through approval processes, with insufficient challenge applied to the source of wealth information provided. The lesson: CDD quality cannot be sacrificed for client acquisition, regardless of relationship seniority.

Module 3: Beneficial Ownership Identification

3.1 The FATF Definition of Beneficial Owner

FATF Glossary definition: "The natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement."

Key word: natural person. Beneficial ownership always traces to a human being. It cannot terminate at a company, trust, or foundation. No matter how many layers of corporate structure exist, the exercise must continue until natural persons are identified.

The 25% threshold: A natural person holding 25% or more of a legal entity is presumed to be a beneficial owner. This threshold is a floor — it captures ownership-based control. Control can also be exercised through voting rights, contractual arrangements, or board positions below the 25% threshold. All such control pathways must be examined.

3.2 Tracing Beneficial Ownership Through Layered Structures

The practical challenge in BO identification is that criminal structures are designed specifically to defeat it. Common structures used to obscure the ultimate beneficial owner include:

Layered Corporate Chains

Company A owns Company B, which owns Company C, which owns Company D — the operating entity. Each company is in a different jurisdiction. The criminal controls Company D but does not appear in any register. Tracing requires: identifying the shareholder of D → identifying the shareholder of C → identifying the shareholder of B → identifying the natural person who controls A.

Red flags: Each layer adds opacity. Multiple offshore jurisdictions with weak BO disclosure requirements. Nominee shareholders at each layer. No discernible commercial reason for the layering.

Nominee Directors and Shareholders

A professional (lawyer, company formation agent, or trust company) acts as director or holds shares on behalf of the real owner. Nominee arrangements are legal in many jurisdictions — the problem is when they are used to conceal the real beneficial owner.

Red flags: A director sits on the boards of dozens of unrelated companies. The nominee provides no substantive information about the business. The nominee cannot explain the purpose of the company or identify the real controller.

Bearer Shares

Shares owned by whoever physically holds the certificate — no register of shareholders. FATF has called for abolition or immobilisation of bearer shares. Many jurisdictions have banned them; where they still exist, bearer shares are a high-risk indicator requiring EDD.

Trust Structures (FATF Recommendation 25)

For trust structures, FIs must identify:

  • The settlor — the person who created and funded the trust.
  • The trustee(s) — the legal owner of trust assets.
  • The protector (if any) — an oversight role that can direct or remove trustees.
  • The beneficiaries or class of beneficiaries — those who benefit from trust distributions.
  • Any other natural person exercising effective control over the trust.

3.3 FATF Recommendation 24 — Revised 2022

FATF revised Recommendation 24 in March 2022 (first formal amendment since 2012), with updated guidance published in March 2023. Key changes:

  • Multi-pronged collection approach: Countries must collect BO information through a combination of mechanisms — company registries, FI-collected CDD data, and direct disclosure from companies themselves. Reliance on a single source is no longer sufficient.
  • Accuracy requirements: BO information must be adequate, accurate, and up-to-date. Companies must have obligations to update BO information when it changes.
  • Competent authority access: FIUs, law enforcement, and tax authorities must have timely access to BO information. Public access is not mandated by FATF but many jurisdictions (particularly EU members) have opted for public registers.
  • Risk-based approach applied to legal persons: Countries must assess which types of legal persons pose the highest BO transparency risk and apply proportionate measures.

BO Verification Sources in Practice

For FIs operating in Africa and Asia, BO verification sources include:

| Source | Examples | Limitation |
|---|---|---|
| National company registries | Companies House (UK), CIPC (South Africa), CAC (Nigeria), Registrar of Companies (Kenya) | Quality varies; many African registries have incomplete or unverified data |
| International databases | GLEIF (Legal Entity Identifier), Dun & Bradstreet, World-Check, Refinitiv | Coverage of smaller local entities limited; may not capture recent changes |
| Direct customer disclosure | BO declaration form; articles of association; shareholder register | Self-reported — requires independent verification |
| Open source / media | Corporate filings, news reports, court records, stock exchange disclosures | Coverage uneven; negative results don't prove absence of adverse information |

BO tracing exercise — four company structures

Test your understanding with these BO tracing examples.

| Structure | BO Finding | Action Required |
|---|---|---|
| Company A: 100% owned by natural person Ahmed, who is a domestic PEP | Ahmed is the BO | EDD applies — PEP connection means mandatory EDD regardless of company structure |
| Company B: owned by Company X (60%) and Company Y (40%). Both companies are registered in a low-disclosure jurisdiction, directors are nominees | BO not yet established — must trace ownership of X and Y | Request shareholder registers of X and Y; if BO cannot be established, consider declining or filing STR |
| Company C: listed on Nairobi Securities Exchange, 100% public float, quarterly disclosures filed with CMA | Listed company — potentially lower risk | Simplified CDD may apply — BO can be verified via exchange filings; no single individual holds 25%+ |
| Trust: settlor is unknown, trustee is a corporate trustee, beneficiaries are "the settlor's family" | Insufficient — settlor, all trustees, and all beneficiaries must be identified individually | Request full trust deed; identify all natural persons; if settlor identity cannot be established, do not proceed |

Module 4: Ongoing Due Diligence and Record-Keeping

4.1 What Ongoing Due Diligence Requires

FATF R.10(d) requires ongoing monitoring of the business relationship and scrutiny of transactions to ensure consistency with the institution's knowledge of the customer, their business, and risk profile.

In practice, ongoing CDD involves three overlapping activities:

Transaction Monitoring

Every transaction is compared against the expected profile established at onboarding. Transactions that deviate — in amount, frequency, counterparty, geography, or nature — generate alerts for investigation. The depth and sensitivity of monitoring are calibrated to the customer's risk rating.

Periodic Customer Reviews

At defined intervals (typically annually for high-risk, every two to three years for standard, every five years for low-risk), the institution reviews the customer's CDD file to confirm that:

  • Identification documents remain valid.
  • The customer's business activities and risk profile remain as expected.
  • Beneficial ownership information is current.
  • No new risk factors have emerged (adverse media, regulatory alerts, PEP status changes).

Event-Triggered Reviews

Certain events must trigger an immediate review, regardless of the scheduled review cycle:

  • A significant, unexplained change in transaction behaviour.
  • Adverse media report naming the customer.
  • Customer becomes a PEP (elevation in political exposure).
  • Law enforcement or FIU enquiry related to the customer.
  • Transaction monitoring generates multiple unresolved alerts.
  • The customer's business activity changes significantly.

4.2 The CDD Lifecycle — Detect, Predict, Prevent, Manage

According to ANZ Bank's practitioner framework presented at ACAMS, a high-quality CDD programme operates across four phases throughout the customer lifecycle:

| Phase | Stage | Key Activities |
|---|---|---|
| Prevent | Pre-onboarding | Risk assessment of proposed customer type. Sanctions screening. PEP screening. Decision on CDD level required. Senior approval for high-risk categories. |
| Detect | Onboarding | Identity verification. BO identification. Purpose/expected profile established. Risk rating assigned. |
| Predict | Ongoing relationship | Transaction monitoring against expected profile. Anomaly detection. Customer segmentation and peer group analysis. |
| Manage | Review / exit | Periodic reviews. Trigger reviews. STR consideration. Relationship exit decisions. Regulatory reporting. |

4.3 Record-Keeping — FATF Recommendation 11

All CDD and transaction records must be maintained for a minimum period. FATF R.11 sets out the core requirement:

FATF Recommendation 11: Financial institutions must maintain all necessary records on transactions and CDD for a minimum of five years from: (a) the date of the transaction (for transaction records); or (b) the end of the business relationship (for CDD records).

What must be retained:

  • CDD documents: identification documents, BO documentation, and all supporting evidence collected during the relationship.
  • Transaction records: sufficient detail to reconstruct each individual transaction — amount, currency, date, counterparty names and account numbers.
  • STR filings and supporting documentation (the STR itself and the underlying investigation file).
  • Training records: completion records for all AML/CFT training.

Availability: Records must be available to competent authorities and regulators on request — promptly and without excessive delay. An FI that holds records but cannot produce them efficiently fails the R.11 obligation just as surely as one that destroys them early.

Storage format: FATF permits electronic storage. Records must be retrievable and legible for the full five-year period. Where records are in a foreign language, institutions in some jurisdictions must be able to produce translated versions on request.

Module 5: CDD Challenges in Emerging Markets

5.1 Structural CDD Challenges in Emerging Markets

Applying FATF's CDD standards in Sub-Saharan Africa, South Asia, and Southeast Asia presents practical challenges that do not exist in the same form in advanced economies:

Informal Economies and Cash Dependence

Large proportions of economic activity in many emerging markets occur outside the formal financial system. Customers may have limited formal documentation of income, business activity, or address. Requiring proof of salary, tax returns, or utility bills as CDD evidence can exclude large segments of the legitimate population.

FATF position: Financial inclusion is explicitly recognised in FATF guidance. The RBA permits simplified CDD for lower-risk customers and basic financial products. An inflexible CDD requirement that excludes the unbanked is inconsistent with the proportionality principle of R.1.

Weak Company Registries

In many ESAAMLG and GIABA member states, company registries are incomplete, not publicly accessible, or contain inaccurate data. BO registers do not exist in several jurisdictions. FIs cannot rely on registry data alone for BO verification and must compensate with:

  • Direct customer disclosure (BO declaration forms, corporate documents).
  • Site visits for higher-risk customers.
  • Cross-referencing against commercial databases and media.
  • Interview-based due diligence conducted by relationship managers.

Mobile-Only Customers

In East Africa and West Africa, a significant proportion of the adult population has a mobile money account but no bank account. CDD for mobile money customers must contend with:

  • No physical branch — verification is remote or agent-assisted.
  • National ID card may be the only available verification document — and ID card quality varies significantly across jurisdictions.
  • Agent-assisted CDD creates a third-party reliance chain — the agent who onboards the customer is performing CDD on behalf of the MNO or MFI.

Duplicate and Fraudulent Identity Documents

Document fraud — including forged national ID cards, duplicate identities, and stolen documents — is documented in FATF and ESAAMLG/GIABA typologies reports as a significant emerging market risk. CDD systems that rely solely on document review without electronic verification are particularly vulnerable.

5.2 Digital Identity as a CDD Solution

FATF published its Guidance on Digital Identity in March 2020, explicitly confirming that digital identity systems can satisfy CDD requirements where they meet appropriate assurance levels.

Emerging market applications of digital identity for CDD:

  • Kenya: Huduma Namba (national ID system) — biometric data linked to national identity number. M-PESA uses the national ID number as a core CDD identifier.
  • Nigeria: BVN (Bank Verification Number) — biometric-linked unique identifier for every bank customer, introduced in 2014 by the CBN. Widely used as the foundation for CDD across Nigerian banks.
  • India: Aadhaar biometric ID system — used by financial institutions for eKYC, significantly reducing the time and cost of customer onboarding.
  • Ethiopia: Fayda national digital ID programme — still maturing; National Bank of Ethiopia has begun integrating it into financial sector CDD requirements.

FATF guidance on digital ID assurance levels: The higher the ML/TF risk, the higher the required assurance level of the digital identity system. Low-assurance digital ID (e.g., self-reported mobile number) may be insufficient for a high-risk relationship. High-assurance digital ID with biometric verification may satisfy full CDD obligations.

5.3 Practical CDD Improvements — ANZ Practitioner Model

According to ACAMS practitioner guidance, institutions operating in data-poor emerging market environments can improve CDD quality through:

  • Consistent data collection: Standardised CDD forms across all branches and channels — globally consistent practices for data collection.
  • Single customer view: Linking all customer data (from all products and channels) into a unified record. Inconsistencies between records are red flags.
  • Exception reporting: Automated flags for CDD gaps — missing documents, expired IDs, unverified BO fields — rather than relying on manual review.
  • Clear accountability: Every CDD record has a named owner responsible for its completeness. Quality controls monitor completion rates.
  • Consequence management: Staff who fail to complete CDD properly face documented consequences — compliance failures are not cost-free at the individual level.

Module 6: Final Assessment

Answer all 30 questions. A score of 80% or higher (24/30) is required to receive your certificate.

Section A: Multiple Choice (Questions 1–15)

1. Under FATF Recommendation 10, CDD must be applied when a customer carries out an occasional transaction above which threshold?

2. Which of the four CDD measures requires the institution to confirm information is true against an independent source?

3. Simplified CDD cannot be applied when:

4. Under the FATF framework, beneficial ownership always traces to:

5. If no natural person is identified above the 25% beneficial ownership threshold, what must the institution do?

6. EDD for a PEP relationship requires which THREE actions under FATF Recommendation 12?

7. Under FATF Recommendation 11, CDD records must be retained for a minimum of:

8. FATF Recommendation 24 was revised in 2022 to require countries to adopt which approach to BO information collection?

9. When a financial institution relies on a third party to perform CDD, which party retains ultimate responsibility?

10. Under FATF R.13 for correspondent banking, which institution must never be accepted as a respondent?

11. Nigeria's BVN (Bank Verification Number) was introduced as a CDD tool in which year?

12. Which of the following is the correct description of "source of funds" in an EDD context?

13. FATF guidance on financial inclusion and CDD states that:

14. A customer's identity document has expired. Which CDD trigger applies?

15. Bearer shares are high-risk because:

Section B: Scenario Questions (Questions 16–25)

16. A customer walks into a branch and wants to wire USD 18,000 to a family member overseas. They have no existing account. What CDD trigger applies?

17. A relationship manager introduces a new corporate client. The client's BO structure shows three layers of companies, each in a different jurisdiction, with nominee directors at each layer. No natural person has been identified. What should the CDD team do?

18. An existing low-risk customer suddenly starts receiving USD 50,000 per month from six unrelated foreign entities. The account manager says the customer is an old friend and vouches for them. What should compliance do?

19. A microfinance institution serves rural farmers who have no government-issued ID. Which FATF principle supports offering them a basic account with proportionate CDD?

20. A compliance officer realises that CDD records for customers onboarded seven years ago have been deleted. Under R.11, is there a compliance issue?

21. A bank introduces a customer to a sister bank under the group's shared CDD arrangement. The sister bank says it doesn't have the CDD file but will send it "next week." Can the receiving bank proceed?

22. A customer applying to open a business account refuses to provide beneficial ownership information, claiming it is "confidential business information." What should the institution do?

23. An FI is onboarding a correspondent bank from a jurisdiction on the FATF grey list. What additional steps are required compared to a standard correspondent relationship?

24. A trust presents itself as a customer. Who must be identified under FATF R.25?

25. A Barclays Bank enforcement action cited in ACAMS materials involved a fine of GBP 72 million for what failure?

Section C: True / False (Questions 26–30)

26. CDD is a one-time exercise completed at customer onboarding — once complete, no further CDD is required unless the customer requests a new product.

27. The 25% beneficial ownership threshold under FATF guidance is a floor — control exercised through other means below 25% must also be investigated.

28. Under FATF Recommendation 11, transaction records must be retained for five years from the date of each transaction.

29. FATF's Digital Identity Guidance confirms that digital identity systems can satisfy CDD verification requirements where they meet appropriate assurance levels.

30. A financial institution that accepts third-party CDD from an introducer transfers its AML/CFT liability to that third party.


Issued by Anqa Compliance