
Customer Due Diligence (CDD) Procedures for Law Firms

09 December 2024

Customer Due Diligence (CDD) is one of the most important procedures for Anti-Money Laundering (AML) compliance, ensuring firms meet regulatory requirements while creating trust and transparency in client relationships. This process is crucial in mitigating risks, particularly for legal professionals who handle sensitive information and manage complex transactions on a daily basis.

In this article, we’ll explore what a CDD procedure entails, the risks specific to those offering legal services where heightened vigilance is necessary, and how law firms can implement robust and effective CDD processes into their AML compliance plan.

Why Is Customer Due Diligence Important?

Customer Due Diligence is a systematic process used by firms to verify the identity of their clients and assess potential risks, including those relating to money laundering and sanctions.

In keeping with the Money Laundering Regulations 2017 (MLR 2017), CDD is a mandatory requirement designed to prevent the misuse of professional services for illicit purposes, used alongside other “Know Your Customer” (KYC) checks.

MLR 2017 outlines specific obligations for legal professionals, including identifying and verifying the identity of clients, beneficial owners and persons with significant control, understanding the nature of the client’s situation or business, and ongoing monitoring to be alert for irregularities. These regulations emphasise a risk-based approach, meaning that the depth of CDD measures should be proportionate to the perceived risk posed by each client.

Ultimately, irrespective of how CDD has been conducted or who conducts it, responsibility for its accuracy, application and authenticity rests with the solicitor or other qualified fee earner who has day-to-day conduct of the matter.

The 3 Types of Customer Due Diligence

CDD is not a one-size-fits-all activity; there are three different types within the broader term, all of which depend on the nature of the client and the instruction. Law firms can fall foul of SRA expectations if they apply an inappropriate level of CDD, since the measure may be insufficient for the client risk level, exposing the firm to potential harm. Let’s take a look at each level:

Simplified Due Diligence (SDD)

SDD is applied to the lowest-risk scenarios where the likelihood of money laundering is minimal, such as dealing with huge public bodies like the NHS, large charities like the RNLI, or PLCs such as Barclays Bank or Hiscox Insurance. SDD involves the most basic identity verification without the need for extensive risk assessments, lessening the burden on time and resources. However, it is only very rarely applicable to the work conducted by most “high-street” firms.

Regular Due Diligence (RDD)

This form of due diligence is the most commonly used, encompassing the majority of transactions and client relationships. It includes verifying identity, understanding the purpose of the relationship, considering the source of funds, and assessing risk based on the client’s background and transactions.

Enhanced Due Diligence (EDD)

The highest level of scrutiny, EDD is required for clients, instructions or situations with an elevated risk profile, such as dealing with politically exposed persons (PEPs), clients from high-risk countries or nations subject to financial sanctions, or complex transactions. These extended checks involve additional identity verification, extended checks on sources of wealth, further ongoing monitoring, closer scrutiny of relationships between various entities such as business interests or persons, and often require approval from senior managers before continuing the business relationship.

What Does Customer Due Diligence Involve?


CDD involves a step-by-step process, which typically includes the following activity:

1. Verifying the Client’s Identity

The first step is to obtain information to confirm the client’s identity. This typically includes collecting official identification documents such as passports, driving licences, or other government-issued IDs for individuals. It might also include conducting electronic checks.

A meeting with the client, either in person or via online conferencing, duly recorded with the name of the firm’s representative who was present and the date on which the meeting took place, is another important factor.

Where the client is an entity, company directors and trustees, for example, are also identified as individuals. And, where the client is a regulated person or entity, checks could take place through information obtained from their regulator.

On occasion, some firms make use of reliance, where a regulated individual outside the firm provides some components of the CDD evidence. This methodology, however, presents potential risk as to the integrity and authenticity of the information provided.

2. Understanding the Nature of Various Entity Relationships

To understand where funds for a transaction are originating from, legal professionals must gather information about client relationships with third parties, especially in relation to business operations or potential contact with PEPs. These checks are intended to identify sources of funds and/or sources of wealth. Checks are also performed to better understand the entity's operations and evaluate whether there are potential risks in terms of money laundering or corruption. Checks will commonly include associated parties such as directors, shareholders or trustees where applicable, and might also include perusal of information from Companies House or the Charity Commission, for example.

3. Identifying Beneficial Ownership or Persons of Significant Control

Firms need to identify who the “Beneficial Owner” of the transaction is. A Beneficial Owner, in a business sense, is typically someone who owns (directly or indirectly) a significant percentage of a company’s shares or voting rights, or has significant influence on its decisions. A related term is “Persons of Significant Control”. For example, Rupert Murdoch is a 14% shareholder, but currently retains 41% of the voting rights in News Corp. Similarly, Google’s founders Larry Page and Sergey Brin hold a controlling 51% of the voting rights in parent company Alphabet via a 12% shareholding.

Verifying the identity of any Beneficial Owners and Persons of Significant Control is important to uncover potential risks or hidden criminal beneficiaries. Firms must investigate the ownership structure, nominee arrangements or trusts, and the involvement of third parties.

4. Assessing Risk Levels

Firms are required to perform a risk assessment to determine whether a client poses a standard or heightened level of risk. High-risk clients, such as PEPs, individuals from high-risk nations, or those involved in complex financial arrangements, may necessitate Enhanced Due Diligence (EDD).

5. Ongoing Monitoring

CDD is not a one-off process - it requires continuous monitoring of the client relationship, including reviewing the client’s activities and transactions for inconsistencies or suspicious behaviour. This step is essential for ensuring that the information held by the firm remains accurate and up-to-date.

6. Record Keeping

Legal professionals must maintain detailed records of all CDD measures, including copies of identification documents, details of meetings, risk assessments, and transaction details. These records must be kept for five years after the end of the business relationship, as required by MLR 2017. After those five years, the legal basis for processing (Article 6 of the GDPR) changes, so that, as components of personal data, the continued retention of documents obtained for CDD must be given due consideration, and the associated data subject(s) must be informed accordingly.

When Is Customer Due Diligence Required?

CDD measures are required during the following situations:

  1. New Client Relationships: At the outset of any client relationship, to verify identity and understand the purpose of engagement.
  2. Inadequate Documentation: When a client provides insufficient or unreliable identification information, prompting further verification.
  3. Infrequent or Unusual Transactions: For occasional clients or infrequent transactions, to assess legitimacy and risk.
  4. Suspicious Activity: If unusual behaviour, inconsistent information, or potential money laundering is suspected.
  5. Changed Circumstances: When there are significant changes in a client’s situation or transactions, requiring risk reassessment.
  6. For donors or giftors: When an individual or entity that is not the client donates money for a transaction, such as a Gifted Deposit. Such donors must also be subject to appropriate CDD.

What Should You Do if You Notice Any Red Flags During CDD Checks?

CDD measures are designed so that any red flags can be easily identified, exposing potential financial crime at the earliest possible point. If you notice such warning signs, for example suspicious transaction patterns, some or all of the following might be necessary:

  1. Escalate the Case: Refer the matter, without delay, to your firm’s Nominated Officer or Money Laundering Reporting Officer (MLRO) for further investigation.
  2. Conduct Enhanced Due Diligence (EDD): Apply stricter verification and monitoring measures to better understand the risks.
  3. File a Suspicious Activity Report (SAR): If you suspect money laundering or criminal activity, submit a SAR to the National Crime Agency (NCA).
  4. Pause Transactions: Delay or suspend any transactions until the concerns are resolved or cleared by the MLRO. However, you must be careful to avoid “tipping off” the suspected party or parties.

What Are the Benefits of CDD Compliance?

CDD measures have a wide range of benefits for each firm, which commonly include:

  • Compliance with regulations such as the MLR 2017, thus helping to avoid fines and legal penalties associated with AML failures.
  • Identifying and managing high-risk clients or transactions reduces exposure to money laundering, terrorist financing, and other financial crime.
  • A structured CDD process strengthens risk assessments and decision-making, improving the overall efficiency of the firm’s daily activities.
  • Preventing involvement in criminal activities safeguards the firm’s reputation and reduces potential damage from regulatory scrutiny.

What Challenges Do Solicitors Face With CDD?

Like most checks associated with AML compliance, there are some challenges which solicitors will have to overcome. These include:

  • Balancing the thoroughness of processes with client confidentiality can often be demanding.
  • Limited resources can restrict the extent to which processes are followed.
  • Implementing new technology can be costly and require regular updates.
  • Dealing with high-risk clients can increase workload and scrutiny.
  • Time constraints during daily workloads can prolong client waiting times.
  • A lack of understanding of AML obligations can create gaps in the measures applied.
  • Keeping up with changing regulations can place a strain on smaller firms in particular.

The Future of CDD: Technological Advances

The adoption of new technologies has significantly enhanced CDD checks, particularly through the use of electronic Know Your Customer (eKYC) and EID/V tools. eKYC refers to the digital process of verifying the identity of clients, using technologies like digital ID verification and secure online databases. EID/V, a subset of eKYC, allows firms to cross-check client details against trusted digital sources, ensuring faster, more accurate identity validation. Some providers of such technology include:

By using new technologies, solicitors can apply automation to augment some of the more time-consuming CDD tasks, reduce the risk of human error, and enable real-time verification of clients.

Firms should regularly ‘vet’ the services provided to measure their effectiveness and accuracy, recording the outcomes of those reviews.

It is also important to bear in mind that even with extensive scrutiny, such systems and platforms are not infallible and that they do not absolve the fee earner or the firm of responsibility for appropriate and accurate CDD and associated record keeping.

Strengthen Your CDD Knowledge Through Our AML Training

Knowing your AML obligations inside-out can be a difficult task, but at PDA Legal, we help solicitors and firms to feel more confident in their understanding and dealing with CDD and AML risk.

Our AML training services include CDD and broader KYC requirements, compliance controls, the risks of tipping off, and more, helping to equip firms in the fight against financial crime. For more information about our AML training or to book a free, no obligation consultation, please contact us today.
