What is Enhanced Due Diligence in the context of bitcoin and cryptocurrency?
Certain customers may trigger enhanced due diligence review based on certain behaviors that regulators consider to pose a higher risk for financial crime like money laundering.
Protecting your business from financial criminals, fraudsters, and regulatory scrutiny isn’t a one-and-done task. As we’ve detailed throughout our 101 blog series, good AML compliance is a day-to-day responsibility.
In a recent post, we talked about one of the foundational daily compliance practices for cryptocurrency MSBs: Know Your Customer/Customer Due Diligence (KYC/CDD). Knowing who your customers are and their purposes for doing business with you is a fundamental feature of good compliance.
But not all customers (and not all transactions) are created equal. As you monitor your customers, you will start to notice patterns over time.
Some customers will engage in behavior that signals a higher risk of money laundering or terrorist financing. These customers may execute transactions more frequently. Others will exclusively purchase or sell large amounts of cryptocurrency.
There is another level of oversight to be applied to customers who pose a higher risk to your institution. It is called Enhanced Due Diligence.
We’re continuing our series of cryptocompliance 101 posts to help cryptocurrency business owners understand the regulatory landscape, its nuances, and what steps need to be taken to strengthen their compliance.
Today’s topic is Enhanced Due Diligence (EDD). In this post, we will:
- Explain what EDD is in detail
- Answer questions about what kind of customer behavior should trip an alert for EDD review
- Explore how cryptocurrency businesses can implement EDD practices into their compliance program.
And if you have more questions, reach out! We offer free consultations to help cryptocurrency businesses make sure their AML compliance is built to satisfy all federal and state regulatory requirements.
Let’s get started!
What is Enhanced Due Diligence (EDD)?
EDD is a procedure for monitoring and reporting customers or customer transactions that pose a higher risk of money laundering or terrorist financing to the institution (i.e., you, the business owner).
This might sound similar to what we covered in the KYC/CDD post. Indeed, the two are related. Just as KYC/CDD procedures were developed as a best practice to comply with Bank Secrecy Act (BSA) regulations, EDD creates an extra layer of compliance with the BSA and FinCEN, and thus, more protection for business owners like you.
In short, think of EDD as an extension of KYC/CDD for higher-risk customers and transactions.
Importantly, new guidelines issued by FinCEN in 2016 (implemented May 11, 2018) require financial institutions to obtain something called “beneficial ownership information” from customers.
What this means is that financial institutions must collect yet more information from customers to determine not just who the customer you’re dealing with is, but whether that customer is merely executing business on behalf of another entity or individual, or the “beneficial owner.”
Think of the beneficial owner as the “true” owner of the account; it is the person or entity that actually benefits from doing business with you.
Because this new rule requires financial institutions to collect more information from customers, financial and compliance professionals have grouped it under EDD to differentiate from, and also enhance, regular CDD procedures.
Remember that strong AML compliance takes the conservative approach of mimicking traditional financial compliance due to a lack of regulatory clarity on cryptos. Because of this, it might sound like EDD is for rarified exceptions that you’re not likely to encounter much in your business.
On the contrary, EDD is as essential a feature of strong compliance as anything else we have covered, and given the inherently heightened risk cryptocurrency poses for money laundering and terrorist financing, robust EDD is absolutely critical.
What your business requires in terms of EDD policy and procedures will depend on the nature and severity of the risk posed to you. Determining that level of risk will depend on the behavior and profile of your customers.
So, in short, how do you know when a customer should trigger an EDD review? What exactly do you need to look for in your customers and their transactions?
How do you know a customer needs an EDD review?
As we covered above, EDD’s primary purpose is to manage a higher risk of money laundering and terrorist financing that is posed by high-risk customers. But how will you know if a customer is high risk?
Some of your customers will pose a higher risk to your cryptocurrency business because of their activity, profile, transaction volume, and frequency, among other things.
Generally speaking, customers that should trigger EDD review are those that:
- Execute approximately 5 or more transactions in a month.
- Execute one or multiple transactions in the amount of $10,000 or more.
- Provide identification not issued by a state in which your business is registered or licensed.
Additionally, any customer may be flagged for EDD review by your BSA Compliance Officer. There may be instances or patterns that appear suspicious and warrant more extensive review. Anyone in your company who notices suspicious activity should report it to the BSA Compliance Officer. Ultimately, it’s the BSA Compliance Officer’s decision to flag a customer for EDD review.
What does EDD review entail?
Again, your EDD policy and procedures will depend on a lot of things unique to your institution, including your business model, location, and risk profile determined by a risk assessment performed by a third-party compliance expert.
However, EDD will always entail gathering more information from the customer flagged for review. This could include more documentation from the customer as to the nature of their business, a telephone interview, and potentially media research to see if your customer pops up negatively (i.e., if their name is included in a news story as a potential suspect in criminal activity).
When should an EDD review take place?
Your customers may qualify for EDD review the minute they become your customer for the first time. Regardless of when a customer is flagged for EDD review the first time, said customer and his/her transactions should be reviewed frequently throughout your business relationship with them.
Imagine EDD as a “yellow light” for your customers. You will continue to do business with them, but watch them closely.
You must also be prepared to terminate your relationship with them immediately if your BSA Compliance Officer determines that they pose too high a risk to your institution, or if they refuse to comply with an EDD review.
Once EDD review of a flagged customer has been completed, the BSA Compliance Officer must report his/her findings to your company’s Board of Directors, and file any necessary reports, including Suspicious Activity Reports, in a timely fashion as determined by regulations.
How to apply solid EDD practices to your cryptocurrency business
The first step to mitigating bitcoin compliance issues is to have a third-party perform a risk assessment so that you can determine your company’s risk profile and the levels of risk your customers pose to your institution.
As we said above, no two cryptocurrency businesses have the same risk factors to consider. Your business model, location, products and services, and other considerations will determine your overall risk factor. Subsequently, your policies and procedures, including your thresholds for customer EDD review, will be more effective at protecting your business.
While this article should give cryptocurrency business owners an idea of what an EDD policy entails, it does not constitute an exhaustive EDD policy or associated procedures. There is no substitute for third-party compliance experts that work exclusively with cryptocurrency companies like those employed by BitAML.