What is simplified due diligence (SDD)?

Before entering into a relationship with a new customer, financial institutions must establish what level of due diligence to perform. This decision will be determined by a number of factors that, combined, provide a customer risk score, highlighting whether they pose a low, medium, or high risk of money laundering and/or terrorist financing (ML/TF). 

What is simplified due diligence?

Simplified due diligence (SDD) is the lowest level of customer due diligence (CDD) that a financial institution can employ. It is a brief identity verification process that can be applied to eligible customers when the risk of money laundering or terrorist financing is deemed very “low”. It precedes standard due diligence – the most common level applied to low and medium-risk customers – and enhanced due diligence (EDD) – applied to high-risk customers.

Compared to higher levels of due diligence, SDD entails less intensive means of gathering information. Despite this, SDD must still respond to the four components of CDD outlined by the global financial crime watchdog, the Financial Action Task Force (FATF). These include:

• Customer identification and verification
• Beneficial owner identification and verification
• Understanding the purpose and nature of the relationship
• Ongoing monitoring

Who qualifies for simplified due diligence?

While every new prospective customer must undergo identity checks and verification, not every customer will qualify for SDD. Generally, the following customer types qualify for SDD because of their inherent low risk of ML/TF:

• Financial institutions that are subject to money laundering requirements, such as the European Union Anti-Money Laundering Directives (AMLDs)
• Entities that are accountable to a community institution and subject to appropriate check and balance procedures
• Public authorities that have a publicly available identity and transparent accounting practices
• Customers offering certain insurance policies, electronic money products, or pensions

However, the above list may vary depending on the jurisdiction, as not all countries permit SDD to be performed in the same way or under the same circumstances. In the EU, the Fourth Anti-Money Laundering Directive (4AMLD) noted that firms could no longer automatically apply SDD measures to a “pre-defined” list of customers. Instead, firms must now actively demonstrate low risk and provide robust rationale for using SDD. 

In Canada, firms can apply the “simplified identification method” to seven specific types of entities issued by Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), provided firms also record their grounds for considering there is a low risk of ML/TF. By contrast, New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism Act 2009 defines 19 customer types eligible for SDD. 

When is simplified due diligence needed?

Of the 40 Recommendations provided by the FATF, Recommendation 10 focuses on CDD, which includes SDD. The FATF recommends that due diligence measures should be undertaken when:

• Establishing a business relationship
• Suspicion is raised about money laundering or terrorist financing
• The financial institution questions the adequacy of previously obtained customer identification data
• Carrying out occasional transactions above the designated threshold (USD/EUR 15,000)

In these instances, firms will often undertake due diligence measures to identify the account’s beneficial owner, obtain information on the intended purpose of the business relationship, and complete source of wealth (SOW) and source of funds (SOF) checks. But, if there is a proven low risk of ML/TF and the account relates to a particular type of financial institution or activity, firms may decide to undertake a simplified set of due diligence measures. 

The FATF provides a non-prescriptive list of instances when SDD may be required:

• A financial activity (other than the transferring of money or value) is carried out by a natural or legal person on an occasional or very limited basis
• A financial product or service provides appropriately defined and limited services to certain types of customers
• A household has an average monthly income less than a predetermined amount

When identifying lower-risk situations suitable for SDD, compliance staff should ensure the scenarios are consistent with the assessment of overall ML/TF risks identified on a country and company-wide level. 

The Compliance Team’s Guide to Customer Onboarding

Learn how to prioritize risk and effectively manage it in our 5-part training series for compliance professionals.

Download now

What are the steps involved in the SDD process?

1. The first stage of SDD is known as the customer identification process (CIP). This occurs during the customer onboarding phase before a business relationship has been established. During this stage, firms must ensure the sources they use to identify their customers are reliable and independent to mitigate the risk of criminals being onboarded with expertly forged documents.

2. Once a customer has been identified, firms must then determine the level of due diligence to perform. This decision should be made in light of an organization’s risk appetite informed by its business-wide risk assessment, which should also form the basis of a firm’s policies and procedures. These policies should indicate the type of customers and industries a firm is willing to do business with.
When assessing whether SDD is the appropriate level of due diligence to perform, compliance teams should consider their firm’s risk ratings related to:

• Customer-type 
• Jurisdiction
• Occupation
• Products and services offered
• Account-type
• Ownership structure

3. If the customer is deemed low-risk across the factors listed above, a simplified, less detailed identity verification process can begin. At this stage, firms can use public information or rely on fewer documents to verify a customer’s identity. Beneficial owners may also be identified without seeking additional information or documents to verify their identities. The purpose and nature of a proposed business relationship can also be inferred from the nature/type of both the client and the desired product or service.

4. Once the customer’s identity has been verified and they have been successfully onboarded, firms must undertake ongoing monitoring measures to ensure the client remains low-risk. If any unusual activity is flagged during this stage that is not commensurate with the customer’s risk profile, firms may decide to employ greater levels of CDD.

What is the difference between SDD and EDD?

Making up both ends of the due diligence spectrum, SDD and EDD differ in many ways. The table below outlines where they diverge across each element of the know-your-customer (KYC) process.

Ultimately, effective CDD measures are built on a combination of expertise and technology. As customer risk scores and criminal threats evolve, firms must be prepared to be flexible with their due diligence process. While SDD measures are less time and resource intensive than standard due diligence or EDD, firms should still utilize autonomous systems that refresh entity profiles within minutes of a change, lest a customer’s risk profile changes and they are no longer eligible for SDD.