Blog

Enhanced Due Diligence: Ensuring KYC and Regulatory Scrutiny

James Efron
September 16, 2019
7 minutes read
2816

Enhanced Due Diligence: The adoption of innovative solutions in businesses today, should not have the sole purpose of making profits. A broader vision is required that could abstractly look into the secondary dependencies that can impact a business. These dependencies vary from the third-party services and businesses to associated regulations and compliance requirements. Instead of limiting the focus on business revenue generation, knowledge of local regulations and guidelines should also be ensured.

Customer identification and verification become a crucial step for businesses to meet the Know Your Customer (KYC) guidelines. While partnering with third parties and businesses, especially the financial institutions and banking industry who has a lot to deal with multiple other industries should ultimately comply with the need of knowing them fully. This serves as the primary step to curb the risks of harsh penalties and local regulatory fines.

A recent study shows that In the EU, regulatory fines can reach up to €20 million. This could be estimated to be 4% of the business annual revenue. Per violation, it costs about $1,000,000 in countries like Australia and Brazil. KYC compliance is the step that can deter the risks of such huge monetary loss. The banks when open new accounts for users need to conduct the Customer Due Diligence (CDD) process. This process ensures the identity of the user under certain KYC parametres. It includes the Anti-money Laundering (AML) background checks, terrorist financing, and checks for Politically Exposed People (PEPs) to ensure that any forbidden entity does not dare to be the part of the legitimate business.

Enhanced Due Diligence (EDD) is an advanced concept of CDD, the security perspectives and guidelines that are CDD do not cover are wrapped up by EDD. It ensures a high-level security potential that could impact the business directly or indirectly. The hidden security challenges, identity assurance, risk assessments, and evaluation are part of EDD. The high-risk privacy and security concerns are eliminated with EDD compliance at an organizational level. The monitoring and screening of entities and transactions reduce the chances of online fraud and payment scams. Also, introduce soundness and reliability in the business.

The intersection of Enhanced Due Diligence and KYC

EDD and KYC both fulfill the purpose of customer authentication. EDD policies intersect with KYC ensuring the rigorous onboarding process for the end-users. The data should be collected, examined and processed with responsibility and detailed auditing should be performed to keep track of the activities been performed in the system. Controlled data access should be done in order to limit the number of users accessing sensitive user data. In this way, there will be fewer chances of integrity interruption within the data. EDD requirements also assure KYC risks associated with each verification process, with individual risks calculation and assurance before further processing. Also, Identities should be verified against money laundering and counterterrorism checks that make sure the honest traffic on board.

Under the hood of local regulatory compliances, EDD ensures the data privacy and protection rights associated with the user. User data privacy rights include the intentions for which data are collected, analyzed and processed. The time span to which data will be saved in the database and the tasks in which data will be used is also answered. The organizations that fail to comply with these laws are subjected to heavy lawsuits.

Regulatory Penalties Around the World

The comparison of data protection regulations around the globe is done, among which it is discovered that about 65% of countries have made amendments into their policies or have adopted the GDPR requirements when it was announced. Penalties can be demonstrated on the basis of local regulatory compliance by the countries and how they see it. This alignment of lawsuits can extend in case of non-compliance accordingly. The fines are not only applicable to the ones who undergo some cyberattack or data breach but it doles out to each individual business who does not comply with local regulators. Below are some of the countries and companies who are recently fined:

Germany: first fine Germany faced back in July 2018. A German social media network named Knuddles got hacked which compromised the information of more than 330,000 users which includes 808,000 email addresses and relevant passwords. The reason, this information got hacked was that Knuddles has stored the user information in plain text which is entirely against the GDPR law. The company this breach in September and blocked all the affected user accounts and informed those users. Due to this data breach, Knuddles was subjected to a small fine of €20,000, which was under debate by many people. Although local regulators find it totally proportional to the loss the company has made due to data breach. After this, the company put strong security measures to protect their system from similar and further incidents of a data breach.

Poland: Poland’s DPA subjected to a fine of €220,000 on April 1, 2019. A digital marketing agency, Bisnode failed to dole up with the requirements of GDPR. Bisnode scraps the data and process it, but without notifying the data subjects, which leads them to a heavy fine. As it is the GDPR law, that without the permission of subjects, user data cannot be used. Additionally, Bisnode was supposed to mail 6 million people in the next three months which cost them an extra €8 million. If this company has notified its end-users previously could avoid this heavy risk.

Google: In January 2019, Google subjected to a heavy fine of €50 million. The violation of the requirements of GDPR was taken in notice when data subjects complaint about the inappropriate method of Google for asking consent from them. The lack of transparency is one of the key points of GDPR which was not fulfilled. According to GDPR, consent should be freely given, must be informed, must be granular and should involve affirmative action. But, Google failed to comply with all these specifications as the boxes for consent were pre-ticked which is not considered as valid consent.

How Enhanced Due Diligence help avoid Penalties?

One of the major challenges with EDD is to know how much information is required from a customer to verify the identity. Electronic checks are implemented by financial institutions that automate the tasks of verifying identities against money laundering and terrorist financing. These tasks are audited automatically which keeps the track of entities entering and leaving the system while screening them against multiple checks. Their activities are constantly monitored to avoid the chances of malicious actors being part of the system.

Online Identity Verification

Verify the onboarding customers using a bunch of necessary information which includes personal information i.e. name, date of birth, address, age, etc. (varies with the niche of businesses accordingly). This can reduce the risks of online fraud that take place every now and then with multiple faces.

Avoid Financial Crime

With EDD, dirty money can be prevented which includes the money from PEPs, terrorists, and money launderers. The necessary security precautions are covered by EDD due to which soundness and transparency in the system are ensured that deters the risks of financial crimes.

Clear Compliance Details

The compliance details of the company should be obvious. It is not necessary that a data breach explicitly shows how secure your software is, but the key step is complying with local regulators and privacy programs. In the business’ policies, all the compliant documentation should clearly mention the laws that are required by your specific business niche.

Disclaimer: No warranty is herein provided that the information contained in this document is accurate, up-to-date, and/or complete. In no circumstance(s), does such information constitute legal or any other advice. Any person who intends to use, rely, pass-on, or re-publish the information contained herein in any way is solely responsible for the same. We suggest to verify the information and/or obtain expert advice independently if required.

Latest News

News
Danish Gambling Operator Reports Tipwin to the Police for AML Failings
The intersection of Enhanced Due Diligence and KYC
Regulatory Penalties Around the World
How Enhanced Due Diligence help avoid Penalties?
Then danish gambling operator Spillemyndigheden has reported Tipwin to the police for violating the Danish Money Laundering act

According to the sources, Spillemyndigheden, the government office based in Odense, Denmark, has reported to the police that the business has failed to create risk assessments of retail bets with a lack of written policies on its retail offerings.

It is also worth mentioning that the operator also lacks complete business procedures and controls for the offerings based on land or in regards to money laundering until 25 May 2022.

In the official statement of the regulator to the police, it stated all the shortcomings of Tipwin in compliance with the anti-money laundering standards. It stated: “Spillemyndigheden notes that the rules on risk assessment, policies and business procedures are absolutely fundamental in the Money Laundering Act. By failing to prepare a risk assessment, Tipwin has not had a useful tool that has provided an overview and understanding of where and to what extent Tipwin is exposed to money laundering or terrorist financing, and what measures are in place are necessary to mitigate the risks involved.”

This clearly states that the german based gambling operator, Tipwin is exposed to the illicit crimes of money laundering and terrorist financing and has failed to comply with the AML regulations. The Danish regulator also focused on the lack of preparation from the operator on assessments of risks which are fundamental components of the anti-money laundering act.

Spillemyndigheden also added: “Preparing a risk assessment of the company’s business model is a very fundamental means of limiting the risk of money laundering. Tipwin has thus also not had policies and operational procedures that stem from the risk assessment. By failing to prepare a risk assessment, the Gambling Authority has therefore handed over the case to the police investigation.”

The authority also launched an injunction on the breach of rules and procedures in regard to the online casino and betting operations. With the main emphasis on money laundering, the regulator released a statement last month which reminded businesses in the industry of the obligations. It mentioned the regulations most firms are complied with, which are in order to prohibit the financial interactions with individuals, groups, legal bodies or countries.

In addition, Spillemyndigheden issued a 3 months deadline to Tipwin to sort out the situation.

Suggested Read: Danish Gaming Regulator Sanctions Unibet Over AML Violations

Enhanced Due Diligence: Ensuring KYC and Regulatory Scrutiny

The intersection of Enhanced Due Diligence and KYC

Regulatory Penalties Around the World

How Enhanced Due Diligence help avoid Penalties?

Online Identity Verification

Avoid Financial Crime

Clear Compliance Details

Crown and Star Casinos – A Stain on Australia’s Reputation

Australia’s Anti-Money Laundering Regime

How Casinos and Businesses Can Secure their Operations

What Shufti Pro Offers

Let’s prove your

customer’s identity

with Shuftipro.

Let’s prove your customer’s

identity with Shuftipro.