What happens if you can’t complete CDD?

Identifying and verifying your client, understanding the beneficial ownership behind any corporate structure and forming a view on the purpose of the relationship are the building blocks of every other control you apply.

But what happens when those blocks won’t fit together? 

When a client refuses to provide information, when verification fails or when beneficial ownership remains opaque after reasonable enquiry, the international standards set by FATF (the Financial Action Task Force) are very clear about what should come next. A version of its recommendation is applied in every jurisdiction that has implemented the FATF Standards.

What does FATF say about incomplete CDD?

FATF is the global standard-setter for anti-money laundering, counter-terrorist financing and counter-proliferation financing. Its 40 Recommendations are endorsed by more than 200 jurisdictions and supranational bodies, and they form the basis of national AML law almost everywhere.

Recommendation 10 sets out the core CDD requirements: identification, verification, beneficial ownership, understanding the relationship and ongoing monitoring. It also addresses what should happen when those measures can’t be carried out. Where a financial institution is unable to comply with the CDD requirements, Recommendation 10 states that it should:

• not open the account, commence business relations or perform the transaction;
• terminate the business relationship with existing customers; and
• consider making a suspicious activity / transaction report (SAR /STR) to the financial intelligence unit (FIU) in relation to the customer.

The Recommendation applies to financial institutions directly and to designated non-financial businesses and professions (DNFBPs) through Recommendation 22. That brings accountants, legal professionals, trust and company service providers (TCSPs), property businesses and high-value dealers (HVDs) into the same framework.

How national laws implement this

National AML regimes translate Recommendation 10 into binding obligations. The wording varies a little but the substance is consistent.

In the UK, Regulation 31 of the Money Laundering Regulations 2017 (as amended) (MLRs) requires the relevant person to refuse the transaction, decline or terminate the relationship and consider whether a disclosure is required under Proceeds of Crime Act 2002 (POCA) or the Terrorism Act 2000.

In the EU, Article 14(4) of the Fourth Anti-Money Laundering Directive (carried forward into the EU’s AML Regulation) imposes the same obligation on obliged entities.

Australia, Canada, Singapore, the UAE and most other major financial centres have equivalent provisions in their domestic AML legislation. The language differs but the underlying obligation of  ‘stop, decline or terminate and consider reporting’, is the same.

When does CDD count as ‘unable to be applied’?

The Recommendation doesn’t define this exhaustively, which puts the judgement back on you. In practice, CDD becomes incomplete in a few recognisable ways:

• The client refuses, delays or evades requests for identification or verification documents
• Documents provided fail verification or appear inconsistent with other information you hold
• Beneficial ownership can’t be established with reasonable confidence, particularly where layered structuresinvolve nominees, offshore vehicles or unresponsive intermediaries
• Source of funds or source of wealth explanations don’t hold up against the evidence, or simply aren’t forthcoming
• Enhanced due diligence triggers, such as a high-risk jurisdiction connection or PEP status, can’t be satisfied to a proportionate standard

The threshold is whether you can apply CDD to a standard that reflects the risk. Where you can’t, you have an obligation to stop.

When to report

The third limb of Recommendation 10’s failed-CDD response is the one that needs the most careful thought. You must consider whether to submit a suspicious activity or transaction report. The trigger isn’t the failure of CDD itself but the suspicion or knowledge that comes with it.

If a client’s reluctance to provide information, or the unexplained gaps in what they will provide, gives you reasonable grounds to suspect money laundering, terrorist financing or proliferation financing, Recommendation 20 requires that suspicion is reported. 

National regimes put this into effect through their SAR or STR frameworks: in the UK it’s a SAR to the National Crime Agency, in the EU an STR to the relevant national FIU, in the US a SAR to FinCEN, and so on.

Recommendation 21 prohibits tipping off the customer about the report. Once a disclosure is being considered, conversations with the client need to be handled carefully.

Most jurisdictions recognise a narrow exception where independent legal professionals are ascertaining the legal position for a client or representing them in legal proceedings. Recommendation 23 reflects this, and national laws build the carve-out into their failed-CDD provisions. The exception protects legal professional privilege but doesn’t create a general exemption from CDD itself.

Final thoughts

The risk-based approach shapes everything up to this point: how much CDD you do, what counts as adequate verification, how deep your source-of-funds enquiry needs to go, and what counts as reasonable effort before you conclude you’re unable to complete CDD. None of this is the same for a low-risk client and a high-risk one.

However, once you’ve genuinely concluded CDD can’t be completed, the response is fixed. No client is exempt and no risk rating changes your obligations. Your record should show what you asked for, what was provided, where the gaps were and why this led to your decision. That’s what a supervisor or law enforcement will look for when assessing the reporting decision.