Fire and Forget: Understanding Your Risks from Outsourcing Customer Due Diligence (CDD)

By Martin Dilly, Director at Martin Dilly AML Limited and Certified Anti-Money Laundering Specialist (CAMS)

‘Fire and forget’ is a military term used to describe a type of missile which does not require

further guidance after launch (such as illumination of the target or wire guidance), and can hit its target without the launcher being in line-of-sight of the target. It is also a term I regularly use to describe how some reporting entities (REs) are utilising customer due diligence (CDD) outsource providers.

In the AML/CFT context, I often see a RE simply ‘firing’ off their customer onboarding files

to a provider and ‘forgetting’ about them as long as they receive a positive confirmation (through a sign-off sheet or portal) that CDD was ‘OK’. In addition, many REs also seem to

forget that:

(a) the risk associated with the accurate completion of CDD remains with the RE; and

(b) it is not as simple as engaging such a provider – the RE will need to consider

how the outsourcing fits into its overall AML/CFT risk profile and framework.

There has been an exponential uptake by REs in the use of third-party CDD outsource providers over the last two years. These third-party providers essentially undertake CDD on an RE's customers including determining beneficial ownership and, in some cases, undertaking enhanced CDD investigation.

I distinguish these providers from those which provide electronic identity verification (EIV) services being essentially access to relevant databases in order to assist entities in meeting the requirements of Part 3 of the Amended Identity Verification Code of Practice 2013 (Code of Practice).

This exponential uptake has been driven by a number of factors:

  • Such providers are a reasonably recent introduction to the market and there has been a pent-up demand for such services.

  • ‘Phase 2’ REs – essentially lawyers, accountants, and real estate agents - have shown an appetite for such services, driven by the structures of these businesses.

  • COVID-19 lockdowns meant that REs that would have typically undertaken face-to-face verification were not able to use that method effectively so looked to alternatives.

Having had an opportunity to audit REs using a variety of such providers, I have seen the

benefits of such services for entities, with the provider able to take care of the more mechanical, time-consuming aspects of CDD, freeing up staff time or allowing for REs who

lack appropriately-skilled staff to undertake the CDD in the first place. The ability to access

a pool of trained AML/CFT analysts that specialise in CDD is certainly attractive to organisations where they may not be able to justify hiring one internally (provided they can

find one – AML resource is always seemingly in short supply).

My audits picked up a number of risks and considerations, however, which entities have not contemplated in their adoption of such services.

Use of third-party AML/CFT tools and services

Before looking specifically at CDD outsourcing services, it is worth discussing use of third-

party AML/CFT tools/services generally. Too often I see REs looking to acquire tools before

they have determined what they need to build, that is, the RE has not undertaken a risk assessment or a gap analysis of current processes against the obligations of the Act.

Such tools and services can provide important parts of an RE’s programme (and in some cases may prove essential in meeting certain obligations), however, they should not be viewed as a ‘magic bullet’ for the challenges in your programme.

With any AML/CFT tool, you should understand:

(a) the limitations of the tool itself – what does it do and what doesn’t it do;