Conflicting Risk Appetites: A Surefire Recipe for Due Diligence Disasters

Article by Sandra Erez


CDD and KYC have been baked into AML compliance for two decades now, yet enforcement of money-laundering violations continues to accelerate. How is it that penalties from a highly regulated environment are not able to serve as a bulwark against the corporate (and human) appetite for profit?

Know Your Customer … But to Thine Own Self Be True

Almost every move we make is determined by a risk assessment. From jet-skiing without a life jacket to parking momentarily in a no-parking zone, our daily decisions are made weighing risk against benefit. While we often think we have all the information and skills to assess the situation, many of us zoom past the red flags, muffle the warning beeps on our risk radar and speed ahead anyway – only to take a long, hard fall later for not erring on the side of caution.

Some of us simply can’t fight this aspect of human nature.

When it comes to assessing the risk of money laundering in the financial sector, even highly calibrated risk-assessment processes can prove just as inadequate. Despite firms having had years of practice to get it right, we are treated to an endless parade of financial institutions mired in the astonishing magnitude of their muddled customer due diligence (CDD). In 2020, banks worldwide paid a collective $15.13 billion in fines for a range of compliance failures.


As BuzzFeed News revealed last fall with the publication of the FinCEN Files, banks look the other way while processing trillions of dollars in suspicious transactions and often ignore their own employees’ warnings.

Don’t Rain on My Parade: Poking Holes in the AML Compliance Umbrella

A scandal can serve as a good scare tactic in that it sends fear shivering through boards of directors, reminding them that AML noncompliance can be a risky business in a shifting sea of regulatory enforcement. Every time huge fines rain down from thunderous regulatory skies on an errant firm, compliance officers in organizations in the same sector suddenly remember to huddle under their colorful “tick the box” compliance umbrellas so they can hire more compliance staff and scribble new AML policies. Too often these will be forgotten when the media storm passes and the ice water in management’s veins begins to thaw.

What’s more, it’s clear that these punitive actions are not translating into lessons learned. AML fines have accelerated steadily over the past two decades. The period between 2008 and 2018 saw $26 billion in fines, while 2019 alone saw $10 billion. There is no reason to believe this trend will reverse any time soon.

It appears there is a huge disconnect between “compliant” CDD controls and the ability to assess the money-laundering risk off the back of that process. The resolution to that quandary requires a deep dive into the swirling vortex of the CDD black hole.

Conflicting Risks Can Sink Ships

Grounded in a risk-based approach, AML legislation best practice places high importance on the CDD process as a primary gatekeeper in the prevention of financial crime. If the due diligence is done right, both at onboarding and in an ongoing fashion, it can help safeguard against money launderers looking to secure a haven for their illegal activities.

But although financial institutions may be putting their best foot forward to stay compliant with AML and CDD regulations, the same faulty human decision-making process (miscalculating risk when focusing on an immediate outcome) is replicated when it comes to CDD execution. Employees and employers alike are interested in swiftly onboarding clients, which means lowering customer drop-out rates while potential gains pour unobstructed (and more quickly) into the company coffers. And skipping cyclical ongoing monitoring checks means fewer people to man the company decks, less friction with the existing clients and perhaps even higher personal ratings from direct supervisors sharking the waters for big fish.

In short, the KYC/CDD process is vulnerable both at the staff level, where people (by their nature) are prone to breaking rules and erring in their haste to get the job done, and at the board/management level, where the human appetite for greed and power will always directly conflict with organizational risk appetite.

So as long as the lure of lucrative transactions waxes louder than the lure of the police sirens, there needs to be a human-friendly, intuitive CDD safety net in place so the slippery fish can’t slip through any holes.

Paying the Price of the Disconnect in the Murky CDD Process

In an infinite fintech sea rife with financial crime, onboarding and monitoring clients is at once a Sisyphean and thankless task – with plenty of room for error throughout. Diligence doers participating in different parts of the CDD process often come to the table with varying levels of responsibility, differing skill sets and maybe even opposing incentives for doing their jobs. Yet they are expected to work seamlessly in tandem over time, often without a centralized repository to house documentation and communications between them.

At the same time, the difficulty in accurately assessing the multiple, intertwined layers of risk (client, product, geographic and transactional) can become even more overwhelming when inconsistent verification standards within the firm result in poor-quality datasets. Add to that the lack of a standardized decision tree for generating the risk ratings, and once again the CDD process can end up being highly subjective – leaving the guy at the helm to sheepishly present the regulator with a justified audit trail of abhorrent CDD incompetence.

And finally, the faint of heart (and those individuals disdainful of sophisticated CDD solutions) should note that all this careful and detailed investigation is being carried out against the backdrop of dynamic global sanctions changes, emerging legislation, missing documentation, client identity falsifications and pressure from the client (and the firm) to keep the money moving in one direction – all under the leer of a looming regulator. Yikes!

UBO or UFO? Go with the Flow!

Weighing the risks against the benefit under stringent AML controls means asking the right questions in order to avoid doing completely unnecessary checks. But at the same time, it also means knowing when not to cut corners (like not bothering to investigate source of wealth or source of funds). The only way to achieve that delicate balance is to implement a data-rich, centralized solution that is inherently customizable to any firm’s specific workflow while providing built-in best practice checks and balances to fit relevant business environments and jurisdictions. Guiding and leading with automatic prompts and triggers enables staff to adhere to a risk-based approach systematically with minimum effort.

The quintessential tool would be anchored in conditional logic, where the relevant queries and requests for information would appropriately unfold during the CDD process as the system is dynamically generating an overall risk rating. In addition, the supervisors can be flagged to initiate changes, approve or disapprove, as well as oversee the weighting of the individual risk ratings as necessary at any point in time. The strategically placed prompts, calls for action, reminders and flag triggers act as a bulwark against the typical KYC/CDD obstacles – namely, human beings.
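To make the conditional-logic idea concrete, here is an added illustration (not code from the article, and not any vendor's product) of a small CDD risk engine: it scores the four risk layers named earlier (client, product, geographic, transactional) with an explicit decision tree, combines them with supervisor-adjustable weights into an overall rating, unfolds follow-up requests (UBO identification, source-of-wealth checks, enhanced sanctions screening) only when the answers call for them, sets the ongoing-monitoring cadence and records every decision in an audit trail. The weights, thresholds, jurisdiction codes, product categories and action codes are constructed assumptions for the example, not any regulator's scheme.

```python
"""Added illustration, not code from the article or any vendor product: a
conditional-logic CDD risk engine. Layer weights, score rules, thresholds,
jurisdiction codes and action codes are all constructed assumptions."""
from dataclasses import dataclass, field

# The four risk layers the article names, with constructed weights (sum to 1).
DEFAULT_WEIGHTS = {"client": 0.3, "product": 0.2, "geographic": 0.3, "transactional": 0.2}
# Placeholder country codes; a real engine would load a maintained risk list.
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}
# Ongoing-monitoring cadence by rating (constructed).
REVIEW_INTERVAL_MONTHS = {"high": 12, "medium": 24, "low": 36}


@dataclass
class Customer:
    customer_id: str
    country: str
    is_pep: bool                       # politically exposed person
    product: str
    expected_monthly_volume: float
    ubo_identified: bool               # ultimate beneficial owner known and verified
    source_of_wealth_verified: bool = False


@dataclass
class Assessment:
    layer_scores: dict
    overall: float
    rating: str
    required_actions: list
    requires_supervisor_approval: bool
    review_interval_months: int
    audit_trail: list = field(default_factory=list)


def score_layers(c: Customer) -> dict:
    """Score each layer 1 (low) to 3 (high) with a fixed, explicit decision tree,
    so two analysts looking at the same file get the same numbers."""
    client = 3 if (c.is_pep or not c.ubo_identified) else 1
    geographic = 3 if c.country in HIGH_RISK_JURISDICTIONS else 1
    product = {"private_banking": 3, "trade_finance": 2}.get(c.product, 1)
    if c.expected_monthly_volume >= 1_000_000:
        transactional = 3
    elif c.expected_monthly_volume >= 100_000:
        transactional = 2
    else:
        transactional = 1
    return {"client": client, "product": product,
            "geographic": geographic, "transactional": transactional}


def assess(c: Customer, weight_overrides=None) -> Assessment:
    """Produce the overall rating plus the follow-up requests that apply.
    weight_overrides lets a supervisor re-weight layers; any override is logged
    and forces supervisor sign-off."""
    trail = []
    weights = dict(DEFAULT_WEIGHTS)
    if weight_overrides:
        weights.update(weight_overrides)
        if abs(sum(weights.values()) - 1.0) > 1e-9:
            raise ValueError("layer weights must sum to 1")
        trail.append(f"supervisor weight override applied: {weight_overrides}")

    scores = score_layers(c)
    overall = round(sum(weights[k] * scores[k] for k in scores), 2)
    rating = "high" if overall >= 2.5 else "medium" if overall >= 1.5 else "low"
    trail.append(f"layer scores {scores}, weights {weights}, overall {overall} -> {rating}")

    # Conditional prompts: each request appears only when the file calls for it.
    actions = ["STANDARD_IDV"]
    if not c.ubo_identified:
        actions.append("IDENTIFY_UBO")
        trail.append("UBO not identified -> UBO request raised before onboarding")
    if scores["geographic"] == 3:
        actions.append("ENHANCED_SANCTIONS_SCREENING")
        trail.append("high-risk jurisdiction -> enhanced sanctions screening")
    if (rating == "high" or c.is_pep) and not c.source_of_wealth_verified:
        actions.append("VERIFY_SOURCE_OF_WEALTH_AND_FUNDS")
        trail.append("high rating or PEP -> source of wealth/funds must be verified")

    needs_approval = rating == "high" or c.is_pep or bool(weight_overrides)
    if needs_approval:
        trail.append("flagged for supervisor sign-off")
    return Assessment(scores, overall, rating, actions, needs_approval,
                      REVIEW_INTERVAL_MONTHS[rating], trail)


if __name__ == "__main__":
    # Constructed sample files, not real customers.
    for cust in (Customer("c1", "DE", False, "current_account", 5_000, True),
                 Customer("c2", "XX", True, "private_banking", 2_000_000, False)):
        a = assess(cust)
        print(cust.customer_id, a.rating, a.required_actions, a.review_interval_months)
        for line in a.audit_trail:
            print("   ", line)
```

The two design points worth noting: the scoring tree and thresholds are data the firm can tune, but they are applied identically to every file, which is what makes the rating defensible in front of a regulator; and every deviation from the defaults (a supervisor re-weighting a layer) is both recorded and routed for sign-off, so the audit trail shows who changed what rather than leaving the decision to the analyst's mood on the day.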

Know Your Risk … of Not Having a Conditional Logic-Based CDD Lifeboat in Place

As the rising tide of money-laundering crime engulfs regulators across the globe, they are digging in and clawing their way to the top by upping the ante. Penalties can now include not only fines, but also other enforcement measures, like firms being barred from taking on new clients or being restricted in certain areas of business. Jurisdictions such as the U.K. have expanded the businesses subject to a regulatory framework to include accountancy practices, law firms, estate agents, art dealers and cryptocurrencies, while virtual assets are starting to come under a regulatory framework in the EU. No one is safe from their oversight – from the little accounting firms to those offshore lounging on their yachts!

As for you, the casual doer of diligence wandering around bewildered in the CDD maze, beware: The ultimate responsibility for onboarding that risky client is on you and your firm. Perhaps in addition to verifying your clients, you should verify your need for a risk-based CDD solution before someone high up goes head over heels overboard.