CUSTOMER ONBOARDING & CDD/EDD PLAYBOOK
Operational Guide for Customer Identification, Risk Assessment, and Due Diligence.
The Customer Onboarding & CDD/EDD Playbook establishes the Bank’s risk-based framework for identifying, verifying, and understanding customers and beneficial owners. It ensures that the institution’s onboarding processes comply with the Bank Secrecy Act (BSA), FinCEN CDD Rule (31 CFR 1010.230), and global AML standards, while supporting a seamless client experience.
This Playbook provides standardized procedures for customer identification, risk scoring, and enhanced due diligence, ensuring consistent application across jurisdictions, business lines, and customer types. It integrates governance oversight, automated screening, and continuous monitoring to ensure the integrity of the Bank’s client base.
It serves as the foundation for managing AML risk exposure during onboarding and supports ongoing risk management efforts throughout the customer lifecycle.
What This Playbook Covers
• Regulatory Framework & Purpose – Defines the statutory foundation for CDD and EDD requirements under the BSA, FinCEN, FATF, and other applicable standards.
• Customer Identification Program (CIP) – Outlines procedures for verifying customer identity at account opening, including beneficial ownership and control requirements.
• Customer Due Diligence (CDD) – Establishes a standardized risk assessment methodology based on customer type, geography, product, and delivery channel.
• Enhanced Due Diligence (EDD) – Describes additional verification and documentation steps for high-risk customers, including PEPs, correspondent accounts, and complex ownership structures.
• Ongoing Monitoring & Periodic Review – Explains how customer profiles and risk ratings are updated to reflect new information, behavior, or regulatory changes.
• Governance, Roles & Responsibilities – Defines oversight, escalation, and decision-making processes for onboarding approvals and exceptions.
• Integration with Transaction Monitoring & Reporting – Links customer risk profiles to monitoring thresholds, alert prioritization, and SAR escalation processes.
Regulatory Framework & Purpose
The Bank’s Customer Onboarding and CDD/EDD Program is established under the Bank Secrecy Act (BSA) and the USA PATRIOT Act, and aligns with FinCEN’s Customer Due Diligence Rule (31 CFR 1010.230).
The Program ensures that the Bank:
Identifies and verifies the true identity of each customer and beneficial owner.
Understands the nature and purpose of customer relationships to develop a risk profile.
Conducts ongoing monitoring to identify and report suspicious transactions.
Updates and maintains customer information as risk or behavior changes over time.
It also incorporates global standards from the Financial Action Task Force (FATF) and the Wolfsberg Group, reinforcing the Bank’s commitment to transparency and international cooperation in the fight against money laundering, terrorist financing, and financial crime.
By maintaining a unified, risk-based approach to customer due diligence, the Bank strengthens both regulatory compliance and customer trust across all business lines and jurisdictions.
Customer Identification Program (CIP)
The Bank’s Customer Identification Program (CIP) establishes minimum requirements for identifying and verifying each customer’s identity prior to account opening, in accordance with 31 CFR 1020.220 and 12 CFR Part 21.21.
The CIP ensures that the Bank:
Collects identifying information (name, date of birth, address, and identification number) for all customers, including individuals, legal entities, and beneficial owners.
Verifies identity using risk-based procedures that balance reliability and efficiency, including:
• Documentary methods – government-issued IDs, corporate formation documents.
• Non-documentary methods – database verification, independent credit bureaus, sanctions lists, and internal records.
Maintains records of the information used for verification and results of any discrepancies.
Screens all customers against OFAC and internal watchlists prior to account activation.
Applies enhanced procedures for customers who cannot be fully verified, ensuring that exceptions are escalated and approved by compliance.
The CIP is fully integrated with the Bank’s onboarding systems and serves as the first line of defense in preventing the establishment of anonymous or deceptive relationships.
Customer Due Diligence (CDD)
The Bank’s Customer Due Diligence (CDD) framework ensures the institution understands who its customers are, what they do, and why they are transacting.
It forms the foundation for risk-based monitoring and regulatory reporting obligations.
Key Objectives:
Understand the nature and purpose of each relationship to assess the likelihood of financial crime risk.
Assign an initial risk rating (low, medium, high) based on objective and behavioral factors.
Maintain a dynamic customer risk profile that adjusts as conditions or activities change.
Core CDD Components:
Customer Type – Individual, legal entity, intermediary, fund, or correspondent relationship.
Geography – Country of residence or operation, FATF classification, sanctions exposure.
Products & Services – Nature of products used, delivery channels, and transaction types.
Customer Behavior – Anticipated activity patterns, source of funds, and expected volumes.
Outcome:
Each customer is assigned a risk score and category that determines the level of due diligence, frequency of reviews, and depth of ongoing monitoring.
This process ensures proportional scrutiny and alignment with the Bank’s enterprise-wide risk appetite.
Enhanced Due Diligence (EDD)
Enhanced Due Diligence (EDD) applies when a relationship, entity, or transaction presents elevated money laundering, sanctions, or reputational risk.
EDD provides deeper insight into ownership, control, source of wealth, and transactional intent.
EDD Triggers Include:
Complex or layered ownership structures (e.g., offshore funds, SPVs, trusts).
Politically Exposed Persons (PEPs) and their associates.
Clients located in or transacting with high-risk or sanctioned jurisdictions.
Sovereign wealth funds, state-owned entities, or government-linked investors.
Relationships relying on third-party administrators or distributors.
EDD Procedures:
Ultimate Beneficial Ownership (UBO) mapping and verification through reliable documents.
Source of Wealth (SOW) and Source of Funds (SOF) analysis, supported by financial statements, tax filings, or sale contracts.
Adverse media and reputational screening using global databases and open-source intelligence.
Senior management or committee approval prior to onboarding or continuation.
Ongoing monitoring and annual refresh of high-risk profiles.
Objective:
EDD ensures transparency into who ultimately benefits from the relationship and whether the activity aligns with legitimate business purposes.
Beneficial Ownership & Control Identification
The Bank’s AML framework mandates full transparency into the ownership and control of every institutional client, fund vehicle, and related entity.
Regulatory Basis:
Complies with FinCEN’s CDD Rule (31 CFR 1010.230) and FATF Recommendation 10, requiring financial institutions to identify and verify:
Ownership Prong – Each natural person who, directly or indirectly, owns 25% or more of equity interests.
Control Prong – At least one natural person with significant managerial control, such as a CEO, GP, or trustee.
Verification Requirements:
Collect legal formation documents, registers of members, and structure charts.
Obtain certifications of beneficial ownership from authorized representatives.
Conduct independent verification using registry data, corporate filings, or OSINT.
Identify intermediate entities and trace ownership through each layer to the ultimate natural person.
Document and retain ownership charts, verification results, and escalation notes.
Enhanced Measures:
When ownership is obscured through offshore jurisdictions, nominee arrangements, or trusts, the Bank conducts expanded verification and legal review prior to onboarding.
Objective:
To ensure no account is opened or maintained without clarity of ultimate beneficial ownership and to prevent misuse of fund structures for concealment or evasion purposes.
Business Purpose & Expected Activity Assessment
Understanding the purpose and expected activity of every relationship is essential to identify anomalies and prevent misuse of the Bank’s services.
Purpose of Assessment:
To ensure the relationship has a legitimate business or investment rationale, and that activity aligns with the client’s profile and stated objectives.
Information Collected:
Nature of the business or fund strategy (e.g., private equity, hedge fund, pension, sovereign).
Primary services requested: custody, subscription/redemption processing, capital calls, FX, etc.
Expected transaction profile: frequency, volumes, and counterparties.
Geographic exposure: key investor, portfolio, and counterparty locations.
Expected capital flow patterns: subscription cycles, redemption schedules, and distributions.
Example – Institutional Activity Profile
Outcome:
The documented business purpose and transaction baseline enable:
Automated monitoring thresholds aligned with expected volumes.
Alert triage and escalation when deviations occur.
Regulatory defensibility for risk-based decisions.
Initial Risk Assessment & Documentation Requirements
The Bank performs a documented, risk-based assessment for every new customer relationship during onboarding. The assessment establishes the initial risk tier (Very Low, Low, Moderate, High, or Critical) based on the customer’s profile, products, jurisdictions, ownership complexity, and activity expectations.
Key Components of Initial Assessment:
Risk Factors Evaluated:
Customer type (individual, fund, intermediary, or corporate)
Geography / jurisdiction exposure
Product or service type and delivery channel
Ownership structure and beneficial owners
Expected account activity and purpose
Sanctions, PEP, or adverse media results
Documentation Requirements:
Completed CDD risk assessment form with all data fields populated
Supporting identification, ownership, and verification records
Rationale for risk rating, signed by the onboarding analyst or reviewer
System evidence of screening and validation results
Compliance approval for High or Critical risk customers prior to activation
Outcome:
The assigned risk tier determines due diligence depth, review frequency, and monitoring thresholds throughout the customer lifecycle.
Reference: FinCEN CDD Rule (31 CFR 1010.230), FATF Recommendation 10, and the Bank’s Enterprise Risk Scoring Methodology.
Periodic Review Scheduling Based on Risk Tier
The Bank’s periodic review framework ensures customer information, documentation, and risk ratings remain accurate and current throughout the relationship. Review frequency is proportionate to the assigned risk tier and aligns with regulatory expectations under the Bank Secrecy Act (BSA) and FinCEN guidance.
Risk Tier – Review Frequency – Primary Objective
Critical Risk – Every 6 months – Confirm enhanced due diligence remains in place and monitoring thresholds are appropriate.
High Risk – Annually (12 months) – Validate customer profile, beneficial ownership, and account activity consistency.
Moderate Risk – Every 2 years – Reassess key risk indicators and update screening results.
Low Risk – Every 3 years – Confirm no material change in products, geography, or ownership.
Very Low Risk – Every 5 years – Spot-check for dormant or inactive accounts and revalidate identification.
Trigger-Based Reviews:
In addition to scheduled reviews, CDD updates are required when:
Ownership, control, or signatory authority changes
Adverse media or sanctions screening hits occur
Transaction activity deviates from expected patterns
A regulatory inquiry or law enforcement request is received
Outcome:
Periodic reviews ensure the customer’s risk profile remains current, justified, and evidence-based, supporting proactive detection of emerging financial crime risk.
Beneficial Ownership and Control (BOI) Procedures
Objective: Define how ultimate beneficial owners (UBOs) are identified and verified.
Regulatory Basis:
Complies with FinCEN’s CDD Rule (31 CFR 1010.230) and FATF Recommendation 10, which require financial institutions to identify and verify natural persons who own or control a legal entity.
BOI Structure:
Ownership Prong: Each natural person who directly or indirectly owns 25% or more of equity interests.
Control Prong: At least one natural person with significant managerial control (e.g., CEO, Managing Partner, Trustee).
Verification Standards:
Obtain certifications of beneficial ownership from authorized representatives.
Validate against corporate filings, registries, and independent data sources.
Use enhanced verification for trusts, SPVs, and offshore entities.
Reconfirm BOI upon material change events (ownership transfer, merger, etc.).
Outcome:
Ensures transparency, accountability, and alignment with global AML standards.
High-Risk Ownership Structures
Objective: Identify and manage ownership configurations that obscure control, funding sources, or beneficial ownership.
Examples of High-Risk Structures:
Trusts – especially discretionary or offshore trusts with layered beneficiaries.
Special Purpose Vehicles (SPVs) – created to isolate risk or obscure parent ownership.
Private Investment Funds – multiple investor layers and fund-of-funds arrangements.
Offshore Companies – registered in secrecy jurisdictions or tax havens.
Bearer Share Entities – pose anonymity and money-laundering risks.
Control & Mitigation Measures:
Require structure charts and source of wealth/funds documentation.
Escalate for Enhanced Due Diligence (EDD) when ownership is indirect or complex.
Conduct adverse media and sanctions screening on all controlling parties.
Implement periodic revalidation of ownership information.
Outcome:
Increases transparency and prevents misuse of complex ownership layers for illicit purposes.
Enhanced Due Diligence (EDD) Triggers and Risk Factors
The Bank applies Enhanced Due Diligence when a customer, product, or transaction presents heightened risk of money laundering, sanctions exposure, or reputational harm.
EDD triggers are defined by regulatory guidance, industry best practice, and the Bank’s internal risk appetite.
Common EDD Triggers:
High-risk jurisdictions (FATF, OFAC, or EU-identified countries)
Politically Exposed Persons (PEPs) and senior public officials
Sanctioned, watchlist-linked, or adverse media relationships
Complex corporate ownership or multi-layered structures
High-risk industries (MSBs, crypto, real estate, casinos, arms trading)
Correspondent banking or nested relationships
Rapid, unexplained fund movements or atypical transaction patterns
EDD Escalation Path:
Relationship flagged by onboarding, monitoring, or screening tools.
Compliance performs a risk impact assessment and data verification.
BSA Officer approves or rejects onboarding with appropriate rationale.
Outcome:
EDD ensures high-risk relationships are fully transparent, with documented rationale for acceptance, mitigation, or decline.
Enhanced Due Diligence Data Collection & Verification
The Bank requires comprehensive documentation to understand the source, legitimacy, and ownership of high-risk relationships.
EDD ensures that heightened scrutiny is applied to all parties involved, using independent and verifiable data sources.
Core EDD Data Elements:
Ultimate Beneficial Ownership (UBO): Legal documentation tracing ownership to natural persons.
Source of Wealth (SOW): Description and evidence of how the customer accumulated wealth (e.g., business income, inheritance, asset sales).
Source of Funds (SOF): Verification of where transactional funds originate for onboarding or ongoing activity.
Business Model & Transaction Purpose: Written explanation of the customer’s operations, partners, and anticipated cash flows.
Reputational Screening: Adverse media, sanctions, and enforcement actions review across all principals.
Verification Methods:
Cross-check documents with independent registries and third-party databases.
Validate financial statements, tax filings, or transaction records supporting SOW/SOF claims.
Perform enhanced sanctions and PEP screening at both entity and ownership levels.
Require senior management approval for EDD completion and account activation.
Outcome:
Ensures that the Bank engages only in relationships where source transparency and legitimacy are fully demonstrated and documented.
EDD Monitoring and Review Cycle
The Bank conducts ongoing monitoring and scheduled reviews of high-risk relationships to ensure that enhanced due diligence remains current, accurate, and effective.
This process provides continuous assurance that risk mitigation controls align with the customer’s evolving activity and profile.
Core EDD Review Elements:
Annual or Semi-Annual Review: Frequency depends on the customer’s risk tier and activity pattern.
Transaction Activity Review: Compare actual transactions to the expected profile established during onboarding.
Adverse Media & Sanctions Screening: Re-run screening and update risk scoring after any hit or alert.
Documentation Refresh: Verify that SOW/SOF, UBO, and key identification documents remain valid.
Risk Reassessment: Update the customer’s risk rating and determine if escalation or de-risking is required.
Escalation Criteria:
Material ownership or control changes.
Repeated SAR filings or transaction anomalies.
Newly identified adverse media or sanctions matches.
Regulatory inquiries or subpoenas related to the customer.
Outcome:
Maintains a dynamic and risk-responsive EDD framework, ensuring that enhanced oversight evolves with each customer’s true risk exposure.
Customer Risk Scoring Philosophy and Objectives
The Bank applies a quantitative, risk-based approach to assess each customer’s inherent financial crime exposure at onboarding and throughout the relationship.
This framework enables consistent, data-driven risk classification across all customer segments.
Objectives:
Provide a standardized, transparent, and reproducible method for evaluating customer risk.
Ensure alignment with regulatory guidance under the BSA, FinCEN CDD Rule, and FFIEC expectations.
Establish a defensible linkage between risk factors, scoring weight, and customer tiering.
Support proportional due diligence, monitoring, and review frequency based on risk exposure.
Principles:
Each customer receives a numerical risk score (0–100) derived from defined attributes and weightings.
Scores translate into risk tiers: Very Low, Low, Moderate, High, and Critical.
Risk scores determine:
Onboarding approval levels
The Board of Directors sets the tone for the Bank’s culture of compliance and holds ultimate accountability for the effectiveness of the BSA/AML Program. Through formal approval and regular oversight, the Board ensures the Program remains aligned with enterprise risk appetite and regulatory expectations.
Key responsibilities include:
Policy & Framework Approval: Review and approve the BSA/AML Policy, risk assessment methodology, and governance framework annually.
Resource & Independence Assurance: Confirm the BSA/AML Officer and Compliance team possess adequate authority, expertise, and staffing to fulfill their duties independently.
Oversight & Reporting: Receive periodic briefings on AML risk exposure, SAR trends, regulatory developments, and testing results through Board and Committee reports.
Culture & Accountability: Promote an ethical environment that prioritizes financial crime prevention, data integrity, and transparent escalation of compliance concerns.
Through these functions, the Board reinforces accountability, transparency, and the integrity of the Bank’s compliance operations.
Core Risk Factors and Weighting (0–100 Model)
The Bank assigns a numerical score (0–100) to each customer based on weighted risk factors that reflect the overall likelihood of financial-crime exposure.
This scoring model provides a transparent, data-driven foundation for assigning customer risk tiers and determining the level of due diligence, monitoring, and review required.
Primary Risk Factors:
Customer Type & Occupation (0–20%) – Higher exposure for cash-intensive or regulated sectors.
Geography / Jurisdiction (0–20%) – Elevated risk for high-corruption, sanctions, or secrecy jurisdictions.
Product & Service Risk (0–15%) – Weight based on the potential for misuse (e.g., private banking, wires, trade finance).
Delivery Channel (0–10%) – Higher risk for non-face-to-face onboarding or digital channels.
Sanctions / PEP / Adverse Media (0–15%) – Scored by screening results and severity of exposure.
Activity Profile Deviation (0–10%) – Variance from expected transactional behavior.
Ownership Complexity (0–5%) – More complex or opaque structures increase residual risk.
Negative History or Law Enforcement Links (0–5%) – Includes prior SARs or criminal references.
Scoring Bands (Example):
0–20 = Very Low
21–40 = Low
41–60 = Moderate
61–80 = High
81–100 = Critical
Outcome:
Generates a risk-tier assignment that drives customer-level due diligence, periodic review frequency, and escalation thresholds.
Risk Scoring Calculation and Tier Assignment
The Bank’s customer risk scoring process applies quantitative weighting to each risk factor to generate a composite score.
This composite value determines the customer’s risk tier, which in turn drives the required level of due diligence, frequency of review, and escalation authority.
Scoring Methodology Overview:
Assign Individual Factor Scores (0–100): Each core risk factor is assessed independently based on documented criteria.
Apply Weighting: Factor scores are multiplied by their respective weight percentage.
Sum Weighted Scores: Total score = Σ(weighted factor scores).
Assign Tier: The composite score is mapped to the Bank’s standardized risk tiering scale.
Example Formula:
Customer Risk Score = Σ (Factorᵢ × Weightᵢ)
(Sum of each factor score multiplied by its assigned weight)
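The scoring methodology above, carried through end to end as an added illustration (this is not the Bank’s production model or the Risk Scoring Worksheet from the appendices). It uses the factor weights from the Core Risk Factors section, the example scoring bands, the review intervals from the periodic review schedule, and the rule that High and Critical customers need Compliance approval before activation; the factor names, the two sample customers, and the half-up rounding of the composite to a whole number are assumptions made here.

```python
from dataclasses import dataclass

# Factor weights (percent) from the "Core Risk Factors and Weighting" section.
FACTOR_WEIGHTS = {
    "customer_type": 20,         # Customer Type & Occupation
    "geography": 20,             # Geography / Jurisdiction
    "product_service": 15,       # Product & Service Risk
    "delivery_channel": 10,      # Delivery Channel
    "screening": 15,             # Sanctions / PEP / Adverse Media
    "activity_deviation": 10,    # Activity Profile Deviation
    "ownership_complexity": 5,   # Ownership Complexity
    "negative_history": 5,       # Negative History or Law Enforcement Links
}
assert sum(FACTOR_WEIGHTS.values()) == 100, "weights must sum to 100%"

# Scoring bands: (inclusive upper bound, tier), per "Scoring Bands (Example)".
TIER_BANDS = [(20, "Very Low"), (40, "Low"), (60, "Moderate"),
              (80, "High"), (100, "Critical")]

# Review cadence in months, from the periodic review schedule table.
REVIEW_INTERVAL_MONTHS = {"Very Low": 60, "Low": 36, "Moderate": 24,
                          "High": 12, "Critical": 6}

# Tiers needing Compliance approval before activation (Initial Risk Assessment).
APPROVAL_REQUIRED_TIERS = {"High", "Critical"}


@dataclass(frozen=True)
class RiskResult:
    composite: int                 # rounded 0-100 composite score
    tier: str
    review_months: int
    compliance_approval_required: bool
    contributions: dict            # per-factor weighted contribution


def weighted_contributions(factor_scores: dict) -> dict:
    """Step 2 of the methodology: multiply each 0-100 factor score by its
    weight percentage. Rejects missing, unknown or out-of-range factors so a
    half-filled assessment form cannot silently produce a low score."""
    missing = set(FACTOR_WEIGHTS) - set(factor_scores)
    unknown = set(factor_scores) - set(FACTOR_WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    contributions = {}
    for name, weight in FACTOR_WEIGHTS.items():
        score = factor_scores[name]
        if not 0 <= score <= 100:
            raise ValueError(f"{name} score {score} outside 0-100")
        contributions[name] = score * weight / 100
    return contributions


def composite_score(factor_scores: dict) -> int:
    """Step 3: sum the weighted contributions. The sum is rounded half-up to a
    whole number (an assumption made here, not stated in the playbook) so it
    can be mapped onto the integer scoring bands."""
    total = sum(weighted_contributions(factor_scores).values())
    return int(total + 0.5)


def tier_for(score: int) -> str:
    """Step 4: map a 0-100 composite onto the standardized tier scale."""
    if not 0 <= score <= 100:
        raise ValueError(f"composite {score} outside 0-100")
    for upper, tier in TIER_BANDS:
        if score <= upper:
            return tier
    raise AssertionError("unreachable: bands cover 0-100")


def assess(factor_scores: dict) -> RiskResult:
    """Run the full methodology and attach the downstream consequences of the
    tier: review interval and whether Compliance sign-off gates activation."""
    composite = composite_score(factor_scores)
    tier = tier_for(composite)
    return RiskResult(
        composite=composite,
        tier=tier,
        review_months=REVIEW_INTERVAL_MONTHS[tier],
        compliance_approval_required=tier in APPROVAL_REQUIRED_TIERS,
        contributions=weighted_contributions(factor_scores),
    )


# Constructed sample inputs (illustrative factor scores, not real customers).
SAMPLE_OFFSHORE_FUND = {       # layered offshore fund with a PEP-linked principal
    "customer_type": 70, "geography": 85, "product_service": 60,
    "delivery_channel": 50, "screening": 80, "activity_deviation": 20,
    "ownership_complexity": 90, "negative_history": 0,
}
SAMPLE_RETAIL_INDIVIDUAL = {   # domestic individual onboarded via digital channel
    "customer_type": 10, "geography": 5, "product_service": 10,
    "delivery_channel": 30, "screening": 0, "activity_deviation": 0,
    "ownership_complexity": 0, "negative_history": 0,
}

if __name__ == "__main__":
    for label, scores in [("offshore fund", SAMPLE_OFFSHORE_FUND),
                          ("retail individual", SAMPLE_RETAIL_INDIVIDUAL)]:
        r = assess(scores)
        print(f"{label}: composite={r.composite} tier={r.tier} "
              f"review every {r.review_months} months "
              f"approval_required={r.compliance_approval_required}")
```

The offshore fund sample lands at 63.5, rounded to 64 (High, annual review, Compliance approval required), while the retail individual scores 8 (Very Low, five-year review); a score sitting one point either side of a band edge shows why the rounding rule has to be fixed in the documented methodology rather than left to the calculator.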
Tier Definitions:
Risk Scoring Governance and Maintenance
Key Points
The Bank maintains a documented governance process for the calibration and validation of customer risk scoring.
Ownership: BSA Officer and Compliance Data Analytics jointly manage scoring logic and system parameters.
Annual Validation:
• Confirm scoring weights remain aligned with regulatory expectations and risk trends.
• Test data quality, calculation integrity, and output distribution.
Change Management:
• Updates require dual review and sign-off (BSA Officer + Risk Oversight).
• Material changes documented in the AML Model Inventory.
Audit Trail:
• All changes, overrides, and recalibrations are logged and version-controlled.
• Reports retained for minimum five years per regulatory recordkeeping standards.
Ongoing Monitoring & Periodic Review
Key Points
The Bank conducts continuous and event-driven monitoring to detect anomalies and ensure risk ratings remain accurate.
Monitoring Triggers:
• Unusual transaction volumes, geographies, or counterparties
• Adverse media or sanctions alerts
• Ownership or control changes
• Significant deviations from expected activity
Periodic Review Cadence:
Based on customer risk tier (see Standard Review Intervals).
• Critical / High – 6–12 months
• Moderate – 2 years
• Low / Very Low – 3–5 years
Review Objectives:
• Validate customer profile and beneficial ownership
• Confirm ongoing legitimacy of business activity
• Reassess CDD and EDD documentation
• Update internal systems and monitoring thresholds
Trigger Events for Out-of-Cycle Reviews
Key Points
The Bank requires immediate out-of-cycle reviews when certain trigger events indicate a potential change in customer risk.
These reviews ensure that customer profiles, documentation, and risk ratings remain accurate and current.
Examples of Trigger Events:
Ownership or Control Change – New beneficial owners, directors, or signatories identified.
Adverse Media or Regulatory Action – New negative information impacting reputation or integrity.
Sanctions or PEP Match – Screening hit requiring escalation and investigation.
Transaction Activity Deviation – Activity inconsistent with the established baseline.
Law Enforcement Inquiry or Subpoena – External requests prompting review of account activity.
Dormant or Inactive Relationship Reactivation – Re-onboarding process initiated.
Outcome:
Ensures rapid identification and mitigation of emerging risks while maintaining a defensible audit trail for all review triggers.
Escalation Matrix and Approval Authorities
Key Points
The Bank maintains a formal escalation matrix to ensure consistent handling of high-risk, exceptional, or non-standard onboarding decisions.
Escalations are based on risk tier, product type, jurisdiction, or regulatory concern.
Escalation Levels:
Front-Line Review – Analyst identifies exception or elevated risk indicator and documents rationale.
Compliance Review – Performs due diligence validation, reviews documentation gaps, and recommends course of action.
BSA Officer Review – Confirms final risk rating, reviews mitigating controls, and authorizes onboarding or decline.
AML Governance Committee – Reviews material or repeat exceptions, approves EDD files, and reports to senior management.
SAR Referral and Escalation Procedures
Key Points
The Bank maintains a documented process for escalating potentially suspicious customer activity to the BSA Officer and AML Governance Committee.
Escalations may arise from onboarding reviews, ongoing monitoring alerts, or adverse media findings.
Referral Process:
Initial Detection – Analyst or system alert identifies unusual or unexplained activity.
Preliminary Review – Compliance performs validation and gathers supporting data (KYC file, transactional evidence, media results).
Escalation to BSA Officer – Detailed referral memorandum is submitted for case assessment.
SAR Determination – BSA Officer evaluates red flags, consults with management as needed, and determines filing necessity.
Governance Reporting – Confirmed SARs are reported to senior management and Board within established timelines.
Key Principles:
Ensure timely escalation within 24–48 hours of detection.
Maintain confidentiality and audit trails for all referrals.
Document rationale for non-filing decisions.
Outcome:
Provides a consistent, defensible process for identifying and reporting suspicious activity, ensuring alignment with BSA/FinCEN standards.
Fund-Specific SAR and Escalation Triggers
Key Triggers for Escalation:
Subscription / Redemption Anomalies: Unexplained investor inflows or redemption timing inconsistent with stated fund strategy.
Layered Fund Structures: Use of multiple feeder or SPV entities with opaque or offshore ownership.
Adverse Media or Regulatory Action: Fund manager, administrator, or key investor named in enforcement or sanction context.
Unverified Beneficial Ownership: Delays or refusal to provide full UBO transparency.
Disproportionate Capital Flows: Transactions inconsistent with expected size, geography, or investor profile.
Third-Party Administrators: Lack of oversight or missing CDD documentation from delegated onboarding partners.
Rapid Account Movements: Opening and closing fund accounts within short timeframes without business rationale.
Cross-Jurisdictional Transfers: Movement of subscription or redemption proceeds through high-risk or secrecy jurisdictions.
Outcome:
Promotes early detection and escalation of atypical fund activity, reinforcing AML governance specific to the Bank’s fiduciary and investment-fund clientele.
Quality Assurance & Continuous Improvement
Purpose:
Ensure consistency, accuracy, and ongoing effectiveness of the onboarding, CDD, and EDD processes through structured quality review, feedback, and improvement cycles.
Key QA Objectives:
Validate that KYC files, documentation, and approvals meet internal policy and regulatory standards.
Detect and remediate procedural or data integrity gaps.
Promote continuous learning and accountability across onboarding teams.
Ensure audit and exam readiness for CDD/EDD-related processes.
Quality Review Components:
Sampling: Periodic QA review of CDD/EDD files based on risk tier and portfolio size.
Testing: Validation of data accuracy, completeness, and escalation evidence.
Findings Tracking: Documenting deficiencies, root causes, and corrective action status.
Feedback Loop: Results communicated to Operations, Compliance, and Training for process enhancements.
Metrics Dashboard: Integration of QA KPIs into AML oversight reporting.
Key Metrics (KPIs):
% of onboarding files reviewed with no material findings.
% of high-risk customer reviews completed within SLA.
Risk rating variance rate between QA and Operations.
Turnaround time for remediation closure.
Repeat findings trend by business line or jurisdiction.
Outcome:
A proactive quality framework that ensures the Bank’s customer due diligence process remains accurate, effective, and regulatorily defensible.
Documentation Standards & Recordkeeping
Purpose:
Define consistent standards for documentation collection, validation, and retention to support audit trails, regulatory review, and effective risk management.
Core Documentation Requirements
Minimum KYC Documentation:
• Government-issued ID or registration certificate
• Proof of address or principal place of business
• Tax identification or regulatory license (where applicable)
• Ownership and control documentation (UBO declarations, org charts)
EDD Documentation Enhancements:
• Source of wealth and source of funds verification
• PEP/Adverse media search results
• Additional due diligence reports or independent verifications
Recordkeeping & Retention
Retention Period: Minimum 5 years after account closure or last transaction (per 31 C.F.R. § 1010.430).
Storage: Centralized digital repository with access controls, encryption, and audit logging.
Version Control: Updates tracked through metadata (date, preparer, approver).
Accessibility: Records must be retrievable within 72 hours of regulatory request.
Evidence Integrity Controls
Maintain read-only copies of approved files to prevent alteration.
Apply dual approval before archiving EDD records.
Conduct periodic reconciliation between onboarding systems and document repository.
Outcome:
Creates a defensible audit trail that supports regulatory reviews, minimizes operational risk, and reinforces transparency across the Bank’s customer lifecycle.
Ongoing Monitoring & Periodic Reviews
Purpose:
Ensure customer risk profiles remain accurate and aligned with evolving behavior, ownership, and regulatory expectations through structured review cycles and event-driven monitoring.
Core Principles
Dynamic Risk Management:
Customer risk rating must reflect current information—not only onboarding data.
Continuous Surveillance:
Periodic reviews, triggered reviews, and transaction monitoring work together.
Documentation Discipline:
All reviews, findings, and escalations must be logged and retrievable.
Out-of-Cycle Review Triggers
Material change in ownership or control
Adverse media or new enforcement action
PEP status change or sanctions designation
Unusual transaction patterns or volume spikes
Correspondent or nested account exposure
Integration with Monitoring Systems
Automatic alerts flow from the Bank’s transaction monitoring and sanctions screening platforms into CDD review queues.
Exceptions prompt risk re-scoring and escalation to Compliance.
Outcome:
Promotes a living KYC framework—keeping risk ratings current and defensible while aligning ongoing monitoring with regulatory scrutiny.
Appendices & Tools
Purpose:
Provide ready-to-use operational templates and reference materials to support consistent application of onboarding, CDD, and EDD procedures across the Bank.
Included Tools:
Customer Onboarding Checklist – Step-by-step workflow for CIP, CDD, and approvals.
Risk Scoring Worksheet & Calculator – Standardized model for tiering and review scheduling.
EDD Investigation Checklist – Documentation and approval guide for high-risk customers.
Periodic Review Template – Used for out-of-cycle and scheduled refreshes.
Escalation & Approval Matrix – Defines authorities and decision levels.
Documentation Reference Table – Summary of required forms and records.
Sample Case Studies – Illustrations of onboarding risk scenarios for training use.
Outcome:
These resources ensure that all onboarding and review activities are consistent, well-documented, and traceable, reinforcing accountability and regulatory readiness across the Bank’s customer lifecycle.