How does adopting a risk-based approach impact the CDD measures applied?

CDD should be based on risk. The amount of information and verification required depends on the level of financial crime risk, including ML, TF, and PF risk posed by the applicant for business or customer. Accordingly, an FI or DNFBP must first assess the risk and rate each applicant for business or customer. This initial customer risk assessment will help the FI or DNFBP determine how much information to collect and verify during the CDD process, including:

• the reduced simplified CDD measures that may be applied for low-risk applicants or customers (as described in the FAQ – What is Simplified Customer Due Diligence); and
• any additional enhanced CDD measures that must be applied for higher risk applicants or customers (as described in the FAQ – What is Enhanced Customer Due Diligence).

Not all customers within a risk category are the same, as they may pose different types of risks (e.g. higher risks based on geographic exposure, or higher risk based on business activities). Consequently, the level and type of CDD, enhanced CDD, or simplified CDD applied for an applicant for business or a customer should take into account the particular circumstances of each applicant for business or customer, on a case-by-case basis.