Article

Overview: How to comply with GDPR

Get a comprehensive overview of GDPR compliance, with practical steps and guidelines to ensure your business adheres to EU regulations.
January 25, 2024
5 min read

What is good GDPR handling?

Does your business have a good handle on GDPR and on how you process personal data?

Virtually all businesses that come into contact with personal data are subject to local laws and regulations. In the EU and EEA that means GDPR. For this reason it’s important that you know the requirements for how you correctly process personal data.

Below you can read about the EU regulation and how it applies to personal data, as well as a few tips on best practice for processing personal data:

  • What is the General Data Protection Regulation (GDPR)?
  • What businesses are subject to GDPR?
  • What is a Data Manager and a Data Processor?
  • What is a DPO (Data Protection Officer)?
  • How to comply with GDPR
  • Storing personal data – when and for how long?
  • Rights of private individuals
  • Ongoing audits and the principle of accuracy

What is the General Data Protection Regulation (GDPR)?

GDPR, or the General Data Protection Regulation, is the EU regulation on data protection and privacy that applies throughout the European Union and the European Economic Area.

The regulation applies to all processing of personal data, including transfers of personal data out of the EU and EEA. It was adopted in 2016 and has applied since 25 May 2018.

Its official name is:

“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”

As an EU regulation (not a directive) it is directly applicable law in every EU and EEA country; unlike a directive, it does not have to be transposed into national law before it binds businesses.

That said, GDPR contains a number of so-called opening clauses that let, or require, each country to supplement it with national rules (for example on employee data, national identification numbers and the age of digital consent), so there are variations and minor differences from country to country. GDPR acts as the common framework that the individual country then builds on.

Oversight: Each EU and EEA country has its own supervisory authority (data protection authority). These authorities enforce GDPR, handle complaints and guide public bodies, businesses and organizations on how to be GDPR-compliant, and they coordinate with each other through the European Data Protection Board.

Which businesses are subject to GDPR?

GDPR applies to virtually all processing of personal data, i.e. any information that can be linked to or used to identify a specific person.

As the regulation is geographically tied to the EU and EEA, it only applies (Article 3):

  • When the data manager or data processor is established in the EU, regardless of whether the actual processing takes place inside or outside the EU.
  • When the person whose personal data is processed is in the EU and the processing relates to offering them goods or services (paid or free), or to monitoring their behavior within the EU, regardless of where the data manager or data processor is located.

To be concise: almost all businesses with a connection to the EU, whether through their own establishment or through their clients/customers, are subject to GDPR.

What is a Data Manager and Data Processor?

And what’s the difference?

According to GDPR it is essential to distinguish between two roles that both process personal data.

You are either a data manager (the GDPR's own term is “controller”) or a data processor.

There are different requirements for the two roles. That's why it's important to know which is which and who is who before you start to process personal data.

Data Manager

The data manager determines the purpose of the processing and the means by which personal data is processed. As data manager you are obligated to ensure that:

  • You have a legal basis for processing the specific personal data
  • You can give the registered persons access to their data, and answer their other requests, within the deadlines
  • You report personal data breaches to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, and notify the affected persons when the breach is likely to put them at high risk

Data Processor

As a data processor you process personal data solely on behalf of the data manager, and only on the data manager's documented instructions. You have no say over the purpose of the processing or the means used.

A data processor can, for example, be a hosting or software provider whose servers store the data, or a provider of some other automated processing of personal data, where the provider carries out the processing without deciding what the data is used for.

Because the relationship between data manager and data processor involves handing personal data over, a data processing agreement (Article 28) must be in place that clearly defines the relationship between the two. A template for this can be found on GDPR.eu.

What is a Data Protection Officer (DPO)?

There can also be a third role: DPO or Data Protection Officer. You might have come across this term before, but what does it mean? And should your business have a DPO?

The role of the DPO is to advise on the requirements of GDPR, monitor the organization's compliance, and act as the contact point for the supervisory authority and for the people whose data is processed. It's important to note that the DPO is not personally responsible for whether the business complies with GDPR or local law; that responsibility stays with the data manager (or data processor).

Public authorities and bodies are required to appoint a DPO, regardless of whether they are data managers or data processors. Private companies are obligated when processing personal data is a core work activity and that core work activity consists of either:

  • Regular and systematic monitoring of individuals on a large scale, or
  • Large-scale processing of sensitive personal data (“special categories of personal data”) or of data about criminal convictions and offences

Some countries have added national rules that require a DPO in further cases, so check the law where you are established.

When is processing of personal data a ‘core work activity’?

Most organizations perform some type of processing of personal data but GDPR differentiates between non-core work activities and core work activities.

Non-core work activities are, generally speaking, activities that support the core work activities. For example, most businesses come into contact with a certain amount of personal data about their own employees, and with personal data related to sales and different types of support. These are considered non-core work activities.

Under GDPR, processing of personal data is a core work activity when it is inextricably linked to what the business is there to deliver: the product or service cannot be provided without it. This could, for example, be:

  • Insurance companies whose product is tailored on the basis of personal data
  • Providers of market research
  • Search engines
  • Businesses related to headhunting of new employees

These are all examples of business activities that are centered around processing personal data, and where the output depends on the information obtained and processed.

How to comply with GDPR

GDPR necessitates a risk-based approach similar to, for example, anti-money laundering initiatives.

A risk-based approach means that, whether the business is a data processor or a data manager, you are obligated to assess the types of data the business stores or processes and the risks to the people the data is about. You then need to make sure that there are organizational and technical security measures in place that correspond to the assessed risks (Article 32 calls these “appropriate technical and organisational measures”).

Technical security measures

Examples include properly configured firewalls, timely patching of software and systems, encryption and pseudonymisation of personal data, access control, and a well-maintained IT infrastructure.

Organizational security measures

Examples include documented procedures, clear policies for handling personal data, rules for who gets access to what, training in correct data processing, and ongoing education of employees.

To comply with GDPR, businesses need to have:

  • Risk assessments
  • Policies and procedures
  • Audits and documentation

How do you perform a risk assessment?

Risk assessments will typically evaluate, or assess:

  • What types of data the business stores (there is, for example, a big difference in sensitivity between storing e-mail addresses and storing copies of passports)
  • The likelihood and consequences of a breach (for example, phishing, intrusion, or accidental internal disclosure of material containing personal data)
  • The security measures already in place to reduce those risks

On the basis of these factors you can assess whether the remaining risk is acceptable, or whether you need to implement new safeguards to reduce the risk of data being stolen or leaked.

You are also required to document your considerations and the resulting procedures: under the accountability principle you must be able to demonstrate compliance, not just achieve it.

Policies

Most businesses have set procedures and policies in place that streamline and systematize work activities. In the same way, it’s a good idea to define policies and procedures for the processing of personal data.

Typically you’ll divide personal data policies into whether they pertain to personal data about employees or clients/customers. A personal data policy for clients could, for example, contain the following:

  • A clarification of whether you’re acting as data manager or data processor.
  • Where the personal data is stored – on internal or external servers or storage units? If it's stored outside the EU/EEA, which transfer mechanism you rely on (an adequacy decision, standard contractual clauses or binding corporate rules) and what you did to ensure a sufficient level of security.
  • Whether you have a DPO, and if so, what the DPO’s assignment is and how you’ve secured the DPO’s position in the organization.
  • What the stated purpose for storing the data is, and specifically which legal basis you rely on and why the purpose is legitimate.
  • What your policy for deleting or erasing personal data is, and for how long you store data after the termination of a client/customer relationship.
  • Optionally, which technical and organizational security measures you’ve implemented to protect against data leaks, and how you’re planning to react in the case of a leak.

Business procedures

The business procedures should be in an internally accessible document written to support the workflow and procedures you've agreed upon. A business procedure is often a relatively detailed description of how you handle personal data, with specific procedures for how your business, in its day-to-day activities, ensures that unnecessary data is deleted, and for how you share data with others, whether colleagues or external data processors.

Audits and documentation

At the same time you need to be able to document that your processing of personal data is in accordance with GDPR and local law. You need, for example, to document how and when you delete personal data after the end of a business relationship.

A business can have multiple procedures regarding how and how often they delete data. But according to GDPR it’s essential that it’s written down or somehow documented, so that the proper regulatory agencies can audit your actions and thus ensure that you’re complying with GDPR.

The documentation requirement can be supported by IT solutions that can even automate some of the necessary processes.

Storing of personal data – when and for how long?

Businesses can store personal data as long as they:

  • Have a legal right to it.
  • Have a legitimate purpose for storing the data.

The legal basis for storing personal data (Article 6) is one of the following:

  • The business has obtained consent from the person whose personal data is being stored.
  • Storing the data is necessary to perform a contract with that person, or to take steps at their request before entering into one.
  • The law requires the data to be stored (a legal obligation, such as bookkeeping or anti-money laundering record-keeping).
  • Storing the data is necessary to protect someone's vital interests.
  • Storing the data is necessary for a task carried out in the public interest or in the exercise of official authority.
  • The business has a legitimate interest in storing the personal data, and that interest is not overridden by the interests or fundamental rights of the person the data is about.

Normally the business or public authority has a sufficient legal basis if just one of the above criteria is met. Sensitive personal data additionally requires one of the conditions in Article 9.

A legitimate purpose means a purpose that is specified, explicit and legitimate at the time the data is collected; the data may not later be used for something incompatible with that purpose.

Ask yourself: What is the purpose of storing the given personal data?

If you don’t have a legitimate purpose then the data needs to be deleted.

Example

Six months ago the company had a job posting for a legal assistant. They had many applicants but have since closed the entire department and do not plan to hire legal assistants again.

Does the business still have a legitimate purpose for saving resumés and applications? Here, the answer is no.

As long as a business has the legal right and a legitimate purpose, then the business can continue to store data. As soon as this is no longer the case, the data should be deleted.

Rights of private individuals

With GDPR, private individuals have a set of rights over the data businesses hold about them: the right of access (often called a subject access request), and the rights to rectification, erasure, restriction of processing, data portability and objection. For the right of access:

  • In principle, you have the right to access all personal data about yourself that the data manager is responsible for.
  • Requests are handled by the data manager. A data processor cannot grant access on its own, because it is not responsible for the data, but it must assist the data manager in answering.
  • The data manager must respond without undue delay and at the latest within one month (extendable by two further months for complex requests).

The data and information you can request includes:

  • A copy of the personal data itself
  • How and for what purpose your personal data is processed
  • Which categories of data are processed
  • Who the information is shared with
  • For how long the data is stored, or the criteria used to decide that
  • Where the personal data originates from, if it was not collected from you

This is to ensure that the data is verifiable and accurate and that the processing rests on a sound legal basis.
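The two sections above (storage limitation, and the right of access) can be supported by one personal-data inventory. The following Python is an added example, not Meo's software and not taken from the article: it assumes a constructed in-memory inventory with illustrative record fields, purposes and retention periods (the 5-year AML retention period is an assumption, as is the 30-day approximation of the one-month response deadline), and shows how a retention check produces an auditable deletion log and how an access request is answered from the same records.

```python
"""Personal-data inventory: retention check and access-request response.

Added example (not Meo's code). The inventory below is constructed; its record
fields, purposes and retention periods are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Legal bases of Article 6(1) GDPR, used as the allowed values for `legal_basis`.
LEGAL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
               "public_task", "legitimate_interests"}


@dataclass
class Record:
    subject_id: str                        # internal identifier of the data subject
    category: str                          # e.g. "contact details", "passport copy"
    purpose: str                           # the purpose the data was collected for
    legal_basis: str                       # one of LEGAL_BASES
    source: str                            # where the data came from (Art. 15(1)(g))
    recipients: list[str]                  # who it has been shared with (Art. 15(1)(c))
    collected: date
    purpose_ended: Optional[date] = None   # set when the purpose no longer exists
    retention: Optional[timedelta] = None  # statutory retention after purpose end, if any
    data: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.legal_basis not in LEGAL_BASES:
            raise ValueError(f"unknown legal basis: {self.legal_basis}")


def is_due_for_deletion(rec: Record, today: date) -> bool:
    """Storage limitation (Art. 5(1)(e)): keep data only while a purpose exists,
    or while a statutory retention period still runs after the purpose ended."""
    if rec.purpose_ended is None:
        return False
    if rec.retention is None:
        return True                        # purpose gone and no legal duty to keep it
    return today > rec.purpose_ended + rec.retention


def apply_retention(inventory: list[Record], today: date) -> tuple[list[Record], list[dict]]:
    """Return the records to keep plus an auditable deletion log (the documentation a
    supervisory authority can ask for). The data itself is not copied into the log."""
    kept, log = [], []
    for rec in inventory:
        if is_due_for_deletion(rec, today):
            reason = ("purpose ended, no retention duty" if rec.retention is None
                      else f"retention period expired {rec.purpose_ended + rec.retention}")
            log.append({"subject_id": rec.subject_id, "category": rec.category,
                        "deleted_on": today.isoformat(), "reason": reason})
        else:
            kept.append(rec)
    return kept, log


def access_response(inventory: list[Record], subject_id: str, today: date) -> dict:
    """Assemble what a data subject can request under Art. 15: purposes, categories,
    recipients, retention, source, and a copy of the data."""
    items = [r for r in inventory if r.subject_id == subject_id]
    if not items:
        return {"subject_id": subject_id, "records": []}   # say so explicitly; do not ignore
    return {
        "subject_id": subject_id,
        "records": [{
            "category": r.category,
            "purpose": r.purpose,
            "legal_basis": r.legal_basis,
            "recipients": r.recipients,
            "source": r.source,
            "retained_until": (
                "while the purpose exists" if r.purpose_ended is None else
                "deletion pending" if r.retention is None else
                (r.purpose_ended + r.retention).isoformat()),
            "copy": r.data,
        } for r in items],
        # Art. 12(3): answer within one month; approximated here as 30 days (assumption).
        "respond_by": (today + timedelta(days=30)).isoformat(),
    }


# Constructed sample inventory (fictitious persons; dates and periods are assumptions).
TODAY = date(2024, 1, 25)
SAMPLE = [
    Record("s-001", "contact details", "client relationship", "contract",
           "provided by the client", ["CRM provider (processor)"], date(2021, 3, 1),
           data={"name": "A. Example", "email": "a@example.invalid"}),
    Record("s-001", "passport copy", "KYC identity verification", "legal_obligation",
           "provided by the client", [], date(2021, 3, 1),
           purpose_ended=date(2023, 6, 30),              # client relationship ended
           retention=timedelta(days=5 * 365),            # AML record-keeping duty (assumed 5 years)
           data={"document_no": "L898902C3"}),
    Record("s-002", "job application", "recruitment for legal assistant", "legitimate_interests",
           "submitted by the applicant", [], date(2023, 7, 1),
           purpose_ended=date(2023, 8, 15),              # position closed, no further hiring
           data={"name": "B. Applicant", "cv": "..."}),
]

if __name__ == "__main__":
    kept, deletions = apply_retention(SAMPLE, TODAY)
    print(deletions)                                      # the job application is deleted
    print(access_response(kept, "s-001", TODAY))         # what s-001 gets back
```

Run as a script it prints the deletion log (one entry: the job application whose purpose ended without any retention duty) and the access response for s-001, which still lists the passport copy because the assumed AML retention period is running.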

Ongoing audit and the principle of accuracy

As a business you are obligated to make sure that the stored personal data is accurate and that wrong or false information is deleted.

This is also called the principle of accuracy.

The principle does not only revolve around the duty of deleting or correcting information that you’ve been informed is wrong. You also have an obligation to actively seek out and verify the accuracy of your data.

This could for example be done by you continuously comparing the data you obtain with searches in registries and databases with publicly available information, or that you periodically request verification from the individual that the information is about.

How thoroughly you need to verify the accuracy and authenticity of the information, and how often you need to repeat the process, depends on the data you are processing. The more sensitive the data, and thus the greater the harm to the person if it is wrong, the more procedures and fail-safes you need to put in place to protect against inaccurate data.

Cases at Meo

Meo has collaborated with many different companies that have benefited from the Danish software platform. Among them is the law firm Bech-Bruun, which recently commented on how the platform has given it clarity on the secure handling of information and data from new clients in accordance with GDPR.

This focus is something that is reflected in the opinions of our various partners and customers, who all believe that our software platform has created security for them in connection with the exchange of data and information with clients or partners.

We at Meo therefore help to create clarity over administrative tasks as well as the security of your business and the exchange of data.

Meo – Processing personal data easily and securely

If you’ve read along from the top, and have lost your breath over the challenges of working with GDPR and personal data, then you’re not alone.

Luckily, there are a number of good solutions for the business challenges of processing data.

Meo is a software platform that since 2015 has made it possible for businesses and individuals to exchange information in a transparent and secure way.

For businesses there are a number of benefits from using Meo:

Onboarding

Onboard your clients digitally on secure channels.

Validation

Setup your own requirements for validation of information.

Documentation

A full audit trail and overview of the performed actions and consent for processing.

Processing

Meo supports your compliance with the legal requirements of both GDPR and AML.

Article

Data protection: How to protect your clients' personal data and comply with GDPR

Learn how to protect your clients' personal data and ensure GDPR compliance with Meo's robust security solutions.
January 25, 2024
5 min read

A Business Obligation

Businesses that process personal data are obligated to protect that data. Data security is a foundational premise if you work in the financial sector, but it's also a necessity if you handle or process any form of personal data.

In this article we explain:

  • What is data protection?
  • Technical data protection
  • Organizational data protection
  • How to manage breach of data protection

With Meo you can simplify the process of protecting your clients' personal data, from first contact until the end of your business relationship. Our solution supports your compliance with GDPR and Anti-Money Laundering (AML) laws and regulations throughout the EU.


What is data protection?

Data protection is a catch-all term for all security measures and safeguards that protect your own – and your clients’ – data.

All businesses in the EU are obligated under GDPR (General Data Protection Regulation) to protect their customers’, employees’ and other partners’ data – including their personal data. This applies to both internal (people in the organization) and external (for example, hackers) parties.

It’s up to the business itself to implement sufficient safety measures that protect data. These safeguards are usually categorized as either:

  • Technical security measures or precautions
  • Organizational security measures or precautions

The appropriate degree or extent of such measures for your business is up to you, and must be proportionate to the risk to the people whose data you process. Where the processing is likely to result in a high risk to them (for example large-scale processing of sensitive data or systematic monitoring), you must carry out a Data Protection Impact Assessment (DPIA) before you start. You can find a template for a DPIA on GDPR.EU.

Furthermore, it’s important that you can document that you’ve installed or implemented the necessary measures, and that you subsequently and regularly evaluate whether they’re sufficient in order to protect the personal information you process.

There are a number of internationally recognized standards that support data protection, such as:

  • ISO/IEC 29151 (code of practice for protecting personally identifiable information)
  • ISO/IEC 29134 (guidelines for privacy impact assessment)
  • ISO/IEC 27001 (information security management systems)

They can be obtained from the International Organization for Standardization (ISO).

Whether you are a data manager or a data processor, be aware that following these standards and guidelines is not the same as complying with GDPR. For that reason it's important that you have a systematic, professional and structured approach to the job. If you process sensitive personal data (“special categories of personal data”) it may be necessary to add further protection measures.

Technical data protection

Technical data protection covers all safeguards that rely on digital tools and IT infrastructure: the controls implemented in the computers, networks and servers that hold or move the data.

This could, for example, be:

  • Firewalls
  • Passwords
  • 2-factor authentication
  • Encryption
  • Logging of data handling
  • Different administrative roles
  • Storing data in levels (so a breach doesn’t give access to all data)
  • Anti-virus
  • Backup
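As an added illustration of several items in the list above (pseudonymisation, separate administrative roles, storing data in levels, and logging of data handling), the following Python is example code, not Meo's platform and not from the article. The roles, the two stores and the sample record are constructed assumptions; encryption is left out only because the standard library has no AES, and in production the pseudonymisation key would live in a key-management service rather than being generated in the process.

```python
"""Tiered storage of personal data with pseudonymisation, role-based access and an access log.

Added example (not Meo's code). Roles, stores and the sample record are constructed assumptions.
Identity data and special-category data are kept in separate stores joined only by a keyed
pseudonym, so compromise of one store alone does not reveal whose sensitive data it is.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Secret key for the pseudonymisation function. In production it lives in a KMS/HSM, never
# beside the data; here it is generated at start-up so the example runs stand-alone.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256). Unlike a plain hash it cannot be
    reversed by guessing identifiers (e.g. enumerating national ID numbers) without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:32]


# Tier 1: identifying data (who). Tier 2: special-category data (what), keyed by pseudonym only.
IDENTITY_STORE: dict[str, dict] = {}
SENSITIVE_STORE: dict[str, dict] = {}
ACCESS_LOG: list[dict] = []

# Which roles may read which tier (administrative roles / clear distribution of access).
PERMISSIONS = {
    "onboarding_clerk": {"identity"},
    "case_handler": {"identity", "sensitive"},
    "auditor": set(),                      # may read the log, not the data
}


class AccessDenied(PermissionError):
    pass


def store(national_id: str, identity: dict, sensitive: dict) -> str:
    """Split one record across the tiers. Only the pseudonym links them; the raw
    national ID is not stored anywhere."""
    p = pseudonym(national_id)
    IDENTITY_STORE[p] = identity
    SENSITIVE_STORE[p] = sensitive
    return p


def read(user: str, role: str, p: str, tier: str, purpose: str) -> dict:
    """Read one tier of one record, enforcing the role's permission and logging every
    attempt (granted or denied) with who, what and why, as a breach investigation needs."""
    allowed = tier in PERMISSIONS.get(role, set())
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user, "role": role, "record": p, "tier": tier,
        "purpose": purpose, "granted": allowed,
    })
    if not allowed:
        raise AccessDenied(f"{role} may not read tier '{tier}'")
    source = IDENTITY_STORE if tier == "identity" else SENSITIVE_STORE
    return dict(source[p])                 # a copy, so callers cannot mutate the store


def denied_attempts(log: list[dict]) -> list[dict]:
    """The entries a security review looks at first."""
    return [e for e in log if not e["granted"]]


# Constructed sample record (fictitious person, fictitious ID number).
SAMPLE_ID = "010190-1234"
SAMPLE_PSEUDONYM = store(
    SAMPLE_ID,
    identity={"name": "A. Example", "address": "Example Street 1"},
    sensitive={"health": "allergy to penicillin"},   # Art. 9 data, hence tier 2
)

if __name__ == "__main__":
    print(read("alice", "case_handler", SAMPLE_PSEUDONYM, "sensitive", "case 42"))
    try:
        read("bob", "onboarding_clerk", SAMPLE_PSEUDONYM, "sensitive", "curiosity")
    except AccessDenied as e:
        print("denied:", e)
    print(denied_attempts(ACCESS_LOG))
```

The point of the split is that a leaked `SENSITIVE_STORE` contains health data without names, and a leaked `IDENTITY_STORE` contains names without health data; re-linking them needs the key. The log records denied attempts as well as granted ones, which is what you need when reconstructing who touched what after a suspected breach.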

Organizational data protection

Organizational data protection covers safeguards that involve people and processes. Data is secured by training employees and by following guidelines that prevent accidental errors and deliberate misuse of personal data.

This term applies to:

  • Procedures for data processing
  • Clear distribution of roles and access
  • Security courses
  • Education of employees
  • Risk- and consequence assessments
  • Action plans for breaches of personal data

How to manage breaches of data protection

No data protection is fail-safe and fool-proof.

This is also acknowledged by the GDPR itself and by most of the regulatory agencies responsible for enforcing it in the EU.

In order to minimize the damage of a breach, it's important that you have a clear action plan for when you suspect a breach of your security. This encompasses, but is not limited to, a clear division of responsibilities between data manager and data processor (the processor must notify the data manager without undue delay), how you inform affected clients when the breach is likely to put them at high risk, and clear guidelines for how you report breaches to the supervisory authority, which must happen without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

With Meo you get AML and GDPR compliant data protection

With Meo, you get a software platform that protects your clients’ data and ensures you comply with Anti-Money Laundering (AML) laws and regulations.

Furthermore, the platform helps you verify your clients’ identity so you comply with KYC and CDD. Get more information about our security by reading our Security Whitepaper.

Article

Data processing and GDPR

Essential guide to GDPR-compliant data processing, helping businesses navigate complex regulations effectively with Meo.
January 25, 2024
5 min read

Data Processing & Compliance

GDPR (General Data Protection Regulation) sets a high standard for data processing of personal data, and how you document your actions. For that reason it’s important that you know what personal data is and how they’re processed correctly.

In this article we dive deep into data processing and explain:

  • What is data processing and what is considered sensitive data?
  • What requirements does GDPR set for your data processing?
  • How do you process personal data correctly?
  • What’s in a data processing agreement?
  • What’s the difference between a data processor and a data manager?

What is data processing and what is sensitive data?

Data processing is any activity in which personal data is collected, registered, stored, analyzed, transmitted, deleted, sold etc. The term is defined so broadly that any contact with personal information is basically considered as data processing.

Data, in this case, is defined as formalized information that is typically handled by a machine or a computer.

Most businesses and organizations will, in one form or another, handle or process some type of data, most often personal data. The GDPR defines personal data as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Typically, personal data is divided into two categories under GDPR. Some countries also treat a third group separately, while others consider “confidential personal data” to belong with sensitive data.

  • General or ordinary personal data: names, e-mail addresses, place of residence, place of employment and other everyday factual information. Such data is still protected, even when it is publicly available.
  • Sensitive personal data (“special categories of personal data”, Article 9): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data used for identification, health data, and data about sex life or sexual orientation. This data can cause greater harm if misused and may only be processed under the conditions in Article 9.
  • Confidential personal data: national identification numbers, criminal records and similar information that GDPR leaves to separate rules (Articles 10 and 87) or that national law regulates separately.

What requirements does GDPR set for your data processing?

Under GDPR all personal data must be handled and processed lawfully, fairly and with care. The more personal or private the information, the more rules you have to uphold during the processing of the data.

If you want to know more about how you should protect your clients’ personal data, you can read our article about data security.

Here is a concrete example on what the GDPR demands of you when you process data: A business needs to verify whether a given name actually belongs to the client. This is a requirement under KYC as defined in the Anti-Money Laundering Directive. Here you are required to use authoritative data sources that verify the credibility of the information. You could for example do this by seeing a copy of their passport or driver’s license. You are then required to document that you’ve verified their identity. All of this data processing needs to happen in accordance with the GDPR.

Is there a difference between data handling and data processing?

Data handling and data processing is often used interchangeably.

However, you could say that data processing is the overall term for both data handling and data utilization.

Data handling can be seen as an almost passive or non-transformative processing of data, whereas with data utilization you do something with that data, such as analyzing, deleting or changing it.

How do you process personal data correctly?

In order to process personal data correctly, you need:

  • A legal basis and a legitimate purpose
  • Valid consent from the person whose personal data you're processing, if consent is the legal basis you rely on
  • A data processing agreement, if you use a data processor

A legal basis and a legitimate purpose are prerequisites whenever you process personal data. Which bases are available depends on whether you're processing general or sensitive personal data.

Consent is one of the possible legal bases, and when you rely on it, it needs to fulfill a number of requirements: it must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give. For sensitive personal data it must also be explicit. Furthermore, you need to be able to document that you obtained the consent correctly.

You do not need consent when another legal basis applies. This could be, for example, if the processing is necessary to perform a contract with the person, to protect their vital interests, or because the data manager has a legitimate interest that isn't overridden by the person's own interests and rights.

You can read more about consent on GDPR.eu.

Thirdly, when another party processes personal data on your behalf you need a data processing agreement. This is a contract between the data manager and the data processor that contains instructions for the data processor on how to process the information.

What’s in a data processing agreement?

A data processing agreement needs to give the data processor clear instructions on how the information should be handled and processed. It's a legally binding document that must be in writing, which includes electronic form.

The purpose of the agreement is to ensure that the personal data is treated and processed responsibly and securely. It must also set out how and when the data processor contacts the data manager if there's suspicion of a security breach or misuse. If your business is the data processor it's your responsibility to inform the data manager without undue delay about suspected misuse or data breaches.

As part of the instructions the data processor should also be required to make available the information needed to demonstrate compliance and to allow and contribute to audits. In practice this is often done yearly, or as agreed, through an audit report from an independent auditor.

You can find a template for a data processing agreement on GDPR.eu.

What’s the difference between a data processor and a data manager?

The data processor and the data manager are two different roles (one organization can be data manager for some processing and data processor for other processing, but never both for the same processing).

The data manager is the party that determines which data to process, to what purpose, and using which tools. The data manager defines the ground rules for how the data ought to be processed.

On the other hand, the data processor is the party that performs the actual processing on behalf of the data manager.

It’s important to separate the two, because they have different requirements. One party, the data manager, ensures that the data processing is GDPR compliant, whereas the other party, the data processor, takes responsibility for acting in accordance with the given instructions.

Easier data processing with Meo

With Meo you can easily find the information you need about your clients using a simple search. And personal data is deleted or properly archived, whenever a business relation ends.

The platform makes sure that you comply with GDPR and makes it easy to handle data for:

Onboarding

Onboard your clients using secure channels.

Validation

Determine your requirements for validation of information.

Documentation

Full log and tracking of actions and access.

Article

What is KYC (Know Your Customer)?

Delve into the essentials of 'Know Your Customer' (KYC), why it's vital for businesses, and its impact on financial compliance.
January 25, 2024
5 min read

KYC (Know Your Customer)

KYC is about knowing your customers and clients so your business can avoid getting involved with organizations that commit crimes, launder money or fund terrorism.

In this article we explain:

  • What is KYC (Know Your Customer)?
  • What type of businesses are subject to Anti-Money Laundering (AML) laws and regulations, as well as KYC?
  • What requirements does international law – including the EU Anti-Money Laundering directive – have regarding KYC?
  • How can your business make sure you know your customers & clients?

With Meo you get a thorough and easy-to-use Know Your Customer platform that, from first contact with your client until the customer relationship ends, can verify and document your clients' identity and perform a KYC check in real time.

Read more about the platform here or contact us to hear more about how we can help your company with KYC compliance.

What is KYC?

KYC is an abbreviation for “Know Your Customer.”

The term is especially used in finance, because banks, accounting firms, lawyers and private equity funds all have to document their clients' identity so that the authorities can trace where money is coming from and going to.

This is meant to prevent money laundering and the use of proceeds obtained by criminal means. If authorities and institutions are unable to supervise or audit the flow of money, it undermines confidence and trust in financial organizations and in companies whose business depends on stocks, investments and the wider financial market.

If you do not fulfill the demands of KYC, it can result in fines, penalties, sanctions, and even prison sentences. The exact amount or extent depends on local laws and regulations. A 2020 Financial Times article found that: “[...] AML fines in the initial six months of 2020 reached a total of $706m, compared with last year’s aggregate of $444m.”

What businesses and organizations are subject to the Anti-Money Laundering (AML) directive and KYC?

Many different types of businesses, including all companies and organizations involved in finance and the financial sector, are subject to anti-money laundering laws and regulations – and therefore KYC.

This applies, but is not limited, to:

  • Banks, financial institutions and merchant banking
  • Credit, currency exchange and securities businesses
  • Funds and stock brokers
  • Lending firms
  • Providers of financial leasing
  • Insurance companies
  • Accountants and accountancy firms
  • Providers of company formation and trust services (company service providers)
  • Lawyers and attorneys
  • Realtors
  • Businesses that trade in goods, to the extent that they make or receive cash payments of €10,000 or more

What requirements does the law and regulations have in regards to KYC?

The overall directives and regulations regarding knowing your customer are best exemplified in European law by the Anti-Money Laundering (AML) Directive. Among other things, it states that businesses need to perform risk assessments, verify the identity of their clients or customers, and report if they have suspicion of money laundering or other types of fraud.

Risk assessments are structured procedures, wherein you evaluate the risk as objectively as possible and approach each client individually, instead of treating them uniformly.

That means that you are required to have clear guidelines and policies in place regarding the risk of being involuntarily involved in money laundering and financial crimes, as well as supporting your employees with counseling and well-established procedures for when and how you are obliged to report money laundering, if you are not able to refute your suspicions.

In addition, you need to be able to document your vetting and verification of, among other things, your clients’ identity. It’s futile to perform an audit if you are unable to document your findings afterwards. A typical error is to manually assess copies of passports and driver’s licenses without keeping a record: it is necessary not only to vet the documents to ascertain their legitimacy, but also to document that you’ve performed the verification.

With a KYC Platform such as Meo you can automate much of the process, while simultaneously documenting that you are complying with GDPR and other data protection laws while handling personal data.

How do you perform an audit or check of your client’s identity?

Your vetting and verification check of your clients’ identity is built upon your risk assessment and the identified risk. Depending on the outcome, you can conduct the audit under a strict or a relaxed procedure.

Strict procedures for natural persons can, among other things, include a request for a copy of their passport, a physical meeting or further demands regarding the terms of your expected shared business.

If it’s regarding a legal entity, you can request founding documents, articles of association and make more comprehensive requirements for the description of the business scope.

A KYC check requires the retrieval of personal data documenting the client’s identity. As a starting point this includes name and social security number or legal entity identifier (LEI), depending on whether you’re assessing a person or a legal entity. With this method you can verify and check your client’s identity – and thereby comply with KYC standards.

This identifying information needs to be vetted via an independent and credible source. That means the documents need to be verified and compared with other registries or sources that can validate addresses, passports or names.

For both persons and legal entities you need to – if relevant – obtain information about the goal of the business venture and the extent of your relation.

How often do you need to check your client’s identity?

You need to vet your client’s identity at the start of every business venture – and if there are changes in your client’s circumstances, as well as at appropriate times.

With high-risk clients the procedure can be repeated once a year, whereas with low-risk clients a check every five years can suffice.

The extent of the KYC check depends on the risk assessment of the client. In cases where you assess that there is a low risk of money laundering, you can perform a more relaxed KYC check. You could, for example, choose not to obtain updated documentation, provided that the identification papers (ID) you received originally are still legally valid.

Remember to check for PEP (Politically Exposed Person)

As a consequence of the latest Anti-Money Laundering Directive from the EU, you are now also required to determine whether the person is a PEP (Politically Exposed Person).

Politically exposed people are individuals whose political position or relations make them a high-risk target for money laundering. That’s because they’re more likely to be exposed to blackmail or bribery, or to be involved in financial crime in some other way (voluntarily or under coercion).

Determining whether a person is a PEP can be done by cross-referencing with publicly available information and databases, also known as PEP lists.

It’s important to be aware that these lists are not sufficient on their own to indicate whether a person is considered a PEP – they’re only lists of the people that local governments have reported as explicitly politically exposed.

Spouses, business partners etc. of people on the PEP lists are also considered PEPs. That makes it especially difficult for businesses to comply with the PEP requirements without using external data sources that specialize in maintaining updated lists of all persons that can be defined as PEPs.

Meo works together with a number of external data vendors that have specialized in maintaining updated PEP lists covering a wide variety of nationalities and sectors.

Customer Due Diligence - What is CDD and its connection to AML?

Understand Customer Due Diligence (CDD) and its critical role in Anti-Money Laundering efforts with insightful explanations.
January 25, 2024
5 min read

Introduction to CDD

CDD, or Customer Due Diligence, is an important concept to know – especially for businesses that are subject to anti-money laundering laws, regulations, and directives. What is CDD in banking for example?

Following the EU’s latest money laundering directive (AML 5), which was issued in 2020, there have been a number of changes to money laundering laws in Europe. The biggest change is that businesses were obliged to transition to an anti-money laundering (AML) risk assessment model that demands more of businesses and of their ability to correctly assess their customers and client relationships – which is where CDD comes into the picture.

In this article we comprehensively explain what CDD is – and answer the most frequently asked questions about the subject.

What is CDD?

CDD is an acronym for ‘Customer Due Diligence’.

The term applies to all procedures that a business uses to verify the identity of their customers or clients, as well as assess their background information and risk level. A number of these activities need to be completed before the potential client actually signs a legal contract and becomes a client.

Both individuals and other businesses can be subject to a CDD investigation.

Why is Customer Due Diligence important?

There are quite a few good reasons for a business to have proper Customer Due Diligence procedures and checklists in place when it needs to assess potential clients:

  • To protect your business against potential risks.
  • To make the best possible decisions as a business.
  • To comply with current laws and regulations.
  • To guard the business against deception and malpractice, such as identity theft.
  • To help the business identify unusual behavior among its clients.

For these reasons, a procedure regarding Customer Due Diligence is a necessary tool for many businesses, in particular businesses subject to anti-money laundering laws and regulations.

Read more about the Danish Anti-Money Laundering Act (Hvidvaskloven).

Customer Due Diligence checklist

What is CDD, and how do you handle this process? CDD data consists of information regarding a customer or client that makes it possible to assess to what extent the client might put the business at risk of being misused for money laundering or the financing of terrorism.

This data can – among other things – consist of:

1. The client’s identity

Names, photos, addresses, and birth certificates can all be used to identify a client.

2. Background check

Part of the initial CDD also includes PEP screening, which assesses whether the client is a so-called PEP (Politically Exposed Person). It can also involve investigating whether the client has been or is involved in scandals or other troubling activities (information that is typically publicly available). This is called Adverse Media Screening.

3. Ownership

If your client is a company or organization, it’s important to ascertain ownership of the business: who owns the business? If ownership is shared, who owns how many shares of the business?

4. Customer relationship

It’s equally important to understand and get an overview of the professional relation between you and your potential client. What is the nature of this relation? What is the purpose of the partnership?

Enhanced Due Diligence (EDD) for high-risk clients

Certain clients – for example, PEPs – have a higher risk profile than others. In these cases, it’s important to implement procedures defined as Enhanced Due Diligence (EDD).

With Enhanced Due Diligence you investigate the potential client’s:

Legal matters

Has the person or business previously been convicted, or involved in a crime? Are there any contractual relations that need to be accounted for? Questions like these illustrate the importance of Customer Due Diligence and Enhanced Due Diligence.

Finances and taxes

What do their financial statements look like? Are there any obvious tell-tale signs of illegal activities?

Shares

Does everything add up when it comes to the person’s or business’s physical holdings and assets, including offices and production facilities?

On-going control and assessment

You can implement an enhanced, on-going control and surveillance of the client’s business.

Who can benefit from a Customer Due Diligence checklist?

There are different types of companies and organizations that can benefit from using Customer Due Diligence checklists as part of their KYC processes. These include, among others:

  • Companies dealing with customers in general

Such companies can benefit from having a CDD checklist to help them avoid legal or financial problems that may arise from not conducting thorough due diligence on customers. By following the steps in the above checklist, the company can ensure that the necessary precautions are taken to avoid potential risks and problems.

  • Businesses obliged to comply with AML rules

Anti-money laundering (AML) regulations require businesses to put in place additional measures to prevent the financing of criminal activities. Part of these regulatory requirements is the completion of CDD. By using a checklist, businesses can make sure they are compliant with AML rules on an ongoing basis.

  • Any organization or financial institution that wants to protect itself from the financial risks associated with customers

Documentation that helps companies identify and assess potential threats from their customers can be quite beneficial. By putting proper measures in place to mitigate these risks, businesses can protect themselves from any financial losses that may arise as a result.

What are the risks of not completing a Customer Due Diligence checklist?

First of all, your company could end up being liable for any losses incurred by the other party as a result of your company’s negligence.

Secondly, your business may be subject to civil or criminal sanctions if it is discovered that you have participated in money laundering or other financial crime, even if unknowingly.

Thirdly, your company may miss important information about the other party that could be crucial to a decision-making process.

Finally, your company may be blacklisted for non-compliance with regulatory requirements or by financial institutions if it turns out that business has been conducted with individuals or entities in high-risk categories.

Customer Due Diligence in connection to money laundering

CDD procedures are invaluable for businesses that are subject to Anti-Money Laundering (AML) laws and regulations, as they’re necessary to conduct the individual clients’ risk assessments.

In many cases there is a need for both CDD (Customer Due Diligence) and KYC (Know Your Customer) information in order to get a proper overview of the client’s risk profile and simultaneously verify their identity. The business’ KYC procedure describes what tasks are necessary to perform before the business can credibly say that it knows its client.

For example, CDD and KYC procedures are necessary for:

1. New clients

Before a potential new client becomes an actual client, their identity needs to be verified and undergo a risk assessment.

2. Single transactions

Businesses in the financial sector as well as banks are required to investigate and evaluate whether clients are demonstrating suspicious behavior. This could for example be when making a substantial transaction or when dealing with high-risk countries.

3. Suspicion of money laundering

A thorough background check of the client is also necessary if you have a suspicion that they might be involved in criminal activities, such as money laundering.

4. Faulty or lacking documentation

If a client is unable to provide valid or approved identity documents, then the business needs to perform a CDD check.

Streamline your Customer Due Diligence procedure with Meo

Meo is a software platform developed to handle information and data about your clients in a secure and centralized fashion.

With Meo you get:

A safe and automated onboarding

You can define and obtain the required information from your clients – directly in the platform.

A comprehensive overview

All relevant information about your clients is stored in one easy-to-use platform. It gives you a complete overview and ensures that you’re compliant with GDPR. You can also tag clients for easy organization.

Automated processes

With Meo it’s possible to integrate processes that automatically screen your clients against PEP lists.

What are some of the warning flags when it comes to CDD?

Warning flags that appear during a Know Your Customer (KYC) check should be carefully examined before making a decision on whether to initiate or continue the business relationship. These warning flags can vary from company to company and industry to industry, but common warning flags to look out for during a CDD check include, for example:

  • Customer information provided does not match the documentation available in the audit
  • If the ownership picture is unclear or includes foreign companies and/or persons
  • There is a lack of registration of a beneficial owner
  • One or more of the company’s representatives are on PEP or sanctions lists
  • If the company’s representatives are involved in other companies that are assessed as high risk
  • If the industry in which the business operates is particularly prone to money laundering, such as cryptocurrency trading or bookmaking and betting
  • If the company’s activities include cash handling

And the list goes on and on. However, the most important thing is to be aware of and responsive to customer information and behavior to avoid unnecessary risk.
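The warning flags above, together with the review cadence described in the KYC article (high-risk clients re-checked yearly, low-risk clients every five years, and always when circumstances change or the original ID is no longer valid), can be turned into a small screening routine. The following is an added example and not Meo’s code: the customer record fields, the rule that turns flags into a risk tier, the flags that trigger Enhanced Due Diligence on their own and the two-year interval for medium risk are assumptions made for this illustration; the flags and the one-year and five-year intervals come from the articles.

```python
"""Rule-based CDD red-flag screening with a risk-based review schedule.

Added example, not Meo's code. The Customer fields, the tiering rule, the
EDD_TRIGGERS set and the medium-risk interval are assumptions; the flags
and the high/low review intervals follow the articles.
"""
from dataclasses import dataclass
from datetime import date

# Industries the article names as particularly prone to money laundering
HIGH_RISK_INDUSTRIES = {"cryptocurrency trading", "bookmaking and betting"}


@dataclass
class Customer:
    name: str
    industry: str
    cash_handling: bool = False
    ownership_clear: bool = True
    foreign_owners: bool = False
    beneficial_owner_registered: bool = True
    representative_on_pep_or_sanctions_list: bool = False
    representative_in_high_risk_companies: bool = False
    info_matches_documents: bool = True


def red_flags(c: Customer) -> list[str]:
    """Return the warning flags from the article that apply to this record."""
    flags = []
    if not c.info_matches_documents:
        flags.append("information does not match documentation")
    if not c.ownership_clear or c.foreign_owners:
        flags.append("unclear or foreign ownership")
    if not c.beneficial_owner_registered:
        flags.append("no registered beneficial owner")
    if c.representative_on_pep_or_sanctions_list:
        flags.append("representative on PEP or sanctions list")
    if c.representative_in_high_risk_companies:
        flags.append("representative involved in high-risk companies")
    if c.industry.casefold() in HIGH_RISK_INDUSTRIES:
        flags.append("high-risk industry")
    if c.cash_handling:
        flags.append("cash handling")
    return flags


# Flags that on their own call for Enhanced Due Diligence (assumed policy)
EDD_TRIGGERS = {
    "representative on PEP or sanctions list",
    "information does not match documentation",
}


def risk_tier(flags: list[str]) -> str:
    """Assumed tiering: any EDD trigger, or three or more flags, is high risk."""
    if any(f in EDD_TRIGGERS for f in flags) or len(flags) >= 3:
        return "high"
    return "medium" if flags else "low"


# Review intervals in years: high and low from the KYC article, medium assumed
REVIEW_INTERVAL_YEARS = {"high": 1, "medium": 2, "low": 5}


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def next_review_due(tier: str, last_review: str, id_expiry: str) -> str:
    """Scheduled review date (ISO strings), capped by ID expiry: the ID received
    originally may only be reused while it is still legally valid."""
    scheduled = _add_years(date.fromisoformat(last_review), REVIEW_INTERVAL_YEARS[tier])
    return min(scheduled, date.fromisoformat(id_expiry)).isoformat()


def review_required(tier: str, last_review: str, id_expiry: str, today: str,
                    circumstances_changed: bool = False) -> bool:
    """Re-check at the scheduled date, or immediately when circumstances change."""
    return circumstances_changed or today >= next_review_due(tier, last_review, id_expiry)


if __name__ == "__main__":
    # Constructed sample record, not a real customer
    sample = Customer("Sample Trading ApS", "cryptocurrency trading",
                      cash_handling=True, foreign_owners=True,
                      beneficial_owner_registered=False)
    flags = red_flags(sample)
    tier = risk_tier(flags)
    print(tier, flags)
    print("next review:", next_review_due(tier, "2024-01-25", "2030-01-01"))
```

The tiering rule is where a real policy would differ; what matters is that the flags are evaluated the same way for every record and that the result, including the scheduled review date, is stored alongside the documentation the KYC article says you must keep.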

Who is Meo?

Who are we at Meo and why do we help with CDD in banking and other organisations and fields?

At Meo we work with KYC procedures and Customer Due Diligence in several different institutions and organisations. Our previously mentioned software-as-a-service helps to streamline these processes and handle data and exchanges correctly and securely in compliance with GDPR.

We have for many years worked with several types of organisations with everything from AML, data security, compliance checks, PEP lists and general knowledge sharing within RegTech. Our digital solution assists with efficient CDD by checking PEP-lists and thorough background checks.

You are very welcome to contact us to learn more about our software and digital solutions, as well as our onboarding. Sign up to receive our newsletter, where we regularly send information and knowledge sharing on everything from ’what is CDD and how to be aware of money laundering’.


What is a PEP (Politically Exposed Person)?

Explore what a Politically Exposed Person (PEP) is, their role in compliance, and the importance of PEP identification in financial security.
January 25, 2024
5 min read

Learn what a Politically Exposed Person list is.

PEPs, or Politically Exposed Persons, are individuals who are involved in politics or hold high office in governments, just to mention a few examples.

If your business is subject to Anti-Money Laundering (AML) laws and regulations, it’s important that you can determine whether you’re involved with PEPs, as they often come with a higher risk of money laundering and financing of terrorism.

On this page we try to answer ‘what is a PEP’, and all other questions regarding the Politically Exposed Person list:

  • What is a PEP (Politically Exposed Person meaning)?
  • How does a PEP list work?
  • What do you need to do as a business if you have a client who is a PEP?
  • How the Meo platform can help you check your clients’ identity and do PEP screenings
  • Fight financial crime with thorough PEP screenings
  • Recent changes in PEP legislation
  • Identification of PEPs

What is a PEP?

What is the meaning of PEP? A PEP (Politically Exposed Person) is an individual who has a high-ranking job in a government or some other type of political position. In other words, it’s a person who possesses a certain form of political and institutional power.

Because of that power they’re considered high risk in relation to money laundering, blackmail, bribery and other types of corruption – both voluntary and involuntary. Spouses, family and close business partners are also considered PEP, as their relationship can be exploited by criminals to pressure the person in the position of power.

Examples of PEP typically include:

  • Politicians
  • Leaders of government or state
  • Judges and members of the court
  • High-ranking members of the Central Bank
  • Ambassadors
  • High-ranking officers in the Defense Forces
  • Spouses and children of the people above
  • Close business partners and connections of the people above

The Anti-Money Laundering Directive requires all businesses subject to the directive to be extra careful when they have clients or customers who are PEPs – and who therefore constitute an elevated risk.

It can be difficult for businesses to evaluate, by themselves, whether a current or potential client is a PEP. For that reason EU governments have established lists of present and former PEPs, the so-called PEP lists.

What is a PEP list?

A PEP list is an overview of people who are presently or have formerly been classified by the EU as a Politically Exposed Person. But, what does a Politically Exposed Person mean?

The purpose of the Politically Exposed Person list is to make it easier for businesses to assess whether their clients are subject to aggravated circumstances. Every European government has its own PEP list that they maintain.

It’s important to note that the lists are not seen as sufficient evidence of PEP status. It’s possible that a person is considered a PEP despite not appearing on the list, or if they have not yet been added.

The fact that the Politically Exposed Person lists are incomplete – as well as the fact that spouses, close business partners, amongst other examples, are also considered PEPs – makes it difficult for businesses to live up to the PEP requirement without accessing external data sources that have specialized in maintaining updated lists with all people defined as PEPs.

In these cases, a platform like Meo can help. With our AML solution you can quickly and easily perform PEP checks of clients and customers by screening a number of PEP lists all over Europe.

What do you need to do as a business if your client is a PEP?

If you get involved with a PEP client, you need to conduct an enhanced KYC check (meaning Know Your Customer) and implement greater supervision and more audits of their business venture.

You can read more about how to conduct an enhanced KYC check in our article about KYC (Know Your Customer).

The audit itself can, among other things, consist of your company investigating their financial transactions more carefully as well as evaluating your client relationship in relation to their current risk assessment.

Meo makes it easy to perform a security check and cross-reference with PEP lists

With Meo’s platform you can easily verify your clients’ identity and cross-reference with a number of well-established Politically Exposed Person lists. Furthermore, our platform ensures that your clients’ personal data is handled responsibly and in accordance with GDPR.

Fight financial crime with thorough PEP screenings

If you want to fight financial crime, you need to be aware of PEP lists. Employees and management must be able to identify PEPs and handle them correctly and safely in order to avoid financial crime.

On a global scale, bribery and corruption are major problems, and there are many examples of attempts to bribe or corrupt PEPs; therefore common international standards have been established to combat them. The definition of PEPs, as well as the requirements for handling PEP transactions, is determined by these international standards and by experience gathered over a number of years from authorities around the world.

Recent changes in PEP legislation

An important element of the new anti-money laundering rules is that companies must adopt a risk-based approach and conduct risk assessments of each individual customer relationship. This also applies to the rules on PEPs.

In addition, the knowledge and monitoring must be based on a risk assessment, meaning that companies must strengthen their efforts and monitoring of PEPs that are known to have a greater risk of exposure to money laundering, including bribery, etc.

Additional customer due diligence procedures and additional monitoring must be carried out as deemed necessary by the individual firm to ensure full compliance with the legislation.

Identification of PEPs

Rules on identification of PEPs are put in place as a preventive procedure and should therefore not be interpreted as stigmatizing PEPs as people engaging in criminal activities. Thus, companies have no grounds for refusing to proceed with a customer relationship or closing existing customer relationships solely on the fact that a person is a PEP or a close associate or business partner of a PEP.

PEPs should always be aware that they and their close associates and business partners may at any time be asked to explain or document their finances or other transactions.

Related parties and close collaborators

Related parties and close partners are not considered PEPs solely on the basis of their relationship with a PEP. However, they need to be identified because they may benefit from or be taken advantage of in relation to money laundering, corruption or bribery.

Related parties

The definition of a close relative of a PEP includes:

  • Parents
  • Spouse, cohabitant or registered partner
  • Children and their spouses, cohabitants and/or registered partners

This means that, for example, siblings, stepchildren and stepparents are not covered by the term.

Close partners

The definition of close business partners of a PEP includes:

  • A person who is the owner of a business or other legal entity together with one or more PEPs.
  • A person who has a close business relationship with one or more PEPs. For example, a trading partner.
  • A person who is the owner of a company or other legal entity established solely for the benefit of a PEP. This means that the person controls all the ownership interests or voting rights, etc. directly or indirectly.

This means that, for example, a person who merely participates in board work together with a PEP is not considered a close business partner.
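The screening logic implied by the PEP article, in which a match against a list is checked for the client and then for each declared relation, with family members and close business partners classified as the definitions above prescribe and siblings, stepchildren, stepparents and mere board colleagues left out, is shown in the following added example. It is not Meo’s code and does not use a real PEP list: the list entries, the person records, the birth dates and the relation labels are constructed for the illustration, and the name normalisation is an assumed approach for catching spelling variants.

```python
"""PEP screening that also classifies family members and close associates.

Added example, not Meo's code. PEP_LIST is a constructed stand-in for the
per-country lists the article describes; names, dates and relation labels
are invented. Which relations count follows the article's definitions.
"""
import unicodedata
from dataclasses import dataclass, field

# Constructed list keyed by normalised name and birth date. Real lists are
# incomplete (the article says so), so "not listed" is never clearance.
PEP_LIST = {
    ("anna example", "1970-05-04"): "member of parliament",
    ("bo sample", "1965-11-30"): "central bank board member",
}

# Close relatives per the article: parents, spouse/cohabitant/registered
# partner, children and the children's spouses, cohabitants or partners.
FAMILY = {"parent", "spouse", "cohabitant", "registered partner", "child",
          "child's spouse", "child's cohabitant", "child's registered partner"}
# Close business partners per the article.
CLOSE_ASSOCIATE = {"co-owner", "close business relationship",
                   "owner of entity for sole benefit of pep"}
# Relations the article explicitly says are not covered.
NOT_COVERED = {"sibling", "stepchild", "stepparent", "board colleague"}


def normalize_name(name: str) -> str:
    """Strip accents, case and surplus whitespace so spelling variants match."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


@dataclass
class Person:
    name: str
    birth_date: str                                  # ISO date; avoids name-only hits
    relations: list = field(default_factory=list)    # (relation label, Person)


def listed_role(p: Person):
    """Role string if the person is on the list, else None."""
    return PEP_LIST.get((normalize_name(p.name), p.birth_date))


def screen(customer: Person) -> dict:
    """Classify a customer as pep / family member / close associate / not listed."""
    role = listed_role(customer)
    if role:
        return {"status": "pep", "reasons": [f"listed as {role}"], "edd_required": True}
    reasons, family, associate = [], False, False
    for relation, other in customer.relations:
        other_role = listed_role(other)
        if not other_role:
            continue
        if relation in FAMILY:
            family = True
            reasons.append(f"{relation} of {other.name} ({other_role})")
        elif relation in CLOSE_ASSOCIATE:
            associate = True
            reasons.append(f"{relation} with {other.name} ({other_role})")
        elif relation in NOT_COVERED:
            reasons.append(f"{relation} of {other.name}: not covered, no action")
        else:
            reasons.append(f"{relation} of {other.name}: unknown relation, review manually")
    if family:
        status = "family member of pep"
    elif associate:
        status = "close associate of pep"
    else:
        status = "not listed"
    return {"status": status, "reasons": reasons, "edd_required": family or associate}


if __name__ == "__main__":
    # Constructed sample persons, not real individuals
    anna = Person("Ánna  EXAMPLE", "1970-05-04")
    spouse = Person("Carl Kunde", "1972-01-01", [("spouse", anna)])
    sibling = Person("Dina Kunde", "1975-01-01", [("sibling", anna)])
    print(screen(spouse))
    print(screen(sibling))
```

The status returned is deliberately not "PEP" for relatives and associates, matching the article’s point that they are identified because of the relationship rather than being PEPs themselves; both still lead to enhanced due diligence. Matching on birth date as well as name keeps a namesake born in a different year from being treated as a hit, while the normalisation catches accent and case differences between a document and a list entry.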