CDD must be risk-based, which means that service providers must ensure their CDD procedures adequately reflect the risk-sensitivity to money laundering or terrorist financing of their customers and business relationships and of their products and transactions. Service providers must be able to demonstrate that their CDD measures are proportionate to the money laundering and terrorist financing risks identified.
The Anti-Money Laundering Directive (AMLD5) lists factors that should be considered when determining risk sensitivity. An example of evidence of potentially elevated risks includes “products or transactions that might favour anonymity". This applies to virtual currencies. The Directive also mentions “non-face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures". DNB expects crypto service providers to explicitly consider these risk factors and to perform enhanced customer due diligence where necessary.
They are also responsible for making a risk analysis that fits their operational management. They must consider the risk factors that are specific to their organisation and services, i.e. they must take into account the products and services they offer and the types of transactions and distribution channels they facilitate. They must take measures to mitigate the risks identified.
The Directive also stipulates that service providers must consider customer-specific and geographic risk factors. The type of customer or the circumstances under which a business relationship is created may play a role here. It is the service providers’ responsibility to make an adequate assessment of these risks and adjust the intensity of their CDD measures to an appropriate level.
Enhanced customer due diligence involves additional measures on the part of the service provider to investigate the business relationship. The Wwft requires service providers to take reasonable measures to investigate complex or unusually large transactions, as well as unusual transaction patterns that do not seem to serve a clear economic or legal purpose. In such cases, the entire business relationship with the customer should be subjected to enhanced CDD.