Customer Due Diligence (CDD) & Know Your Customer (KYC): When a New Client Raises Old Red Flags

May 15 / Leonard Nwogu-Ikojo
In this fictional case study, what began as a standard client file review led Luc Dubois, Senior Compliance Officer at FinTruex, into a complex case involving nominee shareholders, shell companies, and sanctions exposure. This article explores how Luc applied KYC and CDD principles in practice, recognized triggers for Enhanced Due Diligence under AMLD5, and took decisive action to protect his firm from regulatory and reputational risk. A must-read for compliance professionals navigating real-world AML challenges.

This article is intended for educational and informational purposes only and does not constitute legal, regulatory, or professional compliance advice. The scenario and recommendations provided are illustrative and may not capture all applicable requirements or risks in specific cases. Readers should follow their organization’s internal policies, data protection requirements, and seek professional advice tailored to their circumstances.

Luc Dubois, Senior Compliance Officer at FinTruex, a fintech firm based in Lyon, France, was reviewing new client onboarding files when he encountered a troubling submission. EU Reiczit Ltd, a logistics company registered in Malta, had provided documentation that initially appeared to be complete. However, upon closer examination, Luc discovered discrepancies: the declared beneficial owner was listed as a nominee shareholder linked to several dormant companies in Croatia, and the company’s reported turnover did not seem to match its stated business activities.

Sensing potential risks, Luc quickly initiated an internal compliance review in accordance with FinTruex’s due diligence protocols. Utilizing the company’s compliance tools and publicly available records, he conducted a more thorough investigation. His enhanced screening revealed a concerning link: a shell company affiliated with EU Reiczit Ltd had previously been flagged in publicly available sanctions records, connected to restricted trade routes in the Middle East.

What had started as routine onboarding was rapidly evolving into a serious compliance challenge. Under the EU’s Fifth Anti-Money Laundering Directive (AMLD5), Luc recognized that these indicators necessitated Enhanced Due Diligence (EDD). He now faced a critical decision on how to proceed—balancing regulatory compliance with the firm’s commercial interests.

Understanding and Applying CDD & KYC in Practice

Customer Due Diligence (CDD) and Know Your Customer (KYC) are essential components of anti-money laundering (AML) compliance. Regulated firms must:

  • Verify customer identities using reliable, independent sources (e.g., passports, company registries).
  • Identify beneficial owners—the individuals who ultimately own or control the entity.
  • Understand the purpose and intended nature of the business relationship.
  • Monitor transactions and customer profiles on an ongoing basis.

Under AMLD5, these measures are mandatory across the EU for financial institutions and other regulated entities.

When is Enhanced Due Diligence (EDD) Required?

Luc’s investigation revealed several triggers for EDD:

  • Opaque ownership structures or nominee shareholders.
  • Involvement of shell companies in jurisdictions associated with elevated AML risk (see the EU and FATF lists of high-risk jurisdictions).
  • Links to entities listed in sanctions databases (e.g., OFAC, EU Consolidated List).
  • Inconsistencies or unexplained discrepancies in submitted documentation.

When such risk factors are present, regulators expect firms to conduct deeper inquiries—not just procedural checks.

Luc’s Next Steps: A Compliance Roadmap

In response to the findings, Luc took decisive action to uphold the firm’s compliance obligations while maintaining business integrity:

  • Paused onboarding until all identified red flags could be investigated and resolved.
  • Conducted enhanced background checks using FinTruex’s compliance systems and open-source research.
  • Verified beneficial ownership through official registries, and considered requesting notarized declarations.
  • Escalated findings internally through compliance and legal channels, ensuring confidential handling within authorized teams.
  • Prepared to file a Suspicious Transaction Report (STR) should the findings warrant it.
  • Documented each step meticulously to maintain a defensible audit trail.

Why It Matters

CDD and KYC are vital safeguards for protecting the financial system. Weak due diligence exposes firms to regulatory fines, legal penalties, and reputational harm. For instance, in 2022, a Dutch bank faced a €480 million fine for systemic AML compliance failures, largely due to inadequate customer due diligence.

By taking a thorough, proactive approach, Luc ensured that FinTruex met its compliance obligations without unnecessarily hindering legitimate business opportunities. His actions positioned the firm to effectively manage both regulatory and commercial risks.

Data Protection Consideration

In executing CDD, KYC, and EDD activities, firms must ensure that all collection, processing, and handling of personal data comply with applicable data protection laws (e.g., GDPR, UK GDPR). Sensitive data should only be accessed by authorized personnel, with safeguards for confidentiality, secure storage, and lawful international transfers.

Conclusion

KYC and CDD are dynamic, risk-based processes, not static checklists. Compliance professionals play a critical role in rigorously applying these measures, balancing regulatory requirements with business needs while safeguarding organizational integrity.