FATF ¦ R.10 Customer Due Diligence

Recommendation 10: Getting customer due diligence right

Recommendation 10 of the FATF Standards puts Customer Due Diligence (CDD) at the center of anti-money laundering and counter-terrorist financing controls. Its aim is straightforward: know who your customer is, understand who really controls or benefits from the relationship (the beneficial owner), and maintain enough insight into the business purpose and activity to detect anomalies. The requirement applies when establishing a business relationship, carrying out occasional transactions above set thresholds, or when there is suspicion of money laundering or terrorist financing — regardless of any exemptions.

When suspicion arises: CDD and tipping-off

If a financial institution suspects that a transaction is linked to money laundering or terrorist financing, it should normally identify and verify the customer and beneficial owner and file a suspicious transaction report (STR) to the FIU under Recommendation 20. At the same time, institutions must avoid tipping off. Staff should be trained to recognize when pursuing CDD might alert the customer to a potential STR. In such cases, the institution may defer certain CDD steps and proceed directly to reporting, ensuring confidentiality is preserved in line with Recommendation 21.

Verifying persons acting on behalf of the customer

CDD is not limited to the named customer. Institutions must verify that anyone acting on a customer’s behalf is properly authorized and must identify and verify that person’s identity. This ensures that intermediaries, agents, or signatories are legitimate and traceable.

CDD for companies, partnerships, trusts, and similar structures goes deeper than obtaining basic registration details. Institutions must:

  • Identify and verify the customer’s legal existence, governing instruments, senior management, and registered/principal addresses.
  • Identify the beneficial owner and take reasonable steps to verify their identity.

For companies, this typically follows a cascading approach:

  1. Identify natural persons with a controlling ownership interest (e.g., above 25%, depending on local rules).
  2. If ownership control is unclear, identify natural persons exercising control through other means.
  3. If no natural person can be identified under the first two steps, identify and verify the senior managing official(s).

For trusts, institutions must identify the settlor, trustees, protector (if any), beneficiaries or class of beneficiaries, and any other natural person exercising ultimate effective control.

Listed companies subject to robust disclosure requirements — or their majority-owned subsidiaries — are generally exempt from identifying individual shareholders or beneficial owners, given the mandated transparency.
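The cascade above is easiest to see as code. The following is an added example, not part of the FATF text or of this article: it walks a small constructed ownership graph, multiplies fractions along each chain to find natural persons with a controlling interest, treats listed companies as exempt (their shareholders are not identified), and falls back to control through other means and then to senior managing officials. The 25% threshold, the data model, and every entity name are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed controlling-interest threshold; the text says "e.g., above 25%, depending on local rules".
CONTROL_THRESHOLD = 0.25


@dataclass
class Entity:
    """One node in the ownership graph (hypothetical data model for this example)."""
    name: str
    natural: bool                       # True for a natural person, False for a legal person
    listed: bool = False                # listed company with disclosure duties -> exempt
    owners: Dict[str, float] = field(default_factory=dict)   # owner name -> fraction held
    controllers: List[str] = field(default_factory=list)     # control "through other means"
    senior_officials: List[str] = field(default_factory=list)


def effective_ownership(registry: Dict[str, Entity], customer: str) -> Tuple[Dict[str, float], List[str]]:
    """Aggregate direct and indirect fractions held by natural persons (input to step 1).
    Fractions are multiplied along each chain; traversal stops at listed companies."""
    shares: Dict[str, float] = {}
    notes: List[str] = []

    def walk(name: str, fraction: float, path: frozenset) -> None:
        if name in path:                      # guard against circular holdings
            notes.append(f"circular ownership through {name}")
            return
        for owner, held in registry[name].owners.items():
            owner_entity = registry[owner]
            effective = fraction * held
            if owner_entity.natural:
                shares[owner] = shares.get(owner, 0.0) + effective
            elif owner_entity.listed:
                notes.append(f"{owner} is listed; its shareholders are not identified (exempt)")
            else:
                walk(owner, effective, path | {name})

    walk(customer, 1.0, frozenset())
    return {p: round(f, 4) for p, f in shares.items()}, notes


def resolve_beneficial_owners(registry: Dict[str, Entity], customer: str):
    """Cascade: (1) controlling ownership, (2) control by other means, (3) senior managing official.
    Returns (step_used, names, notes)."""
    shares, notes = effective_ownership(registry, customer)
    controlling = [p for p, f in shares.items() if f > CONTROL_THRESHOLD]
    if controlling:
        controlling.sort(key=lambda p: (-shares[p], p))   # largest holder first
        return 1, controlling, notes
    entity = registry[customer]
    if entity.controllers:
        notes.append("no controlling ownership interest; using control through other means")
        return 2, list(entity.controllers), notes
    notes.append("no natural person found under steps 1-2; falling back to senior managing official(s)")
    return 3, list(entity.senior_officials), notes


# Constructed sample registry (not real entities).
REGISTRY = {e.name: e for e in [
    Entity("Alice", natural=True),
    Entity("Bob", natural=True),
    Entity("Carol", natural=True),
    Entity("Dave", natural=True),
    Entity("Erin", natural=True),
    Entity("Global Listed plc", natural=False, listed=True),
    Entity("Nordic Midco", natural=False, owners={"Bob": 0.60, "Carol": 0.40}),
    Entity("Acme Holdings", natural=False,
           owners={"Alice": 0.30, "Nordic Midco": 0.60, "Global Listed plc": 0.10}),
    Entity("Nominee Co", natural=False),                 # nominee shareholder, no ownership data
    Entity("Opaque Ltd", natural=False, owners={"Nominee Co": 1.0}, controllers=["Dave"]),
    Entity("Foundation X", natural=False, senior_officials=["Erin"]),
]}

if __name__ == "__main__":
    for name in ("Acme Holdings", "Opaque Ltd", "Foundation X"):
        step, owners, notes = resolve_beneficial_owners(REGISTRY, name)
        print(f"{name}: step {step} -> {owners}; {notes}")
```

In the sample, Carol holds 40% of a company that holds 60% of the customer, so her effective 24% stays below the assumed threshold while Bob's 36% and Alice's 30% qualify; "Opaque Ltd" has only a nominee on its register and is resolved at step 2, and "Foundation X" at step 3. A real implementation would also record which step was used, since a step 3 result is itself a signal worth escalating.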

Beneficiaries of life insurance policies

For life or investment-linked insurance, institutions must collect beneficiary information as soon as beneficiaries are designated. If beneficiaries are specifically named, record their names; if designated by class or characteristics (such as “spouse” or “children”), collect sufficient detail to establish identity at payout. Verification occurs at payout. Where a beneficiary that is a legal person or arrangement presents higher risk, enhanced CDD should include identifying and verifying the beneficial owner at payout. Inability to meet these requirements should trigger consideration of an STR.

Bastian Schwind-Wagner

"Customer due diligence is essential to preventing the misuse of financial services; it requires clear identification of customers and beneficial owners and ongoing monitoring to detect unusual activity. Firms that apply proportionate, documented CDD measures reduce regulatory risk and strengthen their ability to report meaningful suspicions to the FIU.

A robust risk-based approach lets institutions focus resources where they matter most by combining enhanced measures for higher-risk relationships with sensible simplifications for low-risk cases. Proper training, escalation procedures, and controls to avoid tipping-off are critical to maintaining effective CDD without jeopardizing investigations."

Reliance on prior identification and timing of verification

Recommendation 10 does not require re-identification for every transaction. Institutions may rely on previously obtained identification, unless doubts arise — for example, a suspected offense or a material change in account behavior inconsistent with the customer’s profile.

Verification may be completed after establishing a relationship in limited situations where immediate processing is essential — such as rapid securities transactions or non–face-to-face onboarding — provided risk management controls are in place (transaction limits, enhanced monitoring) until verification is finalized.

Applying CDD to existing customers

CDD is not a one-off event. Institutions must apply CDD to existing customers based on materiality and risk, and refresh records at appropriate times, especially where previous measures were limited or data is outdated.

Risk-based approach: when to enhance, when to simplify

Recommendation 10 is implemented through a risk-based approach. Institutions assess customer, product, service, transaction, delivery channel, and geographic risk factors to determine whether to enhance or simplify CDD.

Higher-risk indicators can include:

  • Unusual relationship circumstances (e.g., unexplained geographic distance).
  • Non-resident customers, cash-intensive businesses, personal asset-holding vehicles.
  • Complex or opaque ownership (nominees, bearer shares).
  • Countries with inadequate AML/CFT controls, sanctions, high corruption, or terrorist activity.
  • Private banking, anonymous transactions, non–face-to-face onboarding without safeguards, or payments from unknown third parties.

Lower-risk indicators can include:

  • Regulated financial institutions and DNFBPs subject to effective AML/CFT supervision.
  • Listed public companies with robust beneficial ownership disclosure.
  • Public administrations.
  • Low-premium life insurance, pension policies without early surrender or collateral use, payroll-deducted retirement schemes.
  • Financial products designed with strict limits to promote inclusion.

Risk variables — such as account purpose, asset levels, transaction size, and relationship duration — adjust the level of scrutiny. A lower risk for identification and verification does not automatically translate to lower risk for ongoing monitoring.

Enhanced and simplified measures

Enhanced CDD for higher-risk relationships commonly involves:

  • Collecting more information on the customer, beneficial owner, and purpose of the relationship.
  • Assessing source of funds and source of wealth.
  • Obtaining senior management approval.
  • Increasing monitoring frequency and depth, and requiring first payments to come from an account in the customer’s name at a bank with comparable standards.

Simplified CDD, where justified by lower risk, can include:

  • Post-establishment verification under defined thresholds.
  • Less frequent updates to identification data.
  • Reduced ongoing monitoring based on sensible monetary limits.
  • Inferring purpose and nature from the product type rather than collecting detailed information.

Simplified measures are never allowed where there is suspicion of money laundering or terrorist financing, or where specific higher-risk scenarios apply.
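The risk-based decision described in the last few sections, written out as an added example (this is illustrative code, not an FATF or author-provided rule set). It maps the page's higher- and lower-risk indicators to an identification tier and a separate monitoring tier, applies the hard rule that suspicion or a specific higher-risk scenario bars simplification, and shows the caveat that lower identification risk does not automatically lower monitoring risk. The indicator names, the `MONITORING_VOLUME_LIMIT` risk variable and the `Profile` model are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Indicators taken from the page's higher-/lower-risk lists (identifier names are this example's own).
HIGHER_RISK: Set[str] = {
    "unexplained_geographic_distance", "non_resident", "cash_intensive_business",
    "personal_asset_holding_vehicle", "nominees_or_bearer_shares", "weak_aml_country",
    "private_banking", "anonymous_transaction", "non_face_to_face_without_safeguards",
    "unknown_third_party_payments",
}
LOWER_RISK: Set[str] = {
    "supervised_fi_or_dnfbp", "listed_company_with_bo_disclosure", "public_administration",
    "low_premium_or_pension_product", "financial_inclusion_product",
}
# Assumed risk variable: above this expected annual volume, monitoring is not simplified.
MONITORING_VOLUME_LIMIT = 100_000

MEASURES: Dict[str, List[str]] = {
    "enhanced": [
        "collect additional information on customer, beneficial owner and purpose",
        "assess source of funds and source of wealth",
        "obtain senior management approval",
        "increase monitoring frequency and depth",
        "require first payment from an account in the customer's name at a bank with comparable standards",
    ],
    "standard": ["identify and verify customer and beneficial owner", "ongoing monitoring"],
    "simplified": [
        "verify identity after establishment within defined thresholds",
        "update identification data less frequently",
        "infer purpose and nature from the product type",
    ],
}


@dataclass
class Profile:
    """Hypothetical onboarding profile used to drive the decision."""
    indicators: Set[str] = field(default_factory=set)
    suspicion: bool = False                 # ML/TF suspicion bars simplification outright
    specific_high_risk_scenario: bool = False
    expected_annual_volume: float = 0.0     # risk variable for the monitoring decision


def classify(profile: Profile) -> Dict[str, object]:
    """Return identification tier, monitoring tier and the measures that follow from them."""
    high = profile.indicators & HIGHER_RISK
    low = profile.indicators & LOWER_RISK
    if profile.suspicion or profile.specific_high_risk_scenario or high:
        identification = "enhanced"       # any higher-risk signal wins over lower-risk ones
    elif low:
        identification = "simplified"
    else:
        identification = "standard"

    # Lower risk for identification does not automatically mean lower risk for monitoring.
    if identification == "enhanced":
        monitoring = "enhanced"
    elif identification == "simplified" and profile.expected_annual_volume <= MONITORING_VOLUME_LIMIT:
        monitoring = "simplified"         # reduced monitoring justified by monetary limits
    else:
        monitoring = "standard"

    measures = list(MEASURES[identification])
    if monitoring == "simplified":
        measures.append("reduced ongoing monitoring within monetary limits")
    return {
        "identification": identification,
        "monitoring": monitoring,
        "measures": measures,
        "higher_risk_indicators": sorted(high),
    }


if __name__ == "__main__":
    print(classify(Profile({"private_banking", "non_resident"})))
    print(classify(Profile({"public_administration"}, expected_annual_volume=5_000_000)))
```

The decision and the indicators that drove it are returned together so they can be written to the customer file, which is the documentation the "Practical takeaways" section asks for.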

Thresholds and ongoing due diligence

The designated threshold for occasional transactions is USD/EUR 15,000, whether in a single operation or linked operations. Institutions must keep CDD records up to date and undertake periodic reviews, especially for higher-risk customers.
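The "single operation or linked operations" wording matters for occasional (walk-in) transactions: the threshold must be tested against a running total, not only against each operation. The following added example (not code from the article or the FATF) keeps a per-customer cluster of recent occasional transactions and reports the point at which CDD becomes required. The seven-day linking window and the sample transactions are constructed assumptions; the FATF threshold of 15,000 is the one stated on the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DESIGNATED_THRESHOLD = 15_000            # USD/EUR, as stated on the page
LINK_WINDOW = timedelta(days=7)          # assumed window for treating operations as linked


@dataclass(frozen=True)
class OccasionalTransaction:
    customer_ref: str      # reference for a walk-in customer without an established relationship
    at: datetime
    amount: float


def cdd_triggers(transactions: List[OccasionalTransaction]) -> List[Tuple[str, datetime, float]]:
    """Return (customer_ref, time, linked_total) for each point at which CDD becomes required:
    a single operation above the threshold, or linked operations in the window whose sum exceeds it.
    Once triggered, the running cluster is reset because CDD has now been applied."""
    open_cluster: Dict[str, List[OccasionalTransaction]] = defaultdict(list)
    triggers: List[Tuple[str, datetime, float]] = []
    for tx in sorted(transactions, key=lambda t: t.at):
        # Keep only operations that are still inside the linking window.
        cluster = [t for t in open_cluster[tx.customer_ref] if tx.at - t.at <= LINK_WINDOW]
        cluster.append(tx)
        total = sum(t.amount for t in cluster)
        if tx.amount > DESIGNATED_THRESHOLD or total > DESIGNATED_THRESHOLD:
            triggers.append((tx.customer_ref, tx.at, round(total, 2)))
            open_cluster[tx.customer_ref] = []
        else:
            open_cluster[tx.customer_ref] = cluster
    return triggers


# Constructed sample: three walk-in customers in January 2024 (not real data).
SAMPLE = [
    OccasionalTransaction("walk-in-1", datetime(2024, 1, 1, 10, 0), 9_000),
    OccasionalTransaction("walk-in-1", datetime(2024, 1, 3, 11, 0), 4_000),
    OccasionalTransaction("walk-in-1", datetime(2024, 1, 5, 9, 30), 3_000),   # linked total 16,000
    OccasionalTransaction("walk-in-2", datetime(2024, 1, 2, 15, 0), 20_000),  # single operation
    OccasionalTransaction("walk-in-3", datetime(2024, 1, 1, 12, 0), 8_000),
    OccasionalTransaction("walk-in-3", datetime(2024, 1, 20, 12, 0), 8_000),  # outside the window
]

if __name__ == "__main__":
    for ref, when, total in cdd_triggers(SAMPLE):
        print(f"CDD required for {ref} at {when:%Y-%m-%d %H:%M}; linked total {total:,.0f}")
```

The window length is a policy choice that should be documented alongside the threshold; the linking key in practice would be whatever identifier the institution captures for walk-in customers, and the output feeds the same escalation path as any other CDD trigger.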

Practical takeaways for compliance teams
  • Treat CDD as a living process: ensure that documents, data or information collected under the CDD process are kept up to date and relevant by reviewing existing records, particularly for higher-risk categories of customers.
  • Build procedures to prevent tipping off when suspicion arises; allow for STR filing without compromising investigations.
  • Apply cascading ownership checks to pierce corporate opacity; fall back to senior managers only when truly necessary.
  • Integrate robust risk assessment to calibrate CDD — enhance for higher risk, simplify for lower risk — without undermining detection capability.
  • Document decisions, thresholds, and controls; ensure staff training covers both CDD execution and tipping-off risks.
  • Align life insurance CDD with beneficiary designation timing and payout verification; add enhanced steps at payout if beneficiary risk is high.
  • Use technology to flag material changes in behavior that should trigger re-verification or enhanced monitoring.

Recommendation 10 is about building confidence: knowing your customer, understanding who truly benefits, and continuously challenging anomalies. Done well, it protects institutions, strengthens investigations, and reduces the abuse of the financial system.


FATF Ratings Overview
Luxembourg ¦ FATF Effectiveness & Technical Compliance Ratings

Anti-money laundering and counter-terrorist financing measures

Luxembourg Mutual Evaluation Report, September 2023

This assessment was adopted by the FATF at its June 2023 Plenary meeting and summarises the anti-money laundering and counter-terrorist financing (AML/CFT) measures in place in Luxembourg as at the date of the on-site visit: 2-18 November 2022.

Table 1. Effectiveness Ratings

Note: Effectiveness ratings are High (HE), Substantial (SE), Moderate (ME) or Low (LE).

  • IO1 Risk, policy and coordination: Substantial. Money laundering and terrorist financing risks are identified, assessed and understood, policies are co-operatively developed and, where appropriate, actions co-ordinated domestically to combat money laundering and the financing of terrorism.
  • IO2 International cooperation: Substantial. International co-operation delivers appropriate information, financial intelligence and evidence, and facilitates action against criminals and their property.
  • IO3 Supervision: Moderate. Supervisors appropriately supervise, monitor and regulate financial institutions and VASPs for compliance with AML/CFT requirements, and financial institutions and VASPs adequately apply AML/CFT preventive measures, and report suspicious transactions. The actions taken by supervisors, financial institutions and VASPs are commensurate with the risks.
  • IO4 Preventive measures: Moderate. Supervisors appropriately supervise, monitor and regulate DNFBPs for compliance with AML/CFT requirements, and DNFBPs adequately apply AML/CFT preventive measures commensurate with the risks, and report suspicious transactions.
  • IO5 Legal persons and arrangements: Substantial. Legal persons and arrangements are prevented from misuse for money laundering or terrorist financing, and information on their beneficial ownership is available to competent authorities without impediments.
  • IO6 Financial intelligence: Substantial. Financial intelligence and all other relevant information are appropriately used by competent authorities for money laundering and terrorist financing investigations.
  • IO7 ML investigation & prosecution: Moderate. Money laundering offences and activities are investigated, and offenders are prosecuted and subject to effective, proportionate and dissuasive sanctions.
  • IO8 Confiscation: Moderate. Asset recovery processes lead to confiscation and permanent deprivation of criminal property and property of corresponding value.
  • IO9 TF investigation & prosecution: Substantial. Terrorist financing offences and activities are investigated and persons who finance terrorism are prosecuted and subject to effective, proportionate and dissuasive sanctions.
  • IO10 TF preventive measures & financial sanctions: Moderate. Terrorists, terrorist organisations and terrorist financiers are prevented from raising, moving and using funds.
  • IO11 PF financial sanctions: Moderate. Persons and entities involved in the proliferation of weapons of mass destruction are prevented from raising, moving and using funds, consistent with the relevant UNSCRs.

Table 2. Technical Compliance Ratings

Note: Technical compliance ratings are C (compliant), LC (largely compliant), PC (partially compliant) or NC (non-compliant).

  • R.8 Non-profit organisations: PC – partially compliant
  • R.10 Customer due diligence: C – compliant
  • R.11 Record-keeping: C – compliant
  • R.13 Correspondent banking: C – compliant
  • R.15 New technologies: LC – largely compliant
  • R.16 Payment transparency: C – compliant
  • R.19 Higher-risk countries: C – compliant
  • R.23 DNFBPs: Other measures: C – compliant
  • R.27 Powers of supervisors: C – compliant
  • R.32 Cash couriers: LC – largely compliant
  • R.33 Statistics: LC – largely compliant
  • R.34 Guidance and feedback: C – compliant
  • R.35 Sanctions: LC – largely compliant
  • R.36 International instruments: LC – largely compliant
  • R.39 Extradition: C – compliant


The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Dive deeper
  • FATF ¦ The FATF Recommendations ¦ Link
  • FATF ¦ Luxembourg’s measures to combat money laundering and terrorist financing ¦ Link
Bastian Schwind-Wagner
Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.