The European Banking Authority (EBA) has launched a consultation on proposed Regulatory Technical Standards (RTS) in response to the European Commission’s call for advice on new mandates for the #AMLA. These regulatory updates are part of the EU’s evolving AML/CFT framework, enhancing risk assessment, customer due diligence, and enforcement measures across financial institutions.

Key Highlights

✅ Enhanced #RiskBased Supervision for FIs
• Introduction of new methodologies for assessing inherent and residual risk in FIs under Article 40(2) of AMLD6.
• Standardized scoring system for classifying low, medium, substantial, and high-risk entities.
• Supervisors must conduct annual risk assessments, with stricter scrutiny for high-risk financial entities.

✅ Direct Supervision of High-Risk Institutions by AMLA
• Under Article 12(7) of the AMLAR, AMLA will directly supervise institutions operating in at least six EU member states.
• Risk-based selection process to prioritize institutions with high money laundering (ML) and terrorist financing (TF) risks.
• Strict thresholds for determining material operations under the freedom to provide services within the EU.

✅ Stronger CDD Requirements
• Standardized CDD measures under Article 28(1) of the AMLR, covering:
  🔹 Standard CDD, Simplified DD, and EDD protocols.
  🔹 More stringent identity verification using eIDAS-compliant tools (where available).
  🔹 Risk-based approach for electronic money instruments, ensuring uniform CDD compliance across member states.

✅ Harmonized Sanctions and Enforcement Mechanisms
• Under Article 53(10) of AMLD6, a new regulatory framework for applying pecuniary sanctions, administrative measures, and periodic penalty payments (PePPs).
• Supervisory convergence across the EU to ensure consistent enforcement of AML/CFT violations.
• Introduction of quantitative thresholds for calculating fines and penalties based on gravity of breaches.

✅ Greater Cross-Border Coordination & Data Utilization
• AMLA to centralize risk data from national FIUs and AML/CFT supervisors.
• Risk methodologies will integrate EuReCA database findings, ensuring a harmonized approach to risk detection and mitigation.
• Increased cooperation between AML and prudential supervisors for aligned financial oversight.

Takeaways
🔹 Prepare for AMLA Supervision—High-risk entities operating across multiple EU states must be ready for direct oversight.
🔹 Standardize Risk Assessments—Align internal frameworks with EBA’s scoring system for inherent and residual ML/TF risks.
🔹 Strengthen CDD—Ensure compliance with new verification protocols, particularly for electronic and #crypto transactions.
🔹 Align Enforcement Strategies—Expect more stringent fines and compliance penalties under AMLD6’s harmonized sanctioning regime.
🔹 Invest in #AML Technology—Leverage AI-driven monitoring and data analytics to meet enhanced risk assessment and reporting requirements.

#FinancialCrime #Compliance
Improving CDD Processes for High-Risk Industries
Summary
Improving customer due diligence (CDD) processes for high-risk industries means making sure businesses verify the identity and risk profile of clients more thoroughly, especially in sectors prone to financial crime like banking, aviation, and international trade. CDD helps organizations detect suspicious activity and comply with regulations that prevent money laundering and fraud.
- Emphasize ongoing monitoring: Regularly review client activity and update risk assessments to catch changes in behavior or new risk factors early.
- Scrutinize documentation: Carefully check all identification and transaction records for inconsistencies, red flags, or gaps, and document your findings clearly.
- Tailor training programs: Make sure staff receive instruction that fits the specific risks of their industry, so they know how to spot unusual transactions and handle compliance issues confidently.
-
👀🦆 CDD - Take a Closer Look 🦆👀

Getting CDD documents - EIDV reports, ID, bank statements - is not enough ❌️ You actually need to scrutinise what you obtain 👀

⚠️ Lack of scrutiny of CDD was an emerging risk identified in the SRA's Sectoral Risk Assessment last year.
⬆️ Audits often show a lack of scrutiny of CDD - whether it is a case of scrutiny not taking place, or whether it is taking place but isn’t being documented.

🟢 Do the documents support what you know about the client/what they've told you?
➡️ Cross reference dates, spellings, values, transactions. Are there any red flags present or areas which warrant you digging a bit deeper because they change the risk profile of the client/matter?

🔵 Do not overly rely on EIDV reports.
➡️ Understand what the report checks and confirms and where there may be deficiencies. If you know something which is not supported (or is contradicted) by the EIDV report - you need to investigate. This means you need to read the report!!

🟣 Evidence your scrutiny.
➡️ Annotate the documents, do a file note, include narrative in your Risk Assessment. There are lots of ways to evidence your scrutiny - ensure you know how your firm want you to do this.

⚠️ Don't assume someone else will undertake the scrutiny - especially where you have built in escalation processes. Those processes only work if everyone applies a critical eye.

The takeaway here - make sure you join the dots ✒️ and capture that thought process in your audit trail. The documents alone are not enough.
-
Practical Realities of AML Compliance in the DIFC, Lessons from the Frontline

As a Compliance Officer and MLRO working in the DIFC, I’ve found that success in AML compliance isn’t about simply following rules, it’s about applying judgment, staying alert to context, and making the frameworks work in practice. We operate in a dual-regulated landscape, where federal and DFSA specific obligations overlap. That makes the role of the MLRO both strategic and operational. Here are a few insights that might resonate with others in similar roles:

1. Business Risk Assessments must evolve, not sit in a folder
Don’t treat the BRA as a one-time document. When products change, clients shift, or new delivery channels emerge, the risk profile changes too. Tie your BRA to business planning, not just the audit cycle.

2. Risk rating isn't static, CDD should reflect reality
If a low-risk client suddenly moves funds across high-risk jurisdictions or appoints a new shareholder, your systems should trigger a reassessment. Ongoing monitoring isn’t a box-tick, it’s a mindset.

3. Training should match the business, not the regulation
A generic AML course won’t cut it. Tailor your sessions. Front-office staff should understand red flags in onboarding and relationship management, while finance teams need to recognise unusual payment patterns.

4. The SAR process should be clear, and safe
Staff should know not just how to raise a red flag internally, but feel safe doing so. Clear guidance, confidentiality, and top-down support make all the difference in early detection.

5. Don’t outsource oversight
You can outsource tasks, but not accountability. Whether it’s onboarding checks, screening tools, or external consultants, make sure their outputs feed into your internal processes and are reviewed critically.

Practical tip: if your team can't articulate why a client is rated as “high risk” within 30 seconds, there may be a gap between your framework and frontline understanding.

Compliance frameworks may be built on policy, but they are upheld by people. It’s not just what you document, it’s what you embed. In high-growth financial centres like the DIFC, the firms that thrive are those where AML is not just a control, it’s part of the culture.

#AML #MLRO #DIFCCompliance #DFSA #FinancialCrime #RiskBasedApproach #UAECompliance #ComplianceOfficer #Governance #RegTech #CustomerDueDiligence #SAR #FATF #RiskManagement #ComplianceCulture #Onboarding #AMLTraining #MoneyLaundering #DIFC #FederalLaw20of2018 #CultureMatters
-
🚨 Critical Export Control Lessons from Recent OFAC Settlement: A Wake-Up Call for Aviation Suppliers

As an export compliance professional, I wanted to share some crucial insights from a recent OFAC enforcement action that highlights the increasing complexity of global trade compliance, particularly in the aviation sector. SkyGeek Logistics recently settled with OFAC for $22,172 over six apparent violations of Russian sanctions. While the settlement amount might seem modest, the case offers valuable lessons for companies operating in sensitive industries.

Key Takeaways for Export Professionals:

Enhanced Due Diligence in High-Risk Sectors
The aviation industry, particularly when dealing with parts and equipment, requires heightened scrutiny. SkyGeek's case demonstrates how seemingly routine transactions - like processing refunds or shipping basic goods like paints and coatings - can lead to sanctions violations when dealing with restricted parties.

The Importance of Continuous Screening
One of the most significant lessons from this case is the need for continuous screening throughout the entire transaction lifecycle. SkyGeek's initial screening missed recent SDN designations, highlighting why one-time screening isn't sufficient in today's rapidly changing regulatory environment.

Geographic Risk Factors
The case underscores the particular challenges when operating in jurisdictions known for potential sanctions evasion. The UAE's role as a hub for Russian aviation-related activities means companies need to implement additional due diligence measures when dealing with entities in such regions.

Practical Recommendations:
👉 Implement robust rescreening protocols, especially for long-standing customers and pending transactions
👉 Utilize advanced screening software with fuzzy logic capabilities
👉 Develop specific procedures for high-risk jurisdictions and industries
👉 Create clear protocols for handling refunds and returns, including mandatory rescreening

Industry Impact:
This enforcement action demonstrates OFAC's continued focus on Russia's aerospace and technology sectors. Companies in these industries should note that even small-value transactions can trigger enforcement actions if they potentially contribute to Russian military capabilities.

Risk Mitigation Steps:
SkyGeek's remedial measures provide a blueprint for other companies:
🚅 Comprehensive business review of sales in high-risk jurisdictions
🚅 Enhanced screening protocols with improved search logic
🚅 Regular screening throughout the order fulfillment process
🚅 Updated controls for refund processing
🚅 Enhanced employee training

What are your thoughts on these compliance challenges? How does your organization handle continuous screening in high-risk sectors?

#ExportCompliance #InternationalTrade #Sanctions #RegulatoryCompliance #Aviation #SupplyChain #OFAC #RiskManagement
-
Over the past years, and now deep into 2026, one theme keeps repeating itself across AML enforcement actions: operational breakdowns in Transaction Monitoring, KYC, data handling and reporting. I will not cover technology failures and lack of frameworks, but on-the-ground operational gaps. After working with institutions that have successfully strengthened their AML operations, and with others that are still struggling, a few patterns are clear.

1️⃣ Transaction Monitoring: A Mass-Production Reality
Many banks underestimate the operational complexity of TM. When alert volumes reach 50,000+ per month, you’re not managing a “review process” anymore, you’re running a factory line. And factory lines need:
- Rigid capacity management
- Scenario simulations before deployment
- Stable workflows with immediate corrective actions in case of deviations
- Skilled analysts and continuous training
Every time a tuning change unexpectedly spikes volume, the result is predictable: backlogs, delayed SARs, and regulatory scrutiny. Managing backlogs is always more expensive and riskier than maintaining a stable flow.

2️⃣ KYC: The Chronic Pain Point
KYC delays and massive CDD/ODD/EDD volumes cause recurring compliance failures. In large institutions with 10M+ customers and limited automation, annual workloads can exceed 3 million cases. Two major issues stand out:
- Terminology chaos (CDD, ODD, event-driven, EDD) → inconsistent planning
- Long lead times → inability to predict and manage real process time
Clear classification + workflow design = transparency. Once you can track process time, waiting time, rework loops, and bottlenecks, you can manage and improve them. These are basic process management principles yet still rare in many institutions.

3️⃣ Automation & CI Are Not Optional
Low-risk segments can be automated to a very high degree. Exception handling should be the norm, not the entire workload. But perhaps the most underestimated lever is Continuous Improvement. Your best insights don’t come from consultants or system vendors, but from KYC and TM specialists themselves. Tapping into that knowledge pool is essential for improving quality, effectiveness, and efficiency.

Bottom Line
AML failures are rarely about regulatory interpretation. They are the result of operational blind spots. Banks that succeed treat AML Operations as:
- A production discipline
- A data-driven function
- A continuously improving system
- A close partnership between Tech, Ops, and Compliance
Those that don’t… keep reappearing in enforcement actions.

#AMLoperations #processmanagement #opsmanagement #carveconsulting

DFSA section 10 of the AML act (when to conduct KYC Procedures) in comment section
-
Retail wanted to remove all CDD questions. Marketing agreed. “Drop-off risk,” they said. “User experience,” they said. But here’s the reality: BSA doesn’t care about your conversion rate.

A client called me last week facing this exact dilemma during an online account opening rollout. Retail and Marketing pushed to strip out customer due diligence (CDD) questions to “make the flow easier.” It sounds good in theory… until an examiner asks:
• How are you identifying high-risk customers upfront?
• Where’s your documented risk-based CDD?
• Why is your onboarding blind to AML risk?
You can’t say: “our UX team thought it looked clunky.”

👉 Here’s the balance: Yes, user experience matters. But regulators expect BSA Officers to have a risk-based process at account opening.

What works in practice:
• Keep tiered questions: Ask baseline CDD for everyone, trigger enhanced questions only if risk flags appear.
• Use progressive disclosure: Sequence questions through the flow, don’t front-load everything.
• Test placement and language: Keep it conversational, not interrogational.
• Close the loop with ongoing monitoring: You can collect more later but you can’t ignore it upfront.

Cutting corners may feel like progress. It’s actually planting the seeds of your next MRA.

Lesson: Don’t let Marketing write your BSA playbook. Design for compliance and user experience but never sacrifice the first for the second.

👉 How have you addressed the CDD vs UX tension in your organization? I’d love to hear what’s worked (and what hasn’t).

LFP Risk Solutions
-
High-Risk Customers

How Is Enhanced Due Diligence (EDD) for High-Risk Customers Conducted?

Enhanced Due Diligence (EDD) is a stricter version of Customer Due Diligence (CDD) applied to high-risk customers such as politically exposed persons (PEPs), offshore companies, clients from high-risk jurisdictions, and cash-intensive businesses.

1. Identify High-Risk Customers

Factors That Trigger EDD
- Customers from high-risk countries (FATF black/grey list)
- PEPs (Politically Exposed Persons) or their associates
- Businesses dealing with cash-intensive transactions (casinos, crypto, money service businesses)
- Complex ownership structures (shell companies, trust funds)
- Transactions that lack a clear economic purpose

Screen Against AML Watchlists
- Sanctions Lists (OFAC, UN, EU, FATF)
- PEP Lists
- Negative Media Checks (Links to financial crime, fraud, money laundering)

2. Gather Additional Documentation

For Individuals
- Source of Wealth (SoW): How was the wealth accumulated? (e.g., salary, business profits, inheritance)
- Source of Funds (SoF): Where is the money coming from? (e.g., bank accounts, investments)
- Proof of Address (Recent utility bill, lease agreement)
- Enhanced Identity Verification (Biometric checks, additional government ID)

For Businesses
- Detailed Ownership Structure (Ultimate Beneficial Owners – UBOs)
- Business Purpose & Economic Justification
- Financial Statements & Tax Records
- Proof of Business Activities (Invoices, contracts, website, business registration)

3. Conduct In-Depth Risk Assessment

Assess Risk Level Based on Customer Profile & Transactions
- Analyze transaction volume, frequency, and geographical locations
- Identify abnormal patterns (e.g., structuring, frequent international wire transfers)
- Review past compliance history (e.g., previous AML flags, regulatory concerns)

On-Site Visits & Interviews (For Businesses)
- Conduct physical verification of business operations
- Interview key executives and verify legitimacy of business activities

4. Implement Ongoing Monitoring & Reporting

Continuous Transaction Monitoring
- Real-time tracking of large or unusual transactions
- Scrutinizing transactions linked to offshore accounts, high-risk countries

More Frequent KYC Updates
- Update high-risk customer profiles every 6 months to 1 year (instead of the usual 1-2 years)

File Suspicious Activity Reports (SARs)
- If there are red flags, report to regulators (e.g., FinCEN, FCA, FATF, AUSTRAC)
- Maintain detailed records for compliance audits
-
Many companies don’t fail at AML because they don’t care. They fail because they don’t know where to start. They collect documents. Apply checks. But they miss the bigger picture - how everything connects.

Here’s the structure I recommend when building an AML framework that actually works:

Start with your business risks
→ A Business-Wide Risk Assessment (BWRA) helps you understand where your exposure is - across products, services, customer types, and geographies.

Define the level of CDD to be applied
→ Use the BWRA to decide the right level of due diligence for each type of customer. That’s how you avoid both over-checking and under-checking.

Assess each customer’s risk
→ A risk-based AML program means looking at each customer individually. Who are they? What do they do? How do they generate their income?

Collect the right information
→ CDD isn’t about documents - it’s about understanding. Define what information is required based on risk and make that part of your procedures.

Check that activity makes sense
→ Do the transactions match the customer profile? If not, ask why. Transactions should make sense based on what you know about the customer. If they don’t, something’s missing - and it’s our job to find out what.

Keep everything up to date
→ Risks change. Customers evolve. Your framework should, too - including the BWRA, customer risk assessments, and CDD files.

When AML is done right, it protects both your business and your reputation. If this feels familiar, you're not alone. Many teams I speak to are working hard, but sometimes there's confusion. And it doesn't have to be this way!

Wondering how this can be applied in practice within your business? I have some free slots this week - DM me if you need clarifications on how to implement that!
-
🇬🇧 Last week the FCA published findings from its multi firm review on CDD, EDD and ongoing due diligence. The review covered asset managers, wholesale banks, CFD providers, crowdfunders and non-bank lenders. The findings are relevant to all authorised firms carrying out CDD, not just those sectors. Three areas were assessed and the below findings identified.

1️⃣ Policies and procedures
• Insufficient detail on EDD. Policies did not explain what additional steps staff should actually take when enhanced due diligence is required
• Customer review cycles unclear. Firms did not define how often reviews should happen or what should trigger an earlier review
• No alternative ID verification routes. Staff were not guided on what to do if standard identification could not be provided
• Firms not following their own policies. Procedures existed but were not applied in practice, including for periodic reviews

2️⃣ CDD and EDD processes
• No evidence of EDD being performed. Firms could not show what enhanced measures were applied to high risk clients
• Incomplete record keeping. The purpose and intended nature of relationships were not properly documented, making ongoing monitoring ineffective
• Senior management approval not defined. There were no clear scenarios requiring sign off, weakening governance and oversight

3️⃣ Compliance monitoring and audit
• Quality control gaps. Some firms had no real process to check whether CDD was being done properly
• Lack of independence. The same staff onboarding customers were also reviewing them, which is not independent oversight
• No version control. Firms could not demonstrate that policies had been reviewed or updated, leaving no audit trail

What this means in practice
Your CDD and EDD policies need to give clear, practical guidance that teams can actually follow. Review cycles should be defined and consistently applied. EDD for high risk customers, including PEPs, needs to be properly documented and approved at the right level. And the people testing your controls should not be the same people running them.
-
For the second question in Preparing for AML/CFT Analyst Interview: How do you conduct Enhanced Due Diligence (EDD) for high-risk clients?

In the world of compliance and AML, conducting EDD is essential for managing the risks associated with high-risk clients. Here’s a breakdown of the key steps involved:
- Comprehensive Client Identification: Go beyond standard KYC by gathering detailed information, including ownership structure, source of wealth, and business activities.
- In-Depth Risk Assessment: Assess factors like the client’s geographic location, industry, transaction patterns, and potential political exposure.
- Ongoing Monitoring: High-risk clients require continuous monitoring to quickly identify unusual or suspicious activity.
- Expert Collaboration: Complex cases, such as those involving PEPs or offshore entities, benefit from the input of subject matter experts.

By implementing a thorough EDD process, we can better safeguard our organizations from financial crime while ensuring regulatory compliance.

#AML #Compliance #DueDiligence #RiskManagement #HighRisk