The European Network and Information Security Agency (ENISA) (2016) echoes the nuances of the Basel Committee on Banking Supervision (2017), which states that banks should use CDD information to identify transactions that involve deposits or withdrawals of a considerable amount of money, those that do not make much economic sense, or those that do not match the customer’s expected or regular transactions. ENISA (2016) indicates that, beyond establishing policies and procedures that relate to the approval of account opening, banks should have specified policies concerning the nature and extent of needed CDD, the updating of CDD information, and the frequent monitoring of ongoing accounts. Thus, with access to comprehensive and accurately updated customer records and profiles, a bank may need to effectively and continuously monitor its installed risk assessment systems, such as computers, to identify suspicious activities. Commensurate with the size and complexity of the organizational structure, and with risks and materiality, this depends on the availability of suitable integrated management information systems that give compliance and risk officers the information needed to monitor and analyze accounts (ENISA, 2016). Likewise, banks should screen their customer database every time sanction lists change. Also, banks should periodically screen their customer databases to identify foreign PEPs and new accounts at high risk and ensure they are subjected to enhanced due diligence.
Information Management
- Record-keeping
For a bank to avoid the costs of risk damage, it should record the information acquired from CDD. The records should contain both (i) the documents customers provide when the bank is verifying their identity and (ii) the bank’s own IT transcriptions of the relevant CDD information enclosed in the recorded documents or acquired from other places (Basel Committee on Banking Supervision, 2017). Additionally, banks can develop and put to use clear rules about the information that must be documented when conducting due diligence on individual and customer dealings. If possible, the rules should account for any applicable privacy measures. They should contain a description of the types of information documented for inclusion in the records, including such records’ retention period of fewer than five years from the time the banking relationship was terminated or from the time of the sporadic transaction. Furthermore, maintaining fully updated records is key for banks that need to sufficiently monitor their associations with customers, comprehend the ongoing activities and business among customers, and provide an audit trail when disputes, investigations, or legal actions arise that may lead to criminal prosecution or regulatory action (Basel Committee on Banking Supervision, 2017). Adequate records of the evaluation process associated with the review, ongoing monitoring, and conclusions drawn should be maintained to help demonstrate the bank’s compliance with the requirements of CDD and its ability to manage ML and FT risk.