The revised and updated Wolfsberg Group CBDDQ V.1.4. and supporting materials were published on the 10th February, 2023. This journey started with the original AML Questionnaire issued in 2004, updated in 2014 and in 2018 (all 3 worked on by the author) and in 2020 and now in 2023. As important is the release of the shorter FCCQ, which is used for non correspondent banks and updates and consolidation of essential completion guidance.
Focussing on the CBDDQ, the number of questions increased from 28 to 110 headline questions in 2018. The 2023 Version takes the number of overall headline questions from 110 to 132, suggesting this is much more than a technical upgrade and represents sensible incremental improvements also reflecting a changing financial and financial crime landscape.
In it’s own announcement, the Wolfsberg Group states that:
“The CBDDQ updates include a new section on Fraud and additional questions related to Whistleblower Policy, Virtual Bank License, the approval of Sanctions Policy, and other changes designed to improve the logic, usability and flow of the questionnaire. The Declaration Statement has been updated to include a revised period for update of the Questionnaire.”
This is a typically understated announcement from the Wolfsberg Group. A closer inspection of the CBDDQ Version 1.4 against Version 1.3 reveals 10 observations that are worth making at this time. These are:
- Section 3. AML/CTF Sanctions Programme (Q25): Boards of Directors are expected now to “receive, assess and challenge” regular reporting on the status of the AML/CTF/Sanctions Programme, which is a development from just receiving reports. Its an important change, but could also and perhaps should also include ABC & Fraud.
- Section 3. AML/CTF Sanctions Programme (Q27): inclusion of a new question on whistleblowing policies has been included. This is a welcome addition, though numerous additional questions could have been conceived to identify whether the policy is effective, and therefore has potential for expansion in future versions.
- Section 7. KYC, CDD & EDD (Q76): A number of additions have been made to what could be described as potential higher risk customer and or industry types where EDD (or prohibitions) may be required which include some interesting choices. “Respondent Banks” – is more a technical change; “General Trading Companies” is the most substantive change and opens up potentially a very broad new category, “Used Car Dealers” – not a new, more an old threat; c/f scrap dealers & “Embassies and Consulates” also not a new threat, more an old one, which has long been highlighted, though the risk comes mostly from the country risk. Note: Asking a question as to whether these are treated as EDD (or prohibited) isn’t the same as saying they should be considered default higher risk (or prohibited), but with inclusion in the CBDDQ whilst others are not, their inclusion has weight.
- Section 8. Monitoring & Reporting (Q84) (& Section 10 Sanctions (Q102): A number of additional questions require for the first time the names of the vendors and tools used for main controls such as transaction monitoring and screening. Additional new questions also enquire whether tools have been updated and or re calibrated. This might and should grab FI’s and vendors attention, as FI’s and vendors will increasingly need to validate their approaches and be able demonstrate effectiveness. It should be noted that even after selecting the best available vendor and or using their tools this isn’t a guarantee of effectiveness. Effectiveness will always depend on the FI itself and how it has been implemented and used. Additional new questions have also been included on tuning and the frequency of tuning. Despite these changes, regulations such as DFS Rule 504 and others similar to this, already go further.
- Section 8. Monitoring & Reporting (Q87): A new question has been added focussing on data completeness for monitoring purposes, as part of a broader data management programme. Whilst completeness is called out and mention is made to a data management programme, effectiveness is not further explored. Possibly something for a future version.
- Section 10. Sanctions (Q106): The listed sanctions programmes that are elevated and called out specifically are the UN, USA, U.K. & EU and the G7 (USA, U.K, Canada, France, Germany, Italy & Japan) more broadly. There is no change from the previous version in this regard, but it should be noted that France includes a number of sanction names over and beyond the EU list of sanctions. Also increasingly minimum global lists (after UN) from many Tier 1 Banks include US, EU, UK, Australia, Japan and Canada. A change reflecting this could be considered in a future update.
- Section 12. Quality Assurance/Compliance Testing (Q117): The quality assurance and testing section has been tweaked but is nevertheless a big change, from focussing on second line assurance and testing focussed on “KYC processes” in the previous version to all aspects of the broader FC programme. Most FI’s rely on internal audit for this and don’t have a comprehensive second line assurance and testing function. For those that do, often they are mostly focussed on KYC/CDD. Whilst this makes sense, resourcing and sustaining these activities has been challenging for even the largest FIs.
- Section 14. Fraud (Qu’s 117-120): Fraud has been added as a new separate section albeit with just 4 questions. New Fraud questions include whether the entity has an anti fraud policy and process to address fraud risk, a dedicated anti fraud team, a real time anti fraud monitoring tool and whether information to support fraud controls such as IO addresses, GPS and Device ID are collected. Whilst there is no definition of fraud, it seems clear it is referring to fraud against FI customers, their accounts and use of products and services and not internal fraud or other frauds. Compared to questions around AML/CTF /Sanctions and ABC these questions are limited and can be expanded in a future version as Fraud becomes ever more an increased priority to be addressed and broader concern.
- Declaration: The time period for updating the Declaration has been extended from “annually” to “no less frequently than18 months”.
- Overall Content: The amount of information expected from Version 1.4 versus Version 1.3 is not insubstantial, and can be estimated at about a 15% content increase, as Version 1.4 expands the total number of Sections from 13 to 14 and Questions from 110 to 132 and lines from 347 to 407.
It has been clear for some time that the potential for adding new questions to the CB DDQ is one that has to be carefully considered balancing the desire to improve the CBDDQ as a good enough standard CB due diligence tool, with the need for acceptance across the industry and not just for Wolfsberg Group Banks. As always the Wolfsberg Group has made its own assessment of this balance and provided the industry with a new and updated CB DDQ, which will never be perfect but is the best version yet.