# Customer Due Diligence (CDD)

Customer Due Diligence (CDD) is integral to the Know Your Customer (KYC) process. In compliance with regulatory requirements, companies must periodically run several risk checks on both new and existing customers throughout the business relationship to ensure customers are vetted and to detect any suspicious or fraudulent behavior.

## Solaris CDD process

Solaris conducts Customer Due Diligence on **new customers** before establishing a business relationship and **existing customers** as long as Solaris' business relationship with the customer still stands. These checks include three different areas:

- Customer screening
- Risk classification
- Customer vetting

**1. Customer screening**

During the screening process, Solaris checks the customer's data against a variety of data sources, such as sanction lists, watch lists, and PEP lists.

**2. Risk classification**

During this process, Solaris runs granular risk models and scores each customer based on several risk factors, such as the customer type (B2C, B2B), the customer's personal and financial data, and the branch in which they're opening an account.

**3. Customer vetting**

During this process, Solaris checks the customer for fraud patterns. The customer vetting rules include checking for data discrepancies, multiple identities, or missing required information.

Solaris stores the results of these checks in various properties of the `person` resource for B2C and freelancer customers, or of the `business` resource for B2B customers.

- Solaris conducts customer due diligence on **both new and existing** customers. The customer's risk status can change over time as Solaris runs periodic screenings in compliance with Anti-Money Laundering (AML) regulations.
- You must always monitor the status of the CDD process for all of your customers and take the necessary actions accordingly as described in this guide.
## CDD statuses

The CDD process results are stored in three different properties in the `person` resource for B2C and freelancer customers or the `business` resource for B2B customers. These properties are:

- Customer screening > `screening_progress`
- Risk classification > `risk_classification_status`
- Customer vetting > `customer_vetting_status`

Each one of these properties has its own set of statuses, and each status is assigned a particular color (green, yellow, red). The color signifies the severity of the status and the actions and measures you must take in each case.

### List of green/yellow/red statuses

The following diagram includes the color-coded statuses for each property:

![CDD statuses](/assets/cdd-statuses.c26d20836f53056db4b39c1ed5c2d1c91ae72708d3f84b944fcfc0c7b77e7190.b242e30b.svg)

Check the descriptions of these values [below](#appendix-i-customer-due-diligence-statuses).

## How to validate CDD for your customers?

You must monitor the status of the CDD process performed on your customers **regularly** by following these steps:

![CDD process flow](/assets/cdd-process-flow.e8152e454ff8f233a3552f0ef40f225437a032d687b0bac06bb77e3153a1263f.b242e30b.svg)

### B2C customers

1. Subscribe to the [PERSON_CHANGED](/api-reference/onboarding/webhooks/#tag/Webhook-events/paths/person_changed/post) webhook event.
2. When you receive a notification on this webhook event, that means that the screening and risk-related attributes have changed.
3. Call the [GET Retrieve a person method](/api-reference/onboarding/persons/#tag/Persons/paths/~1v1~1persons~1%7Bid%7D/get) to retrieve the full details of the changed properties.
4. Validate each status of the CDD-related properties as described in the following sections.
5. Complete any instructions or actions you receive from Solaris.

### Freelancer customers

1. Subscribe to the [PERSON_CHANGED](/api-reference/onboarding/webhooks/#tag/Webhook-events/paths/person_changed/post) webhook event.
2. When you receive a notification on this webhook event, that means that the screening and risk-related attributes have changed.
3. Call the [GET Retrieve a person method](/api-reference/onboarding/persons/#tag/Persons/paths/~1v1~1persons~1%7Bid%7D/get) to retrieve the full details of the changed properties.
4. Validate each status of the CDD-related properties as described in the following sections.
5. Complete any instructions or actions you receive from Solaris.

### B2B customers

1. Subscribe to the [BUSINESS_CHANGED](/api-reference/onboarding/webhooks/#tag/Webhook-events/paths/business_changed/post) webhook event.
2. When you receive a notification on this webhook event, that means that the screening and risk-related attributes for the business' legal entity have changed. Please note that only the field `screening_progress` is relevant for businesses.
3. Call the [GET Retrieve a business method](/api-reference/onboarding/businesses/#tag/Businesses/paths/~1v1~1businesses~1%7Bid%7D/get) to retrieve the full details of the changed properties.
4. Subscribe to the [PERSON_CHANGED](/api-reference/onboarding/webhooks/#tag/Webhook-events/paths/person_changed/post) webhook event.
5. When you receive a notification on this webhook event, that means that the screening and risk-related attributes have changed for the natural persons associated with the business, such as legal representatives, authorized persons or beneficial owners. Please note that only the field `screening_progress` is relevant for natural persons associated with a business.
6. Call the [GET Retrieve a person method](/api-reference/onboarding/persons/#tag/Persons/paths/~1v1~1persons~1%7Bid%7D/get) to retrieve the full details of the changed properties.
7. Validate each status of the CDD-related properties for both the business resource and each person resource as described in the following sections.
8. Complete any instructions or actions you receive from Solaris.

The status of **all** three CDD-related properties **MUST** be `green` before you can:

- onboard new customers,
- provision **additional** banking products (e.g., account opening, loan provisioning), and/or
- continue your business relationship with an existing customer (i.e., the customer must have no red statuses).

**Only for B2B customers**

If the `business` resource or any of the `person` resources of the natural persons associated with the business only have a "green" value for the `screening_progress` property and no value for the `risk_classification_status` or the `customer_vetting_status` properties, then your implementation should treat it as a "green" status.

### Validate green/red statuses

Below is a list of definitions for each type of status:

**For new customers in onboarding:**

- **"Green" status:** The customer can proceed with onboarding.
- **"Red" status:** The customer **cannot** proceed with onboarding.

**For existing customers:**

- **"Green" status:** The customer's risk status has not changed. Therefore, you can continue with the business relationship with the customer.
- **"Red" status:** Solaris found a risk factor for the customer. The Solaris team will contact you with instructions and actions to take.

### Enhanced due diligence process of yellow statuses

Yellow statuses trigger the **Enhanced Due Diligence** process (EDD), in which the customer's profile will undergo a silent review process. Based on the outcome of the enhanced due diligence process, Solaris will reclassify the customer to either a `green` or `red` status. You must monitor the status of the outcome of the EDD process and take actions accordingly, as described in the previous [section](#validate-greenred-statuses).

#### Questions & answers API

Solaris might require additional information from the customer. In this case, you'll receive a notification on the webhook event `QUESTIONS_REQUIRE_ANSWERS`, which includes a question set.
You must forward these questions to your customer and collect their answers in your frontend. After the customer has answered **all** questions in the set, submit the answers to Solaris using the questions and answers API.

Visit the following links for more information about the questions & answers feature:

- [Questions & answers guide](/guides/compliance/questions-and-answers/)
- [Questions & answers API reference](/api-reference/onboarding/compliance/#tag/Questions-and-Answers)

#### EDD process flow

The following diagram describes the EDD process flow:

![EDD process flow](/assets/edd-process-flow.72f7465e21c611507eb87e1e3706af56b67f8518a86fadd3594ed833f67d202c.b242e30b.svg)

**For new customers in onboarding:**

- **"Yellow" status:** The customer **cannot** proceed with onboarding. Solaris will begin the Enhanced Due Diligence process initially as a silent review of the customer. You must monitor the status of the outcome of the EDD process and take actions accordingly, as described in the previous [section](#validate-greenred-statuses).

**For existing customers:**

- **"Yellow" status:** Solaris found a potential risk factor for the customer. Solaris will begin the Enhanced Due Diligence process initially as a silent review of the customer. You must monitor the status of the outcome of the EDD process and take actions accordingly, as described in the previous [section](#validate-greenred-statuses).

## CDD for B2B lending features

CDD is mandatory for some B2B lending features, such as [B2B Fronting Loans](/guides/lending/fronting/business-fronting-loans/), [B2B Fronting Factoring](/guides/lending/fronting/business-fronting-factoring/), and [Trade Finance](/guides/lending/trade-finance/). However, the CDD flow for lending features is different from the standard flow for Digital Banking products. The process goes as follows:

1. Subscribe to the [BUSINESS_CHANGED](/api-reference/onboarding/webhooks/#tag/Webhook-events/paths/business_changed/post) webhook event.
2. When you receive a notification on this webhook event, that means that the screening and risk-related attributes for the business' legal entity have changed.
3. Call the [GET Retrieve a business method](/api-reference/onboarding/businesses/#tag/Businesses/paths/~1v1~1businesses~1%7Bid%7D/get) to retrieve the full details of the changed properties.
4. Validate the status of the CDD-related properties for the business resource as described in the previous [section](/guides/kyc/cdd/#validate-greenred-statuses).
5. All CDD-related properties must have a `green` value. In case of any `red` or `yellow` status value, the related lending product application will be rejected and no business relationship can be established with the customer.

![Lending CDD process flow](/assets/lending-cdd-process-flow.d5adccc4046cb73312cff04837edb35afec6a2feaaf1653d39cd5d0cb9f1c41e.b242e30b.svg)

## Testing

This section includes instructions on how to test the CDD process.

### Unhappy path: Customer triggers a hit

Complete the following steps to simulate an unhappy path of a person triggering hits on the CDD process:

1. Create a person resource using the following properties:

**Request example**

```json
// POST /v1/persons
{
  "first_name": "X-MANUALTEST-HAPPYPATH",
  "last_name": "BADGUY"
}
```

**Response example**

```json
{
  "id": "ec23da1d10f9ba5782ddc74c442387a7cper",
  "salutation": null,
  "title": null,
  "first_name": "X-MANUALTEST-HAPPYPATH",
  "last_name": "BADGUY",
  "address": {
    "line_1": null,
    "line_2": null,
    "postal_code": null,
    "city": null,
    "country": null,
    "state": null
  },
  "contact_address": {
    "line_1": null,
    "line_2": null,
    "postal_code": null,
    "city": null,
    "country": null,
    "state": null
  },
  "email": null,
  "mobile_number": null,
  "birth_name": null,
  "birth_date": null,
  "birth_city": null,
  "birth_country": null,
  "nationality": null,
  "employment_status": null,
  "job_title": null,
  "tax_information": {
    "tax_assessment": null,
    "marital_status": null
  },
  "fatca_relevant": null,
  "fatca_crs_confirmed_at": null,
  "business_purpose": null,
  "industry": null,
  "industry_key": null,
  "terms_conditions_signed_at": null,
  "own_economic_interest_signed_at": null,
  "aml_follow_up_date": "2027-07-28",
  "aml_confirmed_on": "2022-07-28",
  "flagged_by_compliance": false,
  "expected_monthly_revenue_cents": null,
  "vat_number": null,
  "website_social_media": null,
  "business_trading_name": null,
  "nace_code": null,
  "business_address_line_1": null,
  "business_address_line_2": null,
  "business_postal_code": null,
  "business_city": null,
  "business_country": null,
  "business_state": null,
  "screening_progress": "NOT_SCREENED",
  "risk_classification_status": "NOT_SCORED",
  "customer_vetting_status": "NOT_VETTED",
  "annual_income_range": null,
  "data_terms_signed_at": null,
  "branch": null,
  "birth_province": null,
  "birth_post_code": null,
  "socioprofessional_category": null,
  "purpose_of_account_opening": null,
  "main_income_source": null,
  "work_country": null,
  "work_province": null,
  "self_declared_as_pep": null,
  "international_operativity_expectation": [],
  "registration_number": null,
  "legitimation_valid_until": null
}
```

2. Create an identification with IDnow and simulate a happy path scenario as described [here](/guides/kyc/videoident/#2-create-an-identification-resource). Complete Step 2, 3, and 4 with the person resource you created in Step 1 above.
3. After a successful video identification, call the GET Retrieve a person method, and the value of `screening_progress` should be set to `POTENTIAL_MATCH`.

**Request example**

```shell
GET /v1/persons/{id}
```

**Response example**

```json
{
  "id": "ec23da1d10f9ba5782ddc74c442387a7cper",
  "salutation": null,
  "title": null,
  "first_name": "X-MANUALTEST-HAPPYPATH",
  "last_name": "BADGUY",
  "address": {
    "line_1": "STREET",
    "line_2": "1",
    "postal_code": "12345",
    "city": "CITY",
    "country": "DE",
    "state": null
  },
  "contact_address": {
    "line_1": null,
    "line_2": null,
    "postal_code": null,
    "city": null,
    "country": null,
    "state": null
  },
  "email": null,
  "mobile_number": "+1555010",
  "birth_name": null,
  "birth_date": "2002-02-02",
  "birth_city": "BIRTHPLACE",
  "birth_country": null,
  "nationality": "DE",
  "employment_status": null,
  "job_title": null,
  "tax_information": {
    "tax_assessment": null,
    "marital_status": "UNKNOWN"
  },
  "fatca_relevant": null,
  "fatca_crs_confirmed_at": null,
  "business_purpose": null,
  "industry": null,
  "industry_key": null,
  "terms_conditions_signed_at": null,
  "own_economic_interest_signed_at": null,
  "aml_follow_up_date": "2027-07-28",
  "aml_confirmed_on": "2022-07-28",
  "flagged_by_compliance": false,
  "expected_monthly_revenue_cents": null,
  "vat_number": null,
  "website_social_media": null,
  "business_trading_name": null,
  "nace_code": null,
  "business_address_line_1": null,
  "business_address_line_2": null,
  "business_postal_code": null,
  "business_city": null,
  "business_country": null,
  "business_state": null,
  "screening_progress": "POTENTIAL_MATCH",
  "risk_classification_status": "NORMAL_RISK",
  "customer_vetting_status": "NOT_VETTED",
  "annual_income_range": null,
  "data_terms_signed_at": null,
  "branch": null,
  "birth_province": null,
  "birth_post_code": null,
  "socioprofessional_category": null,
  "purpose_of_account_opening": null,
  "main_income_source": null,
  "work_country": null,
  "work_province": null,
  "self_declared_as_pep": null,
  "international_operativity_expectation": [],
  "registration_number": null,
  "legitimation_valid_until": "2030-10-31"
}
```

### Simulate customer hit using device monitoring

You can also trigger the CDD process by creating a [suspicious device activity](/guides/kyc/device-monitoring#how-to-test-device-monitoring) using the suspicious test ID. This will also result in Solaris auto-generating a [question set](/guides/compliance/questions-and-answers) for the customer.

## Appendix I: Customer Due Diligence statuses

**Customer screening statuses**

The following table includes the different statuses for the field `screening_progress` and their descriptions:

| Value | Description | Associated color |
| --- | --- | --- |
| `NOT_SCREENED` | Default status. It means Solaris has not started screening the customer. | yellow |
| `POTENTIAL_MATCH` | The Enhanced Due Diligence process has been triggered for the customer. In this case, additional information may be requested and eventually the customer will be reclassified to either `red` or `green`. You **CANNOT** onboard the customer at this stage and must wait until the final screening score. | yellow |
| `SCREENED_ACCEPTED` | No match was found for the customer and an account can be opened. | green |
| `SCREENED_DECLINED` | The risk screening process has failed and the customer cannot be onboarded. | red |

**Risk classification statuses**

The following table includes the different statuses for the field `risk_classification_status` and their descriptions:

| Value | Description | Associated color |
| --- | --- | --- |
| `NOT_SCORED` | Default status. It means Solaris has not started scoring the customer. You CANNOT onboard the customer with this status. | yellow |
| `POTENTIAL_RISK` | The Enhanced Due Diligence process has been triggered for the customer. In this case, additional information may be requested and eventually the customer will be reclassified to either `red` or `green`. You **CANNOT** onboard the customer with this status and must wait until the final risk classification score. | yellow |
| `NORMAL_RISK` | The customer risk group has been classified as low or medium. You can onboard the customer with this status. | green |
| `INFORMATION_REQUESTED` | The AML team requests additional information from the customer. Based on the provided information, the customer will be reclassified to either `red` or `green`. You **CANNOT** onboard the customer with this status and must wait until the final risk classification score. | yellow |
| `INFORMATION_RECEIVED` | The customer sent the requested information to the AML team and it's currently under investigation. Based on the provided information, the customer will be reclassified to either `red` or `green`. You CANNOT onboard the customer at this stage and must wait until the final risk classification score. | yellow |
| `RISK_ACCEPTED` | The customer passed the risk classification process and you can onboard the customer with this status. | green |
| `RISK_REJECTED` | The customer is rejected due to identified risks. You CANNOT onboard the customer with this status. | red |
| `CUSTOMER_UNRESPONSIVE` | The customer did not provide the requested information. You CANNOT onboard the customer with this status. | red |
| `SCORING_NOT_REQUIRED` | In certain cases, the risk classification process is not required for a customer (e.g., the beneficial owner of a business). You can onboard the customer with this status. | green |

**Customer vetting statuses**

The following table includes the different statuses for the field `customer_vetting_status` and their descriptions:

| Value | Description | Associated color |
| --- | --- | --- |
| `NOT_VETTED` | Default status. It means Solaris has not started vetting the customer. You CANNOT onboard the customer with this status. | yellow |
| `NO_MATCH` | The customer passed the vetting process and no fraud patterns were detected. You can onboard the customer with this status. | green |
| `POTENTIAL_MATCH` | The Enhanced Due Diligence process has been triggered for the customer. In this case, additional information may be requested and eventually the customer will be reclassified to either `red` or `green`. You **CANNOT** onboard the customer with this status and must wait until the final customer vetting score. | yellow |
| `INFORMATION_REQUESTED` | The AML team requests additional information from the customer. Based on the provided information, the customer will be reclassified to either `red` or `green`. You **CANNOT** onboard the customer with this status and must wait until the final customer vetting score. | yellow |
| `INFORMATION_RECEIVED` | The customer sent the requested information to the AML team and it's currently under investigation. Based on the provided information, the customer will be reclassified to either `red` or `green`. You CANNOT onboard the customer at this stage and must wait until the final customer vetting score. | yellow |
| `RISK_ACCEPTED` | The customer passed the customer vetting process and you can onboard the customer with this status. | green |
| `RISK_REJECTED` | The customer is rejected due to identified fraud patterns. You CANNOT onboard the customer with this status. | red |
| `CUSTOMER_UNRESPONSIVE` | The customer did not provide the requested information. You CANNOT onboard the customer with this status. | red |
| `VETTING_NOT_REQUIRED` | In certain cases, the customer vetting process is not required for a customer (e.g., authorized person of an account). You can onboard the customer with this status. | green |
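
The all-green rule, the B2B exception, and the lending rule from this guide can be combined into one gate driven by the Appendix I tables. The following is an added example, not Solaris code: the function names, the decision labels, and the choice to treat a missing or unrecognized status as red are assumptions of the example, while the status values and colors are taken from the tables above.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"

# Status -> color, copied from the Appendix I tables on this page.
STATUS_COLORS = {
    "screening_progress": {
        "NOT_SCREENED": YELLOW,
        "POTENTIAL_MATCH": YELLOW,
        "SCREENED_ACCEPTED": GREEN,
        "SCREENED_DECLINED": RED,
    },
    "risk_classification_status": {
        "NOT_SCORED": YELLOW,
        "POTENTIAL_RISK": YELLOW,
        "NORMAL_RISK": GREEN,
        "INFORMATION_REQUESTED": YELLOW,
        "INFORMATION_RECEIVED": YELLOW,
        "RISK_ACCEPTED": GREEN,
        "RISK_REJECTED": RED,
        "CUSTOMER_UNRESPONSIVE": RED,
        "SCORING_NOT_REQUIRED": GREEN,
    },
    "customer_vetting_status": {
        "NOT_VETTED": YELLOW,
        "NO_MATCH": GREEN,
        "POTENTIAL_MATCH": YELLOW,
        "INFORMATION_REQUESTED": YELLOW,
        "INFORMATION_RECEIVED": YELLOW,
        "RISK_ACCEPTED": GREEN,
        "RISK_REJECTED": RED,
        "CUSTOMER_UNRESPONSIVE": RED,
        "VETTING_NOT_REQUIRED": GREEN,
    },
}
B2B_OPTIONAL = ("risk_classification_status", "customer_vetting_status")


def cdd_colors(resource, b2b=False):
    """Map each CDD property of a person/business payload to its color."""
    colors = {}
    for prop, table in STATUS_COLORS.items():
        value = resource.get(prop)
        if value is None and b2b and prop in B2B_OPTIONAL:
            continue  # B2B rule: only screening_progress has to be present
        # Example's assumption: missing or unrecognized values count as red.
        known = isinstance(value, str) and value in table
        colors[prop] = table[value] if known else RED
    return colors


def cdd_decision(resource, b2b=False, lending=False):
    """Return 'proceed', 'wait_for_edd' or 'blocked' for one resource."""
    colors = set(cdd_colors(resource, b2b).values())
    if RED in colors:
        return "blocked"
    if YELLOW in colors:  # EDD pending; the lending flow rejects on yellow
        return "blocked" if lending else "wait_for_edd"
    return "proceed"


if __name__ == "__main__":  # statuses from the second Testing response
    sample = {"screening_progress": "POTENTIAL_MATCH",
              "risk_classification_status": "NORMAL_RISK",
              "customer_vetting_status": "NOT_VETTED"}
    print(cdd_decision(sample))
```

Run the gate on the payload returned by the GET call after every `PERSON_CHANGED` or `BUSINESS_CHANGED` notification, not only at onboarding, since statuses can change during periodic screenings.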