Reliance on Third Parties for Customer Due Diligence

The regulated entities operating in the International Financial Services Centres (IFSC) in India are required to comply with the IFSCA (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022, including the requirement to identify and assess the money laundering (ML) and terrorist financing (TF) risk the customer pose to the business and apply adequate Customer Due Diligence (CDD) measures to mitigate the same. To comply with this AML requirement, the regulated entity can place reliance on third parties for Customer Due Diligence measures.

In the context of reliance on third parties for CDD, let us understand what Customer Due Diligence is, what the third parties can be relied upon for CDD, and the regulatory conditions prescribed under IFSCA (AML, CFT & KYC) Guidelines.

What is Customer Due Diligence?

Customer Due Diligence is the process where the regulated entity:

  • Collects information and identification documents of the customers
  • Verifies their identity documents and authenticates whether the customers are actually who they claim to be
  • Enquires about the nature and purpose of the intended business relationship
  • Identifies the beneficial owners of the corporate customer and verifies their identified
  • Assesses the potential ML/FT risk such customers may pose to the business
Reliance on Third Parties for Customer Due Diligence

CDD is one of the AML/CFT measures deployed when establishing a business relationship with the customer and on an ongoing basis to manage the risk.

What are the third parties the regulated entities can rely upon for CDD?

When the proposed customer of the regulated entity has an existing business relationship with the following third parties, then the regulated entity can use the data available with such third parties for CDD and customer verification of the particular customer:

  • a financial institution that is subject to and is supervised by a financial regulator; or
  • the regulated entity’s branches, subsidiaries, parent entity, the branches and subsidiaries of the parent entity, or any other related corporations.

Thus, a ‘third party’ on which the regulated entity can place reliance for Customer Due Diligence would be a regulated financial institution or the regulated entity’s associated entities (part of the same Financial Group) having an existing relationship with the person subject to CDD measures.

What does it mean by “Reliance on Third Parties for Customer Due Diligence”?

Reliance on third parties for CDD means that a regulated entity relies upon and uses the CDD information pertaining to a particular person with whom the third party already has an existing client relationship, and such third party has performed necessary CDD processes, including customer identification and identity verification. This is not restricted to just obtaining the name and address of the customer; rather, it would include all the CDD information and documents.

The third party’s relationship with the person is distinct or separate from the business relationship proposed by the customer, with the regulated entity relying on the third party for CDD.

Thus, reliance on a third party for CDD indicates the regulated entity’s reference to the CDD measures applied to the customer the regulated entity is proposing to onboard instead of conducting the checks and verification measures on its own afresh.

What conditions must be considered before relying on a third party for CDD?

A regulated entity can rely on third parties for CDD measures subject to the fulfilment of the following conditions:

  • The regulated entity should be able to obtain records or information pertaining to the CDD measures carried out by the third party on an immediate basis,
  • The regulated entity should take adequate steps to ensure that the third party shall provide copies of the identification documents relating to CDD to the regulated entity upon request, without delay,
  • The third party (not part of the same Financial Group) is adequately regulated, supervised and monitored and has implemented measures for complying with CDD and AML record-keeping requirements as per FATF Recommendations and meeting the provisions of IFSCA (AML, CFT & KYC) Guidelines. When relying on a third party who is part of the same Financial Group, the following conditions must be satisfied:
    • the Financial Group applies and implements group-wide programmes on CDD that meets standards set out in FATF Recommendations and
    • implementation of CDD and recordkeeping at the group level are supervised by that country’s financial services regulator or some competent authority.
    • Here, the regulated entity should document the methodology followed for assessing the third party’s compliance with FATF Recommendations and the outcome of such assessment.
  • The third party is not located or based in a country or jurisdiction assessed as high-risk.
  • Reliance on a third party cannot be placed for ongoing monitoring of the business relationship with the customer.
  • Reliance cannot be placed on third parties explicitly prohibited by the IFSCA from relying upon.

It is important to note that the regulated entity shall ultimately be responsible for CDD measures, including Enhanced Customer Due Diligence measures for high-risk customers.

Other key considerations before relying on a third party for CDD

  1. The regulated entity is not automatically required to obtain certified documents from a third party to carry out CDD. However, the regulated entity should ensure that certified documents are readily available from a third party upon request.
  2. the regulated entity must assess the jurisdictional or geographical ML/FT associated with the third party, considering the outcome of the FATF publications, mutual evaluation reports, political stability, etc.
  3. the regulated entity should not rely upon the third party located in the country, which prevents access to CDD data due to secrecy or data protection laws of such country.
  4. When regulated entities are not satisfied with the CDD measures applied by the third party or the CDD measures are found deficient, the regulated entity shall immediately apply the CDD measures necessary to remediate the deficiencies.
  5. The regulated entity’s AML/CFT Policy and overall framework must provide for placing reliance on third parties, the extent to which the entity shall rely on such CDD data and the measures the regulated entity shall perform on its own.
  6. For smooth compliance, the regulated entity must enter into an agreement with the third party when placing reliance on such a party for CDD.

What are the benefits of relying on a third party for CDD?

Sr. No.





A third party’s experience can be used to enhance the adequacy and quality of CDD measures applied.


Time & Cost

Relying on a third party helps the regulated entity save time and thus increase cost-effectiveness.


Independent Perspective

CDD measures applied by the third party offer an unbiased view (bias related to onboarding the customer for financial benefit could be avoided).


The process of conducting CDD to identify the customer and verify their identity is a major legal obligation of a regulated entity. In this context, the IFSCA (AML, CFT, & KYC) Guidelines, 2022, permits the regulated entity to place reliance on specified third parties for CDD, subject to certain conditions.

Let AML India assist you with defining your code or policy around reliance on third parties for CDD and ensure compliance with the conditions mentioned in the IFSCA (AML, CFT, and KYC) Guidelines.


No. Reliance on third parties for Ongoing CDD is prohibited under the IFSCA Guidelines.

The regulated entity is responsible for its CDD; it may rely on third parties, but responsibility and accountability are solely the regulated entity’s.

About the Author

Pathik Shah


Pathik is a Chartered Accountant with more than 25 years of experience in compliance management, Anti-Money Laundering, tax consultancy, risk management, accounting, system audits, IT consultancy, and digital marketing.

He has extensive knowledge of local and international Anti-Money Laundering rules and regulations. He helps companies with end-to-end AML compliance services, from understanding the AML business-specific risk to implementing the robust AML Compliance framework.