Customer due diligence overview

Introduction

Customer due diligence (CDD) is required by the 2007 Regulations because businesses can better identify suspicious transactions if they know their customers and understand the reasoning behind the instructions they give.

CDD measures are a key part of the anti-money laundering requirements. They ensure that businesses know who their clients are and that they do not unknowingly accept clients who are outside their normal risk tolerance, or whose business they will not understand with sufficient clarity to be able to form money laundering suspicions when appropriate. If a business does not understand its client's regular pattern of business activity, it will be very difficult to identify any abnormal business patterns or activities. In addition, businesses must be in a position to supply the client's identity to SOCA should that client become the subject of a SAR.

Many businesses will have other procedures for client acceptance, for example, to ensure compliance with professional requirements for independence and to avoid conflicts of interest. The requirements of the 2007 Regulations may either be integrated with those procedures or addressed separately. In either case, initial CDD information not only assists in acceptance decisions, but also enables the business to form well-grounded expectations of the client's behaviour which provides some assistance in detecting potentially suspicious behaviour during the business relationship.

The processes required for compliance with anti-money laundering initial CDD requirements contribute vitally to the overall picture of potential clients and appropriate risk assessment of them. However, a lack of concern raised during CDD does not automatically mean that the client and engagement will remain in their initial risk category. Continued alertness for changes in the nature or ownership of the client, its business model, or its susceptibility to money laundering – or actual evidence of the latter – must be maintained.

When is CDD required?

General

Businesses must conduct CDD on those clients who retain them for services regulated under the 2007 Regulations.

Regulation 7 requires that businesses conduct CDD when:

  • Establishing a business relationship
  • Carrying out an occasional transaction
  • They suspect money laundering or terrorist financing
  • They doubt the veracity or adequacy of documents, data or information previously obtained for the purpose of CDD

A business relationship is a business, professional or commercial relationship between a relevant person and a customer, which is expected by the relevant person at the time when contact is established to have an element of duration.

An occasional transaction is a transaction (carried out other than as part of a business relationship) amounting to 15,000 euros or more, whether the transaction is carried out in a single operation or several operations which appear to be linked.

The distinction between occasional transactions and long-lasting business relationships is relevant to the timing of CDD and the storage of records.

Where an occasional transaction is likely to increase in value or develop into a business relationship, businesses should consider conducting CDD early in the retainer to avoid delays later. As relationships change, businesses must ensure they are compliant with the relevant standard.

There is no obligation to conduct CDD in accordance with the 2007 Regulations for retainers involving non-regulated activities.

Specific timing requirements

Regulation 9 requires businesses to verify their client's identity and that of any beneficial owner, before they establish a business relationship or carry out an occasional transaction.

Regulation 11 provides that if a business is unable to complete CDD in time, it cannot:

  • Carry out a transaction with or for the client through a bank account
  • Establish a business relationship or carry out an occasional transaction

It must also:

  • Terminate any existing business relationship
  • Consider making a disclosure to SOCA

Identification and verification of identity procedures are also required at other times, for example, when there is a suspicion of money laundering or terrorist financing or where there are doubts about the sufficiency of identification information already held. If it is concluded the information held is insufficient, the business should remedy this as soon as is practicable. Should a suspicion be developed about the client, businesses will need to consider whether they are satisfied that the information already held is sufficient and up to date or whether any additional or updated information is required in respect of the client(s) in question.

In particular, in any case where suspicion is developed, simplified due diligence may no longer be applied. This means that if simplified due diligence had been applied, additional information will need to be collected in accordance with the business's risk-based procedures. In conducting this CDD work, businesses must bear in mind the need to avoid disclosing that a money laundering report has been made, or that an investigation is underway or may be commenced.

Exceptions to timing requirements

There are several exceptions to the timing requirement and the prohibition on acting for the client.

However, businesses should consider why there is a delay in completing CDD, and whether this of itself gives rise to a suspicion which should be disclosed to SOCA.

Normal conduct of business

Regulation 9(3) provides that verification may be completed during the establishment of a business relationship (not an occasional transaction) where:

  • It is necessary not to interrupt the normal conduct of business
  • There is little risk of money laundering or terrorist financing occurring

Verification must be completed as soon as practicable after the initial contact.

Businesses should consider their risk profile when assessing which work can be undertaken on a retainer prior to verification being completed.

They should not permit funds or property to be transferred or final agreements to be signed before completion of full verification.

If a business is unable to conduct full verification of the client and beneficial owners, then the prohibition in Regulation 11 will apply.

Ascertaining legal position

Regulation 11(2) provides that the prohibition in 11(1) does not apply where a lawyer or other professional adviser is in the course of ascertaining the legal position for their client or performing their task of defending or representing their client in, or concerning legal proceedings, including advice on instituting or avoiding proceedings.

The requirement to cease acting and consider making a report to SOCA when you cannot complete CDD does not apply when the relevant person is providing legal advice or preparing for or engaging in litigation or alternative dispute resolution.

When delay may be acceptable

In forming new business relationships, there are some cases where delay may be acceptable, such as in urgent insolvency appointments, and urgent appointments that involve ascertaining the legal position of a client or defending the client in legal proceedings. In such cases, businesses should still gather enough information to allow them to at least form a basic assessment of the identity of the client and money laundering risk and to complete other acceptance formalities such as considering the potential for conflicts of interest.

In other cases, where the majority of information required has been collected before entering a business relationship, short time extensions to complete collection of remaining information may be acceptable, provided this is caused only by administrative or logistical issues, and not by any reluctance of the client to provide the information and is necessary not to interrupt the normal course of business. Such extensions should be exceptional, rather than the norm. It is recommended that such extensions of time are considered and agreed by a member of senior management or the MLRO to ensure the reasons for the extension are valid and do not give rise to concern over the risk category of the client or the potential for money laundering suspicion.

If evidence is delayed (rather than refused), businesses should consider:

  • The credibility of the client's explanation
  • The length of delay
  • Whether the delay is in itself reasonable grounds for suspicion of money laundering requiring a report to SOCA and/or a factor indicating against acceptance of the client and engagement

If a prospective client refuses to provide evidence of identity or other information properly requested as part of customer due diligence, the business relationship or occasional transaction must not proceed any further and any existing relationship with the client must be terminated. Consideration must also be given to whether a report needs to be made to SOCA.

In the context of insolvency work, special considerations apply. The person or entity entering into the business relationship is considered to be the insolvent. An insolvency practitioner should obtain verification of the identity of the person or entity over which he is appointed. Acceptable evidence of verification may include a court order, a court-endorsed appointment, or an appointment made by a debenture holder or creditors' meeting supported by a company search or similar. It is not always possible or necessary to obtain identification evidence direct from individuals or individual shareholders or directors in an appointment in respect of a company, as their co-operation may not be forthcoming.

It is important for an officeholder to be sure about the identity of the person or entity over which he is taking appointment given the urgency of the situation and the necessity not to delay when this might risk dissipation of assets and erosion of value. However, completion of other elements of customer due diligence may not be possible prior to appointment and should be completed as soon as practicable after appointment (if possible, usually within 5 working days).

Insolvency practitioners post appointment have a very different relationship with the insolvent client than that with a normal client and have access to a very wide range of information which alters the need for traditional pre-appointment CDD. However, particular focus is needed before, and immediately after, appointment on considering the way the business has been operated and assessing the risk of assets being tainted by crime in which case it may well be necessary, but not as a matter of routine in every case, to apply to SOCA for consent to perform the normal range of duties of collection, realisation and distribution of assets.

Ongoing monitoring

Regulation 8 requires that businesses conduct ongoing monitoring of a business relationship on a risk-sensitive and appropriate basis. Ongoing monitoring is defined as:

  • Scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the business's knowledge of the client, their business and the risk profile
  • Keeping the documents, data or information obtained for the purpose of applying CDD up-to-date.

Businesses must also be aware of obligations to keep clients' personal data updated under the Data Protection Act.

Ongoing monitoring of the business relationship is required. This comprises scrutiny of activity during the relationship, including enquiry into source of funds if needed, to ensure all is consistent with expected behaviour based on accumulated customer due diligence information. In addition, it is required that the documentation concerning the relationship (including customer due diligence) is kept updated. The need to update customer due diligence information should be considered at appropriate times, following a risk based approach, according to the business's knowledge of the client and changes in its circumstances or the nature of services provided by the business. A business may also wish to consider this need, on a more routine basis, as appropriate opportunities arise.

Examples of such opportunities are:

  • At the start of new engagements and when planning for recurring engagements
  • When a previously stalled engagement restarts
  • Whenever there is a change of control and/or ownership of the client
  • When there is a material change in the level, type or conduct of business
  • Where any cause for concern, or suspicion, has arisen (in such cases, care must be taken to avoid making any disclosure which could constitute tipping off).

Ongoing monitoring will normally be conducted by relevant persons handling the retainer, and involves staying alert to suspicious circumstances which may suggest money laundering, terrorist financing, or the provision of false CDD material.

Existing clients

Businesses must apply CDD measures at appropriate times to existing clients (i.e. those where there was an existing business relationship prior to 15 December 2007) on a risk-sensitive basis.

Risk-based approach to customer due diligence

Regulation 7(3) requires CDD measures to be carried out on a risk-sensitive basis, depending on the type of client, business relationship, product or transaction. This means that businesses need to consider how their risk assessment and management procedures flow through into their client acceptance and identification procedures, to give sufficient information and evidence, in the way most appropriate to the business concerned.

Businesses must be able to demonstrate to their supervisory authority that they took appropriate measures in view of the risks of money laundering and terrorist financing.

Businesses cannot avoid conducting CDD, but they can use a risk-based approach to determine the extent and quality of information required and the steps to be taken to meet the requirements.

Application of a risk-based approach is of considerable importance in verification, both to ensure a good depth of knowledge in higher risk cases, but also to avoid superfluous effort in lower or normal risk cases.

What is CDD?

Regulation 5 says that CDD comprises:

  • Identifying the client and verifying their identity on the basis of documents, data or information obtained from a reliable and independent source
  • Identifying, where there is a beneficial owner who is not the client, the beneficial owner and taking adequate measures, on a risk-sensitive basis, to verify his identity so that you are satisfied that you know who the beneficial owner is. This includes understanding the ownership and control structure of a legal person, trust or similar arrangement
  • Obtaining information on the purpose and intended nature of the business relationship

Identification of a client or a beneficial owner is simply being told or coming to know a client's identifying details, such as their name and address.

Verification is obtaining some evidence which supports this claim of identity. Verification can be completed on the basis of documents, data and information which come from a reliable and independent source. This means that there are a number of ways a business can verify its client's identity including:

  • Obtaining or viewing original documents
  • Conducting electronic verification
  • Obtaining information from other regulated persons

The resources used to undertake effective CDD are not prescribed. Various sources may be used to enhance a business's knowledge of their client, including direct discussion with the client, information (e.g. websites, brochures, reports etc.) prepared by the client and review of public domain information.

Businesses need to consider whether there are any particular steps they wish to specify for use in higher risk cases to increase the depth of CDD, such as seeking out wider information from extensive internet and press searches concerning the potential client, its key counterparties, its sector and jurisdiction, or possibly using subscription databases which provide a quick way of accessing public domain information and in many cases provide links to persons or companies known to be associated with the potential client.

Businesses might, as appropriate to their risk assessment, wish to check the names of clients against lists of persons subject to asset-freezing restrictions, including under financial sanctions and terrorism financial restrictions. HM Treasury maintains a consolidated list of persons designated as being subject to financial restrictions in force in the UK but recourse may be had to further lists such as those issued by the UN and the US Treasury Office of Foreign Assets Control (or OFAC).

Documents

The purpose of verification of identity is to confirm and prove the information collected in so far as it relates to the identity of the client. Recourse to documents from independent sources is important.

The amount of reliance that can be placed upon, and thus the strength of, particular forms of evidence varies. The following are illustrative of the different strength of various forms of documentary evidence starting with the highest:

  • Documents issued by a government department or agency or a Court (including documents filed at Companies House or overseas equivalent)
  • Documents issued by other public sector bodies or local authorities
  • Documents issued by businesses regulated by the Financial Conduct Authority or overseas equivalent
  • Documents issued by professionals regulated for anti-money laundering purposes by the bodies listed in Schedule 3 of the 2007 Regulations or overseas equivalents
  • Documents issued by other bodies

In the case of individuals, documents from highly rated sources that contain photo identification as well as written details are a particularly strong source of verification of identity.

Businesses may wish to consider whether copies of original documents and copies of certified copies of original documents should be certified as true copies to demonstrate their provenance.

Annotation should be used when the document is as good as an original but is not the original itself. This particularly applies to printouts from the Internet, such as downloads from Companies House, regulator, stock exchange or government websites, or similar trustworthy business information sources. Each document so obtained should bear written evidence showing who printed it, when, from where and should be signed by the relevant person.

Electronic verification

There are now a number of subscription services that give access to databases of information on identity. Many of these services can be accessed online and are often used by businesses to replace or supplement paper verification checks.

Electronic verification will only confirm that someone exists, not that the client is the person they claim to be. Businesses should consider the risk implications in respect of the particular retainer and be on the alert for information which may suggest that the client is not the person they say they are. Businesses may mitigate risk by corroborating electronic verification with some other CDD material.

When choosing an electronic verification service provider, businesses should look for a provider who:

  • Has proof of registration with the Information Commissioner's Office to store personal data
  • Can link an applicant to both current and previous circumstances using a range of positive information sources
  • Accesses negative information sources, such as databases on identity fraud and deceased persons
  • Accesses a wide range of 'alert' data sources
  • Has transparent processes enabling businesses to know what checks are carried out, the results of the checks, and how much certainty they give on the identity of the subject
  • Allows the capture and storage of the information used to verify an identity

When using electronic verification, businesses are not required to obtain consent from their client, but the client must be informed that this check will take place.

Reliance on third parties

Businesses may rely on third parties, subject to the third parties' consent, to complete all or part of CDD as set out below but they should be cautious in relying on third parties as they will remain liable for any failure to comply notwithstanding their reliance on a third party.

Reliance may be placed on persons who are:

  • Regulated credit or financial institutions (excluding money service businesses)
  • Professional lawyers, auditors, external accountants, insolvency practitioners or tax advisers

Professionals in the second of these categories must be regulated by one of the supervisory authorities listed in Part 1 of Schedule 3 to the 2007 Regulations, or be subject to equivalent regulation in an EEA or non-EEA state including mandatory professional registration recognised by law and supervision for compliance with requirements equivalent to the third money laundering directive.

Businesses may outsource their customer due diligence measures but remain liable for any failure in the CDD. Using an electronic verification service is an example of outsourcing.

An individual or business consenting to be relied upon must, if requested, make available to the person relying as soon as is reasonably practicable:

  • Any information obtained about the client (and any beneficial owner) when applying CDD measures; and/or
  • Copies of any identification and verification data and other documents on the identity of the client (and any beneficial owner) obtained when applying CDD measures.

Before placing reliance, an individual or business seeking to rely must take steps to ensure the person being relied upon will provide the required information.

Any individual or business consenting to be relied upon must ensure the records of CDD which become the subject of reliance are retained for 5 years from the date on which reliance commences.

Failure by a person who has been relied upon to comply with the requirements in relation to responding to requests for information, relying upon a person without having ensured they will provide the information required on request, or failing to keep the records required after reliance has been allowed are all criminal offences.

Where reliance is placed on a third party, businesses are not required to apply standard CDD measures. However, businesses must still carry out ongoing monitoring.

Whilst reliance may be a useful and efficient feature of a CDD system between parties who are able to build a relationship of trust, it should not be entered into lightly. Individuals and businesses need to consider carefully whether they wish to be relied upon and before so consenting ensure:

  • Their client (and any other third party whose information would be disclosed) has no objection to their information being passed to the person seeking reliance; and
  • That they have in place the necessary record-keeping systems.

Prohibited relationships

The 2007 Regulations set out circumstances which constitute prohibited relationships. Under Regulation 16, correspondent banking relationships with shell banks, or with a bank known to permit use of its accounts by a shell bank, are prohibited. Shell bank means a credit institution, or an institution engaged in equivalent activities, incorporated in a jurisdiction in which it has no physical presence involving meaningful decision-making and management, and which is unaffiliated with a regulated financial group.

In addition, set up of anonymous accounts in the UK is prohibited, and CDD must be applied to any existing accounts continuing in existence after 15 December 2007 before such an account is used.

All businesses must pay special attention to services or, where relevant, products or transactions that might allow anonymity and take measures to prevent their use in money laundering or terrorist activity. Businesses must include any such product or transaction within those requiring enhanced due diligence.

In addition, businesses must comply with any prohibition issued by HM Treasury in respect of any person, or State to which the Financial Action Task Force has decided to apply counter-measures. Directions may be given not to enter into business relationships, carry out occasional transactions or proceed with any such arrangements already in progress. The Government also issues advisory notices, against countries with material deficiencies in their anti-money laundering and counter terrorist financing (AML/CTF) regimes, based on the FATF Non-Co-operative Countries or Territories list (consisting of countries with extremely ineffective AML/CTF legislation and systems which prevent them from adequately co-operating internationally in combating money laundering and terrorist financing) and other FATF concerns. An advisory notice requires that businesses and individuals in the UK should exercise caution when entering into business relationships in such countries. Advisory notices are available from the HM Treasury website under 'press notices'. Businesses may subscribe to receive press notices on the HM Treasury website.