Chapter 29 AML: Customer Due Diligence Flashcards

1
Q

29.1 What is the purpose of CDD?

A

The purpose is to understand a client’s identity and business activities so MLTF risks can be properly managed. Understanding a client’s identity fulfils a legal and regulatory requirement and equips the business to make informed decisions about the client’s standing and acceptability. CDD also helps a business to construct a better understanding of the client’s typical business activities. Clients are also required to fill in CDD forms with their banks and solicitors. You should never relax CDD or turn a blind eye to MLTF risks because you know someone who works for your clients.
CDD principles –
• identifying the client and then verifying their identity by obtaining documents or other information from independent and reliable sources
• identifying beneficial owners so that the ownership and control structure can be understood and the identities of any individuals who are the owners or controllers can be known and, on a risk sensitive basis, reasonable measures should be taken to verify their identity
• gathering information on the intended purpose and nature of the business relationship
It is important that risks are assessed at the outset of a business relationship so that a proportionate degree of CDD can be brought to bear. CDD is applied to all new and existing clients alike. The 2017 regulations state CDD must also be performed where there is either a suspicion of MLTF or any doubt about the reliability of the information. The business also needs to decide whether a SAR should be made to the NCA.
The identification phase requires the gathering of information about a client’s identity and the purpose of the intended business relationship. Appropriate information gathered for an individual is full name, date of birth and residential address. In the case of corporates and other organisations, identification extends to establishing the identity of anyone who owns or controls the client; these people are the beneficial owners.
The next stage is risk assessment, which should be performed in accordance with the risk-based approach. An initial risk assessment is based on the information gathered during identification but may prompt the gathering of additional information. Once this has been carried out, evidence is required to verify the identity of the information gathered.
Verification involves validating that the identity is genuine and belongs to the claimed individual or entity. For individuals, verification may require passports; for corporates, verification measures are needed for any beneficial owners. Written documentation is necessary for each stage; this can be done in any way, including specialist AML risk software, spreadsheets, notes on the permanent file and notes on the inside cover of the tax return.

2
Q

29.1 What is the purpose of CDD - beneficial ownership, listed companies, unlisted companies and trusts

A

Beneficial ownership – a beneficial owner (BO) can only be a natural person (an individual). Who the BO is differs across client types:
• Companies with securities listed on an EEA regulated investment market – no requirement to establish beneficial ownership
• Bodies corporate with more than 25% voting rights and capital/profits – any individual who exercises ultimate control over the management of the body is a BO
• Partnerships other than LLPs and LPs with more than 25% voting rights and capital/profits – any individual who exercises ultimate control over the partnership is a BO
• Trusts – the beneficiaries, the settlor, trustees and other individuals with control are BOs
• Other legal entities – any individual benefiting from the property and any individual who exercises control over the entity is a BO
• Estates of deceased individuals – the executor of the estate is the BO
• Other cases – the individual who ultimately owns or controls the client is the BO
• Where all means of identifying the BO have been used – the senior individual responsible for management is the BO
Due diligence required in respect of companies:
Listed companies – you do not need to obtain details of a beneficial owner of a listed company; you need the company name and number, with the address of the registered office and, if different, the place of business.
Unlisted companies and LLPs – need the following information verified: company name and number, address of registered office, articles of association or other governing documents and the law it’s subject to, names of board members and senior persons responsible for operations, and shareholders who own or control 25% of the shares or voting rights. Reliance cannot be placed entirely on Companies House information for details of beneficial ownership.
Trusts – beneficial owners are described as the beneficiaries, the settlor, trustees and other individuals with control of the trust. Firms must take reasonable care to verify beneficial ownership. Trustees will have to keep a record of the beneficial owners and provide details if requested when a business relationship is entered into. If the details change the trustees must notify the relevant person within 14 days.

3
Q

29.1 What is the purpose of CDD - event driven reviews, periodic reviews and ongoing procedures

A

CDD should normally be completed before entering into a business relationship, which is defined as a relationship between a relevant person and a customer, which arises out of the business of the relevant person and is expected by the relevant person, at the time when the contract is established, to have an element of duration. Generic advice is unlikely to constitute a business relationship but may constitute an occasional transaction. Established business relationships should be subject to CDD procedures throughout the duration of the relationship, and CDD should be kept up to date.
Event driven reviews - events prompting a CDD information update must include:
• A change in the client’s identity
• A change in beneficial ownership of the client
• A change in the service provided to the client
• Information that is inconsistent with the business’ knowledge of the client
May also be triggered by
• The start of a new engagement
• Planning for recurring engagements
• A previously stalled engagement restarting
• A significant change to key office holders
• The participation of a PEP
• A significant change in the client’s business activity
• Suspicion or cause for concern
Periodic reviews – businesses should have routine periodic reviews to update their CDD. The frequency of updating should be risk based.
Ongoing procedures – the CDD procedures for either event-driven or periodic reviews may not be the same as when first establishing a new business relationship. Ongoing CDD may require the collection of less new information than was required at the start.

4
Q

29.1 What is the purpose of CDD - SDD, EDD and PEP

A

Simplified due diligence – can be applied when a client is low risk. CDD measures still required but the extent and timing may be adjusted. The business’ internal procedures should set out clearly what constitutes reasonable grounds to qualify for SDD. If a client has been subjected to SDD and a suspicion of MLTF arises, the appropriate due diligence procedures will apply instead. Members will need to justify why SDD was appropriate.
Enhanced due diligence – a risk-based approach to CDD will identify situations with a high risk of MLTF. Enhanced due diligence must apply:
• Where there is a high risk of MLTF
• To any occasional transaction or business relationship with a person established in a high risk third country
• If a business has determined a client is a PEP or a family member/close associate of a PEP
• Where a client has provided false or stolen identification documentation
• Where the transaction is complex and unusually large with no apparent economic or legal purpose
The business’ internal procedures should set out clearly what constitutes grounds to qualify for EDD. The procedures for EDD must include examining the background and purpose of the engagement and increasing the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appears to be suspicious. It may also include:
• Seeking additional independent reliable sources to verify information
• Taking additional measures to understand the background, ownership and financial situation of the client
• Taking further steps to be satisfied that the transaction is consistent with the intended purpose
• Increasing the monitoring of the relationship, including greater scrutiny of transactions
Politically exposed person (PEP) – PEPs must undergo EDD; businesses treat PEPs on a case-by-case basis and apply EDD on the basis of their assessment of the MLTF risk associated with the PEP. Family member of a PEP includes spouse, children, parents and their children’s spouse or partner. A close associate is an individual having joint beneficial ownership of a legal entity or having close business relations.
If the business is not aware of any factors that would make the PEP a higher risk category, they may be categorised as a low risk PEP, meaning the business should apply less onerous EDD requirements. Such factors may include involvement in public scandals, undeclared business interests and the acceptance of inducements to influence policy. Businesses must treat individuals as PEPs for at least 12 months after they cease to hold a prominent public function; this does not apply to family members or close associates. The 2017 regulations state that only directors, deputy directors and board members of international organisations should be treated as PEPs, not middle-ranking or junior officials. Businesses are required to use risk sensitive measures to recognise PEPs; businesses likely to provide services regularly to PEPs should consider subscribing to a specialist database. EDD on a PEP must include senior management approval for the relationship, adequate measures to establish and enhanced monitoring of the ongoing relationship.
The EU Directive makes it clear that refusing a business relationship with a person solely on the basis they are a PEP is contrary to the spirit and letter of the EU directive and of the FATF standards. Businesses should only refuse relationships when such risk assessments indicate they cannot effectively mitigate and manage these risks.

5
Q

29.1 What is the purpose of CDD - financial sanctions, other parties, group engagements and subcontracting

A

Financial sanctions and other prohibited relationships – businesses must comply with sanctions, embargos or restrictions that the UN, UK and EU have put in place. Arrangements in place may have to stop if sanctions are later put in place. Sanctions imposed by overseas countries may also apply to UK businesses. The guidance by the OFSI helps businesses with sanctions. The 2017 regulations put in place reporting obligations for certain businesses; not complying with reporting obligations is an offence which may result in a criminal prosecution or a monetary penalty.
Reliance on other parties – a business can rely on other parties to complete all or part of CDD, but only if the party is a member of the regulated sector in the UK or subject to an equivalent regulatory regime that includes compliance supervision equivalent to the EU directive. Businesses should enter into an agreement to ensure the other party will provide the CDD documentation immediately on request. Responsibility for CDD still remains with the relying party. A business relying on a third party to complete CDD should still carry out a risk assessment and perform ongoing monitoring. Businesses must still maintain copies of all relevant information to satisfy CDD requirements; they should also enter into a written agreement.
Parties granting reliance – a business should consider whether it wishes to be relied upon to perform CDD for another party. Before granting consent, a business that is relied upon must ensure its client is aware that the disclosure may be made to the other party and has no objection to the disclosure. It should make sure that it has adequate systems for keeping CDD records, that it can make information available immediately on request and that it can keep the CDD records secure for five years after the end of the business relationship.
Group engagements – when a business contracts with a group of companies under the control of a parent, it may wish to consider applying CDD in a proportionate, risk-sensitive way by treating the group as a single entity.
Subcontracting – where a business is engaged by another business to help work for one of its clients, the business should consider which one is its client. For example, if there is no business relationship or engagement letter between the business and the other business’ client, CDD may only be required for the business that needs help. Where there is significant contact and there is a business relationship, CDD must be done on both companies.

6
Q

29.5 CDD Documents and data

A

Evidence gathering – the 2017 regulations do not prescribe what information sources a business should consult to perform CDD. The information should be drawn from independent sources and any identity evidence used should be from an authoritative source. For higher risk cases businesses may wish to use subscription databases. Documents issued or made available by an official body can be regarded as being independent. There is a broad hierarchy of documents:
• Documents issued by a government department and agencies or a court
• Documents issued by other public sector bodies or local authorities
• Documents issued by regulated firms in the financial services sector
• Those issued by other firms subject to the regulations or equivalent legislation
• Those issued by other organisations

7
Q

29.5 CDD Documents and data - client identification

A
Client identification (individuals) – the full name, date of birth and residential address should be obtained. For verification, a document issued by an official body is deemed to be an independent and reliable source. Documents should be valid and recent. Documents sourced online should not be accepted if there is suspicion regarding the provenance of the documents. For a normal risk individual, a valid passport, driving licence or an identity card is sufficient. For a high-risk individual, a second document should be seen which can also be recent evidence of entitlement to a local authority funded benefit, instrument of a court appointment, current council tax letter, HMRC issued tax notification, tax deduction certificates, current bank statements and current utility bills.
Source of wealth and funds – evidence can be obtained from searching public information sources like the internet, company registers and land registers. If the client’s funds have been derived from employment, property sales, investment sales, inheritance or divorce settlements, it may be appropriate to obtain documentary proof.
Client identification (LLPs/Private Companies) – need the full name of the company, registered number, registered office address and the principal place of business, any shareholders who control more than 25% of the shares or voting rights and the identity of the agent purporting to act on behalf of the entity and their authorisation. You should also verify (unless the entity is listed on the regulated market) the law to which it is subject, its constitution and the full names of all directors. 
Client identification (listed or regulated entity) – need the full name, the membership or registration number and the address. For verification you need a printout from the website of the relevant regulator or exchange or written confirmation of the entity’s regulatory or listing status from the regulator or exchange. 
Client identification (government or similar bodies) – need the full name of the body, the main place of operation and the government or supra-national agency which controls it. For verification you need a printout from the website of the relevant body; additionally, for housing associations you must include its registered number, registered company number and registered address on the printout.
8
Q

29.5 CDD Documents and data - certification, annotation and use of electronic data

A

Certification – you must consider how you demonstrate the provenance of document copies. When the original was seen by a relevant employee it is sufficient for them to endorse the copy. When the copy originates from outside the business, the standing of the person who certified it should be considered and relevant employees should be aware of the risks associated with certified copies. It may be necessary to stipulate acceptable sources for certified copies. An appropriate person in relation to the certification of documentation is someone in a position of responsibility, who knows and is known by a customer and may reasonably confirm the customer’s identity.
Annotation – where a document is not the original one but could be mistaken for one it should be annotated. This is particularly true for documents sourced from the internet. Documents of this kind should carry an indication of the source and when the download took place.
Use of electronic data – there are a number of subscription services which give access to identity-related information, many are often used to replace or supplement paper-based verification checks. Before using any electronic services, a member should consider:
• Does the system draw from multiple sources – single source system is not sufficient
• Are the sources checked and reviewed regularly
• Are there control mechanisms to ensure data quality and reliability
• Is the information accessible
• Does the system provide adequate evidence that the client is who they claim to be
In some cases, for a higher risk client, electronic verification may not be sufficient. You can reduce risk by supporting electronic verification: obtaining other source material, getting a trusted third party to verify the identity and requiring a client to pay you through an account held in their own name.

9
Q

29.6 Delays to CDD

A

The 2017 regulations do recognise that CDD will sometimes need to be completed while the business relationship is established, rather than before. But delays of this kind are only permissible when there is little risk of MLTF. When most of the information has been collected before the business relationship has begun, it may be acceptable to have a short extension provided the cause of the delay is administrative or logistical, not the client’s reluctance to cooperate. It is recommended each extension is considered individually and agreed by the MLRO. No client engagement should be completed until CDD has been completed.
Provided CDD is completed as soon as practicable, verification may be completed during the establishment of a business relationship if this is necessary not to interrupt the normal course of the business and there is little risk of MLTF. It may be necessary to do this because work is urgent, as in some insolvency appointments, appointments involving ascertaining the client’s legal position or defending them in legal proceedings, response to an urgent cyber incident and when it is critically important to preserve or extract data or other assets without delay.
Cessation of work and suspicious activity reporting – if a prospective or existing client refuses to provide CDD information, the work must not proceed, and any existing relationship must be terminated. In many cases inability to complete CDD is not a circumstance where an insolvency practitioner can resign, and an appropriate risk-based approach should be adopted where the client’s management are not cooperative. Consideration must be given to whether a SAR needs to be submitted to the NCA.
