AML Awareness - Customer Due Diligence
Know your customer (KYC) and customer due diligence (CDD) are frequently used in anti-money laundering circles, especially in the financial services world but, as far as accountants are concerned, in practical terms they are one and the same. As well as ensuring that you comply with the law, undertaking proper CDD as part of your KYC and client acceptance procedures makes good business sense. It will help ensure that you do not accept clients who you might consider too risky or whose business you do not adequately understand .
What is CDD?
There are three components that make up the CDD measures required by the Money Laundering Regulations 2007 . Chapter 14 of the ICAS General Practice Procedures Manual, to which all eligible ICAS firms can have free access, contains detailed guidance on each of these areas. If you have not already done so, you can sign up for the GPPM here.
The three components are:
Ascertaining and verifying the identity of the client i.e. knowing who the client is and confirming that identity is valid by obtaining documents or other information from sources which are independent and reliable.
Frequently, identity checks for money laundering purposes are interpreted as simply obtaining a copy of photo-identification (such as a passport) and proof of address (such as a recent utility bill). This will indeed satisfy the requirements. However, there are other ways of obtaining satisfactory evidence of identity , such as visiting them at home or their place of business. Section 14.10 (Obtaining Identification) of the GPPM contains detailed information on the identity checks required for the various types of clients for whom you are likely to act, together with a comprehensive list of relevant client ID checklists.
Ascertaining and verifying (if appropriate) the identity of the beneficial owners of a client, if there are any, so that you know the identity of the ultimate owners or controllers of the business and understand the ownership and control . The recent introduction of the Persons with Significant Control for limited companies may make this a little easier.
The focus on identifying and verifying (if they are higher risk) the identity of beneficial owners is not only an important element of CDD, but is also an important factor in an effective risk-based approach to client acceptance.
Regulation 6 of the 2007 Regulations states that, where not otherwise specified, the beneficial owner is the person who ultimately owns or controls the client or on whose behalf a transaction is being conducted. It also sets out in some detail the meaning of ‘beneficial owner’ in terms of bodies corporate, partnerships, trusts, and other legal entities and arrangements not falling into these categories, together with special provisions regarding estates of deceased persons.
Information on the purpose and intended nature of the business relationship i.e. knowing what you are going to do for them and why.
In the majority of case for most compliance work undertaken by accountancy practices, the nature and purpose of the proposed business relationship will be self-evident. However, when more complex or unusual work is involved, more thought needs to be given to this element .
Levels of CDD
There are three levels of CDD – ‘Standard’, ‘Simplified’, and ‘Enhanced’.
Standard due diligence
‘Standard due diligence’, as outlined above, should be applied to all clients, unless ‘simplified’ due diligence is or ‘enhanced’ due diligence is appropriate.
Simplified due diligence
‘Simplified due diligence’ means that you do not have to apply the standard due diligence because you believe that a client falls into a relevant category.
The main categories are credit or financial institutions subject to the provisions of the money laundering directive or equivalent overseas requirements; companies listed on a regulated EEA market or equivalent overseas requirements subject to specified disclosure obligations; and UK public authorities and certain public authorities in the EU and EEA . In such cases, it is important to ensure that the person who is authorising the work is authorised to do so.
The circumstances in which ‘simplified due diligence’ can be applied are therefore quite limited, and even if it does, you must still carry out ongoing monitoring and appropriate KYC information should therefore still be obtained.
Enhanced due diligence
‘Enhanced due diligence’ should be applied to clients in situations which present a higher risk of money laundering or terrorist financing, and in particular if a client has not been physically present for identification purposes .
In such cases, one or more additional measures must be taken to enhance due diligence, by either gathering additional documents, data or information, or taking additional steps to verify documents or obtain a confirmatory certificate from a credit or financial institution subject to the money laundering directive. Also, if you are dealing with a politically exposed person (PEP ), that is someone who has been entrusted with a prominent public function and presents a higher risk for potential involvement in bribery and corruption by virtue of their position and the influence that they may hold, senior management must give approval for the relationship to be established; you must take adequate measures to establish the source of wealth and funds which are involved; and you must conduct enhanced monitoring once the relationship is established.
Examples of applying this in practice can be found in our helpsheet PDF [223 KB].
When to perform CDD procedures
CDD measures should normally be undertaken BEFORE entering into a business relationship with a client. The reason for this is obvious – as previously discussed in another article , you have to decide whether a client fits your practice’s established risk profile and you can only do that if you have already undertaken the appropriate CDD procedures. Deciding to take a client on without “checking them out” heightens considerably the risk of taking on undesirable clients. In addition, if procedures are not completed before entering a business relationship, practices and their clients may suffer considerable cost and inconvenience in having to terminate a relationship if ID procedures either cannot be completed, or where the results are unsatisfactory.
There are though some cases where a delay in completing CDD may be acceptable, such as in urgent insolvency appointments, and urgent appointments that involve ascertaining the legal position of a client or defending the client in legal proceedings. In such cases, you should still gather enough information to at least form a basic assessment of the identity of the client and money laundering risk and to complete other acceptance formalities such as considering the potential for conflicts of interest.
However, the initial “on-boarding” check is not the end of the matter. To avoid the practice taking on work that could involve undue risk of money laundering, CDD should also be undertaken when carrying out an occasional transaction or additional work for a client. Further CDD should always be done where there is a change in beneficial ownership, or where you suspect money laundering or terrorist financing, and where you have doubts concerning the veracity of previous identification information.
Reliance on third parties
You may rely on third parties, such as banks, lawyers, auditors, other external accountants, insolvency practitioners or tax advisers, to complete all or part of the CDD. However, it’s important to remember that before you can rely on someone else’s CDD, they must agree to you relying on their work. If you do rely on another professional’s CDD, you will remain liable for any failure to comply with the law, and it would therefore be prudent to get copies of relevant information and documentation from them to ensure that the information is sufficient.
If you give consent to another profession to rely on your CDD, you should take great care to ensure you have adequate systems in place to keep proper records and to respond to any request for these. If requested, you must give them any information obtained about the client and any beneficial owner, and copies of any identification and verification data and other documents on the identity of the client (and any beneficial owner) obtained when applying CDD measures, as soon as is reasonably practicable. You must also ensure the CDD records relied on are retained for five years from the date on which reliance commences. Failure to do any of this is a criminal offence.
Relying on another professional’s CDD may be useful and efficient, but it should not be done lightly and only with a third party you trust.