ECSH33305 - Testing customer due diligence: what is due diligence?
What is due diligence?
Due diligence means taking the necessary care and attention when carrying out a transaction or establishing a business relationship with a customer. A business might refer to this as KYC (Know Your Customer or Client) or KYB (Know Your Business), which are terms widely used within the financial industry.
Customer due diligence (CDD) under Part 3 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) involves:
- Verifying that customers are who they say they are.
- Identifying and verifying beneficial owners.
- Obtaining information on the purpose and intended nature of a transaction or business relationship.
The requirements are explained within the following sections of this guidance, with further guidance in ECSH63450 - Part 3 - Customer Due Diligence: contents.
You should also use the chronological flowchart to help you follow all of the CDD requirements.
Where there is an ongoing business relationship, the information must be kept up to date and transactions scrutinised (including, where necessary, the source of funds) to ensure that they are consistent with the business’s knowledge and expectations of the customer.
Enhanced due diligence and ongoing monitoring involve checks on customers and situations which are considered to be higher risk, for example:
- Gathering additional evidence and/or verification of customers’ identity.
- Checks on the source of funds and/or source of wealth.
- Obtaining management approval to continue with the transaction.
The basic principle is that the higher the risk, the more verification of identity and scrutiny of transactions is required to mitigate the risk of the business being used for money laundering or terrorist financing (ML/TF) activity, detect suspicious activity, and hold sufficient information to assist law enforcement in any subsequent investigations.
Accordingly, where a transaction carries a low risk of ML/TF activity, simplified due diligence measures can be applied, where a business can adjust the extent, timing, or type of its CDD measures, provided it still carries out sufficient monitoring to be able to detect any unusual or suspicious transactions.
Whilst a business can take a risk-based approach to due diligence, it must be able to demonstrate that the extent of its measures is appropriate in view of the risks of ML/TF, as required by regulation 28(16). It is therefore important that you test CDD measures alongside the risk assessment carried out under regulation 18 – see ECSH33205 for more information.
As you can see, due diligence is much more than simply photocopying an individual’s identity document. What may be appropriate for one customer may not be for another; therefore a business cannot apply a “one size fits all” approach.
You must refer to the specific anti-money laundering (AML) guidance for each sector on GOV.UK, which explains the requirements associated with the supervised activity carried out by the business.
General guidance is also provided in “Your responsibilities under money laundering supervision” on GOV.UK.
You may also need to refer to the standards of CDD used across the financial sector in the Joint Money Laundering Steering Group (JMLSG) guidance.