ECSH33310 - Testing customer due diligence: when customer due diligence is required

You must establish when a business needs to apply customer due diligence (CDD) measures, as required by regulation 27 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). This is when:

  • A business relationship is established.
  • Money laundering or terrorist financing (ML/TF) is suspected.
  • There are doubts about a customer’s ID or information already provided.
  • It is necessary for existing customers, for example if their circumstances change.
  • An occasional transaction is carried out.

You will need to use your understanding of the business activities, your review of its risk assessment, its policies, controls and procedures (PCPs), and the topics discussed throughout your intervention to help you decide if the business should have conducted CDD. Use the guidance below and in ECSH 63465 Regulation 27 – Customer due diligence.

In addition to the above bullet points, there are specific criteria for high value dealers, letting agency businesses, and art market participants.

For high value dealers (HVD), regulation 27(3) and (4) apply.

See ECSH33312 Occasional transactions and sector specific information in ECSH51500.


Letting agency business (LAB) – regulation 27(7A) applies

A LAB must apply CDD measures in relation to any transaction which consists of the conclusion of an agreement for the letting of land:

  • For a term of a month or more, and
  • At a rent which during at least part of the term is, or is equivalent to, a monthly rent of 10,000 euros or more.

The LAB must apply CDD measures to both the person who is letting the land and the person who is renting it.

To test whether the LAB is carrying out CDD measures correctly, you should ask the business to provide a full list of rental agreements for the relevant period you want to test. To take account of fluctuating exchange rates, you can then remove any transactions below £8,500 as a starting point for testing.


Art market participants (AMP) – regulation 27(7C) applies

An AMP must apply CDD measures in relation to any trade in a work of art, when it carries out, or acts as an intermediary in, any transaction, or series of linked transactions, whose value amounts to 10,000 euros or more.

An AMP must also apply CDD measures in relation to the storage of a work of art when it is the operator of a freeport and the value of the works of art so stored for a person, or series of linked persons, amounts to 10,000 euros or more.

For more guidance on when a transaction would be out of scope, see ECSH33315.


Money laundering or terrorist financing is suspected

If the business suspects money laundering or terrorist financing, it must carry out CDD measures to be able to raise a suspicious activity report (SAR).


There are doubts about a customer’s ID or information already provided

A business must apply CDD in these circumstances. For example, a business recognises a customer has carried out previous transactions, which do not require CDD measures. The business asked the customer their name and the purpose of the transaction and recalls the customer had said that they lived out of town but were in the area for work. In the second instance, the customer gave a different name and said that they were visiting the area for a week on holiday. The inconsistency in the information provided by the customer should prompt the business to apply its CDD measures under regulation 27(1)(d) and consider whether it should submit a SAR.


At other times based on a risk-based approach

A business must apply CDD when becoming aware of a change of circumstances of an existing customer that affects the risk associated with that customer, as required by regulation 27(8). Regulation 27(9) sets out what must be considered (see ECSH33375 Ongoing monitoring). See the Existing Customers section starting at paragraph 5.3.17 of JMLSG.

There is a requirement on UK body corporates to inform the business of changes to its information (such as a change of name, address, directors or beneficial owners) which should trigger a review under regulation 27(8). See regulation 43 of MLR 2017 for details.

You should check whether the business has PCPs detailing what to do in all the above scenarios, and then question if it has come across these scenarios, to test that it applied CDD measures at the correct time. Use the 5WH (who, what, when, why, where, and how) to aid you in questioning the business on this topic.


Where CDD has not been carried out

To help you decide if there has been a breach of regulation 27, consider if the business conducted CDD when required to do so. If it didn’t, you must establish how the breach occurred, in order to consider whether the business has taken reasonable steps to comply – see ECSH34005.

If it has not taken reasonable steps, you will need to consider what Sanction/s are appropriate. You must clearly set out when the business was required to carry out CDD under regulation 27 when writing your Table of Failures.

If the CDD measures taken do not meet the requirements set out in regulation 28, see ECSH33325.

If CDD has been carried out, but verification was not done at the correct time, see ECSH33385 Timing of verification.

If you have identified situations where you suspect ML/TF which should prompt CDD, but where it has not been done, you should consider:

  • Has the business assessed these risks in the first place? - If not, has this led to a breach of regulation 27?
  • Has the business identified the risk since, by reviewing cases and management information?
  • Has it subsequently now identified and assessed the risks so that the same breaches do not appear in the future? - If not, why?
  • Are the risk management systems and internal controls sufficiently identifying instances where there may be a risk which it was not aware of?
  • Has this prompted a review of its risk assessment under regulation 18? – see ECSH33205 Checking risk assessment and management.