ECSH33320 - Checking customer due diligence: what due diligence measures are required

What customer due diligence measures are required

Once you have confirmed when a business is required to conduct customer due diligence (CDD) under regulation 27 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) , you can then turn to the CDD measures it must carry out under Regulation 28. 

The first part you need to consider is regulation 28(2), which is in 3 distinct parts, namely:

• Has the customer been identified? (Who is the customer?)
• Has their identity been verified by way of documents to confirm that the customer is who they say they are? and
• Has the business assessed the purpose and intended nature of the business relationship or transaction?

You should then check who the business is required to conduct CDD measures on.

To determine who the business must have applied CDD measures to, you must ensure you understand the customer relationship before you can begin to test the business’s CDD procedures and review documents. You may consider asking:

• Who is the customer? What is the name of the person it regularly deals with?
• What type of entity are they? Are they an individual, corporation, trust, or other entity?
• What type of relationships do they have - occasional transaction or business relationship?
• Who is benefitting from the transaction? Who is the ultimate beneficial owner of the transaction? For example, an estate, corporation, or number of individuals?
• Who is the business in communication with throughout the transaction or when establishing a business relationship? For example, are there third parties acting on the customer’s behalf?

You should always discuss these points before asking to see records of verification. This will demonstrate if the checks match the information provided.

Please read this guidance in conjunction with the relevant requirements section.

 

Customers

You must check if the business has identified and verified its customers and how it does so. This should be explained in the business’s policies, controls and procedures (PCPs).

Ask the business who it considers its customer to be. You will need to verify this by looking at who is shown as the customer in the business’s records, for example on the invoice for goods or services supplied.

If you are conducting a check on a business who acts as an intermediary in a transaction, for example an auctioneer, you will need to confirm that they are required to identify and verify the customers on both sides of the transaction, the buyer and the seller. Another example is where you are conducting a compliance check on a letting agency business, if the transaction is in scope, then you must check that the business has identified and verified the person who owns the land being let, and the person who is renting the land. For an auctioneer who is also a high value dealer, if cash is received from the buyer and paid directly to the seller, both parties will need to be identified and verified.

Ensure you check the sector guidance published on GOV.UK which is relevant to the business, to determine who the business needs to conduct CDD on in each specific scenario.

Note a customer may be an individual (natural person) or an entity such as a company, partnership, trust or other legal persons and the business is required to take certain measures for each of these.

Section 5 of Part I of the Joint Money Laundering Steering Group guidance gives full guidance on the application of CDD measures and you should consider this guidance when determining whether the measures taken by the business are appropriate.

Customer is an individual

The business must identify and verify the customer. You should check that as per HMRC’s guidance, it has obtained their:

• Given and family name.
• Date of birth or residential address.

HMRC guidance states this is as a minimum.

As shown in JMLSG guidance, where the customer is a private individual, the customer is the beneficial owner, unless there are features of the transaction that indicate otherwise. You should establish if there are multiple individuals for one transaction or business relationship, and whether the business has done checks on any co-owners. This is because the transaction is being carried out on their behalf, or they benefit from the transaction. For example, for a compliance check to an estate agency business (EAB), you will need to check if the business has identified if there are multiple owners of a property being sold (often done by checking the Land Registry), and has verified the identity of each of those co-owners, even if the business tells you it is just one of the owners it has mainly been in contact with.

 

Customer is a body corporate

 When the customer is a body corporate, it must be able to demonstrate that it has:

• Identified and verified the customer, for example, the company itself.
• Obtained and verified its name.
• Obtained and verified its company number or other registration number.
• Obtained and verified the address of its registered office, and if different, its principal place of business.
• Taken reasonable measures to determine and verify the law to which it is subject.
• Taken reasonable measures to determine and verify the full names of the board of directors (or if there is no board, the members of the equivalent management body).
• Taken reasonable measures to understand the ownership and control structure of that entity.
• Taken the required measures on any beneficial owners (see below). This is because the transaction is being carried out on their behalf, or they benefit from the transaction.

 

Customer is a legal person, trust, company, foundation or similar legal arrangement

When the customer is a legal person, trust, company, foundation or similar legal arrangement, you should establish whether the business has:

• Identified and verified the customer, for example, the trust or charity itself.
• Taken reasonable measures to understand the ownership and control structure of that entity.
• Taken the required measures on any beneficial owners (see below). This is because the transaction is being carried out on their behalf, or they benefit from the transaction.

Case study

You are checking the compliance of a money service business (MSB). The MSB tells you a customer wanted to complete a transaction and provided a bank statement as evidence of source of funds. When you come to review the records, you see the bank statement is in the name of a limited company. The MSB tells you the customer was a director of the business but not a beneficial owner, which it verified by looking at Companies House. You establish that actually, the customer was the limited company, and the director was acting on behalf of the limited company. You then proceed to check that the business performed the correct checks for this type of customer. Without having the discussion with the business AND checking the records, you would not have established the information needed to be able to assess whether the business carried out correct checks for the type of customer.

 

People acting on behalf of the customer

As well as verifying the customer, you must also confirm that the business is verifying the identity of anyone purporting to act on the customer’s behalf in a transaction or business relationship and that they are authorised to act on behalf of the customer. Note, there is an increased risk if someone else is acting on the customer’s behalf because it reduces the business’s exposure to the customer. In some sectors, this is identified as a risk indicator shown in the “Understanding risks and taking action” guidance, so you must check the business has considered this risk in its risk assessment and has procedures to verify the individual and their involvement, particularly if they are paying for the transaction.

For example, the business must have identified and verified the customer, but also a person delivering or sending funds on the customers behalf and verified that they are authorised to act on the customer’s behalf. This should be explained in the business’s PCPs.

You should also understand if the business has considered who they deal with in their customer’s business and whether they are authorised to carry out the transaction. For example, the business may be dealing with a member of staff in the customers organisation rather than a director or beneficial owner - did it confirm the individual's role and carry out any checks to confirm that they had the authority to complete the transaction on behalf of the company? Have there been any changes to payment instructions which could indicate payment diversion fraud (see the National Crime Agency briefing for more details).

You will need to question the business on who it dealt with to establish the transaction or business relationship. You will need to check where the money came from for the transaction and if it was paid for by bank transfer or card payment, whose name the account was in; the customer’s name, or a third party.

Case study 1

You are conducting a check on an estate agency business (EAB), and the business has sold a property where the beneficial owner of the property has deceased. You see the business has obtained a copy of the death certificate, understood the grant of probate, and last Will and testament. This is so it can identify who the beneficiaries are, or the executor and any third parties acting on their behalf. You establish that a solicitor is acting on the customer’s (the estate) behalf to arrange for the property to be marketed, so the EAB would need to identify and verify the solicitor, as they are a third party acting on the customer’s behalf.

Case study 2

You are conducting a check on an art market participant (AMP). The AMP’s records show it has sold a painting to an individual. However, whilst reviewing supporting records including the business’s bank statements, you establish that the AMP received the full payment for the painting from a third party which was a limited company. The AMP carried out checks to identify and verify this third party, as they were the ones who paid on behalf of the individual. It is necessary for the AMP to understand why the payment was received from a third party and verify with their customer that they were authorised to act on their behalf.

 

Beneficial owners (BO)

Where there are BOs of a customer, you should establish whether the business has:

• Identified the beneficial owner - may be one or multiple people and can be individual(s) or entities/trusts or similar.
• Taken reasonable measures to verify the identity of the beneficial owner.

You should also understand if the business has established who they are dealing with in their customer’s business, whether there are additional or hidden BOs. Control may be hidden using formal nominees (such as nominee directors) or informal nominees (such as spouses, relatives or associates who do not appear to be involved in the running of the business).

 

BO of a body corporate and partnership

You must read the definition of beneficial owner in regulation 5 of MLR 2017.

An example of a BO in a body corporate is a majority shareholder, so you will need to check if the business has identified the shareholders and then applied CDD measures to anyone with more than 25% of the shares. Note it is “more than” 25%, so holding exactly 25% or under does not make someone a BO.

Where it is more difficult to determine who the BOs are, such as if there are no shares issued, you will need to consider if the business has taken reasonable measures to understand the ownership and control structure. Use the 5WH (who, what, when, why, where, and how) to aid you in questioning the business regarding how it determined beneficial ownership.

Examples of someone who has control are when the person:

• Holds the right, directly or indirectly, to appoint or remove a majority of the board of directors of the company.
• Has the right to exercise, or actually exercises, significant influence or control over the company.

For guidance on checking whether the CDD measures are appropriate for the BOs, see -ECSH33328 Customers that are a body corporate.

 

BO of a trust or similar arrangement and other

The meaning of BO in relation to trusts, similar arrangements and others is defined in regulation 6 of MLR 2017. This consists of:

• The settlor (the person who puts assets into a trust).
• The trustee(s) (the person(s) who manages the trust - can be a natural person or a corporate body).
• The beneficiaries (the person(s) who benefits from the trust; trustees can also be beneficiaries).
• The individuals (or some of the individuals) benefiting from the trust who have not been determined, the ‘class of persons’ in whose main interest the trust is set up or operates (this describes a group of individuals who are not yet known or named individually in the trust deed, for example, ‘future grandchildren’ or ‘employees of company XYZ’ and can also include named potential beneficiaries).
• Any individual who has control over the trust - control can be exercisable alone, jointly with another person or with the consent of another person. It means that for example, they can add or remove a person as a beneficiary, appoint or remove trustees, or dispose of trust property (the full list can be read in regulation 6).

For guidance on checking whether the CDD measures are appropriate for the BO’s, see ECSH 33329 Customers that are a trust or other legal person.

 

Customers beneficially owned by other entities

You may find that the business’s customer is an entity, for example a subsidiary company, beneficially owned by another company (called the parent or holding company), which in turn is owned by another company and so on. As required by regulation 28(4)(c) of MLR 2017, where the customer is beneficially owned by another person, and that BO is a legal person, trust, company, foundation or similar legal arrangement, the business must take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.

You should establish whether the business has understood the control structure until it reaches an ultimate beneficial owner (UBO), who is a natural person (human being). You must then check whether they have carried out CDD on them to prove if they exist and are who they claim to be see ECSH33328 Customers that are a corporate body or partnership and ECSH33329 Customers that are a trust or other legal person.

Once you have determined on whom the business was required to do CDD, you need to consider whether the extent of the CDD was appropriate, in that the business has taken adequate measures to identify and verify these persons.

If the business is unable to carry out its CDD measures it must not establish a business relationship or carry out a transaction with the customer and must terminate any existing business relationship with the customer - see ECSH33390 Requirement to cease transactions for further information.