ECSH33325 - Testing customer due diligence: confirming customer due diligence measures are appropriate
Regulation 28(16) of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) requires the business to demonstrate that the extent of the customer due diligence (CDD) measures it has taken are appropriate in view of the risks of money laundering and terrorist financing (ML/TF), including risks identified:
- in its risk assessment under regulation 18(1) MLR 2017
- by its supervisory authority and in information made available to the business under regulation 17(9) MLR 2017 (the “Understanding risks and taking action” material) and regulation 47 MLR 2017 (anti-money laundering (AML) guidance), shown under the heading “Guidance for specific business types” on GOV.UK.
You must therefore refer to this information when testing CDD measures, to establish whether any of the identified risks are present and to confirm that the measures taken follow the published guidance.
You must first confirm that the business was required to carry out CDD under regulation 27 MLR 2017.
You will then have established who the business is required to conduct CDD on – see ECSH33320.
Having understood this, you should turn to checking whether the business can demonstrate to you that the CDD measures it took are appropriate in view of the risks of ML/TF. To be able to test this, you must have a good understanding of the risks the business faces. You should do this by reading:
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
- sector specific guidance;
- the National Risk Assessment of Money Laundering and Terrorist Financing;
- other publications, such as topics published by the Financial Action Task Force or the National Crime Agency.
You will need to test whether the business has identified and verified its customer, anyone acting on behalf of the customer, and any beneficial owner (BO) of the customer and therefore knows who its customer is.
Risk based approach
There is no ‘one size fits all’ approach to CDD. You must consider each customer against the factors the business considered in its risk assessment, such as the type and value of goods or services provided, where the customer is based, and so on. You must review what the business has done in conjunction with its policies, controls and procedures (PCPs) and the sector specific guidance. For example, a business may carry out additional CDD where services are provided at a distance, such as digitally through apps, as opposed to goods delivered face to face.
The extent of the CDD checks should depend on the level of risk associated with a particular customer and/or transaction. You should question how the business established the level of CDD needed. For example, in its business wide risk assessment it may categorise its customers as high, medium and low risk, with the CDD measures for each category set out in its PCPs. When considering the measures taken on a particular customer, you must confirm that the risk category is correct and that there are no additional risks present. Where you find a risk that the business has not accounted for, this may indicate that the business has failed to appropriately identify and assess a risk under regulation 18(1).
You do this by carrying out your own open-source checks on the customer, for example checking that they are not a designated person subject to sanctions or a politically exposed person, and that there is no adverse media linking the company or individual to fraud, money laundering or terrorist financing.
For example, a business states in its risk assessment that all customers are low risk geographically, but your records testing shows there are customers from high-risk third countries, which you identified by checking the Financial Action Task Force lists.
You will then need to confirm that the business followed its PCPs when carrying out CDD checks on customers at the associated risk level.
For example, an estate agency business may rate individual customers based on their geographic location - from the local area as low risk, from other parts of the UK as medium risk, and customers from abroad as high risk. It may set out in its PCPs the different levels of CDD checks to be applied depending on these risk ratings.
When you test the CDD measures, you should establish whether the checks set out in the PCPs have been carried out in practice and whether any additional measures taken mitigate the risks.
If not, you will need to discuss with the business what went wrong, whether the business knew of these failings and who was responsible for ensuring the PCPs were followed. There is likely to be a corresponding breach of either regulation 18, where a risk has not been identified or has been assessed incorrectly, or regulation 19, where procedures and controls are ineffective or have not been followed.
For standard CDD, the business should tell you how its PCPs mitigate the risks it has identified, taking into account the degree of discretion permitted when following a risk-based approach, as set out in regulation 46 MLR 2017. For example, there may be customers who are unable to meet the business’s CDD standards of verification due to a lack of photographic ID, so it is important to understand how the business counters this. This contrasts with enhanced due diligence (EDD), where the measures to be taken are more prescriptive.
Consider what the requirements for CDD are, as described in the sector guidance published on GOV.UK. The sector guidance explains which requirements are mandatory for the business (“must do”) and which are recommendations (“should do”). If you are unsure whether any checks the business has carried out meet the requirements of the MLR 2017, you should refer to the Joint Money Laundering Steering Group (JMLSG) guidance and seek additional support where necessary.
There are some common documents and information you might come across when reviewing CDD undertaken by a business such as ID documents, electronic verification, and source of funds. For guidance on reviewing the documents that may be used, see ECSH33355.
Understanding business systems
You must get the business to ‘walkthrough’ the CDD process with you for at least one transaction, from beginning to end, to ensure you understand the records created and the systems used, from receipt of a customer’s instruction to payment for completion of the transaction or service. Where you are conducting desk-based checks, you can achieve this by asking the business to provide screenshots of the systems used. This allows you to visualise both the customer and staff member’s journey when completing a transaction and understand the CDD checks performed.
Where there are controls built into systems, the walkthrough allows you to see these controls in action. Ask the business to show you any control mechanisms to halt transactions and/or flag the transaction for further scrutiny. This may be senior manager approval or other compliance functions, depending on the size of the business. This may also link to an internal suspicious activity report (SAR) or submission of a Defence Against Money Laundering (DAML) SAR - see ECSH33600 Checking internal reporting and suspicious activity reports for more information.
Establishing the facts
If a business states it has not carried out any CDD, you need to ask follow-up questions to clarify this. The business may have done some checks on the customer but may not be familiar with the terminology, or may have misheard or misinterpreted your question. This is particularly common in newly registered businesses.
For example, you should establish:
- who the business dealt with, and what conversations were held with the customer, in person or over the phone
- whether the business has completed any background research on the customer, for example checked the customer’s website, carried out open-source checks, checked Companies House, obtained credit checks or references, or verified a VAT registration number or equivalent
- whether any visits have been carried out to the customer’s home address or trading premises, or whether goods are regularly delivered there.
Businesses will usually carry out some due diligence on new business relationships which may identify and verify some of the information required under MLR 2017.
Similarly, if a business has not carried out a required check, you must establish why not. Is the check included in the business's PCP documents? If so, why have the PCPs not been followed? Were there particular circumstances surrounding the customer which need to be considered? If a member of staff dealt with the customer, were they appropriately trained?
This will help you determine exactly which requirement of MLR 2017 the business has not complied with. For example, if the business says it has seen documents to verify identity but is unable to provide copies, that is a record-keeping breach rather than a failure to carry out CDD.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
Evaluating compliance
To evaluate compliance, you must:
- Check that CDD measures are applied at the right time.
- Assess whether the information the business obtains satisfactorily verifies that customers are who they say they are.
- Confirm that reasonable measures have been taken to identify and verify beneficial owners – see information in ECSH33328, customers that are a body corporate and ECSH33329, customers that are a trust or other legal person.
- Ensure that the purpose and intended nature of business relationships are considered.
- Check that EDD is carried out for high-risk situations.
- Check that transactions are scrutinised in a risk-sensitive way rather than a tick-box approach.
- Confirm that the business recognises when there are reasonable grounds for suspicion of money laundering or terrorist financing – see ECSH33400 Checking internal controls and compliance monitoring for information.
Ultimately, you are assessing whether the CDD measures taken confirm that the customer is who they say they are and is not using the business to launder money or finance terrorism. If the business is unable to demonstrate to you that the extent of the measures it has taken is appropriate, you must explain why the procedures do not satisfy the requirements and point the business to the relevant guidance to support it.