ECSH33326 - Testing customer due diligence: identification and verification

Regulation 28(2) of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) sets out that as part of its customer due diligence (CDD) measures, the business must identify the customer and verifythe customer's identity, unless the customer's identity has already been verified by business.

See ECSH33327 for guidance on the requirement to assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or transaction.


What does “identify” mean?

The dictionary meaning of identify is to establish or indicate who or what someone (or something) is. It means gathering unique information to distinguish someone from any other person. In relation to CDD, this means confirming who the transactions and/or business relationships are being conducted on behalf of.

Identification of a customer, beneficial owners and anyone acting on behalf of the customer will vary depending on their “type” or category, for example:

  • Natural person(s). 
  • Legal persons.
  • Body corporates. 
  • Trusts. 
  • Foundations.
  • Other similar legal arrangements.

You must consider who the customer is, so:

  • What is the name of the natural or legal person?
  • What type of entity are they (see the list above)? 
  • Who is benefitting from the transaction? Who is the ultimate beneficial owner of the transaction? For example, for an estate (beneficiaries to a trust), body corporate (shareholders), or a number of legal persons? 
  • Who is the business in communication with throughout the transaction or when establishing a business relationship? For example, are there other parties acting on the customer’s behalf (such as solicitors, agents or members of staff)? 


How to gather the unique information

The methods used to identify the customer will depend on the delivery channels used by the business when providing its products or services, such as:

  • Physical presence – information communicated in person.
  • Digitally verbally – communicated over the phone or communication device.
  • Digitally non-verbally – communicated over an electronic application or IT device, such as by completing an electronic form, or sending an email.
  • Written communication – completing a written referral or paper application form.


Types of unique information

As the unique information to distinguish and differentiate customer, beneficial owners and third parties depends on the type of entity they are, this means that businesses will need to gather different types of information throughout the identification process. For example:

  • Natural person(s) will have a name, date of birth and nationality, along with other unique information, such as a phone number, bank account number and physical characteristics. Not all of these will be required to complete CDD but a combination would usually be needed to distinguish and differentiate them from anyone else.
  • Legal persons will also have a name and an address where they can be contacted, as well as usually having a bank account, phone number, email address, website and may have a unique registration number (URN). Legal persons need natural person/s who are responsible for it (such as boards of directors) as well as owners (such as its members). 
  • Body corporates, similar to legal persons, will have a name, should have a registered office or correspondence address, may have a trading address, are likely to have a bank account, phone number, email address, website and a Company Registration Number (CRN) and date of incorporation shown on Companies House. It will also have natural person(s) who are responsible for and in control of it, such as persons with significant control and both natural and legal persons who own them (known as beneficial owners). Where a body corporate is owned by another body corporate or legal person, it will have a corporate structure to distinguish the information on parents and subsidiaries. 
  • Trusts, similar to legal persons, the unique information to distinguish them will once again differ to that of a natural person and a body corporate. Trusts may or may not have a name, as they are a legal arrangement for managing assets. Trusts are likely to have natural persons who are linked to it in various positions (such as trustees, settlors and beneficiaries). 
  • A foundation will have a council or board of directors associated to it, therefore will have the names of its natural persons in these positions. A foundation may have a legal name (for example where it is established as a charity), or a family name associated to it. Foundations will also have an address for where correspondence will need to be sent.


How to test the business has identified the customer?

To establish whether the business has met the requirement to identify the customer, any beneficial owners, and anyone who purports to act on behalf of the customer, you need to establish: 

  • Who are the individuals or businesses who purchase the goods or services provided by the business? (This is often who the business invoices).
  • Who are the beneficial owners (BO) of the customer where the customers are companies, trusts or other legal entities? See ECSH33320 What customer due diligence measures are required for more information.
  • What information is obtained on customers or potential customers and how are they introduced to the business? 
  • How does the business identify its customers, BO and any third parties acting on behalf of the customer? Is that reflected in its written procedures?
  • Who identifies the customers, BO and any third parties acting on behalf of the customer? 
  • What information is obtained, depending on whether the customer is an individual, company, partnership, other legal entity or third party acting on behalf of the customer? 
  • When is the information obtained?
  • How does the business obtain this information? For example, directly from the customer or online searches. 

You will need to review supporting records (under regulation 40(2)(b))to confirm the persons identified are the same persons who received the goods or services.

For more information, follow the guidance in Section 5 of Part I of the Joint Money Laundering Steering Group guidance. Remember, you may need to refer to older versions of the guidance, to ensure that you are applying the guidance in force at the time of the transaction.

 

What does verify mean?

Verify means to prove that something is accurate and true. Regulation 28(18) of MLR 2017 states that verify means on the basis of documents or information obtained from a reliable source, which is independent of the person whose identity is being verified. It also clarifies that documents issued or made available by an official body (such as a government-issued identity document) are considered to be independent of the person, even if they are provided by, or on behalf of, the person being verified.

Therefore, for the purposes of CDD, the business must demonstrate that the information which has been communicated to them (see above) is accurate and true. You will need to confirm what information has been verified (in relation to the risk it was mitigating), to understand whether the documents and information meets the requirements of regulation 28.

If the business is unable to explain why it has gathered the documents, it is unlikely that it is taking a risk-based approach to CDD.

For example, you may review the CDD measures a trust or company service provider (TCSP) took when establishing a new business relationship. The TCSP explains the customer provided a personal bank statement to verify their address. You notice that the transactional information has been obscured and ask the TCSP who redacted the information. The TCSP confirms that the bank statement was provided by the customer but was only used to verify the customer’s address. Therefore, the redaction is acceptable because the document verifies the address information given verbally by the customer. 

For further guidance on the types of documentary evidence a business may use, see ECSH 33356.


How to test the business has verified the customer?

To establish whether the business has met the requirement to verify the customer, you should establish:

  • How does the business verify the identity of the customers, the BO and any third parties acting on behalf of the customer? Note the business is not required to verify the identity of all the directors of a body corporate.
  • Who performs these checks?
  • What information is verified?
  • What verification documents are obtained for individuals, companies, other legal entities and third parties acting on behalf of the customer?
  • Where are the documents obtained from – are they from the customer or is an independent source used? For example, credit checks, online searches.
  • Are the documents obtained from a reliable source?
  • Does the information that is gathered from the customer match the information from the independent source(s)?
  • How has the business verified that anyone acting on behalf of the customer is authorised to do so? For example, a solicitor acting on behalf of a deceased person’s estate or a corporate travel planner who exchanges currency on behalf of its clients. What evidence does it have of this?
  • Are there any circumstances when further checks are required?
  • Are there any discrepancies to information on BOs? What does the business do when it finds a discrepancy in in the information provided? Has it identified the reason for the discrepancy, to establish what the true information is? Does it ask the customer?Please see further guidance in relation to the requirement to report discrepancies in registers and obligations on corporate bodies and trustees – ECSH33385.
  • If the business states it encountered difficulties in identifying beneficial ownership of a body corporate, what did it do?

The sector guidance published on GOV.UK gives examples of documents and steps businesses can take to verify customers. You must check the business has followed this guidance.

There is further information on how to prove and verify identity on GOV.UK, including how to assess the validity of a document. 

 

Breaches

Where you establish that the business has not identified or verified a customer, you should tell the business that there is a breach of regulation 28 MLR 2017 and direct it to guidance to correct this.