ECSH33329 - Testing customer due diligence: customers that are a trust or other legal person
Regulation 28(3A) of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) sets out that, where the customer is a legal person, trust, company, foundation or similar legal arrangement the relevant person must take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.
You must check the business is complying with the measures set out inECSH33320.
A legal person is an entity or body which has an existence separate and distinct from the persons (legal or natural) comprising that entity or body, such as corporate bodies or Scottish partnerships.
Trusts are a way of managing assets (money, investments, land, or buildings) for people. However, they can be used to create complex structures which increase the difficulty of identifying individuals if they are being used for illicit purposes and can provide anonymity. There are different types of trusts. You can find more general information on trusts on GOV.UK.
Checking how the business is meeting the requirements
When confirming whether the business has taken appropriate measures when conducting customer due diligence (CDD), the first thing to consider is what risks the business has identified for these types of customers and how it has assessed these risks – see the general guidance in ECSH33325.You should check what the business states it does as part of its policies, controls, and procedures (PCPs) in relation to CDD measures for these customers, and make sure it has followed them.
You should ask the business how it has identified and verified the information it is required to and then see evidence of these checks.
Part of the required beneficial ownership checks is to establish who has control over a trust. These are explained in regulation 6 MLR 2017. The business will need to have reviewed the deed of trust (or equivalent constitutive documents), and you should see evidence of them checking this to establish the purpose and structure of the trust, and details of the parties involved.
If there are complex or opaque structures, you need to understand if the business has satisfied itself why these structures are being used, and what evidence it has taken.
You should establish if the business has considered whether the person identified as the beneficial owner (BO) has control over the entity:
- Does the person identified as the BO have ownership, voting rights or control rights in the legal person, so that they meet the definition of a BO in regulations 5 and 6 of MLR 2017?
- Is the person actually exercising the rights associated with the level of ownership and/or control in practice in their own name, or is the person exercising those rights under instruction from, or by agreement with, an undisclosed third party?
You should be aware there are obligations on trustees to assist a business in identifying BOs (the settlor(s), beneficiaries, trustees and any individual who has control over a trust) and any other person that may benefit (the beneficiaries) and the business can request that the customer provides them with information as required by regulation 44 MLR 2017. See ECSH33385 on requirement to report discrepancies in registers and obligations on corporate bodies and trustees for details.
You should expect to see the business has:
- Conducted the necessary checks on all beneficial owners, including taking reasonable measures to verify the trustee(s).
- Obtained documents showing that they have the authority to act for the trust.
- Conducted checks to verify that they are a trustee.
- Reviewed the terms of a trust, as it may be that there may be multiple trustees which are all required to consent to one of them taking an action.
You also need to establish whether there is someone acting on behalf of a trust. If so, you should see evidence that the business has conducted CDD on them.
You may find that the business’s customer is a trust, beneficially owned by another entity, which in turn can be owned by another entity and so on. The business needs to understand the control structure until it reaches an ultimate beneficial owner (UBO), who is a natural person, in other words a human being, and carry out CDD on them.
Where the BO is a ‘class of persons’ you should check whether the business has ascertained and named the scope of the class (for example, the employees of XZY Ltd), not necessarily identified every individual member of the class (for example, the name of all 100 of the employees of XZY Ltd).
For partnerships, follow the guidance for body corporates to establish the beneficial owner/s, as set out in regulation 5.
Reasonable measures
Where MLR 2017 allows the business to take “reasonable measures,” you will need to consider if these are indeed reasonable. You should consider whether the business has conducted the checks:
- ssing a risk-based approach;
- In a way that is proportionate and effective to mitigate any identified money laundering or terrorist financing risks;
- and evidenced the extent it has tried to obtain the information and verification.
For example, if the business could not verify certain pieces of required information using a reliable source which is independent of the person whose identity is being verified, it may have used another source which was not independent, such as information provided by the customer. Consider whether it could have verified the information in another way that the business did not do. You would have to consider on a customer-by-customer basis whether this would constitute reasonable measures.
Requirement to report discrepancies in registers
If the business has an ongoing relationship with customers who are a certain type of entity, which includes trusts, you need to understand whether and how the business is meeting its requirements to report discrepancies in beneficial owners as required by regulation 30A of MLR 2017. See ECSH33385 on requirement to report discrepancies in registers and obligations on corporate bodies and trustees for more information.
Breaches
Where you establish that the business has not taken appropriate measures, you should tell the business that there is a breach of regulation 28 MLR 2017 and direct it to guidance to correct this.