ECSH33335 - Checking customer due diligence: enhanced due diligence

Introduction

Where there are high-risk factors of money laundering and terrorist financing (ML/TF) present, the business must carry out enhanced customer due diligence (EDD) in addition to the customer due diligence (CDD) measures required by regulation 28 – see ECSH33320.

The EDD measures are set out in regulation 33 to 36 (Part 3, Chapter 2) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

This page sets out the general guidance in relation to EDD. There is also further guidance in relation to the specific measures required for:

Whilst it is for the business to decide how it applies the additional measures in order to mitigate higher-risk transactions, you must ensure that additional checks are carried out and meet the requirements of MLR 2017. You must also bear in mind regulation 33(7), which states that the presence of one or more risk factors may not always indicate that there is a high risk of money laundering or terrorist financing in a particular situation. For example, if considering regulation 33(6)(a)(v), it may be normal for the customer to be cash intensive due to the nature of its business activities.

It is important to ensure the business understands the risk, can explain the EDD measures it has in place and how these additional checks mitigate the risk of ML/TF. For example, a high value dealer (HVD) may recognise that cash payments carry a high risk of money laundering. It therefore sets out that EDD will be carried out on all cash payments it receives over the value of £20,000 and that one of the checks is to ask customers to provide evidence of the source of funds, by obtaining a copy of a bank statement. However, if the bank statement provided doesn’t show the origins of the funds in the account, this measure doesn’t mitigate the risk and further checks would be needed. Practical questions you should consider are covered under the “What to establish” sections in the guidance on Relevant Requirements. You must also ensure that you read the EDD section within the sector guidance published on GOV.UK so that you can check that the business has followed it.

More information on EDD can be found in paragraphs 5.5.1 to 5.5.12 of Part I of the Joint Money Laundering Steering Group (JMLSG) guidance.

Initial risk and residual risk

It’s important to note that the high-risk factors refer to the initial risk rating, not the residual risk (the risk remaining after controls have been applied). Remember, when determining the level of risk, a business should consider the probability and impact (the likelihood of the risk occurring and the impact if it were to happen). It will then design controls to reduce the risks it has identified and assessed. For example, an art market participant (AMP) has customers based in a high-risk third country. It therefore assesses its geographical risk as high. However, due to its EDD procedures, which involve fully understanding the nature of its customers’ business, ownership and financial situation (including source of funds), the risks are mitigated, and the customers’ residual risk is assessed as low. In contrast, a business may still consider a particular customer’s residual risk to be high, and therefore will monitor this customer more closely than another. Make sure you discuss this with the business to ensure that you fully understand how its risk scoring works.

What can EDD include?

If EDD is required, then the business must do more to verify customers’ identity and scrutinise the background and nature of the transactions than it would under standard customer due diligence. How this goes beyond standard due diligence must be made clear in the business’s policies, controls, and procedures.

Depending on the requirements of each case, the EDD measures shown in regulation 33(5) may include:

  • seeking additional independent, reliable sources to verify information provided or made available to the relevant person;
  • taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction;
  • taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship;
  • increasing the monitoring of the business relationship, including greater scrutiny of transactions.

However, regulation 33(5) includes the words “among other things”; therefore this list is not exhaustive, and it is important to understand what other measures the business applies and why. You can find more examples in the following pages.

Please note that a business cannot rely on a third party to conduct EDD on its behalf under a reliance arrangement.

How to test that the EDD measures are appropriate

You must refer to the guidance for Confirming customer due diligence measures are appropriate in addition to the guidance below.

Where the business has not applied any EDD measures, you must establish the reasons for this. You will need to refer to the checks you carried out when establishing risk, procedures, and training. For example, it may be that the business has failed to identify a risk in the first place or has failed to assess it as high risk. If the risk has been identified and assessed as high risk, you will need to confirm that it has policies, controls, and procedures (PCPs) to mitigate and manage the risk to an acceptable level. For example, checking back to the business’s PCPs may highlight that EDD procedures are ineffective or that there are no procedures at all, or that procedures haven’t been followed and controls to prevent this are missing. The lack of EDD measures may indicate a staff training issue which would need to be explored further, for example by identifying which member of staff failed to identify that the transaction required EDD, confirming when they were last trained and/or establishing why the training wasn’t effective.

So, alongside breaches of regulation 33 for the specific customers on which EDD measures were not applied, you will also need to consider breaches of the fundamental requirements under regulations 18 to 24.

If the business has applied EDD measures, you should check what has been applied on a customer-by-customer basis, as the circumstances and risks surrounding each customer will be different. The business must take a risk-based approach, and you must assess whether the checks carried out do actually mitigate the risk. You will need to establish the reasons a particular check was performed and what risk it mitigated. For example, in the HVD scenario above, a member of staff may follow procedures to request a copy of a customer’s bank statement to verify source of funds but fail to notice that the customer’s account was credited with an amount matching the funds from a third person. This could indicate that the end customer is not who the business thought it was.

Your questioning may indicate that the business knowingly carried out transactions without carrying out appropriate EDD. Without evidence of this conversation with appropriate people in the business, it is difficult to establish the reasons why PCPs are failing to mitigate high-risk activity. You will need this evidence to consider an appropriate sanction for any breaches identified.

If you are unsure whether the additional measures applied are appropriate, you should seek further support.

Breaches

Where you have established there is a breach of regulation 33, you should tell the business it has failed to carry out appropriate EDD and direct it to guidance to correct this. You must consider which sub-section(s) the business has failed to comply with.

Please see additional guidance on specific breaches of customer due diligence.