ECSH33345 - Checking customer due diligence: simplified due diligence
Regulation 37 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) sets out that a business can apply simplified due diligence (SDD) where a business relationship or transaction represents a low risk of money laundering or terrorist financing (ML/TF).
SDD means the customer due diligence (CDD) measures applied by the business can be reduced. The business must still take appropriate steps to identify and verify its customer; however, it can adjust when CDD is done, how much is done, and the type of measures taken.
When assessing whether there is a low risk of ML/TF in a particular situation, and whether it is appropriate to apply SDD measures, the business must take into account:
- its risk assessment under regulation 18(1)
- relevant information made available to it under regulations 17(9) and 47 (in other words, guidance and risk information published by HMRC); and
- lower risk factors in relation to its customers, geographic areas, products and services and so on, set out in regulation 37(3).
Regulation 37(3) sets out the considerations for lower risk situations which you must read in full. You should also follow the guidance in the Relevant Requirements for regulation 37.
By way of example, types of customers that may indicate lower risk include:
- a public authority or publicly owned body in the UK (for example government departments, local authorities)
- a financial institution that is subject to anti-money laundering supervision in the UK/equivalent regulation in another country (for example banks and building societies)
- a company whose securities are listed on a regulated market (for example, businesses on the London Stock Exchange)
- customers based in a country which has effective systems to counter ML/TF, has low levels of corruption or other criminal activity, such as terrorism, money laundering and the production and supply of illicit drugs, or
- a country which, on the basis of credible sources, such as evaluations, detailed assessment reports or published follow-up reports published by the Financial Action Task Force, the International Monetary Fund, the World Bank, the Organisation for Economic Co-operation and Development or other international bodies or non-governmental organisations.
When SDD may be appropriate
The business should be able to explain to you when it applies SDD measures, which should be set out in its policies, controls and procedures (PCPs) documents. You should refer to these to establish whether the business is doing what it says it does.
You should check whether SDD has been applied in appropriate situations by asking to review customers on whom SDD has been carried out. As set out at the top of this page, we would not expect to see SDD carried out where information suggests there is a risk of ML/TF, and you will need to review these records to confirm the measures are appropriate. In particular, make sure that there are no factors which require enhanced due diligence (EDD), for example where the customer is established in a high-risk third country or is a politically exposed person.
You must confirm that the business is still complying with the requirements of regulation 28 and regulation 30A of MLR 2017 but has adjusted the extent, timing, or type of due diligence it carries out.
If the business has changed from doing CDD to SDD in the relevant period you are testing, you should discuss whether the business decided its initial risk assessment was incorrect and lowered the risk rating for certain types of customers, or whether there have been changes in circumstances, or in the customers' activity, that warrant a change in the level of due diligence. If not, establish why the business has decided to reduce its CDD measures and whether this is appropriate to the risk of ML/TF.
Checking whether the SDD measures are appropriate
To check the business has complied with the requirements of SDD, you should follow the guidance for confirming CDD measures are appropriate. You should ascertain which CDD measures it has reduced and discuss the following topics with the business.
Identification and verification
Has the business identified and verified the customer?
Where applicable, has the business verified the identity of anyone acting on behalf of the customer and taken reasonable measures to verify the beneficial owners’ identity?
You should establish:
- what records have been used to verify the customer and any beneficial owner?
- has at least one authoritative document been used that shows the person's name and (at least) either their address or date of birth, contains security features that prevent tampering, counterfeiting and forgery, and has been issued by a recognised body with robust identity proofing measures (for example, a passport)?
- when was the customer verification done?
- was it done during the establishment of the business relationship or within a reasonable time frame? See Timing of verification for more information.
This must be assessed on a customer-by-customer basis.
Purpose and intended nature of the business relationship or transaction
Has the business assessed and, where appropriate, obtained information on the purpose and intended nature of the business relationship or occasional transaction? You should establish:
- where did the information and records used to determine the nature or purpose of the business relationship or transaction come from?
- has the business used information it already has?
For example, if the business’s customer is a pension scheme, it can assume what the purpose of that scheme is.
Reporting discrepancies in the register
Where relevant, has the business complied with the requirement to report discrepancies in the registers (regulation 30A) and with the obligations on corporate bodies and trustees?
Monitoring transactions
Has the business monitored transactions within a business relationship to ensure that the activity remains low risk, and that suspicious activity can be identified? You should establish:
- how often is the business conducting transaction monitoring?
- are checks triggered when a reasonable threshold is reached? Does the frequency seem reasonable?
- how often is customer due diligence reviewed? For example, when a change occurs. Does this seem reasonable?
- what evidence is there of ongoing monitoring (if it is part of a business relationship), is it in line with the business’s risk assessment?
Breaches
Where you establish that the business has not applied SDD appropriately, you should tell the business that there is a breach of regulation 37 of MLR 2017 and direct it to guidance to correct this. For guidance on specific breaches, see ECSH 33395 Specific breaches of customer due diligence.
Case study
You are checking the compliance of a trust or company service provider (TCSP) providing a virtual office service. You have selected a business relationship to test and established that the business does not know the owners of the customer, that the customer is not local to the business, and that the customer does not regularly collect its post. The TCSP has rated the risk as 'low' and applied SDD to this customer. Because HMRC's "Understanding risks and taking action" guidance for the TCSP sector identifies these circumstances as indicators of higher risk, you establish that the business has not appropriately taken account of the risk information made available to it. You will also need to check whether there are associated breaches, such as a breach of regulation 18(1) for failing to identify and assess this risk in its risk assessment.