ECSH33375 - Checking customer due diligence: ongoing monitoring
Introduction
Ongoing monitoring is set out in regulation 28(11) of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and involves:
- scrutiny of transactions undertaken throughout the course of the business relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person's knowledge of the customer, the customer's business and risk profile
- undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence (CDD) measures up-to-date
You should be aware that ongoing monitoring only applies where there is a business relationship as defined in regulation 4 of MLR 2017 and described in ECSH 63190 Regulation 4 - Meaning of business relationship. It is vital to confirm and gather evidence on whether the business establishes business relationships with its customers, as opposed to other situations which require CDD under regulation 27.
CDD checks carried out at the start of the business relationship only gather information at a fixed point in time, and things change. It is important that the business can demonstrate that it monitors transactions and the records it holds, so it has an up-to-date picture of its customer and the risk it poses. Any changes to customer behaviour and/or people running the business should trigger a review of CDD, so that the business knows who it is dealing with and can effectively mitigate the risk of it being used for money laundering and terrorist financing.
Ongoing monitoring does not apply to occasional transactions (although there may be times when CDD becomes out of date before a transaction is completed). For example, where there is an indication that the identity of the customer’s beneficial owner (BO) has changed, you should check that the business verified the identity of the new BO before continuing with the transaction (for more instances see regulation 27(9)).
Risk assessment and policies, controls and procedures (PCPs)
You should establish how the business has considered the level of ongoing monitoring that is needed in line with its risk assessment. This may be different from customer to customer.
A review of the business’s PCPs should explain how and when it conducts ongoing monitoring of transactions and customers. As part of your records testing, you should see evidence of ongoing monitoring checks, summarised below.
If it is not mentioned in the PCPs, you will need to discuss ongoing monitoring with the business to establish what the business’s PCPs are, and then consider whether there is a breach of regulation 19(1)(c). However, please remember, if the business does not establish a business relationship with its customers, there is no requirement to carry out ongoing monitoring.
Scrutiny of transactions
To establish whether the extent of the measures is appropriate, you should ask the business when and how it scrutinises transactions, who has responsibility for monitoring transactions and what steps are carried out as a result.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
Where applicable, you may need to ask to see:
- changes to risk assessments over time
- reviews of source of funds – consider what the business established in the first instance, and whether there were any transactions inconsistent with the identified source of funds
- suspicious activity reports (SARs) generated as a result of transaction monitoring
You should be aware that in an ongoing business relationship, the business is not required to keep supporting transaction records for more than 10 years, so you will need to consider the relevant period you are asking to see records for.
Case studies
Case study 1
An accountancy service provider (ASP) tells you that a customer who does not operate a cash intensive business changed from paying its fees by bank transfer to paying its fees in cash. You establish this change prompted the ASP to ask for information regarding the change and where the cash was coming from. The customer provided an explanation regarding the source of funds and explained to the ASP that his bank had recently started charging him to deposit cash, which was affecting his profit margins. The ASP confirmed that nothing else had changed in the customer’s business from the records provided by the customer, and therefore accepted this explanation. The ASP shows you that its risk assessment was updated to reflect the receipt of cash. You conclude that the ASP has conducted appropriate ongoing monitoring.
Case study 2
During CDD testing at a money service business (MSB) transmitting money, you select a customer and ask to see their transaction history. You notice that the customer regularly sends money to a family member, although the transactions are always below £500. However, you notice some recent transactions which are considerably larger than normal. You ask the MSB about these transactions, and it explains that the customer has sold his property in the UK and is in the process of buying a property abroad. The MSB obtained a letter from a solicitor and a bank statement confirming that the sale had occurred, to verify the information and source of funds. The MSB also asked the customer to provide an up-to-date residential address and documents to verify he lived there, as it recognised that the customer no longer lived at the property recorded on its system. You conclude that the MSB conducted appropriate ongoing monitoring.
Case study 3
You are working on the compliance check of a high value dealer (HVD) who is a wholesaler. The sales director explains that a customer account is set up on its computerised accounts system and they carry out a credit check to consider the customer’s initial credit limit. You ask how the business monitors the customer’s transactions. The accounts clerk demonstrates to you that each time the customer carries out a transaction, the system records the spend and the method of payment. The accounts team check that ID is held before accepting any cash payments exceeding £7,000. The system also analyses a customer’s monthly spend and creates alerts for increases above 20% in total monthly spending. The finance director explains that this alerts him to review patterns of spending, and to review the customer’s credit limit. You select one customer account and notice the customer had similar monthly spends for seven months and then the monthly spend trebled for the next three months. You ask the finance director if the business questioned the customer about why the monthly spend had increased so much. He says he assumes that the customer has opened another shop but as the account is paid in cash, there is no commercial risk to the business. You ask if the system alerted him to the increased spending. The director shows you an alert was sent but he did nothing about it. You ask if the business assessed whether the risk level of the customer changed. The director states that they did not consider looking at the customer’s risk assessment again. You conclude that the business has not conducted appropriate ongoing monitoring.
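The spend alert described in case study 3, worked through as an added example (not part of this manual and not the HVD's own system): monthly totals are built from constructed transaction records for one account, an alert is raised when a month's spend exceeds the previous month by more than 20%, cash payments over £7,000 without ID on file are listed, and an alert nobody acts on stays outstanding. Threshold values, field names and the sample data are assumptions for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed records for one customer account: (date, amount in GBP, payment method, ID held?).
# Months 1-7 are steady; months 8-10 are three times that level, mirroring case study 3.
TRANSACTIONS = (
    [(date(2023, m, 15), 4000.0, "bank", True) for m in range(1, 8)]
    + [(date(2023, m, 15), 12000.0, "cash", False) for m in range(8, 11)]
)


def monthly_totals(transactions):
    """Sum spend per (year, month), oldest first."""
    totals = defaultdict(float)
    for when, amount, _method, _id_held in transactions:
        totals[(when.year, when.month)] += amount
    return dict(sorted(totals.items()))


def spend_alerts(transactions, threshold=0.20):
    """Raise an alert for any month whose total spend rises more than `threshold` over the month before.

    Each alert starts as not actioned; the reviewer must record a decision against it."""
    totals = monthly_totals(transactions)
    months = list(totals)
    alerts = []
    for prev, cur in zip(months, months[1:]):
        if totals[prev] > 0 and totals[cur] > totals[prev] * (1 + threshold):
            alerts.append({
                "month": cur,
                "previous": totals[prev],
                "current": totals[cur],
                "increase": round(totals[cur] / totals[prev] - 1, 2),
                "actioned": False,
            })
    return alerts


def cash_id_breaches(transactions, limit=7000.0):
    """Cash payments above the limit accepted with no ID on file (the accounts-team check in case study 3)."""
    return [(when, amount) for when, amount, method, id_held in transactions
            if method == "cash" and amount > limit and not id_held]


def outstanding(alerts):
    """Alerts still awaiting a documented review, i.e. the gap the finance director left open."""
    return [a for a in alerts if not a["actioned"]]
```

In the constructed data the only alert fires for August 2023 (a 200% increase) and remains outstanding, and every cash payment in the trebled months is over the limit without ID, which is exactly the evidence an officer would expect the business to have acted on.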
Keeping information on the customer up to date
You should ask the business how it ensures documents, information, and data on the customer is up to date.
You should establish:
- what prompts the business to review its CDD information – is it event driven or periodic?
- who is responsible for reviewing information?
- what information about the customer is monitored?
- how does this work in practice? For example, does an electronic verification system alert the business when information has changed or is it driven manually? (This is particularly relevant when customers are corporations and trusts as the business is required to report discrepancies in registers and obligations on corporate bodies and trustees)
You will need to take into account how and where customer information is stored, see ECSH 33525 record keeping. For example, if CDD records are held off site or by a third party, are they retrieved to carry out a review?
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
You should establish if other events trigger a review of CDD, for example:
- where a new representative contacts the business to carry out a transaction on behalf of a customer, or where the business has detected unusual transactions that are not consistent with its knowledge of the customer
- there is a change in beneficial ownership of the customer. For example, the inclusion of a new beneficial owner who is a politically exposed person (PEP)
- there is a change in the purpose or intended nature of the relationship. For example, the customer changes from a sole trader to a partnership, or their reason for wanting to use a service such as nominee director changes
- any other matter which might affect the customer’s risk assessment. For example, the customer starts operating in a new jurisdiction or changes business activities, or new risk information is published by HMRC.
There is no obligation for the business to re-verify identity unless:
- it has doubts about the adequacy or veracity of the evidence obtained, or
- there have been changes to the customer, such as a change of name due to marriage, or changes to their appearance.
This is set out in the Joint Money Laundering Steering Group (JMLSG) guidance at paragraph 5.3.27.
However, depending on the types of documents used to verify identity and the reasons for obtaining it, an up-to-date copy may be needed. For example, where a business holds a copy of a passport from an overseas customer who travels to the UK to conduct its business, and the passport has expired.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
Case study
You are checking the compliance of an ASP. You select a customer to test CDD which is a business operating multiple hotels. The customer appears to be a UK limited company. The ASP onboarded the customer over five years ago and conducts regular bookkeeping for the customer. The business tells you that there is one ultimate beneficial owner and that it applied CDD measures to this individual. After conducting your own open-source checks, you establish that the beneficial ownership has changed twice and now involves a potential politically exposed person in a high risk third country. As the ASP failed to carry out ongoing monitoring, it was not aware that the ultimate beneficial owner had changed and therefore failed to consider the additional risks arising in this transaction.
Evidence of undertaking reviews of existing records and keeping information on the customer up to date
You need to assess whether the records held demonstrate effective ongoing monitoring. You must consider what ID documents were initially gathered by the business and what information it verified, and then what information is available to ensure that information remains correct and that there have been no changes. For example, is there a signed and dated customer risk assessment periodically reviewed which acknowledges that there have not been any changes to the customer?
If there have been no changes, there is no requirement to keep numerous copies of the same document. Where the business has been in a longstanding business relationship with a customer, it may decide to collate and assess information already held, rather than approaching a customer for more identification data or information. You should assess whether these measures are appropriate.
Frequency of ongoing monitoring
You must check that reviews are managed using a risk-based approach. Consider that for a trust or company service provider (TCSP), reviewing all customer information on 1 April each year is not risk based, as some customers would be lower risk and some would be higher risk. You should establish how often the business is conducting the checks and decide whether the frequency is suitable on a customer-by-customer basis. If enhanced ongoing monitoring is required, has this been done more regularly than if it was applying standard or simplified customer due diligence?
You must also check that what the business has described in its PCPs is happening in practice.
Breaches
Where you have established there is a breach of ongoing monitoring, you should tell the business it has breached regulation 28(11) of MLR 2017 and direct it to guidance to correct this. There are likely to be associated breaches.
Case study
You are establishing the compliance of an ASP who prepares annual accounts for its customers. The business tells you it conducts an annual review of CDD and, if there are no changes, records that no refresh was necessary. Whilst reviewing the records, you notice that for one customer, revised identity documents were seen and copies taken, to verify that the customer had changed surname. The business has recorded a note explaining that the customer got married and changed their name. On another customer record, the business has the minutes from its annual meeting with the customer. It states that no refresh of CDD was conducted as it had asked the customer and there had been no changes in their circumstances. It also recorded there were no changes to the work the business was doing for the customer. You cross reference this with the engagement letter for the customer and the latest invoice for services carried out. You conclude that the business has met the requirements of keeping information on the customer up to date for the purposes of ongoing monitoring.