ECSH33375 - Ongoing monitoring
Introduction
Ongoing monitoring is set out in The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and involves:
- Scrutiny of transactions undertaken throughout the course of the business relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person's knowledge of the customer, the customer's business and risk profile.
- Undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence (CDD) measures up-to-date.
You should be aware that ongoing monitoring only applies where there is a business relationship as defined in MLR 2017 and described in ECSH63190. It is vital to confirm and gather evidence on whether the business establishes business relationships with its customers, as opposed to other situations which require CDD under regulation 27 MLR 2017.
CDD checks carried out at the start of the business relationship only gather information at a fixed point in time, and things change. It is important that the business can demonstrate that it monitors transactions and the records it holds, so it has an up-to-date picture of its customer and the risk it poses. Any changes to customer behaviour and/or people running the business should trigger a review of CDD, so that the business knows who it is dealing with and can effectively mitigate the risk of it being used for money laundering and terrorist financing.
Ongoing monitoring does not apply to occasional transactions (although there may be times when CDD becomes out of date before a transaction is completed). For example, where there is an indication that the identity of the customer’s beneficial owner (BO) has changed, you should check that the business verified the identity of the new BO before continuing with the transaction (for more instances see ).
Risk assessment and policies, controls and procedures (PCPs)
You should establish how the business has considered the level of ongoing monitoring that is needed in line with its risk assessment. This may be different from customer to customer.
A review of the business’s PCPs should explain how and when it conducts ongoing monitoring of transactions and customers. As part of your records testing, you should see evidence of ongoing monitoring checks, summarised below.
If it is not mentioned in the PCPs, you will need to discuss ongoing monitoring with the business to establish what the business’s PCPs are, and then consider whether there is a breach of regulation 19(1)(c) MLR 2017. However, please remember, if the business does not establish a business relationship with its customers, there is no requirement to carry out ongoing monitoring.
Scrutiny of transactions
To establish whether the extent of the measures is appropriate, you should ask the business when and how it scrutinises transactions, who has responsibility for monitoring transactions and what steps are carried out as a result.
These may consist of:
- How does the business monitor customer transactions to help identify unusual activity?
- Who checks that transactions are consistent with its knowledge of the customer and of its operations, based on the information obtained when establishing the business relationship (as required by regulation 28(2)(c) MLR 2017)?
- What does the business do when risks associated with transactions have changed?
- Who monitors the frequency, volume, and size of transactions?
- What does it take into account, such as abnormal size or frequency of activity for that customer or peer group, the nature of a series of transactions, geographic destination or origin of a payment - for example high risk third countries?
- How does it take into account the risk assessment of the customer?
- What triggers scrutiny of transactions?
- In what situations does the business consider it necessary to carry out source of funds (SOF) checks?
- What systems are in place to monitor customer activity/transactions? Is it manual or automated, or a combination of the two?
- If it is an automated system, what does the system define as unusual or uncharacteristic behaviour by the customer? Is that in line with the business’s definition?
- When is it done - in real time or after the event?
- If after, is it within a reasonable time to respond to patterns/trends?
- Does the system flag transactions or activities for further examination?
- Are reports generated? Where do they go? Are they reviewed by appropriate person(s)?
- What actions does the business take on the back of the findings?
- What does the business do if the information does not align with the information gathered at the start of the business relationship?
- Does the business change the risk level associated with the customer?
- Can the business show you an example where the activities of the customer led to a change in risk level, for example from low risk to medium risk or vice versa?
To decide if the business has implemented appropriate monitoring procedures, you will need to select a customer and ask to see records of transactions carried out. You will then question the business and ask to see records to confirm it identified the changes and took appropriate measures. Where applicable, you should ask to see any reports where customers have been flagged for ongoing monitoring purposes.
Where applicable, you may need to ask to see:
- Changes to risk assessments over time.
- Reviews of source of funds – consider what the business established in the first instance, and whether there were any transactions inconsistent with the identified source of funds.
- Suspicious activity reports (SARs) generated as a result of transaction monitoring.
You should be aware that in an ongoing business relationship, the business is not required to keep supporting transaction records for more than 10 years, so you will need to consider the relevant period you are asking to see records for.
Case studies
Case study 1
An accountancy service provider (ASP) tells you that a customer who does not operate a cash intensive business changed from paying its fees by bank transfer to paying its fees in cash. You establish this change prompted the ASP to ask for information regarding the change and where the cash was coming from. The customer provided an explanation regarding the source of funds and explained to the ASP that his bank had recently started charging him to deposit cash, which was affecting his profit margins. The ASP confirmed that nothing else had changed in the customer’s business from the records provided by the customer, and therefore accepted this explanation. The ASP shows you that its risk assessment was updated to reflect the receipt of cash. You conclude that the ASP has conducted appropriate ongoing monitoring.
Case study 2
During CDD testing at a money service business (MSB) transmitting money, you select a customer and ask to see their transaction history. You notice that the customer regularly sends money to a family member, although the transactions are always below £500. However, you notice some recent transactions which are considerably larger than normal. You ask the MSB about these transactions, who explains that the customer has sold his property in the UK and is in the process of buying a property abroad. The MSB obtained a letter from a solicitor and a bank statement confirming that the sale had occurred, to verify the information and source of funds. The MSB also asked the customer to provide an up-to-date residential address and documents to verify he lived there, as he recognised that the customer no longer lived at the property he had recorded on his system. You conclude that the MSB conducted appropriate ongoing monitoring.
Case study 3
You are working on the compliance check of a high value dealer (HVD) who is a wholesaler. The sales director explains that a customer account is set up on its computerised accounts system and they carry out a credit check to consider the customer’s initial credit limit. You ask how the business monitors the customer’s transactions. The accounts clerk demonstrates to you that each time the customer carries out a transaction, the system records the spend and the method of payment. The accounts team check that ID is held before accepting any cash payments exceeding £7,000. The system also analyses a customer’s monthly spend and creates alerts for increases above 20% in total monthly spending. The finance director explains that this alerts him to review patterns of spending, and to review the customer’s credit limit. You select one customer account and notice the customer had similar monthly spends for seven months and then the monthly spend trebled for the next three months. You ask the finance director if the business questioned the customer about why the monthly spend had increased so much. He says he assumes that the customer has opened another shop but as the account is paid in cash, there is no commercial risk to the business. You ask if the system alerted him to the increased spending. The director shows you an alert was sent but he did nothing about it. You ask if the business assessed whether the risk level of the customer changed. The director states that they did not consider looking at the customer’s risk assessment again. You conclude that the business has not conducted appropriate ongoing monitoring.
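The questions above ask how the business detects transactions that are out of character for a customer, and case study 3 shows the control failing at the last step: the system raised an alert and nobody acted on it. The following Python script is an added illustration (not HMRC or any business's code) of the two rules that case study describes, a 20% month-on-month increase in total spend and an ID check on cash payments above £7,000, together with a record of whether each alert was actioned. The customer names, amounts and months are constructed sample data; the rule thresholds are the ones quoted in the case study.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Transaction:
    customer: str
    month: str      # "YYYY-MM"
    amount: float   # GBP
    method: str     # "cash" or "bank"


@dataclass
class Alert:
    customer: str
    rule: str
    detail: str
    # Filled in when someone reviews the alert, e.g. "SOF obtained, risk raised to medium".
    # An alert that stays at None is the case study 3 failure: generated but never acted on.
    disposition: Optional[str] = None


# Constructed sample: cust-A has seven steady months then its spend trebles (the
# case study 3 pattern); cust-B makes one large cash payment with no ID on file.
SAMPLE = (
    [Transaction("cust-A", f"2024-{m:02d}", 10_000, "cash") for m in range(1, 8)]
    + [Transaction("cust-A", f"2024-{m:02d}", 30_000, "cash") for m in range(8, 11)]
    + [Transaction("cust-B", "2024-01", 8_000, "cash"),
       Transaction("cust-B", "2024-02", 2_500, "bank")]
)
ID_HELD = {"cust-A"}  # constructed: customers whose identity the business has verified


def monthly_totals(txns):
    """Total spend per customer per month, months in chronological order."""
    totals = defaultdict(lambda: defaultdict(float))
    for t in txns:
        totals[t.customer][t.month] += t.amount
    return {c: dict(sorted(m.items())) for c, m in totals.items()}


def spend_increase_alerts(txns, threshold=0.20):
    """Alert when a month's total exceeds the previous month's by more than the threshold."""
    alerts = []
    for cust, months in monthly_totals(txns).items():
        prev = None
        for month, total in months.items():
            if prev is not None and prev > 0 and (total - prev) / prev > threshold:
                rise = (total - prev) / prev
                alerts.append(Alert(cust, "monthly-spend-increase",
                                    f"{month}: {total:.0f} vs previous {prev:.0f} (+{rise:.0%})"))
            prev = total
    return alerts


def cash_id_alerts(txns, id_held, limit=7_000):
    """Alert on cash payments above the limit where no verified ID is held."""
    return [Alert(t.customer, "cash-over-limit-no-id",
                  f"{t.month}: cash {t.amount:.0f} without verified ID")
            for t in txns if t.method == "cash" and t.amount > limit and t.customer not in id_held]


def run_monitoring(txns=SAMPLE, id_held=ID_HELD):
    return spend_increase_alerts(txns) + cash_id_alerts(txns, id_held)


def unactioned(alerts):
    """Alerts with no recorded disposition: what a compliance check should look for."""
    return [a for a in alerts if a.disposition is None]


if __name__ == "__main__":
    alerts = run_monitoring()
    for a in alerts:
        print(f"{a.customer} [{a.rule}] {a.detail}")
    print(f"{len(unactioned(alerts))} alert(s) not yet actioned")
```

On the sample data this raises one spend alert for cust-A in 2024-08 and one cash alert for cust-B; both sit in the unactioned list until a reviewer records a disposition, which is the evidence an officer would ask to see.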
Keeping information on the customer up to date
You should ask the business how it ensures documents, information, and data on the customer is up to date.
You should establish:
- What prompts the business to review its CDD information – is it event driven or periodic?
- Who is responsible for reviewing information?
- What information about the customer is monitored?
- How does this work in practice? For example, does an electronic verification system alert the business when information has changed or is it driven manually? (This is particularly relevant when customers are corporations and trusts as the business is required to report discrepancies in registers and obligations on corporate bodies and trustees).
You will need to take into account how and where customer information is stored, see ECSH33525. For example, if CDD records are held off site or by a third party, are they retrieved to carry out a review?
You should ask the business for details of contact it has with existing customers, and whether this is used to trigger a review of information held. This will vary from sector to sector. For example, a lettings agency business (LAB) may use a renewal of a tenancy agreement as a trigger to review its CDD records. An ASP may do it once a year when preparing and submitting a customer’s annual accounts. An HVD, on the other hand, may not consider it necessary to review the information because it visits its customers weekly to deliver goods and any changes would be recognised immediately.
You should establish if other events trigger a review of CDD, for example:
- Where a new representative contacts the business to carry out a transaction on behalf of a customer, or where the business has detected unusual transactions that are not consistent with its knowledge of the customer.
- There is a change in beneficial ownership of the customer. For example, the inclusion of a new beneficial owner who is a politically exposed person (PEP).
- There is a change in the purpose or intended nature of the relationship. For example, the customer changes from a sole trader to a partnership, or their reason for wanting to use a service such as nominee director changes.
- Any other matter which might affect the customer’s risk assessment. For example, the customer starts operating in new jurisdiction or changes business activities, or new risk information is published by HMRC.
There is no obligation for the business to re-verify identity unless:
- It has doubts about the adequacy or veracity of the evidence obtained, or
- There have been changes to the customer, such as a change of name due to marriage, or changes to their appearance.
This is set out in the Joint Money Laundering Steering Group (JMLSG) guidance at paragraph 5.3.27.
However, depending on the types of documents used to verify identity and the reasons for obtaining it, an up-to-date copy may be needed. For example, where a business holds a copy of a passport from an overseas customer who travels to the UK to conduct its business, and the passport has expired.
You should ask:
- How the business ensures that the customer’s address/es are kept up to date.
- Does the business regularly visit its customers or deliver goods to them to satisfy ongoing monitoring?
- Is the business fulfilling its requirement of reporting discrepancies to the information held in the register (only applicable in the circumstances described in ECSH33385)?
You will need to look for changes to customers to check what the business has done as a result of the change. For example, you will need to check the information on Companies House, and whether there have been any changes to beneficial ownership. You can then check whether the business has identified that and what subsequent checks it carried out.
Case study
You are checking the compliance of an ASP. You select a customer to test CDD which is a business operating multiple hotels. The customer appears to be a UK limited company. The ASP onboarded the customer over five years ago and conducts regular bookkeeping for the customer. The business tells you that there is one ultimate beneficial owner and that it applied CDD measures to this individual. After conducting your own open-source checks, you establish that the beneficial ownership has changed twice and now involves a potential politically exposed person in a high risk third country. As the ASP failed to carry out ongoing monitoring, it was not aware that the ultimate beneficial owner had changed and therefore failed to consider the additional risks arising in this transaction.
Evidence of undertaking reviews of existing records and keeping information on the customer up to date
You need to assess whether the records held demonstrate effective ongoing monitoring. You must consider what ID documents were initially gathered by the business and what information it verified, and then what information is available to ensure that information remains correct and that there have been no changes. For example, is there a signed and dated customer risk assessment periodically reviewed which acknowledges that there have not been any changes to the customer?
If there have been no changes, there is no requirement to keep numerous copies of the same document. Where the business has been in a longstanding business relationship with a customer, it may decide to collate and assess information already held, rather than approaching a customer for more identification data or information. You should assess whether these measures are appropriate.
Frequency of ongoing monitoring
You must check that reviews are managed using a risk-based approach. Consider that for a trust or company service provider (TCSP), reviewing all customer information on 1 April each year is not risk based, as some customers would be lower risk and some would be higher risk. You should establish how often the business is conducting the checks and decide whether the frequency is suitable on a customer-by-customer basis. If enhanced ongoing monitoring is required, has this been done more regularly than if the business was applying standard or simplified customer due diligence?
You must also check that what the business has described in its PCPs is happening in practice.
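The event triggers listed under "Keeping information on the customer up to date" and the risk-based frequency described here are two sides of one decision: is a CDD review due for this customer, and why? The Python script below is an added illustration (not HMRC or any business's code) of that decision. It combines a periodic interval per risk rating with the handbook's event triggers, and includes a check that the periodic schedule actually varies by risk, which a "1 April for everyone" policy would fail. The review intervals, customer names, dates and events are constructed assumptions for the example; only the trigger types come from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative intervals (an assumption, not from the handbook): enhanced
# monitoring for higher-risk customers is reviewed more often than standard or
# simplified customer due diligence.
REVIEW_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 730}

# Non-risk-based schedule from the text: every customer reviewed once a year
# regardless of rating.
FIXED_DATE_INTERVAL_DAYS = {"high": 365, "medium": 365, "low": 365}

# Events from the handbook's trigger list, mapped to the reason a review is due.
TRIGGER_EVENTS = {
    "new_representative": "new representative acting for the customer",
    "unusual_transaction": "transaction inconsistent with knowledge of the customer",
    "bo_change": "change in beneficial ownership",
    "pep_identified": "beneficial owner is a politically exposed person",
    "purpose_change": "change in purpose or intended nature of the relationship",
    "new_jurisdiction": "customer operating in a new jurisdiction",
}


@dataclass
class Customer:
    name: str
    risk: str          # "high", "medium" or "low"
    last_review: date  # date of the last recorded CDD review


@dataclass
class Event:
    customer: str
    when: date
    kind: str          # one of TRIGGER_EVENTS


# Constructed sample: a long-standing low-risk client whose ownership changed
# twice (the final case study), a recently reviewed medium-risk client, and a
# high-risk client with an unusual transaction since its last review.
TODAY = date(2024, 6, 1)
CUSTOMERS = [
    Customer("Hotels Ltd", "low", date(2019, 1, 15)),
    Customer("Tenant Co", "medium", date(2024, 1, 10)),
    Customer("Wholesale Ltd", "high", date(2024, 3, 1)),
]
EVENTS = [
    Event("Hotels Ltd", date(2021, 3, 1), "bo_change"),
    Event("Hotels Ltd", date(2023, 9, 10), "pep_identified"),
    Event("Wholesale Ltd", date(2024, 5, 20), "unusual_transaction"),
    Event("Tenant Co", date(2023, 12, 1), "purpose_change"),  # before its last review: already handled
]


def review_due(customer, events, today, intervals=REVIEW_INTERVAL_DAYS):
    """Return the reasons a CDD review is due (empty list if none)."""
    reasons = []
    interval = timedelta(days=intervals[customer.risk])
    if today - customer.last_review > interval:
        reasons.append(f"periodic review overdue ({customer.risk} risk, every {interval.days} days)")
    # Only events after the last review count; earlier ones should already be reflected in it.
    for e in events:
        if e.customer == customer.name and e.when > customer.last_review and e.kind in TRIGGER_EVENTS:
            reasons.append(f"event on {e.when.isoformat()}: {TRIGGER_EVENTS[e.kind]}")
    return reasons


def reviews_due(customers=CUSTOMERS, events=EVENTS, today=TODAY):
    """Map each customer name to the reasons a review is due."""
    return {c.name: review_due(c, events, today) for c in customers}


def schedule_is_risk_based(intervals):
    """A schedule is risk based only if higher risk means a shorter interval."""
    return intervals["high"] < intervals["medium"] <= intervals["low"]


if __name__ == "__main__":
    for name, reasons in reviews_due().items():
        print(name, "->", reasons or "no review due")
    print("fixed-date schedule risk based:", schedule_is_risk_based(FIXED_DATE_INTERVAL_DAYS))
```

For the sample, Hotels Ltd is due for three reasons (overdue periodic review plus two ownership events), Wholesale Ltd for one (the unusual transaction), and Tenant Co for none, because its only event predates its last review. The fixed-date schedule is reported as not risk based.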
Breaches
Where you have established there is a breach of ongoing monitoring, you should tell the business it has breached regulation 28(11) MLR 2017, direct it to guidance to correct this and consider an appropriate sanction. There are likely to be associated breaches.
Case study
You are establishing the compliance of an ASP who prepares annual accounts for its customers. The business tells you it conducts an annual review of CDD and, if there are no changes, records that no refresh was necessary. Whilst reviewing the records, you notice that for one customer, revised identity documents were seen and copies taken, to verify that the customer had changed surname. The business has recorded a note explaining that the customer got married and changed their name. On another customer record, the business has the minutes from its annual meeting with the customer. It states that no refresh of CDD was conducted as it had asked the customer and there had been no changes in their circumstances. It also recorded there were no changes to the work the business was doing for the customer. You cross reference this with the engagement letter for the customer and the latest invoice for services carried out. You conclude that the business has met the requirements of keeping information on the customer up to date for the purposes of ongoing monitoring.