ECSH33380 - Checking customer due diligence: timing of verification
Regulation 30 sets out that where a business is required to carry out customer due diligence (CDD) measures under regulation 27, 28 or 29 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), it must:
- verify the identity of the customer
- any person purporting to act on behalf of the customer, and
- any beneficial owner of the customer
before the establishment of a business relationship or the carrying out of the transaction.
However, provided that the verification is completed as soon as practicable after contact is first established, the verification may be completed during the establishment of a business relationship if:
- it is necessary not to interrupt the normal conduct of business, and
- there is little risk of money laundering and terrorist financing (ML/TF).
A credit or financial institution may open an account for the customer, provided no transactions are carried out by or on behalf of the customer before verification has been completed.
You can find more information in the Relevant Requirements for Regulation 30.
How to test compliance
When testing CDD measures, you must check the business has verified the identity of the customer (and where applicable, any third party acting on the customer’s behalf, and any beneficial owners) before a transaction is carried out.
You will need to identify customers on whom the business was required to carry out CDD and ask to see records of verification carried out, following the guidance for What customer due diligence measures are required.
For each customer you should consider what records you will need to review to establish the timing of verification.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
Exceptions
The Joint Money Laundering Steering Group (JMLSG) guidance, paragraph 5.2.3 to 5.2.5 discusses exceptions to when verification must be conducted.
For this to be considered appropriate, you must confirm that there are no risk factors present by using the CDD information available. You must then consider whether CDD was completed as soon as practicable. If the business states it has used the exception, you should establish how frequently it is doing so, as the exception is very limited.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
Breaches
Where you have established there is a breach of timing of verification, you should tell the business there is a breach of regulation 30 of MLR 2017 and direct it to guidance to correct this.
Case study
You begin a compliance check and make initial contact with the business, agreeing to visit it in two weeks’ time. In anticipation of your visit, the business checks its customer files are up to date. It realises that it did not verify the identity of a customer and its beneficial owners, so performs the checks immediately. You select this customer in your records testing and discuss when the customer’s identity was verified. The business confirms that it did not carry out the checks at the time of the transaction. You conclude that there is a timing of verification breach (regulation 30) and discuss what happened and why CDD procedures were not carried out in order to consider any associated breaches.