ECSH33380 - Checking customer due diligence: timing of verification
Regulation 30 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) sets out that where a business is required to carry out customer due diligence (CDD) measures under regulations 27, 28 or 29 MLR 2017, it must:
- Verify the identity of the customer.
- Any person purporting to act on behalf of the customer, and
- Any beneficial owner of the customer.
Before the establishment of a business relationship or the carrying out of the transaction.
However, provided that the verification is completed as soon as practicable after contact is first established, the verification may be completed during the establishment of a business relationship if:
- It is necessary not to interrupt the normal conduct of business, and
- There is little risk of money laundering and terrorist financing (ML/TF).
A credit or financial institution may open an account for the customer, provided no transactions are carried out by or on behalf of the customer before verification has been completed.
You can find more information in the relevant requirements for Regulation 30 MLR 2017.
How to test compliance
When testing CDD measures, you must check the business has verified the identity of the customer (and where applicable, any third party acting on the customer’s behalf, and any beneficial owners) before a transaction is carried out.
You will need to identify customers on whom the business was required to carry out CDD and ask to see records of verification carried out, following the guidance for What customer due diligence measures are required.
For each customer you should consider what records you will need to review to establish the timing of verification.
For example, check the dates contracts were signed or invoices raised, against the date the identity and verification document was provided/uploaded/saved by the business:
- Did the customer email or use instant messaging to provide a copy of their ID – ask to see the original message and record the date and time.
- Are dates shown on reports provided by external identity providers or credit reference companies? Were they carried out before the customer received the goods or services?
- If checks have been made to websites, registers (such as Companies House, HMRC or other supervisors, or the London Stock Exchange) are they time stamped?
- Is there a screenshot with the date visible on the device?
- Have there been changes in Companies House which indicate when a check was carried out - for example a director is shown as active, but when you check Companies House it shows they resigned over a year ago?
Make sure you confirm with the business that these were the first time the checks were carried out, even if there are no previous records. If you confirm that checks were carried out previously, but records were not retained or have since been destroyed or deleted, there may only be a breach of regulation 40 MLR 2017, rather than a failure to carry out CDD.
Specific examples are provided below:
High value dealer (HVD)
Where you are conducting a check to an HVD business that is undertaking occasional transactions, use a transaction testing sheet to help you record the appropriate information. Recording all of the relevant dates – such as invoice details, shipping details, payment dates will help you confirm if verification took place before the customer received the goods.
Some customers may be allowed credit terms (where goods are paid for ‘on account’). The customer may have been a customer for a long time, and commercial checks may have been carried out to establish an appropriate credit limit, however verification for the purposes of MLR 2017 should be carried out when a transaction meets regulation 27(3) MLR 2017. Checks for commercial reasons are unlikely to satisfy all of the requirements of regulation 28 MLR 2017, although are likely to verify the customer is who they say they are.
Money service business (MSB)
You must establish whether the identity of the customer is verified before the activity is undertaken. For example, at an MSB money transmitter where a customer is remitting money, you should see evidence of when the customers identity was verified and check this against the date and time the money is remitted, which should be evident from transactional data. Where a business relationship is established, identity may have been verified during a previous transaction, and you will need to follow the guidance for ongoing monitoring, see ECSH33375. There is important information regarding overridden CDD information on ECSH63480, which you should note when conducting a check to an MSB. Use a transaction testing sheet to help you record the appropriate information.
Art market participant (AMP)
Some AMP sales and purchases can take many months to complete, from a customer initially inquiring about a relevant piece of art, to the item being delivered to them, especially if an artist has been commissioned to create a new work of art. It is likely that different CDD measures will occur throughout the sales process. For example, the business may initially meet a customer following an introduction from another AMP, to view/discuss the work of art. The price may be negotiated and a few weeks later, a sale agreed. At this point, the business may request a copy of the ID document. That document may be used to carry out further checks, such as electronic verification by a third-party identity provider. This might highlight a potential risk, so the business may then ask for source of funds information from the customer. It may arrange shipping with the customer and satisfy itself that the shipping address is the customer’s residential address. When payment is made, the business will verify it is from a bank account in the customer’s name. This example highlights the possible length of time it can take to conduct the necessary due diligence. You should keep this in mind and record the dates of each of the checks on your transaction testing sheet. This only applies to customers from 10 January 2020 (when AMPs came into scope of MLR 2017), so keep this in mind when you are selecting records to test.
Estate agency business (EAB)
Regulation 14(3) MLR 2017 states that for an EAB, the business enters into a business relationship with a purchaser at the point when their offer is accepted by the seller. Therefore, the business must have verified the identity of the buyer(s) before this point. The regulation states ‘(as well as with a seller)’ which is in brackets. This means it should already be done by this point, so going back to regulation 30 MLR 2017, it must be done before the establishment of a business relationship, which is usually before the property is marketed.
You should be aware there is a little more give in the process whereby the timing of verification could occur at a point later down the line after the property has been marketed. You should establish if the business considers there to be a risk of money laundering or terrorist financing (ML/TF). For example, in the case of a probate sale, the business might assess there is no ML/TF risk when a property is just being advertised, so may deem it acceptable to verify the beneficial owner(s) later in the sales process. You should discuss with the business when it considers the risk occurs. Strictly speaking, from the wording of regulation 30 and the sector guidance on GOV.UK, it would be expected that the verification of the customers identity would be done before the establishment of the business relationship - however as shown in this example, regulation 30(3) MLR 2017 may apply – see Exceptions below.
For a typical high street estate agent, you will need to ask when the business considers the start of the business relationship with a seller. If it states this is when the property is marketed, you should record this date. This may be evidenced on the tool that the business uses to create property listings for its website. This system may also record when the customer was verified, for example, the date CDD documents or information uploaded to the system. You may also see an estate agency agreement (EAA) which the EAB sends to the customer detailing the service that will be offered and fees payable. You can check all this information against when the seller’s identity was verified by reviewing what documents and information it used to verify the identity. If the business has conducted Land Registry checks to ascertain who the beneficial owner of the property was, these reports show the date and time the check was conducted.
Next, you will need to see evidence of when the buyers offer was formally accepted by the seller, whereby a binding contract is entered into. This is known as the ‘exchange of contracts’. There should be written confirmation of this (email or letter) so you will need to check that the buyer’s identity was verified before this point.
Use a transaction testing sheet to help you record the appropriate information.
Lettings agency business (LAB)
For a landlord and tenant, you will need to see evidence of when the tenants offer was accepted before the tenancy agreement was confirmed. You will need to check that the landlords and tenants’ identity was verified before this point. This only applies to new customers from 10 January 2020 or any agreements which were renewed since then, so be mindful of this when you are selecting records to test.
Use a transaction testing sheet to help you record the appropriate information.
Accountancy service provider (ASP) and trust or company service provider (TCSP)
ASPs and TCSPs tend to issue customers with a contract, setting out the payment terms and details of the service(s) that will be provided. You should ask when the business relationship started for the customer you are testing, and when it first provided relevant services. Look at the contract, which should be dated, there may be a clause to say that the relationship starts when the customer signs and returns the contract. You can also ask for invoices or evidence of receipt of fees showing when services were provided, and check these against the records the business holds to verify the customer. Remember, ASPs and TCSPs may invoice for services which are out of scope for supervision, so it is important to confirm the relevant services carried out.
Where the customer is a legal entity, you should ask to see checks the business performed of information held on Companies House. You should check when this was done, and what records were taken at the time (see above bullets). You should confirm the details held with Companies House and explore any discrepancies. You can also check the business has met its requirement to report discrepancies of information on beneficial owners in registers.
Information regarding regulation 30(6) and 30(7) may be pertinent to these sectors. See ECSH63480.
Use a transaction testing sheet to help you record the appropriate information.
Exceptions
The Joint Money Laundering Steering Group (JMLSG) guidance, paragraph 5.2.3 to 5.2.5 discusses exceptions to when verification must be conducted.
For this to be considered appropriate, you must confirm that there are no risk factors present by using the CDD information available. You must then consider whether CDD was completed as soon as practicable. If the business states it has used the exception, you should establish how frequently it is doing so, as the exception is very limited.
Where a customer's identity was verified after the establishment of the business relationship or transaction, you must question the business on why the CDD checks occurred when they did and see evidence showing the business identified that the transaction/business relationship met the criteria for applying an exception to timing of verification. You must then establish when the verification was done and whether this was as soon as practicable after contact was first established.
Breaches
Where you have established there is a breach of timing of verification, you should tell the business there is a breach of regulation 30 MLR 2017 and direct it to guidance to correct this.
Case study
You begin a compliance check and make initial contact with the business, agreeing to visit it in two weeks’ time. In anticipation of your visit, the business checks its customer files are up to date. It realises that it did not verify the identity of a customer and its beneficial owners, so performs the checks immediately. You select this customer in your records testing and discuss when the customer’s identity was verified. The business confirms that it did not carry out the checks at the time of the transaction. You conclude that there is a timing of verification breach (regulation 30 MLR 2017) and discuss what happened and why CDD procedures were not carried out in order to consider any associated breaches.