Client Due Diligence (CDD) Requirements

A considerable amount of information on client due diligence is included in the Anti-Money Laundering Guidance for the Accountancy Sector.

When I take on a client I just want to get on with the work for them. What is the point of having to carry out CDD particularly if I have known them for years?

CDD must be undertaken because it is a legal requirement.

The Anti-Money Laundering Guidance for the Accountancy Sector includes further details on this area in Chapter 5. The purpose of client due diligence is to know and understand a client's identity, the way in which their business operates and the sources of their funds so that money laundering or terrorist financing risks can be identified and managed. CDD is not only a legal requirement; it will help you to make informed decisions about the client's professional standing and acceptability.

Clients are generally used to providing CDD documents as they are also required by other regulated businesses such as banks and solicitors. Of course if you know a client well it may mean you already know a lot of background information about them which you can note down as part of your client due diligence. You should, however, also be careful not to turn a blind eye to money laundering or terrorist risks because you know or are related to someone. 

Does CDD have to be undertaken before I start work for a client?

You should normally identify and verify the identity of your client (and anyone purporting to act on their behalf and any beneficial owner) before the establishment of a business relationship.

However, exceptionally Regulation 30 allows verification to be completed during the establishment of a business relationship if:

  • This is necessary not to interrupt the normal conduct of business
  • There is little risk of money laundering or terrorist financing occurring,

provided that the verification is completed as soon as practicable after contact is first established.

I have heard that I should be checking the financial sanctions and proscribed terrorist group lists. Where do I find these?

You are correct. Businesses must comply with any sanctions, embargos or restrictions and you should therefore check the following lists as part of your client due diligence processes:

AML Newsletter 20 refers to further information on Financial Sanctions Reporting Obligations. The AML Newsletters can be accessed here.

 

 

Can I use electronic ID when doing CDD?

Whilst electronic verification may be sufficient in some cases to comply with AML requirements, there may be circumstances where it will not be sufficient, for example where the client is in a higher risk category. Electronic verification will only confirm that someone exists, not that your client is who they say they are. You should consider the risk implications in respect of each client and be on the alert for information which may suggest that your client is not the person they say they are. You may reduce the risk by supporting electronic verification by:

  • obtaining some other source material, such as
    • getting a trusted third party (such as a fellow ATT/CTA, accountant or solicitor - also see below) to verify the identity of the client by sending you certified copies of their identification documents
    • making telephone contact with the client on a home or business number which has been verified electronically
  • requiring the client to pay you through an account held in their own name with a UK or EU regulated credit institution or one from an equivalent jurisdiction.

An appropriate record of the steps taken and/or copies of the evidence obtained to identify the client should be kept.

When choosing an electronic verification service provider you want to know that the information supplied will be sufficiently extensive, reliable, and accurate so you should look for a provider who:

  • is recognised, through registration with the Information Commissioner's Office, to store personal data;
  • can link the subject to both current and previous circumstances using a range of positive information sources;
  • accesses negative information sources, such as databases on CCJs, identity fraud and deceased persons;
  • accesses a wide range of 'alert' data sources;
  • has transparent processes enabling you to know what checks are carried out, the results of the checks, and what they mean in terms of how much certainty they give as to the identity of the subject;
  • allows you to capture and store the information used to verify an identity.

Remember that although you do not need to obtain your client's permission to carry out electronic verification, they must be informed that this check is to take place. It's a good idea to include something to this effect in your engagement letter.

Details of some of the providers of electronic ID verification can be found here

My clients have been with me for years, do I still need to do CDD on them?

You need to keep CDD up-to-date for all your clients. You may well already have sufficient documentary ID details on your files but if there has been any subsequent change to their circumstances or risk profile, you should update your CDD. You should review clients' CDD on a regular basis and need to be able to evidence this regular review.

I know all of my clients really well and consider the AML risk in relation to each one. Do I have to have a written risk assessment for each one?

Risk review of clients is an important part of client due diligence and of managing money laundering and terrorist financing risk.

The Anti-Money Laundering Guidance for the Accountancy Sector sets out the three stages of CDD: Identification, Risk Assessment and Verification. These stages interact: information gathered will inform the risk assessment, which may in turn indicate that further identity information or more verification is needed. Documenting the initial risk assessment of the client and subsequent reviews therefore evidences that the risk relating to that individual client has been considered and taken into account, and that the requirements of the regulations are being met.

Members can record CDD in the way they consider most helpful (subject to data protection restrictions). Members advise us how they record risk review and these include:

  • Specialist AML risk review software
  • Spreadsheets recording initial risk assessment and dates of review
  • Notes on the permanent file
  • Notes on the inside cover of the tax return files updated on an annual basis

There may be alternative methods which are more appropriate to your individual practice.

What is enhanced due diligence (EDD) and when do I need to consider doing it?

As set out in Chapter 5 of the Anti-Money Laundering Guidance for the Accountancy Sector EDD 'must include:

  • as far as reasonably possible, examining the background and purpose of the engagement; and
  • increasing the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appear to be suspicious.'

It may include obtaining additional independent sources to verify information provided by the client and other additional checks.

Regulation 33 sets out a number of circumstances where EDD is mandatory:

(a) in any case identified as one where there is a high risk of money laundering or terrorist financing;

(b) in any business relationship or transaction with a person established in a high-risk third country;

(c) in relation to correspondent relationships with a credit institution or a financial institution (in accordance with Regulation 34);

(d) if a relevant person has determined that a customer or potential customer is a PEP, or a family member or known close associate of a PEP (in accordance with Regulation 34);

(e) in any case where the relevant person discovers that a customer has provided false or stolen identification documentation or information and the relevant person proposes to continue to deal with that customer;

(f) in any case where:

(i) a transaction is complex and unusually large, or there is an unusual pattern of transactions, and

(ii) the transaction or transactions have no apparent economic or legal purpose, and

(g) in any other case which by its nature can present a higher risk of money laundering or terrorist financing.

The Regulations include a number of areas to consider when determining whether there is a high risk of money laundering or terrorist financing (see Appendix E of the Anti-Money Laundering Guidance for the Accountancy Sector).

I was previously told that EDD is required when a client is not met face to face. This is not on the list in the Regulations so is it still required?

Whilst not specifically mentioned in the legislation, you do need to do EDD in any case identified as one where there is a high risk of money laundering or terrorist financing. There may be a reason why you cannot meet a client face to face, and you may consider, based on the identification details provided and verified, that the money laundering/terrorist financing risk is not high. However, in many cases practitioners may consider that there are higher risks when they have not met a client face to face, and where you have any concerns EDD should be undertaken.

Should I do EDD on businesses where a high percentage of their turnover is received in cash?

One of the customer risk factors set out in MLR 2017 relates to 'where the customer is a business that is cash intensive'. Therefore you do need to consider the risks relating to cash intensive businesses and ensure appropriate CDD and ongoing monitoring is undertaken. You may also want to consider whether these clients should have an individual risk rating of 'high'. Additional monitoring on cases such as this could include:

  • Regular discussions with the client about ensuring all cash transactions are recorded and explaining the implications if a tax return is not complete.
  • Querying unexplained payments into the bank account.
  • Checking whether income looks to be in line with other businesses in the same sector.

This is not an exhaustive list.

Members are reminded of the requirements in Professional Conduct in Relation to Taxation (PCRT) where they come across irregularity in a client's tax affairs.

I understand that it is possible to do simplified due diligence (SDD) under MLR 2017. When are you able to do this?

The application of simplified due diligence is set out in Regulation 37. It is no longer the default option for certain entities such as listed companies.

SDD can be applied where there is considered to be a low risk of money laundering and terrorist financing, having taken into account the risk assessments available and the risk factors set out in the Regulations. The risk factors are also included in Appendix E of the Anti-Money Laundering Guidance for the Accountancy Sector.

If challenged, members will need to justify why SDD was appropriate and will need to maintain suitable records.

Now that requirements on EDD and SDD are set out in the Regulations, does that mean that Standard Due Diligence no longer applies?

Standard due diligence continues to be required as before. It is the required level of due diligence unless you are aware that the EDD requirements apply or where SDD cannot be justified.

Remember that the CDD required must be considered on an individual basis for each client.

If my client has been introduced to me by another firm, do I still need to do CDD on them?

You can rely on the CDD undertaken by the other firm but there are strict criteria which must be met including the requirement for a written reliance agreement. Further details are set out in Regulation 39 and there are also details in 5.3.19 to 5.3.25 of the Anti-Money Laundering Guidance for the Accountancy Sector.

Reliance on CDD should not be entered into lightly. Even though you are relying on another's CDD you remain liable for any failure to comply. For this reason many advisers obtain certified copies of CDD from the original adviser instead in order to fulfil their CDD obligations.

You should also be aware that even if a reliance agreement is in place the client still has to be risk reviewed and you are still required to do ongoing monitoring.

What due diligence is required in respect of companies?

Listed Companies

MLR 2017 now makes it clear that you do not need to obtain details of a beneficial owner of a listed company and sets out precisely what details are required, which are:

  • Company name and number
  • Address of Registered Office and, if different, place of business

Unlisted Companies and LLPs

For unlisted companies and LLPs the following information must be obtained and verified:

  • Company name and number
  • Address of Registered Office and, if different, place of business
  • Articles of Association or other governing documents and the law it is subject to
  • Names of Board members and senior persons responsible for operations.

MLR 2017 makes it clear that reliance cannot be placed solely on Companies House information and therefore it will be necessary to ask the customer for this information as well. Regulation 43 requires the corporate body to provide the above information and details of its legal owners and beneficial owners if requested by you.

This ties in to the fact that, as before, beneficial owners will have to be identified and reasonable steps must be taken to verify their identity.

What due diligence is required in relation to trusts?

(For further details refer to Regulations 6 and 44)

There are tougher rules on checking the beneficial owners of trusts. The definition of the beneficial owner has been expanded and includes the settlor, trustees, beneficiaries and anyone with control of the trust (Regulation 6). Where all the individual beneficiaries have yet to be determined the beneficial owner includes the class of persons in whose main interest the trust is set up or operates. Where it is not possible to identify all the beneficiaries it may be acceptable to establish the class of persons who are beneficiaries or potential beneficiaries under the trust.

Firms must take reasonable measures to verify beneficial ownership. Trustees will have to keep a record of the beneficial owners and they must provide details if requested where a business relationship has been entered into. Where during the course of the business relationship these details change then trustees must notify the relevant person within 14 days.

A register of trusts will be maintained by HMRC. Where a trust has a tax liability in respect of income tax, CGT, IHT, SDLT, land and buildings transaction tax or stamp duty reserve tax, the trustees will have to supply specified information to HMRC for inclusion in the register. This is similar to the register of people with significant control (PSC register) recently introduced for companies.

The ATT is currently working on a more detailed answer to this FAQ.

The Company Formation Agent which I use has started to ask me for certified copies of client due diligence. Why is this?

Under Regulation 4(2), CDD must now be undertaken where a company is being formed for a customer. This is the case even where that is the only transaction required for the customer. This is the reason why company formation agents request certified copies of documents.