CDD is the new ID

The Money Laundering Regulations 2007 will come into force on 15 December 2007.

The draft regulations, currently available at www.hm-treasury.gov.uk, should be finalised this summer; any alterations will be highlighted in future articles. You should refer to them for full details and definitions.

Following the introductory article (Journal, May, p26) this article outlines the requirements for customer due diligence (CDD), which incorporates customer identification and “know your customer”. The term “customer” is used in the regulations and is therefore used here in preference to “client”.

Meaning – reg 4

“Customer due diligence” means:

(a) identifying the customer and verifying identity on the basis of documents, data or information obtained from a reliable and independent source;

(b) identifying the beneficial owner and taking risk based and adequate measures to verify his identity so that the relevant person is satisfied he knows who the beneficial owner is, including, in the case of a legal person (such as a trust or similar arrangement), measures to understand the ownership and control structure;

(c) obtaining information on the purpose and intended nature of the business relationship;

(d) conducting ongoing monitoring of the business relationship, including scrutiny of transactions/source of funds, to ensure they are consistent with your knowledge of that person and their risk profile; and ensuring documents, data or other information held are kept up to date.

The Society is aware that marketing exercises by certain firms have implied that documentation obtained from an “independent source” means that it cannot be provided by the customer to the solicitor. This is not the case. The documentation provided by clients should be issued by an independent source, for example a government department or agency, or a local authority.

The definition of “beneficial owner” has generated a heated response and is under review by government. The Society has put forward views and suggestions; however the concept is in line with the guidance provided by the Society for a number of years. Determine who you are acting for, and who is behind the transaction – including companies and trusts. If the client can’t or won’t provide the information you require, and it cannot be established otherwise, then you cannot continue to act.

It is clear that not only must up-to-date documentation be obtained, but the business you are carrying out needs to be kept under review as well. It is not sufficient to carry out verification of identity once and then refer to the client as an existing client with no regard to any changes in their circumstances or the type of work carried out. This is covered further in reg 5

When and how to apply due diligence – reg 5

Subject to what follows, CDD measures must be applied when:

• establishing a business relationship;
• carrying out occasional transactions;
• there is a suspicion of money laundering or terrorist financing;
• there are doubts about the veracity or adequacy of documents, data or information previously obtained for customer identification purposes.

CDD must also be applied to existing customers at appropriate times on a risk-sensitive basis.

A relevant person must:

• determine the extent of CDD measures on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction;
• be able to demonstrate to his supervisory authority that the extent of CDD measures is appropriate in view of the risks of money laundering and terrorist financing.

Again the emphasis is on consideration of risk in relation to the client and the business carried out for them, and the need to keep matters under ongoing review throughout the relationship. This allows firms to move away from a tick box, “one size fits all” regime and operate a system that is proportionate to the perceived risk and more flexible. While this offers benefits, including simplified CDD as you will read below, it may also pose challenges in terms of managing compliance.

Timing – reg 6

Verification of identity including, where appropriate, the beneficial owner, must take place before the establishment of a business relationship or carrying out of an occasional transaction. It may be completed during such establishment if this is as soon as practicable after initial contact, and this is necessary not to interrupt the normal conduct of business and there is little risk of money laundering or terrorist financing.
Again, consideration of the risk is paramount in deciding whether you may proceed beyond initial contact before verifying identity. This also confirms that the identity of the beneficial owner needs to be established in order that identity may be verified, at the earliest possible stage and before any transaction is undertaken.

Non-compliance – reg 7

Where CDD in terms of reg 5 or 6 has not or cannot be complied with for a customer you:

• may not carry out a transaction with or for the customer through a bank account;
• may not establish a business relationship or carry out an occasional transaction;
• must terminate any existing business relationship;
• must consider making a report to the Serious Organised Crime Agency (SOCA).

The above does not apply where notaries, other independent legal professionals, auditors, external accountants or tax advisers are in the course of ascertaining the legal position for their client or performing tasks of defending or representing that client in, or concerning, legal proceedings, including advice on instituting or avoiding proceedings.

Simplified due diligence (SDD) – reg 9

In certain limited circumstances, an “exemption” is provided from regs 4-6, apart from the duty of ongoing monitoring, or where there is suspicion of money laundering or terrorist financing. This applies to certain types of credit or financial institution, listed company or public authority, or, subject to certain conditions, the beneficial owner of a pooled account held by a notary or other independent legal professional. It also applies to certain products, including life insurance with an annual premium less than 1,000 euro or single premium below 2,500 euro, other specified insurance or pension products, small value electronic money, and a child trust fund.
Products or transactions fulfilling all the criteria detailed in sched 2, para 3 are also exempt.
Many of the categories relating to types of product are unlikely to apply to the majority of legal firms.

Enhanced due diligence (EDD) – reg 10

In keeping with the assessment of risk and the allowance for simplified due diligence where risk is low, there is a requirement to have enhanced procedures where risk is high. In addition to this general requirement, two specific situations are mentioned under this regulation.
Where the customer has not been physically present for identification purposes, specific and adequate measures must be taken to compensate for the higher risk of money laundering or terrorist financing, for example:

• ensuring identity is established by additional documents, data or information;
• supplementary measures to verify or certify the documents supplied, or confirmatory certification by a credit or financial institution subject to the money laundering directive;
• ensuring payment is through an account held in the client’s own name with a credit institution.

EDD must also be carried out where the customer is a politically exposed person (PEP). A PEP is someone who is or has in the last year been “entrusted with prominent public functions” of a state, other than the UK, the Community or an international body, and is resident outside the UK, or an immediate family member or known close associate of such a person (having regard to information in your possession or publicly known) – all explained more fully in sched 2, para 4.
In order to know whether someone is a PEP, you will need to have in place risk-based and proportionate systems. This will require you to consider both the types of customer you act for and the types of transactions you undertake, and to have an underlying risk profile. Based on that risk profile you will also have to carry out client due diligence, which should provide at least basic information about the client. If the risk is deemed to be high or information indicates the client is a PEP, enhanced due diligence will be required. There are private databases which can be used to check names: firms who provide electronic verification of identity normally also provide this service.
Senior management approval will be required to establish a business relationship with a PEP, and you will need adequate measures to establish the source of wealth and of funds involved, and to conduct enhanced ongoing monitoring of the relationship.

Reliance on third parties – reg 12

A relevant person may rely on a third party to apply any or all of the CDD measures relating to verification of identity of the customer or beneficial owner and the nature and purpose of the intended business relationship – provided that the relevant person remains liable for any failure to comply with the regulations.

For the purposes of reg 12 a third party is:

• a credit or financial institution which is an authorised person; or
• a relevant person who is an auditor, external accountant, insolvency practitioner, tax adviser, notary or other independent legal professional who is regulated by a professional body specified in the regulations;
• equivalent persons, in EEA and non-EEA states, to these two categories who are subject to mandatory professional registration and supervised for money laundering compliance in terms of the directive or an equivalent manner.

A person who acts as a third party must, if requested,

• make immediately available to the person relying on him any information about the customer obtained when applying the CDD measures; and
• immediately forward relevant copies of any ID and verification data and other relevant documents on the identity of the customer or beneficial owner which the third party obtains when applying those measures.

This regulation does not prevent firms applying CDD measures carried out by means of an outsourcing service provider or agent.

It is for senior management within a firm to come to a view about which if any third parties they are prepared to rely on, and whether they are prepared to act as third parties to others. The wording of any certificate or letter taken or given in this regard will have to be carefully considered.

If you act as a third party you may then require to ensure you retain documents for a period beyond the normal retention period.

Morag Newton, Director, Guarantee Fund

Guidance in relation to compliance with the Money Laundering Regulations will be issued in due course.

Future articles will cover record keeping, systems, internal reporting systems and training requirements.