AML Spotlight: Holistic customer due diligence

For our anti-money laundering (AML) blog series spotlighting key topics and concerns, our AML Risk Manager Jenni Rodgers looks at holistic customer due diligence: what it is, why it's important and the steps and risk factors to consider.

What is the “holistic approach to customer due diligence”?

The Oxford English Dictionary definition of “holistic” is: considering a whole thing or being to be more than a collection of parts.

Conducting holistic customer due diligence (CDD) and client/matter risk assessments (CMRAs) is essential for managing risk. By taking a comprehensive approach to understanding the risks associated with a particular client, matter and any relevant parties, practices can better protect themselves from potential money laundering, terrorist financing, sanctions, and any other wider risks.

A single risk factor may not automatically determine the risk rating of a client or matter. CDD and CMRAs combined should consider all the risk factors taken together holistically and assessment of the overall risk informs whether a matter or client is deemed to be higher or lower risk.

Our AML assurance work and Policies, Controls & Procedures (PCP) thematic findings

Throughout assurance work and frequent engagement with the profession, the AML team at the Law Society has identified a recurring theme that there is often a lack of evidence presented within AML PCPs and file reviews regarding the requirement to undertake holistic CMRAs and CDD.

Often the AML team see that practices comply with their requirements to identify and verify clients, beneficial owners and relevant parties. However, following this up with documenting, evidence and assessing the holistic risk, including the purpose and intended nature of the business relationship, often lacks.

This requires improvement in both understanding and underlying compliance. We identified in our AML thematic review of PCPs that there was an absence of clear demonstration that CDD should be holistic in nature – and the importance of documenting nature, background and circumstances of any client and/or matter.

Only 15 of the 40 practices that took part evidenced guidance to staff in relation to the identification of red flags and providing a holistic picture of money laundering/terrorist financing risk and less than half demonstrated that CDD should be holistic in nature – failing to evidence a fundamental element of CDD and risk assessments.

Client & Matter Risk Assessments (CMRAs)

The first step in the holistic approach is to conduct a holistic client and matter risk assessment. This involves analysing the risks associated with a particular client and relevant parties. The risk assessment should consider the following factors (although the below list is not exhaustive):

Client risk

• The identity of the client or relevant parties such as beneficial owners or directors.
• Any higher risk business sectors or activities.
• The nature, purpose and background of the business relationship.
• The results of sanctions, politically exposed persons (PEPs) or adverse media screening for all parties.
• Source of funds/wealth, private or regulated funding, is the funding and the accrual of wealth commensurate with your knowledge of the client?
• Is there a logical reason for the funding source?
• The client or relevant parties’ reputation and history at the firm.
• Is there a cash intensive element?

Geographic risk

• Risks inherent in the geographic location of the client or relevant parties ie where do they reside, where are they incorporated and where do they operate from?
• Where are the funds deriving from and the risks involved in this?

For more on this topic, check out our blog from last year on AML and geographical risks.

Product/service risk

• The type of products/services being provided.
• Is the product/service inherently higher risk?
• Does it make sense for the client to instruct on this matter?

Transaction risk

• Is this a particularly complicated transaction?
• What is the value of the transaction?
• Is it complex or unusually large?
• Does it involve anonymity?

Delivery channel risks

• Is an intermediary involved?
• Have you met the client or relevant parties face to face?

When weighing risk factors, practices should take a holistic approach and make an informed judgement about the relevance of different risk factors in the context of a particular customer relationship or occasional matter.

Remember, it is important to record information that may be clear in your mind, ensuring that all relevant information is written down for you and for any audit.

Tip: Revisit the five Ws – who, what, when, why and where. Don’t forget the H - how.

The AML team has published examples of client and matter risk assessment templates and guidance for natural and non-natural persons. We encourage all practices to consider them, but also emphasise that practices should amend the templates to fit their size, nature and PCPs.

Customer due diligence (CDD)

Once the risk assessment has been completed, the next step is to determine the level of due diligence required. This will depend on the level of risk identified in the risk assessment.

CDD is the collective term for the checks you must do on your clients, which may differ depending on the circumstances. As detailed above, it is holistic in nature and is wider than simply undertaking identification and verification of clients.

A holistic approach to customer due diligence and risk assessments involves taking a comprehensive view of the risks associated with a particular customer or relevant parties. This includes considering the above risk factors both before and during the collection of relevant due diligence.

You should be able to build a picture through the documents collected and evidence that this picture makes sense to you and an auditor when the “smell test” is applied.

This may be useful when determining warning signs or red flags during the due diligence process itself. No list of examples can be exhaustive, however LSAG Guidance Section 18 provides a useful list to consider and below are some key factors to think about when applying the test:

• Does this transaction make sense?
• Is the documentation consistent with what I am being told about the background, nature, and circumstances of the client?
• Is the client excessively obstructive, secretive, or unwilling to cooperate?
• Is the transaction corresponding with the client’s normal activities?
• Are there frequent changes to funding or the client’s details?
• Is the client rushing the transaction?

Due diligence is never the same for all clients. Whilst you have PCPs in place to assist with standardising your CDD process, you must apply a risk-based approach to the collection of due diligence that is tailored to the inherent risks present.

Source of funds/wealth

This is a fundamental aspect of holistic CDD.

A practice must scrutinise transactions on a matter-by-matter basis, with the objective of understanding what the underlying/originating source of funds are for transactions you undertake on behalf of a client. It’s not just about collecting bank statements.

Source of wealth checking is a holistic appraisal regarding where an individual or an entity has derived their overall wealth (ie the origin of their entire body of assets), rather than any specific portion of it. Building a picture of wealth is important and is holistic in its very nature. Although this isn’t something that is mandatory on all clients and matters, it is something that paints a picture of your clients’ holistic picture.

Screening

Adverse media/PEP and sanctions screening systems and controls should fit into a wider, holistic approach to financial crime risk mitigation.

Tip: Can a simple internet search of a client or involved party provide for more due diligence collection, if screen printed for example? Can you collect information on their employer or their business from the internet? Such measures will assist with the holistic picture.

Our continued efforts on the holistic approach

The AML team continues to engage with the profession around this area of required improvement, including blogs, such as this one, amongst other guidance available on our website to guide the profession and ongoing dialogue with practices.

There is no prescribed approach to the recording of risk assessments and holistic due diligence, however they must be written down so that you can evidence them to your supervisor.

What is important is that risk assessments/due diligence are adequately documented, all relevant factors are considered, and decision-making/rationale is recorded. We emphasise that the file must be able to be reconstructed and, if it is not written down, then it did not happen.

Document and evidence everything.

Useful Links

• PCP Thematic Review
• AML Annual Report 2022
• AML Annual Report 2023
• LSAG Guidance
• CMRA Templates & Guidance
• Sectoral Risk Assessment