Client due diligence

Client due diligence (CDD) is essential for AML compliance.

Client due diligence (CDD) is much talked about among practising accountants, who look for the simplest way of demonstrating AML compliance. While ID verification is often automated, and it is easy to put the evidence on file, CDD is more than that. If you would like to explore CDD in more detail than this guidance permits, AMLGAS (produced by the Consultative Committee of Accountancy Bodies) breaks it down into three components: Identification (and information gathering), Risk assessment and Verification (evidence gathering). The three components of CDD impact each other. In other words, when assessing the AML risk attaching to the client, you might feel you need to go back to gathering more information, or perform more rigorous verification work (as part of enhanced CDD). We say more about client risk assessments in a separate section of this guidance.

Understanding CDD

CDD is most commonly undertaken at the start of a business relationship, although you must be alert to other triggers for CDD, which are set out below. At the start of a business relationship in particular, it is easy to understand the importance of CDD, which helps a firm to better understand the client and, in the case of a business, its typical business activities. CDD must be clearly recorded, so that all relevant employees can easily get to understand the client, and so have expectations about the client’s activities. It then becomes much more likely that unexpected activities will be noticed, and even identified as suspicious.

Verification of the relevant information gathered about a client will always include ID verification. The reason for this is that criminals value obscurity and will, inevitably, try to conceal their true identity. This may involve the creation of complex corporate structures in which they (as beneficiaries) will try to hide. So CDD requires a flexible approach in which questions are asked as they arise – as information is gathered – and verification is sought of the answers provided. Simply put, CDD is necessary to understand sufficiently well a client’s identity and activities, so that AML risk can be properly managed, including the risk that suspicious activity will go unnoticed.

Legal Framework for CDD

Part 3 of MLR 2017 sets out a firm’s obligation to perform CDD, what CDD entails and the different types of CDD, namely:

  • CDD,
  • Enhanced CDD, and
  • Simplified CDD.

These three types of CDD underline the fact that CDD, like many other AML processes, must be risk-based.

What is CDD?

CDD measures are set out in regulation 28 of MLR 2017, and entail:

  • identifying the client,
  • verifying the client's identity, and
  • understanding and assessing the intended nature of the business relationship.

In the case of an incorporated client, you would usually be required to determine and verify:

  • the company’s name and registration number,
  • the address of its registered office and principal place of business,
  • the law to which the company is subject,
  • the company’s constitution (e.g. its articles of association),
  • the names of the directors,
  • the names of the senior persons responsible for the company’s operations and anyone else purporting to act on behalf of the client, and
  • the ownership and control structure of the company, including the company’s ultimate beneficial owner.

Similar provisions apply in respect of other types of entity, such as charities and trusts, and MLR 2017 sets out a firm’s CDD obligations if it has been unable to identify the beneficial owner.

When to Conduct CDD

The triggers for performing CDD measures (or reviewing the CDD undertaken previously) are set out in regulation 27 of MLR 2017. A firm must apply CDD measures (reflecting the assessed risk) whenever it:

  • establishes a business relationship,
  • suspects money laundering or terrorist financing, or
  • doubts the authenticity (or adequacy) of documents or information previously obtained for the purposes of CDD.

CDD measures must also be applied to existing customers at other times, on a risk-based approach. In other words, CDD must be regularly reviewed in respect of higher risk clients, and whenever the firm becomes aware that the circumstances of a client have changed such that the risk assessment of that client may have changed.

An “occasional transaction” is defined in MLR 2017 as “a transaction which is not carried out as part of a business relationship”. Although occasional transactions are unlikely to occur within an accountancy practice, we should note that CDD must also be applied if a firm carries out an occasional transaction amounting to the equivalent of 15,000 euro or more. 

Enhanced CDD

You will find the requirements relating to Enhanced CDD in regulations 33 and 35 of MLR 2017. When conducting CDD (including during the course of ongoing monitoring), a firm must apply Enhanced CDD measures, with a view to managing the assessed risks, when any of the following applies:

  • A high risk of money laundering or terrorist financing is identified.
  • A proposed or ongoing business relationship is with a person established in a “high-risk third country” (or a party to a relevant transaction is in a high-risk third country).
  • A client or potential client is a politically exposed person (PEP), or a family member or close associate of a PEP (see below).
  • It is discovered that a client has provided false information (which would include false ID documentation) and the firm intends to continue to deal with that client.
  • A transaction is complex or unusually large; there is an unusual pattern of transactions; or one or more transactions have no apparent purpose.
  • Other circumstances exist that could present a higher risk of money laundering or terrorist financing.

In this context, a “high-risk third country” is a country named on the FATF list of high-risk jurisdictions or its list of jurisdictions under increased monitoring.

According to regulation 35, a PEP is an individual entrusted with prominent public functions, including:

  • heads of state, heads of government, ministers and deputy or assistant ministers,
  • members of parliament (or similar legislative bodies),
  • members of the governing bodies of political parties,
  • members of supreme courts and any judicial body the decisions of which are not subject to further appeal,
  • members of courts of auditors or of the boards of central banks,
  • ambassadors, charges d'affaires and high-ranking officers in the armed forces,
  • members of the administrative, management or supervisory bodies of State-owned enterprises, and
  • directors, deputy directors and members of the board or equivalent function of an international organisation.

A “family member” of a PEP would include their spouse or civil partner, the PEP’s children (and their spouses/civil partners) and the PEP’s parents. A “close associate” of a PEP might be an individual with a close business relationship with a PEP, or someone with sole beneficial ownership of an entity or arrangement set up for the benefit of a PEP.

If a client or potential client is a PEP, or a family member or close associate of a PEP, the firm must carefully consider the impact that might have on its risk assessment of money laundering and terrorist financing (taking into account any information and guidance issued by its supervisory authority). It must then determine the extent of the enhanced CDD measures to be applied in relation to that client.

If a firm intends to continue a business relationship involving a PEP, there must be approval for continuing (or establishing) the business relationship from senior management. In addition, regulation 35 specifies that the firm must establish the client’s sources of income (and source of wealth). It must also conduct enhanced ongoing monitoring of the business relationship.

In many cases, MLR 2017 is not prescriptive regarding the enhanced CDD measures required. However, regulation 33 states that those measures may include:

  • seeking additional reliable sources to verify information gathered by the firm,
  • taking steps to better understand the client’s background, ownership and financial situation,
  • taking further steps to be satisfied that a transaction is consistent with the purpose and intended nature of the business relationship, and
  • enhancing the monitoring of the business relationship, including greater scrutiny of transactions.

Specifically in respect of a business relationship involving a high-risk third country, the enhanced CDD measures must include:

  • obtaining additional information on the client and on the client’s beneficial owner,
  • obtaining additional information on the intended nature of the business relationship,
  • obtaining information on the source of funds and source of wealth of the client and the client’s beneficial owner,
  • obtaining information on the reasons for a relevant transaction,
  • obtaining the approval of senior management for establishing or continuing the business relationship, and
  • conducting enhanced monitoring of the business relationship.

In the case of complex, unusual or suspicious transactions, regulation 33 requires a firm’s enhanced CDD measures to include:

  • examining, as far as possible, the background and purpose of the transaction (or transactions), and
  • conducting enhanced monitoring of the business relationship in which the transaction (or transactions) were made (to determine whether there is reasonable cause for suspicion).

Simplified CDD

Simplified CDD is the subject of regulation 37, which states that simplified CDD measures may be applied if a business relationship is assessed as presenting only a low risk of money laundering and terrorist financing. If that is the case, a firm must nevertheless comply with the CDD requirements of regulation 28, although (according to regulation 37) “it may adjust the extent, timing or type of the measures it undertakes under regulation 28 to reflect its [low risk assessment]”.

In practice, the extent of simplification of your CDD could only be to lessen the verification measures that you consider necessary. Therefore, if you have efficient processes in place anyway, there may be little benefit to be gained in seeking to simplify your CDD measures.

Best Practices for Effective CDD

Develop Clear Policies and Procedures

MLR 2017 specifically requires a firm to have a clearly documented policy in respect of CDD. Recognising that AML compliance must be risk-based, a firm’s CDD policy would be likely to set out when a situation requires enhanced CDD measures, when CDD should be revisited, and what form ongoing monitoring should take. It should also make clear which checklists and verification resources should be used in each situation.

Train Staff Regularly

In all but the smallest firms, regular AML training should cover CDD policies and processes and the importance of CDD. Ensuring that staff understand their responsibilities and the role of CDD in AML compliance will increase the likelihood that any suspicious activity will be identified and reported.

Use Technology

Automation and systemisation help to promote consistently high standards of compliance. AML software can streamline the client verification process, as well as ensuring AML risk assessments are comprehensive and making AML document storage and retrieval easier. It can even help to navigate complex ownership structures and so help to identify beneficial owners.

Regulatory Guidance and Resources

Supervisory authorities (including HMRC and many of the professional accountancy bodies) provide resources in the form of standard templates and checklists and guidance on CDD requirements. Some commercial organisations also provide effective solutions. Some standard documentation will need to be tailored to the needs and circumstances of your firm. Resources such as this Firmcheck guidance can provide (as part of your firm’s AML training) the understanding required to help tailor policies, procedures and documentation to the unique circumstances of your firm.
