Client ID verifications

For a firm of accountants, CDD is most commonly undertaken at the start of a business relationship. In that context, it is easy to see how CDD can help a firm to better understand the client, so that relevant employees can have expectations about the client’s activities and be more likely to notice unexpected – perhaps suspicious - activities. But the information gathered about the client needs to be verified, with evidence being gained from a reliable, independent source.

CDD requires a flexible approach in which questions are asked as they arise – as information is gathered - and verification is sought of the answers provided. Verification of the relevant information gathered about a client will always include ID verification, as criminals value obscurity and will, inevitably, try to conceal their true identity. Although the identification of corporate entities is also relevant, this section of the guidance focuses on verifying the identification of individuals, whether they be clients, beneficial owners, directors, trustees, or anyone else identified as significant within the information-gathering process.

What does the legislation say?

The verification requirements are set out within regulation 28 of MLR 2017. Wherever it requires information to be verified, it means it must be verified “on the basis of documents or information in either case obtained from a reliable source which is independent of the person whose identity is being verified”. It clarifies that any documents issued by an official body (such as a passport or driver’s licence) are deemed to be from an independent source, even if they are provided to the firm by the person whose identity is being verified.

With regard to the reliability of the source, regulation 28 explains how certain electronic identification processes may be regarded as being obtained from a reliable source. It states that the electronic identification process must be “secure from fraud and misuse and capable of providing assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing”.

In itself, perhaps that is of limited help, particularly when it has proven difficult to verify the identity of the person by more traditional means, in which case the money laundering and terrorist financing risk may be assessed as higher. But a firm may, in fact, decide to use electronic verification as an element of CDD in all cases (and not only out of necessity or as a response to assessed risk). In any case, judgement must be exercised by the firm in evidencing that it is satisfied that the client’s identification has been suitably verified. In placing reliance on an online service provider, a firm must be satisfied that the evidence to be gained will be relevant, reliable and sufficient. In reaching its conclusion, it should ask itself a few questions:

• What sources does the system draw upon? (This must be a range of sources.)
• How up-to-date is the information to be gained from the provider? (This is dependent upon the online system itself, as well as the sources of information that the system interrogates.)
• Does the provider themselves have a system for checking the accuracy and relevance of the information being gathered?

The adequacy of all the evidence gathered to verify the identity of those concerned must be assessed on a case-by-case basis, in light of the client’s risk profile (including, of course, any lack of clarity concerning the ownership and control of the client). Of course, there are many means of undertaking CDD online, including searching the entire internet in innovative ways, using social networking platforms, maps (including street view), etc. But these are time-consuming. Therefore, in each case, you must be clear about the relevant, proportionate approach to undertaking CDD according to the assessed risk.

When to perform ID checks

Regulation 30 states that a firm must perform the relevant ID checks before the establishment of a business relationship. (A one-off piece of work such as the formation of a company on behalf of a client is deemed to be a business relationship, even though the relationship may not be ongoing.)

There are limited exceptions to this strict timing requirement. The verification work may be completed during the establishment of a business relationship if there is little risk of money laundering or terrorist financing, and it is necessary so as not to interrupt the normal conduct of business. In such cases, the verification must, nevertheless, be completed as soon as practicable.

Reporting discrepancies

Regulation 30A of MLR 2017 concerns the firm’s obligation to report discrepancies in the registers maintained by the Registrar of Companies or HMRC. Broadly speaking, before establishing a business relationship with a company or LLP, a firm must collect an excerpt of the relevant register, including details of the company’s beneficial owners. Similar details must be gathered in respect of other entities, such as a trust.

The firm must report any material discrepancy between information gathered from the register and other information that has become available to the firm while carrying out its CDD processes when establishing the business relationship. It must do the same when undertaking ongoing monitoring and CDD (i.e. after the business relationship with the client has been established).

A material discrepancy in relation to a company or LLP must be reported to the Registrar of Companies, while a discrepancy in relation to a trust must be reported to HMRC. In this context, a “material discrepancy” is one described in Schedule 3AZA to MLR 2017.

Traditional methods of verification

“Traditional methods of ID verification” tend to relate to “traditional ways of working”. Since the start of the COVID pandemic in the UK, in 2020, many firms have adapted to be able to work remotely from the office and remotely from their clients. Prior to that, it was common practice for a firm to get to know a potential client through an initial face-to-face meeting to which the relevant individuals would be asked to bring their passports or other photographic ID. (Verification of addresses would often be conducted with reference to utility bills.)

Although an accountant wouldn’t usually claim to be an expert in forgery, it is usually possible to inspect original documents to ensure they are current, valid, and show no obvious signs of tampering. It is also easier to feel confident that a passport photograph, for example, is a true likeness of the person sitting on the other side of your desk. The increase in popularity of online meetings initially meant that ID verification often took place by the client holding photographic ID up to the camera, meaning that reliability was dependent upon having a good internet connection. Therefore, digital methods of ID verification steadily became more common.

Digital methods of verification

Electronic verification uses database checks and/or biometric verification. These methods must meet the requirements for reliability and independence, as set out in regulation 28. In addition, an efficient system should be able to verify both identities and relevant addresses, and ensure the evidence is adequately recorded and securely stored.

Electronic ID verification will usually check an individual’s details against a number of electronic databases, such as the electoral roll, credit reference agencies and Companies House. Biometric verification is another means of electronic ID verification. It uses technology such as facial recognition to confirm a client’s identity. Biometric tools are effective and help to streamline client onboarding.

Sanctions screening 

Particularly important in your verification work is verification that the individual (or organisation) concerned, and the part of the world in which they are based, are not subject to financial sanctions. Based on assessed risk (if not done automatically), a firm may be required to check individuals and organisations against multiple official lists in respect of UK, EU and UN sanctions. Updates to the sanctions lists must be monitored, and existing clients may need to be rescreened when changes occur. This seemingly daunting task is made easier by the use of software and by the consolidated list maintained by the Office of Financial Sanctions Implementation (OFSI), which is fairly easy to search.

Reliance on third parties

Intuitively, it seems sensible that a firm of accountants should be able to rely on the CDD (including ID verification) performed previously by another firm of accountants which, after all, is supervised for AML compliance. But, in reality, it is not that simple. A firm must take responsibility for its own AML compliance, and it remains liable for any failure to apply suitable CDD measures.

Regulation 39 of MLR 2017 states that a firm may only rely on a third party who is:

• another relevant person subject to MLR 2017 (i.e. in the UK) or
• a person overseas who is subject to similar CDD and record-keeping requirements and who is supervised for compliance with those requirements.

So far, so good. However, if a firm wishes to rely on CDD measures applied by a third party, it must obtain from the third party all the CDD information required by regulation 28 in relation to the relevant client. It must also have a formal agreement with the third party that enables the firm to:

• obtain from the third party, on request, copies of any ID information and verification evidence, and
• require the third party to retain copies of the relevant information and documents for the necessary period (under regulation 40).

A firm will often be deemed to have complied with these requirements if it is relying on information provided by another firm in the same group. However, in other cases, the obligations of the third party are onerous and the benefits to the firm (which must retain responsibility for the CDD measures) are few. In short, many firms choose to manage their compliance risk by documenting a policy of:

• never relying on CDD measures applied by a third party, and
• never entering into an agreement with another relevant person to permit them to rely on the firm’s CDD.

Conclusion

ID verification is necessary before embarking on a client relationship, but may also be triggered by events during the course of the relationship. It is worth remembering the following points:

• Your firm’s policies, controls and procedures should set out its verification procedures, which may vary according to the circumstances.
• Verification work, including ID verification, must respond to the assessed risk in each case.
• Automated solutions are usually regarded as reliable (and independent). They may be used in response to assessed risk or as a matter of course, as they provide efficiency (and can often help with data storage).
• Regular staff training for relevant employees should ensure robust and efficient ID verification.
• The secure retention of records relating to ID verification is a requirement of both MLR 2017 and data privacy legislation.
• A firm cannot delegate its responsibility for appropriate CDD measures, which include ID verification.

‍