Due diligence
Knowing who your client really is
Verification, checks for suspicious activity and discrepancy reporting are all crucial steps in client due diligence, says David Potts
Collecting identity information and risk assessing prospective or current clients is a key part of a firm’s client due diligence processes. However, the process is incomplete until any information gathered has been verified and occasionally a firm may be obliged to report suspicious activity or a discrepancy during onboarding or a continuing relationship.
Verifying clients
Criminals often seek to mask their true identity by using complex and opaque ownership structures. The purpose of a firm’s client due diligence is to know and understand a client’s identity, so that any money laundering or terrorist financing (MLTF) risks can be properly managed. Effective client due diligence is therefore a key part of MLTF defences.
By knowing the identity of a client, including who owns and controls it, a firm is not only fulfilling its regulatory requirements but is equipping itself to make informed decisions about the client. Good client due diligence helps a firm to construct a better understanding of the client’s typical business activities. By understanding what normal practice is, firms find it easier to detect abnormal events, which in turn may point to MLTF activity.
The Money Laundering Regulations stipulate that client due diligence must be applied not only at the start of a new business relationship but also at appropriate points during an ongoing relationship, and particularly where there is any doubt about the reliability of the identity information or documents obtained previously for verification purposes.
Firms must identify their clients so that they can be sure they understand and know who the client is. This means collecting ID documents like passports, driving licences and utility bills. They must also identify any beneficial owners so that the ownership and control structure of their clients can be understood.
Once the client has been identified and an initial risk assessment has been carried out, then evidence is required to verify the identity information gathered during the first stage. This means obtaining documentation or other information from independent and reliable sources, and this stage is called client verification:
Identification → Risk assessment → Verification
Verification involves validating that the identity is genuine and belongs to the claimed individual or entity and must be completed using an independent, authoritative source. Documentation purporting to offer evidence of identity may emanate from several sources; however, these documents may differ in their integrity, reliability and independence. Some are issued after due diligence on an individual’s identity has been undertaken; others are issued on request, without any such checks being carried out. For example, certain documents issued by government departments and agencies or by a court could be considered the most reliable form of identification.
For clients who are individuals, you must obtain the full name, date of birth and residential address of your client. You can verify this by using documents issued by an official body, such as a passport – this is deemed to be an independent reliable source, even when provided by the client. You must retain a copy of this identification and your verification within your client file. Ensure they are valid and recent documents in line with your risk-based approach. Where there is an increased risk specifically relating to the identity of the individual, it may be appropriate to request additional, supplementary documents. Where appropriate, evidence of source of wealth and source of funds can be obtained from searching public information sources like the internet, company registers and land registers.
Indications of money laundering: red flags
Remember that red flags such as those highlighted here might not mean anything in isolation but taken together can provide a strong indication of money laundering.
● Transactions: Are transactions unusual because of their size, frequency or the manner of their execution, in relation to the client’s known business type?
● Assets: Does it appear that a client’s assets are inconsistent with their known legitimate income?
● Identity: Has the client taken steps to hide their identity, or is the beneficial owner difficult to identify?
● Political status: Is the client engaged in unusual private business given that they hold a prominent public title or function? Or do they have ties to an individual of this nature?
● Geographic area: Is the collateral provided, such as property, located in a high-risk country, or are the clients or parties to the transaction native to or resident in a high-risk country?
● Structures: Are there complex or illogical business structures that make it unclear who is conducting a transaction or purchase?
● Resources: Are a client’s funds made up of a disproportionate amount of private funding or cash, in relation to their socioeconomic profile?
● Behaviour: Is the client behaving oddly in either a personal or a public capacity, given the nature of their role in the business? Or do they have links to people acting oddly?
● Documents: Are information or documents being withheld by the client or their representative, or do they appear to be falsified?
● Choice of professional: Have you, or other professionals who are involved, been instructed at a distance, asked to act outside of your usual speciality or offered an unusually high fee?
Find out more at www.aiaworldwide.com/my-aia/aml/suspiciousactivity-reporting and access specific guidance for UK and ROI regulated firms related to spotting the red flags of money laundering and terrorist financing.
The full name of the company, the registered number and the registered office address and, if different, principal place of business, must be verified. Firms must also take reasonable measures to determine and verify key information about the company. Beneficial owners should be verified on a risk-based approach, so for high-risk clients, more verification work should be performed. If the firm has exhausted all possible means of identifying the beneficial owner of the company, the firm must take reasonable measures to verify the identity of the senior person in the company who is responsible for managing it, and keep records in writing of all the actions the firm has taken and any difficulties it has encountered.
Electronic client verification resources
There are several electronic databases or online platforms which firms may use to check and maintain information on a client’s identity. Many of these services can be found online and are often used by firms as part of client identification procedures. Under the UK anti-money laundering (AML) regime, information from electronic databases is an acceptable form of verification of clients’ identities.
When not to make a discrepancy report...
You do not need to report in specific circumstances:
● If you have already made a discrepancy report, you do not need to report the same discrepancy again.
● If the discrepancy is resolved in the time between identifying it and submitting a report, you do not need to report it.
● It is not a discrepancy when the entity holds information that we do not include on the PSC register.
● A spelling error is not a discrepancy; for example, Jon Smith instead of John Smith, or a missing or slightly different spelling of a middle name.
● Minor variations in an address are not a discrepancy, nor is it a discrepancy where a nationality of Welsh, English, Scottish or Northern Irish is given but the register shows UK.
● A PSC must own more than 25% of shares to be registrable, so you do not need to report a missing PSC if they own 25% or less. (This does not impact people who are PSCs because they control the company in another way.)
● Where a company has claimed an exemption from providing their PSC details because they are trading on a regulated market, PSC details will not be shown on the register so you do not need to report a discrepancy.
This means that electronic identification can be used either as part of a wider process or, where appropriate, as the only source of identification. However, the firm remains responsible for ensuring that it adequately verifies all its clients’ identities. There are inherent weaknesses in relying on third-party software to undertake due diligence and it is important that firms take steps to mitigate associated risks.
For example, before using electronic client verification resources, AIA recommends that firms assess whether the information received from these databases is sufficiently reliable, comprehensive and accurate. It is useful to consider whether:
● the system draws on multiple sources;
● the data is up to date; and
● there are regular tests to ensure the integrity of the data.
AIA encourages all members to consider their own client identification needs and not to conclude that any ‘off the shelf’ product will be necessarily appropriate in all cases. Firms should take a risk-based approach, considering the depth of scrutiny needed on a case-by-case basis. Some clients may be considered higher risk and therefore warrant more extensive checks; for example, where politically exposed persons (PEPs) are present or the client operates in a high-risk jurisdiction.
It is vital that firms record evidence of their information gathering and client verification, as this will be assessed during any monitoring review. Overall, the firm has a responsibility to demonstrate that all reasonable steps have been taken to satisfy itself that the client is who they purport to be.
Spotting and reporting suspicious activity
Occasionally, information can come to a firm in the course of undertaking client due diligence which means they are required to file a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR).
If you suspect that money laundering may be taking place, you are legally obligated under the 2017 Money Laundering Regulations to submit a SAR or STR. It is important to consider whether or not it is appropriate to continue to act for the client and continue a business relationship.
Recognising warning signs of money laundering is a continual challenge but there is guidance available to help: typologies, alerts and sector guidance provided to AIA members.
Customer due diligence is a key part of a robust risk-based approach. There are several key red flags that could indicate that there is a strong chance of money laundering being present. One of these may also be where you are unable to verify the identity of your client, documents do not match originals presented by your client or your client is evasive when you look to seek verification of their identity.
Reporting discrepancies
Under regulation 30A(3) of the Money Laundering and Terrorist Financing (Amendment) Regulations (MLR) 2019, firms must report any discrepancies between information collected from a relevant register and information obtained while undertaking AML requirements under the regulations, such as client due diligence or ongoing monitoring.
Before establishing a business relationship with any UK company or entity, the firm must obtain proof of their client’s registration on the People with Significant Control register, or an excerpt of the register. In addition, from 10 March 2022 a firm establishing a business relationship with a trust must obtain proof of the trust’s registration on the Trust Registration Service (TRS) if the trust is required to be registered.
If the firm identifies a discrepancy between the information that they gather during client take-on processes and the information that is on the PSC register or TRS, the firm must report that discrepancy to Companies House or HMRC as applicable.
A person with significant control (PSC) is someone who owns or controls a company. A company can have one or more PSCs. The purpose behind discrepancy reporting is to ensure that the information on the PSC register is adequate, accurate and current. Discrepancy itself is not defined within the Regulations, but there is an expectation from government that material differences should be reported. A discrepancy therefore is when the information that an obliged entity holds about a beneficial owner is different to the PSC information recorded by Companies House.
This could include:
● a difference in name;
● an incorrect entry for nature of control;
● an incorrect entry for date of birth;
● an incorrect entry for nationality;
● an incorrect entry for correspondence address;
● a missing entry for a person of significant control or a registrable beneficial owner; and
● an incorrect entry for the date the individual became a registrable person.
A discrepancy should be reported as soon as reasonably practicable after the discrepancy is discovered, which would normally be within 15 working days of establishing that a material discrepancy exists.
This means that firms have the opportunity to discuss the potential discrepancy with the client to establish whether an inadvertent error has been made and will be corrected without delay. The outcome of any such discussion with the client will allow the business to conclude whether a material discrepancy exists and is reportable. Businesses are not obliged to discuss the identified discrepancy with the client before making a report.
Businesses do not have to wait for a response from Companies House or HMRC before taking on their clients. The decision as to whether to establish a business relationship with that entity is up to the business, based on its usual risk-based approach. Businesses should assess the relevance of any discrepancies within their client due diligence process. In particular, if it appears the discrepancy is intentional, the business should consider whether other information it has received from the client is true and reliable.
A discrepancy report is not a substitute for a SAR but finding a discrepancy does not in itself require a regulated firm to submit a SAR. The normal tests for when a SAR is required still apply – those that we have discussed previously.
In the case of a ‘designated person’ in the Republic of Ireland, Regulation 20(3)(b) states that if a designated person carrying out customer due diligence on an entity, or otherwise, forms the opinion that there is a discrepancy between the information in the central register (RBO) and the information the entity must hold in its internal register of beneficial ownership, then the designated person shall deliver, in a timely manner, to the Registrar notice of that opinion, specifying the particulars as respects which the foregoing discrepancy exists. This is completed using Form DN1 which must be submitted online via the RBO Sharefile account. More information is available at bit.ly/3hLOAlc.
Specific guidance on using online reporting tools is available at bit.ly/3UUaNfe. However, you should be prepared to provide company information, the nature of the discrepancy and any other relevant information to make your report easier to complete. It should take around ten minutes. You should then keep records of any reports made for a period of five years in your client file.
Companies House will then investigate the discrepancy report and, in most cases, contact the company. If the information on the register is incorrect, Companies House can use a new power which allows them to remove incorrect information. They will expect the company to update the register and will undertake compliance action if this does not happen.
If a business identifies a discrepancy on the PSC register or TRS and the client corrects the discrepancy within a reasonable period, the business does not need to make a report to Companies House or HMRC if they are satisfied that the PSC register or TRS is now correct. This is on the basis that no material error would exist. Similarly, if there is a change in ownership of a client, a discrepancy between the PSC register and the information collected is only reportable if the client does not update the PSC details within the permitted time period for doing so.
Find out more
If you’ve missed an AML update webinar you can catch up quickly and easily online, for free. There are a wide variety of topics available which provide in-depth guidance on specific AML requirements:
www.aiaworldwide.com/my-aia/aml
Guidance on CDD requirements: