The LSAG AML Guidance – Enhanced Client Due Diligence (CDD)

This is the fourth blog in a series to help law firms grapple with the latest Legal Sector Affinity Group (LSAG) guidance on the Money Laundering Regulations. 

When do I need to undertake EDD? 

In the previous blog in this series, we introduced and defined client due diligence (CDD). We explained how CDD differs, depending on the type of client entity, focusing on the requirements for individuals and companies. We also mentioned that there are three different levels of CDD that can be applied when identifying your clients: standard due diligence, simplified due diligence (SDD), and enhanced due diligence (EDD).

In this, the fourth in our LSAG blog series, we will be looking more closely at EDD, and the situations which require you to examine a client’s background more thoroughly than the standard CDD process allows.

Examples of when EDD is required include: 

  1. When the client (or one of its beneficial owners) is based in a high-risk country
  2. Anytime you identify the client as posing a higher risk of money laundering or terrorist financing
  3. When you are acting for a client who is a PEP (politically exposed person). 

In these situations, the LSAG Guidance sets out the information you should obtain as part of the EDD process. For instance, the guidance sets out a list of questions you should ask with regard to the client’s PEP status. These include: specifying the role the individual holds, considering whether there is a potential for your services to be misused for corrupt purposes, and detailing the level of scrutiny the PEP is subject to.

Does EDD just mean asking more questions during client onboarding? 

We gave some examples above as to the questions you should ask when acting for a PEP. In addition to those PEP questions, you should also consider asking other questions, such as with respect to the client’s ultimate beneficial owners (UBOs). For example, you may ordinarily only obtain information on UBOs who own or control more than 25% of the client entity. But if you’re applying EDD, you might consider examining UBOs who own less than 25% of the company. 

Another important area to consider is the client’s source of wealth. Whilst your standard CDD process should involve some enquiries as to the client’s financial background, the guidance says that, as part of the EDD process, you should take additional measures to understand the client’s source of wealth. This could involve asking the client more questions as to how they accumulated their overall body of wealth, but it should also include seeking additional evidence to verify information already acquired. 

However, whichever questions form part of your firm’s EDD process, it is important to remember that EDD does not just involve asking the client more questions during the onboarding process. As well as giving examples of questions that should be asked as part of the EDD process, the guidance also reiterates the requirement in the Regulations that enhanced ongoing monitoring be undertaken whenever EDD is applied. That means subjecting the client to increased levels of scrutiny throughout the course of the business relationship. 

Another important aspect of EDD is recording the way in which the information came to you, not just the information itself. This means, when undertaking EDD, you should record how your firm obtained the extra information. Was it by searching publicly available sources, or did the information come from the client? Furthermore, if the client was asked additional questions, you should record the way that they reacted to being asked those questions. Did they readily volunteer the information, or were they reluctant to do so? 


CDD and the Risk-Based Approach 

Noting the client’s reactions to being asked additional questions, and not just the answers themselves, is important because being obstructive can be an indicator that the client poses a higher risk of money laundering or terrorist financing. 

The reason asking additional questions is not enough is that identifying your clients is not the primary purpose of CDD. Identifying your clients is simply part of the process of trying to prevent your firm from being used to commit financial crimes. For that reason, whichever level of CDD you apply, the decision should always be taken using a risk-based approach. A high-risk client should lead to more extensive checks, and a low-risk client may mean that some of the standard CDD requirements can be dispensed with. 

Accordingly, while CDD and risk assessments are separate parts of the AML process, they should also be connected. This is illustrated by the impact that the enhanced due diligence and risk assessment processes can have on one another:  

  • A risk assessment which concludes that a client is a high risk will prompt the need to do EDD
  • Conversely, the EDD process may prompt you to go back and change the risk level

It is for this reason that the process of undertaking both risk assessments and CDD should be dynamic, rather than static, as recommended in the second blog in this series. 

Remember, whichever level of CDD you apply, its purpose is knowing who you’re acting for, what their intentions are, and trying to spot any red flags. 
