Anti-money laundering – a guide to customer due diligence

Under the Fourth Money Laundering Directive, CDD is required by anyone trading goods in cash with a value over €10,000, down from the previous amount of €15,000.

Customer Due Diligence and Anti-Money Laundering

Ensuring your staff are able to carry out effective customer due diligence goes a long way to ensuring your staff and clients are not facilitating money laundering. Processes to be aware of and understand include submitting a suspicious activity report (SAR), taking a risk-based approach and knowing which supporting documents should be requested from clients. Here is some guidance on carrying out customer due diligence and how to deal with potential red flags.

The guidance is taken from our interactive e-learning course, Anti-Money Laundering: Know Your Risk. You can demo the course for free here. The course is in line with the Fourth and Fifth Money Laundering Directives and will be updated when the Fifth Directive comes into force.

What is customer due diligence?

Customer due diligence is the process of identifying your customers and checking they are who they say they are. In practice, this means obtaining a customer’s name, a photograph on an official document which confirms their identity, and their residential address and date of birth. There are three levels of customer due diligence: standard, simplified and enhanced.


3 Levels of Customer Due Diligence (CDD)

Standard customer due diligence

This involves identifying the customer and ensuring the identification is based on a reliable independent source. The purpose and intended nature of the business relationship or transaction must be assessed and further information obtained where appropriate.

Simplified customer due diligence

This can be applied when a risk assessment has shown a negligible or low risk of money laundering. The only requirement is to identify the customer and there is no need to verify the customer’s identity.

Enhanced customer due diligence

Enhanced CDD must be applied when the risk of money laundering is high, such as if the person in question is a politically exposed person. Enhanced due diligence measures can include:

  • Additional identification information from the customer
  • Information on the source of funds or source of wealth
  • The intended nature of the business relationship
  • The purpose of the transaction
  • Subjecting the customer to additional ongoing monitoring procedures

Submitting a suspicious activity report (SAR)

Financial institutions must submit a SAR if they suspect something in a transaction is illegal. Law enforcement will make a decision after a SAR has been submitted and the firm must not reveal to the customer that a SAR has been submitted.

Once a SAR is submitted, in the UK, the NCA has 7 working days to respond to the SAR. If it responds, it will either give consent or require a further “moratorium period” of 31 calendar days to investigate the matter before giving or refusing consent. If the NCA does not respond within the 7 working day period (or within the 31 calendar day “moratorium period”), there is deemed consent and the relevant individuals/entities who made the SAR will have a defence if they proceed with the activities.

The risk-based approach to anti-money laundering

Money laundering measures must take a risk-based approach at every level. There are national risk assessments which highlight money laundering risks in general, and every organisation must complete its own company-wide risk assessment as well as a risk assessment for each customer and area of the business.

A risk assessment must include:

  • Requirement to demonstrate and document that risk assessments are conducted and kept up to date, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels
  • Written money laundering policies and procedures that take the firm’s risk assessment into consideration
  • Internal audit teams, where necessary, to test the internal policies, controls and procedures
  • Training on how to conduct risk-based CDD and ongoing monitoring

Be aware of hidden beneficial owners

A customer who wishes to launder money may use one of a number of structures to obscure or disguise the beneficial ownership of assets. Here are some of the methods that could be used:

  • Shell company – a company without any activity or that has no significant assets or operations
  • Front company – using a legitimate business to hide criminal activity and create legitimate funds
  • Double invoicing – sending funds from an offshore company that is actually repatriating already smuggled cash
  • Trusts – assets are placed into a trust for a beneficiary which can be paid without requiring a justification for a source of wealth
  • Bearer bonds, securities and cheques – where ownership is by physical possession, and can be cashed at any time
  • Charities and non-profits – cash intensive organisations that can take deposits without arousing great suspicion under the guise of using funds for a legitimate purpose


Keep central registers of beneficial owners

Organisations are required to maintain accurate and current information on their beneficial ownership. They must provide that information to the government. The information on beneficial ownership is held by the government in a central register that is accessible to banks, law firms and “any person or organisation that can demonstrate a legitimate interest”. These interconnected registers contain the names, dates of birth, nationality, country of residence and the nature and extent of the beneficial owners’ interests in the transaction.

Request the correct supporting documents

If you are conducting enhanced due diligence due to a high risk transaction, you may, and in many cases should, request at least one of the following from the client:

  • bank statements,
  • recently filed business accounts, or
  • documents confirming the source such as a sale of a house, the sale of shares, receipt of a personal injuries award, a bequest from an estate or a win from gambling activities.

When cash is involved, proving the transaction becomes more difficult as a bank statement showing a cash withdrawal does not mean that it’s the same cash which the client is in possession of. Equally, a bank statement showing a cash deposit does not prove where the cash has come from in the first place.

Not everyone is efficient or able to keep detailed records, so a lack of documentation does not always mean that money laundering is taking place. However, you should always ask yourself whether it is consistent with what you know about the client and whether there is any other information that makes you suspicious; this should be recorded and investigated.

All your anti-money laundering resources on one page

VinciWorks’ anti-money laundering resource page contains a host of resources, from policy templates and guides to course demos. The resources are regularly updated to ensure they are in line with the latest regulations, such as the Fourth Directive, and will be updated further when the Fifth Money Laundering Directive comes into force. You can get instant access to our resources by clicking on the button below.

Anti-money laundering resource page
