The LSAG AML Guidance – Client Due Diligence (CDD)

This is the third blog in a series to help law firms grapple with the latest Legal Sector Affinity Group (LSAG) guidance on the Money Laundering Regulations. 

What is CDD?

Client due diligence, or CDD, is the process of identifying your clients and checking that they are who they say they are. In practice, this is often viewed as a tick-box process, with CDD simply consisting of taking photocopies of passports and utility bills when new clients are onboarded. However, whilst that is often an element of what is required, CDD is far broader than that, with the exact information to be gathered (as well as the timing of when CDD should be revisited) depending on the circumstances. 

The LSAG Guidance explains: 

CDD is the collective term for the checks you must do on your clients, which may differ depending on the circumstances. It is holistic in nature and is wider than simply undertaking identification and verification of clients.

Some examples of what CDD processes can include are: 

  • Identifying clients (and beneficial owners) and verifying their identities
  • Assessing clients’ source of wealth
  • When acting for an entity (rather than an individual) making sure you understand the client’s ownership and control structure

When do I need to undertake CDD?

The regulations require CDD to be undertaken whenever a business relationship is established with a client. In order to be a “business relationship”, the regulations state that there must be an expectation at the time of establishment that the relationship will have “an element of duration”. Wherever that is the case, CDD should be undertaken. 

There may be some law firms that decide not to apply CDD where they do not consider a specific piece of work to be part of a “business relationship”. However, whilst this may be permissible in a limited number of cases, there can be issues with this approach. Where a firm does not presume a business relationship is being established when acting for a new client, it must have procedures in place to ensure that, if a business relationship is subsequently established, CDD will then be applied. Otherwise, fee earners may presume that, because they are familiar with a specific client, there is no need to go through the full AML onboarding process. Accordingly, many firms choose to undertake CDD for all new clients, regardless of whether they consider that this will constitute the start of a “business relationship”.

Other situations requiring CDD

Even if a business relationship is not being established, the regulations also require lawyers to undertake CDD when carrying out certain occasional transactions. 

As set out in both the regulations and the LSAG Guidance, CDD should also be undertaken whenever money laundering or terrorist financing is suspected, as well as whenever there are doubts concerning the veracity or adequacy of documents or information previously obtained. Furthermore, even in the absence of suspicion of money laundering, the regulations require some form of ongoing monitoring of business relationships.

This involves: 

  • Analysing whether a client relationship or transaction has proceeded as anticipated, and is in keeping with your knowledge of the client’s business affairs
  • Periodically reviewing the documents held in relation to a specific client.

It should thus be clear that whilst the most extensive information-gathering exercise may take place when clients are onboarded, CDD must also be undertaken throughout the course of a client relationship. 

CDD on different entities 

As mentioned above, there are a range of factors that can influence the exact information that needs to be collected from a client. One of the key factors will, of course, be the type of client entity. When acting for individuals, the guidance states that their “name, date of birth and current address… should be verified, using independent sources”. The guidance addresses some exceptional cases where clients are unable to produce standard documentation, but says that verification of identity can generally be achieved by obtaining: 

  • One government document that verifies either name and address or name and date of birth
  • A government document that verifies the client’s full name and another supporting document that verifies their name and either their address or date of birth

When acting for an entity, rather than an individual, the guidance says that you “must identify the customer and take reasonable measures to understand the ownership and control structure of that [customer]”. What this entails in each situation can vary greatly, and depends on factors such as the type of client entity, or its jurisdiction of incorporation. But, by way of example, when acting for a UK company, a firm must generally identify and verify:

  • The company name; 
  • The company number; 
  • Its registered office address;
  • Its main place of business (if different); and  
  • Any beneficial owner(s) of the company.

A firm should also seek to obtain a copy of the company’s articles of association, as well as the names of all the directors, and other people responsible for the company’s operations. 

For non-UK companies, after finding out the law to which it is subject, a firm should also seek to obtain the equivalent information and constitutional documents to those outlined above. 

The requirements above are an example of the information which is typically required when acting for a company. But there are situations in which a simplified version of CDD (known as simplified due diligence, or SDD) is acceptable instead. Conversely, there are situations where you must undertake enhanced due diligence (EDD) on the client entity. We will deal with the situations which require EDD in our next blog.

VinciWorks’ AML client onboarding solution

Easily edit your client onboarding form, including adding and editing questions, as well as editing form logic

VinciWorks’ AML client onboarding solution gives firms peace of mind that all necessary information has been recorded and that the firm has a strong defence in case of a breach. It can be used to streamline both the risk assessment and document collection aspects of client onboarding.

Features

  • 100% customisable — admins can edit questions and tweak the risk assessment process
  • Upload documents via the questionnaire, which can be used to access all client information and documents in one centralised portal
  • Choice of direct client access or internal-only use
  • Conditional logic — the form adapts as it is completed, so relevant questions are asked based on the identified risk level
  • Securely share CDD analysis and information between offices for complex matters
  • Conduct and record regular checks to comply with ‘ongoing monitoring’ requirements