ECSH33310 - Testing customer due diligence: when customer due diligence is required
You must establish when a business needs to apply customer due diligence (CDD) measures, as required by of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). This is when:
- A business relationship is established with a customer or an occasional transaction is carried out.
- Money laundering or terrorist financing (ML/TF) is suspected.
- There are doubts about a customer’s ID or information already provided.
- It is necessary for existing customers, for example if their circumstances change.
You will need to use sector specific information in ECSH51500, your understanding of the business activities, your review of its risk assessment, its policies, controls and procedures (PCPs), and the topics discussed throughout your intervention to help you decide if the business should have conducted CDD.
Money laundering or terrorist financing is suspected
If the business suspects money laundering or terrorist financing, it must carry out CDD measures to be able to raise a suspicious activity report (SAR).
There are doubts about a customer’s ID or information already provided
A business must apply CDD in these circumstances. For example, a business recognises a customer has carried out previous transactions, which do not require CDD measures. The business asked the customer their name and the purpose of the transaction and recalls the customer had said that they lived out of town but were in the area for work. The second instance, the customer gave a different name and said that they were visiting the area for a week on holiday. The inconsistency in the information provided by the customer should prompt the business to apply its CDD measures under regulation 27(1)(d) and consider whether it should submit a SAR.
At other times based on a risk based approach
A business must apply CDD when becoming aware of a change of circumstances of an existing customer that affects the risk associated with that customer, as required by (8), regulation 27(9) sets out what must be considered (see ECSH33375 Ongoing monitoring). See the Existing Customers section starting at paragraph 5.3.17 of the .
There is a requirement on UK body corporates to inform the business of changes to its information (such as a change of name, address, directors or beneficial owners) which should trigger a review under regulation 27(8). See of MLR 2017 for details.
You should check whether the business has PCPs detailing what to do in all the above scenarios and then question if it has come across these scenarios, to test that it applied CDD measures at the correct time. Use the 5WH (who, what, when, why, where, and how) to aid you in questioning the business on this topic.
Where CDD has not been carried out
To help you decide if there has been a breach of regulation 27, consider if the business conducted CDD when required to do so. If it didn’t, you must establish how the breach occurred, in order to consider whether the business has taken reasonable steps to comply – see ECSH34005.
If it has not taken reasonable steps, you will need to consider what Sanction/s are appropriate. You must clearly set out when the business was required to carry out CDD under regulation 27 when writing your Table of Failures – for example:
· If an estate agency business failed to carry out any CDD on a purchaser when their offer was accepted by the seller, the breach would fall under regulation 27(1) (with reference to regulation 4(3)).
· If a currency exchange office failed to carry out CDD on a customer carrying out an occasional transaction, the breach would fall under regulation 27(2).
· If a high value dealer failed to carry out CDD on a customer carrying out an occasional transaction in cash, the breach would fall under regulation 27(3).
· For an art market participant occasional transaction, the breach would be under regulation 27(7C).
If the business has carried out some CDD, but the measures taken do not meet the requirements set out in regulation 28, see ECSH33325 Confirming customer due diligence measures are appropriate.
If CDD has been carried out, but verification was not done at the correct time, see ECSH33380 Timing of verification.
If you have identified situations where you suspect ML/TF which should prompt CDD, but where it has not been done, you should consider:
- Has the business assessed these risks in the first place? - If not, has this led to a breach of regulation 27?
- Has the business identified the risk since, by reviewing cases and management information?
- Has it subsequently now identified and assessed the risks so that the same breaches do not appear in the future? - If not, why?
- Are the risk management systems and internal controls sufficiently identifying instances where there may be a risk which it was not aware of?
- Has this prompted a review of its risk assessment under regulation 18? – see ECSH33205 Checking risk assessment and management.