The regulations keep the core requirement that you must perform client due diligence before you establish a business relationship and when you identify any factors relevant to your risk assessment that have changed. These may include:
- your client’s identity has changed
- you have identified a transaction that isn’t consistent with your knowledge of your client
- the services you are providing to your client have changed.
You must still identify and verify the owner and the beneficial owner but the regulations state that you can’t rely solely on Companies House.
There are three key changes to the CDD requirements:
- You must now also complete CDD where you only perform company formation services, even if that service is a one-off service for that client (s.4(2)).
- You must also identify and verify the identity of a person purporting to act on behalf of your client.
- You must obtain and verify the name of the body corporate, its registration number, its registered address and principal place of business. You must also take reasonable measures to determine and verify the law to which it is subject, its constitution (set out in governing documents) and the names of the board of directors and its senior management (s.28(3)).
Simplified due diligence (SDD) (s.37)
Under MLR07, SDD was the default option for a defined list of entities – for example, listed companies.
Instead, the regulations now embed SDD into the risk-based approach. You must still perform CDD but you may limit that due diligence based on whether you think SDD is appropriate. The regulations give a list of low-risk factors where SDD may be appropriate, which is similar to the list of entities in MLR07 (ie credit or financial institutions) but also includes customers in geographical areas of lower risk.
Enhanced due diligence (EDD) (s.33)
The rules around EDD are significantly different under the regulations. There is a defined list of situations where you must apply EDD. These are:
- where there is a high risk of money laundering or terrorist financing
- in any business relationship with a client established in a high-risk country
- if the client is a politically exposed person (PEP), or a family member or known close associate of a PEP
- in any case where the client has provided false or stolen identification documentation or information on establishing a relationship
- in cases where you identify that the client has entered into transactions that are complex and unusually large, or there is an unusual pattern of transactions, and the transaction or transactions have no apparent economic or legal purpose.
If your risk assessment identifies that you should carry out EDD, then you must, as a minimum:
- As far as reasonably possible, understand the background and purpose of the transaction.
- Increase the degree and nature of monitoring of the business relationship to determine whether the transaction or your business relationship is suspicious.
You may also choose to perform one of the following measures:
- Seek additional independent, reliable sources to verify information the client has provided to you.
- Take additional measures to understand better the background, ownership and financial situation of your client, and other parties to the transaction.
- Take further steps to satisfy yourself that the transaction is consistent with the purpose and intended nature of the business relationship.
- Increase your monitoring of the business relationship, including greater scrutiny of transactions.
The regulations give a list of risk factors that might indicate that there is a high risk of money laundering or terrorist financing. You should consider these when assessing if EDD might be appropriate (s.33).