SP3 All firms must know their customer to such an extent as is appropriate for the risk profile of that customer.
Having sufficient information about your customer - “knowing your customer” - and making use of that information underpins all anti-money laundering and combating the financing of terrorism efforts, and is the most effective defence against being used to launder the proceeds of crime. If a customer has established an account using a false identity, they may be doing so to defraud the institution itself, or to ensure that they cannot be traced or linked to the crime the proceeds of which the firm is being used to launder. A false name, address, or date of birth will usually mean that law enforcement agencies cannot trace the customer if they are needed for interview as part of an investigation.
Section 10B of the Crime (Money Laundering and Proceeds) Act requires all firms to seek satisfactory evidence of the identity of those with whom they deal (referred to in these Guidance Notes as “customer identification documentation”). Unless satisfactory evidence of the identity of potential customers is obtained in good time, the business relationship must not proceed.
When a business relationship is being established, the nature of the business that the customer expects to conduct with the firm must be ascertained at the outset to establish what might be expected later as normal activity. This information should be updated as appropriate, and as opportunities arise. In order to be able to judge whether a transaction is or is not suspicious, firms need to have a clear understanding of the business carried on by their customers. This must entail such ongoing monitoring of the business relationship, as is appropriate to the nature and scale of the business and the risks posed by the customer. This ongoing monitoring must include scrutiny of the transactions being conducted to ensure that these are consistent with the knowledge of that customer, the business and the risk profile and the source of funds. Where necessary the ongoing monitoring will require updating of the firm’s documentation.
A firm must establish to its satisfaction that it is dealing with a real person (natural, corporate or legal), and must verify the identity of persons who are authorised to operate the business relationship. Whenever possible, the prospective customer should be interviewed personally.
The verification procedures needed to establish the identity of a prospective customer should basically be the same whatever type of account or service is required. The best identification documents possible should be obtained from the prospective customer i.e. those that are the most difficult to obtain illicitly. No single piece of identification can be fully guaranteed as genuine, or as being sufficient to establish identity so verification will generally be a cumulative process.
! The overriding principle is that every institution must know who their customers are, and have the necessary customer identification documentation, or data to evidence this.
The application of customer diligence measures can be complex in order to come to a set of documents which are collectively known as the “customer identification documents”. The customer identification documents form the basis of the firm’s knowledge of the underlying customer and are what will drive the risk-profiling and therefore the intensity of the measures that are to be applied.
The requirements for customer due diligence can be summarised in the diagram below and the following sections describe in more detail what is required for each.
Figure – Customer due diligence measures and customer identification documentation summarised.
R59 Firms must apply customer due diligence measures in the following cases;
a. When establishing a business relationship;
b. When carrying out a one-off transaction amounting to €15,000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked;
c. Where there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold;
d. When there are doubts over the veracity or adequacy of previously obtained customer identification data.[18]
R60 Customer due diligence measures shall comprise the following, but the extent to which each of these is applied shall be determined on a risk-sensitive basis;
a. Identifying the customer and verifying the customer’s identity on the basis of documents, data or other information obtained from a reliable and independent source;
b. Identifying, where applicable, the beneficial owner so that the firm is satisfied that it knows who the beneficial owner is, including, as regards legal persons, trusts and similar legal arrangements understanding the ownership and control structure of the customer;
c. Obtaining information on the source of the income or wealth and the purpose and intended nature of the business relationship;
d. Conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the firm’s knowledge of the customer, the business and risk profile, including, where necessary, the source of funds and ensuring that the documents, data or information held are up to date.[19]
R61 The term “beneficial owner” is to be interpreted throughout these Notes as meaning the following;
“The person(s) who ultimately owns or controls the customer and/or the natural person on whose behalf a transaction or activity is being conducted and includes, at least, the following;
In the case of a corporate entity;
2. The natural person(s) who otherwise exercises control over the management of a legal entity;
5. The natural person(s) who exercises control over 25% or more of the property of a legal arrangement or entity.”[20]
R62 Generally, a firm should never establish a business relationship until all the relevant parties to the relationship have been identified and the nature of the business they expect to conduct has been established.
Once an ongoing relationship has been established, any regular business undertaken for that customer should be assessed at regular intervals against the expected pattern of activity of the customer. Any unexpected activity can then be examined to determine whether there is a suspicion of money laundering. (See 7.8 below on monitoring requirements)
! A firm may complete the verification of the identity of the customer and beneficial owner during the establishment of the business relationship if this is necessary not to interrupt the normal conduct of business and where there is little risk of money laundering or terrorist financing occurring. In these situations these procedures shall be completed as soon as practicable after the initial contact and in all cases, before completion of the transaction[21].
Section 10D states that what constitutes an acceptable time span must be determined in the light of all the circumstances including the nature of the business, the geographical location of the parties, and whether it is practicable to obtain evidence before commitments are entered into, or money passes.
R63 Section 10F stipulates that if satisfactory evidence of identity has not been obtained, a firm must not carry out a transaction or establish a business relationship.
! A firm can start processing business immediately, provided that at the same time it is taking steps to verify the customer's identity. Clearly, every effort should be made to complete verification before settlement takes place unless this is impracticable for good reasons. Of course, the verification must be completed even if settlement has occurred.
! In the case of a life assurance product, the verification of the identity of the beneficiary under the policy may be deferred until after the business relationship has been established. In this case, verification shall take place at or before the time of payout or at or before the time the beneficiary intends to exercise rights vested under the policy[22].
R64 Firms may permit opening of bank accounts provided that there are adequate safeguards to ensure that transactions are not carried out by the customer or on its behalf until full compliance with the customer identification measures has been achieved[23].
R65 Where a person is unable to comply with customer due diligence requirements of a firm, the firm may not carry out a transaction through a bank account, or establish a business relationship. In certain circumstances, a firm may have to freeze (see 7.2.1 below) or cancel a transaction after it has dealt but before settlement. The firm must also give consideration to making a suspicious transaction report to GFIU in accordance with Chapter VIII.
The customer may continue to deal as usual, but, in the absence of the evidence of identity, proceeds should be retained. Documents of title should not be issued, nor income remitted (though it may be re-invested).
Where an investor exercises cancellation rights, or cooling off rights, the sum invested must be re-paid (subject to any shortfall deduction where applicable). The repayment of money arising in these circumstances does not constitute "proceeding further with the business". However this could offer a readily available route for laundering money.
R66 Firms should be alert to any abnormal exercise of cancellation/cooling off rights by any customer, or in respect of business introduced through any single intermediary. In the event that abnormal exercise of these rights becomes apparent, this should be regarded as suspicious, and reported via the usual channels (see Chapter VIII below).
It is recognised that there may be exceptional circumstances when applicants for business will not be able to provide appropriate documentary evidence of their identity and where independent address verification is impossible. In such cases, firms might agree that a senior manager may authorise the business if he is satisfied as to the applicant’s acceptability. The reasons supporting this decision should be recorded in the same manner and retained for the same period of time as other identification records. If the senior manager is not satisfied, or money laundering is suspected, then the firm must not proceed with the business.
! Where these circumstances arise, internal procedures must provide appropriate advice to staff on how identity can be confirmed. If money laundering or terrorist financing is known or suspected, the reporting procedures should be followed, taking care that "tipping-off" does not occur.
When a company acquires the business of another financial services company or firm, either in whole, or as a product portfolio (e.g. the mortgage book), it is not necessary for the identity of all existing customers to be verified again, provided that all customer account records are acquired with the business, and that the due diligence enquiries prior to acquisition do not give rise to doubt that anti-money laundering and combating the financing of terrorism procedures followed by the business accorded with Gibraltar requirements.
R67 In the event that the AML and CFT procedures previously undertaken by the acquired firm have not been in accordance with Gibraltar requirements, or the procedures cannot be checked, or the customer records are not available to the acquiring firm, verification of identity and KYC procedures will need to be undertaken for all transferred customers as soon as practicable.
R68 Customer due diligence measures in these Notes must be applied, not only to new customers but also, at appropriate times to existing customers on a risk-sensitive basis[24].
Firms will need to consider what an “appropriate time” is. Many firms may consider certain “trigger events” to be the main driver for revising the customer identification documentation held on the customer. Firms may decide to implement the revised measures in a staggered approach. For example, a customer’s change of address might only trigger the verification of the address to be invoked yet a customer wanting a new product or service should merit a complete risk profiling.
! Nothing in these Notes requires that firms conduct an identification or remediation programme of the existing customer base.
However, if money laundering or terrorist financing is known or suspected or the firm doubts the veracity of previously conducted customer due diligence measures, then the requirements of these Notes need to be applied.
The meanings of "Applicant for Business", "Business Relationship" and "One-Off Transaction" are essential to an understanding of this guidance, and these terms are defined below.
It is important to determine whether the applicant for business is undertaking a one-off transaction, or whether the transaction is the initial step in an ongoing business relationship as this can affect the verification requirements. The same transaction may be viewed differently by a firm and by an introducer depending on their respective relationships with the applicant for business. Therefore, where a transaction involves an intermediary, both the firm and the intermediary must separately consider their positions, and ensure that their respective obligations regarding verification of identity and associated record keeping are met.
For example, from a life company's viewpoint, most dealings with an applicant will fall within the definition of a business relationship, as even with single premium contracts there will generally be an intention to establish an on-going relationship with the customer. For a unit trust manager, an applicant may be making a one-off purchase, or entering into a business relationship in the form of a regular savings plan. If an intermediary is involved, it may be dealing with an applicant to a life company or a fund operator within the context of a business relationship, or as an occasional customer undertaking a one-off transaction. Most transactions undertaken by exchange bureaux will be one-off transactions.
A firm may conclude, under its risk-based approach, that the minimum due diligence requirements are insufficient in relation to the money laundering or terrorist financing risk, and that it should obtain additional information about a particular customer. Nothing in these Notes prevents a firm from taking a stronger view of the minimum requirements so long as it can justify that the approach is within a risk-based approach.
! As a part of a risk-based approach, firms may need to hold sufficient information about the circumstances and business of their customers for two principal reasons:
o to inform its risk assessment process, and thus manage its money laundering/terrorist financing risks effectively; and
o to provide a basis for monitoring customer activity and transactions, thus increasing the likelihood that they will detect the use of their products and services for money laundering and terrorist financing.
The extent of additional information sought, and of any monitoring carried out in respect of business relationship will depend on the money laundering or terrorist financing risk that the risk profile of the business relationship presents to the firm.
In practice, under a risk-based approach, it will not be appropriate for every product or service provider to know their customers equally well, regardless of the purpose, use, value, etc., of the product or service provided. Firms’ information demands need to be proportionate, appropriate and discriminating, and to be able to be justified to customers.
R69 A firm should hold a fuller set of customer identification documentation in respect of those business relationships assessed as carrying a higher money laundering or terrorist financing risk.
At all times, firms should bear in mind their obligations under the Data Protection Act only to seek information that is needed for the declared purpose, not to retain personal information longer than is necessary, and to ensure that information that is held is kept up to date.
At the time this guidance comes into effect, firms are not expected to obtain additional information in respect of existing customers, or classes/categories of customer. However, firms should have regard to 7.2.4 above, which gives guidance on what they should do in respect of existing customers.
The person whose identity must be verified is described throughout the Sections as an "applicant for business". Who this is will vary:
· a customer dealing on his own behalf is clearly the applicant for business;
· when a customer is acting as agent for a principal (for example, as authorised manager of a discretionary investment service for clients) and deals in his own name on behalf of an underlying client, then it is the customer acting as the agent, and not his client, who is the institution's applicant for business. The underlying client may well be, in turn, an applicant for business so far as the agent is concerned;
· when a person wants an investment to be registered in the name of another (e.g. a grandchild), it is the person who provides the funds who should be regarded as the applicant for business, rather than the registered owner;
· when an intermediary introduces a client to an institution, but the client's name rather than that of the intermediary is given as the investor, it is the underlying client who is the institution's applicant for business;
· when a customer seeks advice, or access to an execution-only dealing service, in his own name and on his own behalf, he is clearly the applicant for business;
· when a professional agent introduces a third party to an institution so that the third party may be given advice, and/or make an investment in his own name, then it is the third party (not the introducer) who is the institution's applicant for business;
· when an individual claiming to represent a company, partnership or another legal entity applies for business, then the applicant for business will be the entity, the identity or existence of which should be verified, rather than that of any individual claiming to represent it;
· when a company manager or company formation agent introduces a client company, it is the client company which is the applicant for business;
· when a trust is introduced, it is the settlor that is the applicant for business.
These distinctions are important since they are relevant in determining the correct procedures for verification of identity where this is required.
R70 It is necessary to determine, from the outset, whether the applicant for business is seeking to establish a "business relationship" with the institution, or is an occasional customer undertaking a "one-off transaction".
Section 7 defines a "business relationship" as a business, professional or commercial relationship between a relevant financial business and a customer, which is expected by the relevant financial business, at the time when contact is established, to have an element of duration.
A "one-off transaction" means any transaction carried out other than in the course of an established business relationship. The Sections cover sales transactions as well as purchases. Where business is undertaken whether on a one-off basis, or when a series of small deals is placed whether with the same or different product provider, identification procedures will be required on the part of the firm if these, as single or linked transactions, amount to €15,000 or more.
The demonstration of a person’s identity is particularly complex in the context of supporting the due diligence measures of a firm.
Customer identification documentation consists of two distinct elements;
1. The physical person
2. The nature of the economic activity
Both of the above are inextricably linked to the country from which they originate as this will have a direct bearing on the assessment of the country risk and the customer’s risk profile.
R71 Irrespective of the nature and risk profile of the customer, other than where specific exemptions are provided for, a firm is required to document and maintain a record of all the customer identification documentation, which includes recording how and when each of the due diligence requirement steps was satisfactorily completed by the firm.
The customer due diligence measures in R60 need to be applied on a risk sensitive basis which includes an escalation by the firm of the measures which are proportionate to the firm’s risk methodology.
! The objectives of the Notes in relation to customer identification documentation are first, that the evidence offered is reasonably capable of establishing the customer’s identity, and secondly, that the person who is assessing the evidence is satisfied that the customer is the person he claims to be.
R72 The requirements in relation to the completion of satisfactory customer identification documentation are that:
a. the applicant for business will produce satisfactory evidence of his identity; or
b. procedures established by the firm will produce such satisfactory evidence.
R73 For individuals perceived to present a low risk, a firm can satisfy the minimum customer identification documentation requirements by confirming the name and likeness by gaining sight of a document from a reliable and independent source which bears a photograph or from reliable and independent data sources.
For face-to-face customers a
! With identity theft becoming more of a concern, firms must remain vigilant to guard against the provision of false or stolen customer identification documentation being used to open and operate business relationships. Nothing in these Notes requires firms to put in place additional controls to check the veracity of the documents provided other than what would normally be required as part of good business practice. Firms, however, may wish to use electronic verification and other such processes to verify that customer-supplied documents have not been forged.
R74 The customer identification documentation, or data, obtained should demonstrate that a person of that name exists at the address given, and that the applicant for business is that person.
! The address of the applicant for business can also generally be determined from the same document and if the customer’s risk profile is low, there is no requirement to seek additional documentary evidence.
R75 Where the document provided above does not contain details of the address, the address provided does not match that provided for the business relationship, or the customer risk profile presents a higher risk, a firm will need to conduct separate address verification.
A firm can easily satisfy this requirement using electronic sources of data without having to ask the customer. This is preferred as this also then satisfies the independent criteria as this is sought by the firm itself.
! Care should be taken about applying this requirement too stringently, for example, where the address verification only shows up the spouse or family member of the applicant for business. In such cases the firm needs to document the linkage between the applicant for business and the person at the given address.
R76 In respect of business relationships where the surname and/or address of the applicants for business differ, the name and address of all applicants, not only the first named, must be verified in accordance with the procedures set out above.
Any subsequent change to the customer’s name, address, or employment details of which the institution becomes aware should be recorded as part of the know your customer process. Generally this would be undertaken as part of good business practice and due diligence but also serves for money laundering and terrorist financing prevention.
! The date of birth is important as an identifier in support of the name, and is helpful to assist law enforcement. Although there is no obligation to verify the date of birth, this provides an additional safeguard.
R77 Where the applicant for business is a body corporate, the firm must ensure that;
a. it fully understands the company’s legal form,
b. it understands the company’s structure and ownership.
Corporate customers may be publicly accountable in several ways. Some public companies are listed on stock exchanges or other regulated markets, and are subject to market regulation and to a high level of public disclosure in relation to their ownership and business activities. Other public companies are unlisted, but are still subject to a high level of disclosure through public filing obligations. Private companies are not generally subject to the same level of disclosure, although they may often have public filing obligations. In their verification processes, firms should take account of the availability of public information in respect of different types of company.
! The structure, ownership, purpose and activities of many corporates will be clear and understandable. Corporate customers can use complex ownership structures, which can increase the steps that need to be taken to be reasonably satisfied as to their identities; this does not necessarily indicate money laundering or terrorist financing. The use of complex structures without an obvious legitimate commercial purpose may, however, give rise to concern and increase the risk of money laundering or terrorist financing.
R78 Firms must put into place additional due diligence measures when establishing business relationships with non-Gibraltar registered companies, or companies with no direct business link to
Such companies may be attempting to use geographic or legal complexities to interpose a layer of opacity between the source of funds and their final destination. In such circumstances, institutions should carry out effective checks on the source of funds and the nature of the activity to be undertaken during the proposed business relationship. This is particularly important if the corporate body is registered or has known links to countries without an effective AML/CFT regime. In the case of a trading company, a visit to the place of business may also be made to confirm the true nature of the business.
R79 For corporates perceived to present a low risk, a firm can satisfy the minimum due diligence requirements by obtaining the following:
1. Obtaining a copy of the certificate of incorporation/certificate of trade or equivalent which should include the;
2. Performing a search in the country of incorporation which confirms the items in (1) above.
b. Registered office business addresses;
c. Copy of the latest report and accounts, if available and audited if applicable;
d. copy of the board resolution to open the relationship and the empowering authority for those who will operate any accounts;
Where the business relationship is being opened in a different name from that of the applicant, the institution should also make a search, or equivalent trading name search for the second name.
R80 The following persons and beneficial owners (i.e. individuals or legal entities) must also be identified in line with 7.7.1.1 above:
a. The beneficial owner(s) of the company as defined in 7.1.2.1
b. The shareholders of the company (if different from the beneficial owners) who own or control through direct or indirect ownership of 25% plus one share or the voting rights in the company including through the bearer share holdings, other than a company listed on a regulated market that is subject to disclosure requirements consistent with Community legislation or subject to equivalent international standards.
c. The natural person(s) who otherwise exercise control over the management of the company.[25]
A simple example would be to obtain for each entity a comprehensive company search report from a reliable company registry or registered agent. However just as there are alternatives to a passport and utility bill, so there are alternatives to a company search and another example might be to obtain a set of consolidated financial statements that have been audited by a reliable firm of auditors and that show the group structure and ultimate controlling party.
R82 In the case of partnerships and other unincorporated businesses whose partners/directors are not known to the institution, the identity of at least two partners or equivalent should be verified in line with the requirements for personal customers.
Where a formal partnership agreement exists, a mandate from the partnership authorising the opening of an account and conferring authority on those who will operate it should be obtained.
Where a Retirement Benefit Scheme has Income Tax Office approval, a firm’s customer identification documentation can be met by confirming the scheme’s approval.
Retirement Benefit Schemes approved by the Income Tax Guidance Notes are formed under an irrevocable trust. In other cases, a Retirement Benefit Scheme should be treated for AML/CFT purposes, and minimum due diligence requirements obtained, according to its legal form.
For operational purposes, the firm is likely to have a list of those authorised to give instructions for the movement of funds or assets, along with an appropriate instrument authorising one or more pension trustees (or equivalent) to give the firm such instructions.
! The identities of individual signatories of Retirement Benefit Schemes need only be verified on a risk-based approach.
! Any payment of benefits by, or on behalf of, the trustees of an occupational pension scheme will not require verification of identity of the recipient.
R83 Where individual members of a Retirement Benefit Scheme are to be given personal investment advice, their identities must be verified. However, where the trustees and principal employer have been satisfactorily identified (and the information is still current), it may be appropriate for the employer to provide confirmation of identities of individual employees.
Charities have their status because of their purposes, and can take a number of legal forms. Some may be companies limited by guarantee; some may take the form of trusts; others may be unincorporated associations.
R84 In each case, a charity should be treated for AML/CFT purposes, and the minimum due diligence requirements met by obtaining the necessary customer due diligence documentation, according to its legal form.
Firms should take appropriate steps to be reasonably satisfied that the person the firm is dealing with is properly authorised by the customer and is who he says he is.
There are a wide variety of trusts, ranging from large, internationally active organisations subject to a high degree of public interest and quasi-accountability, through trusts set up under testamentary arrangements, to small, local trusts funded by small, individual donations from local communities, serving local needs.
R85 In carrying out their risk assessments firms take account of the different money laundering or terrorist financing risks that trusts of different sizes and areas of activity present.
Most trusts and similar arrangements are not separate legal entities – it is the trustees collectively who are the customer. In these cases, the obligation to identify the customer attaches to the trustees, rather than to the trust itself. The purpose and objects of most trusts are set out in a trust deed.
R86 In respect of trusts, the firm should obtain the following information:
b. Nature and purpose of the trust (e.g., discretionary, testamentary, bare);
d. Identity of the settlor or grantor;
e. Identity of all trustees[26];
g. Where the beneficiaries have already been determined, the identity of the natural person(s) who is the beneficiary of 25% or more of the property[27]
h. Where the individuals that benefit from the legal arrangement have yet to be determined, the class of persons in whose main interest the arrangement is set up.[28]
! The formal documentation of a beneficiary’s identity need only be conducted prior to the distribution of trust assets and not when the trust is established or during its lifetime.
! Where a trustee is itself a regulated entity, or a publicly quoted company, or other type of entity, the identification procedures that should be carried out should reflect the standard approach for such an entity.
! Firms should take appropriate steps to be reasonably satisfied that the person the firm is dealing with is properly authorised by the customer and is who he says he is.
Some consideration should be given as to whether documents relied upon are forged. In addition, if they are in a foreign language, appropriate steps should be taken to be reasonably satisfied that the documents in fact provide evidence of the customer’s identity.
R87 Firms must make appropriate distinction between those trusts that serve a limited purpose (such as inheritance tax planning) or have a limited range of activities and those where the activities and connections are more sophisticated, or are geographically based and/or with financial links to other countries.
For trusts presenting a lower money laundering or terrorist financing risk, the minimum due diligence will be sufficient. However, less transparent and more complex structures, with numerous layers, may pose a higher money laundering or terrorist financing risk. Also, some trusts established in jurisdictions with favourable tax regimes have in the past been associated with tax evasion and money laundering.
R88 Where a trust is assessed as carrying a higher risk of money laundering or terrorist financing, the firm must seek additional information in order to satisfy the customer identification documentation.
Where an application is made on behalf of a club or society, firms should make appropriate distinction between those that serve a limited social or regional purpose and those where the activities and connections are more sophisticated, or are geographically based and/or with financial links to other countries.
For many clubs and societies, the money laundering or terrorist financing risk will be low.
R89 The following minimum due diligence must be conducted on clubs and societies:
a. Full name of the club/society
b. Legal status of the club/society
c. Purpose of the club/society
R90 The firm should verify the identities of the officers of a club or society who have authority to operate an account or to give instructions concerning the use or transfer of funds or assets.
Firms should take appropriate steps to be reasonably satisfied that the person the firm is dealing with is properly authorised by the customer and is who he says he is.
The risks associated with money laundering and the financing of terrorism stem from the associated activity: either that the funds that are going to be put through a business relationship derive from criminal activity and the business relationship will be used to channel these funds, or that proceeds of criminal activity will be mixed with legitimate economic activity in order to disguise their origin.
A two-pronged approach is therefore necessary if a firm is to properly address these risks.
The first of these entails identifying the source of the income or wealth which will form the basis of the business relationship. By determining that the source is not from criminal activity, the firm substantially mitigates the customer risk.
The second part of the approach is to identify the purpose and intended nature of the business relationship. By establishing this, the firm will be able to adequately monitor the activity on the business relationship and how this correlates to the intended activity. In the assessment of where these differ, the firm is able to ascertain better if money laundering or the financing of terrorism is taking place.
By seeking information on the nature or source of the business relationship’s income or wealth a firm is able to ascertain the risk posed to it in respect of money laundering or the financing of terrorism by addressing both the customer risk as well as the country risk. In certain cases, the product risk will also be affected by the determination of the source of the economic activity.
R91 The minimum due diligence requirements to satisfy customer identification documentation on nature and source of income or wealth are ascertained by documenting this to a level of “plausible verifiability”.
The term “plausible verifiability” is made up of two constituents:
o Plausible. This is the documentation that the customer’s economic activity is commensurate with the information that the firm will have before it through its due diligence processes. It should be clear to a firm when a customer is providing a source of economic activity that is incompatible with the information before it. In such cases the firm should consider the implications of such a statement or evidence and whether, as a result, a suspicious transaction report should be made to GFIU.
o Verifiability. This is documentation of the economic activity to a level of detail that would enable the firm, law enforcement agencies or other bodies to independently verify the source of income or wealth if the customer’s risk profile increased, or money laundering or financing of terrorism was known or suspected. It is clear from this that a description of “business man” would clearly be inappropriate as this is not verifiable. A description of “Management Consultant, MD of owner owned company X Management Consultants Limited of Number 1 The High Street, London, W23 1PX, UK” would be verifiable as the business and the address would be easily verifiable and the activity on the business relationship could easily be matched to the description provided. Again, any discrepancies between the information provided and the actual activity should prompt the firm to independently verify this information themselves or to make a suspicious transaction report.
! A firm will be able to identify the country risk posed to it from the source of the income or wealth of the business relationship.
R92 As the business relationship’s risk profile increases, the firm must move away from “plausible verifiability” to “independent verification” of economic activity in order to satisfy the customer identification documentation requirements in relation to the source of income or wealth.
R93 Independent verification requires that firms seek additional information on the economic activity of the business relationship from reliable and independent sources.
R94 At the commencement of the business relationship a firm must document the purpose and intended nature of that relationship. This information must form part of the customer identification documentation.
The extent and detail of this information must be sufficient to allow the firm to readily identify variances between actual activity and the stated intended nature of the relationship, to increase information requirements in order to satisfy itself that money laundering or the financing of terrorism has not taken place and, where it is not satisfied as to the information received, to make a suspicious transaction report to GFIU. Section 7.8 below expands on the monitoring requirements further.
The requirement to monitor customer activity is derived from Article 8(1)(d) of the 3rd Money Laundering Directive. These provisions have been incorporated into the Statements of Principles as well as the specific requirement of R60d. These are summarised below:
SP3 All firms must know their customer to such an extent as is appropriate for the risk profile of that customer.
R60d Conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the firm’s knowledge of the customer, the business and risk profile, including, where necessary, the source of funds and ensuring that the documents, data or information held are up to date.
Additionally, and in order to comply with the requirements of the Directive, the following Requirements have also been introduced:
R95 Firms must pay special attention to any activity which they regard as particularly likely, by its nature, to be related to money laundering or terrorist financing and in particular complex or unusually large transactions and all unusual patterns of transactions which have no apparent economic or visible lawful purpose.[29]
R96 The essentials of any system of monitoring are that:
a. it flags up transactions and/or activities for further examination;
b. these reports are reviewed promptly by a senior independent person and where these raise a knowledge or suspicion of ML or TF, reported to the MLRO; and
c. appropriate action is taken on the findings of any further examination.
Monitoring can be either:
o in real time, in that transactions and/or activities can be reviewed as they take place or are about to take place, or
o after the event, through some independent review of the transactions and/or activities that a customer has undertaken,
and in either case, unusual transactions or activities will be flagged for further examination. Monitoring does not necessarily require sophisticated electronic systems.
Monitoring may be by reference to specific types of transactions, to the risk profile of the customer, or by comparing their activity or profile with that of a similar, peer group of customers, or through a combination of these approaches.
! Firms should also have systems and procedures to deal with customers who have not had contact with the firm for some time, in circumstances where regular contact might be expected, and with dormant accounts or relationships, to be able to identify future reactivation and unauthorised use.
! In designing monitoring arrangements, it is important that appropriate account be taken of the frequency, volume and size of transactions with customers, in the context of the customer, interface, country and product risk.
Effective monitoring is likely to be based on a considered identification of transaction characteristics, such as:
o Is the size of the transaction consistent with the normal activities of the customer?
o Is the transaction rational in the context of the customer’s business or personal activities?
o Has the pattern of transactions conducted by the customer changed?
o Where the transaction is international in nature, does the customer have any obvious reason for conducting business with the other country involved?
Higher risk accounts and customer relationships will generally require more frequent or intensive monitoring.
A monitoring system may be manual, or may be automated. One or other of these approaches may suit most firms. In the relatively few firms where there are major issues of volume, or where there are other factors that make a basic exception report regime inappropriate, a more sophisticated automated system may be necessary.
The effectiveness of a monitoring system, automated or manual, in identifying unusual activity will depend on the quality of the parameters which determine what alerts it makes, and the ability of staff to assess and act as appropriate on these outputs. The needs of each firm will therefore be different, and each system will vary in its capabilities according to the scale, nature and complexity of the business. It is important that the balance is right in setting the level at which an alert is generated; it is not enough to fix it so that the system generates just enough output for the existing staff complement to deal with – but equally, the system should not generate large numbers of ‘false positives’, which require excessive resources to investigate.
[18] Article 7 of 3MLD.
[19] Article 8 of 3MLD.
[20] Definition of Beneficial Owner as defined in Article 3(6) of 3MLD.
[21] Article 9(2) of 3MLD.
[22] Article 9(3) of 3MLD.
[23] Article 9(4) of 3MLD.
[24] Article 9(6) of 3MLD.
[25] Adapted from Article 3(6) of 3MLD.
[26] Article 3(6)(b)(iii) of 3MLD.
[27] Article 3(6)(b)(i) of 3MLD.
[28] Article 3(6)(b)(ii) of 3MLD.
[29] Article 20 of 3MLD.