Customer due diligence (CDD) is a process of checks to help identify your client and make sure they are who they say they are.
You’re in a better position to identify potential money laundering if you know your client and understand the reasoning behind the instructions they give you.
CDD allows you and your firm to assess the money laundering and terrorism financing risks that a client, and the work they wish you to undertake, may expose you to.
This guide introduces the different levels of CDD and when these need to be carried out.
There’s more information on CDD in chapter 4 of the Legal Sector Affinity Group's Anti-money laundering (AML) guidance for the legal sector.
Under regulation 27 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) you must carry out CDD measures when:
- establishing a business relationship
- carrying out an occasional transaction that amounts to €15,000 or more
- you suspect money laundering or terrorist financing
- you doubt the accuracy or adequacy of documents or information previously obtained for CDD
If you’re required to carry out CDD measures, you must:
- verify your client’s identity based on a reliable independent source (such as a passport)
- identify where there’s a beneficial owner who is not the client and take reasonable measures to verify their identity and to understand the ownership and control structure of a legal person, trust, company, foundation or similar legal arrangement
- assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or transaction
The way you comply with the requirement to take CDD measures may differ from case to case.
Regulation 31 provides that if you cannot complete CDD, you cannot establish a business relationship with the client.
You cannot avoid conducting CDD, but you can use a risk-based approach to determine the extent and quality of information required and the steps to be taken to meet the requirements.
Under regulation 28(12), when carrying out CDD you must reflect on:
- the practice’s risk assessment required under regulation 18
- your assessment of the level of risk arising in any case
When assessing the level of risk, factors you must take into account include:
- purpose of a transaction or business relationship
- size of the assets or of the transactions undertaken
- regularity and duration of the business relationship
You also need to be able to demonstrate to the Solicitors Regulation Authority (SRA) that you’ve applied the AML requirements appropriately.
You may demonstrate your compliance to the SRA through:
- documenting your risk analysis
- having written policies for how to apply the AML requirements to a given risk profile
- keeping notes of your decisions, particularly on cases which seem to pose a higher risk
Where your client is a corporate body, you must obtain and verify:
- its name
- its company number or other registration
- the address of its registered office and, if different, its principal place of business
Unless the corporate body is a company listed on a regulated market, you must take reasonable measures to determine and verify:
- the law it’s subject to
- its constitution or other governing documents
- the names of the board of directors (or equivalent management body) and the senior persons responsible for its operations
Corporate bodies (other than companies listed on a regulated market) are required under the MLR 2017 to provide you with the information outlined above when you enter into a transaction or form a business relationship with them. This should assist you in carrying out your CDD checks.
Ongoing monitoring and record keeping
Under regulation 28(11) you must carry out ongoing monitoring of business relationships. Ongoing monitoring is defined as:
- scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds), to ensure that the transactions are consistent with your knowledge of the client, their business and their risk profile
- undertaking reviews of existing records and keeping the documents, or information obtained for the purpose of applying CDD, up to date
When the business relationship or occasional transaction has ended, you must keep records of CDD documents and supporting evidence for five years.
After five years, you must delete personal data unless:
- express consent is given to retain that data
- your firm is required to retain the personal data, for example, for the purposes of court proceedings
You’ll need to amend your systems and procedures to make sure that, unless an exemption applies, such personal data is deleted.
As well as CDD measures, regulation 33(1) sets out a list of circumstances in which enhanced due diligence (EDD) measures must be applied. It includes any transaction or business relationship involving:
- a person established in a high-risk third country
- a politically exposed person (PEP) or a family member or known associate of a PEP
- any other situation that presents a higher risk of money laundering or terrorist financing
Regulation 33(6) also sets out a list of factors that you must consider when assessing whether there’s a higher risk of money laundering present. However, the presence of one or more of these factors does not automatically mean that it’s a higher risk situation.
Even where a client is not based in a high-risk third country, you must still consider the individual money laundering and terrorist financing risks posed by that client and matter.
Under the MLR 2017, EDD measures must include, as a minimum:
- examining the background and purpose of the transaction
- increasing your monitoring of the business relationship
Regulation 33(5) gives a non-exhaustive list of ways you can conduct EDD including:
- seeking additional independent, reliable sources to verify information provided or made available to you
- taking additional measures to better understand the background, ownership and financial situation of the customer, and other parties to the transaction
- taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship
- increasing the monitoring of the business relationship, including greater scrutiny of transactions
Additional material may include the use of e-verification either to confirm the validity of the passport provided or to see if the person has a credit or electoral history at the address they’ve provided.
High-risk third countries
Article 9.2 of the Fourth EU Money Laundering Directive (Fourth Directive) allows the European Commission to identify 'high-risk third countries'.
These countries are identified as having strategic deficiencies in their national AML and counter-financing of terrorism regimes that pose significant threats to the financial system of the EU.
You must apply EDD measures in any transaction or business relationship with a person established in a high-risk third country.
This requirement does not apply if the:
- client established in a high-risk third country is a branch or majority owned subsidiary of an entity established in a European Economic Area (EEA) state which is subject to the Fourth Directive
- branch or subsidiary complies fully with the procedures and policies established for the group under article 45 of the Fourth Directive
When deciding whether it’s appropriate to apply EDD consider geographic risk factors, such as whether the country in which the client or transaction is based:
- has deficient AML legislation
- has high levels of acquisitive crime or corruption
- is an offshore financial centre or tax haven
- allows nominee shareholders to appear on the share certificate or register of owners
To effectively manage the money laundering risks that your firm faces, you should also:
- be aware of which jurisdictions are on the European Commission list and the sanctions list maintained by the Office for Financial Sanctions Implementation
- be alert to unexpected instructions to undertake transactions relating to one of those jurisdictions which is outside of your normal practice
- be alert to unexpected increases in instructions to undertake transactions relating to one of those jurisdictions or where the instructions are unusual given your understanding of normal practice in those jurisdictions
- be alert to large asset transfers out of those jurisdictions
- consider undertaking further due diligence checks if you are not sure who you’re dealing with and ask more questions about the source of funds and purpose of the transaction
- have a process for checking clients against the sanctions lists where they have a connection with a jurisdiction which is on the sanctions lists
A PEP is someone who's been appointed by a community institution, an international body, or a state, including the UK, to a high-profile position within the last 12 months.
Under AML regulations, the main aim of applying additional scrutiny to work involving PEPs is to mitigate the risk that the proceeds of bribery and corruption may be laundered, or assets otherwise stripped from their country.
Conducting due diligence on clients that you do not meet
The MLR 2017 states that not meeting a client in person poses a higher risk of money laundering.
You’re required to conduct EDD on these clients, because:
- clients seeking to engage in criminal activity will often try to limit what you know about them and their transaction, and this may be easier to achieve if they do not meet you in person
- when you meet a client, you have an opportunity to verify their identity against a photographic identification or to otherwise check the information you have for them is correct
- if you have concerns about a transaction and ask the client questions face-to-face, you may be better able to assess whether they’re answering you honestly
Regulation 37 of the MLR 2017 allows you to carry out simplified due diligence (SDD) where you’re satisfied that the business relationship or transaction presents a low risk of money laundering or terrorist financing.
However, the presence of one or more of the factors in regulation 37(3) does not necessarily mean that a given situation is lower risk.
When assessing whether there’s a lower risk of money laundering or terrorist financing, you must consider whether the customer is:
- a public administrator or a publicly owned enterprise
- an individual resident in a geographical area of lower risk
- a credit or financial institution which is subject to requirements in national legislation implementing the Fourth Directive and supervised for compliance with those requirements in accordance with the Fourth Directive
- a company listed on a regulated market and the location of the regulated market
You must also consider the:
- product, service, transaction or delivery channel risk factors – this includes whether the product or service is one of the insurance policies, pensions or electronic money products specified in regulation 37(3)(b)
- geographical risk factors based on where the client is established and where it does business – for example, an EEA state or third country with effective systems to counter money laundering or terrorist financing, or with documented low levels of corruption or other criminal activity
Financial services firms are not required to apply CDD to the third-party beneficial owners of pooled accounts held by legal professionals, provided the:
- information on the identity of the beneficial owners is available on request
- financial services firm's business relationship with the holder of the pooled account presents a low degree of risk
The Legal Sector Affinity Group’s Anti-money laundering guidance for the legal sector
Risk assessments – our guidance on conducting risk assessments
Politically exposed persons – our guidance on dealing with PEPs
While every effort has been made to ensure the accuracy of the information in this article, it does not constitute legal advice and cannot be relied upon as such. The Law Society does not accept any responsibility for liabilities arising as a result of reliance upon the information given.