CDD is more than ID

Especially if they have multiple businesses or sources of income: Transparency International found more than one in 10 (around 14%) of UK LLPs show red flags for money laundering. 

This is where your customer due diligence (CDD) comes into play. As stated in the Legal Sector Affinity Group (LSAG) anti-money laundering (AML) guidance for the legal sector:

“CDD is the collective term for the checks you must do on your clients, which may differ depending on the circumstances. It is holistic in nature and is wider than simply undertaking identification and verification of clients.”

Walking through the stages of CDD

This is how LSAG sets out the components of good CDD:

• identification and verification (ID&V) procedures relating to natural persons (this includes the ultimate beneficial owners of non-natural clients, and those purporting to act on behalf of a client)
• procedures to facilitate a clear understanding of the client’s source of wealth and funds in relation to a transaction, and the level of evidence required, in line with the risk profile of the client/matter
• procedures to facilitate reporting of discrepancies between beneficial ownership information obtained through due diligence checks and what is held on the Companies House register
• enhanced due diligence (EDD) procedures – including the provision of adequate controls to manage higher risk clients/transactions, and measures to establish source of funds/source of wealth where appropriate
• the practice’s position on the use and application of simplified due diligence
• the timing of any due diligence procedures
• the practice’s position on the use of regulation 39 reliance and any related procedures
• the ongoing monitoring of clients and their matters
• the identification of instances where it is required or appropriate to re-apply or renew CDD or EDD on a client
• dealing with the return of un-solicited or apparently accidentally deposited funds
• identification and scrutiny of any complex or unusually large transactions, or an unusual pattern of transactions, or those which serve no apparent economic or legal purpose
• any additional measures to prevent products/transactions that support anonymity being used for ML/TF
• identification of politically exposed persons (PEPs), their relatives or close associates and the control of any associated risks

Your CDD can be made easier and more manageable by putting in place standardised policies, controls and procedures (PCPs) for your client onboarding.

It's all about taking a risk-based approach in areas where your firm could be exploited.

Written records are a must and again, there should be PCPs in place for these. If your firm is ever investigated, written records are key to your defence.

The initial identification

I won’t dwell here as this is possibly the most commonly known part of CDD, known as ID&V. It involves the gathering of information about a client’s identity.

The outcome of your ID&V will contribute to the information you add to your client risk assessment. But this process isn’t always linear.

If your client risk assessment flags some high-risk areas, you may need to revisit the ID&V stage and perform EDD.

The risk assessment

This should be completed following the risk-based approach. It must reflect the purpose, regularity and duration of the business relationship, the size of any transaction, and your business risk assessment.

The first risk assessment or evidence-gathering process may highlight a need for more information to be obtained or an updated risk assessment carried out.

If you haven’t done this for every client and entity your business acts for, you’re not complying with your AML obligations. Only completing these steps during onboarding is not enough either.

Keeping up to date

CDD needs to be re-applied to existing clients when you have any legal duty in the course of the calendar year to contact a client to review information:

• relevant to your client risk assessment (or practice-wide/matter risk assessment as appropriate), or
• concerning beneficial ownership information of the customer, including information which helps you understand the ownership or control structure of any entity that is the beneficial owner of the client

The duty also arises where a practice has a duty to contact the client under the International Tax Compliance Regulations 2015.

The five client risk factors

There are five risk factors that underpin the AML framework:

1. customers
2. countries or geographic areas
3. products or services
4. transactions
5. delivery channels

These risks can present a number of red flags in your clients. For example:

• are you finding it difficult to verify a client’s identity?
• are they behaving suspiciously, such as becoming defensive in response to certain questions, or avoiding face-to-face contact?
• are clients insisting on cash payments?
• are you involved in a transaction that has no apparent economic or legal purpose, that is large or unusually complex?

A full list of red flags can be found in section 18 of the LSAG AML guidance for the legal sector.

In some cases, these red flags will lead to a requirement for EDD. This could mean further checks or renewing ID&V on an annual basis.

Senior management may also need to approve the client relationship and additional information, such as source of funds, may be required.

If you suspect that ML, TF or PF has taken place, or may take place, you are legally obliged to submit a suspicious activity report (SAR) to your money laundering reporting officer (MLRO).

Don’t forget, all CDD – and all AML activity – is in place to ensure you can submit a full and accurate SAR.