PEPs, CDD and POCA: answering your questions

I work in a small firm. Sometimes the electronic verification checks into whether a client is a PEP are inconclusive. How far do we have to go to ascertain this?

In practices where work on behalf of politically exposed persons (PEPs) is rare, it may be acceptable to use publicly available or open sources.

Checking for PEP status should be undertaken on a risk-based approach, in light of other customer due diligence (CDD) information held (such as employment) which may lead to the practice suspecting PEP status.

Simple measures may include:

• asking the client or their representative (as appropriate) whether the person is a PEP, as a part of client onboarding
• performing an internet search to check whether the individual may hold any position that qualifies them as a PEP, or
• reviewing the information they submit to you carefully to determine whether any information you have access to suggests they may be a PEP

Other indicators that may indicate your client is a PEP include:

• receiving funds from a government account
• correspondence on official letterhead from the client or a related person
• information from the client or person related to the matter linking the client to a PEP, and
• any information which comes to your attention suggesting your client is actually a PEP or linked to one

Where you suspect a client is a PEP but cannot establish that for certain, you should consider what steps you could take to resolve this uncertainty.

If you are not able to resolve the issue to your satisfaction, you may consider (on a risk-based approach) applying aspects of enhanced due diligence (EDD) procedures.

A lack of clarity as to whether a person is a PEP could, in and of itself, be indicative of a heightened risk of money laundering.

For further information, see chapter 6 of the anti-money laundering guidance for the legal sector and our guidance on PEPs.

How long should we retain CDD records? Can it be for the same length of time as the file?

A “relevant person” (such as an independent legal professional) must keep CDD records as defined in regulation 40(2) of the Money Laundering Regulations 2017 (MLRs 2017).

Regulation 40(3)(b)(ii) provides:

“(3) Subject to paragraph (4), the period is five years beginning on the date on which the relevant person knows, or has reasonable grounds to believe—

(a) that the transaction is complete, for records relating to an occasional transaction; or

(b) that the business relationship has come to an end for records relating to—

(i) any transaction which occurs as part of a business relationship, or

(ii) customer due diligence measures taken in connection with that relationship.

(4) A relevant person is not required to keep the records referred to in paragraph (3)(b)(i) for more than 10 years.”

This includes simplified due diligence (SDD) and EDD records.

Many practices will wish to retain the complete client file, including CDD records, for a period exceeding the five years specified in regulation 40(3).

For example, your practice’s retention policy may specify longer retention times to take account of the expiry of limitation periods for potential negligence actions against the practice.

The client’s consent must be obtained if there is any variation on the period prescribed in regulation 40(3).

This consent clause may be contained in your engagement letter or terms of business. It should be signed or otherwise acknowledged by the client.

For more information, see chapters 6.22 and 10.3-10.4 of the anti-money laundering guidance for the legal sector.

We’re onboarding a client and need to carry out due diligence. Our overseas branch office is acting for the client. Can we obtain the documents from the branch rather than ask the client again?

The use of CDD information held by other parts of the same organisation is permissible.

Regulation 20(1)(b) of the MLRs 2017 requires you to maintain policies, controls and procedures for data protection on sharing of information within a group about clients.

Where CDD information is held by the practice in other jurisdictions, and the UK branch seeks to use this information, care should be taken by the UK branch that information held meets the necessary requirements under the MLRs 2017.

No foreign data protection limitations should hinder access to this information by the UK practice, or by UK law enforcement agencies upon valid request.

Should such limitations be in place, the UK branch cannot use this information and should themselves conduct appropriate CDD.

Where the practice undertakes multiple transactions for a specific client, you do not need to keep duplicate CDD records in each file. You can hold information in a central file.

Similarly, where one branch of the same UK organisation seeks to use CDD held by another part, this should be clearly documented and recorded on file.

The underlying information must be readily and easily accessible by the part of the organisation seeking to rely on it.

Where one part of the organisation ceases to have a relationship with a client, CDD information should be kept and transferred to any other part of the business which continues that relationship.

However, it may be prudent for you to review the CDD documents and consider the risk profile of the new retainer and any additional due diligence that may be necessary.

For further information, see chapter 10 of the anti-money laundering guidance for the legal sector.

A former client is being investigated for financial crime. We’ve been served an order to produce information listing several financial institutions. I’ve advised the order should be amended to include our firm. The police say non-compliance with the order as it stands is a s359 POCA offence. Is this correct?

You should check which statutory provision of the Proceeds of Crime Act 2002 (POCA) the notice or order is issued under.

You may have been served with a notice under the terms of a disclosure order under section 357 POCA rather than a production order, which falls under section 345.

Under section 357(4) POCA:

“A disclosure order is an order authorising an appropriate officer to give to any person the appropriate officer considers has relevant information notice in writing requiring him to do, with respect to any matter relevant to the investigation for the purposes of which the order is sought, any or all of the following—

(a) answer questions, either at a time specified in the notice or at once, at a place so specified;

(b) provide information specified in the notice, by a time and in a manner so specified;

(c) produce documents, or documents of a description, specified in the notice, either at or by a time so specified or at once, and in a manner so specified.”

The section 357 power is extremely wide, and it is important to ensure that the demand in the notice does not exceed the terms of the order.

Under section 361 POCA, a disclosure order does not:

• override privilege, except that a lawyer may be required to provide the name and address of their client, or
• require a person to produce excluded material

There is also a provision under section 362(3)(b) for any person affected by the disclosure order to make an application to discharge or vary it.

For further information, see our practice note on responding to a financial crime investigation.