AIA | News

Client Due Diligence | Are you Asking the Right Questions?

Last updated: 19 Mar 2024 09:00 Posted in: AIA

David Potts, AIA Director of Operations and MLRO, explores ‘simplified’ and ‘enhanced’ due diligence and explains how the right questions enable the effective management of money laundering risk.

It is well established that criminals and bad actors often seek to mask their identity by using complex and opaque ownership structures.

As accountants we have a key tool available to disrupt economic crime and to ensure that illicit finance is prevented from entering the legitimate economy. Client due diligence is all about knowing and understanding your client’s identity and business activities so that any money laundering or terrorist financing risks can be managed.

Effective client due diligence is, therefore, a key part of anti-money laundering defences. By knowing the identity of a client, including who owns and controls it, you are not only fulfilling your legal and regulatory requirements but equipping yourself to make informed decisions about your client’s standing and acceptability.

Client due diligence also helps you to construct a complete understanding of your client’s typical business activities. By understanding what normal practice is, it is easier to detect abnormal events, which in turn may point to money laundering or terrorist financing activity.

The Money Laundering Regulations require that the extent and breadth of your client due diligence measures reflect your assessment of the risks. Fundamentally this means focusing your effort on higher risk clients, whilst avoiding disproportionate effort for lower risk clients.

Broadly speaking, simplified due diligence may be applied in circumstances where your firm has determined that a client is low risk (with certain exceptions). For clients where high-risk characteristics are present, your firm must undertake enhanced due diligence. The scenarios and requirements for undertaking enhanced due diligence are explored throughout this article.

Principles of client due diligence

Client due diligence requires the collection and recording of information about a client’s personal background and business, or ‘know your client information’.

The Money Laundering Regulations outline the required components of good client due diligence. You must apply them at the start of a new business relationship (including a company formation), at appropriate points during the lifetime of the relationship and when an occasional transaction is to be undertaken:

  • Identify the client: This involves knowing who the client is and then verifying their identity (i.e. demonstrating that they are who they claim to be) by obtaining documents or other information from independent and reliable sources.
  • Identify beneficial owner(s): This is so that the ownership and control structure can be understood and the identities of any individuals who are the owners or controllers known. On a risk-sensitive basis, reasonable measures should be taken to verify their identity.
  • Gather information: Obtain information on the intended purpose and nature of the business relationship.

When determining the degree of client due diligence to apply, your firm must adopt a risk-based approach, considering the type of client, business relationship, product or transaction, and ensuring that the appropriate emphasis is given to those areas that pose a higher level of risk.

Should my firm be applying simplified due diligence?

Simplified due diligence can usually be applied when a client is low risk, in accordance with the firm’s risk assessment criteria. To perform this risk assessment, you should ensure that your firm takes into account risks outlined in the National Risk Assessment of Money Laundering and Terrorist Financing 2020 and in the sectoral risk outlook published by the Accountancy Anti-Money Laundering Supervisors Group.

The Money Laundering Regulations set out low risk indicators, which should be considered too:

  • public authorities or state-owned businesses;
  • lower risk geographic location – both of the client and its activities;
  • regulated businesses – such as banks and other financial institutions; and
  • businesses listed on the stock exchange (or a foreign exchange where the rules are equivalent to those in the UK).

As a firm, you must also consider the services you are being asked to provide to the client, alongside delivery methods, and whether this is something assessed as being of higher risk in your firm-wide risk assessment; for example, providing trust or company services. If the services you are providing are considered high risk or if the client has high-risk characteristics, such as being a cash-based business, then simplified due diligence is not appropriate, even if any of the other conditions above are met.

As a minimum requirement to perform simplified due diligence, there must be no high-risk characteristics related to the client.

How should my firm apply simplified due diligence to a client?

The Money Laundering Regulations require only that you must comply with standard client due diligence measures; however, you may vary the extent, timing or type of measures taken to reflect lower risk.

The components of good client due diligence outlined in the Regulations are:

  • identifying the client (i.e. knowing who the client is);
  • verifying the identity of the client (i.e. demonstrating that they are who they claim to be) by obtaining documents or other information from independent and reliable sources;
  • identifying the beneficial owner(s) so that the ownership and control structure can be understood and the identities of any individuals who are the owners or controllers can be known;
  • on a risk-sensitive basis, taking reasonable measures to verify the identity of the beneficial owner(s); and
  • gathering information on the intended purpose and nature of the business relationship.

Examples of simplified due diligence may include the following:

  • in the case of a corporate client, perhaps only verifying a single director’s identity;
  • reducing verification requirements for ultimate beneficial owners;
  • requiring fewer identity documents for an individual; and
  • carrying out periodic monitoring at longer intervals.

Documenting simplified due diligence

Your firm should document your processes and explain which client due diligence actions are required when you are undertaking simplified due diligence. These processes will be reviewed during any anti-money laundering compliance review undertaken by AIA.

Furthermore, even though your firm may be undertaking solely simplified due diligence on a client, it is important to note that ongoing monitoring is still required by the Money Laundering Regulations.

This is useful when considering whether anything in your business relationship – or any information that has come to you while providing services for that client – indicates that it is no longer appropriate to carry out simplified due diligence and instead a more in-depth assessment is required.

Recent anti-money laundering and economic crime updates

  • Politically exposed persons: New rules categorising politically exposed persons affecting the application of client due diligence were introduced on 10 January 2024.
  • Economic Crime and Corporate Transparency Act 2023: Some of the measures introduced by the Economic Crime and Corporate Transparency Act 2023 will come into force in March 2024. Anyone setting up, running, owning or controlling a company in the UK will need to verify their identity. To help you prepare for this, Companies House has launched a new Changes to UK company law website.
  • High risk countries: This list published by HM Government replicates those countries listed by the Financial Action Task Force as high risk or under increased monitoring. It is updated periodically to reflect changes.

When should my firm undertake enhanced due diligence on a client?

A risk-based approach to client due diligence will identify situations in which there is a higher risk of money laundering or terrorist financing. In these instances, the Money Laundering Regulations specify that ‘enhanced’ due diligence (Regulation 33) must be applied:

  • where there is a high risk of money laundering or terrorist financing;
  • in any occasional transaction or business relationship with a person established in a high-risk third country;
  • if a business has determined that a client or potential client is a politically exposed person, or a family member or known close associate of a politically exposed person (taking into account amendments to the Money Laundering Regulations made in 2023 relating to UK domestic politically exposed persons);
  • where a client has provided false or stolen identification documentation or information on establishing a business relationship;
  • where a transaction is complex and unusually large, and there is an unusual pattern of transactions which have no apparent economic or legal purpose; and
  • in any other case which by its nature can present a higher risk of money laundering or terrorist financing.

When undertaking enhanced due diligence on a client, the following steps must be taken. As far as reasonably possible, examine the background and purpose of the engagement. You should increase the degree and nature of monitoring of the business relationship in which the transaction is made, to determine whether that transaction or that relationship appears to be suspicious.

For clients that are higher risk due to connections to a high-risk third country:

  • obtain additional information on the client and its ultimate beneficial owners;
  • obtain additional information on the intended nature of the business relationship;
  • obtain information on the source of wealth and source of funds of the client and the client’s beneficial owner;
  • where there is a transaction, obtain information on the reasons for the transaction;
  • obtain the approval of senior management for establishing or continuing the business relationship (where appropriate dependent on the size of firm); and
  • increase the monitoring of the business relationship, by increasing the number and timings of controls applied.

Enhanced due diligence may also include one or more of the following measures:

  • Seeking additional independent, reliable sources to verify information, including identity information, provided to the business.
  • Taking additional measures to understand better the background, ownership and financial situation of the client, and other parties relevant to the engagement.
  • Taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship.
  • Increasing the monitoring of the business relationship, including greater scrutiny of transactions.

Ask the right questions

Performing enhanced due diligence at certain trigger points is a regulatory requirement which often means that more in-depth questions are asked of clients. It is important to make use of your professional scepticism to judge whether the information you are being told is accurate or trustworthy and to question further where clients may be uncooperative or things do not seem right.

Remember that you must have documented policies and procedures that trigger the application of enhanced due diligence both at client onboarding and for ongoing monitoring. You should also record your decisions and reasoning – both to accept and decline a client.

Further detailed guidance is provided within ‘Anti-Money Laundering Guidance for the Accountancy Sector’ for situations where simplified and enhanced due diligence are required, including what constitutes simplified due diligence and enhanced due diligence respectively. This guidance is available here.

 

Author Biography

David Potts is Director of Operations at the AIA.
