As the supervisory regimes intensify, we look at the fundamentals of an effective AML regime in these sectors, with a focus on CDD. We highlight areas, from our own experience, where firms fall below supervisory expectations, and consider whether firms can improve their performance and reduce regulatory risk without increasing the time taken, the human resource required and thus their costs. We hope this article will assist those involved in AML in these sectors who believe they may need to enhance their current processes.

Core areas

Any effective AML regime in any firm must include the following:-

  • A Practice Wide Risk Assessment (PWRA);
  • Clear Policies, Controls and Procedures (PCPs);
  • A Client and Matter Risk Assessment methodology (CMRA);
  • Client Due Diligence (CDD) procedures;
  • Training;
  • Record Keeping;
  • Suspicious Activity Reporting (SARs);
  • Assurance; and
  • Governance.

Common failures

In relation to the above, where might firms fail to meet supervisory expectations?

PWRA and CMRA – a total reliance on templates in sector guidance rather than a factual examination of the risks a firm may face at the firm level and the client level.

PCPs – a ‘cut and paste’ from sector guidance rather than a fit-for-purpose set of PCPs that takes account of the results of a PWRA, e.g. no account being taken of the size and nature of a firm or of the products/matters a firm undertakes.

Training – a lack of detailed training, or of a curriculum/timetable with specific training requirements for the different employees in the firm, including senior management.

Assurance and Governance – very common. A lack of assurance and of any regular management information (e.g. SAR numbers, changes in client risk profiles, training records) means a firm has little capability to spot areas of concern. This results in a lack of governance, with no thoughtful, senior-level discussions on issues that require enhancement, amendment or remediation.

We now turn to the main focus of this article and the area where, rightly or wrongly, regulators and supervisors will continue to focus: Client Due Diligence (CDD).

Client Due Diligence (CDD)

While often referred to as Know Your Customer (KYC) or, for entities, Know Your Business (KYB), these elements are just one part of CDD. The ‘must have’ measures of CDD are set out in Recommendation 10 of the international body, the Financial Action Task Force (FATF), as being:-

  1. “identifying the customer and verifying that customer’s identity using reliable, independent source documents or data”;
  2. “identifying the beneficial owner and taking reasonable measures to verify the beneficial owner, such that the financial institution is satisfied that it knows who the beneficial owner is. For legal persons and arrangements this should include financial institutions understanding the ownership and control structure of the customer”;
  3. “understanding and, as appropriate, obtaining information on the purpose and intended nature of the business relationship”; and
  4. “conducting on-going due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, their business and risk profile, including where necessary the source of funds”.

NB: References to “financial institutions” will also refer to all those deemed “relevant persons” in the UK ML Regulations including law firms and accountants.

The above four foundations are expanded upon further in country-specific legislation such as the UK’s ML Regulations and, given that the ‘devil is in the detail’, much more comprehensive guidance is provided in industry sector guidance, e.g. that of the Legal Sector Affinity Group (LSAG).

In relation to these foundations, we highlight the following areas where firms are still apparently falling below expected standards.

  1. ID&V – It is, of course, expected that one facet of identifying and then verifying the identity of a client is to ascertain any particular risk that may be present, e.g. whether they are a PEP. Even today, there are firms that have no automatic screening capability to assist in the identification of PEPs, of those who may be subject to Sanctions, or of those who may have adverse/negative information related to them;
  2. UBOs (Ultimate Beneficial Owners) – In the FATF recommendation above, the critical phrase is “control structure”. The ‘trap’ firms can fall into is to identify, say, those with over 25% ownership but then not ascertain, to any degree of comfort, that those identified are actually controlling the entity.
  3. Nature of relationship – In many circumstances, firms consider that this foundation is satisfied by the provision of details of the matter being handled (e.g. property purchase or compilation and filing of annual accounts). This may not actually be the case, for example where the property is being purchased for rental or for someone else, or where there is a wider context to the work being undertaken, such as the sale of a business.
  4. On-going monitoring – It is interesting that “on-going monitoring” is part of the CDD recommendation. One common error for firms here is to think that this only means ‘transaction monitoring’ and therefore that, since in certain matters transactions are minimal, nothing further is required. In fact, on-going due diligence means, in addition to the scrutiny of transactions, firms being satisfied on an on-going basis that the transactions align with what a firm knows of the client, their risk profile and, where necessary, the Source of Funds (SoF). Again, clarity should be given in the CDD procedures as to exactly what is required, how it is achieved and with what frequency.

How can Firms Improve Performance?

ID&V – While copies of passports, utility bills etc. are still valid, it can take time and effort to get the details right. (E.g. is the utility bill within 3 months?) Additionally, establishing whether the prospective client is a PEP or Sanctioned entity can take time.

To meet the PEP/Sanctions requirement, many firms employ screening platforms and, subject to the firm being satisfied as to their supplier’s ‘fuzzy logic’ competence, this is a more efficient process.

Many of these suppliers’ platforms now offer electronic identification, enabling a client to upload a photograph and document. Indeed, some suppliers will verify identities without documents via automated checks conducted through independent and reliable sources (e.g. the electoral roll). The use of these platforms will significantly reduce the time and effort currently being applied by firms who still operate manual processes. The cost of these platforms can vary but, as a general rule, they will cost less than a current exclusively manual process.

UBOs – As with ID&V, the use of screening and digital identification will greatly assist in ascertaining UBOs. However, firms should consider whether those declared as UBOs on ownership structures (be that via the client or, say, from Companies House) are the actual controllers. It is therefore important that firms look to confirm this by making efforts to fully comprehend ownership structures (e.g. by declared UBOs confirming they do not act on anyone else’s behalf and that there are no indirect controllers).

Understanding and obtaining information on the nature of business and on-going monitoring – In considering how firms can improve their performance in these areas, a useful analogy can be drawn from everyday life. To actually ‘know’ a person or a business, you have to ask questions. The questions should be easy for the responder to understand and should also be relevant. If answers don’t make sense or are incomplete, you must ask further questions or seek clarification. Many firms either do not do this (e.g. accepting the hopelessly generalized ‘business consulting’ as an answer to what a client does for a living) or spend endless time going back and forth with the client, trying to obtain this ‘understanding’. This approach means inconsistent responses, a need for continuous training and client dissatisfaction.

To improve, therefore, firms should consider employing enhanced onboarding questionnaires with effective guidance, so that the fee-earner or the client themselves understand the question being asked and the reason for it. This is particularly so with business clients. For example, where a client is asked about their business, it should be clear that short responses such as ‘consultancy’ or ‘retail’ are insufficient and that responses need to be detailed as to, for example:

– What do they sell? (Goods, services, both?)
– Where do they sell it and to what type of buyers? (home, abroad, B2B, B2C?)
– How do they market and sell it? (premises, online, face-to-face?)
– What’s their pricing model? (Contract, subscription, pay as you go?)
– How do they get paid? (Transfer, card, payment service, cheque, cash, crypto?)
– Who runs the business day-to-day and what’s their career background?
– Who are their major suppliers and customers?

Only this level of detailed information will meet the supervisory expectations of “…obtaining information on the purpose and intended nature of the business relationship” and of satisfying themselves that “…the transactions being conducted are consistent with the institution’s knowledge of the customer, their business…”.

Stuart Hammond

Director, Legal & Regulatory

Marker AI is a digital onboarding platform for professional firms which comes with know-how like this built in.