ICAEW.com works better with JavaScript enabled.
During ICAEW’s recent anti-money laundering (AML) webinar on customer due diligence (CDD) in practice, viewers highlighted a range of issues. We pick out some common themes, and ICAEW’s AML team provides responses to key questions.

Electronic checks

Do you have any guidance on which is the best electronic ID provider?

Electronic identification checks can be a good source of evidence and there are a wide range of systems available.

When choosing or using a provider, you need to understand the checks that are being carried out by each system and the sources the system draws from. It is your responsibility to assess whether the information is sufficiently reliable, comprehensive and accurate for the firm’s requirements.

ICAEW does not hold a list of approved providers for electronic verification and can’t offer advice on specific providers.

However, the CCAB AML Guidance for the Accountancy Sector covers the main issues you need to consider when using electronic verification and choosing an appropriate system.

These include:

  • Does the system draw on multiple sources?
  • Are the sources checked and reviewed regularly?
  • Are there control mechanisms to ensure data quality and reliability?
  • Is the information accessible?
  • Does the system provide adequate evidence that the client is who they claim to be?

ICAEW has also produced guidance on what to consider.

You need to thoroughly check what the software does and doesn’t do. With verification services, for example, providers’ websites usually outline which sources they’re using to do checks. And from that you should be able to get a sense of whether they're doing enough to meet your needs. Make sure you understand whether the software is set-up to perform all three stages of customer due diligence – know your client, risk assessment and verification. We find that some firms believe they have a complete solution, when really the software is only for KYC and verification.

If you require more details, get in touch with the provider and ask them direct questions, or check their FAQs. If you sign up for a demo, you can see what is being done, how and why.

Customer due diligence

Would you accept certified ID documents via email or request hard copy posted versions?

You need to obtain sufficient verification according to the level of risk you assign to each client. For a normal or low risk client, certified ID should be OK. If the client is high risk, or if you have any doubts about the veracity of the certified document, you will need to gather additional pieces of evidence to satisfy yourself that your client is who they say they are.

Is meeting a client on Zoom considered to be ‘meeting a client’?

Post-pandemic, virtual meetings have become increasingly common. An online meeting is now considered as 'meeting the client'.

But you need to recognise that meeting the client is part of a bigger picture. You need to think about what the meeting is achieving – what is its purpose and how is it part of your AML risk mitigation strategy?

You should always bear in mind the risks you are trying to mitigate. So, if you think there is an issue or concern with a client that a traditional, in-person meeting might help to deal with, then you might want to move to that.

Can seeing original ID documents on a Zoom call count as verification?

Based on risk, seeing original documents during a virtual meeting could be acceptable.

There is technology available, for example, that can use facial recognition to confirm a true match between someone’s face and the image on a passport they are holding up. So, if you have any concerns, you could invest in software to enhance the reliability of what you’re seeing.

Ultimately, it boils down to the risk of the client. And if you suspect they might not be who they say they are, then seeing ID documents only in a virtual meeting would not be ideal; you would want to get a certified document or meet in person.

I have been acting for some personal tax clients in excess of 30 years, far before any AML checks were required. AML checks (eg, passport and address) now just seem like a box ticking exercise. Given the time and effort it takes, is it really necessary?

Proportionate, risk-based AML checks on all your clients are necessary to mitigate the risk of money laundering. They are not a box ticking exercise and ID checks are just one part of your wider AML responsibilities.

You are required to comply with the UK’s AML legislation. This involves having appropriate policies and procedures for assessing and managing money laundering risks, including carrying out CDD and ongoing monitoring of existing clients.

Knowing a client for many years doesn't necessarily make that client low risk in AML terms.

What would be considered to be the basic ID verification for normal risk clients, compared to higher risk where enhanced due diligence (EDD) is required. What differences would ICAEW want to see?

The CCAB guidance explains that basic ID verification for a normal risk client is a piece of government issued photo-ID, that can prove your client is who they say they are. So seeing the client's passport will be enough.

For a higher risk client, you need to understand what has driven the high-risk rating. If the risk factor is to do with the client’s identity, then you should obtain more evidence to confirm that they client is who they say they are – this might include other documentation from government departments (eg, driving licence or HMRC issued tax notification or a council tax statement). However, in many cases, the risk associated with a client is linked to other factors – such as the nature of the client’s business (eg, it is cash-based) or the countries it operates in. In these scenarios, ‘verification’ is about performing enough due diligence to satisfy yourself that those risks don’t crystallise, as well as ensuring you have robust ongoing monitoring procedures to spot suspicious transactions. This might mean greater scrutiny over certain transactions, making sure that you understand how the client is generating funds, or understanding why and how a client is trading in particular jurisdictions.

Is it necessary to obtain new ID if you have an existing client and their passport goes out of date?

If it's a typical client and there are no specific risks and nothing's changed except the passport date has expired, we wouldn't expect you to ask for new ID.

Other AML supervisors may have a different approach. But at ICAEW, we say if you’ve verified the client once, you don't need to verify them again unless circumstances change.

A change in circumstances would include you suspecting the client might have misled you when they provided the original ID, or where you have other concerns about the client.

You might also want to update your verification records if there’s a change in the client’s name.

Would you always have an annual reassessment of any customer's due diligence?

You need ongoing CDD to make sure you keep up to date with a client, their business and the associated risks.

There are two parts to this process: the periodic review and event-driven reviews. The frequency for the routine periodic review should be risk-based, making use of the firm’s risk assessment. So, a high risk client might be annual, and a low risk client might be longer than that.

Event-driven reviews are triggered by a specific event, such as change in beneficial owners or a doubt about the reliability of existing identity information.

If you update the risk assessment and ID documents required, do you need to keep a copy of the original assessment and ID to show how you reached your past conclusions, or are the updated details adequate?

The CCAB AML Guidance for the Accountancy Sector states that ‘all records created as part of the CDD process, including any non-engagement documents relating to the client relationship and ongoing monitoring of it, must be retained for five years after the relationship ends’.

When we review CDD as part of our monitoring reviews, we would need to see all information that supports your current risk rating and the verification work you have done to mitigate that risk. But remember, the CDD is an important tool for your engagement teams to understand the risks associated with the client and where they need to apply additional scepticism. If documents are updated, they need to have sufficient information in them that the engagement team understands the client and where AML risk exists.

Suspicious activity reports (SARs)

Can one continue to act for a business if a SAR report has been made for that business?

There is nothing in the Money Laundering Regulations (MLRs) that says you can’t continue to act for the business.

What the MLRs do require is that you go back to CDD and reassess the risk, and you might decide the elevated risk is unacceptable and you do not want to continue the relationship. That’s a matter for you to decide within the firm, and it depends on the nature and extent of the issues involved.

You should also consider your wider obligations, for example, the PCRT (Professional Conduct in Relation to Taxation) says that if a client is not prepared to rectify a tax error, and you’re submitting a SAR about that, you must disengage.

You must also ensure you’re complying with the requirements in ICAEW’s Code of Ethics.

Ultimately, if you think a client is involved in money laundering or some other criminality, you need to be thinking very carefully about whether you want to continue to act for that client, and whether you could be facilitating or enabling what’s going on.

For a client where you decided not to onboard, would you still file a SAR, even if the client didn’t become a client?

Yes, you would still file a SAR even if you didn’t onboard the client.

Tipping off

Would disengaging a client risk tipping off?

This is a complex area and difficult to answer in a few lines. We recommend that firms watch our Suspicious Activity Reporting Q&A video for a more in-depth discussion on this point.

If you decide to disengage with a client for AML reasons, what do you say in response to a professional clearance request from another accountant?

If you have made one or more SARs, you must not disclose that fact to the prospective accountant. You should therefore avoid answering queries that relate specifically to suspicions of money laundering.

In responding to the professional enquiry, you should nevertheless include relevant statements of fact (not opinions) that allow the incoming accountant to form their own conclusion, or that may prompt them to make their own enquiries. An example might be: ‘we were unhappy submitting the accounts as instructed’.

Resources

Watch our webinar on CDD in practice, which includes practical case studies from money laundering reporting officers, or choose to view any of our previous webinars.

Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields

Add this page to your CPD activity

Step 2 of 3
Mandatory field

Add activity to my record

Step 3 of 3
Mandatory field

Activity added

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250