Beneficial owners
Do we have to ask for ID for beneficial owners?
Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR17), where the customer is beneficially owned by another person, the relevant person must identify the beneficial owner and take reasonable measures to verify them.
You must verify the identity of the beneficial owners.
Are verification documents to be obtained for beneficial owners owning 25% or more, or is it owning more than 25%?
Beneficial ownership (for companies, LLPs and partnerships) in the regulations is defined as more than 25%. However, there could be entities that intentionally put ownership at 22.5% or similar to avoid coming under this threshold. So, depending on the risk, it might be worth setting your percentage lower.
Also, look carefully at the actual holdings to see what someone could be in control of in practice. If there was a husband, wife and their three children with holdings, it's feasible that the three children are under the control of the husband or wife. So in reality, you might want to think about what they're doing in a slightly different way.
I act for the UK branch of an American parent company. What checks should I carry out on beneficial owners and key decision makers?
This highlights the fundamental message of our webinar. It's very difficult with such limited information to tell you what checks you should do. The checks you carry out will be driven by the know your client (KYC) processes you've done and any red flags you identified connected with your client. The checks will then be based on the risks you've identified and assessed.
The fact that you've got an overseas parent doesn't change anything about the assessments and procedures you need to carry out. It could, however, make it more complicated because it can be more difficult to work out the ultimate beneficial owners and verify them.
Verification
Do I need to meet my client?
You don't have to meet your client. But if you don't, you need to think about the risks that meeting the client is trying to mitigate and whether you can reduce those risks in some other way. Think about how else you are going to prove that they are who they say they are, and they live where they say they live.
Does a meeting need to be physical, or can it be online?
The issue of whether online meetings count as meeting the client has become more relevant post-pandemic. An online meeting is considered as 'meeting the client'. But the important element to consider is that meeting is part of a bigger picture. What is meeting achieving – what is its purpose and can you get that assurance in some other way?
Is getting certified passport and address proof compulsory if we are not meeting the client?
It isn't compulsory, but you should always be taking a risk-based approach to verification. If you have concerns about the copy or think there is a risk the person is falsifying who they are, then you probably want to get it certified.
If it's someone you haven't met and/or someone who is overseas that you're getting copied documents for, the risk is likely to be higher, partly because you may be unfamiliar with overseas documents, so asking for certified documents would help reduce that risk.
The link below might assist with verifications of non-UK nationals, as it provides examples of overseas verification documents, such as passports.
How do you check identity and verify non-UK nationals?
As in any other situation, ask the client to provide ID. If you can't meet them and see the documents for yourselves, ask them to get the documents certified locally.
Keep in mind that some countries might not be as advanced in their AML regulations and policies, so you may need to explain to clients why you need this information and to see and verify ID documents.
Electronic verification
What are your thoughts on electronic AML checks and what do they really offer in terms of meeting customer due diligence (CDD) requirements?
They can be a good source of evidence and there are some good systems available. Electronic verification is fine as long as you understand the checks that are happening and the sources that the system draws from. You have to take responsibility for knowing what the electronic system you use is checking and be confident that when you put in the information and press the buttons, you understand what you're getting in return.
Firms need to know whether they've bought access to software that covers KYC, risk assessment or verification checks. Not all systems do all three. Sometimes firms think their electronic system is recording a risk assessment when it's really only doing identity verification of key contacts or beneficial owners.
The CCAB AML Guidance for the Accountancy Sector covers the main issues you need to consider with electronic verification.
Can ICAEW recommend appropriate software?
The CCAB AML Guidance for the Accountancy Sector covers the main issues you need to consider with electronic verification.
ICAEW does not hold a list of approved providers for electronic verification. We expect firms to be able to identify whether a particular provider is doing the searches they require in accordance with their own policies and procedures.
Open source searches
What is an adverse search string and how are they applied to search engines?
Search engines can be one of the best resources for finding out information about your client and those connected to them.
Using a search string in a search engine can identify any adverse media. You use the strings to narrow the search.
Most search engines offer guidance on how to construct effective search strings. Some examples might be:
- 'CLIENT NAME' AND 'crime'
- 'CLIENT NAME' AND 'corruption'
- 'CLIENT NAME' AND 'money laundering'
Go through the pages and look at what's coming up, and take a note of anything that is interesting or relevant. This will help you get a good feel about your client and flag anything you need to follow up.
Be aware that there are ways to suppress information in searches and push it down the pages, so don't just rely on the first few results. Check down through a few pages to make sure you capture all the available information.
Also remember that searches can bring up misinformation, so be careful to check sources.
The latest video in ICAEW's AMLbites series takes you through how to make the most of open source checks.
Sources of wealth
How do we find out about sources of wealth?
The main thing is simply to ask questions, understand the answers, and evidence these where possible. You can and should ask the question: 'Where is the money coming from, and what pieces of paper do you have to prove that?'
In many circumstances, there might be a copy of a will because it's an inheritance. Or someone can broadly prove that it's from a savings account that they've paid into regularly over a number of years.
If you start to get into complicated structures overseas, and you're asking how the money got there in the first place and where did it come from, you need evidence to prove that. If people are genuine, they should have all of that paperwork and be able to provide it. When they can't provide it, that's when there could be a problem.
Trust and company service providers (TCSPs)
What is it about providing TCSP services that is considered high risk?
The National Risk Assessment states that company formation and related TCSP services continue to be the highest risk services for the accountancy sector.
It adds that company formation as a standalone service is considered lower risk. But when combined with other high-risk services, such as those provided by accountancy firms, or other high-risk factors, such as a third party outside the UK, the level of risk increases.
Registered office or nominee directorship services are also at risk of exploitation because they can be used to conceal beneficial ownership or to facilitate the movement of funds offshore.
Watch ICAEW's AMLbites video on TCSPs to find out more about the risks and how to mitigate them.
Ongoing CDD
How often should you do a CDD review?
You need ongoing CDD to make sure you keep up to date with a client, their business and the associated risks.
There are two parts to this process. There's the periodic review, for which you might set a timeframe based on risk. So a high-risk client might be annual and a low-risk client might be longer than that. Then there are event-driven reviews, which are triggered by a specific event.
What constitutes a trigger event that requires a complete review of CDD?
Trigger events include a change in a client's identity; changes to the structure of the business (such as a new director or a change in the beneficial owner); information coming to light that isn't consistent with your knowledge of the client; situations where you have cause for concern or suspicion; and any significant changes in the client's business activity.
Anything about a change of the structure would be a trigger event, which would mean you might need to go and do verification work or understand why that change had happened.
The presentation of a new risk factor would also mean going back to look at your risk assessment of the client.
Submitting a suspicious activity report (SAR) also requires you to go back and redo your CDD.
Sanctions checks
How do you check for sanctions in ongoing CDD?
The pace of change and volume of sanctions imposed in spring 2022 have meant the AML risks associated with sanctions have increased.
It doesn't matter if you're at the beginning of the CDD process or it's ongoing CDD, you need to check in the same way. Most firms use third party screening services. Popular providers include Smartsearch, Worldcheck and Dow Jones. ICAEW's client screening service also offers sanctions checks.
You need to stay alert to the risks and select clients for regular screening on a risk basis.
Based on risk, some firms do automated screening where they check their whole client list on a regular basis, such as weekly or even daily.
To find out more about how the largest firms deal with sanctions compliance, check out ICAEW's thematic review of sanctions.
Other questions
Is there a "for beginners" guide for sole practitioners to help those starting out?
Our AMLbites series would be a good one for new starters and small firms or sole practitioners. Each video covers a specific and relevant topic, lasts around 10 minutes and is freely available for all to view.
When should I submit a SAR relating to the government’s Bounce Back Loan (BBL) scheme?
The CCAB AML Guidance for the Accountancy Sector offers general information on when you should submit a SAR.
BBLs were made for business purposes only. Where loans were used for personal or other non-business purposes, they do not meet the criteria. It is not your firm's responsibility to find out what a loan was used for. But if you receive, or come across, information "during the course of business" that the loan was misused, you may have an obligation to report.
Red flags associated with BBLs include accounts showing minimal business activity before receiving the loan, fund transfers to personal accounts or third parties, rapid cash withdrawals, or multiple loan applications using different business names.
Something to look out for is when money goes into the company account as a loan, and then goes straight back out again to the directors. If you think the money's gone in and it hasn't been used for the purpose for which it was intended, which was to support the business, then you should report it.