All ICAEW-supervised firms are required to carry out customer due diligence (CDD) to reduce the risk of being used by criminals to launder money. But some firms are still unsure where and when to apply ‘simplified’ and ‘enhanced’ due diligence.
The Money Laundering Regulations require that the extent and breath of your CDD measures reflect your assessment of the risks. This effectively means you pay extra attention to any higher risk cases and, at the same time, avoid disproportionate effort for lower or normal risk cases.
In this context, simplified due diligence (SDD) can be applied in certain circumstances where you have determined a client as low risk. Enhanced due diligence (EDD) applies to the opposite end of the risk scale, for high risk clients.
Keeping it simple
“The legislation says you can only carry out SDD if the engagement or client has been assessed as presenting a low degree of risk,” says Angela Foyle, Head of Risk Management and Economic Crime at BDO Global Office, and ICAEW Regulatory Board member. But what that means in practice is not spelled out in the legislation, which can lead to confusion.
In deciding whether you can apply SDD to a particular client, you have to meet a number of conditions. “First, your business-wide risk assessment has to support the low risk rating you’ve assigned the client,” Angela explains. “You also have to take account of any risks in the National Risk Assessment and in the sectoral risk outlook from the Accountancy AML Supervisors Group.”
The Money Laundering Regulations set out low risk indicators, and you need to factor these into your decision too. They include:
- public authorities or state-owned businesses;
- lower risk geographic location – both of the client and its activities;
- regulated businesses – such as banks and other financial institutions; and
- businesses listed on the stock exchange (or a foreign exchange where the rules are equivalent to those in the UK).
"It's worth saying, however, that indicators are exactly what they say they are - indications,” emphasises Angela. “In some cases, there may be other factors involved that highlight a slightly higher level of risk, in which case you need to consider those factors.”
“And if you think there are any elements of higher risk, you need to think about how to mitigate these, which would effectively mean that SDD doesn’t apply.”
Applying SDD
When deciding whether to apply SDD, you must consider the risks identified in your firm-wide risk assessment.
For example, you need to look at what services you’re being asked to provide. “Is this simply bookkeeping or is it TCSP (Trust and Company Service Providers) services?” says Angela. “And if it’s something assessed as higher risk in your firm-wide assessment, then SDD is not appropriate, even if other conditions are met.”
Also consider whether there’s a specific characteristic of the client that would cause it to be in a higher risk category, for example a cash-based business. In situations where something else triggers a concern, for example an adverse open source search, even if the client otherwise would qualify as low risk, these concerns need to be resolved, which means SDD is not appropriate.
Verification modification
The regulations are not specific about what SDD entails. All they specify is that you must comply with the standard CDD measures but may vary the extent, timing or type of measures taken to reflect the lower risk.
The CCAB AML Guidance for the Accountancy Sector adds, as an example, that SDD would allow a firm to modify its verification measures, for instance you might not ask for as much identity documentation.
Examples of SDD may include:
- In the case of a corporate client, perhaps only verifying a single director’s identity.
- Reducing verification requirements for ultimate beneficial owners
- Requiring fewer identity documents for an individual.
- Carrying out periodic monitoring at longer intervals.
“Even when you apply SDD, ongoing monitoring is still required,” explains Angela. “And one of the key things you need to think about is whether anything in the relationship or work you’ve carried out indicates that your decision to apply SDD is not appropriate.”
Firms also need to document their processes, explaining exactly what CDD steps are required when SDD is permitted. ICAEW reviewers will expect to see evidence of this.
Heightened investigation
At the other end of the risk scale is EDD. “This is really heightened investigation; it’s the measures you take in addition to standard CDD,” explains Jonathan Wright, Deputy Global Financial Crime Leader at EY. “You’d perform EDD where you believe you face increased risk or likelihood of money laundering or terrorist financing, or facilitation of any other financial crime."
The requirements for EDD come under Regulation 33 of the Money Laundering Regulations, which sets out the circumstances in which you must apply EDD. These are where:
- your risk assessment of the client identifies a high risk of money laundering
- the client is established in a high risk third country or either of the parties to the transaction is established in a high risk third country
- the client is a politically exposed person (PEP) or a family member or known close associate of a PEP
- the client provides false or stolen ID documents
- there are complex or unusually large transactions, or when there is an unusual pattern of transactions with no apparent economic or legal purpose
- there is any other case which, by its nature, presents a higher risk
“For some of these triggers, it will be to some extent dependent on your business whether you feel EDD is applicable,” says Jonathan. “For example, if we consider complex transactions or arrangements, that’s likely to be personal to you and your firm. What is complex to your firm may not be to another firm.”
“One idea to take away is to consider whether you could define some of these terms in the context of your own business and what conditions should typically be met for EDD to apply,” he suggests.
Referring to the point about providing fake or stolen ID, he notes that while he can’t be prescriptive, he would imagine most firms presented with this situation would first consider declining the business, rather than move straight into performing EDD.
ICAEW’s monitoring visits suggest some firms are still confused about what is meant by a high risk third country. Pre Brexit, the UK followed the EU’s lead on this, but since January 2021 it has created its own list, and each country on this list has significant deficiencies in its national AML and terrorist financing regimes.
In practice, the list has been aligned with that of the Financial Action Taskforce (FATF). “If you’ve not been on the FATF website,” says Jonathan, “then I would encourage you to look as there is interesting information on new and emerging risks from a financial crime perspective.”
The UK list should be viewed as a baseline,” he adds. “If you do business in other jurisdictions outside the UK that your firm isn’t used to, you may want to build your own internal list.”
A questioning mindset
“When it comes to EDD,” emphasises Jonathan, it’s very clearly a must – not a ‘may’, ‘should’ or ‘consider’. EDD is not ‘a nice to have’ but something you’re expected to do and have evidenced and documented.”
“You should always avoid a box ticking approach to CDD,” he stresses. “And in the context of EDD what that means is that the questions you ask should be built around the circumstances of the client with which you’re looking to do business, because there is no one size fits all approach to EDD. You always need to adopt a questioning mindset.”
“Don’t be afraid to ask questions where something doesn’t seem right,” he advises. “Avoid sounding apologetic or as if you’re ticking boxes or being excessively bureaucratic. If you do that, you lose leverage with your client. When you don’t believe in the question you’re asking, the client may bat it back to you. So go into your questioning with confidence.”
Publicly available open sources, screening checks (including ICAEW’s client screening service for members and subscription services are all useful tools in conducting EDD.
As with SDD, you need to ensure you have documented policies and procedures for the situations in which you will apply EDD, and record your decisions and rationale – both to accept and decline a client.
Above all, always use your professional scepticism, advises Jonathan. “No one knows your business better than you,” he stresses, “And that puts you front and centre when making any calls about what does, and does not, look right.”
Resources
Keep updated
Be the first to know when articles like this are released by following us on LinkedIn and subscribing to our monthly newsletter, Regulatory & Conduct News.