ECSH63470 - Regulation 28 - Customer due diligence measures

The Law
https://www.legislation.gov.uk/uksi/2017/692/regulation/28
What it means
Regulation 28 sets out the customer due diligence measures a relevant person must apply when the circumstances highlighted in regulation 27 arise.
The relevant person must identify the customer unless the identity of the customer is known to, and has been verified by, the relevant person.
The relevant person must assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction.
 
Purpose
The purpose of customer due diligence measures is to confirm to the relevant person that the customer with whom they believe they are entering into a business relationship (or, in specific circumstances, carrying out an occasional transaction) is in fact who they claim to be. Additionally, customer due diligence measures are necessary to ensure that the relevant person has up to date information about the customer throughout the course of the relationship and that this information is consistent with the relevant person's knowledge of the customer, the customer's business and its risk profile.
Time Line
This was also a requirement under MLR2007 (Regulation 7).
What to establish
Failure to:
28(2) identify and verify the customer and assess the purpose and intended nature of the business relationship or occasional transaction,
28(4) identify and verify the beneficial owner,
28(8) keep records of the steps taken to identify the beneficial owner,
28(10) identify and verify a person acting on behalf of the customer,
28(11) conduct ongoing monitoring of a business relationship, and
28(12) ensure that the CDD measures reflect the risk assessment carried out under regulation 18
are fundamental breaches of this regulation.

28(2)(a) Has the relevant person identified the customer?
28(2)(b) Has the relevant person verified the customer? (See Regulation 28(18) and Regulation 28(19) for what 'verify' means.)
28(2)(c) Has the relevant person assessed, and where appropriate obtained information on, the purpose and intended nature of the business relationship or occasional transaction?
28(3)(a)(i)(ii)(iii) If the customer is a body corporate, has the relevant person obtained and verified: the name of the body corporate, its company number or other registration number, and the address of its registered office and, if different, its principal place of business?
28(3)(b)(i)(ii) If the customer is a body corporate and is not listed on a regulated market, has the relevant person taken reasonable measures to determine and verify: the law to which the body corporate is subject and its constitution, and the full names of the board of directors and the senior persons responsible for the operation of the body corporate?
28(3A) Has the relevant person taken reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar arrangement?
28(4) Is the customer beneficially owned by another person? (See regulations 5 and 6 for the meaning of beneficial ownership.)
28(4)(a)(b) and (c) Has the relevant person identified and taken reasonable measures to verify the identity of the beneficial owners? If the beneficial owner is a legal person, trust, company, foundation or similar arrangement, has the relevant person taken reasonable measures to understand the ownership and control structure of it?
28(6) If the beneficial owner of the body corporate has not been identified, and reg 28(7) has been applied, has the relevant person treated the senior person in that body corporate responsible for managing it as the beneficial owner?
28(7) and (8) Has the relevant person exhausted all possible means of identifying the beneficial owner and either not succeeded in doing so, or is not satisfied that the individual identified is the beneficial owner? If this is the case, has the relevant person taken reasonable measures to verify the identity of the senior person in the body corporate responsible for managing it, and kept records in writing of: all the actions the relevant person has taken in doing so, and any difficulties the relevant person has encountered in doing so?
28(9) What information has been used to satisfy reg 28(4) and what is the source of this information?
28(10) If a person ("A") acts on behalf of the customer, has the relevant person verified that A is authorised to act on behalf of the customer, and has A been identified and had their identity verified?
28(11) Has ongoing monitoring been conducted by the relevant person on the business relationship?
28(12) Do the customer due diligence measures undertaken by the relevant person reflect the risk assessment carried out under reg 18(1) and its assessment of the level of risk arising in any particular case?
28(13) Has the relevant person considered: the purpose of the account, transaction or business relationship; the level of assets to be deposited by the customer or the size of the transaction; and the regularity and duration of the business relationship?
28(16) Is the relevant person able to demonstrate to its supervisory authority that the extent of the measures it has taken to satisfy its requirements under the regulations is appropriate in view of the risks of MLTF, which include: the risks identified in the risk assessment carried out by the relevant person under reg 18(1), and the risks identified by its supervisory authority and in the information made available to the relevant person under regulations 17(9) and 47?

How to test compliance and evidence to obtain
Obtain evidence that the relevant person has identified the customer. The information obtained will depend on the type of customer.
Check whether the relevant person knows: who the customer is, who owns and controls the customer, what the customer does, what the customer's source of funds is and what their activities are, what the relevant person will be doing for them, and what the customer's legal structure is.

Check whether the relevant person has verified the customer (see Regulation 28(18) and (19)).
Obtain customer risk assessments, new client forms (onboarding forms) and existing client reviews, along with the dates on which they were completed, to assess whether CDD measures have been applied properly. Contracts, engagement agreements etc. should be obtained to support the purpose and intended nature of the business relationship.
If the customer has been assessed as low or high risk, has the relevant person applied a suitable level of CDD measures?
Best Practice
In general, we must understand the level of risk assigned to the relevant person's customers, and then check what CDD measures have been conducted and determine whether they are appropriate.
AMP
The customer for CDD purposes will vary, depending on the AMP's business model. It will be the purchaser of a work of art, and any broker or agent acting for them. It will be the seller, where the AMP provides a service to, and receives financial value from, them. Where the customer is acting as an agent, the AMP conducting the transaction has an obligation to carry out CDD on the agent and also on the ultimate customer.

CDD should include carrying out a lost/stolen database check.
ASP
Subcontracting - Where a relevant business (A) is engaged by another business (B) to help with work for one of B's clients (C), then the relevant business should consider whether its client is B and not C. However, both B and C may be deemed to be in a business relationship, depending on the circumstances. See parts 5.3.33 and 5.3.34 of the ASP guidance to determine which party or parties must have CDD measures applied.

EAB
CDD measures must be conducted on both the seller and counterparty (purchaser) in a transaction. For the seller, CDD measures must be conducted before the commencement of a business relationship (normally no later than the point of marketing a property) and on the purchaser when a seller accepts an offer (no later than the point of exchange). See part 4 of the EAB guidance.
LAB
A letting agent must also apply CDD measures in relation to any transaction which consists of the conclusion of an agreement for the letting of land (see Reg 13(7)): for a term of a month or more, and at a rent which, during at least part of the term, is equivalent to a monthly rent of 10,000 Euros or more. CDD measures must be applied to both the person by whom the land is being let and the person who is renting the land (please see regulation 27(7A) and (7B)).
HVD
CDD measures must be carried out on the customer when receiving a relevant cash payment, or on the supplier if making a relevant cash payment - see Regulation 14. Complete the HVD transaction testing sheet (found in the HVD section of the Knowledge Library) to ensure that CDD is carried out on all relevant parties to the transaction, e.g. the invoiced customer, the individual or business presenting the cash payment (including any couriers used) and the beneficial owner of the goods. Where customers have travelled to the UK to make a relevant cash payment, the business must ensure that the cash was declared to Customs on entry; if not, the source of the sterling in the UK must be established. If payment has been made via an MSB, the business must carry out checks to ensure that the MSB is supervised under the MLRs. Businesses may be required to carry out due diligence to satisfy other HMRC regimes; these checks will rarely satisfy all of the requirements of this regulation. Due diligence must include confirming that the customer is approved to carry out the activity to which the cash relates (e.g. Alcohol Wholesaler Registration Scheme (AWRS)).
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

HVDs who are/were monitored by HMRC Supply Chain Fraud Teams may have been asked to undertake CDD. It is likely that this CDD does not satisfy the requirements of MLR2017.

MSB
See parts 4.1, 4.2 and 4.3 of the MSB guidance for information on who the customer is and where CDD measures need to be applied.
TCSP
Company formation is considered to be a business relationship (see Regulation 4 and 4.9 of the TCSP guidance), therefore CDD measures must be applied.
Further Reading
Chapter 4 of MSB Guidance
Obligation to apply enhanced customer due diligence - Regulation 33

FAQs
What information must be included when identifying a customer?
How do we effectively test CDD measures during a DBI?
What is the definition of a 'body corporate'?
What do I do if a business is reluctant to provide information due to GDPR concerns?
The Information Commissioner's Office website sets out that businesses are permitted to share data with law enforcement authorities who are discharging their statutory law enforcement functions: https://ico.org.uk/for-organisations/data-sharing-information-hub/sharing-personal-data-with-law-enforcement-authorities