Client verification is the evidence gathering stage of CDD, and is driven by a risk assessment of the client.
"Through the risk assessment, you've got to be looking at all the risks involved with a particular client, as well as all the information they're providing to you about themselves," explains Michelle Giddings, ICAEW's Head of AML. "And then you have to make sure you have enough evidence to verify all of those pieces of information."
The CCAB AML Guidance for the Accountancy Sector sets out who you need to verify and outlines the key requirements. But, as a general rule, the higher the risk associated with a client, the more verification you will need to do.
"There are various different types of information you might want to verify, and there are various ways of doing it," says Vicky Soffa, Deputy MLRO, Financial Crime Team, Deloitte. Broadly, verification sources fall into three categories: client-sourced, publicly available, and proprietary information and software.
In many cases, the client will hold the verification documents you need. These include identity documents such as passports and driving licences; other documents evidencing addresses (such as utility bills); and trust, power of attorney or probate documents.
Government-issued documents such as passports and driving licences are a primary source of verification. CCAB guidance notes that these are deemed an independent and reliable source, even if provided by the client.
Other documents obtained from the client might need further verification based on the risk you’ve identified, for example confirming documents with public records.
"Your primary source is often going to be client-sourced information," says Vicky. "But you do need to think about the fact that if it’s coming direct from the client, is it something you might need to corroborate from another piece of evidence?"
You might need to get it certified by an appropriate third party if you're not seeing an original or, based on the risk, you might want to get more pieces of information to back it up.
Confidence in validity
If information in passports or other documentation is in another language, you need to be confident you understand what it's telling you. "We always ask for translation by someone competent," says Angela Foyle, Head of Risk Management and Economic Crime at BDO Global Office. "It doesn't necessarily have to be the whole document but certainly the relevant bits."
A common question firms ask is whether, if they’ve not met someone and they are overseas, should they always get documents certified, or is a copy sufficient?
"I would always ask for certified documents," says Angela. "Even in the UK it's possible to get a fake document and that’s when you already know what a utility bill or driving licence looks like."
If you have overseas clients, it can be helpful to check the Public Register of Authentic identity and travel Documents Online. "This gives you examples of identification documents specific to that country," says Sandy Price, AML Manager, Professional Standards, ICAEW. "It gives you an idea of what you are looking at and whether it is a valid document for that country."
Public sources
Verification for low-risk clients is relatively straightforward, but in higher risk cases it may be necessary to seek further information. An example of this would be the verification of the type of business conducted by the client or the source of wealth.
This is often where public sources, including open-source media (newspapers, internet searches), Companies House, and other publicly available trade and professional registers, come into play.
Companies House is a useful source of information. But it has its limitations. "If you're verifying directors, Companies House in isolation won't serve that purpose because it might not always be accurate," warns Sandy.
There are, however, efforts underway to make information at Companies House more reliable. The Register of Overseas Entities now requires certain information to be verified, discrepancy reporting has been extended from 1 April 2023 and the Economic Crime and Corporate Transparency Bill aims to give Companies House more powers to remove false information, as well as introducing verification.
Using open searches
Search engines can be one of best resources for finding out information about your client and individuals connected to them. "What we normally do is have a string of key words – for example, name of client, plus key words such as corruption, politically exposed person (PEP), bribe or fine – to narrow the search," says Vicky.
"Go through the pages and have a quick look at what's coming up; and take a note of anything that is interesting. That will give you quite a good feel about your clients. It might be that nothing comes up. That's not necessarily a problem; you just need to think: does that align with what I'd expect for an individual or company of this sort?"
"Depending on the client and the associated risk, going through a few more pages of search results lower down can be very enlightening," adds Michelle. "For those who want to, there are ways to suppress information in searches and push it down the pages, so there can be a huge raft of information on the later pages."
Electronic verification
In addition to public sources and the client's personal documents, you can also pay for a range of proprietary services. These include electronic sources of verification, software that screens for sanctions and PEPs, and subscription media services.
Many firms rely on electronic verification procedures. But if you choose to use these, you must be clear about the sources these are using, and what a pass or fail means.
The CCAB guidance advises looking at a range of key aspects:
- Does the system draw on multiple sources?
- Are the sources checked and reviewed regularly?
- Are there control mechanisms to ensure data quality and reliability?
- Is the information accessible?
- Does the system provide adequate evidence that the client is who they claim to be?
- How are PEPs defined?
- Are there searches of adverse media coverage?
"Don't blindly accept what the reports are saying," warns Sandy. "You have to think about the validity of the information you're getting."
"Check your contract for the different sources that the system is using to verify the client," she says. "And check things like how regularly your system is updating against sanctions lists – is it daily, weekly, or monthly? Some systems don't update their sanctions list more regularly than 30 days, and the rapid pace of change in sanctions over the past 12 months has shown that this might not be enough."
She also advises checking the accessibility of the information. "Can you get it easily in a format you can keep for evidence? Can you interpret the information, and do you understand what checks have been carried out? Where is the evidence coming from?"
"Firms need to know whether they've bought access to software that covers know your client (KYC), risk assessment or verification checks," adds Michelle. "Not all systems do all three. Sometimes, we find that firms think their electronic system is recording a risk assessment when it's only doing identity verification of key contacts or beneficial owners."
Firms often ask whether ICAEW holds a list of approved providers for electronic verification. "We don't," she explains. "And that's partly because we expect firms to be able to identify whether a particular provider is doing the searches they require in accordance with their own policies and procedures."
ICAEW does, however, offer its members a sanctions and PEP checking service which provides three free searches per week.
Recording the evidence
During ICAEW monitoring visits, reviewers will expect to see your firm's risk assessments and evidence of appropriate verification that links back to the risk assessments.
"The AML regulations do require you to evidence that you've performed the risk assessment and that you've verified the client, and you need to be able to evidence that," says Sandy.
"Risk assessments don't have to go into huge detail," she adds. "But they need to set out a summary of what you have identified as the risk."
"Then you need to set out what the next steps are – what the verification procedures that you've taken, and why, and show that these are linked directly to those risk assessments."
Firms often say to ICAEW: 'We have a client in a certain scenario doing X, Y or Z, is it enough just to get their passport?'
"It's really difficult to answer specific questions," says Michelle. "We can give some examples, but it's for you to really drill into the risks associated with a particular client – the risk to you as a firm and whether the client could be using you to facilitate money laundering. And then you've got to gather the evidence necessary to address those points and satisfy yourself that everything you've been told is accurate."
To find out more about verifying directors and beneficial owners, dealing with overseas clients, and what to look for in sanctions checks, watch the AML team's webinar on client verification.
The speakers also take you through three very different case studies of client scenarios, setting out the questions to ask and the verification steps that might be expected.