Simplified and enhanced due diligence: one size doesn't fit all

Anti-money laundering (AML) experts Angela Foyle from BDO and Jonathan Wright from EY talk about ‘simplified’ and ‘enhanced’ due diligence, and explain why there’s never a one size fits all approach to managing AML risk.

All ICAEW-supervised firms are required to carry out customer due diligence (CDD) to reduce the risk of being used by criminals to launder money. But some firms are still unsure where and when to apply ‘simplified’ and ‘enhanced’ due diligence.

The Money Laundering Regulations require that the extent and breath of your CDD measures reflect your assessment of the risks. This effectively means you pay extra attention to any higher risk cases and, at the same time, avoid disproportionate effort for lower or normal risk cases.

In this context, simplified due diligence (SDD) can be applied in certain circumstances where you have determined a client as low risk. Enhanced due diligence (EDD) applies to the opposite end of the risk scale, for high risk clients.

Keeping it simple

“The legislation says you can only carry out SDD if the engagement or client has been assessed as presenting a low degree of risk,” says Angela Foyle, Head of Risk Management and Economic Crime at BDO Global Office, and ICAEW Regulatory Board member. But what that means in practice is not spelled out in the legislation, which can lead to confusion.

In deciding whether you can apply SDD to a particular client, you have to meet a number of conditions. “First, your business-wide risk assessment has to support the low risk rating you’ve assigned the client,” Angela explains. “You also have to take account of any risks in the National Risk Assessment and in the sectoral risk outlook from the Accountancy AML Supervisors Group.”

The Money Laundering Regulations set out low risk indicators, and you need to factor these into your decision too. They include:

public authorities or state-owned businesses;
lower risk geographic location – both of the client and its activities;
regulated businesses – such as banks and other financial institutions; and
businesses listed on the stock exchange (or a foreign exchange where the rules are equivalent to those in the UK).

"It's worth saying, however, that indicators are exactly what they say they are - indications,” emphasises Angela. “In some cases, there may be other factors involved that highlight a slightly higher level of risk, in which case you need to consider those factors.”

“And if you think there are any elements of higher risk, you need to think about how to mitigate these, which would effectively mean that SDD doesn’t apply.”

Applying SDD

When deciding whether to apply SDD, you must consider the risks identified in your firm-wide risk assessment.

For example, you need to look at what services you’re being asked to provide. “Is this simply bookkeeping or is it TCSP (Trust and Company Service Providers) services?” says Angela. “And if it’s something assessed as higher risk in your firm-wide assessment, then SDD is not appropriate, even if other conditions are met.”

Also consider whether there’s a specific characteristic of the client that would cause it to be in a higher risk category, for example a cash-based business. In situations where something else triggers a concern, for example an adverse open source search, even if the client otherwise would qualify as low risk, these concerns need to be resolved, which means SDD is not appropriate.

Verification modification

The regulations are not specific about what SDD entails. All they specify is that you must comply with the standard CDD measures but may vary the extent, timing or type of measures taken to reflect the lower risk.

The CCAB AML Guidance for the Accountancy Sector adds, as an example, that SDD would allow a firm to modify its verification measures, for instance you might not ask for as much identity documentation.

Examples of SDD may include:

In the case of a corporate client, perhaps only verifying a single director’s identity.
Reducing verification requirements for ultimate beneficial owners
Requiring fewer identity documents for an individual.
Carrying out periodic monitoring at longer intervals.

“Even when you apply SDD, ongoing monitoring is still required,” explains Angela. “And one of the key things you need to think about is whether anything in the relationship or work you’ve carried out indicates that your decision to apply SDD is not appropriate.”

Firms also need to document their processes, explaining exactly what CDD steps are required when SDD is permitted. ICAEW reviewers will expect to see evidence of this.

Heightened investigation

At the other end of the risk scale is EDD. “This is really heightened investigation; it’s the measures you take in addition to standard CDD,” explains Jonathan Wright, Deputy Global Financial Crime Leader at EY. “You’d perform EDD where you believe you face increased risk or likelihood of money laundering or terrorist financing, or facilitation of any other financial crime."

The requirements for EDD come under Regulation 33 of the Money Laundering Regulations, which sets out the circumstances in which you must apply EDD. These are where:

your risk assessment of the client identifies a high risk of money laundering
the client is established in a high risk third country or either of the parties to the transaction is established in a high risk third country
the client is a politically exposed person (PEP) or a family member or known close associate of a PEP
the client provides false or stolen ID documents
there are complex or unusually large transactions, or when there is an unusual pattern of transactions with no apparent economic or legal purpose
there is any other case which, by its nature, presents a higher risk

“For some of these triggers, it will be to some extent dependent on your business whether you feel EDD is applicable,” says Jonathan. “For example, if we consider complex transactions or arrangements, that’s likely to be personal to you and your firm. What is complex to your firm may not be to another firm.”

“One idea to take away is to consider whether you could define some of these terms in the context of your own business and what conditions should typically be met for EDD to apply,” he suggests.

Referring to the point about providing fake or stolen ID, he notes that while he can’t be prescriptive, he would imagine most firms presented with this situation would first consider declining the business, rather than move straight into performing EDD.

ICAEW’s monitoring visits suggest some firms are still confused about what is meant by a high risk third country. Pre Brexit, the UK followed the EU’s lead on this, but since January 2021 it has created its own list, and each country on this list has significant deficiencies in its national AML and terrorist financing regimes.

In practice, the list has been aligned with that of the Financial Action Taskforce (FATF). “If you’ve not been on the FATF website,” says Jonathan, “then I would encourage you to look as there is interesting information on new and emerging risks from a financial crime perspective.”

The UK list should be viewed as a baseline,” he adds. “If you do business in other jurisdictions outside the UK that your firm isn’t used to, you may want to build your own internal list.”

A questioning mindset

“When it comes to EDD,” emphasises Jonathan, it’s very clearly a must – not a ‘may’, ‘should’ or ‘consider’. EDD is not ‘a nice to have’ but something you’re expected to do and have evidenced and documented.”

“You should always avoid a box ticking approach to CDD,” he stresses. “And in the context of EDD what that means is that the questions you ask should be built around the circumstances of the client with which you’re looking to do business, because there is no one size fits all approach to EDD. You always need to adopt a questioning mindset.”

“Don’t be afraid to ask questions where something doesn’t seem right,” he advises. “Avoid sounding apologetic or as if you’re ticking boxes or being excessively bureaucratic. If you do that, you lose leverage with your client. When you don’t believe in the question you’re asking, the client may bat it back to you. So go into your questioning with confidence.”

Publicly available open sources, screening checks (including ICAEW’s client screening service for members and subscription services are all useful tools in conducting EDD.

As with SDD, you need to ensure you have documented policies and procedures for the situations in which you will apply EDD, and record your decisions and rationale – both to accept and decline a client.

Above all, always use your professional scepticism, advises Jonathan. “No one knows your business better than you,” he stresses, “And that puts you front and centre when making any calls about what does, and does not, look right.”

Resources

Watch ICAEW’s AML webinars on CDD, verification and risk assessment, or any of the previous webinars
Read the CCAB AML Guidance for the Accountancy Sector
Check out ICAEW’s AMLbites
Customer due diligence: telling the story ICAEW’s AML supervisory team and AML professionals from leading firms explain the fundamentals of CDD and provide some practical tips.
Read more articles about CDD

Benefits of membership

Becoming a member

Pay fees and subscriptions

Member rewards

Support throughout your career

Member Insights Survey

Digital learning materials via BibliU

Take a look at ICAEW training films

Volunteering roles

Advertise with ICAEW

"How to guides" for ACA students

Exam resources

Digital learning materials

My online training file

Student Insights

UK groups and societies

Worldwide support and services

Strengthening trust in the profession

Regulatory applications