Criminals often try to hide who is controlling the movement of funds or assets by using complex and opaque ownership structures.
This is why CCD is so important because knowing your clients and their businesses means you are better placed to mitigate any potential money laundering or terrorist financing risks.
At its most basic, CDD involves getting to know who the client is, understanding its business activities, assessing the risks, and then verifying what you’ve been told.
“By really getting to the bottom of who the client is, what they do and what service they want you to do for them, you’ll be able to understand whether there is any risk of them involving you or your firm in laundering money,” explains Nikhil Manek, MLRO and Head of Anti-Financial Crime Internally for KPMG.
Know your client
“Under the Money Laundering Regulations, you must perform CDD at certain times before and during a business relationship,” says Sandy Price, AML Manager, Professional Standards, ICAEW. The CCAB AML Guidance for the Accountancy Sector provides extensive guidance on when you should carry out CDD and explains the three key stages.
The first stage is identification, which involves identifying the client and what they do. When you’ve gathered sufficient information, you need to perform a risk assessment and assign a risk to the client. You then have to carry out a risk-based verification process, which involves gathering evidence to demonstrate that what you’ve been told is true.
“When a client comes to you, the first thing you’re going to do is find out who the client is,” explains Sandy. “You want to know who owns and controls the client, what it does and what activities it wants you to perform. This is an information gathering exercise.”
Know your client processes (KYC) are fundamental to your AML defences. “The basics of KYC are really the same regardless of where you work or the size of your firm,” says Jonathan Wright, Deputy Global Financial Crime Leader at EY. “So, at a minimum, the sorts of things you would all need to get is the name and address of the client, where it’s based, what it does and where it operates.”
The identification phase may also include establishing the identity of anyone who ultimately owns or controls the client. These people are the beneficial owners (BOs). “If it’s a corporate entity, you should also understand who owns the shares and voting rights, from which you can then determine if any are persons that meet the BO definition,” says Jonathan.
It’s also important to consider those holding key management roles. “They may exercise control over the day-to-day running of the business,” explains Nikhil. “You may also want to look at non-executive directors and strategic advisory boards to see who else is involved in some shape or form in running the business, and assess whether there’s a risk.”
Gathering information on the nature of the client’s activities is another critical part of KYC. This would include what the client does and where; whether it has any overseas reach; and whether there are any associated individuals who are subject to sanctions, or are politically exposed persons (PEPs). Screening tools and public domain searches, including searches for adverse media, can support this.
Building blocks
Jonathan recommends documenting KYC information in a standard and uniform format. “We try to apply consistency to client files and as part of that I always try to impress upon our client onboarding team that they need to ‘tell the story’ of the client,” he says.
“What I mean by that is that when they arrange their KYC, it helps if there is some kind of logical flow. So, you start with the name and where it’s incorporated and then build up to who the owners and controllers are. Tell the story – if it is a bit of jumble it won’t make sense to me or to reviewers when they look at the file.”
The KYC process can often lead to more questions. “We provide our engagement teams with an itemised list of basic CDD they need to gather,” he notes. “But we always caveat that to say we may need more once we’ve assessed the information – it’s all about those building blocks.”
“In the initial meeting or discussion with the client, you might want to ask them to bring along identity verification such as a passport or driving licence, just so you have it at the start,” he explains.
“But you also want to set expectations at this point and be clear that this isn’t the start and end of the process. This is an initial request that you’re likely to need for every single scenario. You may then want to come back to them for more information after you’ve done your KYC and risk assessment.”
Assessing the risk
Once you’ve gathered all the KYC information, you need to assess it to see if there are any AML risks or red flags. “It’s no good just ticking boxes,” warns Jonathan. “You’ve got to assess that information to identify possible risks.”
“Based on the regulations, guidance from CCAB and our own firm-wide risk assessment, we’ve built a list of factors that we’d always want to consider when conducting a client risk assessment,” he explains. Typically, that would consist of asking about the structure of the firm, for example: Is it clear? Is it transparent? Have we been able to identify the beneficial owners?
Another important risk factor is the client’s business – whether it’s cash intensive, for example, or in a higher risk industry. “We’d also look at whether the client is a high net worth individual or PEP,” says Jonathan. “And at geography – whether the client is connected to any high risk jurisdictions, where it operates, who it does business with, and where the BOs or key management live.”
The type of services the client needs is equally important. “You can get very fixated on the client itself – but the services are important as well,” says Jonathan. “So, also think about whether you’re helping with tax returns or helping to restructure the company.”
The answer to each of the questions relating to the factors on the list is indicative of a level of risk, and you can use those individual risk scores to help drive an overall risk rating of low, normal or high.
Verification is the next step and should be based on the risks identified. “At this stage you are trying to prove that the client or individuals are who they claim to be, and they are doing what they say they are doing,” says Sandy.
The CCAB guidance covers verification in detail, including practical examples. “If you haven’t yet looked at the CCAB guidance we highly recommend you do,” suggests Sandy. The AML team has also produced a webinar focusing on this aspect of CDD.
Documenting the process
As part of AML requirements, ICAEW-supervised firms must be able to prove to ICAEW that they have performed appropriate risk-based CDD.
“What our reviewers expect to see on their visits is documentation,” explains Sandy. “We want to see you’ve identified your client, that you have documentation that explains who your client is and, if it’s a corporate, that you know who the BOs are or who controls it.”
Reviewers also expect to see a documented risk assessment. “We want to see how you decided on the risk,” she says. “It doesn’t need be an extensive checklist; it can be a handwritten paragraph on your considerations of the risk and your conclusion.”
For the final stage of the process, you need to show you’ve verified information based on risk by setting out what you have done to ensure the client is who say they are and is operating in the way they tell you.
“When you take on a client that is what we expect to see on each file – a summary of the processes you’ve been through,” says Sandy. But firms also need to show they are doing ongoing DD. “We sometimes find firms are not properly evidencing this,” she explains. “If nothing has changed, this could be as simple as a signature and date noting that you’ve done it and thought about it.”
Informed decisions
By conducting effective CDD you’re fulfilling your legal and regulatory requirements. But you’re also equipping yourself to make informed decisions about your clients, and protecting your firm and other people from the risks of money laundering.
“Fundamentally, it’s only through this process that you can identify the AML risks a client may present to you or the firm, and equally how you can mitigate them,” emphasises Jonathan. “To mitigate risks, you’ve first got to know what they are and understand them.”
A recent survey of randomly selected ICAEW member firms found that one in five had rejected a client take-on in the past year as a result of their CDD procedures.
“This really demonstrates the importance of CDD to our firms and the seriousness with which they approach CDD,” says Sandy. “Had those firms not been employing effective and robust measures, they could potentially have been taking on risky clients.”