Customer Due Diligence
Customer due diligence (CDD) is a cornerstone of your anti-money laundering and counter financing of terrorism (AML/CFT) regime. CDD is the process through which you develop an understanding of your customers, and the money laundering and terrorism financing risks they pose to your business. Knowing who your customer is, verifying the information provided and establishing their risk profile assists you in protecting your business from misuse.
There are three levels of CDD: standard, simplified and enhanced. The type of CDD you should conduct on your customer depends on the risks presented by your customer and the types of activities and transactions they undertake. At the beginning of the relationship, and on an ongoing basis, you should assess what level of CDD applies. This post provides you with an overview of your CDD obligations and it focuses on the three levels of CDD.
When to Conduct Customer Due Diligence
You must conduct CDD in the following circumstances:
when establishing a business relationship with a new customer;
if a customer seeks to conduct an occasional transaction or activity;
as soon as practicable after you become aware that an existing customer file is anonymous; and
if you are a designated non-financial business or profession, when an existing non-captured customer requests captured services.
Ongoing Customer Due Diligence
As part of your obligations, you are also required to conduct ongoing CDD. This means that you must review your existing customers and establish if you have sufficient information on them. You should conduct ongoing CDD on an ongoing basis, and based on the level of risk, for example, you could monitor high risk customers every year, and medium/low risk customers less often. You should also conduct ongoing CDD after a trigger event, for example, if you consider that a material change in the business relationship with the customer has occurred, like, the customer instructs you with a new request for services, or if the customer communicates to you that something has changed, like their bank account details. When you do ongoing CDD, you need to review the information you already have on file for the customer and assess what is outstanding and what needs to be requested from them.
Standard Customer Due Diligence
You will probably apply standard CDD on the majority of your customers as it applies to low and medium-risk companies, individuals and partnerships.
When applying standard CDD, you must verify the identity of the customer, any beneficial owners of the customer and any person acting on behalf of the customer.
Beneficial Ownership
If the customer is an entity, for example, a company or a partnership, you must verify the identity of each beneficial owner, defined as an individual:
who has effective control of a customer or person on whose behalf a transaction is conducted; or
who owns more than 25 per cent of the customer; or
who has ultimate ownership or control of the customer, whether directly or indirectly; or
on whose behalf the transaction is conducted that is a customer of a customer, but only if the person has ultimate ownership or control of the customer, whether directly or indirectly.
A beneficial owner is an individual (a natural person) who satisfies any one element or any combination of the four elements. For example, if your customer is a company, your customer’s beneficial owners will be the directors of the company and any individual shareholders who hold more than 25 per cent of your customer’s shares, whether directly or indirectly. You will need to record in the customer’s file all the documents that have been necessary to establish the customer’s ownership structure, for example, the Company Extract or an ownership tree/diagram. For further information on the beneficial ownership refer to the Beneficial Ownership Guideline, Guidance: Customer Due Diligence – Companies and Guidance: Customer Due Diligence – Limited Partnerships
Identity Requirements
For your customer or beneficial owner of the customer, you must collect and verify the following information:
the person's full name;
the person's date of birth; and
the person's address.
The verification of identity must be done on the basis of documents, data, or information issued by a reliable and independent source. This means, for example, that you need to obtain your customer’s passport to verify their name and date of birth, and a utility bill to verify their address. For further information on the verification of a person’s identity see the Amended Identity Verification Code of Practice and our post here.
Nature and Purpose
In addition to the above, you must also obtain information on the nature and purpose of the proposed business relationship between you and the customer. Such information must be sufficient to determine whether the customer should be subject to enhanced CDD.
Nature and purpose are two distinct concepts. The nature of the relationship includes information on the service provided to your customer, how much business (volume and value) is expected, and how regular their interactions will be. The purpose of the relationship relates to understanding what the customer is trying to achieve in the use of the service, i.e., the reasons why the customer would like a particular service.
Simplified Customer Due Diligence
Simplified CDD can only be conducted on a specified set of customers. The full list of entities to whom simplified CDD applies is included in Section 18 of the AML/CFT Act. Some examples are:
a listed entity;
a local authority; and
a state enterprise.
In practice, if you assess that simplified CDD applies to one of your customers, you will only need to obtain the proof of identity of the person acting on behalf of the customer (for example the person’s passport) and proof that such a person is authorised to act on behalf of the customer (for example, if the person acting on behalf of the customer is the in-house lawyer, a screenshot of the person’s email with the customer’s logo in the signature would function proof of their authority to act).
Considering the high compliance risk you may face if failing to complete standard CDD on a customer, because such a customer was wrongfully assessed as a simplified CDD customer, we suggest that each customer request for simplified CDD is formally assessed and approved by the AML/CFT Compliance Officer. To corroborate the assessment, proof of the reason why simplified CDD applies should be saved on file, for example, a screenshot of the relevant NZX webpage for a New Zealand listed entity.
Enhanced Customer Due Diligence
Section 22 of the AML/CFT Act prescribes some circumstances under which you must conduct enhanced CDD. Some examples of these circumstances when enhanced CDD applies are when the customer is:
a trust,
a non-resident from a country identified by the Financial Action Tasks Force as being a high-risk jurisdiction subject to a call for action (at the time of writing, North Korea and Iran);
a company with nominee directors/shareholders or shares in bearer forms;
a politically exposed person; and
a high risk customer.
Similarly, to what stated above for standard CDD, you will need to identify the beneficial owners of the customer and then verify the identity of each relevant person. Many of your enhanced CDD customers will be trusts and therefore we provide a summary below of what is required.
Trusts
For a trust the beneficial owners (not to be confused with the beneficiaries of the trust) usually include the trustees. When professional entities are appointed, for example as corporate trustees (i.e., a company, usually a law or an accounting firm, acting as the trustee of the trust), you also need to identify the individual(s) representing the corporate trustee or agent (i.e., the one or more lawyers or accountants who are effectively acting as the trustee).
In addition to the trustee, you will need to identify any other individual who has effective control over the trust, specific trust property, or with the power to amend the trust’s deeds, or remove or appoint trustees. This might include a protector or special trustee (if there are any), or one or more of the beneficiaries of the trust. The trust deed would usually contain such information.
The trust deed will also help you to collect the following information, which is also required by the AML/CFT Act to be collected:
for a trust that is a discretionary trust with more than ten beneficiaries, a description of each class or type of beneficiary;
for a charitable trust:
a description of each class or type of beneficiary; and
the objects of the trust;
for a trust that is not falling under either of the points above, the date of birth of each of the beneficiaries of the trust.
Information on charitable trusts can be found in the trust deed or the Charities Register.
Source of Funds or Wealth
In addition, you must also obtain and verify information on the source of funds or wealth of your customer.
The source of wealth is the origin of your customer’s entire body of assets. This information gives an indication of the amount of wealth that your customer would be expected to have and a picture of how they acquired it. The source of funds is more narrowly focused. It is the origin of the funds used for the transactions or activities that occur within the business relationship with you.
When you are establishing or updating your customer's risk profile, you may need to collect and verify information regarding their source of wealth. However, when enhanced CDD is triggered by circumstances involving transactions or activities, you may need to focus more specifically on the source of funds. It is important to remember that a customer’s source of wealth/funds does not exist in isolation from each other. You must determine when to examine the customer’s source of wealth, funds or both.
Moreover, you must:
take reasonable steps, according to the level of risk involved, to verify the source of funds/wealth information using reliable and independent sources.
carry out the verification of source of funds/wealth information also for low risk trust. ‘Reasonable steps’ does not mean ‘no steps’.
be satisfied that the nature and size of the customer’s wealth match what you know about them.
Documents verifying the information on the source of funds/wealth, trust deeds and other documents on the structure of the trust, identity verification documents on the beneficial owners, and information on the nature and purpose of the business relationship must be collected in the customer’s file.
For further reading on enhanced CDD see the Enhanced Customer Due Diligence Guideline and the Customer Due Diligence – Trusts.
Additional Enhanced CDD Measures
In some circumstances, obtaining and verifying information relating to the customer’s source of wealth and/r funds may not be sufficient to manage and mitigate the ML/TF risk. For these situations, you must carry out additional enhanced CDD measures before establishing, and during a business relationship. There are four additional enhanced CDD measures prescribed in regulations. You should consider which one or a combination of the following is appropriate in the given circumstances:
obtaining further information from the customer in relation to a transaction; or
examining the purpose of a transaction; or
enhanced monitoring of a business relationship; or
obtaining senior management approval for transactions or to continue the business relationship.
The four above-mentioned additional enhanced CDD measures is a non-exhaustive list. There may be other enhanced measures you can take that are more appropriate and/or necessary to mitigate the ML/TF risks faced by your business. Your additional enhanced CDD measures, and the circumstances in which you utilise them, should be detailed in your AML/CFT programme.
What’s Next
If you have any questions, get in touch and we will help you navigate your CDD requirements.