Skip to main content
HMRC internal manual

Anti-money laundering guidance for supervised businesses

AMLG11300 - Guidance for all sectors: Customer due diligence (CDD)

13. Customer due diligence (CDD)

 

13.1 What is CDD?

CDD, sometimes referred to as “know your customer” (KYC), is the collective term for the checks businesses must do on their customers and, where applicable, beneficial owners. There are different levels of due diligence measures which need to be applied dependent on the degree of risk associated with the type of customer, business relationship, product, or transaction.  In certain lower risk situations, simplified due diligence may be applied (AMLG11500), while enhanced due diligence is required in certain higher risk cases (AMLG11700). In any case, the measures should be sufficient to obtain a picture of the money laundering, terrorist financing and proliferation financing risk associated with the customer and effectively mitigate and manage that risk. You must be able to demonstrate to HMRC that the extent of the CDD measures you take are appropriate to the risk of money laundering, terrorist financing and proliferation financing to which your business is exposed.

 

Who is your customer?

Understanding who is your customer, is crucial to defining your CDD obligations under the Regulations. Who your customer is can vary for each supervised sector. For guidance on the meaning of customer, please see the sector-specific guidance in Part 2. 

 

13.2 What does CDD involve?

Full details of the CDD requirements under the Regulations are set out in AMLG11400 but the key requirements include the following:

  • Identifying all customers and verifying their identity through identity documents, such as a passport, official corporate documents, or electronically. For further information on what action is required to check and verify your customers identity see AMLG11400.
  • Where applicable, identifying all beneficial owners of your customers and taking reasonable measures to verify their identity. For further information on CDD and beneficial owners see AMLG11400.
  • Taking reasonable measures to understand the ownership and control structure of a customer that is a legal person, trust, company, foundation or similar legal arrangement.
  • Assessing and where appropriate, obtaining information on the purpose and intended nature of the business relationship or occasional transaction, for example, the source of funds and source of wealth, the purpose of transactions, and so on.
  • Conducting ongoing monitoring of the business relationship, to ensure transactions are consistent with what the business knows about the customer and the business’s risk assessment and confirming, on a risk-based approach, the source and origin of funds that your customer will be using in the relationship.
  • Retaining records of these checks and updating them when there are changes.

Identifying and verifying the identity of any person purporting to act on behalf of a customer and verifying they are authorised to do so.

Where the customer is a business that carries on regulated activity, HMRC also expects you to check that the customer is supervised for anti-money laundering purposes.

Important note: 

‘Reasonable measures’ means risk-based, proportionate and effective in mitigation of the identified money laundering and terrorism financing risks. You should consider whether you are comfortable that you would be able to demonstrate and evidence the extent to which you have sought such information and verification to HMRC upon request.


13.3 What are the mandatory CDD requirements?

Whilst the risk-based approach gives you some discretion to decide the extent and nature of the CDD measures that you apply, there are certain mandatory requirements under the Regulations that you must comply with.

You must:    

  • Complete CDD on all customers and beneficial owners when establishing a business relationship.
  • Complete CDD when carrying out an occasional transaction that amounts to a transfer of funds exceeding £800. This applies even if you knew them before they became your customers. See section 13.7 for further guidance on CDD and occasional transactions, along with Part 2 for specific information for your sector.
  • Complete CDD when you suspect money laundering or terrorist financing (risk indicators for money laundering and terrorist financing can be found in Part 3 – the understanding risks and taking action documents for each sector).  
  • Complete CDD if you have doubts about the accuracy or adequacy of documents or information previously collected for due diligence.  
  • Complete CDD when carrying out an occasional transaction which is over the threshold amount specified for your business sector. See section 13.7 for further guidance on CDD and occasional transactions.

  • Where a person purports to act on behalf of the customer, you must ensure that they are authorised to do so, identify them, and verify their identity. These obligations are contained with regulation 28(10). Employees or staff of a business acting on its own behalf (for example a member of staff transacting using a company credit card) should be considered to be acting as the business itself and are therefore not subject to the obligations under regulation 28(10).  
  • Apply EDD to take account of the greater potential for money laundering or terrorist financing in higher risk cases, including in respect of politically exposed persons (PEPs) and transactions where either party is established in FATF Call for Action countries. See AMLG11600 for further information on EDD.   
  • Apply CDD when you become aware that the circumstances of an existing customer have changed. This may require you to review the extent of due diligence undertaken, for example, applying EDD if the customer now represents a higher risk.   
  • Not deal with certain persons or entities if you cannot complete CDD and consider making a suspicious activity report (SAR) in these circumstances.
  • Have a system in placefor keeping copies of CDD and supporting records in accordance with the record keeping requirements set out in the Regulations and keep the information up to date.   
  • Understand the legal and beneficial ownership or control structure of a customer when the customer is one of the following:  
    • Legal person  
    • Trust   
    • Company   
    • Foundation   
    • or similar legal arrangement  

You should have procedures to identify those who cannot produce standard documents, for example, a person not able to manage their own affairs.

If the other party to the transaction is in the UK and in a regulated business, part of your CDD should include checking if they are registered with HMRC, or another relevant supervisor for AML supervision. You can check HMRC’s register of supervised businesses  Other supervisor’s lists of supervised businesses are often found on their websites. Where you establish that a business is trading in a relevant sector without the required supervision, you should report this to HMRC via the following link.


13.4 Timing of CDD

The customer's identity and, where applicable the identity of a beneficial owner, must be verified before establishing a business relationship or carrying out a transaction where CDD is required.    

The only exception to this requirement is in relation to a business relationship where both the following apply:  

  • It is necessary to begin setting up a business relationship before verifying the customers identity so as not to interrupt the normal conduct of business, and 
  • There is little risk of money laundering, terrorist financing.

Important note:

  • This exception is very limited. It allows for verification to be completed when setting up the business relationship only and the verification must still be completed as soon as practicable after contact is first established.   
  • This exception does not mean that you can delay customer due diligence because it is hard to verify a customer’s or beneficial owner’s identity.  
  • To use this exception, a business is expected to maintain a written record as to why, in relation to its risk assessment, it considers the business relationship presents little risk of money laundering or terrorist financing in line with its risk assessment, and to provide this record to HMRC on request.

 

13.5 What you must do if you cannot comply with the CDD requirements

If you cannot comply with the customer due diligence measures, then you must not establish a business relationship or carry out an occasional transaction with or for the customer.

  • You must terminate any existing business relationship with the customer. 
  • You must consider making a suspicious activity report (SAR). For further information on submitting a SAR see AMLG11100.
  • If no suspicious activity report is made, you must record the reasons why it is considered that a report is not required. 

If money has already been deposited in an account as part of the transaction, you may repay this to the person who deposited it, in the same method and to the same account it originated from, unless you suspect money laundering, terrorist financing or proliferation financing, in which case you must, where the exemptions don’t apply ask the NCA for consent before it is repaid by submitting a request for a Defence Against Money Laundering (DAML). For further information on submitting a request for a DAML see AMLG11100 

Please see the sector specific guidance for more information on non-compliance with CDD in your regulated sector. 

Important note:

In the case of a customer that is a supervised business you should not continue with that business relationship or transaction if the business is not registered for supervision, and they should be. You should report this to HMRC.


13.6 CDD and business relationships

You must complete CDD on all customers, beneficial owners, and anyone purporting to act on behalf of the customer, before establishing a business relationship. See 13.4 above in relation to the timing of identification and verification of the customer.

A business relationship is a business, professional or commercial relationship between a business and a customer, which the business expects, on establishing the contact, to have an element of duration.  

For example, a business relationship exists where any of the following apply:   

  • Another person or business is your customer and there is an expectation of repeat or ongoing business and/or transactions.    
  • You set up a customer account.    
  • There's a contract to provide regular services. 
  • You give preferential rates to repeat customers.    
  • Any other arrangement that facilitates an ongoing business relationship or repeat custom, such as providing a unique customer identification number for the customer to use.   

Please see the sector-specific guidance for further information on business relationships within your regulated sector, as some sectors operate differently with regards to what constitutes a business relationship.


13.7 CDD and occasional transactions

If you are not entering a business relationship with a customer as set out above, you must still complete CDD on all customers and beneficial owners carrying out an occasional transaction over certain threshold amounts.  An occasional transaction is a transaction that is not carried out as part of a business relationship. 

You must apply CDD measures if you carry out an occasional transaction that amounts to a transfer of funds (within the meaning of Article 3.9 of the funds transfer regulation) exceeding £800. This will only apply to MSBs. Where an MSB carries out an occasional transaction which is not a transfer of funds e.g. currency exchange, the threshold is £12,000 as set out below. For more information and information on cash payments see the sector specific guidance for MSBs in Part 2.

There are also requirements for other relevant businesses to apply CDD when carrying out an occasional transaction from a certain amount.

The threshold amount over which you must apply CDD for occasional transactions differs depending on the activity that is carried out as follows:

  • ASPs - £15,000
  • AMPs - £10,000

  • EABs - £15,000 (but note that transactions involving EABs will usually constitute a business relationship – see part 2).
  • HVDs - £10,000 (cash transactions only).
  • LABs - £10,000 (monthly rent).
  • MSBs - £12,000 (or exceeding £800 if this transaction amounts to a transfer of funds).
  • TCSP - Provision of a TCSP service will never be an occasional transaction. It will always constitute a business relationship so CDD must be applied to all customers. 

Please note – the occasional transaction threshold may be reached in a single operation or in several operations which appear to be linked (i.e. linked transactions).e.g.  if a customer purchases two paintings for £5,000 each on the same day from the same AMP then CDD must be applied as this constitutes a linked transaction.

For sector-specific guidance around CDD and occasional and linked transactions see Part 2 sector specific guidance.

 

13.8 Extent of due diligence measures

The extent of due diligence which you apply over and above the mandatory CDD requirements set out above, depends on the degree of risk associated with the type of customer, business relationship, product, or transaction. It goes beyond simply carrying out identity checks to understanding who you’re dealing with and why. This is because even people you already know well may become involved in illegal activity at some time, for example if their personal circumstances change or they face some new financial pressure.

Using your risk assessment, you should determine the extent of due diligence, including the level of identification, verification, and ongoing monitoring that’s necessary, depending on the risk you assessed. The types of checks you undertake will differ for each customer, as the risks associated with them will vary. 

You must be able to demonstrate to HMRC in writing, within your risk assessment and policies, controls and procedures, that the extent of the CDD measures you take are appropriate to the risk of money laundering, terrorist financing and proliferation financing for your business. 

See Part 2 sector-specific guidance for more information about your regulated sector.