ECSH63615 - Regulation 39 - Reliance



Category Heading 
Description 
The Law 
https://www.legislation.gov.uk/uksi/2017/692/regulation/39/made  
What it means
Regulation 39 sets out when Businesses may be able to rely on third parties to conduct customer due diligence measures. 
 
This is separate to a principal/agent relationship. 
Purpose 
The purpose of this Regulation is to allow Businesses the opportunity to rely on a third party to carry out customer due diligence measures. However, this does not excuse the Business from ensuring measures are conducted in line with customer due diligence requirements. 
Time Line 
Reliance is established in regulation 17 of MLR2007  
What to establish 
If the Business has used a third party to conduct customer due diligence measures on its behalf, and if so, why?

Reg 39(1), (3), (4) - Does the third party being relied upon meet the criteria outlined within Reg 39(3) (this would be another relevant person who is subject to the MLRs or equivalent in an EEA state), and not subject to those outlined in Reg 39(4). Also establish if the Business is aware that they are still liable if the customer due diligence (CDD) checks conducted are insufficient.  

Reg 39(2)(a) - Ensure the Business can, and has immediately obtained from the third party, the information needed to satisfy the requirements of Regs 28(2) - (6) & (10).  
(b) - Establish if there is an agreement in place between the Business and the third party so that the third party is aware of their responsibilities, and that they are being relied upon. As part of that arrangement, the Business must be able to obtain copies of all due diligence checks conducted on request, as the third party must retain the records. 

Reg 39 (5) - Establish if the third party is a branch or majority owned subsidiary and check the qualifying criteria of this Reg. 

Reg 39 (7) - Establish if the Business is completing CDD measures by the use of an agent or outsourcing company. If this is the case, this is not reliance; instead, the Business is doing its own CDD checks and again will be liable for failings. In this scenario, these procedures must be detailed in their RA and PCPs.  

How to test compliance and evidence to obtain 
Obtain any written agreements the business may have in place with a third party. Please note, there is no legal obligation to have this agreement in writing, however this would be best practice and it may be difficult for the business to evidence they have met this requirement without one.  

Review the business’s risk assessment and policies, controls and procedures. Establish if this reliance procedure has been addressed in these documents. If not, ask the business to explain the potential risks and procedures.  

Request a list of relevant customers/clients and risk analysis for each. Select a variety to sample test trying to ensure you cover different risk ratings. This will demonstrate if the third party has been made aware/followed the business's risking profiles.  

Obtain evidence of the customer due diligence measures conducted for the sample of customers/clients. Review the documents and ensure the third party has obtained enough to satisfy customer due diligence requirements (Regs 27-38). If they have not, the business remains liable for these failings.  

In general, it’s best practice to ascertain whether the business relies on a third party because it doesn’t know how to conduct measures on its own, which is a risk, or if they have a reason behind doing so that is understandable. This can be gauged by ensuring the business understands their risks and conducting the above checks. 

Scenario: 
A UK TCSP (A) supplies mail forwarding for another UK TCSP (B)’s client. The arrangement is between TCSPs (A) & (B). TCSP (A) does not undertake any CDD on TCSP (B)’s client, but relies upon TCSP (B) to undertake the appropriate level of CDD, as described in Regulation 28(2) to (6) and (10).  
 
An officer’s first consideration is whether TCSP (B) is in a high-risk jurisdiction. If yes, then the UK TCSP (A) cannot rely upon TCSP (B) and TCSP (A) must undertake its own CDD.  
 
During the course of the intervention, the officer asks to see the information to satisfy Regulation 28(2) to (6) and (10). TCSP (A), by virtue of Regulation 39(2)(a), must have information, such as some form of communication from TCSP (B) advising that it [TCSP (B)] has identified and verified its client. This information should have been supplied to TCSP (A) immediately by TCSP (B), when it obtained it from its client. If TCSP (A) cannot produce the information it has breached Regulation 39(2)(a).  
 
If the officer wants to see the actual documentation/data (e.g. passport, utility bill, etc.) which TCSP (A) has relied upon TCSP (B) taking to identify and verify its client (i.e. satisfy Regulation 28(2) to (6) and (10)), then the officer can ask TCSP (A) to contact TCSP (B) to immediately obtain the copies of any identification and verification data and any other relevant documentation and make those documents/data available to the officer, by the date the officer requests. If TCSP (A) cannot produce the documents/data then it has breached Regulation 39(2)(b)(i).  
 
If TCSP (B) has not retained the information/documents and/or data for TCSP (A) (for the normal period, as described in Regulation 40), then this would be a breach of Regulation 28(2)(b)(ii) on TCSP (A).  
 
It should also be noted that Reg 40(7) advises that if this business (TCSP (B)) is being relied upon by another business (TCSP (A)) to keep CDD then it (TCSP (B)) must, on request, immediately supply the information to the other business (TCSP (A)).
Best Practice 
Using an electronic software provider to conduct a business’s own CDD is not deemed reliance. This would form part of the business’s own CDD procedures and the business is responsible for evidencing that this procedure is enough to satisfy CDD requirements. 
AMP 
Art may change hands a number of times during a single transaction, and intermediaries also need to be supervised, therefore reliance agreements are likely with AMPs.  
ASP 
ASPs may rely on third parties to conduct customer due diligence checks where appropriate. This is separate to a subcontracting scenario (see section 5.3.33 of the CCAB guidance). ASPs can often not have appropriate customer due diligence measures in place. If they are a small local business, they may feel they already know their clients and do not need to conduct those checks. This is incorrect, they still need to undertake CDD. An example of this may be: 'I am an ASP Business who conducts a small amount of bookkeeping for my clients whom I've known for years. My clients have their own accountant who is separate to my business. The accountant is part of a big firm so they will have done customer due diligence.' This is a common scenario for a small ASP Business who deems their business insignificant for MLR purposes. In this scenario the business has no agreement with the larger firm to conduct measures on its behalf and just assumes this has been done. Therefore, the business hasn’t implemented customer due diligence measures of their own. This is not sufficient. Although the larger firm could very likely have conducted the relevant checks, they have only done so under their own business procedures and are not responsible for doing so on this business’s behalf. However, if this third party firm had an agreement in place to conduct the checks on behalf of the bookkeeper, and the bookkeeper was aware of what checks are carried out and when, this may be acceptable.  
EAB 
EABs may rely on third parties to conduct customer due diligence where appropriate. However, EABs are normally the first party involved in a transaction and therefore as CDD has to be conducted at the outset of the Business relationship, often they cannot rely on third parties.

You may come across an EAB who has not conducted CDD as they feel the solicitor/banks handling the customer's monies will do those checks. At this stage of the process, the business relationship has already commenced and therefore this is not sufficient to meet the requirements of the Regulations. The EAB may also not have entered into an agreement with the solicitors/banks to do this. 

LAB 

HVD 
HVDs don't generally rely on another supervised business to carry out CDD. They may employ the services of an independent Due Diligence company to carry out checks on its behalf, but this is not usually a reliance agreement. HVDs are often involved in businesses where some due diligence is required to ensure that it isn't entering into a fraudulent supply chain. This is to prevent revenue loss, not for AML/CTF purposes. These "due diligence packs" are often a standard set of emailed ID documents and are therefore not risk-based and are unlikely to confirm all of the risks identified under Regulation 18. Again, they are not reliance agreements under the MLRs. 
MSB 
Although not common in this sector, MSBs may rely on third parties to conduct their CDD measures. Again, all the same rules apply in that the Business remains responsible for risk assessing, monitoring and any failures in the measures.  

Often MSBs, however, have a principal/agent relationship. This is not the same as third party reliance as the agent is conducting Business under the principal Business' registration. They will be expected to follow the principal Business' RAs and PCPs, with the CDD documents being collated in the principal’s records.  

TCSP 
TCSPs are allowed to rely on third parties to complete CDD measures as long as the criteria are met as set out above. 
Further Reading 
Section 52 of the AMP Guidance 
Section 5.3.25 – 5.3.31 of the ASP Guidance 
Section 4.120 of the EAB Guidance 
Section 4.139 of the MSB Guidance 
Customer due diligence – Regulation 27 
Customer due diligence measures – Regulation 28 
Record-keeping – Regulation 40 
FATF Recommendation 17: Reliance on Third Parties:  
FAQs 
What do I do if a business is reluctant to provide information due to GDPR concerns? 
The Information Commissioner’s Office website sets out that businesses are permitted to share data with law enforcement authorities who are discharging their statutory law enforcement functions: https://ico.org.uk/for-organisations/data-sharing-information-hub/sharing-personal-data-with-law-enforcement-authorities/