MLR3C8300 - Compliance visit tests: Checking customer due diligence and ongoing monitoring

The customer due diligence (CDD) and enhanced due diligence (EDD) requirements is set out in section 7 of MLR8

The specific requirements for verification of identity and the appropriate risk-based standards of evidence are set out in Notice MLR 8 section 8 and Appendix 5

Ongoing monitoring is explained in section 9 of MLR 8

In summary,

CDD involves:

  • Verification of customers’ identity
  • Identification and verification of the identity of beneficial owners
  • Obtaining information on the purpose and intended nature of business relationships

EDD involves additional checks for higher-risk customers and situation, e.g:

  • Additional evidence and/or verification of customers’ identity
  • Source of funds checks
  • Enhanced ongoing monitoring

Ongoing monitoring of business relationships involves:

  • Scrutiny of transactions (including, where necessary, the source of funds) to ensure that they are consistent with the knowledge and expectations of the customer
  • Keeping information on the customer up to date

Businesses must be able to demonstrate that the extent of their customer due diligence measures and the ongoing monitoring of their business relationships are appropriate in view of the risks of money laundering and terrorist financing (Regulation 7(3)(b) and 8(3).

The basic principle is that the higher the risk, the more verification of identity and scrutiny of transactions is required in order to deter money laundering or terrorist financing activity, detect suspicious activity, and hold sufficient information to assist law enforcement in any subsequent investigations.

The MLR 2007 specifies certain higher-risk situations where diligence measures (EDD) and enhance ongoing monitoring must be applied, such as where the customer is not physically present for identification purposes. Businesses must be able to identify if and when they have customers who are “politically exposed persons”, i.e. they are in certain government positions overseas that could expose them to the risk of corruption.

To evaluate compliance in these areas officers will need to:

  • Check that CDD measures are applied when business relationships are established and occasional transaction carried out.
  • Judge whether the information that the business obtains about customers is sufficient to satisfactorily confirm the identity of customers and any beneficial owners and establish the purpose and intended nature of business relationships.
  • Check that EDD is carried out for higher-risk customers and transactions, e.g. where business relationships are established without seeing the customer face to face or occasional transactions carried out without seeing the customer face to face for ID verification purposes.
  • Check that transactions are scrutinised in a risk-sensitive way.
  • Confirm that the business recognises when there are reasonable grounds for suspicion of money laundering or terrorist financing.

Compliance officers should consider the following questions:

  • When is customer ID obtained?

  • What evidence of ID is obtained for:

    • Individuals
    • Companies or other legal entities
  • Does the business check the identity of the “beneficial owners”, i.e. shareholders of its business customers?
  • How does the business obtain information on the purpose and intended nature of a new business relationship, i.e. what questions do they ask a new business customer to determine where the money comes from and the intended type and level of transactions to be carried out?

This is necessary to assess the risk of money laundering and to trigger scrutiny of transactions if they subsequently differ significantly from original expectations

  • How are higher-risk customers and transactions monitored?
  • Are unusual transactions scrutinised in a meaningful way?
  • In what circumstances are source of funds enquiries made?
  • Has the business identified indicators of suspicious activity?
  • Does the business monitor patterns of transactions, e.g. peaks of activity in particular locations or at particular times?

Business sector specific sections will include more detailed guidance on assuring compliance with CDD, EDD and ongoing monitoring requirements in the contexts of the risks and business structures in each sector. These sections are currently being drafted and will be available shortly.