In a report published by the UK’s Financial Conduct Authority (FCA) on the 21st of May 2021 concerning ‘common control failings identified in anti-money laundering frameworks’, one particular cause for concern pertained to Customer Due Diligence, in particular ‘Enhanced Due Diligence’ (EDD).
The report inter alia highlighted that ‘some firms’ approach to EDD is weak and does not always mitigate the risks posed by the [particular] customer’. In this connection, the report recommended that ‘firms must ensure that they apply EDD measures in all high-risk situations and can clearly evidence what work has been undertaken’.
The purpose of this article is to examine the principle of Enhanced Due Diligence whilst concurrently understanding its everyday use and application – particularly during on-boarding and/or monitoring of clients.
CDD requirements
The Maltese Prevention of Money Laundering and Funding of Terrorism Regulations (S.L. 373.01) mandate that ‘customer due diligence measures[1] shall be applied to all customers when 1) establishing a business relationship 2) carrying out an occasional transaction and/or 3) when the subject person has knowledge or suspicion of proceeds of criminal activity, money laundering or the funding of terrorism….’[2]
Furthermore, said CDD measures are, as per Regulation 7(1), to consist of
- the identification and verification of the customer.
- the identification and verification of the beneficial owner/s.
- obtaining information on the purpose and intended nature of the business relationship to enable the construction of a business/risk profile and
- conducting ongoing monitoring of the business relationship.
The aforementioned four measures form the bedrock of any sound Anti-Financial Crime Compliance Programme. In practice, subject persons normally formulate and define a standard level of CDD measures for normal risk clients (factoring in sector specific guidance) – wherein simplified due diligence (SDD) measures may be applied for those customers presenting a lower risk of ML/FT.
Enhanced Due Diligence.
The online AML Portal ‘ComplyAdvantage’ defines EDD as ‘the process of gathering data and information to verify the identity of clients, but with additional information required to mitigate the risk associated with the client.’ In simple terms, more information and documentation should be obtained in situations where the obligation to conduct due diligence presents a higher degree of ML/TF risk. (This requirement applies to both occasional transactions and/or business relationships).
The Wolfsberg Group also provides an interesting definition, in that EDD refers to ‘additional information collected as part of the client due diligence process or increased cautionary measures, such as ongoing monitoring of activity, applied on a risk-sensitive basis in any situation, which by its nature can present a higher risk of ML/TF’. The emphasis on ongoing monitoring, from a ‘Wolfsberg’ perspective, is crucial, particularly since its recommendations mostly relate to credit/financial institutions.
Insofar as distinguishing CDD from EDD is concerned, one of the best-known definitions is provided by the Financial Markets Authority (New Zealand), which, in its Enhanced Customer Due Diligence Guidelines, defines EDD as having ‘two core requirements over and above standard CDD’. These are (i) introducing increased or more sophisticated measures to obtain and verify customer details and their beneficial ownership structure, as per the level of risk involved, and (ii) the obligation to obtain and verify information relating to the source of wealth and source of funds of the customer, wherein reasonable steps must be taken depending on the risk involved.
This dual reasoning/rationale is also echoed by the UK’s Joint Money Laundering Steering Group (JMLSG) in its Part I Guidance Notes of 2020, wherein obtaining comprehensive CDD data/documentation on file (i) assists in both formulating the risk assessment process and managing all ML/TF risks effectively, whilst (ii) providing a basis for monitoring customer activity and transactions, thus increasing the likelihood that they will detect the use of their products and services for ML/TF.
All the above interpretations (as heterogeneous and interesting as they may be) can be interpreted and construed as necessitating that, insofar as EDD is concerned:
- additional data gathering & information is a must;
- such compilation of data should be requested as part of a subject person’s philosophy embracing ‘more cautionary/sophisticated measures’;
- all findings will assist practitioners in conducting more robust risk assessments.
Risk-Based Approach (RBA) and EDD measures.
In the FATF’s Guidance for a risk-based approach for TCSPs, the general principle of an RBA (risk-based approach, which in itself forms the cornerstone of AML/CFT guidance documents & legislation) is that, where there are ‘higher risks, enhanced measures should be taken to manage and mitigate those risks.’ Moreover, the ‘range, degree and frequency or intensity of preventive measures and controls conducted should be stronger in higher risk scenarios’. This is why a proper understanding of how and when to apply EDD is fundamental.
The extent of EDD measures.
The JMLSG also advises that ‘in practice, under a risk-based approach, it will not be appropriate for every service provider to know their customers equally well, regardless of the purpose, use or value of the product/service provided. Information demands need to be proportionate, appropriate and discriminating…. justifiable to customers.’ Therefore, merely requesting information for the sake of it (particularly when a client might not be able to disseminate such information) might not make sense, since the request should be proportionate and commensurate to the customer with whom the subject person seeks to establish either a business relationship or occasional transaction.
Risk manifestations necessitating EDD.
Having defined EDD (and established its scope & purpose), it would be worth delving into the scenarios wherein EDD is prescribed by law. Interestingly, the FMA (New Zealand) mandates that EDD measures should be considered whenever there is a ‘material change’ – i.e. an event, activity or situation that (e.g. mostly during monitoring) could change the level of ML/TF risk. ‘Such material change could include circumstances where the customer asks for new or higher-risk products’, or if a trust is introduced, or if the volume/size of the ‘customer’s activities or transactions may increase beyond what is reasonably expected…’
From a purely local (Maltese) perspective, Regulation 11 states that ‘in addition’ to the measures contemplated under Regulation 7 of the PMLFTR, EDD is to be applied (introduced):
- in relation to activities that are determined by the FIAU to represent a high risk of money laundering or funding of terrorism (primarily as identified by the National Risk Assessment)
- whenever the subject person, through a risk assessment, designates either the occasional transaction or business relationship as representing a high-risk of ML/FT
- within the context of correspondent relationships with institutions from countries other than EU Member States
- when dealing with Politically Exposed Persons (PEPs).
- when analysing transactions that are complex, large, conducted in an unusual pattern or have no apparent economic/lawful purpose and
- when dealing with non-reputable jurisdictions.
EDD measures in practice.
Whilst obtaining brief descriptions of a business activity in a low-risk scenario may be acceptable (provided that the nature and purpose is understood), in ‘High Risk’ cases, additional information would need to be requested. Conventionally, this is done by substantiating said findings with documentation and (where applicable) additional measures as defined by the FIAU’s Implementing Procedures. These may inter alia include carrying out additional searches (e.g. adverse media checks) and/or requesting source of funds and source of wealth information (to seek to ensure they do not constitute the proceeds of crime).
The FCA’s ‘Financial Crime Guide’, as part of its EDD recommendations, advises obtaining a ‘better understanding of the customer’s/BO’s reputation and/or role in public life and assessing how this affects the level of risk’. In New Zealand, the FMA also recommends distinguishing between a customer that has a higher risk profile but is not involved in ML/TF as opposed to a customer whose transactions or activities may be linked to ML/TF. Therefore, all situations should be judged on a case-by-case basis factoring in existing legislation.
The FIAU’s Implementing Procedures (IPs) are in fact very much risk averse insofar as PEPs are concerned. Regardless of whether a business relationship is low risk or not, whenever a subject person is dealing with a PEP, family member or close associate of a PEP, EDD measures must always apply. As per the PMLFTR, they must also include[1] 1) Senior Management Approval 2) taking adequate measures to establish SoF and SoW and 3) enhanced monitoring of such relationships.
Whilst in low-risk situations, verifying the identity of the client/beneficial owner may be permissible (depending on the Policies & Procedures), this is certainly a ‘no-go’ when dealing with business relationships posing a high risk – wherein all identification & verification requirements should be completed prior to formal engagement.
Similarly, in situations which pose a greater threat of ML/TF, requesting information as to the customer’s residential status, employment and salary details, and other sources of income/wealth (such as inheritance, property sale or disposal of assets) will evidently be crucial in deciding whether or not to accept the client. EDD measures could also include requesting, where appropriate, the first payment to be carried out through an account in the name of the BO/Company from a credit institution situated in the EU/EEA area.
The UK’s FCA stipulates that ‘establishing how the customer/BO acquired their wealth to be satisfied that it is legitimate’ is also crucial when applying EDD measures. Therefore, identifying (and substantiating) wealth is perhaps the biggest conundrum for all subject persons – particularly when dealing with complex structures or beneficial owners who are also high net-worth individuals. However, as highlighted by the JMLSG, ‘the availability and use of financial information held is important for reducing the additional costs of collecting customer due diligence information – and can help increase understanding of the risk associated with the business relationship.’
Furthermore, whilst in low-risk scenarios the timing & extent of on-going monitoring may be conducted every two or three years, in situations of ‘High Risk’, enhanced monitoring of the business relationship would need to be considered (either on an annual or bi-annual basis) depending on the initial Customer Risk Assessment (CRA). Contextually, another EDD measure in this regard is increasing the number and timing of controls applied (and/or selecting patterns of transactions as per risk triggers accordingly) – particularly when the obligation to conduct transaction monitoring arises.
Whilst ‘low risk scenarios’, for all intents and purposes, might be within the subject person’s Risk Appetite – this would certainly not be the case for all ‘high risk’ situations. Essentially, much will depend on the subject person’s Risk Tolerance framework and Customer Acceptance Policy. Whilst not directly related to EDD, when faced with a number of customers that are designated ‘High Risk’, it would also be advisable to either conduct a de-risking exercise or introduce a capping/threshold system – in order to mitigate the overall concentration risk posed by High-Risk clients.
Non-Reputable Jurisdictions.
EDD measures must also be applied whenever the subject person is dealing with natural/legal persons established in a non-reputable jurisdiction. Whilst EU/EEA jurisdictions might impose fewer obligations on the subject person (particularly insofar as risk is concerned), non-reputable connections will certainly require additional information – particularly in relation to source of funds, accounts through which funds are flowing, the extent of links with the non-reputable jurisdiction (is this related solely to citizenship and/or source of wealth, or are business activities also taking place in the country?) and/or requesting more documentation as to the nature & purpose.
Involvement of senior management.
In practice, it is also recommended not to rely exclusively on the subject person’s Policies and Procedures but also to discuss risk mitigation techniques with colleagues or Senior Management – particularly since each business case normally presents its own unique ML/TF threats. This is why obtaining Senior Management approval, within this context, is crucial – for the Board not only ‘owns’ the risk but should equally foster a culture of compliance.
So much so, that the FIAU’s Implementing Procedures (Part I) also mandate that the ‘subject person should have a clear policy on the escalation of decisions to senior management concerning the acceptance or continuation of high-risk business relationships.’
Conclusion
Inasmuch as all practitioners understand the meaning of ‘EDD’, its application and methodology remain very much at the discretion of the subject person. Much will depend on the AML/CFT Manual (P&Ps), which would be expected to contain a comprehensive description of how EDD measures are to be applied on a case-by-case basis. This should not detract from the fact that compliance officers will need to take a proactive approach and apply EDD whenever situations present a higher threat of ML/TF. To this end, relying solely on procedure might not be enough. Instinct and knowledge (as gained from ongoing research and training) will also prove critical in the fight against Money Laundering and Terrorism Financing.
Disclaimer: The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice.