Introduction
The increased level of terrorist activity over the last 6 years, beginning with the September 11th atrocities in the US in 2001, is well known to us all, as are the subsequent actions and increased focus on prevention by Governments, Regulators and Law Enforcement agencies across the world.
In the UK, incremental legislative/regulatory action has been taken over this period in the shape of the Money Laundering Regulations of 2001 and 2003, which have implemented the requirements of the First and Second EC Money Laundering Directives.
Throughout this time the Joint Money Laundering Steering Group have been providing their interpretation of the Money Laundering Regulations in the form of Guidance which is designed to provide assistance to firms in achieving compliance with the Regulations.
Money Laundering Regulations 2007
The Third Money Laundering Directive, which incorporated the FATF Forty recommendations, was adopted into European law in late 2005. The deadline for incorporation/implementation into member states' law is 15th December 2007.
In January 2007, HM Treasury published a draft of the new Money Laundering Regulations, incorporating the provisions of the Third European Directive. Included within the draft is the decision to repeal the 2003 Regulations and to create a completely revised AML/CFT framework.
The final version of the 2007 Regulations was laid before Parliament on 25th July 2007, coming into force on 15th December 2007 in line with the implementation date of the Third European Money Laundering Directive.
Impact of 2007 Regulations on the JMLSG Guidance
The JMLSG Guidance has been updated to reflect the provisions of the new Regulations and the following represents a high level summary of the key areas of change:
- Mandatory adoption of the risk based approach (chapter 4).
- Customer due diligence (CDD) measures (chapter 5) to be applied
- Situations where simplified due diligence may be applied (5.4)
- Enhanced due diligence measures to be applied in high risk situations e.g. relationships with Politically Exposed Persons, Correspondent Banks (5.5) and non face to face customer take on.
- Introduction of specific guidance and requirements in respect of Politically Exposed Persons (5.5).
- The extent to which reliance can be placed on CDD/KYC undertaken by other firms (5.6)
- Monitoring customer relationships (5.7)
- New and revised definitions within the Glossary of Terms.
Relevant businesses and their responsibilities
The 2007 Regulations define ‘relevant persons’ i.e. those firms to whom the Regulations apply. These are:
- Credit institutions
- Financial institutions
- Auditors, insolvency practitioners, external accountants and tax advisors.
- Independent legal professionals
- Trust or company service providers
- Estate agents
- High Value Dealers
- Casinos
In order to prevent activities relating to money laundering and terrorist financing, Regulation 20 (1) dictates that a relevant person must establish and maintain appropriate and risk sensitive policies and procedures relating to:
- Customer due diligence measures and ongoing monitoring
- Reporting
- Record keeping
- Internal control
- Risk assessment and management
- The monitoring and management of compliance with, and the internal communication of, such policies and procedures.
The JMLSG Guidance is designed to assist firms with the implementation of these requirements be they large FSA regulated financial institutions or smaller firms of financial advisers. The JMLSG Guidance also provides the base for guidance prepared for other business sectors e.g. estate agents or casinos.
Customer due diligence
A key element of the Regulations is that firms need to undertake customer due diligence measures on the customer with whom the firm is establishing a relationship.
The prospective customer may be an individual, or a corporate or legal entity. Customer due diligence on a risk sensitive basis is required at the commencement of the relationship. Due diligence measures need to be undertaken on the actual customer and all principal beneficial owners and controllers. The firm also needs to maintain a level of confidence that the due diligence undertaken is relevant and up to date throughout the lifetime of the relationship.
Historically, undertaking customer due diligence has involved the individual providing documentary evidence e.g. a Passport and Utility Bill, which is then examined by a member of the firm's staff in order to establish that the documents are genuine and that they relate to the individual. Documents were produced to evidence the existence of the person and to prove their residence at a particular address. A copy of the evidence needed to be taken e.g. a photocopy, and stored away as part of the audit trail that can be recovered at some point in the future in order to recreate the identification evidence for compliance purposes.
There is nothing to suggest that the taking of documentary evidence of identity actually prevents impersonation fraud. Documents have been used historically because there was no real alternative. People like documents because there is something tangible that they can hold. However, it is very easy to obtain false and real documents fraudulently, and they are relatively cheap. It is difficult to train front line staff to identify such cases and the result has been to increase the time and cost of opening accounts and to inconvenience genuine customers. Clearly a more effective solution has been necessary.
Other options for achieving customer due diligence
Although the original solution was conceived around paper evidence, CDD requirements can be satisfied by other means, using electronic information. This method satisfies the risk based approach adopted by the FSA and this is reflected in the JMLSG Guidance as a valid alternative method to documentary evidence.
This solution must and does validate an identity (i.e. does John Smith exist?) by looking for evidence that John Smith exists at a particular address within the vast array of electronic data that Experian holds and determining the size of the 'electronic footprint' and assessing the level of confidence that the identity exists.
Having established a level of confidence that a person exists under that identity, it is important to establish that 'this is John Smith that you are dealing with' i.e. the identity needs to be verified. This is done by capturing, at the point of verification, information supplied by the individual that only the real 'John Smith' would know. This data is then compared to the same data that 'John Smith' has provided on previous occasions with a range of product and service providers. The level of inconsistencies in the data supplied on this occasion is used to determine the level of confidence that 'this is John Smith'.
Using the wide range of information available, an electronic solution can also identify a range of high risk conditions relating to the individual. For example, does the individual's name match a name on the sanctions data that contains known terrorists and politically exposed persons? Why is there a Royal Mail Re-direction Check flag on the individual's current address? It may be that a fraudster has put it there in order to intercept goods and services applied for in the name of the victim.
The use of an index - such as Experian's Authenticate - is included in the JMLSG guidance notes and can be customised to suit the needs of the organisation and the level of risk associated with that company's products and delivery channel.
This method is a reliable, consistent and cost effective solution for most organisations. Individuals that cannot be robustly confirmed can be identified for further, closer checks by operators, ensuring that only the most high risk cases are examined.
