Know Your Customer (KYC)
You must meet certain day-to-day responsibilities if your business is covered by the Money Laundering Regulations. These include carrying out customer due diligence’ measures to check that your customers are who they say they are. You must also put in place internal controls and monitoring systems. The nature of these controls will depend on the size and complexity of your business, including the number of customers you have and the number and type of products and services you provide.
Customer due diligence requirements
What customer due diligence is
Customer due diligence means taking steps to identify your customers and checking they are who they say they are. In practice this means obtaining a customer’s:
- name
- photograph on an official document which confirms their identity
- residential address or date of birth
The best way to do this is to ask for a government issued document like a passport, along with utility bills, bank statements and other official documents. Other sources of customer information include the electoral register and information held by credit reference agencies.
You also need to identify the ‘beneficial owner’ in certain situations. This may be because someone else is acting on behalf of another person in a particular transaction, or it may be because you need to establish the ownership structure of a company, partnership or trust.
As a general rule, the beneficial owner is the person who’s behind the customer and who owns or controls the customer. Or it’s the person on whose behalf a transaction or activity is carried out.
If you have doubts about a customer’s identity, you mustn’t continue to deal with them until you’re sure.
Beneficial owner
Entity that enjoys the possession and/or benefits of ownership (such as receipt of income) of a property even though its ownership is in the name of another entity (called a 'nominee' or 'registered owner'). Use of a nominee (who may be an agent, custodian, or a trustee) does not change the position regarding tax reporting and tax liability, and the beneficial-owner remains responsible. Also called actual owner.
When you need to apply customer due diligence measures
You must apply customer due diligence measures:
- when you establish a business relationship
- when you carry out an ‘occasional transaction’ worth €15,000 or more
- when you suspect money laundering or terrorist financing
- when you have doubts about a customer’s identification information that you obtained previously
- when it’s necessary for existing customers - for example if their circumstances change
Customer due diligence when you’re establishing a business relationship
A business relationship is one that you enter into with a customer where both of you expect that the relationship will be ongoing. It can be a formal or an informal arrangement.
When you establish a new business relationship you need to obtain information on:
- the purpose of the relationship
- the intended nature of the relationship - for example where funds will come from, the purpose of transactions, and so on
The type of information that you need to obtain may include:
- details of your customer’s business or employment
- the source and origin of funds that your customer will be using in the relationship
- copies of recent and current financial statements
- details of the relationships between signatories and any underlying beneficial owners
- the expected level and type of activity that will take place in your relationship
The changing circumstances of your customers
You need to keep up-to-date information on your customers so that you can:
- amend your risk assessment of a particular customer if their circumstances change
- carry out further due diligence measures if necessary
Changes of circumstance may include:
- a big change in the level or type of business activity
- a change in the ownership structure of a business
When to apply customer due diligence for occasional transactions
You must carry out customer due diligence measures when your business carries out occasional transactions. These are transactions where the value is €15,000 (or the equivalent in other currencies) or more, that aren’t carried out within an ongoing business relationship. This applies whether it’s a single transaction or linked transactions.
Linked transactions are individual transactions of less than €15,000 that have been deliberately broken down into separate, smaller transactions to avoid customer due diligence checks. Your business must have systems in place to detect potentially linked transactions.
Once a potentially linked transaction has been identified, you need to decide if it has been deliberately split. Some issues to consider are when:
- a number of transactions have been made by the same customer in a short period of time
- it’s possible that a number of customers have carried out transactions on behalf of the same person
- a number of customers have sent money transfers to the same person
You also have to carry out customer due diligence measures for occasional transactions that are worth less than €15,000 in certain circumstances. For example, you must do this when the nature of a transaction means that there’s a higher risk of money laundering.
When to carry out enhanced due diligence
In some situations you must carry out ‘enhanced due diligence’. These situations are:
- when the customer isn’t physically present when you carry out identification checks
- when you enter into a business relationship with a ‘politically exposed person’ - typically, a politically exposed person is an overseas member of parliament, a head of state or government or a government minister (note that a UK politician isn’t a politically exposed person)
- any other situation where there’s a higher risk of money laundering
The enhanced due diligence measures for customers who aren’t physically present and other higher risk situations are broadly the same and include:
- obtaining further information to establish the customer’s identity
- applying extra measures to check documents supplied by a credit or financial institution
- making sure that the first payment is made from an account that was opened with a credit institution in the customer’s name
- finding out where funds have come from and what the purpose of the transaction is (higher risk situations only)
The enhanced due diligence measures when you deal with a politically exposed person are:
- making sure that only senior management gives approval for a new business relationship
- taking adequate measures to establish where the person’s wealth and the funds involved in the business relationship come from
- carrying out stricter ongoing monitoring of the business relationship
Customer due diligence measures where your customer is another Money Service Business
You should seriously consider applying enhanced due diligence if your customer is a money transmitter or currency exchange office. This situation presents a higher risk of money laundering or terrorist financing because the money you receive will be a ‘bulk transfer’ representing a collection of underlying transactions placed with your customer. The extent of enhanced due diligence measures you apply should be based on the risk and circumstances of each case.
At the very least you must get the number of underlying transactions of each bulk transfer made to you by your customer. This information will allow you to check that the number and average value of transactions is consistent with the level of business you anticipated when you began your business relationship.
It will also give you an indication of risk, particularly where either the number of underlying transactions or the average transaction value is significantly above what you expected. In such cases you must establish and record why it’s different.
You must undertake checks if you consider there is a risk, to ensure that your customer is carrying out due diligence (and if a money transmitter is involved obtain ‘Complete Information on the Payer’). This will include checking the relevant records for specific transactions.
Transmissions to high risk countries and financial corridors
What a financial corridor is
A financial corridor is a term used in describing remittances to high risk jurisdictions that may be sent through other countries. For example, money for some high risk jurisdictions such as Pakistan can go through the United Arab Emirates (UAE) before being finally sent to Pakistan.
The UAE in this instance is being used as a financial corridor. Since the transactions from the Sweden to UAE, and then from UAE to Pakistan, would be treated as separate transactions, establishing the ultimate beneficiary of the transaction is made more difficult for Money Service Businesses in Sweden.
You should treat these transactions in the same way as transmissions to high risk jurisdictions. You are expected to check carefully to ensure you prevent any potential money laundering, since there is a risk that this process is being used to hide the identity of the ultimate beneficiary.
Enhanced due diligence checks on transmissions to high risk countries
It is not possible to provide businesses with a definitive list of ‘high risk’ jurisdictions which may be more likely to receive funds through a financial corridor as these will change frequently.
However, you should seriously consider enhanced due diligence where you establish that the ultimate beneficiary is based in a different region from the receiving Money Service Business if you operate with high risk jurisdictions, for example Pakistan.
You should do this by reviewing the countries where individuals or entities are based, as indicated by the sanctions list.
Checking transmissions to high risk jurisdictions likely to receive funds through a financial corridor
You should consider enhanced due diligence on transmissions to jurisdictions which you judge may be a risk and/or are more likely to receive funds through a financial corridor. You should do this especially where the transaction is:
- large
- claimed to be for charitable purpose
You should get details of the charity and carry out relevant checks to verify their charitable status when the transaction is for charitable purposes.
Internal controls and ongoing monitoring of your business
You must make sure that your business has adequate internal controls and monitoring systems. These should alert you and other relevant people in your business if criminals try to use your business for money laundering. Once you’ve been made aware of a potential threat, you can take steps to prevent it and report any suspicious activity.
Your controls should include:
- appointing a ‘nominated officer’ and making sure that employees know to report any suspicious activity to them
- identifying the responsibilities of senior managers and providing them with regular information on money laundering risks
- training relevant employees on their anti-money laundering responsibilities
- documenting your anti-money laundering policies and procedures
- introducing measures to make sure that the risk of money laundering is taken into account in the day-to-day running of your business
What a suspicious transaction or activity is
There are many reasons why you or one of your employees might become suspicious about a transaction or activity. Often it’s just because it’s something unusual for your business - perhaps a customer has tried to make an exceptionally large cash payment. Maybe the customer behaved strangely, or made unusual requests that didn’t seem to make sense. Perhaps the transaction they wanted to make just didn’t add up commercially.
You must look carefully at all unusual transactions to see if there’s anything suspicious about them.
Complete a policy statement for your business
A policy statement is a document that includes your anti-money laundering policy and the procedures your business will take to prevent money laundering. The document provides a framework for how your business will deal with the threat of money laundering.
You should name relevant individuals and set out their responsibilities. Even if your business is small, it’s a useful tool for focusing your mind and those of your employees, if you have them, to make them constantly aware of the risks.
What should a policy statement include?
The exact contents of your policy statement will depend on the nature of your business. But it’s likely to include:
- details of your approach to preventing money laundering, including named individuals and their responsibilities
- details of your procedures for identifying and verifying customers, and your customer due diligence measures and monitoring checks
- a commitment to training employees so they’re aware of their responsibilities
- a summary of the monitoring controls that are in place to make sure your policies and procedures are being carried out
- recognition of the importance of staff promptly reporting any suspicious activity to the nominated officer
Record keeping requirements
You need to keep a record of all customer due diligence measures that you carry out, including customer identification documents that you’ve obtained. By keeping comprehensive records you’ll be able to show that your business has complied with the Money Laundering Regulations. This is crucial to protect your business if there’s an investigation into one of your customers.
The types of record you keep may include:
- daily records of transactions
- receipts
- cheques
- paying-in books
- customer correspondence
The formats that you can keep your records in are:
- originals
- photocopies
- microfiche
- scanned
- computerised or electronic
You must keep your records for five years beginning from:
- the date a business relationship ends
- the date a transaction is completed
More detailed information
Feel free to download documents:
Anti money laundering guidance for company service providers