Enhanced customer due diligence and monitoring (EDD) is required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) in any situation where there is a higher risk of money laundering or terrorist financing. It must also be carried out in certain prescribed situations. For example, where clients have unnecessarily complex or opaque business structures, the transactions are unusual or lack an obvious purpose, the client is not present, or the client is a politically exposed person (PEP). One other situation is where the business relationship or transaction is with a person established in a ‘high-risk third country’.
This begs the question: what are ‘high-risk third countries’?
What are the ‘high-risk third countries’?
High-risk third countries are identified by the European Commission under Directive 2016/849, which is in turn implemented in England and Wales by the MLR 2017. The list of high-risk third countries is updated regularly and was last updated on 6 March 2018.
Afghanistan, Bosnia and Herzegovina, Ethiopia, Guiana, Iraq, Iran, North Korea, Laos, Sri Lanka, Syria, Trinidad and Tobago, Tunisia, Uganda, Vanuatu and Yemen are currently listed as high-risk third countries. This means they have been found by the EU Commission to have strategic deficiencies in their anti-money laundering and counter-terrorism financing (AML/CTF) regimes. As referred to above, EDD is required in relation to all relationships or transactions involving countries on this list.
The Financial Action Task Force on Money Laundering (FATF) also publishes a list of countries three times a year in which deficiencies in the AML/CTF regimes have similarly have been identified and an action plan has been developed. Adaptations on the FATF list are not automatically incorporated into the EU list, so it may be prudent to check both lists if you have any concerns. FATF’s list was updated on 29 June 2018.
What does enhanced due diligence mean in practice?
The MLR 2017 does not generally prescribe specific steps to be taken in order to comply with EDD obligations. However, in addition to the normal customer due diligence (CDD) requirements under MLR 2017, such as obtaining identification documents, the following steps must be carried out and, crucially, their implementation and findings must be recorded in writing:
1. The transaction
As far as reasonably possible, examine the background, purpose and intended nature of the transaction. What has the client said about the purpose of the transaction? Have they been candid and forthright about all aspects of the transaction? What is the regularity and duration of the proposed activity: is it long term or an occasional transaction? Does the transaction fit with what the usual course of business conducted by the client? Are all the responsibilities of all parties in the relationship clear and documented?
Increase the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appear to be suspicious. Has the transaction altered from its original intended purpose or structure? If so, what is the rationale? Has the nature of the business relationship with the customer changed? Have payments been made in an unusual or unpredictable manner? Has a specific relationship manager been appointed to oversee the monitoring? Have all red flags been recorded?
The following may also be considered and, again, the findings must be recorded in writing:
3. The customer
Take additional measures to understand better the background, ownership and financial situation of the customer or other parties to the transaction. Have any beneficial owners of the customer (if it is a company) been identified and also verified using independent sources. Is it also possible to verify the source of funds or wealth in the customer and its owners? What is the source of funds for the particular transaction? Have searches been conducted (e.g. press, using a third party corporate intelligence provider) for any adverse reporting in respect of the customer or any of its owners? What third parties are involved in the transaction? What is their role? Are they providing any actual services of value?
4. The high-risk third country
Consider the involvement with the high-risk third country. If the transaction is taking place in, or is connected to, the country, why is this the case? Is there an obvious business reason for the involvement? What is the risk (if any) that the country is being used for tax evasion purposes (a predicate offence of money laundering). If the customer is connected to the country, what is the nature of that connection? If an individual, is he/she ordinarily resident there? Or is the connection more historic/tangential?
5. Seek additional independent, reliable sources to verify the information provided
Consider using a reliable independent source in order to verify information provided by or on behalf of the customer. Can any independent verification (e.g. a confirmatory certificate) be provided by another credit or financial institution subject to the MLR 2017 or other official body (e.g. the relevant tax authority)? Consider also instructing a third party corporate intelligence provider to produce a due diligence report and/or conducting deep dive searches in respect of particularly prominent risks or issues of concern.
The MLR 2017 also sets out particular EDD steps that must be considered when dealing with certain types of customer, namely credit institutions, financial institutions and PEPs.