SDD - what does best practice look like?
Chris Hamblin, Editor, London, 30 July 2019
The most fundamental part of taking a 'best practice' approach to the application of 'simplified due diligence' is to realise that one size does not fit all. In this article, BDO continues its analysis of SDD with a collection of best practices that rest on industry and supervisory guidance, its own work as a 'skilled person' and the habits of its banking clients.
SDD is not a de facto exemption from standard CDD/KYC (customer due diligence/know your customer) measures. With this in mind, regulators expect every firm to assess risks before it applies simplified measures. The aim of that risk assessment ought to be twofold: first, to determine whether a prospective customer's financial crime risk profile allows for the use of SDD at all; and second, once SDD has been established as sufficient, to determine the extent of the simplified measures needed to manage the low levels of financial crime risk that the firm has identified.
Despite the abundance of guidelines and advisory texts such as the writings of the UK's Joint Money Laundering Steering Group (JMLSG) and the European Banking Authority (EBA, now in Paris because of Brexit), many firms still face problems in changing their old SDD-related habits and controls to fit the new regime.
Factors for assessing SDD
Under the new European Union regulatory regime, firms can no longer automatically apply simplified measures to a ‘pre-defined’ list of customers. They must be aware that customers cannot just meet pre-defined criteria in order to qualify for SDD. Gone are the days when firms could use SDD simply because their customer was a legal entity with securities listed on a recognised exchange. The EU now expects firms to gather information and conduct proportionate assessments of risk before deciding whether customers can qualify for SDD. By doing so, they must satisfy themselves that the underlying risks associated with customers or relationships are indeed low.
More often than not, firms with robust SDD arrangements are capable of undertaking comprehensive and equally robust enterprise-wide assessments of their money laundering and terrorist financing risks. Such assessments are likely to spot the products, services, transactions, customers and/or countries that are not risky from the perspective of financial crime. In this manner, firms can draw on the results of their enterprise-wide assessments when designing their SDD arrangements and controls.
In addition to determining whether the type of customer falls under any of the criteria set out in provisions 37(3)(a)&(b) of the UK's Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, each firm ought to consider the following factors when deciding whether a prospective relationship presents it with a low degree of risk and therefore whether the customer in question should qualify for SDD.
- The nature of the customer’s business or occupation.
- Whether the customer or individual has apparent substantial connections to highly risky jurisdictions.
- Whether substantial adverse publicity exists or whether anyone is worried about the customer’s or a beneficial owner’s reputation/integrity.
- Whether the customer presents a low level of risk but is seeking a product or service that poses a higher risk.
SDD measures
Firms are expected to use the results of their customer risk assessments to dictate the level and extent of checking and regular monitoring. By the same token, they must use the information that they have gained or used both to decide whether this-or-that customer qualifies for SDD and to decide on the appropriate level of SDD. A large number of firms apply a uniform level of simplified measures to all low-risk customers. By doing so, they may create slightly more efficient compliance processes which staff find easier to follow, but the regulator expects them to adjust the degree of checking that they do in a way that is proportionate to the lower risk with which they associated the customer at the outset. In applying "risk-proportionate SDD measures," firms are encouraged to
- vary the amount and type of information they require for the purpose of verification (e.g. when they rely on fewer documents to verify the existence of a customer or when they use public information for verification purposes);
- identify the beneficial owner(s) of a corporate customer without seeking additional information or documents to verify their identities;
- infer the purpose and nature of the proposed business relationship from the nature/type of both the client and the product or service that he is after;
- accept "due diligence" (background checking) information directly from the customer as opposed to an independent source; and
- hinge the amount of required CDD information on the activity of a particular product or transaction (e.g. by asking for documents that verify someone's identity once his transactions surpass a predefined threshold).
SDD and 'ongoing monitoring'
It is critical for firms to consider the implication of applying simplified measures on their ongoing monitoring responsibilities. SDD does not exempt firms from conducting reviews of the business relationship. Similar to the standard due diligence measures, each firm is expected to use the information that prompted it to assign a low level of risk to this-or-that customer to:
- ensure that it knows enough about the customer, the nature of the relationship and his expected account activity, the better to identify unusual or suspicious activity;
- calibrate the frequency of "CDD refreshes" and periodic reviews; and
- adjust the intensity and frequency of its transaction monitoring.
Whether or not a firm has a large number of customers who present it with lower risks and therefore qualify for SDD, it must always bear in mind that the application of SDD does not exempt a money laundering reporting officer from reporting suspicious activities to the police.