Anti-money laundering - Responsibilities when verifying the status of new clients
Can you rely on third parties for money laundering compliance?
ACCA's Technical Advisory Service regularly receives calls from members who either subscribe to – or have received sales calls from – third party organisations that claim to provide a ‘one stop shop’ service for all their compliance needs.
Cold calling has increased as a result of the recent changes to the money laundering regulations (MLRs) effective from 26 June 2017. The question is can a third party provide an online service which absolves ACCA members from having to carry out any additional work on their clients? This is what some of the companies claim but unfortunately it is not true.
When a firm pays for these services effectively what they get for their money is an extra ‘layer of comfort’ about a new or existing client. Although companies vary, typically these services could include some/all of the following:
certain ID checks
certain due diligence checks
The issue is that the above – although useful to members – may not mean that their work has ended. So firms that rely totally on third party services run the risk of non-compliance with some of the MLRs and also ACCA's Rulebook.
To illustrate this let’s look at the existing ACCA Rulebook advice on customer due diligence:
Before any work is undertaken, the professional accountant shall verify the identity of the potential client by reliable and independent means. The professional accountant shall retain on their own files copies of such evidence. This will involve the following:
(a) where the client is an individual: by obtaining independent evidence of the client’s identity, such as a passport and proof of address;
(b) where the client is a company or other legal entity: by obtaining proof of incorporation; by establishing the primary business address and, where applicable, registered address; by establishing the structure, management and ownership of the company; and by establishing the identities of those persons instructing the professional accountant on behalf of the company and verifying that those persons are authorised to do so;
(c) in either case: by establishing the identity and address of any other individuals exercising ultimate control over the client and/or who will be the ultimate beneficiaries of the work or transactions to be carried out; and
(d) by establishing precisely what work or transaction is desired to be carried out and to what purpose.
If the professional accountant is unable to satisfy himself/herself as to the potential client’s identity, no work shall be undertaken.
Note that subject to any local legal requirement for a longer period of record retention, a professional accountant shall retain all client identification records for at least five years after the end of the client relationship. Records of all transactions and other work carried out, in a full audit trail form, shall be retained for at least five years after the conclusion of the transaction.
A third party could help with some of the above requirements but in many cases the above could all be carried out by the accounting firm. As part of the ‘know your client’ work the accountant would naturally want to visit the client (where possible) and gain a satisfactory knowledge of the business and how it works. Only by doing this would they be in a position to identify potentially suspicious transactions. So in this instance it would be difficult to see how a third party could provide the service.
Changes to the MLRs
You must still identify and verify the owner and the beneficial owner but the regulations state that you can’t rely solely on Companies House.
There are three key changes to the CDD requirements:
You must now also complete CDD where you only perform company formation services, even if that service is a one-off service for that client (s.4(2)).
You must also identify and verify the identity of a person purporting to act on behalf of your client.
You must obtain and verify the name of the body corporate, its registration number, its registered address and principal place of business. You must also take reasonable measures to determine and verify the law to which it is subject, its constitution (set out in governing documents) and the names of the board of directors and its senior management (s.28(3)).
Reliance on third parties (s.39)
If you place reliance on the CDD of a third party, or if a third party places reliance on your CDD, you need to be aware of the changes under the regulations.
If you are relying on a third party, you must obtain copies of all relevant documentation. You must also enter into a written arrangement that confirms that the firm being relied on will provide the relevant documentation immediately on request. In summary, for reliance on third parties for CDD:
written agreement is needed
the third party must retain documents and make them available within two working days of request by those relying.
If you choose to use online agencies to help with MLR compliance you must ensure that the agencies meet the above criteria. You should also be clear exactly what services are provided and what additional work you need to do. It appears unlikely that the use of an outside agency would mean that you would have to undertake no additional work, particularly client identification work.