Customer Due Diligence Checklist: FATF
December 21, 2020
Many Financial Intelligence Units worldwide use information from the Financial Action Task Force (FATF) to help build their rules-based plans for fighting financial crimes.
At the center of these best practices is often the FATF Recommendations, which have been reviewed and updated in close co-operation with the FATF-Style Regional Bodies (FSRBs) and the observer organizations including the International Monetary Fund, the World Bank and the United Nations.
The revisions to FATF standards over the years address new and emerging threats, clarify and strengthen many of the existing obligations, while maintaining the necessary stability and rigor in the Recommendations.
The FATF standards have also been revised to strengthen the requirements for higher risk situations, and to allow countries to take a more focused approach in areas where high risks remain or implementation could be enhanced.
Countries should identify, assess and understand the risks of money laundering and terrorist financing and then adopt appropriate measures to mitigate the risk. The risk-based approach allows countries to adopt a more flexible set of measures in order to target their resources more effectively and apply preventive measures in the most effective way.
Here is what FATF recommends surrounding customer due diligence.
Customer Due Diligence and Record Keeping
Financial institutions should be prohibited from keeping anonymous accounts or accounts in obviously fictitious names.
Financial institutions should be required to undertake customer due diligence (CDD) measures when:
- establishing business relations;
- carrying out occasional transactions: above the applicable designated threshold (USD/EUR 15,000);
- there is a suspicion of money laundering or terrorist financing; or
- the financial institution has doubts about the veracity or adequacy of previously obtained customer identification data.
- The principle that financial institutions should conduct CDD should be set out in law. Each country may determine how it imposes specific CDD obligations, through either law or enforceable means.
The CDD measures to be taken are as follows:
(a) Identifying the customer and verifying that customer’s identity using reliable, independent source documents, data or information.
(b) Identifying the beneficial owner, and taking reasonable measures to verify the identity of the beneficial owner, such that the financial institution is satisfied that it knows who the beneficial owner is. For legal persons and arrangements, this should include financial institutions understanding the ownership and control structure of the customer.
(c) Understanding and obtaining information on the purpose and intended nature of the business relationship.
(d) Conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, their business and risk profile, including, where necessary, the source of funds.
Financial institutions should be required to apply each of the CDD measures shown above, but should determine the extent of such measures using a risk-based approach
Verify identity before doing business
Financial institutions should be required to verify the identity of the customer and beneficial owner before or during the course of establishing a business relationship or conducting transactions for occasional customers.
Countries may permit financial institutions to complete the verification as soon as reasonably possible following the establishment of the relationship, where the money laundering and terrorist financing risks are effectively managed and where this is essential not to interrupt the normal conduct of business.
Where the financial institution is unable to comply with the applicable CDD requirements mentioned above, it should be required not to open the account, commence business relations or perform the transaction. Further, it should be required to terminate the business relationship and should consider making a suspicious transactions report in relation to the customer.
These requirements should apply to all new customers, although financial institutions should also apply this recommendation to existing customers on the basis of materiality and risk, and should conduct due diligence on such existing relationships at appropriate times.
Financial institutions should be required to maintain, for at least five years, all necessary records on transactions, both domestic and international, to enable them to comply swiftly with information requests from the competent authorities.
Such records must be sufficient to permit reconstruction of individual transactions, including the amounts and types of currency involved, in order to give evidence, if necessary, for prosecution of criminal activity.
Financial institutions should be required to keep all records obtained through CDD measures, account files and business correspondence, including the results of any analysis undertaken, for at least five years after the business relationship is ended, or after the date of the occasional transaction. This includes copies of licenses and passport information and other documentation.
Financial institutions should be required by law to maintain records on transactions and information obtained through the CDD measures. CDD information and the transaction records should be available to domestic competent authorities upon appropriate authority.
Politically exposed persons
Financial institutions should be required, in relation to foreign politically exposed persons (PEPs) to perform normal customer due diligence measures, including:
(a) have appropriate risk-management systems to determine whether the customer or the beneficial owner is a politically exposed person;
(b) obtain senior management approval for establishing (or continuing, for existing customers) such business relationships;
(c) take reasonable measures to establish the source of wealth and source of funds; and
(d) conduct enhanced ongoing monitoring of the business relationship.
Financial institutions should be required to take reasonable measures to determine whether a customer or beneficial owner is a domestic PEP or a person who is or has been entrusted with a prominent function by an international organization.
In cases of a higher risk business relationship with such persons, financial institutions should be required to apply the above measures. The requirements for all types of PEP should also apply to family members or close associates of such PEPs.
Financial institutions should be required, in relation to cross-border correspondent banking and other similar relationships, in addition to performing normal customer due diligence measures, to:
(a) gather sufficient information about a respondent institution to understand fully the nature of the respondent’s business and to determine from publicly available information the reputation of the institution and the quality of supervision, including whether it has been subject to a money laundering or terrorist financing investigation or regulatory action;
(b) assess the respondent institution’s AML/CFT controls;
(c) obtain approval from senior management before establishing new correspondent relationships;
(d) clearly understand the respective responsibilities of each institution; and
(e) with respect to “payable-through accounts,” be satisfied that the respondent bank has conducted CDD on the customers having direct access to accounts of the correspondent bank, and that it is able to provide relevant CDD information upon request to the correspondent bank.
Financial institutions should be prohibited from entering into, or continuing, a correspondent banking relationship with shell banks. Financial institutions should also be required to satisfy themselves that respondent institutions do not permit their accounts to be used by shell banks.
Money or value transfer services
Countries should take measures to ensure that natural or legal persons that provide money or value transfer services (MVTS) are licensed or registered, and subject to effective systems for monitoring and ensuring compliance with the relevant measures called for in the FATF recommendations.
Countries should take action to identify natural or legal persons that carry out MVTS without a license or registration, and to apply appropriate sanctions.
Any person working as an agent should also be licensed or registered by a competent authority, or the MVTS provider should maintain a current list of its agents accessible by competent authorities in the countries in which the MVTS provider and its agents operate.
Countries should take measures to ensure that MVTS providers that use agents include them in their AML/CFT programs and monitor them for compliance with these programs.
Countries and financial institutions should identify and assess the money laundering or terrorist financing risks that may arise in relation to
(a) the development of new products and new business practices, including new delivery mechanisms, and
(b) the use of new or developing technologies for both new and pre-existing products.
In the case of financial institutions, such a risk assessment should take place prior to the launch of the new products, business practices or the use of new or developing technologies.
They should respond appropriately to manage and mitigate those risks. To manage and mitigate the risks emerging from virtual assets, countries should ensure that virtual asset service providers are regulated for AML/CFT purposes, and licensed or registered and subject to effective systems for monitoring and ensuring compliance with the relevant measures called for in the FATF Recommendations.
Countries should ensure that financial institutions include required and accurate originator information, and required beneficiary information, on wire transfers and related messages, and that the information remains with the wire transfer or related message throughout the payment chain.
Countries should ensure that financial institutions monitor wire transfers to detect those that lack required originator and/or beneficiary information, and respond appropriately.
Countries should ensure that, in the context of processing wire transfers, financial institutions take freezing action and should prohibit conducting transactions with designated persons and entities, as per the obligations set out by the United Nations Security Council.
Reliance on third parties
Countries may permit financial institutions to rely on third parties to perform elements of the CDD measures if the criteria set out below are met.
Where such reliance is permitted, the ultimate responsibility for CDD measures remains with the financial institution relying on the third party.
The criteria that should be met are as follows:
(a) A financial institution relying upon a third party should immediately obtain the necessary information concerning elements of the CDD measures.
(b) Financial institutions should take adequate steps to satisfy themselves that copies of identification data and other relevant documentation relating to the CDD requirements will be made available from the third party upon request without delay.
(c) The financial institution should satisfy itself that the third party is regulated, supervised or monitored for, and has measures in place for compliance with, CDD and recordkeeping requirements.
(d) When determining in which countries the third party that meets the conditions can be based, countries should have regard to information available on the level of country risk.
When a financial institution relies on a third party that is part of the same financial group, and
- that group applies CDD and record-keeping requirements and
- where the effective implementation of those CDD and record-keeping requirements and AML/CFT programs is supervised at a group level by a competent authority, then relevant competent authorities may consider that the financial institution applies measures under (b) and (c) above through its group program, and may decide that (d) is not a necessary precondition to reliance when higher country risk is adequately mitigated by the group AML/CFT policies.
As you can see from the FATF recommendations, it is important to keep on top of customer activities. One of the key CDD measures is to identify the customer and verify that customer’s identity using reliable, independent source documents, data or information.
The ability to perform customer due diligence is an absolute necessity for organizations looking to comply with anti-money laundering (AML) regulations or for other reasons such as engaging with new suppliers.
With Alessa, your organization can also monitor every financial activity to get a holistic view of customer activities. The solution generates alerts for suspicious activity and sends them to the appropriate personnel for investigation and reporting.
If you need to investigate a customer in greater detail, we have the ability to do enhanced due diligence reports. Alessa now offers the ability to order EDD reports from Refinitiv directly from the application. This allows compliance teams to go beyond simply checking whether an entity is on a sanctions or a watch list and instead get detailed background information on individuals and businesses based on comprehensive research by the Refinitiv team.
The solution allows users to:
Eliminate unreliable and time-consuming internet checks
Simplify the EDD process
Save time and effort typically required for EDD
Integrates EDD risk indicators into the entity’s overall risk score
Alessa can help your organization keep track of your CDD and EDD measures to ensure you comply with this major pillar of AML compliance. To find out more about how Alessa can work for you, please contact us today.