A RISK-BASED APPROACH TO CDD
A risk-based approach to CDD is one that takes a number of discrete steps in assessing the most effective and proportionate way to manage the money laundering and terrorist financing risks faced by a licenceholder.
The risk assessment of a particular customer will determine:
(a) the extent of identification information to be sought;
(b) any additional information that needs to be requested;
(c) how that information will be verified and for whom; and
(d) the extent to which the relationship will be monitored.
It will also help to guard against identity theft.
Care has to be exercised under a risk-based approach. Being identified as carrying a higher risk of money laundering or terrorist financing does not automatically mean that a customer is a money launderer or is financing terrorism. Similarly, identifying a customer as carrying a lower risk of money laundering or terrorist financing does not mean that the customer presents no risk at all.
There are five stages within a risk-based approach to CDD requirements.
3.2.1 Stage 1 - Collection of relevant information
CDD information comprises both identification and relationship information. To enable a customer profile to be prepared, licenceholders must collect relevant CDD information on the following, determining on a risk-sensitive basis how and how far this should be done:
(a) The customer;
(b) The beneficial ownership and control of the customer;
(c) The nature of the customer's business and the customer's economic circumstances;
(d) The anticipated relationship with the licenceholder; and
(e) The source of funds.
A customer will be one of the following:
(a) An individual.
(b) The trustee of an express trust or other similar legal arrangements where they are acting on behalf of these entities.
(c) A legal person - bodies corporate, foundations (including those established under the Foundations Act 2011), anstalts, partnerships, associations, or any similar bodies that can establish a permanent customer relationship with a licenceholder or otherwise own property.
Underlying principals of a customer are the individuals who ultimately own or control a relationship, and/or the individuals on whose behalf the relationship is being conducted. The individuals considered to be the underlying principals for each customer type are described in Sections 4.6 and 4.7 and mainly refer to legal arrangements such as trusts and legal persons such as companies.
The Isle of Man Government considers it vitally important for the international standing and economic well-being of the Island that it conforms to established international standards for combating money laundering and terrorist financing. The FATF Recommendations and the Basel CDD principles both state the importance of knowing the identity of the beneficial owner and/or underlying principals and of not operating anonymous accounts.
Except where specific circumstances allow, licenceholders must, in all cases, know the identity of underlying principals and/or beneficial owners at the outset of a business relationship. This is irrespective of the geographical origin of the client, or of any introducer or fiduciary, or of the complexity of a legal structure.
As per paragraph 25 of the Codes, licenceholders must not keep anonymous accounts or accounts in fictitious names for any new or existing customer.
Where numbered accounts exist, licenceholders must maintain them in such a way that full compliance can be achieved with the Codes, the Rule Book and this Handbook. Licenceholders must properly identify and verify the identity of the customer in accordance with the Handbook.
In all cases, whether the relationship involves numbered accounts or not, the customer identification and verification records should be available to the Compliance Officer, MLRO, other appropriate staff and competent authorities.
220.127.116.11 Profiling customers
Certain types of product or service may provide an opportunity to build generic templates that predict expected patterns of activity. More complex products or services will require individual customer profiles.
It is important that customer profiles are kept up to date to reflect changing circumstances (see Section 5).
The customer profile must contain sufficient information on the rationale for the relationship and the nature of the business that the customer expects to undertake in order for a licenceholder to be able to:
(a) predict a pattern of expected business activity within each customer relationship; and
(b) identify unusual complex or higher risk activity that may indicate money laundering or terrorist financing.
Identification information and the relationship information to be collected for each of the above customer types are described in the following Sections.
The following situations 1 to 4 will apply to all licenceholders:
Situation 1: Where the customer is a natural person
(a) Obtain identification information on the natural person.
Situation 2: Where the customer is a legal person
(a) Obtain identification information on the legal person.
(b) Obtain identification information on the underlying principals i.e. persons exercising control over the management of the legal person, any person(s) having power to direct the activities of the legal person. This will include directors and account signatories or persons in equivalent roles such as, in respect of foundations, council members, enforcer(s), person(s) appointed under the foundation rules (or equivalent in non-Isle of Man established foundations).
(c) Obtain identification information on any person(s) purporting to act on behalf of the legal person or by whom binding obligations may be imposed on the legal person. This will include persons holding powers of attorney.
(d) Obtain identification information on the beneficial owners i.e. any individual who ultimately owns or controls the customer, or on whose behalf a transaction or activity is being conducted. For legal persons not listed on a recognised stock exchange, this includes (but is not restricted to) any individual who ultimately owns or controls (whether directly or indirectly) 25% or more of the shares or voting rights in the legal person. For all legal persons this includes any individual who otherwise exercises control over the management of the legal person e.g. persons with less than 25% of the shares or voting rights but who nevertheless hold a controlling interest.
For a stock exchange to be considered as "recognised" the entities listed on it must be subject to appropriate disclosure requirements. For entities listed within Europe, this means regulated markets within the meaning of the Directive on Markets in Financial Instruments 2004/39/EC. For entities listed outside Europe, this means regulated markets subject to disclosure requirements consistent with the aforementioned Directive.
For example, in the context of the London Stock Exchange, this would include the Main Market but would not include the Alternative Investment Market.
(e) In respect of foundations, which are legal persons but which resemble trusts in many ways, licenceholders must also obtain identification information on the registered agent, founder(s), dedicator(s), assignee(s), all known beneficiaries and potential beneficiaries presenting a higher risk (or equivalent in non-Isle of Man established foundations). It is also necessary to obtain identification information on any other person(s) with a sufficient interest, including a person who in the view of the High Court, can reasonably claim to speak on behalf of an object or purpose of the foundation and a person who the High Court determines to be a person with a sufficient interest under section 51(3) of the Foundations Act 2011 (or equivalent in non-Isle of Man established foundations).
Situation 3: Where the customer is a trustee of an express trust
(a) Obtain identification information on the customer i.e. the trustee(s) or other persons controlling the applicant.
(b) Obtain identification information on the trust.
(c) Obtain identification information on the underlying principals i.e. the settlor(s) or other persons by whom the arrangement is made, protector(s), any other person having power to direct the activities of the applicant, any person(s) whose wishes the trustee may be expected to take into account, known beneficiaries and potential beneficiaries presenting a higher risk.
(d) Obtain identification information on any person(s) purporting to act on behalf of the trustee(s) or by whom binding obligations may be imposed on the trustee(s).
Situation 4: Where the customer is acting other than as principal (except as trustee)
(a) Obtain identification information on the customer.
(b) Obtain identification information on the underlying principals (natural person, legal person or trustee of an express trust) on whose behalf the applicant is acting.
(c) Obtain information concerning the relationship between the customer and the underlying principals.
In all of the above situations, relationship information must be obtained (for express trusts, the relationship information to be obtained is on the express trust). Relationship information to be collected is outlined at Section 3.3.
The identification information that must be collected in respect of each type of customer is contained in Section 4.
3.2.2 Stage 2 - Assess and evaluate relevant information
On the basis of the information collected at Stage 1, or on the basis of the nature of the relationship, licenceholders must evaluate the information against the risk areas identified by the risk assessment required by Paragraph 3 of the Codes. Consideration must then be given to whether it is appropriate to collect further information on the applicant for business, on any underlying principals and on the relationship to be established.
In respect of any proposed relationship, licenceholders must always ensure they understand:
(a) why an applicant for business has requested a particular product or service;
(b) details of any existing relationships with the licenceholder;
(c) the nature and frequency of the customer's expected activity paying due regard to any linked accounts or other activity;
(d) the ownership and control structure of legal persons and arrangements.
- For legal persons this would include identifying the underlying principals, beneficial owners etc as outlined at Section 18.104.22.168;
- For legal arrangements this would include identifying the Settlor or other person by whom the arrangement is made, the Trustee or other person(s) controlling the applicant, any other person whose wishes the trustee may be expected to take into account and the beneficiaries;
(e) the various relationships between signatories and underlying principals;
(f) the nature of a customer's business activities or occupation;
(g) the source of the funds for the product or transaction in question; and
(h) where relevant, the source of income or wealth of the customer (see Section 3.4).
For many simple retail savings or investment products, the reasons for a relationship may be self-evident. However, for more complex products, e.g. corporate accounts, private banking accounts, investment banking, fund management and discretionary trusts and corporate services, they may not be. Not all customers, products or services carry the same money laundering and terrorist financing risk and a risk-based and proportionate approach should be adopted in determining the amount of CDD information required in each case.
The following suggested risk factors are not meant to be exhaustive.
Residence in or connection with high risk countries for example:
(a) those that have been classified by the FATF as non-cooperative countries or territories;
(b) countries whose senior political or public figures are included on an internationally recognised sanctions list;
(c) those with inadequate safeguards in place against money laundering or terrorist financing including those jurisdictions listed in Appendices G(a) and G(b);
(d) countries with high levels of organised crime or which are vulnerable to corruption;
(e) those countries that are believed to have strong links to terrorist activities.
In assessing country risk, regard should be given to data available from bodies such as the IMF, FATF, US Department of State (International Narcotics Control Strategy Report) and US Treasury (OFAC).
(a) Type of customer. E.g. a politically exposed person, a high net worth individual, or a non-quoted legal person will potentially present a higher risk.
(b) Complexity of the relationship, including unexplained use of corporate structures and express trusts and the use of nominee and bearer shares.
(c) Delegation of authority (e.g. power of attorney, mixed boards and representative offices).
(d) Request to use numbered accounts.
(e) Request to use "hold mail" or mail/email forwarding facilities.
(f) The public profile of the customer or involvement with, or connection to, politically exposed persons.
(g) Any linked accounts or business partners.
(h) Value and frequency of cash transactions including a business that generates significant amounts of cash.
(i) Value of funds involved in the relationship.
(j) Nature, scope and location of business activities generating the funds/assets in a relationship, having regard to sensitive activities.
(k) Reputation of the customer. E.g. a well-known, reputable company with a long history in its industry and with abundant independent information about it and its beneficial owners and controllers is likely to present a lower risk.
(l) Behaviour of the customer. E.g. where there is no commercial rationale for a customer buying the products that he seeks, where there are requests for undue levels of secrecy, or where it appears that a relationship or transaction is being made unnecessarily complex.
(m) Express trusts: relationship of the known beneficiaries and potential beneficiaries to the settlor(s) (or equivalent in respect of foundations).
(n) Express trusts: the nature of classes of beneficiaries and classes within an expression of wishes for which it is not reasonable to identify specific persons within that class (e.g. a trust established for the benefit of all pupils within a specified school) (or equivalent in respect of foundations).
Product or service risk
(a) Ability to make payments to, or receive payments from, third parties.
(b) Ability to migrate from one product to another.
(c) Facilities for cash transactions within the product.
(d) Ability to pool underlying customers/funds.
(e) Ability to use hold mail or mail/email forwarding facilities.
(f) Ability to hold boxes, parcels or sealed envelopes in safe custody.
(a) Indirect relationship with the customer - use of introducers and pooled accounts.
(b) Non-face to face relationships - products or services delivered by post, telephone, internet etc.
(c) Availability for "straight-through" processing of customer transactions.
3.2.3 Stage 3 - Determine initial risk profile
On the basis of Stages 1 and 2, licenceholders must determine and record a risk profile for the relationship. This should show whether the customer is to be treated as standard risk or where additional CDD is required. It will determine which underlying principals' identity needs to be verified, how identity is to be verified and the ongoing CDD to be conducted throughout the course of the relationship. For higher risk relationships, enhanced CDD must be performed.
Licenceholders should consider whether inconsistencies between the CDD information obtained, specific information concerning source of funds or source of wealth, and the nature of transactions increase the customer's risk classification.
The risk profile should be reviewed and updated throughout the relationship.
3.2.4 Stage 4 - Verify the identity of the customer and any underlying principals
Licenceholders must satisfactorily verify the identity of the customer and the identity of any underlying principals.
Requirements for verifying identity are set out in Section 4.
3.2.5 Stage 5 - Conduct ongoing due diligence
Licenceholders should review the CDD information held in relation to all customers on a periodic basis, and for higher risk customers at least annually. The opening of a new account, purchase of a further product, or a meeting with the customer may provide an opportunity to confirm or update the information held in respect of that customer.
Further detailed guidance is contained in Section 5.
Procedures should ensure that up-to-date CDD information is readily accessible to the MLRO (and any designated person), and to the Commission and the FCU on request.