The Money Laundering and Terrorist Financing Act (Wwft) requires financial institutions to carry out customer due diligence when entering into a business relationship. This wiki page explains what customer due diligence entails.
As a financial institution, you are required to conduct customer due diligence. This is to prevent money laundering and the financing of terrorism. Based on the customer due diligence process, you decide whether or not to accept a customer. Based on certain results, you are obliged to report to the supervisory authorities or the Dutch Financial Intelligence Unit (FIU).
Customer or client acceptance is the process you go through before entering into a business relationship with a customer. During customer acceptance, consideration must also be given to sanction regulations. Financial institutions are required under the Financial Supervision Act (Wft), the Wwft and the Sanctions Act 1977 to check whether the potential customer appears on sanction lists. If it is determined that this is indeed the case, the regulator must be notified, and the potential customer in question will be refused.
During the customer acceptance process, the following steps need to be completed. The depth of these steps depends on the risk of money laundering and terrorist financing.
First, you determine the identity of the client. You do this by requesting and documenting the identity information. Next, you determine that the stated identity matches the customer’s actual identity. This is also known as the know-your-client principle – or Know Your Customer (KYC).
Identification and verification must be carried out before the customer relationship is established.
If there is low risk of money laundering or terrorist financing, the law allows a financial institution to verify the identity of the customer (and the UBO) during the establishment of the business relationship. In this case, you verify the identity as soon as possible after the initial contact with the customer and no later than before the product or service is provided.
You also need to identify the natural person representing the customer and verify their identity. You must take reasonable steps to determine whether the natural person is acting on his or her own behalf or on behalf of others. For example, if there appears to be a straw man construction, this may warrant enhanced customer due diligence and even refusing to establish a relationship with the (potential) customer. A straw man is a person who acts under their own name but on behalf of someone else.
Establishing the identity of the parties involved can be done in various ways. Permitted means to verify the identity of natural persons are:
For a legal entity, you can request a Chamber of Commerce/Trade Register extract. You can also consult trusted third-party sources, such as registers like Graydon and Dun & Bradstreet.
The Wwft requires you to identify the Ultimate Beneficial Owner (UBO). This is always a natural person. You must take reasonable measures to verify the identity of the UBO. This means that the intensity with which you do this depends on the risk of money laundering and terrorist financing. For example, you can use a so-called UBO statement or Internet sources. You can also consult the UBO register for free.
You must be able to determine whether the client and/or the UBO is a “politically exposed person” (PEP). A PEP may be more susceptible to corruption.
This means you must screen the client and UBO against PEP lists. If a PEP is indeed identified, the institution must conduct enhanced customer due diligence and continuously monitor the customer. The tax authorities and the Ministries of Finance and Justice publish and maintain a list of politically exposed positions.
Sanction screening is also part of the client acceptance process. Sanction screening is often conducted simultaneously with screening against PEP lists. Where a true hit on a PEP list leads to enhanced due diligence, a true hit on a sanctions list leads to refusal of the potential client. In such a case, a report must also be made to the supervisory authorities.
If the (potential) customer is a legal entity, you must also gain insight into the ownership and control structure. You need to understand the (legitimate) structure and find it plausible.
1. Purpose and nature of the relationship: Based on the service being requested, you should be able to identify why it is desired and whether it is plausible.
2. Source of funds: In this step, you assess the legitimacy of the customer’s funds.
3. Initial risk classification: The assessment of the risk of money laundering and terrorist financing occurs at several points in the customer acceptance process. This is why a distinction is made between an initial risk classification and a final risk classification.
During the initial risk classification, it is determined which customer due diligence should be conducted. To support this assessment, many organisations use risk rating models and risk rating software to detect so-called red flags.
The risk factors of client, transaction, product/service are taken into account when deciding what form of customer due diligence should be conducted. You also consider the purpose of the relationship, financial exposure and the regularity or duration of the relationship. In any case, you should consider the risk factors listed in Appendices II and III to the Fourth Anti-Money Laundering Directive.
The term CDD is often used as a comprehensive term for customer due diligence, transaction monitoring, risk classification and sanction screening. The law distinguishes between:
Based on the information you have gathered in the previous steps, you choose which form of customer due diligence should be conducted.
To determine the extent to which customer due diligence measures should be applied, the financial institution assesses the risk of money laundering and the risk of terrorist financing.
If the risk is proven to be low, simplified customer due diligence measures are sufficient. This includes collecting sufficient data to determine whether simplified customer due diligence can be performed for a customer.
If there is a so-called normal risk, the institution conducts the normal customer due diligence, the components of which are listed above under the first paragraph.
If there is a higher risk of money laundering or terrorist financing, you must conduct enhanced customer due diligence. This may mean additional investigation into the origin of the assets of a client and the origin of funds involved in a transaction.
The final risk classification is made based on the outcomes of the relevant customer due diligence. It is often based on the professional judgment of the first line and any advice from the second line. Risk rating models and risk rating software mainly support the examination; the final risk classification ultimately depends on the complete customer due diligence.
The customer acceptance process can be completed after the customer due diligence has been conducted, and the customer risk has been adequately determined. The determined customer risk forms the basis for monitoring and review throughout the duration of the customer relationship.