Following on from my article last week, I will continue on the subject of client profiling. It is an area of the AML CFT Act that is not well understood, in terms of both the obligations to conduct client risk profiling and the purpose and advantages that arise from establishing a client profile.
The AML CFT Act obligates ‘reporting entities’ (that is, those businesses that provide a captured activity) to conduct ‘customer due diligence’. These obligations can be found in Part 2, subpart 1 of the Act.
Customer due diligence can be summarised as verifying the identity of the client through independent and reliable sources and obtaining knowledge of the client’s nature and purpose of the business relationship.
Customer due diligence applies to the client, any beneficial owner of the client and any person acting on behalf of the client.
A ‘beneficial owner’ means any person who has effective control over the client or person on whose behalf the transaction or activity is conducted. An example of this ownership or control would be a board of directors of a company or trustees of a trust.
The purpose of customer profiling is to enable a reporting entity to have reasonable assurance the client is who they say they are and knowledge of the nature and purpose of the client’s business relationship.
Having this knowledge places the reporting entity in a better position to detect any unusual circumstances when monitoring the client’s account activity and any transactions undertaken. This monitoring is commonly referred to as ‘ongoing due diligence’.
3 LEVELS OF CUSTOMER DUE DILIGENCE
The Act sets out three levels of customer due diligence – (a) simplified, (b) standard and (c) enhanced.
As most law firms will have clients falling into the categories of standard and enhanced, for the purpose of this article I will disregard ‘simplified’.
When a client requires enhanced due diligence, there is the obligation to obtain and verify the source of wealth or source of funds. This is the primary difference between standard and enhanced.
The methods used to verify a client will reflect the underlying ML FT risk that the client presents. Therefore, the steps taken to verify the client are expected to be more robust when the ML FT risk is higher.
OBLIGATION TO UNDERTAKE A RISK PROFILE
As the legislation obligates legal professionals to have knowledge of a client’s ML FT risk, these professionals will need to apply a risk profile methodology for all clients receiving a captured activity. Captured activity is defined in section 5 as ‘designated non-financial business or profession’.
If the methodology results in all clients falling into the same risk level, then the legislative obligation under section 57(1)(c), namely ‘effectively’ complying with customer due diligence requirements, is unlikely to have been met.
For each level of customer due diligence (simplified, standard and enhanced), the Act sets out that verification is to be conducted “according to the level of risk involved”. This means that a business is required to understand the ML FT risks that the client presents.
Once ML FT risk profiling is concluded across all clients, the business can readily identify those clients requiring a higher frequency of monitoring of account activity and transactions being undertaken.
IDENTITY VERIFICATION OF EXISTING CLIENTS
Prior to 1 July 2018, law firms should have identified those clients that are receiving a service that is ‘active’.
When a legal service or provision is active or ongoing and the client type has a high-risk profile or is prescribed in the Act as requiring enhanced due diligence, such as a trust, then identity verification is required to be undertaken prior to carrying out any further activity for and on behalf of that client.
When an AML supervisor conducts a desktop analysis or site visit, they will expect to view tangible confirmation that the reporting entity has met its obligations of identifying higher risk clients. It is therefore important that the steps used to apply client profiling are documented in the programme and the methods relied on are recorded and maintained. Doing so will allow an independent third party, an auditor and an AML supervisor to easily decipher the process.
Author – Kerry Grass is an executive consultant for AML360 software. AML360 provides automated compliance solutions for small and medium sized businesses. Further information: aml360software.co.nz