Customer due diligence

Customer due diligence (CDD) is a process of checks to help identify your client and make sure they are who they say they are. This guide introduces the different levels of CDD and when these need to be carried out.

You’re in a better position to identify potential money laundering if you know your client and understand the reasoning behind the instructions they give you.

CDD allows you and your firm to assess the money laundering and terrorism financing risks a client, and the work they wish you undertake, may expose you to.

There’s more information on CDD in chapter 4 of the Legal Sector Affinity Group's anti-money laundering (AML) guidance for the legal sector.

How to carry out customer due diligence

Under regulation 27 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) you must carry out CDD measures when:

  • establishing a business relationship
  • carrying out an occasional transaction that amounts to 15,000€ or more
  • you suspect money laundering or terrorist financing
  • you doubt the accuracy or adequacy of documents or information previously obtained for CDD

If you’re required to carry out CDD measures, you must:

  • verify your client’s identity based on a reliable independent source (such as a passport)
  • identify where there’s a beneficial owner who is not the client and take reasonable measures to verify their identity and to understand the ownership and control structure of a legal person, trust, company, foundation or similar legal arrangement
  • assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or transaction

The way you comply with the requirement to take CDD measures may differ from case to case.

Regulation 31 provides that if you cannot complete CDD you cannot establish a business relationship with a client.

Risk-based approach

You cannot avoid conducting CDD, but you can use a risk-based approach to determine the extent and quality of information required and the steps to be taken to meet the requirements.

Under regulation 28(12), when carrying out CDD you must reflect on:

  • the practice’s risk assessment required under regulation 18
  • your assessment of the level of risk arising in any case

When assessing the level of risk, factors you must take into account include:

  • purpose of a transaction or business relationship
  • size of the assets or of the transactions undertaken
  • regularity and duration of the business relationship

You also need to be able to demonstrate to the Solicitors Regulation Authority (SRA) that you’ve applied the AML requirements appropriately.

You may demonstrate your compliance to the SRA through:

  • documenting your risk analysis
  • having written policies for how to apply the AML requirements to a given risk profile
  • keeping notes of your decisions, particularly on cases which seem to pose a higher risk

Corporate bodies

Where your client is a corporate body, you must obtain and verify:

  • its name
  • its company number or other registration
  • the address of its registered office and, if different, its principal place of business

Unless the corporate body is a company listed on a regulated market, you must take reasonable measures to determine and verify:

  • the law it’s subject to
  • its constitution or other governing documents
  • the names of the board of directors (or equivalent management body) and the senior persons responsible for its operations

Corporate bodies (other than companies listed on a regulated market) are required under the MLR 2017 to provide you with the information outlined above when you enter into a transaction or form a business relationship with them. This should assist you in carrying out your CDD checks.

Ongoing monitoring and record keeping

Under regulation 28(11) you must carry out ongoing monitoring of business relationships. Ongoing monitoring is defined as:

  • scrutiny of transactions undertaken throughout the course of the relationship (including where necessary, the source of funds), to ensure that the transactions are consistent with your knowledge of the client, their business and the risk profile
  • undertaking reviews of existing records and keeping the documents, or information obtained for the purpose of applying CDD, up to date

When the business relationship or occasional transaction has ended, you must keep records of CDD documents and supporting evidence for five years.

After five years, you must delete personal data unless:

  • express consent is given to retain that data
  • your firm is required to retain the personal data, for example, for the purposes of court proceedings

You’ll need to amend your systems and procedures to make sure that, unless an exemption applies, such personal data is deleted.

Read more in section 4 of the anti-money laundering guidance for the legal sector.

Enhanced due diligence

As well as CDD measures, regulation 33(1) sets out a list of circumstances in which enhanced due diligence (EDD) measures must be applied. It includes any transaction or business relationship involving:

  • a person established in a high-risk third country
  • a politically exposed person (PEP) or a family member or known associate of a PEP
  • any other situation that presents a higher risk of money laundering or terrorist financing

Regulation 33(6) also sets out a list of factors that you must consider when assessing whether there’s a higher risk of money laundering present.

However, the presence of one or more of these factors does not automatically mean that it’s a higher risk situation.

Even where a client is not based in a high-risk third country you must still consider the individual money laundering and terrorist financing risks posed by that client and matter.

Under the MLR 2017, EDD measures must include, as a minimum: 

  • examining the background and purpose of the transaction
  • increasing your monitoring of the business relationship

Regulation 33(5) gives a non-exhaustive list of ways you can conduct EDD including:

  • seeking additional independent, reliable sources to verify information provided or made available to you
  • taking additional measures to better understand the background, ownership and financial situation of the customer, and other parties to the transaction
  • taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship
  • increasing the monitoring of the business relationship, including greater scrutiny of transactions

Additional material may include the use of e-verification either to confirm the validity of the passport provided or to see if the person has a credit or electoral history at the address they’ve provided.

High-risk third countries

The UK's high-risk third countries for anti-money laundering (AML) purposes are set out in the Financial Action Task Force's (FATF) lists on 'jurisdictions under increased monitoring' and 'high-risk jurisdictions subject to a call for action'.

Check the list of high-risk third countries

These countries are identified as having strategic deficiencies in their national AML and counter-financing of terrorism regimes that pose significant threats to the UK's financial system.

You must apply EDD measures in any transaction or business relationship with a person established in a high-risk third country.

When deciding whether it’s appropriate to apply EDD, consider geographic risk factors such as whether the country in which the client or transaction is based:

  • has deficient AML legislation
  • has high levels of acquisitive crime or corruption
  • is an offshore financial centre or tax haven
  • allows nominee shareholders to appear on the share certificate or register of owners

To effectively manage the money laundering risks that your firm faces, you should also:

  • be aware of which jurisdictions are on the list and the Office for Financial Sanctions Implementation sanctions list
  • be alert to unexpected instructions to undertake transactions relating to one of those jurisdictions which is outside of your normal practice
  • be alert to unexpected increases in instructions to undertake transactions relating to one of those jurisdictions or where the instructions are unusual given your understanding of normal practice in those jurisdictions
  • be alert to large asset transfers out of those jurisdictions
  • consider undertaking further due diligence checks if you are not sure who you’re dealing with and ask more questions about the source of funds and purpose of the transaction
  • have a process for checking clients against the sanctions lists where they have a connection with a jurisdiction which is on the sanctions lists

Politically exposed persons (PEPs)

A PEP is someone who's been appointed by a community institution, an international body, or a state, including the UK, to a high-profile position within the last 12 months.

Under AML regulations, the main aim of applying additional scrutiny to work involving PEPs is to mitigate the risk that the proceeds of bribery and corruption may be laundered, or assets otherwise stripped from their country.

Find out more about PEPs

Conducting due diligence on clients that you do not meet

The MLR 2017 states that not meeting a client in person poses a higher risk of money laundering.

You’re required to conduct EDD on these clients, because:

  • clients seeking to engage in criminal activity will often try to limit what you know about them and their transaction, and this may be easier to achieve if they do not meet you in person
  • when you meet a client, you have an opportunity to verify their identity against a photographic identification or to otherwise check the information you have for them is correct
  • if you have concerns about a transaction and ask the client questions face-to-face, you may be better able to assess whether they’re answering you honestly

Read more in section 4.12 of the anti-money laundering guidance for the legal sector

Simplified due diligence

Regulation 37 of the MLR 2017 allows you to carry out simplified due diligence (SDD) where you’re satisfied that the business relationship or transaction presents a low risk of money laundering or terrorist financing.

However, the presence of one or more of the factors in regulation 37(3) does not necessarily mean that a given situation is lower risk.

When assessing whether there’s a lower risk of money laundering or terrorist financing, you must consider whether the customer is:

  • a public administrator or a publicly owned enterprise
  • an individual resident in a geographical area of lower risk
  • a credit or financial institution which is subject to requirements in national legislation implementing the Fifth Directive and supervised for compliance with those requirements in accordance with the Fifth Directive
  • a company listed on a regulated market and the location of the regulated market

You must also consider the:

  • product, service, transaction or delivery channel risk factors – this includes whether the product or service is one of the insurance policies, pensions or electronic money products specified in regulation 37(3)(b)
  • geographical risk factors based on where the client is established and where it does business – for example, an EEA state or third country with effective systems to counter money laundering or terrorist financing, or with documented low levels of corruption or other criminal activity

Financial services firms are not required to apply CDD to the third-party beneficial owners of pooled accounts held by legal professionals, provided the:

  • information on the identity of the beneficial owners is available on request
  • financial services firm's business relationship with the holder of the pooled account presents a low degree of risk

Read more in section 4.11 of the anti-money laundering guidance for the legal sector

CDD costs

CDD costs can vary depending on the type of client and level of money laundering risk they pose. It can include:

  • identification and verification
  • source of funds checks

The SRA guidance is clear that firms can pass the costs of conducting CDD under the MLRs on to their clients.

However, the cost will need to be clearly stated in the firm’s terms and conditions.

It is important that clients are informed of and understand the cost in advance, as they will enable them to instruct an alternative firm if they do not agree with the cost.

E-verification costs

The SRA does not currently have separate guidance on passing the costs of e-verification systems to clients.

Firms need to make sure they bill correctly for e-verification. For example:

  • if e-verification costs £20 and the firm passes the cost directly on to the client, this is a disbursement
  • if e-verification costs £20 but the firm adds £15 for the time taken to review it and bills the client a lump sum of £35, this is a profit cost

The SRA highlighted that some firms have encountered issues with HM Revenue and Customs over how these costs are billed.

Communicating CDD costs to clients

AML regulation compliance costs should be identified to clients separately and be clear and transparent.

You should consider how best to do this in your firm.

Your client care letter could include information on proof of source of funds, such as:

“Under the Money Laundering Regulations 2017 and Proceeds of Crime Act 2022, all solicitors are under a statutory and regulatory duty to satisfy themselves about the source of funds in a transaction.

It is not sufficient for these purposes to be informed that funds are coming from a bank and rely on that information alone without further enquiry. We are required to make our own decision about the source of funds for a transaction, particularly where it is for a high-value property transaction.

As a starting point, we need to see a current bank statement showing the source of funds that will be used in the transaction and proof as to their origin (such as a copy of a completion statement from a solicitor who acted on a property sale or written confirmation from your accountant as to the source of funds)."

You may wish to set out information in your firm’s terms and conditions, on your website and in the initial client interview.

Consider the SRA’s price and service transparency requirements in making AML costs visible to the client before they engage your firm.

You may also wish to consider whether to hold off signing the client engagement letter until the checks are completed.

This is partly because it may suggest you have formed a business relationship without having completed AML checks, but also because you would have to go through the process of termination (which could be 30 days) if checks cannot be completed to your satisfaction.

You should take into account the number of checks that may need to be completed and consider whether you advise that cost can vary depending on the type of check.

If a cost is shown for a personal check, consider whether this is a ‘per person’ cost as in many engagements, there may be multiple persons to check.

Consider what your policy on reliance will be: how will you respond to a client who asks you to approach their former firm for CDD information.

Protect yourself and your firm from money laundering

Complete our online AML courses, led by a leading expert in risk management. Modules include:

Watch our partner Thirdfort's webinar on how to stay compliant

Call our AML helpline for support on issues such as due diligence, source of funds, sanctions and the high-risk jurisdictions list

Gain practical know-how with the Anti-money Laundering Toolkit (3rd edition)

Maximise your Law Society membership with My LS