In recent years there has been a radical increase in the importance of conducting customer due diligence, especially following cases involving renowned international and local financial institutions, small- and medium-sized enterprises and even individual subject persons who have incurred penalties following inspections from the relevant authorities.

Most of the penalties incurred were in relation to inadequacies in their measures and controls to identify and verify the ownership and control structure through independent and reliable checks, and mitigate any risks associated with them. 

Claire Galea Deguara, senior manager, risk and compliance, KSi Malta

Such shortfalls are breaches of AML/CFT obligations, and the Financial Intelligence Analysis Unit (FIAU) has been publishing administrative penalties, regardless of the amount involved and/or the measures imposed, to increase awareness among all stakeholders.

Who is a subject person?

The title ‘subject person’, which refers to any legal or natural person carrying out either relevant financial business or relevant activity, has continued to broaden in the past years. This includes auditors, real estate agents, notaries and company service providers among others.

A subject person is required to undertake customer due diligence measures when establishing business relations and when carrying out occasional transactions above the applicable designated thresholds. Ultimately, the subject persons’ obligations are: 1. deterrence; 2. detection; and 3. record-keeping.

These obligations are accomplished by obtaining customer due diligence, performing risk assessment and risk management, adopting a risk-based approach, reporting, record-keeping, conducting training and vetting of employees, and having internal controls.

In view of the above, it is important to identify whether the applicant requires a business relationship or an occasional transaction. A business relationship is based on three elements: the relationship is of a business, professional or commercial nature; it must have an element of duration; and one of the persons involved is a subject person. 

On the other hand, an occasional transaction is outside a business relationship, for example the provision of tax advice, the formation of a company or a single operation that exceeds the designated thresholds. 

Customer due diligence

The requirement for customer due diligence (CDD) measures, which should be clearly stated in the policies and procedures of the subject person, ensures that the following practices are in place.

1. Information and documentary phase:

• identify and verify the customer and their involved parties including the beneficial owner/s, based on documents, data or information obtained from reliable and independent sources and assess the information obtained;

• verify whether that person is the person he/she claims to be and whether a person is acting on their own behalf or on behalf of a third party (e.g. an agent);

• identify the purpose and intended nature of the business relationship or occasional transaction;

• carry out screening searches against sanctions, PEP status and any negative media coverage via appropriate risk management systems.

2. Risk assessment phase:

• establish the business and risk profile of the customer;

• establish whether the profile of a customer falls within the subject persons’ risk appetite (which should be clearly stated in the Customer Acceptance Policy). 

3. Decision and mitigation measures phase:

• decision to be taken on whether to accept or decline the prospective customer;

• clearly understand the customer’s profile to implement effective measures to mitigate the risks identified, and decide whether additional documentation is required (enhanced due diligence, EDD).

4. Ongoing monitoring phase:

• applicable if the customer is onboarded and a business relationship is established;

• data to be kept updated and transactions to be scrutinised throughout the course of the relationship;

• enable the subject person to identify transactions outside the customer profile that could lead to money laundering and financing of terrorism suspicions.

The identification and verification of a customer and their ownership and control structure need to be established before providing any services to the client. 

In case there is a third-party agent or an intermediary or an introducer, the subject person is obliged to perform the necessary due diligence to identify and verify this person. 

A subject person needs to hold an adequate number of resources in order to meet its AML/CFT obligations.

Subject persons may decide to rely on another subject person to fulfil the customer due diligence requirements, by means of a written agreement. However, the subject person placing reliance remains ultimately responsible for compliance obligations, and should still obtain:

1. the identification of the customer and their beneficial owner/s;

2. the purpose and intended nature of the business relationship or occasional transaction.

If the applicant at any stage is unable to comply with the subject person’s requirements, the latter should take the following actions:

1. not commence the business relationship or perform the transaction; or

2. terminate the business relationship, and/or

3. consider reporting to the FIAU if deemed necessary.

Deterrence from obligations and failing to comply with any lawful requirement, order or directive issued can result in criminal prosecution or administrative penalties or both. As already mentioned, administrative penalties are being published by the authority and may result in reputational risks.

The above provides a general overview of the process that customer due diligence involves. For more information on the subject or if you have any questions regarding due diligence procedures for your firm, send an e-mail to cdeguara@ksimalta.com.
