Welcome to the How to Comply with the AML/CTF Act Series!
If you haven’t been introduced to the series, check out this post:
What does it mean to know your customer?
In summary, your AML/CTF program will provide you with a toolkit and framework for identifying the ML/TF risks to your business, and for establishing and documenting policies, procedures and controls to mitigate and manage these risks. In particular, Part B of your AML/CTF obligations consists of establishing a framework for identifying customers and beneficial owners of customers, so that as a reporting entity you can be reasonably satisfied a customer is who they claim to be. This includes collecting and verifying information provided by your customer before providing them with a financial service.
The bronID identity suite will change the way you collect and share information for AML/CTF compliance. As a system, bronID has been tailored for the recent legislative changes and updates to the Australian AML/CTF Act, Consumer Data Right and GDPR to include privacy-preserving best practice with regard to data governance.
In this post, we will introduce you to Know Your Customer processes:
- Customer Due Diligence (CDD)
- Ready Reckoner and Safe Harbour
- Verification of Individuals (Know Your Customer - KYC)
- Verification of Entities (Know Your Business - KYB)
- Ongoing Customer Due Diligence (OCDD)
- Enhanced Customer Due Diligence (ECDD)
Customer Due Diligence
Customer Due Diligence (CDD) requires an established Part A of your AML/CTF program, so that you have a reference for policies and procedures when identifying the risk a customer poses to your business.
If you need to work on establishing Part A, see the previous post: “Conduct an AML/CTF risk assessment.”
When onboarding a new customer, it is essential that you determine the money laundering and terrorism financing risk posed by each customer, placing them into high, medium and low-risk buckets. This defines the next steps: whether you should proceed with a business relationship or transaction, the ongoing customer due diligence required, and whether you need to do enhanced customer due diligence.
- Collecting and verifying customer identification information against independent or government databases.
- Identifying and verifying the beneficial owners of a customer if it is an entity.
- Identifying whether a customer is a politically exposed person (PEP) and taking steps to establish the source of funds used during the business relationship or transaction.
- Ongoing customer due diligence and transaction monitoring.
- Obtaining information on the purpose and intended nature of the business relationship.
Low-Medium Risk Customers: Ready Reckoner & Safe Harbour
High-Risk Customers: Enhanced Customer Due Diligence
Ready Reckoner and Safe Harbour:
The ‘Ready Reckoner’ summarises the minimum customer information a reporting entity must collect and verify for low-risk customers of the following types:
- Individuals (including beneficial owners)
- Incorporated and unincorporated associations
- Registered cooperatives
- Government bodies
- Agents acting on behalf of a customer
If your new customer is categorised within the low-medium risk bucket, you may adopt ‘safe harbour’ procedures to verify their identity information. While the safe harbour procedure acts as a standard for identifying low-medium risk customers, it is not compulsory for reporting entities to adopt it.
More often than not, electronic-based safe harbour will be the primary method of verification for online services. Document-based safe harbour is also possible using the bronID identity suite, but it requires the user to upload images of their identity documents. This way a customer has a higher chance of verification using the ‘safe harbour’ procedure if any of the data is incorrect.
Verification of Individuals (Know Your Customer - KYC):
Electronic-based safe harbour procedure:
You should collect and verify the following information against at least two independent and reliable data sources:
- Full name
- Full residential address or date of birth, or both.
Document-based safe harbour procedure:
You should collect and verify identity data from identity documents. You should also verify that the document has not expired (other than a passport, which may be used if it expired within the preceding two years).
Full name and residential address or date of birth using:
- An original or certified copy of a primary photographic identification document.
Alternatively, full name and residential address or date of birth using both:
- An original or certified copy of a primary non-photographic identification document; and
- An original or certified copy of a secondary identification document
The bronID portal and mobile app facilitate electronic verification primarily, with the capability of a document-based safe harbour if required.
Verification of Entities (Know Your Business - KYB):
In June 2014, the AML/CTF Act obligations of reporting entities introduced the verification of the beneficiaries and directors of an entity who hold more than 25% of the company, as well as those individuals who exercise control over the business.
These obligations mean that Know Your Customer checks of individuals are intertwined with verifying a business for AML/CTF compliance.
bronID has the capacity for a company profile to be linked to each significant individual identity. For a business, this means identifying directors and beneficiaries can become a simple and straightforward task if the company has a bronID user.
Some entities can be verified using a Simple Verification procedure. The entities which fall within this group are set out below.
Simple company verification can apply in particular cases:
- Domestic listed public company
- A majority-owned subsidiary of a domestic listed public company
- Licensed and subject to the regulatory oversight of a Commonwealth, state or territory statutory regulator concerning its activities as a company.
Simple trust verification:
- A managed investment scheme registered by ASIC
- A managed investment scheme that is not registered by ASIC that:
  - Only has wholesale clients
  - Does not make small scale offerings
- Registered and subject to the regulatory oversight of a Commonwealth statutory regulator concerning its activities as a trust.
- A government superannuation fund established by legislation.
Simple verification for companies and trusts usually does not require beneficial ownership checks as this information is publicly monitored by regulators.
Ongoing Customer Due Diligence
Reporting entities are required to have in place appropriate systems and controls to determine whether and how additional customer information should be collected or verified on an ongoing basis, so that the information they hold stays up to date.
The decision to apply the OCDD process to a particular customer depends on the level of ML/TF risk. For example, customers who are high risk will require more information sharing to comply with OCDD.
Some OCDD practices are:
- Implementing a transaction monitoring program
- Enhanced customer due diligence program
Transaction Monitoring Program:
- Appropriate risk-based systems and controls to monitor the transactions of customers
- Identify transactions that are considered to be suspicious
- Capable of identifying complex, unusually large transactions and unusual patterns of transactions which have no apparent economic or visible lawful purpose.
Enhanced Customer Due Diligence
If a customer is high risk, simply performing an electronic or document ‘safe harbour’ verification is not sufficient for meeting your AML/CTF obligations; additional steps and procedures must be taken to serve these customers.
Since the changes to the AML/CTF Act in June 2014, an enhanced customer due diligence (ECDD) program must be included in the AML/CTF Program policies and procedures.
ECDD is the process of undertaking additional customer identification and verification measures in certain circumstances deemed to be high risk.
Your AML/CTF program details the procedures the reporting entity must take if:
- The customer is deemed high risk under its risk-based systems and controls
- The person is a PEP
- A suspicious matter reporting obligation arises
- One or more parties to a transaction are located in a prescribed foreign country.
Some measures you may choose to take if a customer needs ECDD:
- Seek further information
- More detailed analysis
- Verify or re-verify customer information
- Analysis and monitoring of transactions
- Senior Management approval
Using the bronID identity suite will allow you to meet a large proportion of your AML/CTF obligations, from performing KYC checks to enhanced and ongoing due diligence.
Next in the series, we will learn how to use the bronID platform to create and update the ML/TF risk profiles of your customers, explaining how bronID can dynamically update your customer’s risk profile to match the requirements dictated by your risk score and assessment.