How can we carry out due diligence on clients remotely?
How can we carry out due diligence on clients remotely?
When we’re unable to conduct business face-to-face, being remote from one another makes Due Diligence much more difficult.
Whether we’re dealing with a well known client - or someone entirely new - our obligations introduce new challenges and changes to processes that impact not only our business but our customers' experience too.
We’ll cover how to deal with museums, Companies, Corporations, Trusts - or ‘entities’ - in another video.
Relevant regulations from HM Treasury’s approved guidance made available by the British Art Market Federation (BAMF) are included at the end of this transcript.
BAMF Guidance Document
At is most simplistic, the Due Diligence process can be broken down into 4 steps:
Request: We ask our client for information.
Verify: Establish identity.
Analyse: We assess the client relative to risk.
Store: The evidence and documentation supporting our decision is saved for 5 years.
Our due diligence process starts by requesting information from the client.
- Which must be from a reliable source independent of the customer e.g. Driving License.
- Documents should include a minimum of information.
- For example their full name, residential address and date of birth.
- What we receive must also help us verify identity, more on that shortly.
For now, let’s explore how this may affect you and your client.
- Asking for highly personal information may raise concerns about safety, security, storage and use...
- Regulation such as GDPR requires how and what you do with the information you collect is documented and easily accessible to customers.
- Sales teams will require guidance and process to ensure a consistent customer experience.
- Dealing with new or unknown clients without having met face-to-face makes accurate verification of identity difficult. Asking for a driving license alone will not be sufficient for verification.
- Have you decided how you are informing and educating your clients about these changes and is it clear to them what yours and their obligations are?
- Have you defined what you’re going to require to verify the identity of new and unknown clients?
- Is your sales team supported by a process and method to make it easy for them to nurture clients around the requesting of this information?
Now we must verify Identity.
Accurate verification of Identification is not only a requirement, it is the foundation upon which subsequent customer due diligence rests and therefore a vitally important step.
Verification can be achieved in a number of ways and in most instances, if you are dealing with well known, long-standing clients whom you have met in person, verification is satisfied by comparing your client to the likeness of the photograph and other information on the ID document that you know to be true e.g. Residential address.
The difficulty lies in instances where you have never met the customer and the relationship entirely remote. Indeed, remote fraud accounted for more than 84% of all fraud by type in the UK alone last year.
Remoteness not only makes verification more difficult, in addition - how you plan on receiving all this information has the potential to place your customers' information at risk from interception and theft.
So what are some of the challenges here?
- Cybercriminals routinely hack into email accounts and intercept invoices. Receiving ID documents and other sensitive material through a non-secure channel like email, puts your clients information at risk.
- While useful for helping you spot fraudulent documents, coverage for Electronic ID verification services isn’t International, nor do they help you confirm that the person submitting the ID document to you is the legitimate document owner. Consider criminals who present stolen cards, while the card is legitimate, the person presenting the card is not.
- While one of the most accurate ways to verify identity, credit checks are the most intrusive method. You do not have an obligation to carry out credit checks and if you do, you will have to inform your customers that you are carrying out these checks.
- Saving ID documents on mobile phones or in inboxes makes the information vulnerable to theft or data corruption, while inaccessible to other members of the team For example - accounts, client services or operations.
- Making it cumbersome or unsafe for your client to submit their information may be detrimental to the relationship and could delay the sale. Ideally we want to minimise the amount of work the client has to do.
- Teams must be confident in using multiple different document types to verify identity.
So how can we verify remote customers in an easy, unobtrusive way that meets the requirements?
- Have you determined how you’re going to receive documents securely outside email or mobile phones?
- Are you making it easy and secure for clients to share their information with you in a manner that is aligned with the customer experience you want to provide?
- Are you collecting at least two forms of proof of address from other regulated sectors e.g. Bank statement and utility bill?Is the information you receive, centralised and immediately available to other members of the team that might require access?
- Can the information be viewed on different devices and across multiple locations?
- Are teams regularly deleting any sensitive information from inboxes or their devices?
- Do you or your teams have access to guidance from the Home Office that may help them identify fraudulent identity documents?
How to detect basic forgeries in Identity Documents from the Home Office
As part of a risk-based approach, we will need to analyse the information from our customer, which should see you:
- Use a mixture of positive and negative information from a wide-range of data sources
- Assess whether or not there are any ‘red flags’.
- Determine if the client is Politically Exposed, is linked to a politically exposed person, is sanctioned or on any high-risk registers. Consider jurisdictional risk, or to which the client has links.
- Determine an appropriate course of action on a case-by-case basis. E.g. Carry out Enhanced Due Diligence.
- Ensure the Money Laundering Officer, or Deputy - in absence of the Officer - report any suspected suspicious activity identified by staff to the National Crime Agency and file a Suspicious Activity Report.
How does this affect you and your client?
- Accurately assessing risk using multiple sources of information, available via different services takes time to collate and everything needs to be thoroughly documented.
- Correctly identifying ‘Red Flags’ in a context where there has been no prior experience in compliance or customer risk makes judgement difficult across the business.
- When dealing with a high-risk country Enhanced Due Diligence will be required. Electing decisions to a senior member of the business removes autonomy from sales teams and creates a bottle-neck if there are large numbers of customers to analyse.
- Where there are Red Flags, or suspected ‘foul play’ you’re likely going to need to create an alibi which will be relayed to the client so as to avoid ‘Tipping Off’.
- Failing to file a Suspicious Activity Report with the National Crime Agency if Money-Laundering is suspected is a Criminal Offence.
- Where there are multiple members of a team - or a large number of clients to analyse, for example before an auction - the likelihood for ‘human error’ and incorrect judgement is much greater.
- Have you identified a wide-range of data sources that are dependable and independent of the client?
- Do you feel comfortable and confident in identifying any ‘Red Flags’ when analysing customer information?
- Do you have any risk-based rules and criteria available to help guide your decision making?
- Can you accurately identify if your client is a Politically Exposed Person, or is linked to someone from the political sphere?
- Is it easy for your team to see if the client is Sanctioned or on any High-Risk registers?
- Where there are multiple members of a team - or a large number of clients to analyse, for example before an auction - the likelihood for ‘human error’ and incorrect judgement is much greater.Are you able to assess country risk easily and are you aware which countries are considered higher risk than others and require Enhanced Due Diligence?
- If teams are analysing lots of client information do you have measures in place to ensure any ‘Red Flags’ are automatically elected to the Money Laundering Officer or Deputy to avoid human error?
- Should you identify suspected suspicious activity, do you have an ‘alibi’ and process documented to help you deal with the situation?
- Are you clear on how to file a Suspicious Activity Report with the National Crime Agency?
We must have systems in place to Store and make available ‘within specified timescales’:
- Documentation and all supporting evidence received for Customer Due Diligence.
- Details of transactions with clients over a 5 year period.Details on occasional transactions with clients over a 5 year period.
- A report indicating actions taken if you suspect any suspicious activity which can be shared with the National Crime Agency.
- A report indicating actions taken and information considered if you decide it is safe to proceed with the transaction which can be shared externally.
- Any evidence of Customer Due Diligence where you have relied on another business over a 5 year period.
How does this affect you and your client?
- Storing ID documents - physically or digitally - means you are responsible for the safety of the information and liable in the event it is stolen or compromised.
- Documenting and the creation of Customer Due Diligence reports requires organisation, on-going management and maintenance so that it is accurate, accessible to all members of a team and up-to-date.
- If information is saved locally on one computer, there is a possibility the information could become corrupted and is more vulnerable to theft or loss.
- Nominated officers should be regularly updated and aware of decisions and actions staff are taking when carrying out Customer Due Diligence.
- All documents, reports and evidence will need to be in a format that can be shared externally - and securely - as and when required.
- Do you have a secure, encrypted method of storage that is accessible to all members of staff that are dealing with clients?
- Have you defined a reporting process, what does this look like and how will it be delivered to your team?
- Is there a central, secure facility that offers nominated officers with an up-to-date picture of the businesses reporting?
- Do you have a process in place that will enable you to routinely - or automatically - back-up your reports and evidence of Due Diligence?
- Are you able to easily export or share reports and evidence of due diligence internally - or externally - through a secure channel?
File a Suspicious Activity Report with the National Crime Agency
A short tutorial exploring covering how we can carry out remote due diligence is available on the page below, for now however, here’re some recommendations to help when you’re carrying out due diligence remotely:
- Document where change will occur to make it easier for you and your team to get up to speed.
- Provide a secure, encrypted method to receive documents outside of email or text message.
- Be sure to collect two forms of proof of address from other regulated sectors to verify identity.
- Use guidance from the Home Office to help teams identify fraudulent ID documents.Centralise information so everyone has easy access.
- Familiarise yourself with ‘Red Flags’ and high-risk jurisdictions.
- Define risk-based criteria to help guide your decision making.
- Utilise governmental data to find out if someone is linked to, is Politically Exposed, on any sanctions or high-risk registers.
- Use a wide-range of ‘positive’ and ‘negative’ data sources to help in instances where Enhanced Due Diligence is required. Use an encrypted method of storage, do not store information on one computer locally and ensure regular back-ups are made.
- Ensure evidence of Due Diligence is easily shared and exported.
Guidance and Regulation
Relevant Regulations from British Art Market Federation to which this article applies:
Section 2 “...The changes introduced mean that from the 10 January 2020, Art Market Participants (AMPs) as defined in the regulations must:"
- Carry out customer due diligence measures on customers before they conclude a transaction
- Report suspicious transactions to the authoritiesKeep appropriate records of customer due diligence and of transactions
Section 63: “AMPs must maintain appropriate systems for retaining records and making records available when required within specified timescales. The following must be retained:"
- Copies of evidence obtained to satisfy CDD obligations and details of customer transactions for at least five years after the end of the business relationship
- Details of occasional transactions for at least five years from the date of the transaction
- Details of actions taken in respect of internal and external suspicion reports
- Details of information considered by the nominated officer in respect of an internal report, where the nominated officer does not make a suspicious activity report
- Copies of the evidence obtained if the AMP is relied on by another person to carry out CDD, for five years from the date that the other person’s relationship with the AMP ends
Regulation 18(4),(5),(6) Section 1.15. When identifying the risk associated with countries and geographic areas, AMP’s should consider the risk related to: the jurisdictions in which the customer (or beneficial owner) is based, or to which they have personal links…
Regulation 18(1),(2),(3) 1.2 [...] record appropriately what has been done, and why, and the steps taken to communicate the controls within the business.
Regulation 28 (2)(a)(b), 18 Section 5.30.
The Art Market Participant identifies a customer by obtaining a range of information about him. A customer’s identity must then be verified on the basis of documents or information obtained from a reliable source which is independent of the customer.
Regulation 28(2)(a)(b), 18. Section 5.31.
Evidence of identity can be obtained in a number of forms, In respect of individuals, much weight is placed on so-called ‘identity documents’, such as passports and photo card driving licenses, and these are often the easiest way of being reasonably satisfied as to someone’s identity.
Regulation 28(12) Section 5.33.
A person’s identity can be verified in different ways, for example by:
- Obtaining or viewing original documents and ensuring that they are valid and genuine, by comparing them to published, authoritative guidance that outlines security features (which protect against forgeries)
- Comparing the likeness of the person to the document (for example, photograph comparison or comparison of information)
- Conducting electronic verification through a scheme which properly establishes the customer’s identity, not just that the customer exists
- Obtaining information from another person in the regulated sector (for example, from a bank), that can be used in conjunction with other documents and information to prove a customer’s legitimacy over time, or to provide other positive or negative information.
Regulation 28(12) 5.55.
The AMP should obtain the following information: full name, residential address and date of birth” […] 5.56. “other evidence of identity may give the AMP reasonable confidence in the customer’s identity, although the AMP should weigh these against the risks involved.
Regulation 28(12) 5.37.
In their procedures, therefore, AMPs will in many situations need to be prepared to accept a range of documents, assessing the appropriateness of each according to the risk presented by the customer.
Regulation 28(12) 5.41.
Others accumulate corroborative information which in principle is separately available elsewhere.
Regulation 28(12) 5.42.
In using an electronic or digital source to verify a customer’s identity [...] The use of biometric information is one way of achieving the latter confirmation, as is the use of private information or codes that incontrovertibly link the potential customer (or beneficial owner) to the electronic/digital identity information.
Regulation 28(12) 5.45.
Positive information (relating to full name, current address, date of birth) can prove that an individual exists, but some can offer a higher degree of confidence than others. Some electronic sources or digital identity schemes specify criteria-driven levels of authentication that are established through the accumulation of specific pieces of identity information.
Regulation 28(12) 5.47.
Negative information includes lists of individuals known to have committed fraud, including identity fraud, and registers of deceased persons.
Regulation 28(12) 5.48.
For an electronic/digital check to provide satisfactory evidence of identity on its own, it must use data from multiple sources, and across time, or incorporate qualitative checks that assess the strength of the information supplied. An electronic check that accesses data from a single source (e.g., a single check against the Electoral Register), or at a single point in time, is not normally enough on its own to verify identity.
Regulation 35(3)(a) 5.164.
Individuals who have, or have had, a high political profile, or hold, or have held, public office, can pose a higher money laundering risk to AMPs. PEPs can pose a high money laundering risk because they may be able to abuse their position for private gain. Not all PEPs, however, pose the same money laundering risk;
There is a hierarchy depending on country of origin and rank, from higher tier officials to individuals with significant or absolute control over the levers, patronage and resources in a given area. This risk also extends to members of their immediate families and to known close associates. PEP status itself does not, of course, incriminate individuals or entities. It does, however, put the customer, or the beneficial owner, into a higher risk category. The level of risk associated with any PEP, family member or close associate (and the extent of EDD measures to be applied) must be considered on a case- by-case basis.
- Regulation 35(12)(b) 5.170;
- Regulation 35(12)(c) 5.171;
- Regulation 35(15) 5.173;
- Regulation 35(1), (5) 5.174;
- Regulation 35(3), (4) 5.179;
The nominated officer must make a report to the National Crime Agency (NCA) in respect of information that comes to them within the course of business where they know or suspect or have reasonable grounds for knowing or suspecting that a person is engaged in, or attempting, money laundering or terrorist financing – even if no transaction goes ahead.
Regulation 40 7.3.
AMPs must retain records concerning customer identification and transactions as evidence of the work they have undertaken in complying with their legal and regulatory obligations, as well as for use as evidence in any investigation conducted by law enforcement.
Regulation 21(8),(9) Section 3.17.
AMPs must establish and maintain systems which enable them to respond fully and rapidly to enquiries from financial investigators accredited under s3 of POCA
POCA ss 330, 331 Terrorism Act s 21A 6.1. All persons in the regulated sector (which includes AMPs) are required to make a report in respect of information that comes to them within the course of a business in the regulated sector:
- where they know or
- where they suspect or
- where they have reasonable grounds for knowing or suspecting that a person is engaged in, or attempting, money laundering or terrorist financing.
Regulation 28(12) 5.51.
In addition, a commercial organisation should have processes that allow the enquirer to capture and store the information they used to verify an identity.
Regulation 35(5)(b) Senior management approval 5.184.
Obtaining approval from senior management (see paragraph 5.174) for undertaking a transaction does not necessarily mean obtaining approval from the Board of directors (or equivalent body), but from a higher level of authority from the person seeking such approval. As risk dictates, AMPs should escalate decisions to more senior management levels.
Regulation 35(5)(b) 5.185.
The appropriate level of seniority for sign off should therefore be determined by the level of increased risk associated with the transaction; and the senior manager approving a PEP transaction should have sufficient seniority and oversight to take informed decisions on issues that directly impact the AMP’s risk profile, and not (solely) on the basis that the individual is a PEP. When considering whether to approve a PEP relationship, senior management should base their decision on the level of ML/TF risk the AMP would be exposed to if it entered into that transaction and how well equipped the AMP is to manage that risk effectively.
Regulation 39(7) 5.198.
For one AMP to rely on verification carried out by another AMP, the verification that the AMP being relied upon has carried out must have been based at least on the standard level of customer verification. It is not permissible to rely on the basis of simplified due diligence having been carried out, or any other exceptional form of verification. In order to judge whether to rely on another AMP, the relying AMP must know what CDD measures have been carried out.
- Regulation 39(7) 5.199;
- Regulation 39(7) 5.200;
- Regulation 39(7) 5.201;
- Regulation 39(7) 5.202;
- Regulation 39(7) 5.203;
- Regulation 39(3) 5.206;
An AMP’s policies and procedures must include [...] Ongoing monitoring activities
Regulation 40 7.3 AMPs must retain records concerning customer identification and transactions as evidence of the work they have undertaken in complying with their legal and regulatory obligations, as well as for use as evidence in any investigation conducted by law enforcement.
ArcartaPay (Arc-Pay Ltd) is registered with the Information Commissioner's Office (ICO), is an approved Service Provider by UK Trade Associations The British Antique Dealers Association (BADA) and LAPADA .
See Regulation 28(12) 5.50.
Nothing on this site constitutes legal advice or gives rise to a solicitor/client relationship. Specialist legal advice should be taken in relation to specific circumstances.
The contents of this site are for general information purposes only.
Whilst we endeavour to ensure that the information on this site is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.
We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this site or any material contained in it, or from any action or decision taken as a result of using this site or any such material.