Follow-up session on customer due diligence
Missed this event or want to watch it again?
AML/CFT Handbook – Appendix D2
Why do you still use source 8 Bribe Payers Index which hasn't been updated since 2011, where the Guernsey Financial Services Commission use TRACE Bribery Risk Matrix 2019?
Appendix D2 provides details of countries and territories (and also areas) that have been identified by reliable and independent third party sources as presenting higher risk in areas that will be relevant to an assessment of money laundering and financing of terrorism risks under normal CDD measures.
The sources used in the appendix are reviewed and updated on a regular basis, but there may be other useful sources that are not listed in Appendix D2.
In any case relevant persons are expected to exercise judgement in relation to how they interpret and use these sources and to reach their own conclusions on risk.
Is there any definition of a relevant connection to an Appendix D2 listed country or should we use the relevant connection to Appendix D1 as a guide?
Appendix D2 lists a number of countries and territories that are identified by reliable and independent external sources as presenting a higher risk. It is intended to assist in assessing country risk for AML/CFT purposes. The risk presented by a customer (or related party) with a connection to any particular country or territory will need to be assessed based on the particular circumstances.
Does the JFSC expect those relationships associated with source 1 and 2 in Appendix D2 to be subject to mandatory ECDD?
Just source 1 - as explained in the webinar
There are several countries that are on Appendix D2 which are on the FATF list alongside Cayman Islands e.g. Zimbabwe. Why did the JFSC take the decision to require supervisory notification in relation to exposure of Cayman only and not the other jurisdictions?
We understand that the potential exposure of Jersey relevant persons to Cayman entities and relationships was such that we required specific comfort that industry understood the implications of the listing and had put in place appropriate actions.
Do all relevant persons have to provide an action plan in relation to the Cayman source 2 listing, even if they deem that they do not have any remedial actions to take due to existing policies and procedures being robust and having not placed any reliance on obliged persons?
If no remediation is required, then no action plan is required.
Your supervisor may, however, wish to understand how you came to the conclusion that no action is required.
Does the change to Appendix D2 listed countries impact on exemptions under Article 18 or only Article 17?
The change applies to both Articles.
Expired documents
If you have a customer for whom you already hold CDD, this then expires and you seek to update this CDD, can you then use a selfie to support the expired CDD held?
As explained in the webinar – in normal circumstances, there is no obligation to renew expired documents.
See Handbook for regulated financial services businesses, section 4.3.2.
Although it's not necessary to automatically collect updated CDD when documents expire (e.g. when a certified passport expires), is it necessary to update the documents if the relevant person’s testing programme highlights the out of date documents? At what point after expiry would it become necessary to re-apply for updated CDD?
With higher risk relationships / individuals, when their ID expires, would enhanced measures not require, as a minimum, for an ID from the same country of issuance to be obtained?
Renewing expired documents is a suggested enhanced measure.
See Handbook for regulated financial services businesses section 7.3.
“Video verification”
Can you explain why the photo of the passport is not adequate rather than just saying that it is not within the safe harbour?
If we receive the KYC documents in question via email then the same documents are presented in the video call is this sufficient? The details of the presented documents are cross-checked live on the live video call.
The “safe harbours” are designed to indicate what may be considered “obtaining evidence of identity from a reliable and independent source”.
While safe harbours are not mandatory, they set a clear line in the sand that indicates our expectations. Any alternative method needs to be demonstrably as effective and robust as the safe harbours.
This will be difficult to demonstrate if the alternative method looks very similar to a safe harbour but lacks some of the key controls incorporated into the safe harbour.
Obtaining a photo of a passport (or viewing a passport in a video call) clearly does not incorporate the controls that are set out in the safe harbours.
Such methods would need further or alternative safeguards or controls to be considered equally effective.
Why can't a passport be accepted via a video call if the person is present in the video call, and the use of passport checker subscriptions can confirm the passport shown is valid?
This may be acceptable, depending on the particulars of the process.
Authentication of the document presented in the video call may be undertaken by the video software or “app” or as a separate process.
If the “passport checker” is an additional method of verification of the information presented in the video call, this may be as robust as an “app” with the verification built in.
There was mention a while back about the JFSC and industry working together on a centralised CDD database for common clients, has there been any progress on this matter?
A paper was published in July 2020- Exploring smart regulation: An assessment of the options for developing a shared KYC utility for the Jersey financial services sector.
In its proposed Digital Action Package the EU is proposing to set out in detail the processes/documentation needed for CDD/on boarding. Would the JFSC look favourably on adopting this material once it is published?
We will review any material or guidance produced and incorporate or implement as appropriate.
Delayed verification
So, the consideration of little risk of ML does not refer to the customer risk assessment i.e. the risk rating of the customer, but is a separate risk assessment specific to the delay of the verification of identity?
Correct – the assessment should be of the risk arising from the delay.
Utility bills
With the rise of fintech banks (Monzo, Revolut etc), if we do not have reasonable suspicion that a document has been tampered with. Does we still need to request a further utility bill to corroborate this information?
Where you have no suspicions as to the integrity and accuracy of the electronic statement, then no further corroboration would be required.
When verifying an electronic utility bill, would a second electronic bill be acceptable? Or even a non-certified second document?
The additional corroboration should be sufficient to give you comfort as to the accuracy of the information contained within the electronic statement.
A further, non-certified, electronic statement is unlikely to be sufficient.
Address verification
Where a client has more than one residential address that they split their time between, either in one jurisdiction or internationally, is it acceptable to hold and verify just one address or should verification be obtained for all of these addresses?
The “Principal residential address” is required.
This would normally be where the customer resides for the majority of time.
Whether a customer has, in fact, more than one principal address will depend on the individual circumstances. If so, each “principal” address should be obtained and verified.
Certification
I understood from your presentation that when using a digital signature as a 'wet copy' you referred to this being something like the 'authenticated signature' which I expect is the likes of a docusign envelope and not simply the attaching of a scanned or jpeg signature to the document - can you confirm this is correct
This is correct.
Electronic signature software is available that locks a certification into a pdf which cannot be tampered with. If implemented appropriately, this may be considered a “wet signature”, although the relevant person would need to be satisfied as to the reliability of the software.
If you have obtained correct hardcopy "wet ink" certified documents, can they be scanned and held electronically and the original certified documents destroyed?
Any records may be kept in a scanned form (see Handbook for regulated financial services businesses, section 10.1).
The record should indicate whether an original or certified copy was received and/or reviewed before being destroyed.
On Wednesday 10 March at 14:00, our Chief Adviser Financial Crime, Hamish Armstrong, will be joined by our International and Industry Engagement Co-ordinator, Caroline Morgan and one of our Supervision colleagues for a webinar on customer due diligence. This webinar builds on the information shared in our Covid-19 implications for customer due diligence webinar last year and is a direct response to requests from Industry to host more sessions. It also forms part of our focus on financial crime outreach and education as outlined in our business plan.
The webinar will cover:
- Use of technology in customer due diligence, including a reminder of good and bad practice
- Practical implications arising from the FATF listing process – what this means in relation to your customer due diligence processes and customer relationships
- An overview of our Q1 2021 thematic work which has a due diligence focus
You will have the chance to ask questions during the webinar and we will share a copy of the recording after it has taken place.