‘Fire and forget’ is a military term used to describe a type of missile which does not require
further guidance after launch (such as illumination of the target or wire guidance), and can hit its target without the launcher being in line-of-sight of the target. It is also a term I regularly use to describe how some reporting entities (REs) are utilising customer due diligence (CDD) outsource providers.
In the AML/CFT context, I often see a RE simply ‘firing’ off their customer onboarding files
to a provider and ‘forgetting’ about them as long as they receive a positive confirmation (through a sign-off sheet or portal) that CDD was ‘OK’. In addition, many REs also seem to
(a) the risk associated with the accurate completion of CDD remains with the RE; and
(b) it is not as simple as engaging such a provider – the RE will need to consider
how the outsourcing fits into its overall AML/CFT risk profile and framework.
There has been an exponential uptake by REs in the use of third-party CDD outsource providers over the last two years. These third-party providers essentially undertake CDD on an RE's customers including determining beneficial ownership and, in some cases, undertaking enhanced CDD investigation.
I distinguish these providers from those which provide electronic identity verification (EIV) services being essentially access to relevant databases in order to assist entities in meeting the requirements of Part 3 of the Amended Identity Verification Code of Practice 2013 (Code of Practice).
This exponential uptake has been driven by a number of factors:
Such providers are a reasonably recent introduction to the market and there has been a pent-up demand for such services.
‘Phase 2’ REs – essentially lawyers, accountants, and real estate agents - have shown an appetite for such services, driven by the structures of these businesses.
COVID-19 lockdowns meant that REs that would have typically undertaken face-to-face verification were not able to use that method effectively so looked to alternatives.
Having had an opportunity to audit REs using a variety of such providers, I have seen the
benefits of such services for entities, with the provider able to take care of the more mechanical, time-consuming aspects of CDD, freeing up staff time or allowing for REs who
lack appropriately-skilled staff to undertake the CDD in the first place. The ability to access
a pool of trained AML/CFT analysts that specialise in CDD is certainly attractive to organisations where they may not be able to justify hiring one internally (provided they can
find one – AML resource is always seemingly in short supply).
My audits picked up a number of risks and considerations, however, which entities have not contemplated in their adoption of such services.
Use of third-party AML/CFT tools and services
Before looking specifically at CDD outsourcing services, it is worth discussing use of third-
party AML/CFT tools/services generally. Too often I see REs looking to acquire tools before
they have determined what they need to build, that is, the RE has not undertaken a risk assessment or a gap analysis of current processes against the obligations of the Act.
Such tools and services can provide important parts of an RE’s programme (and in some cases may prove essential in meeting certain obligations), however, they should not be viewed as a ‘magic bullet’ for the challenges in your programme.
With any AML/CFT tool, you should understand:
(a) the limitations of the tool itself – what does it do and what doesn’t it do;
(b) your limitations in using it – for example, do you lack the data necessary to fully
utilise the features of transaction monitoring software; and
(c) how it fits into the rest of your AML/CFT toolbox.
The Basis for Outsourcing
“Subject to any conditions that may be prescribed by regulations, a reporting entity may
authorise a person to be its agent and rely on that agent to conduct the customer due
diligence procedures and obtain any information required for customer due diligence under
this Act or regulations.”
This section is stated broadly and is certainly less prescriptive than s33 (which allows an RE
to rely on CDD undertaken by another RE) but the general best practice rules for use of agents apply. At a high level, ensuring compliance by agents means ensuring that they are
completing the obligations in line with your standards (which should be in line with relevant
legislation and guidance) while mitigating the risk that this is being completed by a third-
party where oversight will likely be less than that of your own staff.
The number one thing to remember is that the RE remains liable for compliance with the
Act so it will need to ensure that it is satisfied that the outsource process meets the
requirements of the Act and associated guidance. You can outsource the mechanics of CDD,
but you can’t outsource the risk.
With this in mind, I set out below my recommendations for REs considering the use of
third-party CDD outsource providers:
(a) Update Risk Assessment
The RE should ensure that its Risk Assessment (completed under s58 of the Act) assesses the risk posed by using an agent channel. Any specific risks identified should then be addressed in its AML/CFT Programme.
(b) Update the CDD Process
The RE’s CDD processes should be updated including a consideration of how the provider’s process meets the requirements of the Act and Code of Practice. In particular, it should set out how the EIV process meets Part 3 of the Code of Practice, including relevant data sources and linking of identity to the presenter.
(c) Determination of Customer Risk
The process to determine the customer risk should be clear – does the RE determine the customer risk (and therefore the level of CDD required) prior to sending the customer file to the provider or is the risk level determined by the provider in line with parameters agreed? Where the provider is determining risk, it should be in line with the RE’s AML/CFT risk framework including the Risk Assessment.
(d) Agreement on CDD Approach
The RE should be satisfied that the approach by the provider to CDD is in line with its own. By way of example, I have seen different approaches between providers as to the treatment of trusts in company structures both in respect of determination of beneficial owners and as to whether enhanced CDD should apply in these circumstances. The RE should ensure that it is satisfied with the approach taken.
(e) Loss of Information
Where a RE shifts from using an internal CDD process to an outsourced one, it should ensure that all information it was collecting is also captured in the amended process. The main example I have seen of this is the capture of information relating to the nature and purpose of the business relationship which was included in the original process but not replicated in the outsource procedure.
(f) Access to Underlying Proof of Verification
The RE should ensure that it is provided with supporting verification information which is able to checked by staff (e.g. company extracts, trust deeds, proof of EIV and politically exposed person checks). It is not sufficient to simply rely on a statement from the provider that CDD has been completed. As a general rule, a confirmation from a provider should not be viewed as a green light to onboard the customer. It may simply be confirmation that the mechanical aspects of CDD have been completed but there may be some risk matters arising from the CDD which should be considered prior to onboarding.
From an audit perspective, I cannot rely on a RE telling me it has done CDD on a customer, they need to show me they have done it – this is the same whether it is completed by staff of the RE or an agent.
(g) Checking by Staff
Staff should review the outcome of any outsourced CDD to ensure it matches their understanding from the customer. This is a particular area of risk. By way of example, the staff member may think they are dealing with a straightforward New Zealand company, ABC Limited. The CDD completed by the provider shows that the shareholding of ABC Limited goes up through a number of higher-risk jurisdictions and includes some complex structures. If the staff member simply sees the sign-off sheet saying that CDD is completed, they will not appreciate the risk posed by the customer. Tying this back to my missile analogy above, it is important that staff of the RE maintain ‘line of sight’ on the target customer.
(h) Treatment of Exceptions
The RE will need to determine with the provider the rules around granting CDD exceptions:
Is the provider able to make a decision or will all exceptions be approved by the RE?
Where the RE confirms any exception, which staff member(s) can do this?
In any case, all exceptions should be clearly documented and maintained for easy reference.
In addition to checking by staff generally, compliance staff of the RE should be undertaking assurance over the process to gain comfort that it is being completed to the standard required by the RE – e.g. through sampling a selection of files.
(j) Limitations of Enhanced CDD
Enhanced CDD completed by a third-party will naturally be limited where that third-party does not have knowledge of the nature of the business relationship or size of transactions involved. As such, where enhanced CDD is undertaken by a provider, staff should ensure that the following is included on each relevant customer file:
Appropriate collected information on source of funds/wealth (SOF/W) – e.g. the customer’s explanation of the relevant SOF/W which may include the staff member’s knowledge of the customer’s circumstances where relevant;
The assessed risk level of the customer (e.g. while the customer may be a trust, there will a difference between a NZ family trust vs. a trust domiciled in a higher risk jurisdiction) with supporting notes to justify the decision; and
Supporting verification documents together with supporting notes as to why the RE considers the steps taken to verify the SOF/W are reasonable given the risk assessed.
(k) Timeliness of CDD
The RE should seek confirmation of the timeliness of the information held by the provider, that is, has the CDD been completed specifically for the RE or was it already held by the provider having previously been completed for another entity. If it is already held, the RE should seek assurances as to how the provider ensures that the information is still current (e.g. that the beneficial owners have not changed since the CDD was last undertaken).
(l) Sharing of Suspicious Activity Report (SAR) Information
A RE should not share any information relating to a SAR with the outsource provider to ensure compliance with the tipping-off provision in s46 of the Act. This may be an issue where a RE requires the provider to undertake enhanced CDD in accordance with s22A of the Act but where it may be difficult to undertake enhanced CDD where the provider is unaware of the nature of the suspicion.
(m) Privacy and Data Security
The RE should seek comfort around the security of customer data including relevant privacy controls.
(Check out The TIC Co. Privacy and Data Security Resource for more information)
(n) Protection of RE-specific Information
In the course of completing CDD, an RE may give the provider some information to assist the process such as the nature of the transactions being undertaken or knowledge around SOF/W of the customer. An RE should seek assurances that such information will not be stored with customer information where it may be accessible by, or available to, other REs.
(o) Use of Information
The RE should seek assurances around the use of customer information generally. Where a provider has access to essentially the customer lists of enough legal, accounting and stockbroking firms, for example it may be able to ascertain from the customers being onboarded and the timing of the onboarding the likelihood of certain transactions occurring, especially in a small market such as New Zealand. The RE may want to seek assurances around controls in this area including staff training on use of information and even potentially the provider’s policy on share trading by staff.
As stated earlier, the use of a specialist outsource CDD provider has proved beneficial to a number of REs where the accuracy of the mechanical aspects of CDD was improved over that undertaken by internal staff. Important considerations for initial implementation and ongoing use of these providers has often been overlooked in the excitement to remove
some of the busy work of CDD from the RE’s daily activities. My recommendations above
seek to highlight these areas.
It is also my hope that REs use the time saved from outsourcing the mechanical aspects of CDD to better focus on the risk-based aspects of CDD (including enhanced CDD and account monitoring), the intricacies of which continue to evade many REs.
A full-time consultant since 2012, Martin Dilly is a certified AML specialist, who is internationally recognised for his contributions to compliance training. Prior to that, Martin was director of AML Solutions, and has experience as a corporate solicitor as well as holding senior legal and compliance roles at ABN AMRO Bank.
Martin has worked with multiple entities across every captured AML sector, assisting through training, consulting, and auditing in New Zealand and abroad.
For advice on CDD feel free to contact us on 0800 115 121, or email firstname.lastname@example.org
Keep up to date with all AML/CFT developments and news by subscribing to our monthly ATTIC magazine.