Your 7 Point Checklist To Getting AML Customer Due Diligence Sorted

It can be really hard trying to stay on top of customer due diligence (CDD) when you’re dealing with a lot of clients, have complicated situations to manage, or information is taking time to be verified.


Daily working life for those affected by AML rules and regulations may not be as simple as it used to be, but you can make things easier for yourself by following a checklist of due diligence activity to ensure nothing slips through the gaps.


1. Dig deep and uncover details of your customer’s identity


Start off with a thorough look at your customer's identity. Getting evidence of this up front will save time and set you on the right track to getting the information you need to comply with AML due diligence regulations.


Most customers will have official documents such as a passport or NZTA driver’s license to quickly show that they are who they say they are. Information you need to gather includes:

  • the person’s full name; and

  • the person’s date of birth; and

  • if the person is not the customer, the person’s relationship to the customer; and

  • the person’s address or registered office; and

  • nature and purpose of the proposed business relationship; and

  • any information prescribed by regulations.

Do this for your customer, any beneficial owner of your customer and any person acting on behalf of your customer. Remember that you need to find the actual human being who controls or receives the benefit - you cannot just look at the company or the trust.


2. Make sure you’ve got it right and verify identities


It’s not enough to just have evidence of a customer’s identity – you need to inspect this evidence and ensure it is verified so you can be satisfied the information provided is correct. And depending on the level of risk involved you must take reasonable steps to verify the identity of any beneficial owners, and verify the identity and authority of any person acting on behalf of your customer.


Documentary identity verification


If you are using documentary verification, verify the identity of your customer:

  • face to face; or by

  • ensuring copies of documents provided are certified by a trusted referee.


Who is a trusted referee?

In New Zealand, a trusted referee must be 16 years or over. Trusted referees include people such as police, justices of the peace, registered medical doctors, registered teachers and lawyers.


Make sure the trusted referee isn’t related to the customer, isn’t the customer’s spouse or partner, isn’t involved in the business or transaction requiring certification, and doesn’t live at the same address as your customer.


Remember, for certification by a trusted referee to be valid:

  • The trusted referee must have sighted the original documentary identification, and made a statement to the effect that the documents provided are a true copy and represent the identity of your customer.

  • Certification must include the name, signature, and the date of certification. The trusted referee must specify their capacity to act as a trusted referee. It must also state that the photo on the identity document represents a true likeness of the person presenting it.

  • Certification must have been carried out in the three months preceding the presentation of the copied documents.


Electronic identity verification


If you need to carry out electronic identity verification you must verify your customer’s name from either:

  • A single independent electronic source that is able to verify an individual’s identity to a high level of confidence; or

  • At least two independent and reliable matching electronic sources (the name and date of birth must be verified from one source, and only the name is verified from the second source).

You must also check your customer’s details against your customer records, to ensure that no other person has used the same identifying information.


Recent confusion around electronic identity verification (EIV) has seen the regulators issue another Explanatory Note on the subject, so it is important to follow the guidelines to get it right. Remember that EIV is not CDD: you must ensure you are completing all the requirements of due diligence on your customers. EIV alone is not enough.


3. Ensure you document the nature and purpose of business


Next up, review the nature and purpose of the proposed business relationship between you and your customer.


FMA guidelines advise you need to obtain sufficient information to determine whether the customer should be subject to enhanced customer due diligence. This will also help you assess the level of risk associated with your customer and is important for ongoing CDD and account monitoring obligations as your business relationship continues.


All this can take time but it is important to get it right. Although we are a small country sitting at the bottom of the world, it is estimated by the Department of Justice that $1.35 billion from the proceeds of fraud and illegal drugs is laundered through New Zealand businesses.


4. Save time with robust record keeping


Not many people like record keeping but remember getting this right could help defend against a money laundering offence in the future, save you time in the long run, and help keep you audit ready.


It is good practice to keep detailed records of all decisions and retain customer due diligence and relevant records in a readily auditable manner. It is important for you to note how you manage your records, where they will be stored and the retention and disposal process so you can easily identify records to be kept or destroyed.


Ensure you also record the rationale behind any decision that you make. Anyone reading the notes years later should be able to understand why you made a risk-based decision.


Customer due diligence records should include:

  • Identification information of your customer and any beneficial owners.

  • Copies of original documents used for verification of identity of your customer and any beneficial owners.

  • Information on the nature and purpose of your business relationship with your customer.

  • Records to show ongoing monitoring of your relationship and customer activities.

  • Record of training provided to staff.

The FMA states that records should be kept ‘for a minimum of five years after a transaction or wire transfer has been completed or a business relationship has ended.’


5. Take additional measures where necessary


In some cases, a standard customer due diligence check is not enough. This may be because you are dealing with a high-risk customer and you have determined enhanced customer due diligence (EDD) checks are required. EDD should be conducted when:

  • Your customer has a trust or another vehicle for holding personal assets.

  • Your customer is a non-resident client from a country that has insufficient anti-money laundering and countering financing of terrorism systems or measures in place.

  • Your customer has a company with nominee shareholders or shares in bearer form.

  • Your customer is a politically exposed person (PEP). At the moment this only applies to international PEPs, but don’t be surprised if domestic PEPs are included in the future.

  • You consider that the level of risk involved is such that enhanced CDD should apply.

This means in addition to your standard customer due diligence checks you will need to:

  • Use increased or more sophisticated measures to obtain and verify your customer’s details, their beneficial ownership structure, and details of representatives and other key persons.

  • Obtain and verify information relating to the source of wealth or source of funds of your customer.


6. Don’t forget to continue your customer checks with ongoing customer due diligence


Customer due diligence isn’t something you can just do once and forget about. It’s important to maintain an ongoing picture of your customer, their activities and transactions. This means carrying out ongoing customer due diligence, in which you monitor accounts and systematically review the details you have on record.


This account monitoring may be manual or electronic depending on the results of your risk assessments. For example, if the number of customers you have and the number of transactions processed is large, a manual system may not be an adequate way to detect unusual transactions or patterns in activities/behaviour. Getting this right will save a lot of time and help ensure you can maintain an accurate picture of your customer.


Ongoing CDD tasks to complete


Confirm Consistency - ensure that the business relationship and the transactions relating to that business relationship are consistent with your knowledge about the customer and the customer’s business and risk profile.


Maintain Records - make sure that you have up to date records relating to the customer and any entities with beneficial ownership or effective control. Your verification records must be up to date.


Regular Review - you must consider (a) the type of customer due diligence conducted when the business relationship with the customer was established; and (b) the level of risk involved to determine if you need to redo your CDD checks.


Respond To Changes - if the nature and purpose of your relationship with the customer changes you must respond appropriately and complete checks at the necessary level. If you identify anything suspicious you must file a SAR with the FIU.


7. Get audit ready


Unless you are given an extension by your sector supervisor, three-yearly audits are compulsory – there is no escape. And remember, your sector supervisor may do an audit at any time, so ensuring you follow the correct procedures for customer due diligence and keeping all your records in order can help make audit time less of a headache.


Some audit must-dos

  • Your risk assessment and AML/CFT programme has to be audited every three years by an appropriately qualified and independent individual.

  • Records must be kept of your audit. These must be kept for at least five years after the date on which they ceased to be used on a regular basis.

  • You must make your records relating to audits available to your supervisor on request.

  • Your annual AML/CFT report should include questions related to your audit result and actions you have taken in response to audit findings.

  • Your AML/CFT programme should include a procedure for undertaking an independent audit and indicate when your last audit was taken.

  • Remediation taken as a result of an audit should be documented.

There isn’t a list of approved auditors so you need to choose your auditor carefully. There are several things to think about when selecting your AML auditor so take the time to make sure you get it right and find an independent, reliable auditor experienced in your industry sector as well as AML.


At the end of your audit, your audit should advise whether:

  • you meet the minimum requirements for your risk assessment and programme;

  • your programme was adequate and effective throughout the specified period; and

  • any changes are required.


Put it into action!


I think we all agree there’s a lot of work involved in meeting AML/CFT customer due diligence obligations, but you can make things easier by sticking to the guidelines and getting the right processes and procedures in place.


AML/CFT obligations have required a lot of additional work for key industries impacted by AML, but if what we do can help stop criminals from reaping the financial benefits of illegal activity such as fraud, illegal drugs, human trafficking, tax evasion and other crimes, it’s worth it.


Need more information? Take a look at 'the complete guide to understanding customer due diligence' for details on the different types of due diligence required for different situations.