The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017

Customer due diligence measures

28.—(1) This regulation applies when a relevant person is required by regulation 27 to apply customer due diligence measures.

(2) The relevant person must—

(a)identify the customer unless the identity of that customer is known to, and has been verified by, the relevant person;

(b)verify the customer’s identity unless the customer’s identity has already been verified by the relevant person; and

(c)assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction.

(3) Where the customer is a body corporate—

(a)the relevant person must obtain and verify—

(i)the name of the body corporate;

(ii)its company number or other registration number;

(iii)the address of its registered office, and if different, its principal place of business;

(b)subject to paragraph (5), the relevant person must take reasonable measures to determine and verify—

(i)the law to which the body corporate is subject, and its constitution (whether set out in its articles of association or other governing documents);

(ii)the full names of the board of directors (or if there is no board, the members of the equivalent management body) and the senior persons responsible for the operations of the body corporate.

(4) Subject to paragraph (5), where the customer is beneficially owned by another person, the relevant person must—

(a)identify the beneficial owner;

(b)take reasonable measures to verify the identity of the beneficial owner so that the relevant person is satisfied that it knows who the beneficial owner is; and

(c)if the beneficial owner is a legal person, trust, company, foundation or similar legal arrangement take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.

(5) Paragraphs (3)(b) and (4) do not apply where the customer is a company which is listed on a regulated market.

(6) If the customer is a body corporate, and paragraph (7) applies, the relevant person may treat the senior person in that body corporate responsible for managing it as its beneficial owner.

(7) This paragraph applies if (and only if) the relevant person has exhausted all possible means of identifying the beneficial owner of the body corporate and—

(a)has not succeeded in doing so, or

(b)is not satisfied that the individual identified is in fact the beneficial owner.

(8) If paragraph (7) applies, the relevant person must keep records in writing of all the actions it has taken to identify the beneficial owner of the body corporate.

(9) Relevant persons do not satisfy their requirements under paragraph (4) by relying solely on the information—

(a)contained in—

(i)the register of people with significant control kept by a company under section 790M of the Companies Act 2006 (duty to keep register)(1);

(ii)the register of people with significant control kept by a limited liability partnership under section 790M of the Companies Act 2006 as modified by regulation 31E of the Limited Liability Partnerships (Application of Companies Act 2006) Regulations 2009(2); or

(iii)the register of people with significant control kept by a European Public Limited-Liability Company (within the meaning of the Council Regulation 2157/2001/EC of 8 October 2001 on the Statute for a European Company which is to be, or is, registered in the United Kingdom) under section 790M of the Companies Act 2006 as modified by regulation 5 of the European Public Limited Liability Company (Register of People with Significant Control) Regulations 2016(3);

(b)referred to in sub-paragraph (a) and delivered to the registrar of companies (within the meaning of section 1060(3) of the Companies Act 2006 (the registrar)) under any enactment; or

(c)contained in required particulars in relation to eligible Scottish partnerships delivered to the registrar of companies under regulation 19 of the Scottish Partnerships (Register of People with Significant Control) Regulations 2017(4).

(10) Where a person (“A”) purports to act on behalf of the customer, the relevant person must—

(a)verify that A is authorised to act on the customer’s behalf;

(b)identify A; and

(c)verify A’s identity on the basis of documents or information in either case obtained from a reliable source which is independent of both A and the customer.

(11) The relevant person must conduct ongoing monitoring of a business relationship, including—

(a)scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person’s knowledge of the customer, the customer’s business and risk profile;

(b)undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence measures up-to-date.

(12) The ways in which a relevant person complies with the requirement to take customer due diligence measures, and the extent of the measures taken—

(a)must reflect—

(i)the risk assessment carried out by the relevant person under regulation 18(1);

(ii)its assessment of the level of risk arising in any particular case;

(b)may differ from case to case.

(13) In assessing the level of risk in a particular case, the relevant person must take account of factors including, among other things—

(a)the purpose of an account, transaction or business relationship;

(b)the level of assets to be deposited by a customer or the size of the transactions undertaken by the customer;

(c)the regularity and duration of the business relationship.

(14) If paragraph (15) applies, a relevant person is not required to continue to apply customer due diligence measures under paragraph (2) or (10) in respect of a customer.

(15) This paragraph applies if all the following conditions are met—

(a)a relevant person has taken customer due diligence measures in relation to a customer;

(b)the relevant person makes a disclosure required by—

(i)Part 3 of the Terrorism Act 2000(5), or

(ii)Part 7 of the Proceeds of Crime Act 2002(6); and

(c)continuing to apply customer due diligence measures in relation to that customer would result in the commission of an offence by the relevant person under—

(i)section 21D of the Terrorism Act 2000 (tipping off: regulated sector)(7); or

(ii)section 333A of the Proceeds of Crime Act 2002 (tipping off: regulated sector)(8).

(16) The relevant person must be able to demonstrate to its supervisory authority that the extent of the measures it has taken to satisfy its requirements under this regulation are appropriate in view of the risks of money laundering and terrorist financing, including risks—

(a)identified by the risk assessment carried out by the relevant person under regulation 18(1);

(b)identified by its supervisory authority and in information made available to the relevant person under regulations 17(9) and 47.

(17) Paragraph (16) does not apply to the National Savings Bank or the Director of Savings.

(18) For the purposes of this regulation—

(a)except in paragraph (10), “verify” means verify on the basis of documents or information in either case obtained from a reliable source which is independent of the person whose identity is being verified;

(b)documents issued or made available by an official body are to be regarded as being independent of a person even if they are provided or made available to the relevant person by or on behalf of that person.