Unfortunately, being a man or woman of your word is not an acceptable regulatory standard for compliance.
Gone are the days when it was acceptable to confirm the identity of a new client by a director or senior colleague simply scribbling the words “known to me personally” on a file cover or due diligence checklist, without providing a shred of documentation.
The level of comfort that such personal introductions provided to a recipient has since been outweighed by all the risks to its business operations of failing to properly identify a customer, its affiliations or its source of funds. It is clear from regulatory guidance that any such personal introduction should never replace the obligation to properly identify someone and run verification procedures on their data.
Relevant financial businesses are able to rely on due diligence that they have previously collected, where the information at hand is still considered to be reliable and up to date. Nonetheless, the standard remains that businesses should identify their customers and verify their identity using independent and reliable source documents.
In the Cayman Islands, the regulatory standards for the prevention and detection of money laundering and countering the financing of terrorism, though providing a certain level of flexibility, require, inter alia, (i) the obtaining of satisfactory evidence of the identity of an applicant for relevant financial business and (ii) the verification of that data at the earliest possible point after contact is made. There is scope to tailor the due diligence requests based on the type of customer, proposed transaction or nature or length of the business relationship.
The reality is, however, that the rainmakers are not always impressed by compliance demands and would prefer not to go out to clients to request further or better due diligence particulars, and in some cases, any at all. The concern is that a transaction that is time sensitive could be delayed, or a potential client could be “spooked” by the additional or “burdensome” due diligence requests. This is a well-known tension between the compliance function and the operations departments. It is remarkable that when those same requests are made of the rainmakers, they comply without utterance.
Since we are operating in a risk-based regulatory environment, what often follows is a lively debate on what constitutes taking reasonable measures to establish and/or verify someone’s identity, in light of regulatory guidance. Sectoral and industry best practices are to be considered in the analysis of what due diligence could suffice, and whatever decision is made should be clearly documented, and made subject to internal review.
Any reliance on introductions to personal clients should always be premised on the basis that the standards of the AML/CFT regulations are being met. Accepting the assertion that someone is personally known requires the recipient to be satisfied that the introducer has obtained satisfactory evidence of the identity of the person being introduced, and further, that the evidence of such identification is being maintained in a compliant manner. If that is not the case, the introduction should not be relied upon. This is equally true under the eligible introducer’s regime.
The minimum documentation that should be held for a personal client is satisfactory evidence of (i) full name/names used; (ii) correct permanent address; (iii) date and place of birth; (iv) nationality; (v) occupation; (vi) nature of transaction/business and (vii) the source of funds.
With those three words, “known to me”, the introducer is essentially giving an assurance on all of the above. Do you really know someone’s true identity, their affiliations or their source of funds? The source is not the bank account or trust fund that the money may originate from. It is the transaction or series of transactions or occurrences that caused that bank account or trust fund to contain money in the first place. Do you know what they are?
In the wake of the publication of the National Risk Assessment report, the Cayman Islands Monetary Authority (CIMA) has stepped up its efforts to test the veracity of AML/CFT programs through offsite measures. Coupled with this is CIMA’s development of, and consultation on, revised data accessibility and record retention expectations. This signals that those conducting relevant financial business should expect a higher level of scrutiny from CIMA on AML/CFT matters and, ultimately, enforcement action, including for failure to take appropriate measures to conduct due diligence on their customers to properly identify them, and potentially for failure to retain source documents and data, as required.
There is convergence in the customer due diligence space with the compliance obligations to CIMA for AML/CFT, the Tax Information Authority in respect of the automatic exchange of information and more recently the registrar of companies in respect of the beneficial ownership registers. It would appear that now is as good a time as any for businesses subject to one or more of these regulatory obligations to take a step back and to determine how compliance can be achieved in a smarter and more efficient manner.