Due Diligence – what every adviser needs to know

So, what exactly is KYC? And what do we mean by Due Diligence? (Simplified, Standard & Enhanced)?

‘KYC’ involves verifying the identity of our customers before we provide a service to them. It can be broken down into the following steps:

• Identify and understand the client at onboarding. Ensure you understand the level of due diligence required (more about that later)
• Identify any additional risk factors. Sanctions, Politically Exposed Persons (PEP) status and potentially any ‘adverse media’ (negative stories about them)
• Where a limited company is involved, identify the ultimate beneficial owner (UBO) and perform the KYC process on them
• Identify sources of funds, assets, and address history

We need to carry out Due Diligence because it constitutes key regulation in the UK:

• The Money Laundering, Terrorist Financing and Transfer of Funds (information on the payer) Regulations 2017, and its subsequent amendments obligate businesses to follow AML requirements
• The Proceeds of Crime Act 2002 outlines the criminal offences and the penalties associated
• The Terrorism Act 2000 created the terrorist financing offences and required the reporting of suspicious activities to the National Crime Agency (NCA)
• The Financial Services and Markets Act 2000 delegates responsibility for AML to the FCA

This may all sound very serious, and you may think it unlikely that your mortgage clients could ever be involved in criminal activity. But here are some scary statistics to consider: one in five people in England and Wales were victims of fraud in 2020; 3.7 million fraud offences were recorded in 2022; fraud cost the UK economy £100bn in 2023 according to government figures, while £53m in FCA fines related to Financial Crime risks last year.

In 2024 the FCA’s priorities are to:

• Continue action against firms who fail to meet the FCA standards on Financial Crime
• Enhance the use of data and intelligence to identify and disrupt financial crime risks
• Support the implementation of the new regulatory framework and Edinburgh reforms
• Work the HM Treasury and other regulators (including international counter parties) to improve the effectiveness and efficiency of the UKs AML regime

So, what are the best KYC practices?

It is recommended that advisers use questionnaires to capture information, with signatures that you can cross check against other documents that are provided. Check the personal information supplied. Use Electronic Identity Verification (EIDV) to validate. Remember to inform the client that this leaves a soft footprint against their credit record and gain specific consent from them to carry out the checks.

Review the identification documents provided and check signatures. Verify the documents are real against electronic database systems. Review any anomalies and/or errors and alerts that this shows you. Is it input error or a forged document?

Check the business information supplied, do internet searches and use Companies House to verify business details. Remember, Companies House will only search against the exact details you input. You can use external third-party systems that will offer a wider search against personal and business name variations. Be aware that staged business details and staged income are becoming more frequent signifiers of fraud.

As noted above there are various levels of Customer Due Diligence and as a business you need to have a risk assessment in place to break these down. So where are the lines drawn and what triggers a more robust check for your business?

Simplified Due Diligence – applied where there is a low degree of risk. Perhaps the initial appointment has taken place in the customers home and there is ample evidence that this is the main residence, e.g., photographs.

Standard Due Diligence – applied where distanced selling has taken place and no face-to-face meetings have taken place. For example, an ex-pat client, mitigated by appointment over a recorded Zoom/Teams meeting, and ID has been held up beside the face.

Enhanced Due Diligence – applied where there is an additional external element to consider, this could be because there has been a PEP or Sanction alert during EIDV, a complex business ownership family tree or even adverse media.

The level of risk you attribute to each level of due diligence will determine the documentation and or evidence you deem necessary.

Depending on the type of business you are doing you may need to maintain this due diligence, revisiting on a regular basis for as long as your business relationship runs.

Key considerations for your firm:

• What risks do you consider to be associated with your business?
• Are the current KYC procedures and policies aligned to this risk assessment and up to date with regulations?
• Are all staff adequately trained and is that training translating into applied behaviours?
• Can you evidence all the above?

Sadly, financial crime is on the rise. The landscape is constantly changing and so is the way that criminals operate. The importance of carrying out and evidencing KYC simply cannot be stressed too emphatically, and it is incumbent on all mortgage advisers to take this responsibility seriously.