Due Diligence

Customer Due Diligence Requirement under IFSCA AML/CFT Guidelines 2022

The IFSCA or International Financial Services Centres Authority issued IFSCA (Anti Money Laundering, Counter-Terrorist Financing & KYC) Guidelines, 2022, on 28^th October 2022. The said circular has mandated that the regulated entity shall, after the outcome of ML or TF risk, determine the degree of customer due diligence (CDD) that needs to be performed. A CDD enables the entity to obtain information from the customer to assess the risk they might face. Further, if any information obtained from CDD diligence alters the risk rating of a customer, then such change shall be reflected in the CDD.

When to undertake customer due diligence?

The Customer due diligence shall be undertaken after assigning the risk rating for each customer. The regulated entity, while undertaking CDD, shall undertake the following:

• CDD, in respect of all customers
• Enhanced CDD, in respect of high-risk customers
• Simplified CDD, in respect of low-risk customers

What is the timing of Customer Due Diligence?

The regulated entity shall undertake Customer Due Diligence at the time of:

• Establishing business relationship
• After establishing a business relationship

Moreover, the regulated entity shall undertake Customer Due Diligence when:

• There is a veracity or adequacy with the data, documents, or information of current consumer
• There is a suspicion of ML/TF risk
• Change in the risk rating of the customer, which is reuired due to a change in circumstances of the customer

What are the conditions for verification before establishing a business relationship?

Before verification, the regulated entity must establish a business relationship with the customer subject to following conditions:

• The non-completion of the verification does not affect the normal conduct of the business.
• There is a low risk of occurrence for ML or TF activity; if any risk is identified, such risk shall be effectively managed by the regulated entity.
• There are adequate safeguards to ensure that there is no transaction being undertaken on behalf of the account holder before the verification completion.
• The verification must be completed in 30 business days after establishing the business relationship.

However, where the regulated entity is unable to comply within 30 business days, then it shall before the end of 30 days:

• States reason for its non-compliance
• Complete the verification as soon as possible
• Recording of non-compliance to the governing body

Suspension and termination:  The regulated entity shall terminate or suspend the relationship with the customer if the verification remains incomplete for 30 days and 120 days after establishing the business relationship.

What are the requirements for Customer due diligence?

While undertaking the Customer due diligence, the regulated entity shall undertake the following measures:

A. Identification of a customer

The regulated entity shall obtain the following information from the natural person:

• Full name
• Identity card, card number, passport number etc.
• Date of birth
• Nationality
• Legal Domicile
• Present Residential address
• Contact details
• Any additional information

The regulated entity shall obtain the following information from a legal person or legal arrangement:

• Full name and trading name
• Tax identification number, incorporation number, business registration number
• Registered business address and place of business
• Date and place of incorporation or establishment
• Legal form, constitution and powers regulate the legal person or legal arrangement.

B. Verification of Identity of the Customer

The regulated entity shall verify the customer’s identity through independent and reliable sources, data or up-to-date documents. Where a Customer is a legal person or legal arrangement, the entity shall verify the proof of existence, legal form, constitution and powers. The regulated entity must rely on more accurate documents such as government-issued identity cards, reports from independent company registries, or any published or audited annual reports. The entity shall examine these documents and retain a copy of the same. Further, the regulated entity may obtain the following information at the time of verification:

Natural Person: Photograph of the Customer, name, unique identification number, nationality and date of birth, residential address, utility bill, and bank statements.

Legal Person or Legal Arrangements: Certificate of incorporation, partnership deed and agreement, trust deed, certificate of registration, constitutional documents, board resolution or similar account warranting the opening of an account and appointment of authorised persons.

Foreign national: National Identity card, Voter identification card used by the government of relevant jurisdiction or photograph, name, date of birth, address of foreign residence.

C. Identification & verification of the identity of the natural person appointed to act on behalf of the customer

The regulated shall obtain information about the person appointed by the natural or legal person for establishing a business relationship with the regulated entity. Further, the entity verifies the authorisation of such a person by obtaining the following information:

• Power of attorney, board resolution of the governing body to act on their behalf
• Where there are a large number of such persons, then the entity shall verify only those who will deal directly.

D. Identification and Verification of Identity of Beneficial Owners

The regulated entity must identify the beneficial owners of a customer if there are more than one and verify the identities while keeping the following things:

Customers that are natural persons: To identify the natural person who ultimately exercises control over the legal persons through ownership.

Customers that are legal arrangements: If the Customer is a trust, then the entity shall verify the identification of the author of the trust, beneficiaries, trustee, with 15% or more interest and any natural person having control over the trust through ownership.

E. Parameters to identify and verify the identity of beneficial owners

The following parameters shall be used:

Customer is a company:  The beneficial owner will be the natural person with a controlling ownership interest in more than 25% of the company’s capital or profits.

Customer is a partnership firm: The beneficial owner will be the natural person who has controlling ownership or entitlement to 15% of capital or profits in a partnership firm.

Customer is an unincorporated association or body of individuals: The beneficial owner will be the natural person who has controlling ownership or entitlement to 15% of capital or profits in an unincorporated association or body of individuals.

Customer is trust: The identification will be the author of the trust, trustee, and beneficiaries with 15 % or more interests or any natural person having control over the trust through ownership.

Exception: If the regulated entity doubts the veracity of the Customer Due Diligence or has suspicion that the customer is involved in ML or TF activities, in that case, the entity is not required to identify & verify the identity of a shareholder or beneficial owner where the client or owner is an:

• The entity listed in the stock exchange in India
• Entity resident in jurisdiction notified by the government
• Listed on the stock exchange in the jurisdiction notified by the government.

F. Identifying and verifying the beneficiary of a life insurance policy

The regulated entity shall, apart from the Customer Due Diligence measures undertaken, conduct the following CDD measures on the beneficiaries of life insurance and other related insurance policies:

• As soon as the beneficiary of the life insurance policy is identified, the regulated entity shall obtain the full name of such beneficiary.
• Obtain sufficient information on the beneficiary at the time of pay-out; such beneficiary is differentiated based on characteristics, class or other means.

F. Information on the Purpose and Intended Nature of Business Relations

The regulated entity shall, at the time of establishing the business relationship, obtain information on the customer’s purpose and intended nature of the business relations.

What measures should be undertaken when a Customer is a Politically Exposed Person?

The regulated entity must implement an internal risk management system, procedures and policies to identify if any customer or natural person or beneficial owner of the customer appointed is a politically exposed person^[1] (PEP). Further, the entity must undertake additional measures if the customer, natural person or beneficial owner is identified as PEP.

• Obtain information on the source of wealth & income of family members, close relatives and beneficial owners.
• Verify the identity of the customer identified as a PEP
• Obtain approval from senior management before opening any account of a Customer identified as a PEP
• Monitor ongoing business transactions and determine if the customer’s account transaction appears suspicious.

Further, the regulated entity undertakes a risk-based approach in determining whether the enhanced CDD is to be performed for:

• Politically exposed person, their family and close relatives
• International organisation PEP, their families and close relatives
• PEP who have exercised considerable influence in the step-down public functions.

What are Enhanced Due Diligence and Simplified Customer Due Diligence?

The enhanced and simplified Customer due diligence depends on the customer’s risk profile.

Enhanced Customer Due Diligence

The regulated entity conducts enhanced customer due diligence when Money laundering or Terrorist Financing risk is high. The measures undertaken under enhanced CDD are:

1. Obtain additional information from customers such as occupation, the volume of assets, internet, public information etc. and update more regularly.
2. Obtain information on the source of wealth and funds of the customer or beneficial owner. The regulated entity must examine the source of wealth and funds. It means from where the particular transaction comes. Further, to ensure that the funds are not the proceeds of crime, the entity shall examine the activity that generated the funds.
3. Obtain information on the purpose behind conducting specified transactions.
4. Obtain approval from senior management for commencing or continuing the business relationship.
5. Conduct enhanced monitoring of business relationships by increasing the number and timing of controls.
6. Selecting patterns that need further examination.

It is required that the first payment of the customer in furtherance of opening an account with an entity shall take place from a bank account of the customer’s name with the following:

• Bank
• Regulated financial Institution
• Subsidiary of Regulated Financial Institution

However, it is mandatory that approval from the senior manager or committee of senior managers may be needed for establishing account-based relationships with high-risk customers.

Simplified Customer Due Diligence

The enhanced customer due diligence is conducted by the regulated entity when Money laundering or Terrorist Financing risk is low. The measures undertaken under simplified CDD are:

1. Verify the customer’s identity and beneficial owner after establishing a business relationship.
2. Reduce the rate of customer frequency updates.
3. Reduce the degree of scrutinising and monitoring ongoing transactions after deciding a reasonable monetary threshold.
4. Not collecting specific information on understanding the nature and intended purpose of the business relationship but inferred from the purpose and nature of the type of transactions.

What is ongoing customer Due diligence?

The regulated entity must follow a robust and effective process for ongoing monitoring of all business relations. Further, the regulated entity must undertake the following activities:

1. It shall observe the conduct of the customer’s account and scrutinise transactions during business relations.

2. It shall pay attention to unusually large or unusual patterns and complex transactions during busies relations and make further checks on the background and purpose of the transactions. The entity also documents the findings to make them available to regulatory authorities.

3. It shall undertake a periodical review of each customer with respect to ML or TF risks when:

1. The entity changes its Customer Due Diligence documentation
2. There is an expected unusual transaction with the customer
3. There is a change in the business relationship with the customer
4. There is a change in the ownership and nature of the Customer

4. It shall ensure that the CDD data, documents and information are up to date so that entity can identify the changes in the risk profile of the customer. Further, the entity shall undertake the following activities:

1. For High risk rated Customers:  The entity shall obtain updated CDD information as part of their periodic review or when any trigger event occurs, whichever is earlier
2. For all other risk categories: The entity shall obtainlatest CDD information upon the occurrence of any trigger event.

What is the action on failure to conduct or complete customer due diligence?

The regulated entity shall undertake the following activities in case it is unable to conduct or complete Customer Due Diligence:

1. Not opening an account or providing service
2. Not carry out any transaction for or with customer
3. Not establish any business relationship
4. Terminate or suspend existing business relationship with the customer
5. Return any monies and assets received from the customer
6. Consider filing a Suspicious Transaction Report (STR)

What should be the manner of periodic updation for different customers?

The regulated entity shall periodically update the Customer Due Diligence in the manner provided below:

1. High-risk Customers- Annually
2. Medium risk Customers- Once in 3 years
3. Low-risk Customers- Once in 5 years

Moreover, the regulated entity shall document it as a policy as a part of its internal KYC policy, which the governing body shall further approve of the entity.

A. Individual Customers

1. No changes in CDD information: A self-declaration from the customer in this regard is to be obtained through a registered mobile number or digital channels
2. Change in address details:  A self-declaration of new-address from the customer to be obtained through the customer’s registered E-mail ID, mobile number, or digital channels. The address shall be verified within 2 months by sending an address verification letter, deliverables, contact information etc. Further, the entity shall obtain a copy of OVD or equivalent e-documents as proof of address.

B. Customers other than Natural Persons

• No change in CDD information: A Self-declaration from a customer in this regard shall be obtained through registered E-mail, digital channels, a letter duly signed by an authorised official and requisite resolutions. Further, it ensures that the beneficial ownership is accurate and up to date.
• Change in CDD information: The entity will undertake a new Customer Due Diligence process similarly undertaken when onboarding the new customer.  

C. Additional Measures

The regulated entity shall ensure that:

1. It holds the KYC documents for the customer according to current CDD standards. It shall also undertake a fresh CDD process in case the CDD documents validity is expired.
   • The pan details of the customer, in the case of Indian National, are verified from the date of issuing authority.
   • The acknowledgement receipt must be sent to the customer along with the receipt of relevant documents and self-declaration for carrying out periodic updation. Further, the entity shall update the record of documents in their database, and an intimation is sent to the customer for the due date of CDD details.
   • The facility of periodic updation of CDD is made available to any of its branches as a measure of its internal KYC.
   • It shall adopt a risk-based approach for periodic updation of Customer Due Diligence. Any exceptional and additional measures shall also be clearly mentioned in its approved internal KYC policy.
   • It shall be made sure that the internal KYC policy is transparent and that adverse action shall be avoided.

Conclusion

Customer due diligence protects the regulated entity from exposing itself to any money laundering and terrorist financing risks. The customer needs to further undertake customer due diligence requirements. Further, the entity must undertake customer due diligence for enhanced and simplified CDD based on the high and low-risk rating, respectively. The entity shall further monitor ongoing CDD for business relations and undertake period updation in the manner discussed above.

Read Our Article: Grants under IFSCA (FinTech Incentive) Scheme, 2022