- 43/45 Spencer Street, Birmingham, B18 6DE
- 0121 236 7597
- Email: [email protected]
1. Money Laundering and high value dealers 2. Responsibilities of senior managers 3. Policy, controls and procedures 4. Customer due diligence 5. Reporting suspicious activity 6. Record keeping 7. Staff awareness 8. High value dealer risk 9. High value dealers 10. Where to find more information
 This interim guidance and will be amended in due course. The section on politically exposed persons will be reviewed once the Financial Conduct Authority has published their own guidance.
General Introduction  Thank you for taking the time to study this guidance. It is designed to help you comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (referred to as “the Regulations†in this guidance) Meeting your legal obligations is important because it contributes to tackling the serious economic and social harm from organised crime, it also reduces the threat from terrorism in the UK and around the globe. If you would like to know more about some of the success of UK suspicious activity reporting (SAR) see the National Crime Agency SARs annual report.  Almost all businesses supervised by HMRC for anti-money laundering purposes are subject either to fit and proper or approval requirements under the Regulations. These requirements are to ensure that businesses beneficial owners and senior management are appropriate people to undertake those roles. Key personnel must pass the relevant test before the business can register, and can remain registered, with HMRC.  HMRC stresses that neither of those requirements test whether the business is professionally run or operated. Registration is a legal requirement to trade, it is not a recommendation or endorsement of the business.  HMRC advises registered businesses to carefully avoid using language in this context that might give the impression that registration was a form of endorsement or recommendation.    There is more detail about these requirements in the fit and proper test and HMRC approval guidance.  Status of the guidance  This guidance has been submitted for HM Treasury approval. This guidance replaces HMRC's anti-money laundering guidance for high value dealers published on 13 August 2014 and MLR9b published 13 September 2013. This guidance is effective from 26 June 2017. Meaning of words  In this guidance, the word 'must' denotes a legal obligation. Each chapter summarises the legal obligations under the heading 'minimum requirements', followed by the actions required to meet the legal obligations.  The word 'should' is a recommendation of good practice, and is the standard that HMRC expects to see. HMRC will expect you to be able to explain the reasons for any departures from that standard.  Further sources of guidance The Joint Money Laundering Steering Group (a group made up of trade associations in the financial services industry) also publishes free detailed guidance. The guidance is for members of the trade associations and firms supervised by the Financial Conduct Authority, for compliance with the Regulations. However, some of the sections in Part 1 of the guidance may be particularly relevant to high value dealers. They contain detailed coverage of how to do due diligence checks on different types of customers, report suspicious activity and do staff training and record keeping. The Joint Money Laundering Steering Group guidance: http://www.jmlsg.org.uk/industry-guidance/article/jmlsg-guidance-current  References to money laundering should generally be read as also covering terrorist financing unless it is clear from the context that one or other is specifically involved.   1. Money Laundering and high value dealers  Money laundering  1.1 Money laundering is how criminals change money and other assets into clean money or assets that have no obvious link to their criminal origins.  1.2 Money laundering can take many forms, but in the high value dealers sector it often involves:  ◠exchanging cash for high value items that can be easily transferred and sold on, sometimes at a loss, such as jewellery or vehicles â— exchanging cash for large quantities of lower value items that can be sold onwards easily such as alcohol â— exchanging cash for high value assets that are then returned and clean cash refunded.  1.3 Tax evasion is a criminal offence that can lead to money laundering. For example, sale or purchase of high value goods for cash can be underreported to avoid paying VAT or corporation tax.  1.4 There are a number of sub-sectors for high value dealers that cover a number of different types of goods that might be bought to launder money.  Terrorist financing  1.5 Terrorist financing involves dealing with money or goods that you’ve reasonable cause to suspect may be used for terrorism. The funds and goods may be from legitimate sources or criminal sources. They may be in small amounts.   Legislation  1.6 The main UK legislation covering anti-money laundering and counter-financing of terrorism for high value dealers are:  ◠Proceeds of Crime Act 2002 ◠Terrorism Act 2000 ◠Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the Regulations) â— Criminal Finances Act 2017  1.7 The Proceeds of Crime Act sets out the primary offences related to money laundering:   ◠concealing, disguising, converting, transferring or removing criminal property from the UK ◠entering into or becoming involved in an arrangement which facilitates the acquisition, retention, use or control of criminal property by or on behalf of another person ◠the acquisition, use and/or possession of criminal property .  1.8 The main money laundering offences apply to everyone, and you commit an offence if you know or suspect that the property is criminal property.  1.9 Under the Proceeds of Crime Act it’s also an offence to fail to report suspicious activity or to tip off any person that you’ve made such a report. This applies to businesses in the regulated sector, such as high value dealers. This obligation extends across the whole business, so a high value dealer should also report any suspicious activity not related to a high value payment.  1.10 The Terrorism Act sets out the primary offences relating to terrorist funding. Regulated businesses, like high value dealers, must report belief or suspicion of offences related to terrorist financing, such as:  ◠fundraising for the purposes of terrorism ◠using or possessing money for the purposes of terrorism ◠involvement in funding arrangements ◠money laundering - facilitating the retention or control of money that’s destined for, or is the proceeds of, terrorism.  1.11 The Criminal Finances Act 2017 make important amendments to the Proceeds of Crime Act and the Terrorism Act. It extends the powers of law enforcement to seek further information, recover the proceeds of crime and combat the financing of terrorism. 1.12 The Money Laundering Regulations set out what relevant businesses like high value dealers, must do to prevent their services being used for money laundering or terrorist financing purposes. This guidance focuses on what you must do to meet your obligations in relation to:  ◠risk assessment â— policies, controls and procedures â— customer due diligence â— reporting suspicious activity â— record keeping â— staff awareness.  1.13 It also gives information on risk indicators within the sector and information in relation to different types of high value dealers.  1.14 The Joint Money Laundering Steering Group publishes more information about businesses’ obligations under the other relevant legislation.  1.15 The regulations apply to the following businesses when carried on in the UK:  ◠estate agents, that is businesses carrying on estate agency work ◠credit institutions ◠financial institutions ◠auditors, insolvency practitioners, external accountants and tax advisers ◠independent legal professionals ◠trust or company service providers ◠high value dealers ◠casinos   1.16 High value dealers must comply with the regulations. They must not make or accept high value payments for goods unless they register with HM Revenue and Customs (HMRC).   1.17 This is explained in more detail later in this guide.     Financial sanctions  1.18 All individuals and legal entities who are within or undertake activities within the UK’s territory must comply with the EU and UK financial sanctions that are in force. Your client and their property may be subject to sanctions.  1.19 Most financial sanctions are made through EU law which has direct effect under UK law. The Office of Financial Sanctions Implementation works closely with the EU Commission and other member states in implementing sanctions. Other financial sanctions are put in place by UK laws.  1.20 You should report any transactions carried out for persons subject to sanctions or if they try to use your services.  You can report a suspected breach, sign up for free email alerts and obtain Information on the current consolidated list of asset freeze targets and persons subject to restrictive measures at:.  https://www.gov.uk/government/organisations/office-of-financial-sanctionsimplementation  Data Protection 1.21 The Data Protection Act 1998 (DPA) governs the processing of information relating to individuals, including obtaining, holding, use or disclosure of information. 1.22 Personal data obtained by a business under the Regulations may only be processed for the prevention of money laundering and terrorist financing. You must inform your customers of this and the information specified in paragraph 2(3) of schedule 1 to the DPA.  1.23 This use is necessary in order to exercise a public function that is in the public interest and to carry out a function permitted by legislation.  1.24 No other use may be made of the information unless you have consent of the customer or it is allowed by other legislation.  Penalties  1.25 If a person or business fails to comply with the Regulations, they may face civil penalties or criminal prosecution. This could result in unlimited fines and/or a prison term of up to two years. 2. Responsibilities of senior managers  Senior managers  2.1 The senior managers of a high value dealer are personally liable if they don’t take the steps necessary to protect their business from money laundering and terrorist financing.  2.2 A senior manager is an officer or employee who has the authority to make decisions that affect your business’s exposure to money laundering and terrorist financing risk. Examples include a director, manager, company secretary, chief executive, member of the management body, or someone who carries out those functions, or any partner in a partnership, or a sole proprietor.  Minimum requirements  Senior managers must:  ◠identify, assess and manage effectively, the risks that their business may be exploited to launder money or finance terrorists â— take a risk-based approach to managing these risks that focuses more effort on higher risks â— appoint a nominated officer to report suspicious activity to the National Crime Agency â— devote enough resources to deal with money laundering and terrorist financing.  Responsibilities  2.3 Senior managers are responsible for making sure that the business has carried out a risk assessment for its business and has policies, controls and procedures to help reduce the risk that criminals may exploit the business for financial crime. Your policies controls and procedures must address the level of risk that the business may encounter in different circumstances.  2.4 You must also take account of the size and nature of your business and put in place additional measures to ensure your policies, controls and procedures are being complied with throughout your organisation including subsidiaries, branches and agents.  Actions required  Senior managers must:  ◠carry out a risk assessment identifying where your business is vulnerable to money laundering and terrorist financing â— prepare, maintain and approve a written policy statement, controls and procedures to show how the business will manage the risks of money laundering and terrorist financing identified in risk assessments â— review and update the policies, controls and procedures to reflect changes to the risk faced by the business â— make sure there are enough trained people equipped to implement policies adequately, including systems in place to support them â— make sure that the policies, controls and procedures are communicated to and applies to subsidiaries or branches in or outside the UK â— monitor effectiveness of the business’s policy, controls and procedures and make improvements where required â— have systems to identify when you are transacting with high risk third countries identified by the EU or financial sanctions targets advised by Office of Financial Sanctions Implementation and take additional measures to manage and lessen the risk  Risk assessment  2.5 Your risk assessment is how you identify the risks your business is exposed to. You must be able to understand all the ways that your business could be exposed to money laundering and terrorism financing risks, and design systems to deal with them.  2.6 You must:  ◠identify and monitor the risks of money laundering and terrorist financing that are relevant to your business - in other words, your business’s risk assessment â— take note of information on risk and emerging trends from the National Risk Assessment and HMRCs risk assessment and amend your procedures as necessary â— assess, and keep under regular review, the risks posed by your: â—‹ customers and any underlying beneficial owners (see sector guidance on customer due diligence on who is the beneficial owner) ○ services â—‹ financing methods ○ delivery channels, for example cash over the counter, wire transfer or cheque ○ geographical areas of operation, including sending money to, from or through high risk third countries, for example countries identified by the EU or Financial Action Task Force (FATF) as having deficient systems to prevent money laundering or terrorist financing  2.7 Your risk assessment must be in writing and kept up to date. You must give it to HMRC if we ask for it.  In some limited circumstances we may tell you that you do not need to keep a record of your risk assessment, for example a sole practitioner with no employees with a small number of well-established clients and where the money laundering and terrorist financing risk are understood. Contact HMRC if you think this applies to you.  3. Policy, controls and procedures  Policy statement  3.1 Your policy statement must lay out your policy, controls and procedures and how you and other senior managers will manage the business’s exposure to risk. It must make clear how you’ll lessen the risks identified in your risk assessment to prevent money laundering and terrorist financing and take account of any additional risk due to the size and nature of your business.  3.2 Policies, controls and procedures must be in writing and be communicated throughout your organisation to staff, branches and subsidiaries in and outside the UK. You must regularly review and update these policies controls and procedures and maintain a written record of when you do so.  Controls and procedures  3.3 Senior managers must put in place appropriate controls and procedures to reflect the degree of risk associated with the business and its customers.  3.4 You must take into account situations that, by their nature, can present a higher risk of money laundering or terrorist financing, and take enhanced measures to address them. The specific measures depend on the type of customer, business relationship, jurisdiction, product or transaction, especially large or complex transactions or unusual patterns of activity that have no apparent economic or lawful purpose.  Minimum requirements  You must also show how you will:  ◠Carry out customer due diligence checks and ongoing monitoring â— identify when a customer or beneficial owner is a politically exposed person or a family member or close associate of one and do enhanced due diligence ◠appoint a nominated officer to receive reports of suspicious activity from staff and make suspicious activity reports to the National Crime Agency ◠make sure the staff are trained to recognise money laundering and terrorist financing risks and understand what they should do to manage these, including the importance of reporting suspicious activity to the nominated officer â— maintain accurate, up-to-date record keeping and retention of records  Actions required  The following actions are also required and must be kept under regular review:  ◠ensure customer identification and acceptance procedures reflect the risk characteristics of customers â— take further measures for higher risk situations such as approving transactions with politically exposed persons â— ensure low risk situations are assessed and records retained to justify your assessment â— ensure arrangements for monitoring systems and controls are robust, and reflect the risk characteristics of customers and the business â— carry out regular assessments of your systems and internal controls to make sure they are working â— ensure staff training is appropriate to the individual and kept up to date and content regularly reviewed â— ensure staff know the names of the nominated officer and any deputy  Where you spot any weakness, you should document it and record the action taken to put the problem right.  3.5 The policy of a larger, or more complex business, must include:  ◠the appointment of a senior staff member who has responsibility for monitoring the effectiveness of and compliance with the policy, controls and procedures, including regular reviews to learn from experience ◠individual staff responsibilities under the Regulations ◠the process for reviewing and updating the business’s policies, controls and procedures ◠the process for auditing the business’s compliance with its policies, controls and procedures  Making relevant appointments within your business You must inform HMRC of the names of the compliance and nominated officers within 14 days of the appointment and if there is a change in the post holder.  Appointing a nominated officer for the business  3.6 You must appoint a nominated officer, from within your business, to receive reports of suspicious activity from staff and decide whether to report them to the National Crime Agency. You should also appoint a deputy to act in the absence of the nominated officer. If you're a sole trader with no employees you’ll be the nominated officer by default, and must report suspicious activity to the National Crime Agency.  3.7 The nominated officer should be at an appropriate level of seniority in your business to make decisions on transactions.   3.8 You should make sure that your staff know the name of the nominated officer and receive training on when and how to report their suspicions to the nominated officer (see reporting suspicious activity). HMRC expects the nominated officer to be based in the UK. Appointing a compliance officer for larger, more complex businesses  3.9 You should consider whether the size and nature of your business means that you must appoint a compliance officer to ensure your compliance with the Regulations. You should take into account your risk assessment and exposure to money laundering and terrorist financing risk, the number of employees, number of premises, agent network, geographical area you operate in, type of customers, and the complexity of the business.  3.10 HMRC would not expect you to appoint a compliance officer where you are a sole trader where you carry out regulated activity from one premises, have no more than two or three staff and run an uncomplicated business model or organisation.  Businesses with, for example, more premises, use branches or agents, high turnover of customers, non-local or cross border trading and complex ways to deliver services will need a compliance officer. This is so that the business can ensure that, for example, training, record keeping and compliance requirements are observed and consistent throughout the organisation.  3.11 Businesses with, for example, more premises, several branches, high turnover of customers, non-local or cross border trading and complex ways to deliver services will need a compliance officer.  3.12 Where a compliance officer is needed the business must:  ◠appoint a person from the board of directors, its equivalent or senior management, to act as a compliance officer. â— screen relevant employees when appointed and during the course of the appointment to ensure they have the ability to carry out their functions and are of good conduct and integrity   The compliance officer will be responsible for the business’s compliance with the regulations including: â— carrying out regular audit on compliance with the regulations such as: â—‹ actively check adherence to the policies, controls and procedures ○ review of how effective they are ○ recommend and carry out improvements â— ensure compliance throughout the business including subsidiaries and branches â— oversight of relevant staff screening  3.13 Relevant staff are persons involved in the identification of risk, controls and procedures to reduce risk and your compliance with the Regulations.  3.14 It is recommended that the compliance officer and nominated officer should not be the same person. This is because the responsibilities differ. The compliance officer needs to be at a senior management level and needs to review how the business carries out its obligations, including the reporting of suspicious activity. However, in some businesses, it may not be practical to have two individuals carrying out these functions and a compliance officer may have to act in the role of a nominated officer.  3.15 Given the importance of this role businesses may need to appoint a deputy compliance officer.  3.16 HMRC expects the compliance officer and nominated officers to be based in the UK.    3.17 Where a business is part of a group of companies an individual can carry out these roles for other parts of the group. If each subsidiary has their own compliance officer then one person should have oversight of this.  Personal liability of officers  3.18 You’ll be committing a crime if you don't comply with the Regulations. You may incur an unlimited fine and/or a prison term of up to 2 years if:  ◠you agree to, or are involved in committing a crime ◠a crime is committed because of your neglect.  Managing group subsidiaries and branches  3.19 A parent company must apply its policies, controls and procedures in all subsidiaries or branches, in or outside the UK. You must regularly review and update these policies, controls and procedures and keep a written record of when you do this.  3.20 This will involve:  ◠putting in place controls for data protection and information sharing to prevent money laundering and terrorist financing â— share information on risk within the corporate group â— ensure subsidiaries or branches in EU member states are complying with the requirements of that country â— ensure subsidiaries or branches in a third country that does not impose money laundering requirements are following similar measures to the UK.  3.21 Where a third country does not allow similar measures you must put in place extra controls to deal with this risk and inform HMRC.  Risk-based approach  3.22 A risk-based approach is where you assess the risks that your business may be used for money laundering or terrorist financing, and put in place appropriate measures to manage and lessen those risks.  3.23 Several features of the high value dealer sector make it attractive to criminals, such as the anonymity of cash, the one off nature of many transactions and the ease of carrying high value goods across borders.  3.24 A risk-based approach should balance the costs to your business and customers with a realistic assessment of the risk that your business may be exploited for the purpose of money laundering and terrorist financing. It allows you to focus your efforts on the most important areas and reduce unnecessary burdens. Risks your business may face  3.25 Assessing your business’s risk profile will help you understand the risks to your business and how they may change over time, or in response to the steps you take. This will help you design the right systems that will spot suspicious activity, and ensure that staff are aware of what sort of money laundering activities they are likely to encounter.  3.26 The risk profile depends on the nature of the business, branch network, the areas it operates in, who your customers are, where they are from and the vulnerability of your services or transactions to financial exploitation.  3.27 For each of these areas you should consider how they could be exposed, for example through the following questions. This generalised list is not exhaustive and will depend on individual business circumstances. (See Chapter 8 on risk indicators for high value dealers) Managing a branch network  3.28 If you manage a branch network these are some of the questions to consider to help inform your risk assessment:  ◠how will you apply risk management procedures to a network of branches ◠how will you manage and maintain records, what type of records ◠if you selected a number of customer files at random, would they all have a risk assessment and adequate customer due diligence for the customers and beneficial owners and will ongoing monitoring support the original assessment â— if you have applied simplified due diligence will the records show evidence for treating the customer as low risk â— do you have a system that will pick up where individuals, departments or branches are not implementing risk management procedures ◠could you demonstrate that all staff have been trained on the Regulations and the business’s   procedures, and given ongoing training on recognising and dealing with suspicious transactions ◠if asked, will staff know who the nominated officer is, what the firm’s policies are and where they can be found.  Customers  3.29 These are some of the questions to consider to help inform your risk assessment in relation to your customers:  ◠how does the way the customer comes to the business affect the risk for ○ non face-to-face customers ○ occasional transactions, as opposed to ongoing business â—‹ does the pattern of behaviour, or changes to it, pose a risk ◠are customers companies, partnerships, or trusts ◠do you undertake business in areas with a highly transient population ◠is the customer base stable or does it have a high turnover ◠do you act for international customers or customers you don’t meet ◠do you accept business from abroad, particularly those based in, or have beneficial owners in tax havens, or countries with high levels of corruption, (Transparency International corruption perception index) or where terrorist organisations operate ◠do you act for entities that have a complex ownership structure or a cross border element ◠do you accept payments that are made to or received from third parties ◠which customers should be looked at more carefully â—‹ customers carrying out very large, one-off cash transactions ○ customers that are not local to the business ○ overseas customers or from a high risk third country identified by the EU and FATF â—‹ individuals in public positions and/or locations that carry a higher exposure to the possibility of corruption, including politically exposed persons (see sector guidance on politically exposed persons) ○ complex business ownership structures with the potential for concealing beneficiaries.  3.30 When designing systems to identify and deal with suspicious activity, here are some warning signs of potentially suspicious activity that your systems should be capable of picking up and flagging for attention. Again, this is not an exhaustive list, and these signs aren’t always suspicious. It depends on the circumstances of each case.  New customers  3.31 These are some of the questions to consider in deciding risk and whether or not to submit a suspicious activity report when you take on new customers:  ◠checking the customer’s identity is difficult ◠the customer is reluctant to provide details of their identity or provides fake documents ◠the customer is trying to use intermediaries to protect their identity or hide their involvement ◠no apparent reason for using your business's services - for example, another business is better placed to handle the transaction ◠part or full settlement in cash or foreign currency, with weak reasons ◠they, or associates, are subject to, for example, adverse media attention, have been disqualified as directors or have convictions for dishonesty.  Regular and existing customers  3.32 These are some of the questions to consider when deciding risk and whether or not to submit a suspicious activity report in relation to your regular and existing customers:  ◠the transaction is different from the normal business of the customer ◠the size and frequency of the transaction is different from the customer’s normal pattern ◠the pattern has changed since the business relationship was established ◠there has been a significant or unexpected improvement in the customer’s financial position and the customer can't give a proper explanation of where money came from.  Transactions  3.33 These are some of the questions to consider when deciding risk and whether or not to submit a suspicious activity report in relation to the transactions you carry out:  ◠a third party, apparently unconnected with the customer, bears the costs, or otherwise pays the transaction costs ◠an unusually big cash or foreign currency transaction ◠the customer won’t disclose the source of the funds ◠unusual involvement of third parties, or large payments from private funds, particularly where the customer appears to have a low income ◠unusual source of funds.  Controls and procedures to put in place  3.34 Once you’ve identified and assessed the risks and warning signs, you must ensure that you put in place appropriate controls and procedures to reduce them. They’ll help to decide the level of due diligence to apply to each customer and beneficial owner. It's likely that there will be a standard level of due diligence that will apply to most customers, based on your business’s risk assessment.  3.35 Procedures should be easily accessible to staff and detailed enough to allow staff to understand and follow them easily. They should set out:  ◠the types of customers and transactions that you consider to be lower risk and those that qualify for simplified due diligence and those that are higher risk and merit closer scrutiny ◠how to do customer due diligence, the identification requirements for customers and beneficial owners and how to do enhanced due diligence on higher risk customers ◠any other patterns or activities that may signal that money laundering or terrorist financing is a real risk ◠how to keep records, where and how long they should be kept ◠how to conduct ongoing monitoring of transactions and customers ◠clear staff responsibilities and the name and role of the nominated officer ◠how policies and procedures will be reviewed ◠how to report suspicious activity to the nominated officer, and how the nominated officer should make a report to the National Crime Agency.  3.36 Examples of risk-based controls could include:  ◠introducing a customer identification and verification programme that varies depending on the assessed level of risk ◠requiring additional customer identity evidence in higher risk situations ◠reviewing low risk customers and applying more due diligence where changes are apparent â— varying the level of monitoring of customer transactions and activities depending on the assessed level of risk or activities that might be unusual or suspicious.  3.37 This list is not exhaustive. You could also have other risk-based controls depending on the circumstances of your business.  3.38 Identifying a customer or transaction as high risk does not automatically mean that they’re involved in money laundering or terrorist financing. Similarly, identifying a customer or transaction as low risk does not mean that they’re not involved in money laundering or terrorist financing. Effectiveness of the controls  3.39 Managing the money laundering and terrorist financing risks to your business is an ongoing process, not a one-off exercise.  3.40 You must document the risk assessment procedures and controls, such as internal compliance audits, as this helps to keep them under regular review. You should have a process for monitoring whether they are working effectively, and how to improve them, for example to reflect changes in the business environment, such as new product types or business models. 4. Customer due diligence  Core obligations  You must: ◠complete customer due diligence on all customers before entering into a business relationship or occasional transaction â— have procedures to identify those who can’t produce standard documents, for example, a person not able to manage their own affairs â— identify and verify a person acting on behalf of a customer and verify that they have authority to act ◠apply enhanced due diligence to take account of the greater potential for money laundering in higher risk cases, including in respect of politically exposed persons and when the customer is not physically present when being identified ◠apply customer due diligence, when you become aware that the circumstances of an existing customer relevant to their risk assessment has changed â— not deal with certain persons or entities if you cannot do customer due diligence and consider making a suspicious activity report â— have a system for keeping copies of customer due diligence and supporting records and to keep the information up to date.  The customer  4.1   The Regulations bring into scope a business who pays cash for goods in addition to a business          who receives cash for goods  4.2    For the purposes of the Regulations, the customer is the person you are selling goods to or                buying goods from. This means that you must:  ◠carry out due diligence on an individual or business buying goods from you for cash, i.e. your customer â— carry out due diligence on the individual or business you’re buying goods from and paying the cash to.  4.3    For example, a supplier of wholesale alcohol must carry out customer due diligence on the person  it is supplying the alcohol to. If the buyer is in business, then the buyer must carry out customer due diligence on the supplier, as if the supplier is a customer.  Any reference to a customer is to include any person you are required to carry out customer due diligence on.  It will also be the person or persons that the business establishes a business relationship with or the person that they carry out a transaction for.  4.4    You must check that customer is who they say they are. This is often referred to as ’know your customer’, or exercising customer due diligence. You must do customer due diligence on all customers, even if you knew them before they became your customers. This is because you must be able to show that you have verified the identity of all of your customers.   4.5   You must undertake customer due diligence when:   ◠establishing a business relationship with a customer ◠carrying out an occasional transaction with a customer valued at €10,000 or more â— a business makes a high value payment to a supplier â— you suspect money laundering or terrorist financing ◠you suspect that information obtained for due diligence checks on a customer is not reliable or adequate.    4.6     Customer due diligence means:  ◠identifying customers and verifying their identity (more details below) ◠identifying the supplier and verifying their identity â— identifying all beneficial owners, where applicable, and taking reasonable measures to verify their identity to satisfy yourself that you know who they are â— obtaining information on the purpose and intended nature of the business relationship  ◠conducting ongoing monitoring of the business relationship, to ensure transactions are consistent with what the business knows about the customer, and the risk profile â— retain records of these checks and update them when there are changes  4.7    If you are making a high value payment for goods by way of business, you will need to perform customer due diligence on the person receiving it. This might also include checking they are registered with HMRC to receive high value payments.  4.8    HMRC recommend it is good practice to perform customer due diligence if you give out your bank details to customers. This is in case your customers choose to deposit cash into your account when they originally told you they would pay by bank transfer. You may wish to raise a suspicious activity report in these circumstances.  Extent of customer due diligence  4.9    The extent of customer due diligence measures depends on the degree of risk. It depends on the type of customer, business relationship, product or transaction and any geographical risk.  4.10 It goes beyond simply carrying out identity checks to understanding who you’re dealing with. This is because even people you already know may well become involved in illegal activity at some time, for example where their personal circumstances change or they face some new financial pressure. Your due diligence measures should reduce the risk of this and the opportunities for staff to be corrupted.  4.11 This means that you’ll need to consider the level of identification, verification and ongoing monitoring that’s needed depending on the risks you assessed. You should be able to show that the extent of these procedures is appropriate when asked to do so.   Timing of customer due diligence   4.12 The customer's identity and where applicable the identity of a beneficial owner, must be verified before entering into a business relationship or occasional transaction.   4.13 You can make an exception to this practice only if both the following apply:    ◠it’s necessary not to interrupt the normal conduct of business â— there’s little risk of money laundering or terrorist financing.  4.14 However, this exception is very limited as the verification must still be completed by the time the business relationship is entered into. Not does this exception mean that you can use it where it is hard to identify a customer’s or beneficial owner’s identity.  To use this exception, a business will have to explain in its risk assessment why it considers the business relationship or transaction has little risk of money laundering or terrorist financing.   Non-compliance with customer due diligence  4.15 If you can’t comply with the customer due diligence measures, you must not:    ◠carry out a transaction with or for the customer ◠establish a business relationship or carry out an occasional transaction with the customer  4.16 You must:   ◠terminate any existing business relationship with the customer ◠consider whether to make a suspicious activity report  Business relationship   4.17 A business relationship is a business, professional or commercial relationship between a business and a customer, which the business expects, on establishing the contact, to have an element of duration. For example, a business relationship for a business exists where:  ◠another business is your customer ◠you set up a customer account ◠there's a contract to provide regular services ◠you give preferential rates to repeat customers ◠any other arrangement facilitates an ongoing business relationship or repeat custom, such as providing a unique customer identification number for the customer to use  Ongoing monitoring of a business relationship  4.18 You must continue to monitor a business relationship after it is established. This means you must monitor transactions, and where necessary the source of funds, to ensure they are consistent with what you know about the customer and the customer’s business and risk profile.  4.19 You must also keep the information you collect for this purpose up-to-date. It should be checked periodically and expired documents replaced with copies of newly issued documents.  Occasional transactions  4.20 An occasional transaction is a transaction of €10,000 or more (or the sterling equivalent) that’s not part of an ongoing business relationship. It also applies to a transaction totalling €10,000 or more, where the transaction appears to be broken down into several, linked operations to be below €10,000.  The value of the transaction here means the gross value of the goods in the transaction.  4.21 Linked operations may be several transactions by the same customer for goods such as purchasing £5,000 of alcohol several times over a short period. You must have procedures in place to detect this. Because linked operations are higher risk you will need to perform enhanced due diligence on the customer making them. You should also report any suspicious activity you detect, in accordance with your policy.  4.22 HMRC considers multiple cash payments against a single invoice, which together exceed the €10,000 threshold to be linked operations, regardless of how long it takes to make this payment. For example, if a customer pays monthly instalments of £1,000 for two years in cash against the cost of a car.   Politically exposed persons   4.23 Politically exposed persons are persons that are entrusted with prominent public functions, held in the UK or abroad.  The definition does not include:   middle ranking or more junior officials (However, your risk assessment should consider whether they may be representing someone who is a politically exposed person) ï‚· persons who were not a politically exposed person under the 2007 regulations where they ceased in office prior to 26 June 2017, such as former MPs or UK Ambassadors  In the UK, public servants below Permanent or Deputy Permanent Secretary will not normally be treated as having a prominent public function.   4.24 Politically exposed persons include::  heads of state, heads of government, ministers and deputy or assistant ministers  members of parliament or similar legislative bodies  includes regional governments in federalised systems and devolved administrations, including the Scottish Executive and Welsh Assembly, where such bodies have some form of executive decision-making powers. does not include local government in the UK but it may, where higher risks are assessed, be appropriate to do so in other countries.  members of the governing bodies of political parties  member of a governing body will generally only apply to the national governing bodies where a member has significant executive power (e.g. over the selection of candidates or distribution of significant party funds). political parties who have some representation in a national or supranational Parliament or similar legislative body.  members of supreme courts, of constitutional courts or of any judicial body the decisions of which are not subject to further appeal except in exceptional circumstances  in the UK: ï‚· this includes judges of the Supreme Court ï‚· does not include any other member of the judiciary   members of courts of auditors or boards of central banks  ambassadors, and high ranking officers in the armed forces  where persons holding these offices on behalf of the UK government are at Permanent Secretary or Deputy Permanent Secretary level, or hold the equivalent military rank e.g. Vice Admiral, Lieutenant General or Air Marshal   members of the administrative, management or supervisory bodies of state owned enterprises this only applies to for profit enterprises where the state has ownership of greater than 50% or   4.25 The definition includes family members such as spouse, partners, children (and their spouse or partner) brother, sisters and parents and known close associates.  4.26 Close associates are persons who have:  ◠joint legal ownership, with a politically exposed person, of a legal entity or arrangement â— any other close business relationship with a politically exposed person â— sole beneficial ownership of a legal entity or arrangement set up for the benefit of a politically exposed person.  Beneficial owners    4.27 Beneficial owners are individuals who ultimately own or control the customer, or on whose behalf a transaction or activity takes place.   Examples of beneficial owners may include:   ◠the business that is purchasing goods from you through their employee â— a business that purchases goods on behalf of another business that sells them â— a person that is using another person to shield them from coming into contact with you    4.28 For a corporate body, apart from one whose securities are listed on the regulated market, a beneficial owner is any individual who:  ◠owns or controls over 25% of the shares or voting rights ◠ultimately owns or controls whether directly or indirectly including bearer shares holdings or other means, more than 25% share or voting rights in the business â— exercises ultimate control over the management â— controls the corporate body  4.29 As well as companies incorporated under the Companies Acts, limited liability partnerships  where information reasonably available points to the state having control over the activities of such enterprises  directors, deputy directors and members of the board, or equivalent of an international organisation.  includes international public organisations such as the UN and NATO. does not include international sporting federations.  industrial & provident societies and some charities (often companies limited by guarantee or incorporated by an Act of Parliament or Royal Charter) are corporate bodies.  4.30 For a partnership, a beneficial owner is any individual who:  ◠owns more than 25% of the capital or profits of the partnership ◠more than 25% of the voting rights in the partnership â— exercises ultimate control over the management.    4.31 For a trust, a beneficial owner includes:   ◠the settlor â— the trustees â— the beneficiaries or the individuals who benefit from the trust and in whose main interest the trust is set up â— individuals who exercise control over the trust  For a foundation or other legal arrangement similar to a trust the beneficial owner includes the individuals with similar positions to a trust.  4.32 For other legal entities, or arrangements that administer or distribute funds, a beneficial owner includes:    ◠individuals who benefit from the entity’s property â— where beneficiaries have not been established, the class of persons in whose main interest the entity or arrangement is set up or operates â— any individual who exercises control over the property     4.33 For the estate of a deceased person in the course of administration, a beneficial owner means:    ◠the executor (original or by representation) or administrator for the time being of a deceased person in England, Wales or Northern Ireland ◠the executor for the purposes of the Executors (Scotland Act) 1900 in Scotland      A beneficial owner in any other case is the individual who ultimately owns or controls the entity or on whose behalf a transaction is being conducted.   Extent of customer due diligence measures   4.34 The extent of customer due diligence measures depends on the degree of risk. It depends on the type of customer, business relationship, product or transaction.  4.35 It goes beyond simply carrying out identity checks to understanding who you’re dealing with. This is because even people you already know well may become involved in illegal activity at some time, for example if their personal circumstances change or they face some new financial pressure. Your due diligence measures should reduce the risk of this, and the opportunities for staff to be corrupted.  4.36 This means that you must consider the level of identification, verification and ongoing monitoring that’s necessary, depending on the risk you assessed. You should be able to demonstrate that the extent of these procedures is appropriate when asked to do so.    Simplified due diligence    4.37 Your business may apply a simplified form of due diligence in some cases.  Simplified due diligence is where the business relationship or transaction is considered low risk in terms of money laundering or terrorist financing. It can apply to any person you assess as low risk with some exceptions.  4.38 You will have to risk assess the customer to establish that they are low risk.   4.39 This does not mean you do not have to do customer due diligence, and you are still required to verify customer and beneficial owner identity, but you can change when it is done, how much you do, or the type of measures you take to identify and verify a person. For example:   verifying the customer or beneficial owners identity: o during the establishment of a business relationship or o within a reasonable time, which HMRC would expect to normally be no more than 14 days from the start of the business relationship or transaction (this does not mean exemption from customer due diligence and any delay to customer due diligence must not be prohibited by any other legal requirement you are subject to) ï‚· if applicable verify the identity when transactions exceed a reasonably low level ï‚· use one document to verify identity  use information you have to determine the nature or purpose of a business relationship without requiring further information, for example, if your customer is a pension scheme you can assume what the purpose is ï‚· adjust the frequency of transaction monitoring such as checks triggered when a reasonable threshold is reached ï‚· adjust the frequency of customer due diligence reviews, for example, to when a change occurs  If verification is not immediate your system must be able to pick up on these cases so that verification of identity takes place.  4.40 To apply simplified due diligence you need to ensure that:   ◠your decision is supported by your customer risk assessment   ◠enhanced due diligence does not apply â— you monitor the business relationship or transactions to ensure that there is nothing unusual or suspicious â— it is not prevented by information on risk provided by HMRC or any other authority â— the customer is not from a high risk third country identified by the EU ◠the customer is not a politically exposed person, or a family member or known close associate of one â— the customer is seen face to face â— the source of funds or wealth are transparent and understood by your business â— where the customer is not an individual, that there is no beneficial ownership beyond that legal entity.    4.41 To decide whether a customer is suitable for simplified due diligence you should consider among other factors the type of customer, the underlying product or service and the geographical factors, in your risk assessment.  One factor, on its own, should not be taken to indicate low risk.  4.42 Type of customer, whether it is:   ◠a public authority or publicly owned body in the UK ◠a financial institution that is itself subject to anti money laundering supervision or equivalent regulation in another country â— a listed company that is subject to disclosure provisions ◠beneficial owners of pooled accounts held by a notary or independent legal professional, provided information on the identity of the beneficial owners is available upon request ◠the customer is a European Community institution   4.43 The underlying types of transaction it may apply to:  ◠low risk goods that cannot be resold easily     4.44 Geographical factors which may apply are where the customer is:  ◠resident or established in another EU state â— situated outside the EU in a country: o subject to equivalent anti money laundering measures o with a low level of corruption or terrorism o has been assessed by organisations such as Financial Action Task Force (FATF) and the World Bank as having in place effective anti-money laundering measures.    4.45 You must consider all of the factors, for example a customer from another EU state is not automatically low risk simply because they are from the EU. All of the information you have on a customer must indicate a lower risk.  4.46 You’ll need to record evidence, as part of your risk assessment, that a customer or service provided is eligible for simplified due diligence. You’ll also need to conduct ongoing monitoring in line with your risk assessment to ensure that the circumstances on which you based your original assessment have not changed.  4.47 Where a person says that they are representing a customer who may be low risk you should check that they have the authority to act for them or are an employee.  4.48 You should not automatically assume that a customer is low risk to avoid doing an appropriate level of customer due diligence. Persons or businesses well established in the community or persons of professional standing or who you have known for some time, may merit being categorised as low risk but you still must have evidence to base this decision on.  4.49 A business or person who has strong links to the community, is well established with a clear history, is credible and open, does not have a complex company structure, where the source of funds are transparent and where there are no other indicators of higher risk may be suitable, subject to your risk assessment, for simplified due diligence. Your decisions may be tested on the basis of the evidence that your business holds.  4.50 You must not continue with simplified due diligence if you:  ◠suspect money laundering or terrorist financing â— doubt whether documents obtained for identification are genuine  ◠circumstances change and your risk assessment no longer considers the customer, transactions or location as low risk.   Enhanced due diligence    4.51 ‘Enhanced due diligence’ applies in situations that are high risk, taking additional measures to identify and verify the customer and source of funds and doing additional ongoing monitoring.  4.52 You must do this when:   ◠you have identified in your risk assessment that there is a high risk of money laundering or terrorist financing â— HMRC or other supervisor or law enforcement authority provide information that a particular situation is high risk â— a customer or other party is from a high risk third country identified by the EU â— a person has given you false or stolen documents to identify themselves (consider making a suspicious activity report) â— a customer is a politically exposed person, an immediate family member or a close associate of a politically exposed person ◠the transaction is complex or unusually large and has no apparent legal or economic purpose  4.53 A branch or subsidiary of an EU entity located in a high risk third country who fully complies with the parents’ anti money laundering policies and procedures and where the parent is supervised under the 4th Directive may not be subject to enhanced due diligence if your risk assessment finds it is not high risk.  4.54 You should consider a number of factors in your risk assessment when deciding if enhanced due diligence needs to be applied. The following are some examples of things to take account of.  4.55 Customer factors based on information you have or behaviours indicating higher risk, such as: â— unusual aspects of a business relationship â— a person is resident in a high risk area â— use of a legal person or arrangement used to hold personal assets â— a company with nominee shareholders or share in bearer form â— a person or business that has an abundance of cash â— an unusual or complex company structure given the nature of the type of business â— searches on a person or associates show, for example, adverse media attention, disqualification as a director or convictions for dishonesty.  4.56 How the transaction is paid for or specific requests to do things in a certain way may indicate higher risk, for example:  ◠Use of private banking â— anonymity is preferred â— a person is not physically present ◠payment from third parties with no obvious association â— the service involves nominee directors, nominee shareholders or shadow directors, or a company formation is in a third country  4.57 Geographical factors indicating higher risk:  ◠Countries identified by a credible source as: o not subject to equivalent anti money laundering or counter terrorist measures o with a significant level of corruption, terrorism or supply of illicit drugs o subject to sanctions or embargoes issued by EU or UN o providing funding or support for terrorism o having organisations designated as “proscribed†by the UK o having terrorist organisations designated by the EU, other countries and international organisations â— has been assessed by organisations such as FATF, World Bank, Organisation for Economic Co-operation and Development and the International Monetary fund as not implementing requirements to counter money laundering and terrorist financing that are consistent with the FATF recommendations.   Additional measures to take  4.58 If enhanced due diligence is appropriate, then you must do more to verify identity and scrutinise the background and nature of the transactions, for example:   ◠obtain additional information or evidence to establish the identity ◠take additional measures to verify the documents supplied, or require certification or validation by a bank, financial institution, lawyer or notary ◠take more steps to understand the history, ownership, and financial situation of the parties to the transaction â— establish the source of wealth and source of funds ◠carry out more scrutiny of the business relationship and satisfy yourself that it is consistent with the stated purpose.  4.59 A certified document should have:  ◠a statement that the document is “Certified to be a true copy of the original seen by me†and where appropriate, “This is a true likeness of the person†◠an official stamp of the person certifying â— signed and dated with a printed name â— occupation, address and telephone number.  Politically exposed person risk  4.60 You must always apply enhanced due diligence on politically exposed persons, their family members or a known close associate of one. You must have appropriate risk management systems and procedures in place to determine whether a customer is a politically exposed person or a family member or known close associate of one. You should take account of:   your own assessment of the risks faced by your business in relation to politically exposed persons ï‚· a case by case assessment of the risk posed by a relationship with a politically exposed person ï‚· any information provided through the National Risk Assessment or HMRC  4.61 Information is available in the public domain that will help you to identify politically exposed persons. You can make use of a number of sources, for example:   news agencies and sources ï‚· government and parliament websites ï‚· Electoral Commission: http://search.electoralcommission.org.uk/ ï‚· Companies House Persons of Significant Control: https://beta.companieshouse.gov.uk/  Transparency International: https://www.transparency.org/ ï‚· Global Witness: https://www.globalwitness.org/en-gb/campaigns/oil-gas-andmining/myanmarjade/  You are not required to, but you may decide to use a commercial provider. 4.62 If a customer is a politically exposed person, family member or known close associate of one, then you must put in place the following enhanced due diligence measures:  ◠obtain senior management approval before establishing a business relationship with that person ◠take adequate steps to establish the source of wealth and source of funds that are involved in the proposed business relationship or transaction â— conduct enhanced ongoing monitoring where you’ve entered into a business relationship  More frequent and thorough measures should be taken if the politically exposed person is higher risk.  4.63 You must continue to apply enhanced due diligence when the politically exposed person has left the function or position and for a further period of at least 12 months. Any extension over 12 months will normally only apply to a politically exposed person you have assessed as higher risk. For family members and close associates the obligation to apply enhanced due diligence stops as soon as the politically exposed person no longer holds the office unless there are other reasons for treating them as higher risk. 4.64 You must assess, in each case, the level of risk that the politically exposed person presents and apply an appropriate level of enhanced due diligence.   4.65 A politically exposed person who has a prominent public function in the UK should be treated as lower risk unless other factors in your risk assessment indicate a higher risk. The same treatment should be applied to family members or close associates of lower risk UK politically exposed persons.  4.66 The level of risk of a politically exposed person may vary depending on where they are from and the public accountability they are subject to. The following are examples only.  4.67 A lower risk politically exposed person may be one who holds office in a country with traits such as:  ◠low levels of corruption â— political stability and free and fair elections â— strong state institutions where accountability is normal â— credible anti-money laundering measures â— a free press with a track record for probing official misconduct â— an independent judiciary and a criminal justice system free from political interference â— a track record for investigating political corruption and taking action against wrongdoers â— strong traditions of audit within the public sector â— legal protections for whistle blowers â— well-developed registries for ownership of land, companies and equities  4.68 A politically exposed person may be a lower risk if they, for example:  ◠are subject to rigorous disclosure requirements such as registers of interests or independent oversight of expenses â— do not have decision making responsibility such as a government MP with no ministerial responsibility or an opposition MP  4.69 A high risk politically exposed person may be from, or connected to, a country viewed as having a higher risk of corruption that may have with traits such as:  ◠high levels of corruption â— political instability â— weak state institutions â— weak anti-money laundering measures â— armed conflict â— non-democratic forms of government â— widespread organised criminality or illicit drug supply â— a political economy dominated by a small number of people or entities with close links to the state â— lacking a free press and where legal or other measures constrain journalistic investigation â— a criminal justice system vulnerable to political interference â— lacking expertise and skills related to book-keeping, accountancy and audit, particularly in the public sector â— law and culture hostile to the interests of whistle blowers â— weaknesses in the transparency of registries of ownership for companies, land and equities â— human rights abuses  4.70 A high risk politically exposed person may show characteristics such as:  ◠lifestyle or wealth does not match what you know of their income source â— credible allegations of financial misconduct have been made in relation to bribery or dishonesty â— there is evidence they have sought to hide the nature of their financial situation â— has responsibility for or can influence the awarding of large procurement contract where the process lacks transparency â— has responsibility for or can influence the allocation of government grant of licenses such as energy, mining or permission for major construction projects  4.71 A family member or close associate of a politically exposed person may pose a lower risk if they:  ◠are related or associated with a politically exposed person who poses a lower risk; â— are related or associated with a politically exposed person who is no longer in office â— are under 18 years of age.  4.72 The family and close associates of a politically exposed person may pose a higher risk if they have: â— wealth derived from the granting of government licences or contracts such as energy, mining or permission for major construction projects ◠wealth derived from preferential access to the privatisation of former state assets â— wealth derived from commerce in industry sectors associated with high-barriers to entry or a lack of competition, particularly where these barriers stem from law, regulation or other government policy â— wealth or lifestyle inconsistent with known legitimate sources of income or wealth â— subject to credible allegations of financial misconduct made in relation to bribery or dishonesty â— an appointment to a public office that appears inconsistent with personal merit.  Where you have assessed a politically exposed person as a higher risk it may be appropriate to consider a wider circle of family members, such as aunts or uncles, as part of your risk assessment.   4.73 You must always apply enhanced due diligence to politically exposed persons, their family members and close associates. However, where your risk assessment indicates a lower risk, the politically exposed person, family member and close associates may be subject to less scrutiny than those who present a higher risk, for example:  ◠supervision of the business relationship is at a less senior management level â— source of wealth and funds established from information you already have or publicly available information only â— ongoing monitoring is less intensive such as only when necessary to update due diligence information  4.74 You should identify when a politically exposed person is a beneficial owner of a corporate body and take appropriate measures based on your risk assessment. This does not make the legal entity or other beneficial owners politically exposed persons as well. If the politically exposed person has significant control and can use their own funds through the entity then a higher risk is indicated and enhanced due diligence may be required.  Identifying individuals  4.75 As part of your customer due diligence measures, you must identify individuals. You should obtain a private individual’s full name, date of birth and residential address as a minimum.   You should verify these using current government issued documents with the person’s full name and photo, with a date of birth or residential address such as:  ◠a valid passport ◠a valid photo card driving licence (full or provisional) ◠a national identity card   ◠a firearms certificate ◠an identity card issued by the Electoral Office for Northern Ireland    4.76 When verifying the identity of a customer using the above list of government-issued document you should take a copy and keep it in the customer’s file.  4.77 Where the customer doesn’t have one of the above documents, or the customer doesn’t meet the criteria in your risk assessment, you may wish to ask for the following:    ◠a government issued document (without a photo) which includes the customer’s full name and also secondary evidence of the customer’s address, for example an old style driving licence or recent evidence of entitlement to state or local authority funded benefit such as housing benefit, council tax benefit, pension, tax credit ◠secondary evidence of the customer’s address, not downloaded from the internet, for example a utility bill, bank, building society or credit union statement or a most recent mortgage statement     4.78 You should check the documents to satisfy yourself of the customer’s identity. This may include checking:   ◠spellings ◠validity ◠photo likeness ◠whether addresses match.  4.79 If you verify the customer’s identity by documents, you must see the originals and not accept photocopies, nor accept downloads of bills, unless certified (see “Additional measures to takeâ€) as described below:   ◠photocopied identity documents can be accepted as evidence provided that each copy document has an original certification by an appropriate person to confirm that it is a true copy and the person is who they say they are â— for standard customer due diligence an appropriate person is, for example, a bank, financial institution, solicitor or notary, independent professional person, a family doctor, chartered accountant, civil servant, or minister of religion The documents must be from a reliable source not connected to the customer.    4.80 More information on official documents and how to spot counterfeits and forgeries is published by the Home Office in their ‘Basic Guide to Forgery Awareness’ and ‘Guidance on examining identity documents.  http://www.devonaudit.gov.uk/wpcontent/uploads/downloads/2015/03/Recognising_Fraudulent_Identity_Documents_v3.pdf  The Nominated Officer, or other responsible person, should be aware of the issues within this and cascade relevant parts to staff as part of their training programme.  4.81 If a member of staff has visited an individual at their home address, a record of the visit may corroborate the individual's residential address (for the purposes of a second document). This should be covered in the risk assessment.  4.82 Where an agent, representative or any other person acts on behalf of the customer you must ensure that they are authorised to do so, identify them and verify the identity using documents from a reliable and independent source.   Electronic verification  4.83 If you verify an individual’s identity electronically, you should: â— use multiple positive information sources, such as addresses or bill payment ◠use negative sources, such as databases identifying identify fraud and deceased persons â— use data from multiple origins collected over a period of time ◠incorporate checks that assess the strength of the information supplied.   4.84 if using a service provider you should ensure that it is reliable and accurate using extensive source data. You should consider the following criteria in your selection: â— it is registered with the Information Commissioner’s Office to store personal data â— it is accredited to give identity verification services through a government, industry or trade association process that involves meeting minimum standards â— the standards it works to, or accreditation, require its information to be kept up to date â— it’s compliance with the standards are assessed ◠it uses a range positive information sources, and links a person, through other sources, to both current and previous circumstances â— it uses negative information sources, such as databases relating to identity fraud and deceased persons â— it uses a wide range of alert source, such as up to date financial sanctions information â— it has transparent processes that enable the firm to know what checks were carried out, what the results of these checks were, and what they mean in terms of how much certainty they give as to the identity of the subject. â— should be able keep records of the information used to verify identity information  4.85 You should ensure that you understand the meaning of the electronic checks results so that you can satisfy yourself that they meet an appropriate level of confirmation for the risk assessed for the customer and that you have further information to support and interpret the check.  An electronic records check establishes that an individual exists, not that your customer is that individual.  4.86 You should ensure that the checks you use show that you have identified the customer, verified the identity and that they are the individual exists and that it is, in fact, the same person that is using your services. You should therefore verify key facts, obtained from independent sources, which only the customer may know to establish who they say they are. For example testing background information like their place of birth, how long they have been resident at an address or education history.   Manual identity documents can be checked alongside electronic verification where greater risk is indicated.  4.87 An electronic records check is not always appropriate. For example, the Council for Mortgage Lenders notes that electronic verification products may not be suitable for fraud prevention purposes, such as verifying that a person's signature is genuine.   Individuals not resident in the UK  4.88 You should obtain the same types of identity documents for non UK residents as for UK residents. If you have concerns that an identity document might not be genuine, contact the relevant embassy or consulate or use the link to PRADO below.  Public Register of Authentic travel and identity Documents Online: http://www.consilium.europa.eu/prado/en/prado-start-page.html   If documents are in a foreign language, you must satisfy yourself that they do in fact provide evidence of the customer's identity. HMRC may require official translations when inspecting your customer due diligence records.  Identifying organisations as customers   4.89 For corporate entities, partnerships, trusts, charities and sole traders, you must obtain and verify identity information that is relevant to that entity. This includes:  ◠the full name of the company â— company or other registration number â— registered address and principal place of business  4.90 For private or unlisted companies you must take reasonable steps to obtain and verify: â— country of incorporation â— names of the members of management body, or if none, its equivalent and the name of the senior person responsible for the company  4.91 It will also be necessary to establish the beneficial owners of such entities, that is for private or unlisted companies, the names of all directors (or equivalent), and the names of individuals who own or control over 25% of its shares or voting rights – or the names of any individuals who otherwise exercise control over the management of the company.  4.92 You must verify the identity through reliable, independent sources that are relevant to that type of entity. For example:   ◠searching a relevant company registry ◠checking the customer is registered to make/receive high value payments â— obtaining a copy of the company's certificate of incorporation.    4.93 Where an individual claims to act on behalf of a customer, you must also obtain evidence that the individual has the authority to act for them, identify the individual and verify the identity.   Obligation of customers to provide information  4.94 Corporate bodies in the UK, who are not listed on a regulated market, have obligations to keep a register of people with significant control (a PSC register) and must provide this information when requested. When a corporate person enters into a transaction with an estate agency business you can request that they provide you with the following information:   ◠name, registered number, registered office and principal place of business â— names of the board of directors or equivalent body â— names of the senior person responsible for its operations â— the law to which it is subject â— its legal and beneficial owners â— its memorandum of association or similar documents    4.95 Guidance on the requirements to maintain PSC registers is available at: https://www.gov.uk/government/publications/guidance-to-the-people-  This information will assist in identifying beneficial owners but it will not provide you with all the information you need to verify their identity, for example, the address or date of birth of the individual.  4.96 Trustees have similar obligations to tell you that they are acting as a trustee, to identify all of the beneficial owners of the trust and any other person that may benefit.  The corporate person and trustees must notify you of any changes to the information supplied.   Beneficial owners   4.97 You must identify the existence of any beneficial owners (the section on customer due diligence gives information on who is a beneficial owner). You must verify the beneficial owner’s identity so that you are satisfied that you know who the beneficial owner is. If it is a legal person, you must take reasonable measures to understand the ownership structure.  4.98 You will not have satisfied your obligation to identify, verify and understand the structure of a beneficial ownership if you rely solely on the information contained in a register of persons with significant control.   4.99 Where a customer is incorporated and in exceptional circumstances, where you have made unsuccessful attempts, and have exhausted all ways, to identify the beneficial owner of a corporate body you may treat the most senior person managing the customer as the beneficial owner. You must keep records of all the steps you have taken to identify the beneficial owner and why they have been unsuccessful.   Reliance on third parties   4.100 You must do customer due diligence before entering into a business relationship with a customer. As high value dealers are usually approached independently to any other businesses, you are not usually able to rely on another business performing customer due diligence for you.  4.101 You can rely on the following persons to apply customer due diligence for you before entering into a business relationship with a customer:   another UK business subject to the Regulations  a business in the EEA who is subject to the 4th Money Laundering Directive ï‚· a branch or subsidiary established in a high risk third country who fully complies with an EEA parent’s procedures and policies ï‚· a business in a third country who is subject to equivalent measures.    4.102 You may not rely on a business established in a country that has been identified by the EU as a high risk third country.  The third party must agree that you will rely on them. The agreement must include arrangements to:    obtain immediately on request, copies of the due diligence information from the third party  ensure the third party retains copies of the due diligence information for five years from the date the reliance was agreed.    4.103 If you rely on a third party you’ll remain responsible for any failure to apply due diligence measures appropriately. This is particularly important when relying on a person outside the UK. It may not always be appropriate to rely on another person to undertake your due diligence checks and you should consider reliance as a risk in itself.   4.104 When you rely on a third party to undertake due diligence checks, you will still need to do your own risk assessment of the customer and the transaction and you must still carry on monitoring the business relationship.    4.105 Reliance doesn’t include accepting information from others to verify a person’s identity for your own due diligence obligations, nor electronic verification, which constitutes outsourcing a service.   4.106 You must not rely on simplified due diligence carried out by a third party or any other exceptional form of verification, such as the use of source of funds as evidence of identity.  A supplier and buyer carrying out an occasional transaction or in a business relationship together must not rely on each other.  5. Reporting suspicious activity  Core obligations  ◠Staff must raise an internal report where they know or suspect, or where there are reasonable grounds for having knowledge or suspicion, that another person is engaged in money laundering, or that a terrorist finance offence may be committed. â— The business’s nominated officer must consider all internal reports. The nominated officer must make a report to the National Crime Agency (NCA) as soon as it is practical to do so, even if no transaction takes place, if they consider that there is knowledge, suspicion or reasonable grounds for knowledge or suspicion that another person is engaged in money laundering, or financing terrorism. â— The business must consider whether it needs to seek a defence to a money laundering or terrorist financing offence (consent) from the NCA before proceeding with a suspicious transaction or entering into arrangements. â— It is a criminal offence for anyone to do or say anything that 'tips off' another person that a disclosure has been made where the tip-off is likely to prejudice any investigation that might take place.  Actions required:  ◠enquiries made in respect of internal reports must be recorded ◠the reasons why a report was, or was not, submitted should be recorded ◠keep a record of any communications to or from the NCA about a suspicious transaction report. A Suspicious activity report  5.1 This is the name given to a report sent to the NCA under the Proceeds of Crime Act or the Terrorism Act. The report identifies individuals who you, or an employee, suspect may be involved in laundering money or financing terrorism. The term suspicion is meant to be   applied in its everyday, normal sense. But if you’re still not sure of the meaning of suspicious, then the courts have said that 'it is a possibility that is more than fanciful'. 5.2 The suspicion is that the funds or property involved in the transaction is the proceeds of any crime. You don’t have to know what sort of crime they may have committed, but one or more warning signs of money laundering, which can’t be explained by the customer, will be relevant.  5.3 As a high value dealer in the regulated sector, you’re also required to make a suspicious activity report (SAR) as soon as possible after you know or suspect that money laundering or terrorist financing is happening. This means that the facts you have about the customer and the transaction would cause a reasonable professional in your position to have a suspicion. 5.                  There is guidance about submitting a SAR within the regulated sector in the How to report SARs section of the NCA website. The NCA document "Guidance on Submitting Better Quality SARs" takes you through the information you should provide and the SAR glossary codes you should use.  5.4 The NCA provide information and registration details online and the NCA prefers this method. The system doesn’t retain a file copy for your use, so you may wish to keep a copy of your report but this must be securely kept. This system lets you:  ◠register your business and contact persons â— receive a welcome pack with advice and contact details â— submit a report at any time of day â— receive email confirmation of each report.  5.5 The NCA also issues report forms for you to fill in but you will not receive an acknowledgement of a report sent this way.  5.6 For help in submitting a report or with online reporting to the NCA, contact the UK FIU helpdesk – Telephone: 020 7238 8282 or online at NCA.  5.7 Submitting a request for a defence to the NCA, whether you are granted a defence, or not, does not replace the requirement on the business to complete customer due diligence before entering into a business relationship (see Defence SAR below).  5.8 It is important that you have detailed policies, controls and procedures on internal reporting and the roll of the nominated officer (see nominated officer below).  5.9 You must provide regular training for your staff in what suspicious activity may look like in your business and you should keep records of that training, who has received it and when. The nominated officer must be conversant with guidance on how to submit a report and in particular be aware of the codes detailed in the glossary that must be used in each report.  5.10 A suspicious activity report must be made to the NCA no matter what part of your business the suspicion arises in.  5.11 The tests for making a report about terrorist financing are similar. You must make a report if you know, suspect or had reasonable grounds for knowing or suspecting that another person committed or attempted to commit a terrorist financing offence.   Nominated officer  5.12 You must appoint a nominated officer to make reports (see suspicious activity reports) from within your registered business. The nominated officer (or a deputy) must make a report if they know or suspect that someone is involved in money laundering or terrorist financing.   5.13 Staff must report to the nominated officer as soon as possible if they know or suspect that someone, not necessarily the customer, is involved in money laundering or terrorist financing. The nominated officer will then decide whether to make a report.  5.14 A sole trader with no employees does not need a nominated officer as they are the nominated officer by default.  5.15 The nominated officer should make a suspicious activity report even if no transaction takes place. The report should include details of how they know about, or suspect money laundering or terrorist financing. It should also include as much relevant information about the customer, transaction or activity as the business has on its records.  5.16 If a report is made before a transaction is completed or the start of a business relationship, you must ask for a defence to a money laundering or terrorist financing offence from the NCA to go ahead with the transaction. You should tick the “consent requested†box on the form.  A defence (consent)  5.17 It is an offence for the nominated officer to proceed with a transaction prior to receiving a granted letter from the NCA within the 7 working day statutory time periodâ€. This period starts from the day after submitting the report.  5.18 A defence relates to offences in Proceeds of Crime Act and the Terrorism Act but not to other criminal offences.   5.19 Seeking a defence, granting it or no reply from the NCA is not a permission to proceed or oblige you to proceed, nor is it an approval of an act or persons, or mean that there is no criminality involved. You should consider your position carefully. A defence does not mean you do not have to verify a customer’s identity or that of any beneficial owners. The business must continue to comply with all the requirements of the Regulations.  5.20 If you do not receive a refusal notification from the NCA within the notice period it is up to you to interpret your position and you may, if you consider that you have met the requirements for making a disclosure, assume a defence.  5.21 If the NCA refuses you a defence, you must not proceed with a transaction for up to a further 31 calendar days, i.e. the moratorium period. In terrorist financing cases the moratorium period does not apply, you do not have a defence until a request is granted.  5.22 The NCA has published information on obtaining a defence. Some of the key points include:   a defence is only valid for the transaction reported - any future transactions by the same customer have to be considered on their own merits (and in the light of the suspicions that arose for the original one)  you can’t ask for a general defence to trade with a customer, only to carry out a particular transaction ï‚· the initial notice period is 7 working days from the date of the report; and if a defence is refused, the moratorium period is a further 31 calendar days from the date of refusal - if you need a defence sooner, you should clearly state the reasons for the urgency and perhaps contact the National Crime Agency to discuss the situation   the National Crime Agency will contact you by telephone you and will confirm their decision in writing  Tipping off  5.23 It’s a criminal offence for anyone to say or do anything that may 'tip off' another person that a suspicion has been raised, or that a money laundering or terrorist financing investigation may be carried out. It’s also an offence to falsify, conceal or destroy documents relevant to investigations.  5.24 Nobody should tell or inform the person involved in the transaction or anyone else that:  ◠the transaction is being or was delayed because a suspicion has been raised ◠details of a transaction have or will be reported to the NCA ◠law enforcement agencies are investigating the customer  5.25 Such an offence carries a penalty of up to 5 year’s imprisonment and/or a fine.  6. Record keeping  Core obligations  You must retain:  ◠copies of the evidence obtained of a customer’s identity for five years after the end of the business relationship â— details of customer transactions for five years from the date of the transaction â— details of actions taken in respect of internal and external suspicion reports â— details of information considered by the nominated officer in respect of an internal report, where the nominated officer does not make a suspicious activity report â— copies of the evidence obtained if you are relied on by another person to carry out customer due diligence, for five years from the date of the agreement, the agreement should be in writing  You must also maintain:  ◠a written record of your risk assessment â— a written record of your policies, controls and procedure  Actions required  The points below are to be kept under regular review:  ◠maintain appropriate systems for retaining records ◠making records available when required, within the specified timescales   6.1 You must keep records of customer due diligence checks and business transactions:  ◠for identity checks - 5 years after the end of the customer relationship ◠for occasional transactions - 5 years from the date the transaction was completed ◠you should also keep supporting records for 5 years after the end of a business relationship  6.2 The records should be reviewed periodically to ensure, for example, that a fresh copy of expired documents is held.  6.3 After the period above the records can be deleted unless you are required to keep them in relation to legal or court proceedings. You will not be required to keep them for more than twenty five years.  6.4 Your risk assessment and policies, controls and procedures must be kept up to date and be amended to reflect any changes in your business.  6.5 You can keep records as original documents and photocopies of original documents in either hard copy or electronic form. The aim is to ensure that the business meets its obligations and, if requested, can show how it has done so.  6.6 This evidence may be used in court proceedings against the criminals.  6.7 If someone else carries out customer due diligence for you, you must make sure that they also comply with these record keeping requirements. You must be able to demonstrate that records of customer due diligence checks carried out by an outsourcing service, and which are stored on their server, will be available to you should you wish to move to another service or should that service go into liquidation.  6.8 All electronic records must be subject to regular and routine backups with off-site storage.  7. Staff awareness  Core obligations  You must:  ◠ensure relevant staff are aware of the risks of money laundering and terrorist financing, the relevant legislation, and their obligations under that legislation, know who the nominated officer is and what his responsibilities are, train in the firm’s procedures and in how to recognise and deal with potential money laundering or terrorist financing transactions or activity ◠staff are trained at regular intervals â— maintain a written record of what you have done to raise awareness and the training given to staff â— Ensure that a relevant director or senior manager has overall responsibility for establishing and maintaining effective training arrangements.  Larger and more complex businesses must:  ◠screen relevant staff before they take up post and at regular intervals to assess that they are effective in carrying out their function and are of good conduct and integrity.   Actions required  The points below are to be kept under regular review:  ◠provide appropriate training to make relevant staff aware of money laundering and terrorist financing issues, including how these crimes operate and how they might take place through the business ◠ensure that relevant employees have information on, and understand, the legal position of the business - individual members of staff and any changes to these positions ◠regularly share risk assessment, policy, control and procedures information within the business and with branches and subsidiaries â— consider providing relevant staff with case studies and examples related to the firm’s business â— train relevant staff in how to operate a risk based approach to assessing the risks of money laundering and terrorist financing â— set up a system to screen staff before they take up the post and during the course of the appointment â— keep records of training given  Staff  7.1   Your staff are the best defence against money launderers and terrorist financers who may try to abuse the services provided by your business.   You must:  ◠tell your staff about your anti money laundering and counter terrorism financing obligations â— tell your staff about data protection obligations â— give them suitable (risk-based) training on their legal obligations â— tell them how to identify and deal with the risks â— keep a written record of the training given to your staff.  7.2 If you don't do this and your staff don't know what is required, then you and your business        may be open to penalties or criminal charges.  7.3 Relevant staff are persons involved in the identification of risk, your controls and procedures         to reduce risk and your compliance with the Regulations.  Training  7.4 When you consider who needs to be trained you should include staff who deal with your customers, deal with money or help with compliance. Think about reception staff, administration staff and finance staff, because they’ll each have a different involvement in compliance, and have different training needs.  7.5 The training process should therefore cover the whole end to end process from sales and receiving customers’ instructions, through to valuation, dealing with offers and completion.  7.6 Nominated officers, senior managers and anyone who is involved in monitoring business relationships and internal controls must also be fully familiar with the requirements of their role and understand how to meet those requirements.  7.7 Each member of staff should be ready to deal with the risks posed by their role. Their training should be good enough, and often enough, to keep their knowledge and skills up to date.    7.8 It should cover:  ◠the staff member’s duties ◠the risks posed to the business ◠the business policies and procedures ◠how to conduct customer due diligence and check customers’ documents ◠how to spot and deal with suspicious persons and activity ◠how to make internal reports, including disclosures of suspicious activity ◠data protection requirements â— record keeping ◠the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017; Part 7 of the Proceeds of Crime Act; and sections 18 and 21A of the Terrorism Act.  7.9 Training may include:  ◠face-to-face training ◠online training sessions ◠HMRC webinars â— going to conferences ◠taking part in special meetings to discuss the business procedures  ◠reading publications ◠meetings to look at the issues and risks â— Trade Body information.  7.10 A policy manual is useful to raise staff awareness and for reference between training sessions.  7.11 Staff training is necessary when staff join the business, move to a new job or when they change roles. They should also have ongoing training at least every 2 years or when a significant change happens, depending on the level of risks.  Evidence of training  7.12 You must keep evidence of your assessment of training needs and the steps you’ve taken to meet those needs. You may be asked to produce training records in court.   7.13 Training records include:  ◠a copy of the training materials ◠details of who provided training, if provided externally ◠a list of staff who have completed training, with dates, and their signatures confirmation of their understanding of the obligations or electronic training records ◠an updated training schedule. 8. High value dealer risk  Risk based approach  8.1 A risk based approach is where you assess the risks that your business may be used for money laundering or terrorist financing, and put in place appropriate measures to manage and lessen those risks.  8.2 A risk based approach should balance the costs to your business and customers with a realistic assessment of the risk that criminals may exploit the business for money laundering and terrorist financing. It allows you to focus your efforts on the most important areas and reduce unnecessary burdens.  8.3 You’ll need to:  ◠identify the risks of money laundering and terrorist financing that are relevant to your business, in other words, your business’s risk profile â— assess the risks posed by customers and any underlying beneficial owners (see the section on customer due diligence on who is a beneficial owner), services, financing methods, delivery channels and geographical areas of operation, including the location of the customer and the source of funds â— design and implement controls to mitigate these assessed risks â— monitor the effectiveness and implementation of the controls and make improvements where required â— record what has been done and why as part of your risk assessment, policies, controls and procedures  Your risk profile  8.4 Assessing your business’s risk profile will help you design the right systems that will spot suspicious activity, and ensure that staff are aware of what sort of money laundering activities they are likely to encounter.  8.5 A high value dealer that buys bulk, low value goods presents a different risk profile to a high value dealer that sells high-end luxury cars. However, both may be targeted by criminals if they have little or no controls in place.  8.6 The environment you do business in affects the individual customer’s risk assessment, if you have many high net-worth customers or deal with people from a particular country or region, this will influence the business wide assessment.  8.7 Cash is a key component in organised criminal activity and criminals will often try to dispose of cash through the purchase of goods. Because of this, high value dealers must be vigilant to high risk areas.  8.8 You should assess the risks to your own business and consider what is high risk in your own policies and procedures. The following is not an exhaustive list of risk indicators: â— assets that are particularly high value and easily portable such as jewellery ◠high risk goods that are commonly used to avoid tax such as alcohol or tobacco â— businesses with no security or insurance for large volumes of cash â— businesses that have no established presence â— a business you deal with is not applying the standard of due diligence you would expect â— a business wants to use cash for an “off the record†sale â— the customer asks for delivery in an unusual manner or to an address that is not their own â— visitors to the UK do not have a C9011 form (a form for declaring they are bringing more than £10,000 into the UK) â— the customer appears to be breaking down the transaction to fall below the €10,000 limit.  8.9 Low risk indicators should also be included in your risk assessment. The following is not an exhaustive list of low risk indicators and may not represent low risk in all cases. You must consider this list in regard to your own business practices and risk assessment:  ◠perishable goods that have a limited life â— local customers that fit with the area and your normal trade models â— highly regulated commodities such as guns. 8.10 The risk profile depends on the nature of the business, branch network, customers, and activities. For each of these areas you should consider how they could be exposed. For example:  ◠how you’ll apply risk management procedures to a network of branches ◠how you’ll manage and maintain records and the type of records ◠if you selected a number of customer files at random, would they all have a risk assessment and adequate customer due diligence for the customer and beneficial owners  ◠if you have a system that will pick up where individuals, departments or branches are not implementing risk management procedures ◠could you demonstrate that all staff have been trained on the regulations and given ongoing training on recognising and dealing with suspicious transactions  ◠if asked, would staff know who the nominated officer is, what the firm’s policies are and where they can be found.  9. High value dealers  9.1 Anyone who makes or accepts high value payments must comply with the Regulations. HMRC supervises High Value Dealers under these Regulations. A business must not make or accept high value payments unless they are registered with HMRC.  9.2 The Regulations define high value dealers as a firm or sole practitioner, who or whose employees make or accept cash payments of €10,000 or more, or its equivalent in another currency in exchange for goods, including when this payment is made into your bank account or to a third party for your benefit. It does not include payment made for services. Where a payment is made for goods and services, such as fitting a bathroom, the transaction is only in scope if the goods are valued at more than €10,000 or the equivalent in another currency.  High value dealer sub sectors  9.3 There are a number of sub sectors in the high value dealer sector, they include:  ◠alcohol â— antiques, art & music â— auction â— boats & yachts â— caravans â— cars â— cash & carry/wholesale â— electronics â— food â— gold â— household goods & furniture â— jewellery â— mobile phones â— plant, machinery & equipment â— recycling â— textiles & clothing â— vehicles other than cars 10. Where to find more information  If after reading this notice you have any queries, or would like further you can contact us by: Email: [email protected] Post: HMRC Anti Money Laundering Supervision Alexander House 21 Victoria Avenue Southend on Sea SS99 1AG If they’re unable to answer your query directly, they’ll be able to pass your query on to the relevant section. HMRC aims to give you the best possible service at all times. However if you’re unhappy with our service or the way we have treated you may wish to make a complaint. More information about how to complain can be found in our guidance on complaints and putting things right on the gov.uk website