aml terrorist financing code

8/3/2019 AML Terrorist Financing Code

1/64

ANTI-MONEY LAUNDERING

AND PREVENTION OF

TERRORIST FINANCING

CODE

Issued by

The Reporting Authority

of the Turks and Caicos Islands

December 3rd, 2007


2/64

1. INTRODUCTION

1.1 In common with all jurisdictions, both offshore and on-shore, the Turks andCaicos Islands (the TCI) has a responsibility to comply with internationalstandards concerning the prevention and detection of money laundering and the

combating of terrorist financing. These standards are primarily set by theFinancial Action Task Force (the FATF). The current FAFT standards areknown as the FATF 40 + 9, the 40 referring to the FATFs 40recommendations for the prevention and detection of money laundering and the9 referring to the FATFs 9 special recommendations on the combating ofterrorist financing.

However the Basle Committee, the International Organisation of SecuritiesCommissions (IOSCO) and the International Association of InsuranceSupervisors (the IAIS) also set sector specific anti-money laundering standardsfor banking, securities and investment business and insurance businessrespectively. In addition, the TCI is a member of the Caribbean Financial Action

Task Force (the CFATF), a grouping of Caribbean states that have agreed toimplement common counter measures to address money laundering and terroristfinancing.

1.2 The TCI is committed to complying with its international obligations and has hada framework of anti-money laundering legislation in place since 1988 [when theControl of Drugs (Trafficking) Ordinance was enacted]. The legislative frameworkwas extensively reviewed in 2006 and a new Proceeds of Crime Ordinance (thePCO) enacted in [month] 2007. The PCO consolidates the pre-existingprovisions, which were previously to be found in a patchwork of differentOrdinances, but also updates and reforms the law relating to money laundering.The PCO is supported by the Anti-Money Laundering Regulations, 2007 (theAMLR) and this Code. In summary, the PCO is designed to:

criminalise money laundering

provide for the confiscation of the proceeds of criminal conduct

enable the civil recovery of property which represents, or is obtainedthrough, unlawful conduct

provide the Reporting Authority with clear functions and enhance its powers

require persons in the financial sector to report knowledge or suspicionsconcerning money laundering to the Reporting Authority

give the Supreme Court the power to make a number of orders to assist thepolice in their investigations into money laundering

establish a National Forfeiture Fund

- 2 -


3/64

The PCO does not provide for the combating of terrorist financing, which iscovered separately by the Anti-terrorism (Financial and Other Measures) Order2002 (the Anti-terrorism Order), which came into force on 1 August 2002.

1.3 The PCO, the AMLR and this Code impose obligations on both the regulatedfinancial sector and certain other businesses specified in the AMLR 1, to put in

place and implement procedures to prevent money laundering.

In this Code:

a person that is subject to the AMLR and this Code, which could be anindividual, a partnership or a company, is termed a financial business; and

a financial business that is subject to supervision by the Commission istermed a regulated person2.

Failure to comply with the requirements of the PCO, the AMLR and, in someinstances this Code, may result in a financial business, and its partners or

directors, being prosecuted for a criminal offence. The status of this Code is morefully described in paragraph 2.7.

1.4 Regardless of the legal obligations imposed on financial businesses by the PCO,the AMLR and this Code, it is very much in the interests of every financialbusiness in the TCI to have strong systems in place to reduce its risk of beingused in connection with money laundering or terrorist financing. The use of a TCIfinancial business in connection with money laundering or terrorist financing islikely to damage the reputation of the business and of the TCI as a financialservices jurisdiction, which could lead to a loss of legitimate business. It istherefore important that every financial business understands the important role itplays in protecting the reputation of the TCI.

The obligations contained in the PCO, the AMLR and this Code will be rigorouslyenforced. However, it is in the interests of the TCI that efforts to prevent moneylaundering and terrorist financing are undertaken in a spirit of cooperationbetween the public and private sectors.

1.5 A financial business is best able to protect itself from being used in connectionwith money laundering or terrorist financing by maintaining effective procedures,systems and controls, including sound due diligence procedures, that complywith international standards, and rigorously implementing them. This Code setsout requirements imposed on financial businesses for the prevention of moneylaundering and the combating of terrorist financing that supplement the

requirements of the PCO and the AMLR. The Reporting Authority considers thatthe legal regime taken as a whole enables the TCI to meet internationalstandards.

1This includes dealers in high value goods, dealers in precious metals and stones, estate agents,

casinos, accountants and lawyers [when undertaking certain transactions on behalf of clients].2

See paragraph 2.11 for a complete list of financial businesses and regulated persons.

- 3 -


4/64

2. PURPOSE,STRUCTURE,STATUS AND APPLICATION OF THIS CODE

2.1 This Code is issued by the Reporting Authority under section 111(1) of the PCO.Subsection (2) of that section also empowers the Reporting Authority to issue

guidance concerning compliance with the requirements of the PCO, the AMLRand this Code and concerning such other matters as it considers relevant to itsfunctions.

Purpose of Code

2.2 The purpose of this Code is to:

outline the relevant requirements of the PCO and the AMLR with respect tothe prevention of money laundering

set out more detailed requirements for the prevention of money laundering

that must be met by financial businesses

provide guidance to assist financial business in interpreting therequirements of the PCO, the AMLR and this Code

assist financial businesses to design and implement appropriate systemsand controls for the prevention of money laundering and terrorist financing

to promote the use of a proportionate, risk-based approach to the preventionof money laundering and terrorist financing, in particular, to customer duediligence measures

Structure of Code

2.3 This Code outlines the requirements imposed by the PCO and the AMLR withrespect to the prevention of money laundering. These requirements aredesignated in the Code as statutory requirements. A contravention of astatutory requirement is a breach of the PCO or the AMLR and is an offence.

Reference is made throughout this Code to obligations imposed by the PCO andthe AMLR on financial businesses. However, in many instances, theseobligations also apply to the businesses referred to in the footnote to paragraph1.3. The fact that the Code does not state this, should not be taken as anindication to the contrary.

2.4 This Code sets out additional anti-money laundering requirements andrequirements concerning the prevention of terrorist financing.

In order to clearly distinguish between requirements of the Code, statutoryrequirements and guidance, all Code requirements are set out in a numberedrequirements box.

- 4 -


5/64

2.5 This Code also contains guidance on how financial businesses can comply with,and demonstrate compliance with, the statutory requirements and the additionalrequirements of the Code.

Where guidance is provided, the term may, should, or a similar term, is used.

2.6 The Code also provides background information that is intended to assistfinancial businesses to understand

the problems of money laundering and terrorist financing; and

their obligations under the PCO, the AMLR and this Code.

Status of Code

2.7 Certain requirements of the Code are imported into the AMLR. For example,regulation 4 of the AMLR requires a regulated person to establish and maintainidentification procedures that comply with the AMLR and the Code. A failure to

comply with the identification requirements in the Code is therefore a breach ofregulation 4(1) of the AMLR and is an offence under the AMLR.

2.8 The Code is fully enforceable against regulated persons under the FinancialServices Commission Ordinance. Section 33(1)(a(ii) of that Ordinance providesthe Commission with the power to take enforcement action against a regulatedperson if the regulated person has contravened or is in contravention of theAMLR or of any prescribed Ordinances or Codes relating to money laundering orterrorist financing. The PCO and this Code are both prescribed for this purpose.Therefore, where a regulated person contravenes the PCO, the AMLR or thisCode, the Commission may revoke the regulated persons licence or take otherregulatory or enforcement action against it. Any contraventions of the PCO, the

AMLR and the Code will also be taken into account by the Commission inassessing whether a regulated person is fit and proper to hold a licence.

Compliance with the statutory requirements and the requirements of this Codewill form part of the Commissions assessment of a regulated person whenundertaking on-site compliance visits. It will also form part of the Commissionson-going monitoring of those financial businesses that it is responsible forsupervising.

2.9 Where guidance is provided in this Code, a regulated person has some discretionas to how to apply the requirements of the PCO, the AMLR and this Code, giventhe particular circumstances of its business, products, services, transactions and

customers.

However, a regulated person should consider very carefully whether a departurefrom the guidance is justified. Regulation 11(2) of the AMLR provides:

. in determining whether a person has complied with these Regulations, theCourt may take account of any guidance issued by the Reporting Authority

- 5 -


6/64

Therefore, if a regulated person is not able to fully justify a departure from theguidance in this Code, the Court may find that the regulated person hascommitted an offence under the AMLR.

If a regulated person chooses not to follow the guidance provided in this Code, itmust be able to demonstrate that it has, nevertheless, complied with the statutory

requirements and the requirements of this Code.

Requirement 1

It is a requirement of this Code that any departures from this guidanceprovided in this Code are documented, together with the rationale forthe departure.

2.10 The particular circumstances of a regulated person, or of its business, mayrequire that person to take additional measures beyond those specified in theguidance in order to ensure compliance with the statutory requirements and therequirements of this Code. It is important, therefore, that in complying with thestatutory requirements and the requirements of this Code, a regulated personshould adopt an intelligent risk-based approach and establish and maintainsystems and procedures that are appropriate and proportionate to the risksidentified.

Application of Code

2.11 This Code applies to all financial businesses, whether the financial business is

carrying on business in, or from within, the TCI. The AMLR provide that a personis subject to this Code if he, or it, carries on any of the following businesses:

(a) banking business, as defined in the Banking Ordinance (Cap. 118);

(b) acting as a professional trustee within the meaning of the TrusteesLicensing Ordinance (Cap. 13);

(c) the business of company agent and the business of companymanagement as defined in the Company Management (Licensing)Ordinance (No. 1 of 1999);

(d) insurance business as defined in the Insurance Ordinance (Cap. 121);

(e) acting as an insurance intermediary or as an insurance manager asdefined in the Insurance Ordinance (Cap. 121);

(f) acting as a mutual funds administrator or manager within the meaningof the Mutual Funds Ordinance (No. 13 of 1998);

(g) being a promoter in respect of a mutual fund within the meaning of the

- 6 -


7/64

Mutual Funds Ordinance (No. 13 of 1998);

(h) acting as an investment dealer within the meaning of the InvestmentDealers (Licensing) Ordinance;

(i) money services business as defined in the Money TransmittersOrdinance, 13 of 2007;

(j) the business of

(i) trading in investments on ones own account;

(ii) providing advice on capital structure, industrial strategy and relatedquestions and advice and services relating to mergers and thepurchase of undertakings;

(iii) money broking;

(iv) the safekeeping and administration of securities;

(v) forming limited partnerships,

(vi) providing the registered office for limited partnerships,

(vii) lending, or

(viii) financial leasing;

(k) the activity of dealing in precious metals or precious stones by way ofbusiness, whenever a transaction involves accepting a total cashpayment of $15,000 or more, or the equivalent in any currency;

(l) the activity of dealing in goods of any description (other than preciousmetals or precious stones) by way of business whenever a transactioninvolves accepting a total cash payment of $50,000 or more, or theequivalent in another currency;

(m) the business of acting as a real estate agent;

(n) the provision by way of business of accountancy or audit services;

(o) the provision by way of legal services which involves participation in afinancial or real estate transaction (whether by assisting in the

planning or execution of any such transaction or otherwise by actingfor, or on behalf of, a client in any such transaction);

(p) operating a casino by way of business, whenever a transactioninvolves accepting a total cash payment of $3,000 or more, or theequivalent in another currency.

- 7 -


8/64

Note that regulated persons are those persons that carry on a business specifiedin paragraphs (a) to (i).

- 8 -


9/64

3. INTERNAL CONTROLS

Statutory Requirement to Establish and Maintain Internal Controls

3.1 The AMLR require a financial business to establish and maintain such

procedures of internal control as may be appropriate for the purposes offorestalling and preventing money laundering [regulation 8(1)(c)].

Regulation 8(2)(b) of the AMLR provides that the internal control proceduresmust provide for the assessment by the financial business of the risk that anybusiness relationship or one-off transaction will involve money laundering andshall be appropriate to the circumstances, having regard to the degree of riskassessed. The AMLR therefore specifically require a financial business to adopta risk-based approach.

The AMLR do not apply to the prevention of terrorist financing. However, it isequally important that the procedures of internal control established and

maintained by a financial business extend to the prevention of terrorist financing.

Requirement 2

The following are requirements of this Code:

a financial business must establish and maintain suchprocedures of internal control as may be appropriate for thepurposes of forestalling and preventing terrorist financing; and

the internal control procedures established and maintained by afinancial business must provide for the assessment by the

regulated person of the risk that any business relationship orone-off transaction will involve terrorist financing and shall beappropriate to the circumstances, having regard to the degree ofrisk assessed.

The elements and requirements of a risk-based approach to preventing moneylaundering and terrorist financing are covered in more detail later in this sectionof the Code [see paragraphs 3.6 to 3.13].

Responsibility of Senior Management

3.2 The senior management of a financial business has responsibility for ensuringthat the systems and controls of the business comply with the requirements ofthe AMLR. In most cases, the financial business will be a company and ultimateresponsibility for compliance is the responsibility of the directors or, where acompany has a single director, that director.

- 9 -


10/64

In this Code, where a financial business is a company, senior managementmeans the directors of the company or, where the company has a single director,that director.

Where a financial business fails to establish appropriate internal controlprocedures, and other procedures required by the AMLR, the financial business

commits an offence.

3.3 The AMLR require a financial business to appoint a Money Laundering ReportingOfficer and the Financial Services Commission Ordinance requires a financialbusiness to appoint a Compliance Officer, who may be the same person [seefurther paragraphs 3.14 to 4.1].

Senior management will be assisted in fulfilling their responsibilities by the MoneyLaundering Reporting and the Compliance Officer, if different.

3.4 Although senior management are responsible for ensuring that a financialbusiness complies with its obligations under the PCO, the AMLR and this Code,

the following additional specific obligations are imposed on senior managementby this Code:

- 10 -


11/64

Requirement 3

It is a requirement of this Code that senior management must:

adopt a formal, documented policy in relation to theprevention of money laundering and terrorist financing

ensure that the risk assessment required under paragraph3.10 below [the AML and CFT risk assessment] is carried outand submitted to them for consideration and approval

ensure that the prevention of money laundering and terroristfinancing policy and the AML and CFT risk assessment arereviewed at appropriate intervals and kept up to date

allocate responsibility for the establishment and maintenanceof risk-based anti-money laundering and terrorist financing

systems and controls and must be able to demonstrate thateffective risk-based systems and controls have beenestablished and appropriately documented

ensure that the financial businesss anti-money launderingand terrorist financing systems and controls are kept underregular review and that breaches are dealt with promptly

oversee compliance with the financial businesss anti-moneylaundering and terrorist financing systems and controls andensure that necessary action to remedy deficiencies is takenpromptly

ensure that regular and timely information relevant to themanagement of the regulated persons anti-money launderingand terrorist financing risks is made available to them

ensure that the Money Laundering Reporting Officer and theMoney Laundering Compliance Officer are adequatelyresourced

3.5 When conducting an on-site compliance visit, the Commission will, as part of itsassessment of a financial business, look for documented evidence that theobligations of senior management have been complied with.

- 11 -


12/64

Risk Based Approach

3.6 The directors of companies, both within and outside the financial sector,increasingly manage the affairs of their companies with regard to the risksinherent in its business and put in place systems, controls and procedures thateffectively manage these risks. A risk-based approach is also appropriate tomanaging the risks associated with money laundering and terrorist financing.

3.7 Furthermore, there are substantial differences between the various financialbusinesses in the TCI and in their clients and their clients businesses. Thediversity within the industry makes a prescriptive, and of necessity inflexible,approach to the measures required to prevent money laundering and combatterrorist financing impracticable. This Code therefore takes a risk-basedapproach.

3.8 A risk-based approach:

recognises that the money laundering and terrorist financing threat to afinancial business is dependent upon a number of factors, including itscustomers, the jurisdictions in which it operates, the products it offers and itsdelivery channels;

allows a financial business to differentiate between customers in a way thatmatches the risk in a particular business;

allows a financial business to apply its own approach to systems andcontrols and arrangements in particular circumstances; and

because it is not necessary to design systems and controls that fit allcircumstances, can be more cost effective for financial businesses.

3.9 It is important to appreciate that systems and controls will not detect and preventall money laundering or terrorist financing. A risk-based approach will, however,serve to balance the cost burden placed on a financial business and itscustomers with a realistic assessment of the threat of the business being used inconnection with money laundering or terrorist financing. It focuses the effortwhere it is needed and will have most impact.

3.10 A financial business can only fully appreciate the money laundering and terroristfinancing risks that it faces by undertaking a money laundering and terroristfinancing risk assessment [AML and CFT risk assessment].

- 12 -


13/64

Requirement 4

It is a requirement of this Code that a financial business carry out anAML and CFT risk assessment to:

assess the money laundering and terrorist financing risks that itfaces;

determine how to best manage these risks; and

design, establish and maintain anti-money laundering andterrorist financing systems and controls that are appropriate forthe risks that it faces, in accordance with the statutoryrequirements.

3.11 When undertaking on-site compliance visits, as part of its assessment of aregulated person, the Commission will require documented evidence that an AMLand CFT risk assessment has been undertaken, that appropriate anti-moneylaundering and terrorist financing systems and controls have been designed andthat these systems and controls are being effectively implemented.

3.12 The adoption of a risk-based approach precludes the prescription of detailedrules. However, this Code sets a number of more general rules that must befollowed by financial businesses and also provides guidance that will assistfinancial businesses to comply with the requirement imposed above.

3.13 The broad objective of a risk-based approach is to enable a financial business toknow who its customers are, what they do, and whether or not they are likely tobe engaged in criminal activity. This entails the preparation of a risk profile foreach customer, which will build up over time, allowing the financial business toidentify transactions or activities that may be suspicious. This is covered furtherin the next section of this Code.

Money Laundering Reporting Officer and Compliance Officer

3.14 It is a statutory requirement that a financial business appoints an individualapproved in writing by the Commission as its money laundering reporting officer(the MLRO) [regulation 8(1)(a) of the AMLR]. The MLRO has responsibility for

receiving internal money laundering disclosures, deciding whether thesedisclosures should be reported to the Reporting Authority and, if he so decides,making the reports to the Reporting Authority, and acting as the liaison point withthe Reporting Authority and the Commission.

3.15 More particularly, the AMLR [regulation 8(2)] provide that the internal reportingprocedures of a financial business must

- 13 -


14/64

require that where any information or other matter comes to the attention ofan employee in the course of its relevant financial business, as a result ofwhich the employee knows, suspects or has reasonable grounds forknowing or suspecting that another person is engaged in money laundering,that employee must, as soon as reasonably practicable after thatinformation or other matter comes to his attention, disclose it to the MLRO;

require that any disclosure made to the MLRO shall be considered by theMLRO in the light of all other relevant information for the purpose ofdetermining whether or not the information or other matter contained in thereport does give rise to such a knowledge or suspicion or such reasonablegrounds for knowledge or suspicion;

permit the MLRO to have reasonable access to any other information whichmay be of assistance to him in considering the report; and

if the MLRO determines that the information or other matter contained in thereport does give rise to a knowledge or suspicion, or reasonable grounds for

knowledge or suspicion, that another person is engaged in moneylaundering, he shall disclose that information or matter to the ReportingAuthority.

3.16 The Financial Services Commission Ordinance provides that a regulated personmust appoint an individual approved by the Commission as its compliance officer[CO]. The COs responsibilities include overseeing the regulated personscompliance with its obligations concerning the prevention of money launderingand terrorist financing.

Subject to the approval of the Commission, the MLRO may also serve as aregulated persons CO. However, a regulated person may split the reporting and

compliance functions and appoint different individuals as its MLRO and CO.

3.17 In determining whether to approve an individual for appointment as MLRO and/orCO, the Commission will need to be satisfied that the individual is fit and properfor the appointment. In particular, the Commission will need to be satisfied thatthe individual has sufficient experience and, if appropriate, qualifications to act asthe MLRO and/or the CO of the regulated person.

A financial business with a substantial business may need to appoint otherindividuals to assist the MLRO. Where such other individuals are appointed, it ispermissible for its procedures to permit employees to make internal reports tothese individuals, on behalf of the MLRO. However, the MLRO has ultimate

responsibility for all reports made by employees of the financial business and anyother individuals appointed must be answerable to the MLRO.

Financial businesses should refer to the separate requirements and guidanceissued by the Commission generally with regard to the CO of a financial businessand the compliance function.

3.18 The MLRO will usually have more knowledge and experience relevant to theprevention of money laundering and terrorist financing than other employees of

- 14 -


15/64

the financial business. The AMLR anticipate that the MLRO will use hisknowledge and experience to fully asses the disclosure that has been made tohim and that he will only make a suspicious transaction report to the ReportingAuthority if he considers, after his assessment, that the information disclosedgives rise to a knowledge or suspicion, or reasonable grounds for knowledge orsuspicion, of money laundering or terrorist financing. The Reporting Authority

expects the MLRO to act as a filter and not to routinely pass all disclosures madeto him to the Reporting Authority without making his own assessment.

3.19 Subject to certain exceptions, the Commission will normally require the MLROand the CO to be an employee of the financial business, who is based in the TCI.

Requirement 5

It is a requirement of this Code that a financial business must:

appoint the MLRO to a sufficient level of seniority within itsbusiness;

ensure that the MLRO has sufficient time to properly undertakehis duties as MLRO [although it is not a requirement that this ishis only function within the business, although in a largerbusiness this may be appropriate];

provide the MLRO with sufficient resources, [including staffresources, where appropriate] to properly undertake his duties asMLRO;

enable the MLRO to have direct access to the board of directorswith respect to matters concerning the prevention of moneylaundering and terrorist financing;

notify the Commission in writing within 14 days of an individualceasing to be its MLRO or its MLCO.

3.20 It is the responsibility of the MLRO to:

oversee any individuals appointed under paragraph 3.16; and

maintain a record of all enquiries

- 15 -


16/64

4. CUSTOMER DUE DILIGENCE

Why is customer due diligence necessary?

4.1 The maintenance and operation by financial businesses of adequate customer

due diligence measures is, and has for many years, been fundamental to theTCIs efforts to combat money laundering and terrorist financing.

A financial business needs to carry out proper customer due diligence for thefollowing reasons:

customer due diligence helps to protect a financial business, and the jurisdiction, from the risk of being used for money laundering, terroristfinancing or other financial crime, helps to protect the financial businessfrom becoming a victim of financial crime and helps to protect againstidentity fraud

a financial business that has carried out customer due diligence is able toassist law enforcement agencies by providing information on applicants forbusiness, customers or activities being investigated

customer due diligence has an important role to play in a financialbusinesss own risk management procedures

Customer due diligence information will also assist a financial business, and itsMLRO and employees, to assess whether a suspicion transaction report shouldbe made.

What is customer due diligence?

4.2 Effective customer due diligence measures will require the financial business tocarry out a number of steps, addressing:

identifying who the applicant for business, or intended customer, is andwhose identity needs to be verified

verifying the identity of the applicant for business or intended customerusing reliable evidence

understanding the applicants or customers circumstances and business,including where appropriate, the source of wealth and funds, the purpose ofthe business relationship with the financial business and the expectednature and level of transactions

keeping the information held up to date and valid

the ongoing monitoring of the transactions undertaken and the businessrelationship with the purpose of assessing the extent to which thetransactions and activity carried on by the customer are consistent with hiscircumstances and business and the intended business relationship

- 16 -


17/64

Where the applicant for business is not an individual acting in his own right,identifying and verifying identity is more complex. For example, where theapplicant is a legal entity, it will be necessary to consider the beneficial ownershipand control of the applicant. This is covered in more depth later in the Code.

Statutory Requirements

4.3 The principal requirements with respect to the identification procedures to bemaintained by a financial business are contained in regulation 4 of the AMLR.Regulations 5 and 6 specify certain circumstances in which a financial businessmay not be required to apply the identification procedures in full.

The statutory requirements as specified in regulation 4 of the AMLR include thefollowing:

Every financial business must establish and maintain identificationprocedures that comply with the AMLR and this Code [regulation 4(1)].

The identification procedures of a financial business must

(a) incorporate a money laundering risk assessment with respect to theintended business relationship or one off transaction

(b) be appropriate having regard to the degree of risk assessed

(c) take into account the greater risk of money laundering which ariseswhen the applicant for business is not physically present when beingidentified

(d) require a determination to be made as to whether the applicant is acting, orappears to act, for another person [regulation 4(2)].

Regulation 4(4) of the AMLR provides in general terms that satisfactoryevidence of identity is evidence which is reasonably capable of establishingand, to the satisfaction of the person who obtains the evidence, doesestablish, that the applicant for business is the person he claims to be. Thisis supplemented by regulation 4(5) which provides that the identificationprocedures must include evidence of

(a) the true full name of the applicant, together with any other namesused by the applicant; and

(b) the physical address of the applicant

The identification procedures must require that where, while the businessrelationship or one-off transaction continues, the applicant for businessappears to be acting for any other third party in respect of that business, thesatisfactory evidence of the identity of that other third party will be obtained[regulation 4(6)].

- 17 -


18/64

The above does not list all the AMLR requirements for which reference should bemade to the AMLR themselves.

4.4 This Code contains additional requirements as to the identification proceduresthat must be maintained by a financial business. As the AMLR require thatidentification procedures must comply with this Code, a failure to establish and

maintain identification requirements that comply with this Code is both a breachof the Code and the AMLR.

Risk Based Approach to Customer Due Diligence

Introduction

4.5 The AMLR require the identification procedures of a financial business to adopt arisk-based approach [see regulation 4(3)(a)]. The advantages and features of arisk-based approach are covered generally in section 3 of this Code and this partof the Code should be read together with that section.

A risk-based approach to customer due diligence requires a risk assessment tobe undertaken with respect to a particular applicant or customer. This willdetermine the extent of the identification and other customer due diligenceinformation that will be sought, how it will be verified and the extent to which theresulting relationship will be monitored. The specific requirements of this Codeconcerning the obtaining of identification information and the verification ofidentity are covered later in this section [see paragraphs 4.29 to 4.73].

It is important to appreciate that identifying an applicant or customer as carrying ahigher risk of involvement in money laundering or terrorist financing does notnecessarily mean that the applicant or customer is a money launderer orfinancing terrorism. Similarly, identifying an applicant or customer as carrying a

lower risk of involvement in money laundering or terrorist financing does notnecessarily mean that the applicant or customer is not a money launderer or isnot financing terrorism.

Establishing a Customer Risk Profile

4.6 As indicated in paragraph 3.13, the broad objective of a risk-based approach is toenable a financial business to know who its customers are, what they do, andwhether or not they are likely to be engaged in criminal activity. This is achievedby preparing a risk profile for each customer.

4.7 The building of a risk profile requires a financial business to:

Collect appropriate and relevant due diligence information, ie information onboth identity and on the business relationship

On the basis of the customer due diligence information, prepare and recordan initial risk assessment for the applicant

- 18 -


19/64

Using the risk assessment, determine the extent to which the identificationevidence needs to be verified

Once a business relationship is established, periodically update thecustomer due diligence information that it holds and adjust its riskassessment as the relationship develops.

4.8 Customer due diligence information comprises both information on the identity ofthe customer [identification information] and information on the businessrelationship [relationship information].

Requirement 6

It is a requirement of this Code that that a financial business must obtaincustomer due diligence information on every applicant for businesscomprising:

identification information; and

relationship information.

Identification information is covered in detail in the next section of this Code.

Information on the business relationship, or proposed business relationship, isthe information necessary to enable the financial business to fully understand thenature of the business that the applicant for business intends to conduct and the

rationale for the business relationship. This will include information on the sourceof the applicants funds and, if appropriate, the source of the applicants wealth.

4.9 The nature and extent of the relationship information obtained is a matter for thejudgment of the financial business and will depend on a number of factors, suchas the jurisdictions with which he is connected, the product or service to besupplied and how the product or service will be delivered. The principle objectiveis to obtain sufficient information to identify a pattern of expected activity and toidentify unusual, complex or higher risk activity and transactions that mayindicate money laundering or terrorist financing.

Financial businesses should consider the following as an essential part of the

relationship information collected:

The purpose and intended nature of the relationship

The type, volume and value of the expected activity

The source of the funds

Details of any existing relationships with the financial business

- 19 -


20/64

The reason for using a business based in the TCI

4.10 Where the applicant is the trustee of a trust or the applicant is a legal body, suchas a company, additional relationship information will be required. This shouldnormally include:

the type of trust or legal body

the nature of the activities of the trust or legal body and the place or placeswhere the activities are carried out

in the case of a trust:

where the trust is part of a more complex structure, details of thatstructure, including any underlying companies

classes of beneficiaries, charitable objects etc

in the case of a legal body, the ownership of the legal body and, where acompany, details of any group of which the company forms a part, includingdetails of the ownership of the group

whether the trust or the trustee(s), or the legal body, is subject to regulationand, if so, details of the regulator

4.11 When sufficient customer due diligence information has been obtained, thefinancial business should carry out a customer risk assessment. The followingfour risk elements are normally considered to be present in every businessrelationship:

Customer risk

Product risk

Delivery risk

Country risk

An assessment of each of these risks is combined to produce a risk profile for thecustomer.

Customer risk

4.12 Customer risk is the identification of the risk posed by the type of applicant (orcustomer).

In assessing customer risk, a financial business will need to consider a number offactors, including the following:

- 20 -


21/64

The type of applicant (or customer). For example, an individual in a publicposition and/or location which carries a higher exposure to the possibility ofcorruption, a politically exposed person will present a higher risk [seeparagraph 4.25].

The type and complexity of relationship. Complex business structures, for

example structures involving a mixture of companies and trusts or simply anumber of different companies, can make it easier to conceal underlyingbeneficiaries. Relationships involving these structures present a higher riskunless there is a clear and legitimate commercial rational for the structure.The use of bearer shares will also present a higher risk, particularly wherethe jurisdiction in which the company is incorporated or registered does notrequire bearer shares to be immobilised.

The value and nature of the funds or assets. Customers engaged in abusiness that generates significant amounts of cash, or wishing toundertake a large number of cash transactions, or with a high value offunds, especially where not fully explained, present a higher risk. The

geographic source of the funds is also relevant to risk.

Commercial rationale. Is there a clear commercial rationale for the customerpurchasing the product or service?

Requests to associate undue levels of secrecy with a transaction orrelationship or, in the case of a legal entity, reluctance to provide informationas to beneficial owners or controllers.

Situations where the source of funds an/or the origin of wealth cannot beeasily verified, or where the audit trail has been deliberately broken and/orunnecessarily layered.

Delegation of authority by the applicant or customer, for example, through apower of attorney.

Other factors may suggest a lower level of risk, for example, where the applicant(or customer):

has a strong reputation;

is subject to public disclosure rules, for example publicly listed companies;

is subject to regulation by a statutory regulator (not just a financial services

regulator).

4.13 Regard should always be had to external data sources that may indicate whethera person is high risk. These will include TCI legislation applying United Nationssanctions, guidance issued by the Commission and may include informationpublished by governments and law enforcement authorities on terrorists [e.g.United States government agencies such as the Federal Bureau of Investigationand OFAC], electronic subscription databases, the internet and other media. Inparticular, the Bank of England maintains a consolidated list of targets listed by

- 21 -


22/64

the UN, EU, and UK under legislation relating to current financial sanctionsregimes.

Product or service risk

4.14 Product risk is the risk posed by the product proposition itself.

The following indicate higher risk products:

Ability to make payments to third parties

Ability to pay in or withdraw cash

Ability to migrate from one product to another

Ability to hold boxes, parcels or sealed envelopes in safe custody

Ability to use numbered accounts or accounts that offer a layer of opacity

Ability to pool underlying customers

The use of correspondent banking relationships is common and commerciallyconvenient. However, there is an increased risk as other customers of the bankmay be using it to launder funds. Additional due diligence and/or controls aretherefore required.

Requirement 7

It is a requirement of this Code that that a financial business must not

maintain a correspondent relationship with

a shell bank; or

with any bank, unless it is satisfied that the bank is subject to anacceptable level of regulation.

4.15 Anonymous accounts or accounts operated using fictitious names wouldobviously present a very significant money laundering or terrorist financing risk.

It is therefore a requirement of this Code that a financial business does not permitproducts where the customers name is not identified or where an obviouslyfictitious name is used.

- 22 -


23/64

Delivery risk

4.16 Delivery risk is the risk posed by the mechanism through which the businessrelationship is commenced and transacted.

The following indicate higher risk delivery mechanisms:

Indirect relationship with the customer, for example through the use ofintermediaries

Non face to face relationships

Country risk

4.17 Country risk is the risk posed by the geographic providence of the economicactivity of the business relationship. It should be noted that this is wider than the

residence of the applicant (or customer) and will include for example the placewhere the applicant is carrying on business.

4.18 Jurisdictions falling into one or more of the following categories should beconsidered as higher risk jurisdictions:

Jurisdictions that have inadequate safeguards in place against moneylaundering or terrorist financing;

Jurisdictions that have high levels of organised crime; those that havestrong links with terrorist activities; and those that are vulnerable tocorruption.

In assessing which jurisdictions may present a higher risk, regard should be hadto objective data published by the IMF, FATF, US Department of State(International Narcotics Control Strategy Report), Office of Foreign AssetsControl (OFAC), and Transparency International (Corruption Perception Index).

Customer Risk Assessment

4.19 A financial business may demonstrate an effective process to determine an initialcustomer risk assessment by taking into account:

the customer due diligence information obtained and the evaluation of thatinformation; and

inconsistencies between the customer due diligence information obtained,for example, between specific information concerning source of funds orsource of wealth, and the nature of transactions

4.20 The sophistication of the risk assessment process may be determined accordingto factors established by the business risk assessment.

- 23 -


24/64

Where it is appropriate to do so, risk may be assessed generically for applicantsand customers falling into similar categories.

4.21 The business of some financial businesses, their products, and customer base,can be relatively simple, involving few products, with most applicants or

customers falling into similar risk categories. In such circumstances, a simpleapproach, building on the risk that the business products are assessed topresent, may be appropriate for most customers, with the focus being on thosecustomers who fall outside the norm.

Others may have a greater level of business, but large numbers of theircustomers may be predominantly retail, served through delivery channels thatoffer the possibility of adopting a standardised approach to many procedures.Here too, the approach for most customers may be relatively straight forward -building on product risk.

A more complex system may be appropriate for diverse customer bases or

financial businesses with broad ranges of produces or services.

Keeping Due Diligence up to Date

4.22 It is important that due diligence information is kept up to date.

Requirement 8


where a financial business has assessed a customer relationshipas presenting higher risk, it must review and update its customerdue diligence information on at least an annual basis;

where a financial business has assessed a customer relationshipas presenting a normal or low risk, it must review and update itscustomer due diligence information on a risk sensitive basis, butnot less than once every five years.

4.23 Trigger events e.g. the opening of a new account, the purchase of a furtherproduct, or meeting with a customer may present a convenient opportunity toupdate customer due diligence information.

- 24 -


25/64

Enhanced Due Diligence

4.24 It may be necessary for a financial business to perform enhanced due diligence.

Requirement 9


where a financial business assesses a relationship or transactionas presenting a higher risk, the financial business must performenhanced due diligence.

where a relationship or transaction involves a politically exposedperson [see below], then a financial business must alwaysconsider that customer to present a higher risk.

Politically exposed persons [PEPs]

4.25 For the purposes of this Code, PEPs are natural persons who are, or who havebeen, entrusted with prominent public functions in a jurisdiction other than theTCI, and their immediate family members, or persons known to be closeassociates, of such persons.

This definition of PEP would include heads of state or of government, seniorpoliticians, senior government, judicial or military officials, senior executives ofpublicly owned enterprises and important political party officials.

PEPs, and members of their families and close associates, present a higher riskto a financial business because their position makes them vulnerable tocorruption. Although PEP status puts an applicant for business [or customer] intoa higher risk category, it does not, of itself, incriminate individuals or entities.

Requirement 10

It is a requirement of this Code that a financial business:

has appropriate risk-based procedures to determine whether a anapplicant for business or a customer is a PEP

obtain appropriate senior management approval for establishing ormaintaining business relationships with such customers;

take reasonable measures to establish the source of wealth andsource of funds of such customers; and

conduct enhanced ongoing monitoring of the business relationship.

- 25 -


26/64

4.26 The nature and scope of a financial businesss business will generally determinewhether the existence of PEPs in their customer base is an issue for it, andwhether it needs to consider screening all customers for this purpose.

4.27 Establishing whether individuals or legal entities qualify as PEPs is not alwaysstraightforward and can present difficulties. Where financial businesses need tocarry out specific checks, they may be able to rely on an internet search engine,or consult relevant reports and databases on corruption risk published byspecialised national, international, non-governmental and commercialorganisations. Resources such as the Transparency International CorruptionPerceptions Index, which ranks approximately 150 countries according to theirperceived level of corruption, may be helpful in terms of assessing the risk. Ifthere is a need to conduct more thorough checks, or if there is a high likelihood ofa financial business having PEPs for customers, subscription to a specialist PEPdatabase may be the only adequate risk mitigation tool.

4.28 New and existing customers may not initially meet the definition of a PEP. Thefinancial business should, as far as practicable, be alert to public informationrelating to possible changes in the status of its customers with regard to politicalexposure.

Identification and Verification of Identity

Introduction

4.29 It is necessary to obtain and verify identity:

At the outset of a customer relationship;

When there is a change in the identification information of a customer;

When there is a change in the beneficial ownership or control of a customer;and

When there is a change in the third parties (or beneficial ownership orcontrol of third parties) on whose behalf an applicant or customer acts.

Identification and verification requirements also apply where there is knowledgeor suspicion of money laundering or where there is doubt as to the evidence ofidentity that is already held.

4.30 As indicated above, the AMLR [regulation 4(4)] provide that satisfactory evidenceof identity is evidence which is reasonably capable of establishing and, to thesatisfaction of the person who obtains the evidence, does establish, that theapplicant for business is the person he claims to be.

In order to be satisfied that an applicant (or a customer) is the person that heclaims to be a financial business will need to be satisfied:

- 26 -


27/64

that, on the basis of appropriate identity information, the named personactually exists; and

that the applicant (or customer) is that person, by verifying from reliable,independent documentary or other acceptable evidence, satisfactoryconfirmatory evidence of appropriate parts of his identity.

4.31 The identity of a person has a number of different aspects. In respect of anindividual, identity includes the individuals full name (which may change), genderand date and place of birth. Other facts about an individual may also be relevant,including family circumstances and addresses, employment and career, contactswith Government and other authorities and with other financial institutions, in andoutside the TCI, and physical appearance. In respect of a legal entity, identity is acombination of its constitution, its business and its legal and ownership structure.

Nature of Evidence

4.32 Evidence of identity can take a number of forms. In respect of individuals, much

weight is placed on identity documents, such as passports, and these are oftenthe easiest way of being reasonably satisfied as to someones identity. It is,however, possible to be reasonably satisfied as to a customers identity based onother forms of confirmation, including, in appropriate circumstances, written orotherwise documented assurances from persons or organizations that have dealtwith the customer for some time.

4.33 Subject to the specific requirements of this Code, how much identity informationor evidence to ask for, and what to verify, in order to be reasonably satisfied as toa customers identity, are matters for the judgment of the financial business,which will depend upon the risk assessment of that relationship.

4.34 When verifying identity, a financial business will need to be prepared to accept arange of documents, and may wish to also use independent data sources toverify information.

4.35 Documentation providing evidence of identity may emanate from a number ofsources. These documents may differ in their integrity, reliability andindependence. Some are issued after due diligence on an individuals identityhas been undertaken, others are issued on request, without any such checksbeing carried out. Financial businesses should recognise that some documentsare more easily forged than others.

If a financial business is not familiar with the form of evidence obtained to verify

identity, it may be necessary for the financial business to take appropriatemeasures to satisfy itself that the evidence is genuine.

4.36 The procedures of financial businesses may provide for a range of documents tobe utilized to verify identity. Financial businesses may also employ electronicchecks to verify identity.

Independent data sources can provide a wide range of confirmatory materialwithout involving an applicant for business or customer, and are becoming

- 27 -


28/64

increasingly accessible, for example, through improved availability of publicinformation and the emergence of commercially available data sources such aselectronic databases and research firms. Sources include:

Registers of electors.

Telephone directories.

Credit reference agencies.

Business information services.

Electronic checks provided by commercial agencies

4.37 Where a financial business is seeking to verify identity using an independent datasource, whether by accessing the source directly or by using an independentthird party organisation (such as a credit reference agency), an understanding ofthe depth, breadth and quality of the data is important to ensure that the method

of verification does in fact provide satisfactory evidence of identity.

Requirement 10

It is a requirement of this Code that where a financial business intendsto use independent data sources to verify components of identity, itmust ensure that:

The source, scope and quality of the data are satisfactory. Atleast two matches of each component of an individuals identitymust be obtained.

Processes allow the financial business to capture and record theinformation used to verify identity.

The level of satisfaction required will depend on the extent the financial businessrelies on the independent data sources to obtain satisfactory evidence of identity.

4.38 Where a financial business intends to use data held by independent third partyorganisations to verify identity, the financial business may demonstrate that it hasensured that data is satisfactory where the organisation is registered with a data

protection agency and where the organisation:

uses a range of positive information sources that can be called upon to linkan applicant to both current and historical data;

accesses negative information sources such as databases relating to fraudand deceased persons;

accesses a wide range of alert data sources; and

- 28 -


29/64

has transparent processes that enable a financial business to know whatchecks have been carried out, what the results of these checks were and tobe able to determine the level of satisfaction provided by those checks.

Individuals

4.39 It is essential that a financial business undertakes identification and verificationprocedures with respect to an individual, not just where the individual is anapplicant for business.

Requirement 11


A financial business must undertake identification and verificationprocedures with respect to an individual where:

the individual is the applicant for business or a joint applicant forbusiness;

the individual is the beneficial owner or controller of an applicant forbusiness; or

the applicant is acting on behalf of the individual.

A financial business must, in every case, obtain the followinginformation with respect to an individual:

full legal name, any former names and any other names used

gender

principal residential address

date of birth.

If a financial business determines from its risk assessment that theindividual, the product or the delivery channel presents a higher level ofrisk, the financial business should obtain additional information with

respect to the individual.

4.40 Where a financial business determines from its risk assessment that theindividual, the product or the delivery channel presents a higher level of risk, thenature of the additional information obtained is a matter for the judgment of the

- 29 -


30/64

financial business, but in most cases it would be appropriate to obtain thefollowing:

nationality

place of birth

a unique personal identification number, such as passport number,social security number or similar, that is contained in an unexpiredofficial document.

As previously indicated, it is important that the identification evidence obtained iskept up to date.

Requirement 12

It is a requirement of this Code that a financial business must, in everycase, verify the following aspects of an individuals identity:

full legal name; and

principal residential address.

If a financial business determines from its risk assessment that theindividual, the product or the delivery channel presents a higher level ofrisk, the financial business must verify other aspects of the individualsidentity.

As previously indicated, it is important that the identification evidence obtained iskept up to date.

4.41 If a financial business determines from its risk assessment that the individual, theproduct or the delivery channel presents a higher level of risk, the additionalaspects of identity that a financial business verifies in such a case is a matter forthe judgment of the financial business, but in most cases it would be appropriatefor the financial business to verify at least the following:

nationality

date and place of birth

However, a financial business should consider carefully whether other aspects ofan individuals identity should also be verified. A financial business will not betaken to have complied with the regulatory requirement specified in thisparagraph by verifying only an individuals nationality and date and place of birth

- 30 -


31/64

if, as a result of the risk assessment, it would be reasonable for the financialbusiness to verify other aspects of the individuals identity.

4.42 If documentary evidence of an individuals identity is to provide a high level ofconfidence, it will typically have been issued by a government department oragency, or by a court, because there is a greater likelihood that the authorities

will have checked the existence and characteristics of the persons concerned. Incases where such documentary evidence of identity may not be available to anindividual, other evidence of identity may give the financial business reasonableconfidence in the customers identity, although the financial business shouldweigh these against the risks involved.

4.43 Non-government-issued documentary evidence complementing identity shouldnormally only be accepted if it originates from a public sector body or anotherregulated financial services entity, or is supplemented by knowledge that thefinancial business has of the person or entity, which it has documented.

4.44 Aspects of an individuals identity may be verified using the following

documentary evidence:

Aspect of identity Documentary evidence

Full name, date and place of birthand nationality

At least one of the following:

Current passport that providesphotographic evidence of identity

Current national identity card thatprovides photographic evidence ofidentity

Current driving licence that provides

photographic evidence of identity, butonly where the licensing authoritycarries out a check on the holdersidentity before issuing the licence

Independent data sources, includingelectronic sources

Principal residential address At least one of the following:

One of the sources of documentaryevidence that may be utilized to verifyfull name, date and place of birth and

nationality, provided that it containsthe individuals residential address andit has not been used to verify full name,date and place of birth and nationality

Correspondence from an independentsource, such as a central or localgovernment department or agency

An original current bank statementissued by a bank that is subject to

- 31 -


32/64

adequate regulation (but not astatement that has been printed off theInternet)

A current utility billA personal visit to the residential

address

Where, on the basis of its risk assessment, a financial business considers that anindividual, product and delivery channel are all low risk, the individuals full nameand residential address may be verified using one of the pieces of documentaryevidence that may be utilized to verify full name, date and place of birth andnationality.

Applicants for Business and Customers that are not Individuals

4.45 There is a wide range of potential applicants that are not individuals. Theseinclude legal bodies, such as companies, and trusts (which are not strictly entities

at all). The legal owners of legal entities may be specific individuals or other legalentities. However, the beneficial ownership may rest with others, either becausethe legal owner is acting for the beneficial owner, or because there is a legalobligation for the ownership to be registered in a particular way.

4.46 In deciding who the customer is where the applicant is not an individual, theobjective of a financial business must be to know who has control over the fundswhich form or otherwise relate to the relationship, and/or form the controllingmind and/or management of any legal entity involved in the funds. Thesubsequent judgment as to whose identity to verify will be made following a risk-based approach, and will take account of the number of individuals, the natureand distribution of their interests in the entity and the nature and extent of any

business, contractual or family relationship between them.

4.47 Certain information about the entity comprising the non-individual customershould be obtained as a standard requirement. Thereafter, on the basis of themoney laundering/terrorist financing risk assessed in the customer riskassessment, a financial business should decide the extent to which the identity ofthe entity and of specific individuals should be verified, using reliable,independent source documents, data or information. The financial businessshould also decide what additional information in respect of the entity and,potentially, some of the individuals behind it should be obtained.

4.48 Whilst information on an entitys website may be useful, financial businesses will

understand that that this information should be treated with caution as it has notbeen independently verified before being made publicly available on the Internet.

Non-Regulated Legal Entities

4.49 Where the applicant for business is a legal entity, a financial business shouldensure that it fully understands the legal form, structure and ownership of thelegal entity and should obtain sufficient additional information on the nature of theentitys business, and the reasons for seeking the product or service.

- 32 -


33/64

Requirement 13

It is a requirement of this Code that a financial business undertakesidentification and verification procedures with respect to a legal entity

where:

the legal entity is an applicant for business in its own right;

the legal entity is a beneficial owner or controller of an applicant forbusiness; or

the legal entity is a third party (underlying customer) on whose behalfan applicant for business is acting

For the purposes of this Code, legal body includes bodies corporate,foundations, partnerships, associations, or any similar bodies that can establish apermanent customer relationship with a financial business or otherwise ownproperty and it also includes incorporated and unincorporated clubs, societies,charities, church bodies, institutes, mutual and friendly societies, co-operativeand provident societies.

Requirement 14

It is a requirement of this Code that a financial business must, in everycase, obtain the following information with respect to a legal entity:

full name of entity

official registration or other identification number

date and place of incorporation, registration or formation

address of registered office in country of incorporation and mailingaddress, if different

principal place of business

identification information with respect to each director of the entityand with respect to each individual who is the ultimate beneficialowner of 25% or more of the entity.

- 33 -


34/64

4.50 However, if a financial business determines from its risk assessment that theentity, the product or the delivery channel presents a higher level of risk, thefinancial business must obtain additional information with respect to the entity.

The nature of the additional information obtained is a matter for the judgment ofthe financial business, but in most cases it would be appropriate to obtain the

following:

any trading names of the entity

identification information with respect to each individual who is theultimate beneficial owner of a material interest in the entity.

Requirement 15

It is a requirement of this Code that a financial business must, inevery case, verify at least the following aspects of a legal entitysidentity:

full name of entity

official registration or other identification number

date and place of incorporation, registration or formation.

It is important that the identification evidence obtained is kept up to date.

4.51 However, if a financial business determines from its risk assessment that thelegal entity, the product or the delivery channel presents a higher level of risk, thefinancial business must verify other aspects of the entitys identity.

The additional aspects of identity that a financial business verifies in such a caseis a matter for the judgment of the financial business, but in most cases it wouldbe appropriate for the financial business to verify at least the following:

address of registered office

principal place of business

4.52 However, a financial business should consider carefully whether other aspects ofan entitys identity should also be verified. A financial business will not be takento have complied with the above paragraph by verifying only an entitysnationality and date of incorporation if, as a result of the risk assessment, it wouldbe reasonable for the financial business to verify other aspects of its identity.

- 34 -


35/64

4.53 Unless a financial business has assessed a legal entity as low risk, it shouldverify the identity of the legal entity using two of the following:

Certificate of incorporation

Memorandum and articles of association, or equivalent constituting

document

A search of the relevant company registry

Latest audited financial statements

Independent data source.

Where, on the basis of its risk assessment, a financial business considers that alegal entity, product and delivery channel are all low risk, the legal entitys identitymay be verified using one of the sources set out above.

Requirement 16

It is a requirement of this Code that a financial business takesreasonable measures to verify the beneficial owners and controllers ofa legal entity and any changes in beneficial ownership and control.

4.54 A financial business may demonstrate that it has complied with the aboverequirement where it verifies the identity of:

Individuals who are the ultimate beneficial owners of 25% or more of theentity or, in the case of a legal entity that the financial business hasassessed as high risk, each individual who is the ultimate beneficial ownerof a material interest in the entity

4.55 Where, on the basis of its risk assessment, a financial business considers that alegal entity, product and delivery channel are all low risk, it may demonstrate thatit has complied with the above requirement where it verifies the identity of those

directors, or equivalent, who have authority to operate the relationship or to givethe financial business instructions concerning transactions.

4.56 Where a director (or equivalent) holds this role by virtue of his employment by (orposition in) a regulated TCI trust company, a financial business may demonstratethat it has taken reasonable measures to identify that person and to verify hisidentity where it obtains the following:

The full name of the director; and

- 35 -


36/64

An assurance from the trust company that the individual is an officer oremployee of the trust company.

Trusts, Foundations and Similar Entities

4.57 There are a wide variety of trusts, ranging from large, nationally andinternationally active organisations subject to a high degree of public interest andquasi-accountability, through trusts set up under testamentary arrangements, andtrusts established for wealth management purposes. It is important, in puttingproportionate anti-money laundering or prevention of terrorism financing systemsand procedures in place, and in carrying out their risk assessments, that financialbusinesses take account of the different money laundering or terrorist financingrisks that trusts of different sizes and areas of activity present.

4.58 Trusts are not separate legal entities it is the trustees collectively who are theapplicant (or customer). In these cases, the obligation to identify the applicant or

customer attaches to the trustees, rather than to the trust itself. The purpose andobjects of most trusts are set out in a trust deed.

4.59 A trustee will also have to be identified and verified where a trustee is thebeneficial owner or the controller of an applicant for business or is a third party onwhose behalf an applicant for business is acting.

4.60 A financial business is not required to establish the detailed terms of the trust, norrights of the beneficiaries.

Requirement 17

It is a requirement of this Code that a financial business must, in everycase, obtain the following information with respect to a trust:

Full name of the trust

Date and country of establishment

Nature and purpose of the trust (e.g., discretionary, testamentary,bare)

Identification information with respect to each trustee

Identification information with respect to the settler

Identification information with respect to any protectors.

- 36 -


37/64

4.61 However, if a financial business determines from its risk assessment that therelationship, the product or the delivery channel presents a higher level of risk,the financial business must obtain additional information with respect to the trust.

The nature of the additional information obtained is a matter for the judgment of

the financial business, but at a minimum, the financial business must obtainIdentification information of all beneficiaries with a vested right.

Requirement 18

It is a requirement of this Code that a financial business must, inevery case, verify the following with respect to a trust:

The name and date of establishment of the trust

The appointment of the trustee, and the nature of his/its duties

The identity of the trustee(s) of the trust and any subsequentchange in trustee(s).

Where the financial business has assessed the relationship to presenta higher risk, it must also verify the identity of all beneficiaries with avested right.

Applicants Acting for Third Parties

4.62 As considered earlier in this Code, an applicant for business often acts on behalfof a third party (e.g. on behalf of an underlying customer or customers). Wherethat applicant for business is a regulated person and also meets certain othercriteria detailed in regulations 5 or 6, then the exemptions in those regulationsmay apply.

4.63 Regulation 4(2)(c) of the AMLR provides that the procedures of a financialbusiness must require a determination to be made as to whether the applicantacts, or appears to act, for another person.

Where an applicant acts, or appears to act, for a third party, regulation 4(3) of the

AMLR provides that identification procedures must require that reasonablemeasures are taken for the purposes of establishing the identity of that otherperson. This does not remove the requirement to identify the applicant, unlessone of the exemptions is regulations 5 or 6 apply.

4.64 It is a requirement of this Code that where there is a subsequent change of athird party or the beneficial owners or controllers of a third party, the new thirdparty or new beneficial owners or controllers are identified and reasonablemeasures are taken to verify their identity.

- 37 -


38/64

Non-Face to Face Identification and Verification Procedures

4.65 Face to face to contact with an applicant presents the lowest risk to a financialbusiness. This is because face to face contact enables the staff of the financialbusiness to verify the likeness of the applicant to the photograph on the

documentary evidence and to identify any inconsistencies.

4.66 It follows that any mechanism that enables an applicant to apply for a productwithout face to face contact increases the risk to the financial business. Indeed,many financial businesses only accept applications remotely and do not offerthem the opportunity of attending the financial businesss premises. Non-face toface applications are now increasingly common as applications are made andaccepted by post, telephone or via the Internet.

Although applications and transactions undertaken across the internet may, inthemselves, not pose any greater risk than other non face-to-face business, suchas applications submitted by post, there are other factors that may, taken

together, aggravate the typical risks, for example:

the ease of access to the facility, regardless of time and location;

the ease of making multiple fictitious applications without incurring extra costor the risk of detection;

the absence of physical documents; and

the speed of electronic transactions.

4.67 The extent of verification in respect of non face-to-face applicants for business

will depend on the nature and characteristics of the product or service requestedand the assessed money laundering risk presented by the applicant. There aresome circumstances where the applicant is typically not physically present, suchas when purchasing some types of collective investments, which would not inthemselves increase the risk attaching to the transaction or activity. A financialbusiness should take account of such cases in developing their systems andprocedures.

4.68 Where an applicant approaches a financial business remotely (by post, telephoneor over the internet), the financial business should carry out non face-to-faceverification, either electronically or by reference to documents.

4.69 Non face-to-face identification and verification carries an inherent risk of identityfraud, and financial businesses should need to take appropriate steps to mitigatethis risk in accordance with the requirements and guidance set out below.

4.70 It is a requirement of this Code that in the case of a non face to face application,where identity is verified electronically, or copy documents are relied on, afinancial business should apply an additional verification check to manage therisk of identity fraud.

- 38 -


39/64

4.71 Additional checks may include:

requiring the first payment to be carried out through an account in thecustomers name with a bank supervised by the Commission or by a bankwhich is a foreign regulated person;

verifying additional aspects of the customers identity or due diligenceinformation;

telephone contact with the customer prior to establishing a businessrelationship on a home or business number which has been verified or awelcome call to the customer before transactions are permitted, using it toverify additional aspects of personal identity information that have beenpreviously provided;

communicating with the customer at an address that has been verified (suchcommunication may take the form of a direct mailing of account openingdocumentation to him, which, in full or in part, might be required to be

returned completed or acknowledged without alteration);

internet sign-on following verification procedures where the customer usessecurity codes, tokens, and/or other passwords which have been set upduring the establishment of the relationship provided by mail (or securedelivery) to the named individual at an independently verified address;

requiring copy documents to be certified by an appropriate person (seebelow).

Appropriate certifiers

4.72 Use of a certifier guards against the risk that copy documentation provided is nota true copy of the original document and that the documentation does notcorrespond to the applicant whose identity is to be verified. For certification to beeffective, the certifier will need to have seen the original documentation and,where documentation is to be used to provide satisfactory evidence of identity foran individual, have met the individual (where certifying evidence of identitycontaining a photograph). A suitable certifier will also be subject to professionalrules (or equivalent) providing for the integrity of his conduct.

- 39 -


40/64

Requirement 19

It is a requirement of this Code that a financial business does not accept adocument as certified by an appropriate person unless:

the certifier is independent of the individual, trust or legal body forwhich the certification is being provided, and is subject toprofessional rules of conduct, which provide comfort as to theintegrity of the certifier;

the certifier has certified that:

he has seen original documentation verifying identity and/orresidential address;

the copy of the document (which he certifies) is a completeand accurate copy of that original; and

where the documentation is to be used to verify identity of anindividual and contains a photograph, the photographcontained in the document certified bears a true likeness tothe individual requesting certification,

the certifier has signed and dated the copy document, and providedadequate information so that he may be contacted in the event of aquery;

in circumstances where the suitable certifier is located in a higher riskjurisdiction, or where the financial business has some doubts as to the

veracity of the information or documentation provided by the applicant,the financial business must take steps to check that the suitable certifieris real.

4.73 Appropriate certifiers may include:

a member of the judiciary, a senior public servant, or a serving policeor customs officer;

an officer of an embassy, consulate or high commission of the countryof issue of documentary evidence of identity;

a lawyer or notary public who is a member of a recognisedprofessional body;

an actuary who is a member of a recognised professional body;

an accountant who is a member of a recognised professional body;

- 40 -


41/64

- 41 -

a notary public or equivalent

a director, officer, or manager of a regulated person, or of a branch orsubsidiary of a group headquartered in a well-regulated jurisdictionwhich applies group standards to subsidiaries and branches

worldwide, and tests the application of and compliance with suchstandards.

The certifier should include his name, position or capacity, his address and atelephone number or email address at which he can be contacted.

Exceptions to the identification procedures

4.74 The AMLR provide for certain exceptions to the identification procedures.However, these exceptions do not apply where any person handling thetransaction on behalf of the financial business knows or suspects that theapplicant for business is engaged in money laundering.

The exceptions are set out in regulations 5 [introduced business] and regulation 6[other exceptions].

Introduced business

4.75 An applicant, or customer, may often have contact with two or more financialservices providers. This may be the case where the applicant or customer isintroduced by one provider to the other or where the applicant or customer dealswith one provider through the other.

Where the two or more service providers are regulated persons, there should beno need for each of them to request the same information from the samecustomer. This does not assist in the prevention or detection of money launderingor terrorist financing and is usually inconvenient to the applicant or customer. Thesame argument applies where one or more of the service providers is regulatedin a jurisdiction other than the TCI provided that it is subject to legal requirementsto prevent money laundering and terrorist financing that are equivalent to those inplace in the TCI.

4.76 Regulation 5 therefore provides that where an applicant for business isintroduced to a person carrying on a relevant business by a third party (theintroducer) who is

(a) a regulated person; or

(b) a foreign regulated person;

a written assurance from the introducer that evidence of the identity of theapplicant for business has been obtained and recorded in accordance withidentification procedures maintained by the introducer which comply with theRegulations or [in the case of a foreign regulated person] which comply with


42/64


43/64

Requirements of this Code

4.78 Regulation 5(1)(a) of the AMLR applies where the introducer is another regulatedperson or a foreign regulated person, but by virtue of the requirements of thisCode, only where it is obliged to obtain and verify the identity of the applicant or

customer.

Where regulation 5(1)(a) applies, a financial business may rely on the introducingregulated person, or foreign regulated person, to have conducted identificationprocedures to identify and verify the identity of its underlying customer.

The following regulatory requirements apply where a financial business seeks torely on the assurance of an introducing regulated person or foreign regulatedperson.

Requirement 21

It is a requirement of this Code that a financial business must not rely onthe introduced business exemption in regulation 5 of the AMLR, wherethe introducer is a regulated person or a foreign regulated personunless:

It has reasonable grounds for believing that the introducer is aregulated person or foreign regulated person

It has reasonable grounds for believing that the introducer has abusiness relationship with an applicant or customer which requires itto obtain and verify his identity

Where the introducer is a foreign regulated person, it has reasonablegrounds for believing that the introducer meets the criteria for aforeign regulated person as specified in the AMLR.

Note that the AMLR require any assurance obtained to be in writing.

4.79 It should be noted that, even if an introducer appears to be a person that thefinancial business is entitled to rely on, it should consider whether the risksassociated with the customer, transaction or business are such that the

introducer should not be relied upon, either in whole or in part or that the financialbusiness should carry out additional customer due diligence.

Group Introducers

4.80 Where an applicant or customer is introduced between different parts of thesame group, entities that are part of the group should be able to rely onidentification procedures conducted by that part of the group which first dealt withthe applicant or customer. One member of a group should be able to confirm to

- 43 -


44/64

another part of the group that the identity of the customer has been appropriatelyverified.

4.81 Where an applicant or customer is introduced by one member of a group toanother member of the group, it is not necessary for his identity to be re-verified,provided that:

the identity of the cust

aml terrorist financing code

Documents