BAMF Guidance Document

Request

• Which must be from a reliable source independent of the customer e.g. Driving License.
• Documents should include a minimum of information.
• For example their full name, residential address and date of birth.
• What we receive must also help us verify identity, more on that shortly.

• Asking for highly personal information may raise concerns about safety, security, storage and use...
• Regulation such as GDPR requires how and what you do with the information you collect is documented and easily accessible to customers.
• Sales teams will require guidance and process to ensure a consistent customer experience.
• Dealing with new or unknown clients without having met face-to-face makes accurate verification of identity difficult. Asking for a driving license alone will not be sufficient for verification.

• Have you decided how you are informing and educating your clients about these changes and is it clear to them what yours and their obligations are?
• Do you have a Privacy Policy that explains what you are doing with the information you collect that is readily and easily accessible to clients and sales teams?
• Have you defined what you’re going to require to verify the identity of new and unknown clients?
• Is your sales team supported by a process and method to make it easy for them to nurture clients around the requesting of this information?

Verify

• Cybercriminals routinely hack into email accounts and intercept invoices. Receiving ID documents and other sensitive material through a non-secure channel like email, puts your clients information at risk.
• While useful for helping you spot fraudulent documents, coverage for Electronic ID verification services isn’t International, nor do they help you confirm that the person submitting the ID document to you is the legitimate document owner. Consider criminals who present stolen cards, while the card is legitimate, the person presenting the card is not.
• While one of the most accurate ways to verify identity, credit checks are the most intrusive method. You do not have an obligation to carry out credit checks and if you do, you will have to inform your customers that you are carrying out these checks.
• Saving ID documents on mobile phones or in inboxes makes the information vulnerable to theft or data corruption, while inaccessible to other members of the team For example - accounts, client services or operations.
• Making it cumbersome or unsafe for your client to submit their information may be detrimental to the relationship and could delay the sale. Ideally we want to minimise the amount of work the client has to do.
• Teams must be confident in using multiple different document types to verify identity.

• Have you determined how you’re going to receive documents securely outside email or mobile phones?
• Are you making it easy and secure for clients to share their information with you in a manner that is aligned with the customer experience you want to provide?
• Are you collecting at least two forms of proof of address from other regulated sectors e.g. Bank statement and utility bill?Is the information you receive, centralised and immediately available to other members of the team that might require access?
• Can the information be viewed on different devices and across multiple locations?
• Are teams regularly deleting any sensitive information from inboxes or their devices?
• Do you or your teams have access to guidance from the Home Office that may help them identify fraudulent identity documents?

How to detect basic forgeries in Identity Documents from the Home Office

Analyse

• Use a mixture of positive and negative information from a wide-range of data sources
• Assess whether or not there are any ‘red flags’.
• Determine if the client is Politically Exposed, is linked to a politically exposed person, is sanctioned or on any high-risk registers. Consider jurisdictional risk, or to which the client has links.
• Determine an appropriate course of action on a case-by-case basis. E.g. Carry out Enhanced Due Diligence.
• Ensure the Money Laundering Officer, or Deputy - in absence of the Officer - report any suspected suspicious activity identified by staff to the National Crime Agency and file a Suspicious Activity Report.

• Accurately assessing risk using multiple sources of information, available via different services takes time to collate and everything needs to be thoroughly documented.
• Correctly identifying ‘Red Flags’ in a context where there has been no prior experience in compliance or customer risk makes judgement difficult across the business.
• When dealing with a high-risk country Enhanced Due Diligence will be required. Electing decisions to a senior member of the business removes autonomy from sales teams and creates a bottle-neck if there are large numbers of customers to analyse.
  
• Where there are Red Flags, or suspected ‘foul play’ you’re likely going to need to create an alibi which will be relayed to the client so as to avoid ‘Tipping Off’.
• Failing to file a Suspicious Activity Report with the National Crime Agency if Money-Laundering is suspected is a Criminal Offence.
• Where there are multiple members of a team - or a large number of clients to analyse, for example before an auction - the likelihood for ‘human error’ and incorrect judgement is much greater.

• Have you identified a wide-range of data sources that are dependable and independent of the client?
• Do you feel comfortable and confident in identifying any ‘Red Flags’ when analysing customer information?
• Do you have any risk-based rules and criteria available to help guide your decision making?
  
• Can you accurately identify if your client is a Politically Exposed Person, or is linked to someone from the political sphere?
• Is it easy for your team to see if the client is Sanctioned or on any High-Risk registers?
• Where there are multiple members of a team - or a large number of clients to analyse, for example before an auction - the likelihood for ‘human error’ and incorrect judgement is much greater.Are you able to assess country risk easily and are you aware which countries are considered higher risk than others and require Enhanced Due Diligence?
• If teams are analysing lots of client information do you have measures in place to ensure any ‘Red Flags’ are automatically elected to the Money Laundering Officer or Deputy to avoid human error?
• Should you identify suspected suspicious activity, do you have an ‘alibi’ and process documented to help you deal with the situation?
• Are you clear on how to file a Suspicious Activity Report with the National Crime Agency?

Store

• Documentation and all supporting evidence received for Customer Due Diligence.
• Details of transactions with clients over a 5 year period.Details on occasional transactions with clients over a 5 year period.
• A report indicating actions taken if you suspect any suspicious activity which can be shared with the National Crime Agency.
  
• A report indicating actions taken and information considered if you decide it is safe to proceed with the transaction which can be shared externally.
  
• Any evidence of Customer Due Diligence where you have relied on another business over a 5 year period.

• Storing ID documents - physically or digitally - means you are responsible for the safety of the information and liable in the event it is stolen or compromised.
• Documenting and the creation of Customer Due Diligence reports requires organisation, on-going management and maintenance so that it is accurate, accessible to all members of a team and up-to-date.
• If information is saved locally on one computer, there is a possibility the information could become corrupted and is more vulnerable to theft or loss.
  
• Nominated officers should be regularly updated and aware of decisions and actions staff are taking when carrying out Customer Due Diligence.
  
• All documents, reports and evidence will need to be in a format that can be shared externally - and securely - as and when required.
  

• Do you have a secure, encrypted method of storage that is accessible to all members of staff that are dealing with clients?
• Have you defined a reporting process, what does this look like and how will it be delivered to your team?
• Is there a central, secure facility that offers nominated officers with an up-to-date picture of the businesses reporting?
  
• Do you have a process in place that will enable you to routinely - or automatically - back-up your reports and evidence of Due Diligence?
  
• Are you able to easily export or share reports and evidence of due diligence internally - or externally - through a secure channel?
  

File a Suspicious Activity Report with the National Crime Agency

Recommendations

• Document where change will occur to make it easier for you and your team to get up to speed.
• Draft a Security and Privacy Policy.
• Provide a secure, encrypted method to receive documents outside of email or text message.
• Be sure to collect two forms of proof of address from other regulated sectors to verify identity.
• Use guidance from the Home Office to help teams identify fraudulent ID documents.Centralise information so everyone has easy access.
  
• Familiarise yourself with ‘Red Flags’ and high-risk jurisdictions.
  
• Define risk-based criteria to help guide your decision making.
  
• Utilise governmental data to find out if someone is linked to, is Politically Exposed, on any sanctions or high-risk registers.
  
• Use a wide-range of ‘positive’ and ‘negative’ data sources to help in instances where Enhanced Due Diligence is required. Use an encrypted method of storage, do not store information on one computer locally and ensure regular back-ups are made.
  
• Ensure evidence of Due Diligence is easily shared and exported.
  

Guidance and Regulation

• Carry out customer due diligence measures on customers before they conclude a transaction
• Report suspicious transactions to the authoritiesKeep appropriate records of customer due diligence and of transactions

• Copies of evidence obtained to satisfy CDD obligations and details of customer transactions for at least five years after the end of the business relationship
• Details of occasional transactions for at least five years from the date of the transaction
• Details of actions taken in respect of internal and external suspicion reports
• Details of information considered by the nominated officer in respect of an internal report, where the nominated officer does not make a suspicious activity report
• Copies of the evidence obtained if the AMP is relied on by another person to carry out CDD, for five years from the date that the other person’s relationship with the AMP ends

• Obtaining or viewing original documents and ensuring that they are valid and genuine, by comparing them to published, authoritative guidance that outlines security features (which protect against forgeries)
• Comparing the likeness of the person to the document (for example, photograph comparison or comparison of information)
• Conducting electronic verification through a scheme which properly establishes the customer’s identity, not just that the customer exists
• Obtaining information from another person in the regulated sector (for example, from a bank), that can be used in conjunction with other documents and information to prove a customer’s legitimacy over time, or to provide other positive or negative information.
  

• Regulation 35(12)(b) 5.170;
• Regulation 35(12)(c) 5.171;
• Regulation 35(15) 5.173;
• Regulation 35(1), (5) 5.174;
  
• Regulation 35(3), (4) 5.179;
  

• where they know or
• where they suspect or
• where they have reasonable grounds for knowing or suspecting that a person is engaged in, or attempting, money laundering or terrorist financing.

• Regulation 39(7) 5.199;
• Regulation 39(7) 5.200;
• Regulation 39(7) 5.201;
• Regulation 39(7) 5.202;
• Regulation 39(7) 5.203;
• Regulation 39(3) 5.206;