
The ABC of KYC

Emma Radmore, Dentons, Partner, London, 28 February 2014

The winner of the Compliance Register's recent award for "best regulatory lawyer in the UK" considers the wide-ranging implications of a private bank's or asset-manager's duty to know its customer and the consequences if one piece of the jigsaw is missing. In this 'back to basics' excursus, the building blocks of KYC/CDD are laid bare.

At all regulated firms, compliance problems are constantly growing and evolving. In the UK, the Financial Conduct Authority's recent spate of thematic reviews (and the resulting enforcement notices) has revealed a redoubled regulatory interest in the risks that specific market sectors pose to the fight against dirty money. Emma Radmore from Dentons considers the wide-ranging implications of a private bank's or asset-manager's duty to know its customer and the consequences if one piece of the jigsaw is missing.

All the pieces of the jigsaw together

Private banking and wealth management businesses take a variety of forms, but in principle at least they all have several things in common – in particular the nature of the customers for their services and the products and services that those customers typically want.

If we look at the KYC problem in the most reductionistic way, two branches of regulation dominate the scene, regardless of the business model:

  • financial crime prevention; and

  • conduct-of-business issues.

In each of these categories there is a vast array of rules and guidance – and not just from the FCA – with which firms must grapple in their attempts to come up with a holistic approach to compliance and compliance monitoring which complies with both the vaguest principles and the most detailed, involved minutiae to be found in rules.

Financial crime prevention

Firms are always struggling to comply with the diverse requirements of both the law – they can be and often are sued for negligence – and of regulatory expectation. As they attempt to make a success of this balancing act, they focus mainly on ensuring that the correct amount of 'customer due diligence' (CDD, a term that the Basel Committee on Banking Supervision invented at the beginning of the century in its desire to come up with a synonym for KYC) takes place at the outset of the relationship with each customer and at periodic stages thereafter if this is called for. But in terms of legal and regulatory requirements, every private bank or asset management firm should have a checklist to ensure that it observes the right standards for:

  • enforcing sanctions;

  • the prevention of money laundering, both in terms of CDD and in the reporting and handling of suspicions;

  • the prevention of bribery and corruption; and

  • dealing with fraud – and we should note here that new media are constantly evolving and presenting fraudsters with opportunities to impersonate their victims and defraud them in new ways.

Some of these present more challenges than others. Let us take each in turn.

Sanctions

Compliance with the laws that govern financial sanctions demands an approach that differs from other financial crime compliance, largely because risk management and the general weighing-up of regulatory risks is not called for at all. The patchwork of primary and secondary legislation that makes up the UK's sanctions regime demands that no person should make funds or economic resources available to any person on the consolidated list, or for the benefit of any such person, or do anything to circumvent these restrictions. It is an offence to make such funds or resources available in the knowledge (or having reasonable cause to suspect) that this is so. And this is only the UK sanctions; many firms find themselves legally or commercially obliged to take account of the sanctions regimes of other countries in their compliance programmes.

What does this mean for firms? Obviously it means that they ought to know their direct customers and should also undertake a reasonable assessment of any other person who may benefit. If the customer is a trust or special purpose vehicle, or if the direct customer or beneficiary is a high-net-worth overseas 'national' or resident, or if a politically exposed person (PEP) is involved, the firm in question must do extensive research. The more research it has to do, the greater the risk it runs of battling against secrecy laws and customers who are unwilling to provide it with the details for which it asks.

Once the firm has decided whom not to provide with funds or economic resources, it ought to think of how to prove to the regulators that it has no way of knowing or reasonably suspecting that it is providing the wrong people or firms with those things. Although nothing in the relevant British law explicitly requires any firm to follow a screening policy, this is obviously the only reliable way in which it can defend itself against an allegation that it has flouted sanctions in the event that its funds have been proven to have found their way into the hands of a government-blacklisted person such as a US 'specially designated national.' Every firm should long ago have been disabused of such misconceptions as, for example, the idea that no screening is required if its customers have dropped below a certain number, or that screening need not take place because no resident or citizen of the UK on its books is also on the sanctions lists, or that its obligation to screen customers applies only to specific products.

The Financial Conduct Authority's “Financial Crime Guide” makes the regulator's expectations clear. It is up to financial institutions how (and how often) they screen people and firms, but their decisions must be made and supported at the highest levels. To that extent, and that extent only, can, and indeed should, they base their decisions on assessments of risk. The guide also makes it clear that the FCA expects to see human involvement at least at some level. It expects firms to ensure that their screening software is calibrated properly. Finally, it tells firms never to assume anything – and particularly never to assume that they need not conduct screening because other firms in the so-called 'customer chain' have probably done so already.

Money-laundering control

Money-laundering control is usually the first compliance issue that springs to mind in private banking and wealth management. This is hardly surprising when one thinks of the high fines that regulators have levied against private banks for poor anti-money-laundering (AML) systems and controls. Firms have to obtain the right information to understand both their customers and the customers' businesses or investment needs and profile. In this sector, this can be difficult for many reasons, including some already mentioned above. Key obstacles can come with:

  • opaque trust-based structures, often in tax havens;

  • relationships with PEPs;

  • reluctance to divulge information, whether because of bank secrecy or confidentiality laws in other jurisdictions or simply because of cultural differences; and

  • known links to jurisdictions where corruption is prevalent.

In view of the nature of the services, the relationship manager will also often become close to the client. This can cause problems if he or she becomes reluctant to dig out 'awkward' information or turns a blind eye to activity that may merit further investigation and possibly a suspicious transaction report (STR). If an STR is made, the nature of the private bank's relationship with the customer could also make the job of dealing with the customer while waiting for a response from the National Crime Agency (NCA) difficult, in terms of striking the line between compliance with ethical standards and 'tipping off'. The relationship manager is clearly the crucial figure in his firm's attempts to apply the correct levels of CDD and monitoring. It is important for the firm to understand the customer's aims and his preference for any unusual structures if it wants to decide whether there is a genuine reason for opacity and to establish the ultimate beneficial owner(s). These concerns, according to the Joint Money Laundering Steering Group (JMLSG) Guidance (which provides an in-depth, official interpretation of the Money Laundering Regulations 1993, as amended many times), dictate that wealth management CDD must perforce take place at a more detailed level than 'normal' retail banking diligence. Firms whose customer relationship begins with a more low-risk service should have systems and controls in place to react to any change in the relationship. Such a change might occur if, for example, the firm starts to provide more risky services.

Added to this, a high proportion of wealth management business may take place with no face-to-face contact, which brings with it a greater need to guard against impersonation fraud and the other 'cyber-criminal' risks that this business presents.

Bribery and corruption risk

Firms' risks from bribery and corruption commonly focus on the distribution chain. However, no-one should discount the risk that clients may pose. As we have seen, many wealth management clients are based in, or have strong links with, jurisdictions that are traditionally at the mercy of corrupt practices. Firms must always be aware that if they deal with funds that a client has obtained as a result of corruption, there is a risk that they will be held to have handled laundered funds and therefore to have committed a money-laundering offence. For that reason, it is important that any KYC or CDD directed at clients should take the risk the firm runs of being exposed to corruption into account.

Additionally, firms should be aware of the risks they take on when they offer gifts or hospitality to clients who are PEPs. They must, at least, ensure that such a client's PEP connections are not relevant to the entertainment that he or she is receiving (for example if the PEP is a foreign public official and the firm is tendering to provide services to that PEP's governmental department).

Fraud and other risks

The FCA undertook a thematic review in August 2013 that set out the main risks that mobile banking and payments present. The resulting report, which is of particular relevance to the private wealth sector, noted that new risks have arisen with the increase in m-commerce and m-payments. Not all of the risks are the same as those of internet banking and the review noted specific dangers in relation to:

  • fraud – for both firms and customers, but the FCA is concerned mainly with the risk of fraud against consumers;

  • security and the risk of malware and viruses;

  • the use of third parties, specifically in the chain of responsibility for problems or losses that occur;

  • consumer awareness and understanding, with the FCA being very concerned that the smaller screens and limited keypads of smartphones and tablets might make consumers more likely to err;

  • risk of IT failure and service interruption; and

  • anti-money laundering systems and controls, particularly when mobile banking services are not linked to the customer's current account.

The FCA's plan was to visit a sample of high street banks and other firms that provided mobile banking services to assess the ways in which they were trying to offset these risks. The regulator will report again on the subject in mid-2014 but in the meantime encourages all providers to consider the risks and how to offset them.

The FCA's worries

The FCA has recently made its concerns clear in the thematic review on AML and anti-bribery and corruption (ABC) systems and controls that it published in October 2013. For the review, it focused on 22 firms in the asset management and platform sector, but many of the concerns it uncovered there are bound to apply equally to the private banking and wealth management sector. The report notes the specific AML and ABC risks in the sector, including:

  • non face-to-face business;

  • customers from, or with links to, highly risky jurisdictions;

  • wealthy or powerful clients;

  • the use of offshore structures;

  • large or unexpected transactions; and

  • unexplained payments to third parties.

The FCA was disappointed with the results of the review. It found some good practices but said that it had expected the industry to have done more to evolve suitable systems and controls. It was particularly concerned about inadequacies at firms that were part of larger financial groups, some of which had previously attracted regulatory attention. Among the key concerns were:

  • their inability to show that senior managers were overseeing things and challenging whatever they did not like;

  • the tendency of firms to deal with AML and bribery and corruption risks as a compliance matter rather than as part of proactive risk management;

  • the absence at some firms of proper controls to record the risks posed by new customers, which meant that enhanced due diligence (EDD) did not always take place when it should;

  • the frequent inability of firms to measure and monitor the risks they identified;

  • a tendency to regard a long-standing relationship as a substitute for keeping 'due diligence' up to date;

  • a frequent failure to check the source of funds properly;

  • a frequent failure to demonstrate the existence of adequate systems and controls for assessing bribery and corruption risks in third-party relationships; and

  • an absence of properly tailored training programmes.

The FCA said that it expected all firms to consider these findings and take action to improve their AML and bribery and corruption prevention systems and controls where necessary. It plans to 'follow up' with some firms.

Conduct-of-business risks

Financial crime prevention, however, is not the only KYC-type concern for the sector. Increasingly, the FCA is focusing on compliance with its principles (both the “statements of principle and code of practice for approved persons” or APER and the “principles for business” or PRIN) and several specific conduct-of-business (COBS) rules relating to fair dealings with customers. Firms ought to consider, in particular:

  • the post Retail Distribution Review (RDR) rules, when advising on retail investment products. In particular, each firm must ensure that it is providing customers with the right disclosures at the right times, that it is clear what range of providers and products its model includes, and that the charging structure is clear and compliant;

  • inducements and conflicts of interest, especially where the advisory firm is receiving products, services or other benefits from a third party, be it a product provider, platform provider or other intermediary. Also, the role of the relationship manager is important here – it is particularly vital that the manager should not be given any monetary incentive to turn a blind eye to potential financial crime issues or to recommend unsuitable or potentially unsuitable products; and

  • the rules on suitability and appropriateness. In several recent enforcement actions the FCA has demonstrated that it will not hesitate to take action if it feels customers have been sold products in an inappropriate way or have been sold unsuitable products. Add to this the recent additional restrictions on the promotion of unregulated collective investment schemes, and the newly expressed concerns of the European Securities and Markets Authority that firms are not complying properly with the requirements of the Markets in Financial Instruments Directive (MiFID) when selling complex products, and the potential for misselling widens considerably.

Of course, further change is afoot. Those firms that include regulated mortgages within their product range must prepare for compliance with the significantly changed rules the mortgage market review (MMR) will bring from the end of April, and those that include consumer credit and related services will be preparing to adapt to FCA regulation from the beginning of April. And that is even without considering the changes close to agreement in the EU, in particular the changes to MiFID, the Insurance Mediation Directive and the new Packaged Retail Investment Products (PRIPs) Regulation.

Conduct-of-business: the FCA's worries

Also in October, John Griffith-Jones of the FCA spoke to the Wealth Management Association about the regulator's crusade to protect consumers – including high-net-worth individuals – from sharp practice. He focused on the importance of good business models, especially those that placed great importance on 'consumer interest', and said that the FCA would be looking at:

  • the consequences of the Retail Distribution Review (RDR) and in particular how firms are filling the "advice gap";

  • suitability, with a particular emphasis on firms keeping documents that show that they have considered suitability properly; and

  • compliance with anti-money-laundering (AML) requirements.

As we have seen many times, the FCA is always looking to see how firms can produce evidence that they have complied with suitability requirements. The extended 'skilled persons' powers introduced in April 2013 may give the regulator more opportunities to conduct in-depth compliance reviews at firms.

A checklist for private bankers?

The message from the FCA, then, is clear. It wants to see compliance, but it wants that compliance to be holistic and in line with each firm's risk management strategies and policies. Firms must assess the risks to their businesses from many angles and must then design policies and procedures that are 'fit for purpose'. For services and products commonly offered by private bankers and wealth managers, this means getting and keeping a thorough understanding of who the clients are, what they want, and how they want to achieve it. The information firms keep, and the way they analyse that information, are crucial both to the prevention of and fight against financial crime and to the UK's conduct-of-business rules. Enforcement notices to date in this field have focused on poor AML controls (particularly regarding PEPs) and, increasingly, on suitability. There is no sign of any let-up in principles-based enforcement and the recent reviews and speeches we have mentioned should give firms an indication of where the FCA is planning to focus its supervisory resources.

* Emma Radmore (Managing Associate) is a member of Dentons’ Financial Services and Funds practice in London. She can be reached on +44 (0)20 7246 7000 or at emma.radmore@dentons.com.
