In this article we examine how the UK's anti-money laundering regime impacts initial Know Your Customer (KYC) and ongoing Customer Due Diligence (CDD) requirements in the syndicated lending market. We will also look at the practical impact GDPR has had on the CDD process over the last year.
Lenders will be aware of the risk-based approach adopted in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the 2017 Regulations) which came into force on 26 June 2017.
The difficulty, or the benefit depending on your perspective, of a risk-based approach is that no one size fits all. Each firm must carry out its own risk assessment by reference to its customers, products or services, transactions, delivery channels and geographical areas of operation. When considering their policies, lenders can have regard to the (non-exhaustive) Risk Factor Guidelines issued by the European Supervisory Authorities as well as the sector-specific guidance from the Joint Money Laundering Steering Group (JMLSG). In addition, there is the FCA's Financial Crime Guide, which applies to regulated firms. This guide is non-binding and utilises the same risk-based proportionality approach found in the 2017 Regulations.
With the regulatory spotlight on this area, it is important to adhere to these regulatory obligations throughout the lifecycle of the customer relationship. 2019 has already seen Standard Chartered Bank fined over £102 million while another international bank was previously fined £896,100 and prevented from accepting deposits from new customers for 147 days for Anti-Money Laundering (AML) systems and controls breaches. The FCA has made it clear that these breaches will not be tolerated, given the emphasis placed on adherence over the past decade. So what are the risk assessments saying?
The initial KYC or CDD involves identifying and verifying the identity of the customer as well as assessing the intended nature of the business relationship or transaction.
The 2017 Regulations contain a list of information to be obtained during CDD. For a body corporate this includes:
In syndicated transactions, establishing who the 'customer' is and on which parties CDD must be carried out is more complicated than in bilateral lending. CDD parties include:
Regulation 39 of the 2017 Regulations expressly permits a firm to rely on CDD measures undertaken by another person/firm provided that person/firm is listed in Regulation 39(3). The relying firm however retains responsibility for any failure to comply with the 2017 Regulations. Whilst this option is available, in practice many syndicated lenders prefer to carry out their own CDD.
The JMLSG now provides expanded guidance on the specific AML risks associated with the lifecycle of a syndicated loan. While not binding it provides a useful indication of the regulators' and courts' expectations. The money laundering and terrorist financing risks associated with syndicated lending are generally considered to be low when compared to other types of lending. This is due in part to:
There was much fanfare prior to the GDPR coming into force on 25 May 2018. Commentators were nervous that the obligations placed on firms by the GDPR in relation to the processing of personal data would impinge on their ability to carry out CDD and ongoing monitoring effectively. Much has been written regarding the need to obtain the customer's consent to process their personal data. In reality the GDPR is much more permissive to the extent personal data is used to prevent or monitor financial crime. Firms will often act as controllers of personal data and in addition to the consent 'gateway' the GDPR also permits (i) processing which is necessary for compliance with a legal obligation to which the controller is subject and (ii) processing which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Regardless of which lawful basis is relied on for the processing of customer personal data, it is recommended that you properly document the consideration of GDPR issues and, in particular, the decisions made in relation to your firm's data processing in respect of CDD and AML monitoring. In order to demonstrate compliance, this may include ensuring you retain adequate records of obtaining consent, documentation as to what legal obligation is being complied with and, in the case of legitimate interests, ensuring you have conducted a legitimate interest assessment.
Contributor: Jemma Shanks
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2019. Specific advice should be sought for specific cases. For more information see our terms and conditions.
27 June 2019
by Paul Gair