Mastering AML compliance: Q&A for Estate Agents
Harriet Holmes
AML Services Manager
I recently spoke on our webinar, "Mastering AML Compliance: Q&A for Estate Agents" and answered many questions about anti-money laundering compliance. You can find a summary of my responses below. You can also watch the full webinar back at a time that suits you.
Verifying identity and addresses
I don’t want to annoy my client. How do I explain what they need to do and make it as painless as possible? If I do not get the information do I advise lawyers and try to stop the transaction?
Purchasing property in the UK is a common method that organised criminals use to launder money from their criminal activities.
Due to the large size and high value of the UK property market, a single transaction can 'clean' extremely large amounts of criminal funds, making it appear as though the money was acquired legitimately.
There is a misconception that money laundering is victimless. Nothing could be further from the truth. The misconception is driven by the criminals and the notion that victims of money laundering are reimbursed for the financial crimes perpetrated against them. However, this is not always the case; it only extends to monetary loss and it isn’t just about the money involved. There are huge emotional and psychological impacts on people, people like me, you and all our family and friends. It blights our economy, society and our communities.
The true cost is borne by the victims of the crimes which generate dirty cash. Drug dealing and trafficking, fraud, modern slavery, cybercrime, and corruption, among so many others, all leave a wake of suffering, and it is this that together we are all fighting to stop.
Whilst none of us are the police, we do have a part to play as gatekeepers. By undertaking the necessary due diligence, we can together protect society from fraud and money laundering.
Giving clients something to get behind will ultimately help them get on board. Don’t just blame the law or the compliance team. Be passionate about the mission and your role.
Ultimately, Regulation 31 provides that if you cannot complete CDD you cannot establish a business relationship with a client.
At the moment I take a copy of my client's passport, utility bills and Google them. Is this enough?
It is great that the firm has measures in place and is thinking about fraud and AML compliance and how they can play their part in making a safer society for us all. I would put a question back to the person who asked: what are the risks you are trying to mitigate, and do these steps go far enough to achieve the right mitigation? When we think about the risk of fraud, what steps can we implement? Often these are thoughts and considerations documented in your firm-wide risk assessment. The whole ethos of the regulations is centred on a risk-based approach, so the depth and time spent should always be proportionate to your risk assessment and ultimately the risk exposure.
Let's focus on the three core initial stages of CDD. There are other elements, such as ongoing monitoring and purpose and nature, but the first three to discuss are:
Identification
Verification
Risk Assessment
What are the risks?
If you are meeting a client face to face and getting hands-on with original documents, this may be a consideration for your risk assessment. But be alive to the risks. Do you think your team would spot a forgery or know what hallmarks to look for? Do you offer training and support? You should check the documents to satisfy yourself of the person’s identity. This may include, but is not limited to, checking spelling, validity, photo likeness, address match and other anomalies.
Where the delivery of your services is at a distance and you see only copies, again consider the risks. What is the reason for not meeting a client face-to-face? Does this create additional risk which should be taken into account?
There are also other elements that you would need to consider here, such as PEP and Sanctions screening. Google is a great tool when it is used correctly. Are you confident that the net is being cast in the right direction? It might need numerous searches with different keywords. You need to look deeper than the first page of results due to the nature of Google.
Whatever steps you take, ensure these are carefully recorded as to how the evidence was checked and the outcome of the verification process.
How do I verify the address of an overseas client?
Verifying your client's address is an essential component of the customer due diligence process. When dealing with clients who live outside the UK, it can be much harder to obtain a level of verification.
Solutions like Thirdfort can help support regulated professionals in meeting their obligations when clients are based overseas, verifying the individuals and, as part of that, undertaking address verification. It works in the same way as domestic address verification depending on the jurisdiction; high-quality data sources enable electronic verification of a client's residential address.
Where that is not possible, firms often ask for certified copies of proof of address from clients. According to the National risk assessment of money laundering and terrorist financing 2020, paragraph 10.13, notary services could be exploited for money laundering purposes by knowingly or unknowingly verifying forged documents.
Depending on the wording of the certification, you may still need to verify the client's identity: anyone can take documents and have them certified. It does not have to be the person to whom they truly belong.
How can you manage this risk in practice? Firstly, you should ensure that internal guidance explicitly refers to certification and provides the exact wording required to achieve compliance.
Secondly, you should consider who you rely on to carry out the certification. We often see examples where the identity and credentials of the certifier are impossible to obtain, for example, an employee of the Post Office.
When establishing your verification process, you must carefully consider the following questions:
How will you verify the certifier?
What training has that certifier received?
Are you confident they understand the significance of certification?
Is there a risk that they may not be independent or could be influenced?
It is best practice for firms to limit who can be relied upon for certification, i.e. which occupations are acceptable to meet your requirements. You must be confident that you can locate the certifier again in the future and that they understand the significance of certification.
I have more and more clients from China. What advice can you offer?
I would recommend that you take a look at a guidance note issued by the Legal Sector Affinity Group, as this is fairly detailed and covers the risks, red flags and considerations.
Please could you define Safe Harbour?
The Digital ID Standard is an enhanced level of check and is defined by reference to a set of requirements.
The standard is founded on the principles within the Government’s Good Practice Guide (GPG45). The requirements involve biometric and cryptographic checking of identity and verification that the individual(s) are genuine parties to a registrable transaction.
When followed correctly, the standard constitutes what is regarded by HMLR as a ‘discharge of the duty’ to verify the identity of a party to a registrable transaction.
A conveyancer and/or conveyancing firm that adopts this approach will have fulfilled their obligation to take reasonable steps in relation to the requirement to verify their client’s identity. In other words, the conveyancer will reach ‘Safe Harbour’.
If selling a property for someone in a nursing home who has given power of attorney to two solicitors who have instructed me, do I have to do checks on them? I have the Power of Attorney documentation.
A power of attorney gives someone the right to make or help make decisions about another person’s property, including selling their home. As the attorneys in this instance are solicitors appointed in their professional capacity, it is a little easier for us to verify them. You should ensure you validate their regulation on the SRA website.
The requirement to obtain suitable verification should not preclude access to legal services, especially to vulnerable, elderly or disadvantaged clients. In these situations, where it is not possible to obtain such documents, consider the reliability of other sources and the risks associated with the client and the matter.
Clients in care homes, for example, might be able to provide a letter from the manager.
Should we do ownership checks on landlords, even though the rent is below the AML threshold?
If the rent is below the threshold set, then the matter and client fall outside of the regulated sectors. There is a business decision to make here. Often firms do apply a firm-wide approach regardless of the threshold to ensure they are doing the right thing and know the clients they are working for. There are many wider-reaching benefits here beyond anti-money laundering. Confirming ownership and the identity of the landlord makes sure they're genuine and the property is let legitimately. For a property owner (like a landlord), it's crucial to link the verified person to the property they claim to be associated with. This provides peace of mind and reduces the risk of dealing with a property that they don't have a real interest in.
Dealing with PEPs
What do you do once you have identified someone is a PEP?
If your client is a PEP, you should apply enhanced due diligence measures.
Under regulation 35 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), if your client is a PEP you must:
Get senior management approval for the business relationship.
Take adequate measures to establish the source of wealth and source of funds.
Closely monitor the business relationship throughout.
But not all political roles are created equal. The risk of, and opportunity for, corruption will differ between PEPs, depending on the role.
You can apply a risk-based approach, taking into consideration:
The location of the PEP.
The prominence of the PEP’s public function.
The nature of their business relationship.
The potential for misuse of their position.
Any other relevant factors, such as amount of time in office, connections, previous roles.
There will be higher and lower risk PEPs and this judgement should form part of our risk assessment. A change in the law in January 2024 was made to cement the idea and concept of a risk-based approach when dealing with PEPs. From January 10th 2024, the starting point when considering the treatment of domestic PEPs should be to treat them as inherently lower-risk than non-domestic PEPs. This means there should be a lower level of enhanced due diligence for domestic PEPs compared to non-domestic PEPs (unless other risk factors are present).
The changes don’t mean no enhanced due diligence is required, but just that the nature and extent should be appropriate to the risk.
"These requirements are preventive (not criminal) in nature, and should not be interpreted as stigmatising PEPs as such being involved in criminal activity."
Financial Action Task Force (FATF)
Source of funds (SoF)
What does HMRC expect regulated property businesses to collect as proof of funds for a transaction? How far back should we go? Is 3 months' worth of bank statements OK or do I need 6?
I think it is important to understand what we are talking about here: proof of funds and source of funds can be confused. An estate agent may ask about funds at different stages in a relationship with the client, ultimately with different objectives in mind. At the initial stages the focus is more on proof of funds. Generally, this is surface level, to ensure the buyer isn’t wasting time and has a genuine interest in the property, and to avoid any disappointment for the seller, especially when making agreements to remove the listing from the market etc.
SoF, by contrast, refers to the origin of the funds being used for the transaction. The question you are seeking to answer should not simply be “is the client in possession of the funds?” or “where did the money for the transaction come from?” but also “how and from where did the client get the money for this transaction?” Possession matters, yet understanding the source and origin is paramount. It's vital to know the activity that generated these specific funds to prevent money laundering. It is necessary to look back far enough to build a clear picture of how the client accumulated their money for the transaction. For some, a six-month review may suffice, especially if it reveals a significant event like a large gift. For others, it might require looking back several years. This assessment varies from case to case, reflecting the level of risk identified in your client and/or matter risk assessment.
It is imperative to state that whilst everyone would love a definite answer, this is difficult to quantify. Unfortunately, the answer is ultimately unique to each client and transaction. It is very much dependent on many factors.
The SoF should be evidenced in line with risk grading (and may impact the risk grading).
It is really important to maintain written records detailing the specific considerations, your rationale, and why you believe the information obtained was sufficient and satisfactory and left you comfortable to continue.
Always clarify why you are satisfied that the SoF or Source of Wealth (SoW) has been established – this could be a future defence.
But I would always say to keep asking yourself the following questions:
Is this consistent with what I know about the client?
Do I have information that makes me suspicious that criminal property is involved?
Remember, if the transaction is consistent and you do not suspect that criminal property is involved, you do not have to go further to prove that the funds are clean.
Ensure you document the questions, answers, and any supporting material received. Should the retainer later be queried by the regulator/supervisor or law enforcement, this will provide the substance to protect you as a regulated individual and the firm.
Keep in mind, it's not solely about gathering documents and ticking a box. SoF verification limits opportunities for criminals to use criminal property.
Do you need proper full bank account statements or can you accept just account overviews?
There is no prescriptive way in which to undertake SoF verification but consider what an overview might be masking. It could leave you exposed to unanswered questions.
As a general rule, full bank account statements are preferable as they provide a comprehensive view of the client's financial activities. However, an account overview might be acceptable in some low-risk scenarios. Always ensure that the information provided is sufficient to give a clear picture of the client's source of funds. Remember when you are considering SoF you should be alert to and heed red flags and warnings such as:
Funds from high-risk third countries / geographical risks.
Links to high-risk sectors or cash-intensive businesses.
Unexplained income.
Gifts.
Third parties (especially those that are unexplained/unrelated).
Cash.
Cryptocurrency.
Gambling.
Inactive or dormant accounts.
Transfers in and out.
Income vs account balance vs savings vs living expenses.
HMRC audits
If HMRC decides to carry out an audit, what are the key things they are going to look for as part of that process?
The purpose of the inspection is to make sure that you are compliant with the Money Laundering Regulations. So, the first thing they will look to establish is whether you understand the regulations. Inevitably this means they will speak with key stakeholders and could talk to some of the staff. They’ll look at your anti-money laundering risk assessment, policies, controls and procedures to check that they document all elements and that you’re doing what’s necessary, and they will test them to make sure they’re working properly.
They may also carry out checks on:
Transaction records.
Customer due diligence procedures.
CDD evidence/file review.
How effective your systems are for identifying and reporting suspicious activity to the National Crime Agency (NCA).
Internal or external audits.
Bank statements.
Training records.
Records of suspicious transactions and of the action you took.
Details of Suspicious Activity Reports (SARs) you have submitted.
Ongoing monitoring of corporate clients
If we carry out relevant checks on a company that we receive instruction from, do we need to re-do these every time we work with the company again or can we rely on the prior checks for a certain period of time?
R28(11) requires that you conduct ongoing monitoring of business relationships, which includes undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying Customer Due Diligence (CDD) up to date.
Renew and re-evaluate CDD at appropriate intervals (including during the course of a given transaction), noting that, as outlined in R27(8), this is mandatory in certain circumstances. You must update the CDD when you become aware of any changes to the client’s identification information. This would include a change of name, address, beneficial owner or business.
This comes down to a question of risk and what level of risk you're prepared to take.
The bigger the gap, the more risk there is that something about the client has changed. If you are not aware of this change because you have not updated your CDD, then your firm does not meet the requirement of the regulations.
Each time you think about ongoing monitoring (which may or may not include full re-verification), record it. It is obvious when there have been changes, but what if nothing has changed? Record:
What aspects of the issue did you consider?
Action taken (if any).
The reasons for that decision.
Who undertook the monitoring and the date on which it was undertaken?
Want to catch up on the full webinar? Watch "Mastering AML Compliance: Q&A for estate agents" now.