KYC (KNOW YOUR CUSTOMER)
Obliged entities need to know who they are dealing with and what the customer's normal activities are.
Key obligations:
- Identification and verification of the customer's identity
- Identification and verification of the identity of the customer's representative
- Identification and, where appropriate, verification of the identity of the beneficial owner
- Identification of the politically exposed person
- Identification, obtaining information about the customer's activities, the nature and extent of her/his business and the reasons for using the service or product
- Retention of identity data
In implementing these obligations, it is essential to assess, on a risk basis, the type of measures to be taken in the customer relationship and whether, for example, there is a requirement to apply enhanced customer due diligence.
If the obliged entity is unable to fulfil the obligations to identify the customer, the customer relationship may not be initiated or the transaction carried out. The obliged entity must also know the activities and background of its customer to the extent required by the customer relationship. Identifying the customer also requires the service provider to know on whose behalf and with whose funds the transactions are being carried out.
Customer identification and verification of identity
The obliged entity must verify the correct identity of the customer and, with certain exceptions to the law, there must be no anonymous or fictitious customer accounts.
Identifying the customer means finding out the customer's identity on the basis of information provided by the customer. Identity can be found out, for example, by an official certificate or, in the simplest case, by asking for the customer's name.
Identity verification means the verification of the identity of a customer on the basis of documents or information from a reliable and independent source.
The customer must be identified and their identity verified, for example:
- always when establishing a customer relationship;
- when carrying out an occasional transaction where the total value of the transaction to be carried out or the value of the interconnected transactions amounts to EUR 10 000 or more;
- where the amount of the cash sale of goods or related transactions amounts to EUR 10 000 or more and the customer relationship is occasional;
- in all cases where the transaction is suspicious or where the obliged entity suspects the legal origin of the funds or other property involved in the transaction or their use for the financing of terrorism or its criminalisation; or
- whenever the obliged entity has doubts about the veracity or adequacy of previously obtained customer identification data.
If a representative acts on behalf of the customer, the obliged entity must also identify and verify the identity of the representative and ensure the representative's right to act on behalf of the customer.
Beneficial owner
In simple terms, a beneficial owner is a natural person who, through ownership, voting rights or other means, exercises control over a legal entity.
The obliged entity must identify and maintain sufficient, accurate and up-to-date information on the beneficial owners of the customer and, where necessary, verify their identity.
The beneficial owner of the corporation is the natural person who ultimately:
- directly or indirectly owns more than 25 % of the shares of a legal entity or otherwise holds an equivalent interest in the legal person;
- exercises, directly or indirectly, more than 25 % of the voting rights of the legal entity, and that proportion of the voting rights is based on ownership, membership, statutes, articles of association, partnership agreement or similar rules; or
- otherwise effectively exercises control over a legal entity.
Direct ownership is taken to mean that a natural person owns more than 25% of the legal entity under consideration.
Indication of indirect ownership is considered to be:
- a legal entity in which one or more natural persons exercise autonomous decision-making powers has a holding of more than 25 % of the voting rights in the legal entity concerned, or more than 25 % of the voting rights; or
- a natural person or a legal entity in which a natural person exercises autonomous decision-making powers has the right, by virtue of ownership, membership, statutes, articles of association, partnership agreement or similar rules, to appoint or remove a majority of the members of the board of directors or similar body of the legal entity under review.
If it is not possible to identify the beneficial owner or if the above conditions are not met, the beneficial owner is considered to be the board of directors or general partners of the legal entity of the enterprise, the managing director or any other person in a similar position.
The obligation to identify the beneficial owner creates transparency, which is an important tool in the fight against money laundering and terrorist financing. The obliged entity must keep a record of the identification of the beneficial owner. The assessment of identification measures is facilitated by the obligation of most entities to submit a beneficiary declaration to the PRH.
If the beneficial owner cannot be identified and, if necessary, verified, the customer relationship must be terminated and, if necessary, a report must be made to the EU Financial Intelligence Units (FIU).
PEP - Politically exposed person
The law has imposed specific enhanced due diligence obligations on persons who are politically exposed, their family members and business partners.
A person is considered a politically exposed person (PEP) if he or she holds or has held a public office:
- as Head of State, Head of Government, Minister, Deputy or Assistant Minister;
- as Member of Parliament;
- as a member of the governing bodies of political parties;
- as a member of a supreme court, a constitutional court or any other similar judicial body, the decisions of which are not subject to further appeal, except in exceptional circumstances;
- as a member of the Court of Auditors and of the highest decision-making body responsible for auditing the financial management of the State, corresponding to the State Audit Office;
- as a member of the Board of Governors of the Central Bank;
- as an ambassador or chargé d'affaires;
- in the armed forces, as an officer of at least general rank;
- as a member of the administrative, management or supervisory body of a wholly state-owned enterprise; or
- as a director, deputy director or member of the board of directors of international organisations.
A PEP's family members include the following:
- a spouse or partner who is treated as a spouse under the national law of the country concerned;
- children and their spouses or partners; and
- parents.
PEP's partner means:
- any natural person who is known to be a co-owner or beneficial owner of a community, business or legal arrangement or who is known to have any other close business relationship with a politically exposed person; and
- any natural person who is a co-owner or beneficial owner of a community, business or legal arrangement known to be established for the benefit of a politically exposed person.
Identity data and its retention
The law requires obliged entities to keep all documents and information relating to the customer's identity and transactions up-to-date and accurate. After the end of a permanent customer relationship, the information must be kept in a reliable manner for five years and, in the case of an occasional transaction, that retention period should be fixed at five years after the transaction has taken place.
The types of customer data to be retained include:
- name, date of birth, personal identification number and address;
- name, date of birth and personal identification number of the representative;
- the full name, registration number, date of registration and registration authority of the legal person and, where applicable, the articles of association of the legal person;
- full names, dates of birth and nationalities of the members of the board of directors or equivalent decision-making body of the legal person;
- the sector of activity of the legal person;
- the name, date of birth and personal identification number of the beneficial owner;
- the name, number or other identifying information and the issuer of the document used to verify the identity or a copy of the document or, if the customer has been identified by remote identification, information on the procedure or sources used for the identification;
- information about the customer's activities, the nature and extent of his business, his financial situation, the reasons for using the transaction, service or product and the source of funds, and any other relevant information; and
- information obtained that is necessary to fulfil the obligation to obtain information and the enhanced obligation of due diligence in relation to politically exposed persons.
Customer identifiers or other personal data obtained for the sole purpose of preventing and detecting money laundering and terrorist financing shall not be used for any purpose incompatible with those purposes.
Knowing the customer also entails an obligation to ensure that the transaction does not involve any persons or entities subject to sanctions.
Risk-based customer due diligence
Prevention of money laundering and terrorist financing is based on identifying and assessing the risks of money laundering and terrorist financing by obliged entities, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services and transactions as well as delivery channels and technologies. Those steps shall be proportionate to the nature and size of the obliged entities.
The obliged entity may follow simplified customer due diligence measures if, on the basis of a risk assessment, it considers that the customer relationship or individual transaction presents areas of lower risk of money laundering and terrorist financing. Even then, there is an obligation to carry out sufficient monitoring of the customer relationship in order to detect unusual transactions, and the other provisions of the Money Laundering Act must continue to apply.
The law requires the obliged entity to apply an enhanced customer due diligence procedure if, based on a risk assessment, the obliged entity considers that the customer relationship or individual transaction poses a higher than normal risk of money laundering or terrorist financing or the customer has links to certain high-risk countries. The enhanced obligation to obtain information means, inter alia, that particular attention must be paid to the customer, his business and transactions. Examples of enhanced due diligence measures include ensuring that the customer identifiers are up-to-date on a shorter cycle, paying particular attention to the customer's transactions or investigating the origin of funds with a lower threshold. Related to politically exposed persons, there is a legal obligation to comply with enhanced customer due diligence.
Risk factors related to knowing the customer
As described earlier in this article, the measures of customer knowledge are based on a risk-based assessment. The obliged entity's actions are based on a risk assessment, which must include a sufficiently comprehensive evaluation of the risks associated with the activities of the company and its customer base. These identified risks are then used to adequately measure the customer relationship procedures.
Some of the risk factors that have been identified with regard to knowing the customer include:
- Customer refuses to verify identity
- Information provided by the customer is inconsistent with customer data or customer behaviour
- Documents and reports required to know the customer are incomplete
- There are ambiguities in the customer's activities and ownership structures or it is complex and difficult to clarify the structures
- Frequent changes in the responsible persons/management of the client company
- The transaction carried out by the customer does not correspond to the customer's financial situation
- The customer engages in commercially unprofitable or otherwise irrational transactions
However, customer due diligence measures are ultimately relatively simple to implement, as long as your company understands the risks associated with customer relationships and the required procedures.