Covid-19 & consequences for anti-money laundering

Speedread: Anita Clifford considers the implications for anti-money laundering and Customer Due Diligence following the shift towards virtual client relationships in response to the global health emergency.

The global health emergency has upended business norms. With more regulated sector professionals working exclusively from home and client relationships entirely online, a business’s anti-money laundering (AML) procedures will be affected. Every effort is underway so business can carry on, but there are likely to be delays to the submission of Suspicious Activity Reports (SARs) pursuant to sections 330 and 332 of the Proceeds of Crime Act 2002 (POCA). On 16 March 2020, the Financial Crimes Enforcement Network (FinCEN) in the United States issued guidance urging banks to foreshadow any concerns about the ability to submit timely reports in compliance with legal obligations.[1] At the time of writing, the United Kingdom’s National Crime Agency (NCA) is yet to do the same, but it would be wise for regulated firms to keep a note of any disruptions caused by the health emergency to the submission of internal and, where appropriate, external SARs.

Practitioners and regulated professionals should also be aware that the unprecedented situation has generated new criminal and, consequently, further money laundering opportunities. On 22 March 2020 the NCA warned of criminals exploiting the Covid-19 pandemic in the form of malicious apps, fake medical apparatus and email phishing directed at the theft of personal data.[2] In the United States, FinCEN has urged vigilance in relation to investment schemes falsely touting medical services or cures and Covid-19 insider trading.

Out of sight, out of mind

The vital shift to remote working, combined with an employee’s understandable desire to maintain productivity in a time of economic uncertainty, risks AML compliance becoming a distant consideration. Prudent businesses should reinforce to their relevant employees and agents that although the office is empty, customer risk assessment and Customer Due Diligence (CDD), extending to verification of individual and corporate clients, including beneficial owners, must still be performed before any work commences. An exception only arises if the prospective client is first assessed as posing a low risk of money laundering or terrorist financing and it is considered ‘necessary’ to delay verification to avoid interruption to business: Regulation 30(3) MLR 2017. If this exception is to be relied on, the reasons must be documented. Further, businesses of all sizes would be wise to review their AML policies to ensure they are equipped to deal with all AML, client on-boarding and CDD issues remotely, with a deputy MLRO to step in if required.

Lack of in-person contact & enhanced CDD

Relatedly, a question arises as to whether the total absence of face to face contact with a client and inability to have personal sight of a client’s identification documents means, in practice, more clients will attract enhanced CDD. Various AML guidance, such as that issued by the Legal Sector Affinity Group, identifies as a high risk factor a situation where the professional does not ‘meet’ their client. Regulated firms, however, should not assume that because a client is not personally met this will propel that client into a high risk category, mandating enhanced CDD. MLR 2017, as recently amended, encourages a non-prescriptive approach to CDD. The Legal Sector guidance urges fee earners to consider why a meeting in person cannot take place and already recognises that relationships will be conducted with the aid of technology.[3] There is no reason why those in other sectors should not take a similar approach. Of itself, an inability to meet a client does not lead to enhanced CDD. The key to satisfying the AML obligations, which remain in place notwithstanding the challenging circumstances, is to mitigate the risk of identity fraud or failing to recognise a risky matter through the aid of technology. In practice, client screening and certified e-identification databases can be used, adverse media searches undertaken and video-conferencing facilities deployed so that prospective clients, insofar as possible, are still ‘met’. Where an arrangement is in place and CDD records can be swiftly provided, firms may also wish to consider relying on documents already gathered in relation to the prospective client by another regulated firm in the UK or a country with equivalently robust AML measures: Regulation 33 MLR 2017.
The duty to conduct sensitive CDD is non-delegable but Regulation 33 may assist in overcoming the practical hurdle of gathering CDD records from a client presently unable to have identification documents certified and sent due to movement restrictions.

Simplified CDD remains possible

Building on this, there is no reason why a client that is met virtually using any of the myriad video conferencing apps could not still fit into the ‘low risk’ category where this is supported by a range of factors. Simplified CDD is permitted in low risk situations by Regulation 37. Regulated firms, however, should note that HMRC guidance, for instance in relation to Money Service Businesses, states that

“to apply simplified due diligence you need to ensure that…the customer is seen face to face.”[4]

Although the conventional understanding is likely to be that in-person contact is required, the guidance does not actually stretch that far. There is a strong argument that, given the current context, ‘face to face’ interaction can take place without needing to be in the same room as the client at all. This is particularly so when it is considered that the supposed need to see a client face to face in the first place for simplified CDD to apply is but another example of the guidance going further than what has been required by law. Regulation 37 of MLR 2017 does not refer at all to needing to see a client face to face in order to be able to apply simplified due diligence. Even so, firms should ensure that if they are contemplating simplified CDD they have at least had face to face contact with the prospective client virtually so as to not fall out with the regulator.




[3] See

[4] See 4.24.