BCL partner John Binns’s article has been published by Money Laundering Bulletin, discussing to what extent a business in the regulated sector, that provides a pooled client account (PCA) for a customer, has to do customer due diligence on its customer’s customers to address money-laundering and terrorist-financing risks.

Here’s an extract from the article:

Even as little as three years ago, the EU’s third Money Laundering Directive (MLD3) provided for a relatively relaxed approach to PCAs, at least where the customer was themselves a regulated firm – the theory being that such firms could be trusted to have done their own due diligence on their customers, and the funds in such accounts could safely be considered ‘low risk’ – so that only simplified due diligence (SDD) need be applied.

The risk-based approach

All that changed with the fourth Directive (MLD4), which encouraged a ‘risk-based approach’ to PCAs, as it did to due diligence in general. The prospect of SDD remained, but in practice only for a small minority of the very lowest-risk customers, who were not only regulated but also seen to be operating in low-risk jurisdictions and sectors. For all other PCAs, firms were left to work out for themselves how much due diligence was necessary, with the prospect that the highest risk might need enhanced due diligence (EDD), even to the extent of screening customers’ customers.

The approach of MLD4 has been justly criticised from a number of quarters, both for its lack of clarity and for the potentially serious impact on businesses who operate PCAs. In the UK the issue has had particular attention from letting agents, who are required to hold tenants’ deposits according to strict rules, but whose banks are increasingly nervous about the various sources of the funds held.

The expansion under the fifth directive (MLD5) of the regulated sector to include some letting agents (when dealing with particularly high-value properties) provided an opportunity to tackle the question, and the government raised it in its consultation on how to transpose MLD5’s requirements into domestic regulations.[1] In the end, though, there was nothing in the new regulations either to help firms generally to tackle the PCA question, or to help letting firms in particular with the combined impact of MLD4 and MLD5 on them.

What the draft guidance says

The role of the JMLSG, as ever, is to step in with some practical guidance to help firms know what to do. Among other things, the draft guidance it put out for consultation[2] says that firms ‘should take reasonable measures to establish and document the purpose of PCAs’, and ‘may need to establish information [on] the types of clients [and] level of assets deposited’ as well as any ‘exposure to [high risk] industries and geographies’. It also suggests checking whether the customer ‘applies robust and risk-sensitive CDD measures to their own clients [and] their beneficial owners’.

More controversially, the draft guidance goes on to say that the firm ‘must enter into a written agreement with the customer, in which the customer agrees to provide, on request, information on the identity… of the owners of the funds held in the PCAs’, and unless SDD is appropriate, ‘must either take reasonable measures to identify and verify the identity of the owners’ (which may be by way of a formal reliance agreement), or ‘take measures to decrease [the risk] until SDD can be applied’ (for instance, by ‘requesting’ the customer to enhance their own CDD process, or ‘restricting’ the PCA to lower-risk client funds).

This article was originally published by Money Laundering Bulletin on 06/07/2020. You can read the full version on their site.