As an Accountable Institution, one of the key compliance obligations in terms of the Financial Intelligence Centre Act, as amended (FICA), is to perform Customer Due Diligence (CDD) on clients. One of the sub elements of CDD is what is widely referred to as Know Your Client (KYC) obligations, which is the first process in the due diligence chain.
The FIC Act does not give AIs a prescriptive, Rules Based approach on how to perform CDD and instead states that a Risk Based Approach be used as there are various risk factors to consider based on your client’s jurisdiction, industry, source of funds, political exposure, sanctions and product and services risks, to name a few. This risk based approach can often be very overwhelming with many of our customers often saying they don’t know where to start or how to adapt a risk based approach to their everyday business interactions and practices with their clients.
Below are 5 examples of KYC and wider CDD tasks that you can perform to get you started on getting to know your client better.
1. Identity verification
In terms of FICA requirements, clients must provide a valid form of identification, such as a passport, drivers license or ID card. This ID document should not only be collected but should also be verified against 3rd party data sources such as Home Affairs data. The FICs guidance clearly states that it is not enough to have a mere reliance on scanned or e-mailed document for verification, and that steps need to be taken to confirm the client’s identity particulars.
“The accountable institution must ensure that the copies of documents received electronically are in a format that is not susceptible to tampering or manipulation. Client identification and verification must be done at the outset of the business relationship or single transaction. It is good business practice to date documents relating to the verification of a client. This is an indicator that the account opening and verification of the client was done simultaneously. Below we have listed some of the elements that you should collect to verify before you onboard a client.” Read more about this FIC Guidance Note 3A for Accountable Institutions on customer identification and verification and related matters.
Examples of some due diligence you can do when working with identity verification?
- Does the person's picture in the ID document look like them eg: compare the ID to what they look like now
- Is the client a South African citizen?
- Have you been able to verify the client’s ID number?
You can read more here about how DocFox simplifies this process.
2. Address verification
Customers must provide documentary proof of their current address, such as a utility bill, bank statement or mobile phone account. Decisions as to how addresses are verified should be based on your risk framework. It is suggested that in order to prevent a fraudulent or irrelevant / old document from being received, you should apply a risk based approach when receiving this document. Many of our customers apply a rule that documents received should not be older than 3 months as well as use the tool within our software to view the property location on Google Maps to make sure things tie up. The purpose behind verifying a client’s address is not only to ensure that the client is where they say they are but if where they are based, operating or transacting is firstly accurate, and secondly whether it presents a potentially higher risk - or in some cases if it even exists.
As per the FIC Guidance Note 3A, 15 Documents that may offer confirmation of residential address include the following, which document must also include the name of the client:
- utility bill;
- a bank statement;
- a recent lease or rental agreement;
- municipal rates and taxes invoice;
- mortgage statement from another institution;
- telephone or cellular account;
- valid television licence;
- recent long-term or short-term insurance policy document issued by an insurance company;
- recent motor vehicle licence;
- or a statement of account issued by a retail store.
*This list is not exhaustive
3. Identify source of funds
The FIC Act requires you to obtain information on the source of funds that a prospective client expects to use in the course of the business relationship. “Accountable institutions are not required to verify the information about the client’s source of wealth and source of funds, but will have to include this information in its client profile which will be used as the basis for enhanced ongoing monitoring." You can read more about this process in this FIC guidance note.
4. Identify if your client is on a watchlist or in the news
Screening your clients against various watchlists and adverse media is important in determining potential higher risks to you and your business. In addition, the FIC Act mandates identifying and verifying the identity of a Domestic and Foreign Politically Exposed Person (DPEPs and FPEPs) and/or a Prominent Influential Person (PIP) which requirement recognises that people in positions of political power, prominence and influence are more susceptible to bribery and corruption. As we have seen over recent years, there has been an increase in financial crimes that have links to those in government or who hold public or prominent positions in society. It is for this reason that DocFox screens your clients against a wide variety of sanctions watchlists in addition to the FICA required UN Targeted Financial Sanctions Lists, and combs through billions of online news articles searching for relevant adverse media. DocFox has also recently enhanced our screening database, which means that AIs no longer have to rely on potentially unreliable client disclosures, outdated data sources or waste time manually researching each individual DPEP or PIP client. This enhanced database is built into our comprehensive watchlist screening solution and automatically notifies you if any person or entity loaded onto DocFox is a DPEP or PIP.
In summary, some examples of due diligence you can do:
- Check the client does not appear on international sanctions lists such as the TFS list
- Is the client a DPEP or PIP?
- Can you find any adverse information about the client online?
5. Beneficial ownership
Criminals may look for opportunities to retain control over illegally derived assets by inhibiting the ability of law enforcement to trace the origin and ownership of assets.
The only way for Accountable Institutions to prevent these criminals from using complex structures or legal persons to conceal true ownership is by assessing their clients and truly understanding who profits from and operates the business. This is where the concept of identifying Ultimate Beneficial Owners (UBO) comes into play. This is typically the 5% natural person shareholder of your juristic person client. However, should there be no majority holder over 5% in the case of a listed company with thousands of shareholders, you can move from the ownership element to the control element and identify and verify the identity of the CEO, CFO or COO.
Trusts (section 21B(4) of FICA) are unique cases in terms of Ultimate Beneficial Ownership. A trust leverages all three levels of control and ownership factors of a UBO.
Therefore, you would be required to FICA:
- the Founder to see where the Trust assets come from;
- the Trustees to understand who can control the Trust assets; and
- the Beneficiaries to understand who can benefit from the Trust assets.
In addition to determining the UBO, related parties of your juristic person clients are also required to be FICA’d (UBOs are probably the most important related party). A related party is any person in the company who has executive control or management over a legal person. For example, the Directors of a company, Partners to a Partnership, an authorised signatory or authorised representative. These are the people who can decide how the entity operates, how any funds or assets are used or directed, or can instruct you on behalf of the client - so it's important to know who these people are. You can read more about identifying UBOs here.
It is important to remember that KYC and FICA requirements are in place to prevent money laundering, terrorist and proliferation financing, and other illegal activities’ risks to your business. Therefore the above are just 5 examples of things to do when performing KYC and CDD. In general you should apply a risk based approach which can vary based on your client’s industry, type of transaction as well as your client’s location.
DocFox can assist you with your KYC and CDD requirements by providing automated document collection and identity verification, risk assessment matrices, continuous monitoring, compliance reporting, and an enhanced customer experience. By using DocFox, you will save time, reduce costs, and be FICA compliant.
Steps to get your KYC and CDD processes automated and compliant:
- Choose DocFox as your digital KYC and CDD solution
- Use DocFox to collect customer data and information
- DocFox will take care of verifying your customer identity against external sources
- DocFox will verify that your clients documents are correct and have not been tampered with
- DocFox will record and store all data and documents as well as make sure it is easily accessible if needed for a regulatory compliance inspections
- DocFox ensures ongoing monitoring, we will continuously monitor your clients and notify you when there is any change as well as let you know when it is time for them to be reviewed in terms of ongoing due diligence obligations