Public Compliance Communications 17
PCC 43 – Guidance on shared clients
1 September 2023
Document
FIC
Financial Intelligence Centre
PUBLIC COMPLIANCE COMMUNICATION
PUBLIC COMPLIANCE COMMUNICATION
No 43 (PCC43)
ON CUSTOMER DUE DILIGENCE IN
RELATION TO SHARED CLIENTS OF
ACCOUNTABLE INSTITUTIONS
Public Compliance Communication Number 43 on customer due diligence in relation to shared clients
Page 2 of 8
PCC SUMMARY
Accountable institutions are required to conduct customer due diligence (CDD) on their clients in accordance with their risk management and compliance programme (RMCP), which governs the manner in which the accountable institution will comply with their obligations as set out in the FIC Act.
An accountable institution may request the assistance of another accountable institution to provide them with CDD information and/or documentation in relation to a shared client for the purposes of establishing and verifying the identity of the client.
Accountable institutions' requests for and supply of CDD information and/or other documentation must be done according to their risk based approached, and detailed in their RMCP as set out in Part 4 Section 42 of the Financial Intelligence Centre Act 2001 (Act 38 of 2001) (FIC Act)
DISCLAIMER
The publication of a PCC concerning any particular issue, as with other forms of guidance, which the Centre provides, does not relieve the user of the guidance from the responsibility to exercise their own skill and care in relation to the users legal position. The Centre accepts no liability for any loss suffered as a result of reliance on this publication.
COPYRIGHT NOTICE
This PCC is copyright. The material in a PCC may be used and reproduced in an unaltered form only for personal and non-commercial use within your institution.
Apart from any use permitted under the Copyright Act, 1978 (Act 98 of 1978), all other rights are reserved.
OBJECTIVE
The objective of this PCC is to provide accountable institutions with the Centre's view on compliance with their customer due diligence obligation in terms of Part 1, Chapter 3 of the FIC Act, where the accountable institution requests assistance from another accountable institution in relation to a shared client.
GLOSSARY
"Accountable institution" refers to an institution listed in Schedule 1 to the FIC Act.
"Customer due diligence (CDD)" refers to the duty to identify and verify clients as set out in sections 20A-21H of the FIC Act.
"Centre" means the Financial Intelligence Centre.
"FIC Act" refers to the Financial Intelligence Centre Act, 2001 (Act 38 of 2001).
"First party accountable institution" refers to the accountable institution that receives customer due diligence documentation and/or information on a shared client from the third party accountable institution.
"Group structure" refers to separate legal entities / accountable institutions who have a common shareholder.
"Third party accountable institution" refers to the accountable institution that has collected the customer due diligence documentation and/or information in respect of the shared client and provides this information and/or documentation to the first party accountable institution.
"Shared client" refers to the client of both the first party accountable institution and the third party accountable institution in relation to a single transaction or business relationship. This definition excludes a scenario where a client is coincidentally the client of both accountable institutions. Underlying clients are excluded from this definition.
Public Compliance Communication Number 43 on customer due diligence in relation to shared clients
Page 3 of 8
1. INTRODUCTION
1.1 Chapter 3, Part 1 of the FIC Act outlines an accountable institution's CDD obligations in relation to entering into either a single transaction or business relationship with a client.
1.2 A risk-based approach (RBA) underpins compliance with this CDD obligation, and as detailed in Chapter 3, Part 4 of the FIC Act, an accountable institution is required to understand the money laundering and terrorist financing (ML/TF) risks associated with each client. (See Guidance Note 7 for a detailed explanation on RBA).
1.3 When a first party accountable institution has a CDD obligation in respect of a shared client, it may request information and/or documentation, which will be used to supplement their own CDD measures, from a third party accountable institution.
1.4 A client must be a shared client of both the first party accountable institution and the third party accountable institution in relation to a single transaction or business relationship being entered into, that both accountable institutions are party to. It is not sufficient that a client is coincidentally the client of both accountable institutions.
1.5 The third party accountable intuition does not perform the CDD on behalf of the first party accountable institution. Rather, it provides the third party accountable institution with CDD information and/or documentation that it holds on the shared client as part of their own CDD process.
1.6 It is the Centre's expectation that the requesting and providing of assistance in relation to CDD information and/or documentation will only be applicable to accountable institutions in terms of the FIC Act and does not apply to accountable institutions in foreign jurisdictions.
1.7 This PCC is not applicable to outsourcing relationships.
1.8 See the FIC's Guidance Note 7 {insert link} for a detailed discussion on the risk-based approach and other CDD considerations.
Public Compliance Communication Number 43 on customer due diligence in relation to shared clients
Page 4 of 8
Public Compliance Communication Number 43 on customer due diligence in relation to shared clients
Page 5 of 8
2. CONSIDERATIONS IN OBTAINING CDD INFORMATION AND/OR DOCUMENTATION BY MEANS OF ASSISTANCE OF A THIRD PARTY ACCOUNTABLE INSTITUTION
2.1. Should a first party accountable institution request a third party accountable institution to provide CDD information and/or documentation in relation to a shared client, the procedure must be well documented in the first party institution's RMCP. It would be considered good compliance practice to, at a minimum, consider:
2.1.1. The first party accountable institution's risk tolerance in the receipt and subsequent use of CDD information and/or documentation provided by means of assistance by the third party accountable institution;
2.1.2. Whether the third party accountable institution completed the CDD for the client within the required and approved procedures of their own RMCP;
2.1.3. The extent to which the first party accountable institution will obtain CDD information and/or documentation from the third party accountable institution, including whether the first party accountable institution will be provided with or given full access to, requested CDD information and/or copies of documentation in relation to the shared client;
2.1.4. The risk posed by the client to the third party accountable institution for purposes of understanding the materiality and extent of the CDD information and/or documentation being provided;
2.1.5. Where the CDD information and/or documentation provided is not sufficient, the first party accountable institution would be required to perform additional due diligence measures. This includes where the client poses a higher ML/TF risk to the first party accountable institution, and the CDD information and/or documentation provided is insufficient in terms of its RMCP;
2.1.6. The record keeping of all CDD information and/or documentation;
2.1.7. The first party accountable institution would be required to provide evidence that they have made a concerted effort to determine and understand the CDD standards applied by the third party accountable institution. These CDD standards should be comparable to the first party accountable institutions RMCP; and
2.1.8. The steps to be taken when the first party accountable institution no longer accepts CDD information and/or documentation from a third party institution.
2.2. A third party accountable institution should have processes in place to ensure that they are aware that assistance is being requested by, and provided to, a first party accountable institution. This process should be documented accordingly.
3. RISK DETERMINATION
3.1. A first party accountable institution must apply its own processes and procedures to independently assess and understand the ML/TF risks in relation to their client.
3.2. Although the third party accountable institution may indicate their ML/TF risk associated to the client, the first party accountable institution must make their own determination of ML/TF risks within the context of their engagement with the client, as aligned within their RMCP.
3.3. The first party accountable institution's RMCP must clearly demonstrate how they will determine the risks associated with their client and the extent to which the ML/TF risks will be mitigated and managed.
4. ACCOUNTABILITY
4.1. The first party accountable institution remains at all times accountable for all aspects of AML/CFT compliance, including determining the ML/TF risk associated with their client and that the CDD information and/or documentation obtained for their client is sufficient in terms of their RMCP.
Public Compliance Communication Number 43 on customer due diligence in relation to shared clients
Page 6 of 8
4.2. A accountable institution may never delegate its compliance accountability to any other accountable institution and/or other entity.
4.3. In the event that the first party accountable institution is inspected by their supervisory body, and the CDD compliance measures and controls are found to be inadequate, the first party accountable institution will remain liable for this non-compliance and will not be able to transfer this non-compliance to the third party accountable institution that assisted by providing the CDD information.
5. SCOPE AND LIMITATION OF APPLICATION OF RELIANCE AGREEMENTS
5.1. In summary, a first party accountable institution can request assistance from a third party accountable institution for:
5.1.1. Identification of client and other required person's particulars.
5.1.2. Verification of client and other required person's particulars.
5.1.3. Information such as source of funds, source of wealth, geographic location.
5.2 A first party accountable institution cannot request assistance from a third party accountable institution for:
5.2.1 The ML/TF risk, and associated rating assigned to the client by the third party accountable institution.
5.2.2 The screening performed on the client by the third party accountable institution.
5.2.3 Ongoing due diligence.
5.2.4 Any reporting obligations in terms of the FIC Act.
6. GROUP STRUCTURES
6.1 It is not the Centre's expectation that when conducting CDD for a shared client within a group structure that the assistance between accountable institutions discussed in this PCC be applied.
6.2 The Centre encourages accountable institutions within a group structure to apply a groupwide AML/CFT programme. This would allow for a single standard to be applied across the group structure.
Public Compliance Communication Number 43 on customer due diligence in relation to shared clients
Page 7 of 8
Public Compliance Communication Number 43 on customer due diligence in relation to shared clients
Page 8 of 8
7. ENQUIRIES
For any further enquiries regarding this PCC43, please contact the Compliance Contact Centre on (012) 641 6000, or a query can be logged at http://www.fic.gov.za/Secure/Queries.aspx
Issued By:
The Director
Financial Intelligence Centre
27 February 2020