In our latest webinar, ‘how to get corporate client due diligence right’ we asked Jane Pritchard, and Kayleigh Smale, Legl’s respective Chief Product Officer and AML expert, to discuss the good, the bad, and the technology relating to corporate client onboarding. From effective communication with clients that never starts with an apology to overhauling your tech estate to make the data, rather than your analysts, work harder, we discussed a lot before opening the floor to a live corporate client due diligence (CDD) Q&A. 

While we were able to get through a lot of your questions, they were still a few we couldn’t get to in the allotted time. So! As promised, we bought them both a macchiato and got them to answer the ones we didn’t get to.

Frequently asked questions about corporate client due diligence  

1. How do you conduct CDD on companies overseas, and how do you get to the bottom of who is the ultimate beneficial owner and is there a better process for when they are based abroad?

KS: It’s important to remember that this is an ‘everyone problem’. Overseas jurisdictions won’t always have the same level of publicly available info as the UK; you might get some data like name address but you will often need to buy additional documents to get any more information about the company or if the company is registered in an secretive jurisdiction you probably won’t find much at all! My advice is to start with what you know, and then consider what you need in order to discharge your professional obligations. Also, if you’re a fee-earner with a compliance team gathering the evidence for you, if you know something about the client that will help, tell your analyst — even if you think it’s obvious. I can’t stress enough the power of over communication. 

2. How can you tell the difference between a trading vs. non-trading company? 

KS: For companies registered in the UK this is clearly recorded on the ‘Overview’ page on the company record at Companies House under the heading “Company Status”.

3. How do you carry out CDD on complex structures and entities in a corporate chain and how much should you deep dive into each entity in a large corporate chain, and what should you do when the client doesn’t even know their own structure?

KS: This comes down to what is and isn’t proportionate based on your client — is there PEP involvement, what overseas jurisdictions are involved, are the High Risk Third Countries? If the answer is yes, then you are probably going to want to dig a bit deeper into the corporate structure. But if the company is low risk, maybe it is a regulated company, say by the FCA or it is stock listed or it is a subsidiary of a regulated or stock listed company, and there are no other apparent red flags then I think you won’t need to do as much digging into the beneficial owner. 

If the client doesn’t know their own corporate structure, consider whether that is a potential red flag in itself. 

4. How do you deal with push back and objections from client’s objections who feel they should be 'above' the requirements and get directors and PSCs to respond positively to the onboarding experience?

JP: Be clear with your client from the outset and set expectations of what will follow and do that consistently! If you can introduce a non-invasive discovery process with a set workflow that is speedy and easy to understand — “we know this, but  we need that” — and removes the need for as many back and forths with the client, then you will be removing a lot of the pain out of the process, for you and your clients. This is all about providing a professional experience that actually onboards them with your processes, that sets a standard. This isn’t something firms need to do alone, it’s where technology can play a huge part — automating, streamlining — all the buzzwords that actually make a difference to how clients interact with your firm. 

KS: Consider whether you want to work with these types of companies not just from an AML perspective but from a matter perspective. If they’re being a pain at this stage, think what they might be like to act for! But if you do decide to continue to act for them, then I would suggest you have some set wording for everyone to use when requesting documents. This is so that there is consistency throughout the firm. One thing I would add is don’t blame the compliance team or apologise to your clients for asking for CDD evidence, this will make them think this is something you don’t want to be doing either or that you don’t care, when in reality you do care and you are doing what you need to do to keep yourself, the firm and your clients safe.

5. How can we ensure fee-earners are following the correct procedures?

JP: Again, workflows can do a lot of the legwork here: reduce what you need based on policy, create firmwide workflows so that expectations are consistent for every transaction and user type and then automate based on preferred communication options. It sounds easy, but with technology it really is: prescribe, automate, monitor. Don’t rely on policing bad practice, automate the good. Even if you’d prefer to be less prescriptive, then give analysts the ability to make the choices, but then even more than ever you need a monitoring tool that identifies risk at transaction and practice level. Having one application as a single source of truth for compliance with risk policy is the investment that no law firm should compromise on.

KS: Carrying out file reviews is a really great way of capturing whether policies and procedures are being followed. I don’t mean doing a review, asking the fee earner to carry out any remedial action and then put the file away. What you need to do is capture that information, this will help you evaluate if there are any trends. Is it just one person who is a repeat offender or is it most people who are not following procedures. If the latter then it could be that you have a policy and procedure that doesn’t work and you may need to consider a change in the process. It’s always important to understand the “why” in these situations.

6. What should be requested from beneficial owners versus directors and how can we obtain ID from a PSC /or UBO who we aren't in contact with?

KS: Not many people know this but there is no requirement under the Money Laundering Regulations to obtain director ID. There was a provision in the 2003 regulations to carry out ID&V on two directors, but when the rules surrounding incorporating a company changed to allow a company to have just one director the requirement was dropped and the focus was on beneficial owners.

Now I would always recommend that you still should obtain ID for one director, especially if they are the person who you are taking instructions from. I would say this is best practice.

When it comes to beneficial owners it hasn’t always been clear whether the MLR required firms to obtain ID from them. So in April last year the Legal Sector Affinity Group updated it guidance on this matter which can be found at section 6.14.10 Non-natural persons, paragraph 4: 

"you should verify the identity of the beneficial owner to the same standard as that applied to clients who are natural persons." 

So you should now be obtaining ID for beneficial owners. Having spoken to some law firms who have recently been audited by the SRA, the SRA are checking whether ID checks on beneficial owners are being conducted.

7. What ID should we get for companies without PSCs?

KS: Not all companies will have a PSC, think of a law firm Partnership, there could be 10 or more equity partners who all could have a share in the company which would be less than 25%. Remember though you should consider if any of those partners have control of the management of the company 

8. How can we decipher which documents we can rely on — how old they should be, and what should we do when there are no recent corporate documents for ownership?

KS: Assuming this question is for a company not based in the UK. I think it’s important to ask why they don’t have updated documents — is it because they are not required to under their company rules, or is this a red flag? 

It’s important to remember that even if the company is based in  the UK, that company structures and directorships can change quite frequently and the client may not think to tell you about the change. How do you know that the company CDD documents are up to date if you don’t ask? My suggestion would be to make sure, when you onboard the client, that you have all the information about the company, directors, shareholders etc in a nice document to send over to them every time you open a new matter for them (this needs to be proportionate) to ask them if there have been any changes. 

9. How do you carry out Source of Funds (SoF) checks on corporate clients and what is the best way to collect Source of Wealth (SoW) and SoF information?

JP: Honestly, with as few back-and-forths as possible. Consider taking advantage of dynamic evidence gathering tools that don’t overload the client with questions at the outset — that make it simpler for them to give you the right information when you need it. 

And, where Open Banking isn’t possible or feasible  for SoW or SoF,  accept the limitations of provenance of data. If it cannot be validated as a true document then use technology to assess the context for risk gaps and red flags.

KS: Again, I think you need to be proportionate. Consider: 

• The structure of the company
• Is the information publicly available
• Is it clear how the company made its money 
• Does it make sense that the company would have accrued the funds it has from the work that it does.
• Is it a smaller company (in which case you may need to see statements)
• Is it a household name (in which case you probably don’t need to see statements). 

10. How can you conduct ongoing due diligence / monitoring on corporate clients and how can you reduce and decipher false positives?

JP: First, get the data  right — use tech and smart analysis tools to reduce the noise and remove false positives (think of this as a first-pass) and only monitor valid and new results. The key here — automate and make the results impossible to miss and avoid. If you automate monitoring and are observing risk at a practice level post client onboarding, your risk practice will be infinitely stronger.

KS: Ask  yourself, how do you know they are being reviewed? Do you have a clear process and clear controls to ensure the monitoring is actually being done, do you have an audit trail? I’ve spoken to firms before where they had an outlook rule that would automatically file emails for ongoing monitoring into a folder that would never be looked at because the person who made the rule didn’t tell anyone what it was for when they left, the firm simply assumed it wasn’t important. So make sure you know the where, how, and when! 

11. How can you use AI for assessing risk and monitoring?

JP: Simply, GenAI, with its ability to consolidate and analyse vast quantities of disparate data can drastically improve the consistency of first cut analysis for risk. It’s something we’ve seen with Legl Assist (our GenAI analyst tool) — time-savings in respect of turnaround times and speed of service delivery.  Perhaps surprisingly, the output is often more consistent and joins the risk dots to create superior context. 

12. Which screening tool is most prevalent and how do you justify one over another?

JP: It’s less about one tool and more about the software that powers it. Tools that use AI to determine patterns are more likely to be able to return smarter, faster results from wider data searches and it’s one of the reasons Legl chooses data suppliers where screening is not wholly dependent on humans completing the task but reliable AI tools. Data is data (which may sound like a non-sentence), but it’s how the data is processed that can make all the difference for relevant context — by a human (or multiple humans), or by algorithms that crunch data for breakfast. Adding a Generative AI layer is where risk and compliance software delivers transformative smart output. 

Conclusion

Understanding the nuances of corporate CDD and implementing best practices is essential for law firms and compliance specialists. By embracing technology and adhering to a thorough due diligence process, firms can significantly reduce their risk and build stronger, more transparent relationships with their clients.

Everyone that joined the webinar got a free copy of our comprehensive guide to corporate client due diligence. So in the spirit of equality, feel free to download your free copy, here. 

For those who missed the live session or wish to revisit the discussion, register to watch the live recording, here.

Stay tuned for our next webinar and, if you’d like to talk to Jane or Kayleigh, please feel free to reach out (and offer a macchiato dairy free for Jane please). 

‍