What service is being provided?
IDR gives you access to an independent repository from which to obtain up to date ‘review ready’ Customer Due Diligence (CDD) in a cost-effective manner.
How does content comply with AML/CFT requirements specifically?
The standards within IDR are driven by the FATF Recommendations with specific consideration being given to the AML/CFT requirements applicable to UK and Channel Islands regulated businesses.
Enhanced Due Diligence (EDD)
- Enhanced due diligence requirements set out by Regulators are built into the system.
- We anticipate that the EDD fields already documented in IDR will satisfy the majority of EDD questions that will arise.
- We recognise that firms may require additional EDD information due to the particular risk factors presented by the profile owner.
- We have built in a mechanism to allow you to request the profile owner to place additional information into the profile.
Source of Funds
Source of Funds is not specifically documented in the profile on the basis that there will be different source of funds explanations for different regulated firms relying on the same profile.
Source of Wealth
Source of Wealth information is recorded in the profile for each profile owner.
Certification can be undertaken by two methods.
- The first is through the digital certification method built into the system where the profile owner uploads a document and requests a suitably qualified person to certify the document. This document will have certification wording digitally imprinted into the document.
- The second is through the uploading of previously certified documents where the profile owner will upload documents that have previously been certified in wet ink.
How does the indicative risk rating work?
The indicative risk rating calculation takes place real-time whilst the profile owner completes their profile. The risk rating methodology picks up on both the high and low risk factors set out by regulators, including:
- High risk jurisdictions
- High risk activities
- Regulated firms in equivalent jurisdictions
- Listed entities
- Pension schemes
- Public authorities
The risk rating will drive the level of required Customer Due Diligence for the profile owner.
Does this constitute outsourcing?
Your firm is not delegating any services or responsibilities to IDR. Your firm is entering into a contract for services, these being the access to an independent data source of Customer Due Diligence.
Is this ‘reliance’ or an introducer relationship?
Your firm is not placing any reliance on IDR to make introductions. The service being provided is access to a live Customer Due Diligence repository. By obtaining your Customer Due Diligence through idregister.com, we anticipate that reliance on introduction certificates should be reduced. IDR also provides added value services including real-time sanctions screening and communication of indicative AML risk ratings. It is at your discretion whether you choose to make use of this information provided on the platform.
What internal systems and controls do I need to update?
We expect that you will need to amend:
- Risk rating and/or Customer Due Diligence sign off forms in order to obtain CDD from www.idrgroup.com;
- AML/CFT Manual to make reference to the point that CDD information is being obtained from IDR as an independent repository of CDD;
- AML/CFT business risk assessment to reflect the use of IDR as a AML/CFT regtech product. See the section below for details of what to include in your risk assessment.
What is the technology risk assessment?
We will provide a full technology risk assessment on request which includes the following:
b. Electronic method
c. Anticipated use
f. External service or product provider
g. Information sources
i. Digital third-party certification to guard against fraud
j. Certification wording
k. Authenticity confirmation of digital signature
Is using a service provided by a company outside of my jurisdiction an issue?
By contracting for services from IDR, you are not outsourcing any services nor placing any reliance as envisaged by the AML/CFT regulations.
How often does IDR undergo sanctions screenings?
IDR undertakes ongoing sanctions screenings daily for every profile. Flags are escalated onto the profile and then notified to your firm. IDR obtains its source screening data from Refinitiv World-check.
What is Refinitiv World-check?
Refinitiv World-check is an industry recognised collator of global risk intelligence.
How frequently is the checking?
Information on IDR is checked daily.
What lists are being checked against?
The screening checks:
- Regulatory Enforcement and warnings
- Law Enforcement
- Adverse media
- Disciplinary actions and warnings
- Securities Exchange actions
- Fugitive lists
- Exclusions lists
- Fraud warnings
- Debarment lists
- Disciplinary actions
- Enforcement actions
- Law Enforcement Press
Who is clearing initial hits?
Hits below 85% match are automatically discounted. Remaining hits are listed in the profile.
How will I be notified of any hits?
Hits will be listed on the profile and sent to the e-mail address that you have registered on your profile.
What systems and controls does IDR have in place?
- Investor Services is cloud based and is supported by Microsoft Azure platforms. The use of this platform provides ongoing continuity and strong cyber security controls.
- Data security is provided through user e-mail, mobile phone verifications and the profile owner providing their consent for third parties to access their information stored on IDR.
- Records are securely maintained on IDR and CDD packs can be downloaded by linked profiles only or stored securely on the system. Records can only be accessed where the owner of the data has agreed to the sharing of profiles.
How do I know the status of client/investor profiles at any one time?
Through viewing windows, you will be able to quickly determine the status of each profile that you have connected to.
So, for example, when coming to a first close in an investment fund, you will be able to access the system at any time to check if the profiles for each intended investor have been completed and determine whether the investor can be accepted into the fund. Subsequently, the same method can be reviewed to determine whether you hold sufficient CDD to make either calls or distributions to investors?
What if I disagree with the indicative risk rating within IDR?
The risk rating is purely indicative as we recognise that you will have your own existing internal risk rating formula that you should continue to use, in conjunction with any internal sign-off forms to determine whether you have sufficient CDD from IDR.
How are documents kept up to date?
Automatic alerts will be generated by the system to ensure updated ID documents will be obtained subsequent to expiration.
We expect that for the profiles that have many connections, documents will be being updated on a more regular basis given the higher level of on-going activity. We expect over time that profiles will be maintained in a more up-to-date status than would otherwise be the case from a hard copy file.
How will investors know when to update documents?
Documents will be updated for the following reasons:
- When the photographic document expires;
- If a financial services firm requests a more up to date address verification document; or
- If the profile owner decides to upload updated documents.
Who is the contracting entity with idrgroup.com?
It is suggested that the financial services firms who maintain the relationship with the client/investor be the contracting parties with idregister.com. For example, if you want to access your client/investor profiles, your firm should be the contracting party.
If you want to access investor profiles on behalf of the Fund, the Fund should be the contracting party.
How are profiles created and linked?
Profiles can be created for either individuals or entities.
Profiles are then linked between the client and financial services business. In line with data protection requirements, the profile owner must either send the link request or accept the link request from the financial services business.
When are periodic CDD reviews?
IDR will allow you to undertake periodic CDD reviews on a more cost-effective basis and on the basis of having access to more real time CDD.
Is this system just meant to be used by clients/investors?
No, this system can be used for ongoing access to due diligence of subsidiary companies, underlying assets etc.
The prescribed wording of certifications differs between jurisdictions. How can a piece of evidence be certified once in order to cater to these different requirements?
Legislation prescribes parts of the wording that should be used. For example:
CI requirements require the certifier to confirm the document is a true copy of the original and that any photograph bears a true likeness of the individual. The certifier must be an independent professional.
JMLSG, CIMA and CSSF are silent on the detail of the certification wording. Both require the certifier to be an independent professional and to have seen the original document.
IDR caters to all these requirements with the following certification text:
“I hereby certify this to be a true copy of the original document, which I have seen, and that the photograph therein is a true likeness of the person described therein.”
“I hereby certify this to be a true copy of the original which I have seen.”
It is also important to view KYC in the round. If the specific wording is not provided this does not change the principle of reliance on a certified document.
How does IDR support the changes to AML regulations within the EU fourth Money Laundering Directive
The fourth EU Directive is bringing about important changes to the way in which a firm must comply with its AML/CFT obligations. The Directive will place a greater emphasis on firms being more risk focused, both in terms of which methods and sources are appropriate for use and when a firm should, for example, apply simplified and/or enhanced due diligence standards.
IDR already compliments its clients’ risk based approach by providing the firm with the CDD needed for each level of risk for each client type and provides, for example, as an inbuilt standard relevant enhanced due diligence measures, PEP identification and indicative customer risk ratings based on factors cited by regulators.
We constantly monitor the AML requirements in each jurisdiction and will continue to adjust IDR with any further changes as this directive is implemented into local law.