Customer due diligence
The supervised entity establishes its customer due diligence procedures and minimum criteria to be observed in its customer relationships applying the risk-based approach. The supervised entity must be able to demonstrate to the supervisor how it assesses the risks of money laundering related to its customer relationships and activities, and how it identifies its customers and knows and monitors their customers transactions and use of services.
A customer may also be identified and identity be verified, on behalf of the supervised entity, an agent who may be either another obliged reporting entity or another reliable cooperation partner. Customer due diligence information and documentation concerning the customer relationship must be submitted to the supervised entity or be available to the supervised entity without delay.
Obligations concerning customer due diligence
- customer identification and verification of identity
- identification, and where necessary, verification, of the beneficial owner (identifying ownership exceeding 25% and control relationships in the customer)
- identification and verification of the customer's representative
- obtaining information on the customers’ activities, the nature and extent of their business, and the grounds for the use of the service or product
- retention of customer due diligence information
- obligation to obtain information and report suspicious transactions
- internal instructions, training, contact persons, decision-making process
- development and use of risk-management and continuous monitoring methods.
Retention of customer due diligence data
Customer due diligence data must be documented and retained in accordance with chapter 3, sections 3, and chapter 4, section 3 of the AML Act.
Information obtained to fulfil the obligation to obtain information and the reporting obligation must be kept separate from the customer data. The customer does not have the right to check this information.
The retention period applicable to customer information and documents, as applicable, is five years form the end of the customer relationship or individual transaction. If the customer was identified remotely, information on the procedure or sources used in the verification must be retained.