Know Your Customers
It is important for customers to be aware that the provision of a Prepaid Card is subject to regulations and that the Card Issuer has an obligation to prevent Financial Crime.
What is KYC?
When providing products that are of a financial nature it is the requirement of UK and EU regulations placed on the Card Issuer that must identify the customer first to ensure we are aware of who the customer is for anti-money laundering purposes.
The term ‘customer’ is not defined in the Regulations, however, guidance from Electronic Money Regulations and other Payment Institutions within the Money Laundering Directive advises that it is generally accepted that customers are either:
Persons (legal or otherwise) with whom intends to maintain a ‘business relationship’ (i.e. a professional or commercial relationship which is expected to be of some duration but which need not involve us in an actual transaction).
Persons (legal or otherwise) on behalf of whom we may carry out an ‘occasional transaction’ (i.e. a transaction carried out other than in the course of a business relationship amounting to €10,000 or more which may be carried out in a single operation or a number of linked transactions).
HOW DO WE DO THIS?
When undertaking business with a customer, we are required to ensure that we know who our customer is and that their source of funds is legitimate. To enable us to do this, we have implemented customer due diligence procedures which require:
- Identification of the customer on the basis of documents or information obtained from a reliable and independent source,
- Identification of an entity including any beneficial owners, on the basis of documents or information obtained from a reliable and independent source,
- Obtaining information on the purpose and intended nature of the business relationship; and
- Conducting on-going monitoring of the business relationship including scrutiny of activity and transactions to ensure they are consistent with the profile of the customer and ensuring verification of identity is kept up to date.
Enhanced and Simplified Due Diligence
Once we have established who the customer is for anti-money laundering (AML) purposes, we should assess the level of money laundering risk which they may pose to our business to enable us to apply the correct level of customer due-diligence (CDD) to them.
The Regulations set out specific higher risk circumstances where enhanced due diligence (EDD) measures are required and the lower risk circumstances in which simplified due diligence (SDD) is permitted. Standard customer due diligence will be carried out where neither SDD or EDD apply.
Enhanced Due Diligence (EDD)
EDD measures are required in the following circumstances:
- where the customer has not been physically present for identification purposes, particularly if business is conducted via the internet;
- where a firm proposes to have a business relationship or carry out an occasional transaction with a Politically Exposed Person; or
- any other situation which by its nature can present a higher risk of money laundering and/or terrorist financing.
Factors which we may consider when assessing whether a customer may present a ‘higher level of risk’ include (but are not limited to):
- The geographical location of the customer;
- The type of customer with which we are dealing (e.g. individual, corporate, etc.)
- The customer’s source of wealth;
- The customer’s source of funds;
- Whether the customer is a PEP; and
- Whether the customer features on the Sanctions List.
Simplified Due Diligence (SDD)
Under the simplified approach we are not required to apply full customer due diligence measures in circumstances in which we have reasonable grounds for believing that:
- the customer is a company whose securities are listed on a regulated market (or an equivalent market) which is subject to specified disclosure obligations;
- the customer is an independent legal professional and the product is an account into which monies are pooled;
- the customer is a public authority in the UK; or
- certain specific categories of electronic money.
We are committed to ensuring compliance with the relevant legislation and regulation in relation to financial crime prevention:
- We will discharge our duties in relation to the prevention of financial crime in the clearest possible way and to the highest possible standards.
- We will remain aware of the risks associated with financial crime and of the legal requirements imposed upon us.
- We will establish, implement, monitor and maintain appropriate risk-based policies.
- We will not accept any new customer if there is the slightest hint that the customer concerned may have links to crime.
- We will verify customer details prior to the establishment of any relationship and ensure the on-going monitoring of any continuing relationships to ensure that we reduce the risk of our business being used to further financial crime.
- We will maintain appropriate records relating to our anti-financial crime controls.
- We will rely on third party verification only where it is appropriate to do so, and will conduct monitoring in respect of any third parties on which we rely to ensure that the reliance remains appropriate on an ongoing basis.
DATA PROTECTION PRINCIPLES
The Data Protection Act (DPA) requires that all our processing of personal data should be fair and lawful and should meet one of various specified conditions. In designing and implementing each Customer Management procedure involving the processing of personal data, we must take these requirements into account and ensure that they are met.
We expect that our routine processing of personal data for New Customers and the ongoing business relationship will meet the available conditions, which is known as the “legitimate interests” condition. The legitimate interests condition will apply, and allow us to process personal data, if both are achieved:
A: the processing is necessary for the purposes of legitimate interests that we, or a person to whom we disclose the data, pursue (these may be business, compliance or other purposes); and
B: the processing is not “unwarranted” because it prejudices the rights, freedoms or legitimate interests of the data subjects.
Each processing operation should, therefore, be assessed to ensure that part A of this condition is met – i.e. we have a legitimate business, compliance or other purpose for carrying out the processing before condition B: is assessed.
Processing is justified if it is necessary to fulfil a UK legal obligation. This will include, for example, processing in order to carry out legally-required anti-money-laundering checks; or in response to a UK court order.
The DPA also prohibits the processing of excessive, irrelevant or inadequate personal data. will not collect personal data which is either excessive or irrelevant (in particular: personal data will not be collected on a “just-in-case” basis) and, of course, the data collected are adequate for the relevant purposes.
Personal data collected for any given purpose should not then be used for a purpose which is incompatible with that purpose – we would not expect this to be an issue in the ordinary course of Customer and/or Transaction Management, however. We expect the general requirement that processing of personal data should be fair to be met if all the other requirements of this Policy are met.