Many will be familiar with when to obtain identification and verification for new clients, but if the relationship becomes a long-standing one, how often should you be monitoring this? Kate Burt explains 


In this article, I will be assessing the frequency in which private client practitioners should obtain identification and verification (ID&V) in long-running cases such as deputyships, executorships, trusts and tax work, as well as taking a look at how ongoing monitoring can work in practice.

It is first acknowledged that the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 as amended (the Regulations) are drafted very broadly, leaving room for those within scope to apply a risk-based approach to client due diligence (CDD).

The Legal Sector Affinity Group (LSAG) guidance (which is still awaiting HM Treasury approval) goes some way to provide a more prescriptive position of what is expected from practitioners, although there is still no ‘silver bullet’ to nail down the frequency in which CDD should be reapplied and this would be specific to the risk features of the firm, the client and the matter involved. While some may welcome this flexibility, others find the lack of clarity challenging.

It is further acknowledged that the topic of CDD is much broader than simply ID&V, and that CDD takes into account the wider circumstances of the client and transaction; indeed, the LSAG guidance on CDD runs to some 50 pages. The Regulations and the LSAG guidance both refer to CDD generally, rather than specifying when in particular a refresh of ID&V is required, which also adds to the frustration felt by some practitioners regarding the lack of clarity in this area.


Paraic images: ©

From my experience, the majority of private client practitioners are fairly confident in their understanding of when to apply ID&V for clients, beneficiaries, deputies, executors and beneficial owners. They are often less confident about when ID&V should be reapplied.


Some firms include details within their CDD procedures of the frequency in which ID&V should be reapplied for long-standing or repeat clients and other parties mentioned above. This length of time varies depending upon the particular risk profile of a firm – this can be anywhere from the opening of every new matter, to once a year, or as much as three years. What is reasonable for each firm will be determined though its practice-wide risk assessment (PWRA), mandated by regulation 18 of the Regulations.

Even where a firm is specific about frequency for standard situations, it may still be appropriate to refresh ID&V more frequently depending upon risk assessment on a client and matter level. For this reason, trigger points for review should be incorporated into your firm’s ongoing monitoring procedures. An example of this is where enhanced ongoing monitoring is automatically applied whenever enhanced due diligence (EDD) is applied (such as when the client is identified as a politically exposed person (PEP)). EDD may include, amongst other measures, undertaking more frequent ID&V.

Trigger points

The Regulations provide some clues as to when a firm should look to reapply ID&V when covering CDD requirements. One scenario is where there is doubt as to the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification. This may arise where, in the course of the business relationship, further information comes to light that contradicts something you have already been told or information you already have. You should consider whether you are content with the level of verification you have and make further enquiries where necessary to satisfy yourself.

Regulation 27(9) sets out a list of trigger events to take into account when determining whether CDD should be reapplied in an existing client relationship, and the most relevant trigger relating to the need to refresh ID&V is where there is any indication that the identity of the client, or their beneficial owner, has changed.

The Regulations also provide that CDD should be reapplied when a practice has any legal duty during a calendar year to contact a client under the International Tax Compliance Regulations 2015, and further, that CDD should be refreshed for an existing client where you are under a legal duty to contact a client in the course of a calendar year for the purpose of reviewing any information which is relevant to the risk assessment for that customer and relates to the beneficial ownership of the customer. When considering CDD in these circumstances, consideration of ID&V held is required.


The LSAG guidance covers ongoing monitoring of CDD in some detail at paragraph 6.21 and, in particular, the need to renew and re-evaluate CDD at appropriate intervals. The guidance states that you should operate a system of regular review and renewal of CDD and should consider reviewing (although not necessarily redoing) the CDD upon each new matter. In practice, this could mean making a note on each new matter opened for a long-standing client who instructs you for assistance with their tax returns. In this scenario, following the LSAG guidance, it is advisable to review CDD including ID&V and make a note on the file that all is in order or, in the alternative, take steps to obtain ID&V as required.

One obvious trigger for obtaining further ID&V is where a client’s passport has expired or the client has changed address. Another trigger to obtain and verify further ID documentation is where there is any indication that the identity of the client or their beneficial owner’s details have changed.

Another area to be considered for ongoing monitoring is in relation to PEPs and sanctions. These can be manually checked at the required intervals using publicly available information. Some electronic identity providers offer ongoing monitoring, where you receive alerts should your client be identified as a PEP or being on a sanctions list following your initial CDD measures.

The Law Society’s practice note on CDD suggests that smaller firms, where ongoing monitoring is done by the fee-earner as opposed to a central team, may consider implementing a system of file reviews or using a matter spreadsheet to track high-risk matters and send reminders to fee-earners, so they remember to undertake ongoing monitoring.

Other parties

Whilst it is not prescribed in the LSAG guidance or the Regulations how frequently ID&V should be refreshed for parties other than the client, such as beneficiaries, deputies or executors, it would be prudent to adopt a similar approach – that being at the outset of a matter or the parties’ involvement (in the case of beneficiaries, before a payment or transfer of ownership is made), where there is any change in the risk profile of the matter, and for long-running matters at predetermined intervals, such as annually, depending upon your PWRA.

One area of challenge identified by some practitioners is the resistance from some clients to cooperate when verifying or attempting to reverify ID, particularly when those clients are elderly, vulnerable or long-standing.

This has become a heated talking point since the publication of the new LSAG guidance, which is unequivocal in clarifying that there is no provision in the Regulations for waiving CDD requirements on the basis of long-standing or personal relationships.

The guidance confirms at paragraph 6.2 that taking this approach will not satisfy the requirement to undertake independent verification, although these factors may inform your risk-based approach. This paragraph may confirm an inconvenient truth, but it usefully highlights to clients to avoid ruffling feathers unduly.

As ever, the vital piece of work in determining your firm’s approach to CDD is your PWRA and the policies, controls and procedures that flow from this. It is not only important to have the right documents in place but also that these policies, controls and procedures are implemented through training and tested for effectiveness through independent review.