The Criminal Finances Act (2017) has dramatically changed the compliance game for finance professionals, particularly when it comes to Customer Due Diligence (CDD). Why? Because failing to take proper precautions with client relationships could mean your firm ends up in hot water, and you might too. This means knowing what steps you need to take to stay compliant, and why getting this right isn't just about avoiding fines: it's about protecting your career and reputation.
If you work in finance, law, compliance, or any kind of corporate advisory role, you need to understand how this legislation connects with CDD. Let’s dig in.
What is the Criminal Finances Act?
The Criminal Finances Act 2017 is UK legislation designed to tackle financial crime more aggressively. It gives regulators and enforcement agencies sharper teeth when it comes to fighting:
That means a company can now be prosecuted even if it didn't directly commit a financial crime, if someone acting on its behalf (an "associated person") did and the company failed to stop it.
What makes these offences particularly noteworthy is the concept of strict liability. This means that companies can be held responsible even if senior management has no knowledge or involvement in the wrongdoing. The only defence? Being able to demonstrate that you had "reasonable prevention procedures" in place.
This act has created "seismic changes to UK corporate criminal liability". But it's not just UK companies that need to worry: any company with a UK connection falls under its scope.
Let that sink in.
The Economic Crime and Corporate Transparency Act 2023
There is a significant relationship between the Criminal Finances Act 2017 and the Economic Crime and Corporate Transparency Act 2023 (ECCTA). Both are UK laws that form part of a progressive legislative framework aimed at combating financial crime and corporate misconduct.
Here's how they connect:
Criminal Finances Act 2017:
- Created corporate offences for failure to prevent facilitation of UK and foreign tax evasion.
- Established the principle of corporate criminal liability for failing to prevent certain financial crimes by associated persons.
Economic Crime and Corporate Transparency Act 2023:
- Received Royal Assent in October 2023 and represents a comprehensive overhaul of the UK's corporate and economic crime legal framework.
- Extends the "failure to prevent" model with the introduction of new corporate offences, which include Failure to Prevent Fraud.
Legislative Continuity: The 2023 Act essentially expands upon the groundwork laid by the 2017 Act. Both use the same underlying principle of holding corporations criminally liable when they fail to implement adequate procedures to prevent associated persons from facilitating certain crimes.
The progression from the 2017 Act (focusing on tax evasion) to the 2023 Act (adding fraud and other economic crimes) demonstrates the UK government's systematic approach to strengthening corporate accountability in financial crime prevention.
How Does This Affect Customer Due Diligence?
Customer Due Diligence (CDD) forms the backbone of your "reasonable prevention procedures." But what exactly does effective CDD look like in the post-CFA world?
At its core, CDD means:
- Identifying and verifying your customers' identities
- Understanding the nature of their business and transactions
- Assessing the risk they might pose
- Monitoring relationships on an ongoing basis
Think of it like online dating. You don’t want to go all-in on someone without doing at least a little background check, right?
The Criminal Finances Act raises the stakes significantly. Previously, compliance could have been seen as a box-ticking exercise. Now, it's a critical shield against corporate criminal liability, which can bring:
- Unlimited fines
- Regulatory sanctions
- Serious reputational damage
And here's the kicker: Senior management doesn't need to know about the wrongdoing for the company to be liable. Your CDD processes are your company's best defence.
When CDD Goes Wrong (with Examples)
Let’s make this more tangible:
Example 1: The Property Developer Case
A UK bank processed multiple large cash deposits for a property development company. The company claimed these were legitimate investor funds from overseas partners. Traditional CDD checks were performed—the client provided identification, the business seemed legitimate, and the bank filed the required reports for large transactions.
What went wrong? The bank didn't dig deeper into the source of funds or the overseas "partners." It turned out these funds were proceeds from tax fraud in another country, being laundered through UK property investments.
Under the Criminal Finances Act, the bank faced substantial penalties not because it actively helped with tax evasion, but because it failed to prevent it through inadequate due diligence.
Example 2: The Consulting Fees Problem
A financial services firm helped a corporate client structure "consulting fees" paid to offshore entities. Basic CDD was performed—the client was a long-standing customer with proper identification, and the transactions appeared to match their normal business activities.
The problem, however, was that these "consulting fees" were being used to evade corporate taxes. The financial firm didn't ask enough questions about the consulting services or verify whether they were genuine business expenses.
Under the CFA, the firm could be held liable for failing to prevent the facilitation of tax evasion, even though it didn't knowingly participate in it.
Common Pitfalls to Avoid
Even well-intentioned professionals can fall into these common CDD traps:
1. Over-Reliance on Client-Provided Information
It's easy to accept documents and information at face value, especially from long-standing clients who seem trustworthy. However, this creates significant vulnerabilities. Client-provided information should be treated as just the starting point of your verification process, not the end.
For example, a client might present perfectly legitimate-looking business registration documents, but without checking against official company registries, you might miss discrepancies in ownership structures or incorporation dates. Similarly, clients might provide financial statements that appear professional but contain inflated revenues or understated liabilities. Without cross-referencing against independent sources like credit reports, tax filings, or public records, these misrepresentations can go undetected.
Consider implementing specific verification steps like:
- Consulting independent databases and registries to confirm business existence and details
- Utilising adverse media screening to identify potential reputation issues
- Verifying addresses through third-party services
- Cross-checking transaction patterns against industry benchmarks
- Seeking confirmation from multiple sources for high-value or unusual activities
2. Treating CDD as a One-Time Event
Many professionals complete thorough due diligence during onboarding but fail to maintain the same vigilance throughout the relationship. Client circumstances, ownership structures, and risk profiles can change dramatically over time.
A client that starts as low-risk might gradually shift their business model toward higher-risk jurisdictions or customer bases. Transaction patterns might evolve slowly from legitimate to questionable. Without systematic ongoing monitoring, these gradual shifts often go unnoticed until a major problem emerges.
Effective ongoing monitoring requires:
- Scheduled reviews (frequency based on risk level)
- Automated transaction monitoring systems that flag unusual patterns
- Trigger-based reviews when significant events occur (like ownership changes)
- Periodic re-verification of key information
- Systems to capture and analyse changes in client behaviour over time
3. Applying a One-Size-Fits-All Approach
Limited resources mean you can't apply the highest level of scrutiny to every client. Yet many organisations use identical procedures for all clients, either applying unnecessarily rigorous checks to low-risk relationships (wasting resources) or insufficient scrutiny to high-risk ones (creating vulnerabilities).
A risk-based approach tailors your CDD efforts according to the level of risk presented. For example:
- A local retail business with consistent, predictable transaction patterns might require only basic verification and annual reviews
- An import/export business dealing with multiple jurisdictions would need more thorough initial checks and more frequent monitoring
- A company dealing with politically exposed persons or operating in high-risk sectors might require enhanced due diligence, senior management approval, and quarterly reviews
Without this calibration, you either waste resources or create dangerous blind spots.
4. Failing to Keep up with Regulatory Changes
Financial crime techniques evolve rapidly, and regulations change to address new threats. Criminals continuously develop innovative ways to disguise illicit funds and evade detection. Meanwhile, regulatory expectations around CDD constantly evolve through new guidance, enforcement actions, and legislative changes.
For instance, the rise of cryptocurrency has created new money laundering vectors that weren't addressed in older CDD frameworks. Virtual assets, digital payment platforms, and online-only businesses present verification challenges that traditional procedures might not adequately address.
Staying current requires:
- Regular staff training on emerging threats and typologies
- Subscribing to regulatory updates and industry alerts
- Periodic review and updating of CDD procedures
- Learning from enforcement actions against other organisations
5. Not Documenting the Rationale Behind CDD Decisions
Even the most thorough due diligence is of limited value if you can't demonstrate how and why decisions were made. In an investigation or audit, the quality of your documentation often matters as much as the quality of your actual procedures.
Many professionals make reasonable risk-based decisions but fail to record their reasoning. For example, you might decide to accept a client despite some unusual features because compensating controls are in place, but without documenting this rationale, regulators might see only the red flags and not your mitigation strategy.
Effective documentation includes:
- Recording the specific reasons for risk classifications
- Explaining any exceptions to standard procedures
- Maintaining decision logs for escalated cases
- Documenting the sources used for verification
- Creating clear audit trails showing who made decisions and when
- Storing supporting evidence in easily retrievable formats
When regulatory scrutiny comes—and eventually it will—the ability to show your thought process can make the difference between demonstrating "reasonable procedures" and facing penalties under the Criminal Finances Act.
What Should Your Company Be Doing Right Now?
So, how do you ensure your CDD practices are robust enough to provide a defence under the Criminal Finances Act? Let's break it down into a simple checklist of six essential elements:
1. Risk Assessment: Risk is client-dependent. Develop a system to categorise clients based on risk factors such as:
- Geographic location
- Industry type
- Transaction patterns
- Political exposure
2. Enhanced Due Diligence: For higher-risk clients, standard checks aren't enough. You'll need to:
- Obtain additional identification and verification
- Understand the source of funds in greater detail
- Conduct more frequent reviews
- Get senior management approval
3. Ongoing Monitoring: CDD isn't a one-time event. You need systems to:
- Track changes in customer behaviour
- Flag unusual transactions
- Review high-risk relationships regularly
- Update customer information periodically
4. Train Your Team (And Yourself): Your team needs to understand:
- Red flags for potential tax evasion
- How to escalate concerns
- Their personal responsibilities under the CFA
- The consequences of non-compliance
5. Clear Documentation: If you can't prove you did it, it's as good as not doing it at all:
- Document all CDD decisions and reasoning
- Maintain accessible records of checks performed
- Create audit trails for all verifications
- Keep records of training completion
6. Technology Integration: Modern CDD requires technological support:
- Automated screening against sanction lists
- Transaction monitoring systems
- Digital identity verification
- AI-assisted risk assessment
The Benefits Beyond Compliance
While avoiding penalties is certainly important, effective CDD offers benefits beyond mere compliance:
- Better client relationships built on transparency and trust
- Protection against reputational damage from association with criminal activity
- More efficient onboarding through streamlined, risk-based processes
- Improved business intelligence by understanding your clients better
- Competitive advantage as a trusted, compliant partner
The Bigger Picture: Risk, Reputation, and Reality
The Criminal Finances Act has fundamentally changed how professionals must approach Customer Due Diligence.
By understanding the requirements, implementing risk-based procedures, and maintaining vigilant oversight, you can not only protect your organisation from liability but also contribute to a healthier financial system.
Remember, in the world of the CFA, what you don't know can hurt you. The defence isn't that you didn't know—it's that you took reasonable steps to prevent it.
Feeling overwhelmed by these requirements? You're not alone. Many professionals are looking for comprehensive training to navigate these complex regulations.
That's where a program on Customer Due Diligence comes in. This intensive program will equip you with:
- Practical tools for implementing CFA-compliant CDD procedures
- Expert guidance on risk assessment methodologies
- Hands-on experience with case studies and real-world scenarios
- A certificate demonstrating your commitment to compliance excellence
Don't wait for a compliance issue to expose gaps in your knowledge. Invest in your professional development and future-proof your career with our industry-leading training. Your next promotion might just depend on mastering these critical skills.
FAQ
What are the sanctions under the Criminal Finances Act 2017?
The Criminal Finances Act 2017 introduced corporate offences for failing to prevent the facilitation of tax evasion. Sanctions include unlimited fines, potential criminal prosecution, and significant reputational damage to companies. Individuals involved may also face prosecution. Firms can avoid liability by demonstrating they have reasonable prevention procedures in place.
What is the Corporate Criminal Offence (CCO) under the Criminal Finances Act?
The Corporate Criminal Offence (CCO) is a provision under the Criminal Finances Act 2017 that makes a company criminally liable if it fails to prevent someone acting on its behalf (like an employee or agent) from facilitating tax evasion. It applies to both UK and foreign tax evasion and targets firms that don’t have proper anti-evasion procedures in place.