Investment service providers have a statutory obligation to identify and know their customers. Banks, insurance companies, investment firms, management companies and payment institutions must assure themselves of their customers’ true identity. They must also know their customers’ activities and background to the extent required by the nature of the customer relationship. Customer due diligence also requires that the service provider knows on whose orders transactions are made and with whose funds.
Customer due diligence is required by, for example, the Act on Detecting and Preventing Money Laundering and Terrorist Financing (Money Laundering Act), the Credit Institutions Act, the Insurance Companies Act, the Investment Firms Act, the Mutual Funds Act, the Payment Institutions Act, the Act on the Book Entry System and the Act on Alternative Investment Fund Managers.
Customer due diligence is applied prior to commencement of the customer relationship
The service provider must, as a rule, identify the customer prior to the commencement of the customer relationship. A customer relationship refers to, for example:
- opening of an account
- entering into a credit agreement
- subscribing for fund units
- concluding a securities brokerage contract
- signing of an insurance policy or
- the presence of an equivalent permanent customer relationship.
Service providers have the right to refuse customers that do not give adequate information on themselves or their operations or whose size, place of business or nature of operations is in conflict with the business strategy of the service provider.
Identity is verified by a document, for example a passport or an official ID card
Service providers must assure themselves of the customer's true identity. Identity must be verified on the basis of a document obtained from a reliable and independent source. The person should be unambiguously identifiable and the relevant personal information explicitly verifiable from the verification document.
When a customer relationship is established face-to-face with the customer, the identity should be verified on the basis of a valid identification document issued by authorities. If the customer relationship is established without meeting the customer face-to-face, for example in an online service, the customer's identity can be verified without the customer being physically present, for example by using an electronic identification device that fulfils the criteria for a strong electronic identification device, such as an online banking code or a mobile certificate.
In Finland, passports and identification cards issued by the police are the only documents issued explicitly for proving a person’s identity. The process of granting a driving licence is not equivalent to that for granting a passport and an identification card, and a driving licence has fewer security features.
The following documents issued by Finnish authorities are commonly used for identity verification:
- identification card
- driving licence
- diplomatic passport
- alien’s passport and refugee travel documents, and SII card (Kela card) containing a photo
- passport granted by foreign authorities
- identification card acceptable as travel document.
On the basis of its own risk management principles, the service provider may decide which documents it will accept for verification purposes.
Information necessary for customer due diligence
Section 10 of the Money Laundering Act contains provisions on the information that service providers are obliged to obtain for customer due diligence purposes. Some of the information is explicitly specified in section 10, while in the case of some information the level of detail required is left to the service provider’s risk-based assessment. The law requires service providers to obtain information on, for example, their customers’ transactions and the grounds for using a service or product. Service providers are also obliged to arrange adequate monitoring to identify potential discrepancies in customers’ transactions.
The following information is necessary and essential in establishing and maintaining a customer relationship involving basic banking services:
- customer’s name, address, personal identity number and nationality
- information on whether the customer holds an important public position abroad (politically exposed person, PEP) or whether he/she is a family member or a close associate of such a person
- information on the customer’s life situation, describing his/her financial status (e.g. employer, pensioner, student)
- information on whether the customer relationship to be established is the customer’s main banking customer relationship
- information on the origins or source of funds and regular payment transfers/cash flows
- assessment of the customer’s regular payment transaction volumes
- assessment of the customer’s foreign payment transaction volumes and the grounds for such transactions
In the context of basic banking services, a customer relationship refers to one in which the customer only has a payment account, a payment card and access to online banking.
In other customer relationships, the bank may be justified in requesting, in addition to the information referred to above, other information affecting customer due diligence. The necessity for such information depends on the nature and extent of the customer relationship.
When a person handles another person’s matters as his/her representative, for example as a guardian of a minor, some other advocate, an administrator of an estate or an agent, it is not necessary to request from the representative due diligence information concerning him/herself. The service provider must, however, identify and verify the identity of the representative and ascertain that he/she has the right to act on behalf of the customer.
If necessary, the bank may request from the customer documentation to clarify information he/she has provided.
More detailed clarification may be requested on the origins of funds
Customer due diligence requires that the service provider knows on whose orders transactions are made and with whose funds. Service providers have a statutory obligation to request from the customer information on the customer's need to use the services and information on the customer's transactions, financial status and use of services.
In some situations, these clarifications may be referred to as a 'money laundering form' or 'money laundering questions', even though they generally only concern the statutory collection of information required for customer due diligence.
The service provider is entitled to enquire, if necessary, about the origin and purpose of funds paid into an account. A bank may, for example, request from the customer written clarification on the origin of funds paid into the customer's account as well as certificates on the customer's business, extracts from various registers, or other documents, such as bills of sale or a will.
Payer’s personal information may be examined in connection with payment of invoices in cash
The requesting of personal information, for example at a bank in connection with the payment of an invoice, is based on the EU regulation on information on the payer accompanying transfers of funds. In connection with cash deposits and cash payment of an invoice exceeding EUR 1,000, banks are required under the relevant regulation to verify the identity of their customers.
Banks and other service providers may apply stricter internal instructions on the verification of customer identity, and some banking groups may apply a lower limit for the verification of identity.
Identification records are documented and retained
Service providers must document the customer identification and due diligence information. The information may be documented by, for example, taking a copy of the verification document.
Under the relevant regulations, service providers are also required to keep records of the name, number or other identifying information of the document used in the verification of identity, and information on the authority that issued the document. The information must be retained for five years after the termination of a regular customer relationship.
Informing the customer on the processing of due diligence information
The Personal Data Act requires service providers to inform their customers in a clear manner as to why and for what purpose information is requested.
According to the Personal Data Act, only such information as is necessary for its purpose may be collected on customers. Processing of customer information must be planned in advance and specified according to the task in question.
The new Money Laundering Act, which enters into force in 2017, obliges service providers to inform their customers that customer information is used for the prevention of money laundering and terrorist financing. The new Act states that personal information obtained solely for purposes referred to in the Money Laundering Act may not be used for marketing. On the other hand, the same personal information collected on other grounds, such as for granting credit or providing investment services, may be used for marketing if the customer has been informed accordingly. The customer always has the right to forbid the use of personal information for marketing purposes.