4.4.1. Ongoing Monitoring
Effective from 11/11/2021Under Article 7 of the AML-CFT Decision, LEH are required to ensure that the documents, data or information obtained under CDD measures are up-to-date and appropriate by reviewing the records, particularly those of high-risk customer categories. Ongoing monitoring allows the LEH to ensure that the Exchange Business is being used in accordance with the customer or relationship profile developed through KYC during onboarding, and that transactions are normal, reasonable, and legitimate.
As per Paragraphs 16.9.11 and 16.11.7 of the Standards, where the customer is a natural person (when CDD must be applied) or a legal person or arrangement, the customer profile must be reviewed and updated either annually, or at least upon the expiry of the ID, the trade license or the ID of any person authorized to make transactions on behalf of the customer, whichever comes first. At this time, the LEH must conduct ongoing monitoring on the customer which must consist of the following:
| • | The original ID must be verified (in accordance with Paragraphs 16.8.3, 16.9.6 and 16.9.7) and its copy must be held in the records during the review of a customer profile; | |||
| • | CDD (and, where appropriate, EDD) must be repeated and the customer profile updated, including the information required under Paragraph 16.9.4 or 16.11.2 of this Chapter. | |||
| • | CDD and EDD must also be repeated whenever there is a change in the profile of the customer; | |||
| • | LEH must scrutinize the transactions concluded by a customer to ensure that transactions are consistent with its knowledge of the customer, the customer’s business, risk profile, the source of funds and where necessary, source of the customer’s wealth; and | |||
| • | LEH must review transaction monitoring results for the customer to determine whether any STR/SARs or other reports have been filed or whether the customer’s behavior has generated alerts. | |||
Unless otherwise required, such as in the cases above mentioned, LEH should update the KYC information on customers and counterparties on a risk-based schedule, with KYC on higher-risk customers being updated more frequently. KYC updates should include a refresh of all elements of initial KYC, and in particular must ascertain whether:
| • | The customer/counterparty’s beneficial owners remain the same. | |||
| • | The customer continues to have an active status with the LEH Point of Sale system. | |||
| • | The customer/counterparty is domiciled in the same jurisdiction. | |||
| • | The customer/counterparty is engaged in the same type of business, and in the same geographies. | |||
| • | The customer/counterparty’s transactions continue to fit its profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established, or the business that the LEH expected to engage in when it established the counterparty relationship. | |||
If any of the above characteristics have changed, the LEH should risk-rate the customer/counterparty again.
Furthermore, LEH should conduct EDD when the revised risk rating demands it or if the customer/counterparty’s history of transactions is not consistent with its profile and the expectations established at account opening. In particular, if the customer/counterparty’s transactions/behavior have resulted in the filing of an STR/SAR with the FIU, the LEH should review the customer/counterparty profile and the activity that led to the report and make a determination as to whether the risk rating should be raised or the relationship should be terminated. LEH may consider requiring that the customer/counterparty update them as to any changes in its beneficial ownership. Even if this requirement is in place, however, LEH must not rely on the customer/counterparty to notify it of a change, but must still update KYC on a schedule appropriate to the customer’s risk rating.