Client due diligence

(CDD) is at the core of our financial crime controls. It enables us to confirm who our clients are, understand their ownership and control structures, and assess the purpose and intended nature of their instructions. Without CDD, we cannot meet our regulatory and professional obligations, and we risk being used to facilitate criminal activity.

CDD consists of three key elements:

1. Identifying the client - establishing who they are. Where the client is not an individual, this includes identifying and verifying beneficial owners and persons of significant control.
2. Verifying their identity - checking documents or information from reliable, independent sources.
3. Understanding the purpose and intended nature of the business relationship or transaction.

Whenever a new client (that is, one not already known to you or the firm) contacts you, you must first decide whether you are willing to act. Before formally accepting instructions, you must:

• Consider who the client is, who you will be dealing with, and who controls them.
• Assess why they have approached Keystone, whether the instructions make commercial sense, and whether there are any red flags.
• Conduct an initial conflict check through the Clients Team.
• Where appropriate, carry out open-source checks (e.g. corporate websites, regulatory registers, press reports).

You should use a wide range of sources to build a clear picture of the client, including Google, LinkedIn, professional profiles, comments from referrers, and direct conversations with the client. The more you know, the better placed you are to judge risk.

Keep clear notes of the information you gather and your conclusions. If you agree to act, you must move those notes into your matter file as part of your Client/Matter Risk Assessment ("CMRA"), see below for full details. This information:

• Forms the foundation for your AML checks.
• Sets the benchmark for what is "normal" for that client, against which ongoing monitoring can be measured (i.e. reporting what's not normal and what has changed).
• Helps identify controlling parties, which is essential for conflict checks and risk assessment.

Your compliance induction will take you through this. You must read our Compliance Induction Guide and follow the procedures it sets out for every new matter.

You must always remain alert to (and check) higher-risk indicators, such as:

• Links to crime or terrorism.
• Connections to high-risk or sanctioned countries, or those that facilitate sanctions breaches.
• Politically Exposed Persons (PEPs) or their associates.
• Matters or structures that are unusually complex or unusually large given the nature of the transaction.

If any of these factors arise, you must escalate immediately to the MLRO or the Director of Operations and Compliance.

There are two ways to obtain CDD documentation:

1. Through the Clients Team (default option).
2. Directly by the acting lawyer.

Regardless of who collects the documents, they are stored centrally in the encrypted AML file maintained by the Clients Team. You may request access if needed by contacting the Clients Team during office hours.

For data protection reasons, you must not retain ID documents on your own matter file. Delete any copies received by email once they have been passed to the Clients Team, in line with the principle of data minimisation under UK GDPR.

While the Clients Team can handle the administration of obtaining documents, responsibility for compliance always rests with the acting lawyer. You must:

• Be satisfied that you know your client.
• Ensure you understand their ownership and control structure.
• Confirm that you have no suspicions about the client, their instructions, or the source of funds.

Pre-instruction checks (such as assessing the client's rationale and carrying out initial research) can only be undertaken by the lawyer bringing the client into the firm.

The CDD required depends on the type of entity that the client is. In this respect, see our Client Due Diligence Checklists (these differ depending on your jurisdiction and each one is listed below) and you should familiarise yourself with this. We include all counter-terrorism checks within our AML checks.

UK CDD Checklist Isle of Man CDD Checklist