Due Diligence

How can we verify identity when we carry out due diligence remotely?

Published by Tom Noon
September 2, 2020


See how you can carry out remote customer due diligence in a few simple steps.

Remote Due Diligence Checklist

Explored in detail in the video, download the remote due diligence checklist.
Video Transcript
How can we carry out due diligence on clients remotely?

When we’re unable to conduct business face-to-face, being remote from one another makes Due Diligence much more difficult.

Whether we’re dealing with a well-known client - or someone entirely new - our obligations introduce new challenges and changes to processes that impact not only our business but our customers' experience too.

We’ll cover how to deal with museums, companies, corporations and trusts - or ‘entities’ - in another video.

Relevant regulations from HM Treasury’s approved guidance made available by the British Art Market Federation (BAMF) are included at the end of this transcript.

At its most simplistic, the Due Diligence process can be broken down into 4 steps:

Request: We ask our client for information.
Verify: Establish identity.
Analyse: We assess the client relative to risk.
Store: The evidence and documentation supporting our decision is saved for 5 years.

Part One


Our due diligence process starts by requesting information from the client.

For now, let’s explore how this may affect you and your client.


Part Two


Now we must verify Identity.

Accurate verification of Identification is not only a requirement, it is the foundation upon which subsequent customer due diligence rests and therefore a vitally important step.

Verification can be achieved in a number of ways and, in most instances, if you are dealing with well-known, long-standing clients whom you have met in person, verification is satisfied by comparing your client to the likeness of the photograph and other information on the ID document that you know to be true, e.g. residential address.

The difficulty lies in instances where you have never met the customer and the relationship is entirely remote. Indeed, remote fraud accounted for more than 84% of all fraud by type in the UK alone last year.

Remoteness not only makes verification more difficult; how you plan on receiving all this information also has the potential to place your customers' information at risk from interception and theft.

So what are some of the challenges here?

So how can we verify remote customers in an easy, unobtrusive way that meets the requirements?

Part Three


As part of a risk-based approach, we will need to analyse the information from our customer, which should see you:

How does this affect you and your client?


Part Four


We must have systems in place to Store and make available ‘within specified timescales’:

How does this affect you and your client?


Part Five


A short tutorial covering how we can carry out remote due diligence is available on the page below. For now, however, here are some recommendations to help when you’re carrying out due diligence remotely:


Guidance and Regulation

Relevant Regulations from British Art Market Federation to which this article applies:
Section 2 “...The changes introduced mean that from the 10 January 2020, Art Market Participants (AMPs) as defined in the regulations must:”

Section 63: “AMPs must maintain appropriate systems for retaining records and making records available when required within specified timescales. The following must be retained:”

Regulation 18(4),(5),(6) Section 1.15. When identifying the risk associated with countries and geographic areas, AMPs should consider the risk related to: the jurisdictions in which the customer (or beneficial owner) is based, or to which they have personal links…

Regulation 18(1),(2),(3) 1.2 [...] record appropriately what has been done, and why, and the steps taken to communicate the controls within the business.

Regulation 28 (2)(a)(b), 18 Section 5.30.
The Art Market Participant identifies a customer by obtaining a range of information about him. A customer’s identity must then be verified on the basis of documents or information obtained from a reliable source which is independent of the customer.

Regulation 28(2)(a)(b), 18. Section 5.31.
Evidence of identity can be obtained in a number of forms. In respect of individuals, much weight is placed on so-called ‘identity documents’, such as passports and photo card driving licenses, and these are often the easiest way of being reasonably satisfied as to someone’s identity.

Regulation 28(12) Section 5.33.
A person’s identity can be verified in different ways, for example by:

Regulation 28(12) 5.55.
“The AMP should obtain the following information: full name, residential address and date of birth” […] 5.56. “other evidence of identity may give the AMP reasonable confidence in the customer’s identity, although the AMP should weigh these against the risks involved.”

Regulation 28(12) 5.37.
In their procedures, therefore, AMPs will in many situations need to be prepared to accept a range of documents, assessing the appropriateness of each according to the risk presented by the customer.

Regulation 28(12) 5.41.
Others accumulate corroborative information which in principle is separately available elsewhere.

Regulation 28(12) 5.42.
In using an electronic or digital source to verify a customer’s identity [...] The use of biometric information is one way of achieving the latter confirmation, as is the use of private information or codes that incontrovertibly link the potential customer (or beneficial owner) to the electronic/digital identity information.

Regulation 28(12) 5.45.
Positive information (relating to full name, current address, date of birth) can prove that an individual exists, but some can offer a higher degree of confidence than others. Some electronic sources or digital identity schemes specify criteria-driven levels of authentication that are established through the accumulation of specific pieces of identity information.

Regulation 28(12) 5.47.
Negative information includes lists of individuals known to have committed fraud, including identity fraud, and registers of deceased persons.

Regulation 28(12) 5.48.
For an electronic/digital check to provide satisfactory evidence of identity on its own, it must use data from multiple sources, and across time, or incorporate qualitative checks that assess the strength of the information supplied. An electronic check that accesses data from a single source (e.g., a single check against the Electoral Register), or at a single point in time, is not normally enough on its own to verify identity.

Regulation 35(3)(a) 5.164.
Individuals who have, or have had, a high political profile, or hold, or have held, public office, can pose a higher money laundering risk to AMPs. PEPs can pose a high money laundering risk because they may be able to abuse their position for private gain. Not all PEPs, however, pose the same money laundering risk;

There is a hierarchy depending on country of origin and rank, from higher tier officials to individuals with significant or absolute control over the levers, patronage and resources in a given area. This risk also extends to members of their immediate families and to known close associates. PEP status itself does not, of course, incriminate individuals or entities. It does, however, put the customer, or the beneficial owner, into a higher risk category. The level of risk associated with any PEP, family member or close associate (and the extent of EDD measures to be applied) must be considered on a case-by-case basis.

See also:

Section 60.
The nominated officer must make a report to the National Crime Agency (NCA) in respect of information that comes to them within the course of business where they know or suspect or have reasonable grounds for knowing or suspecting that a person is engaged in, or attempting, money laundering or terrorist financing – even if no transaction goes ahead.

Regulation 40 7.3.
AMPs must retain records concerning customer identification and transactions as evidence of the work they have undertaken in complying with their legal and regulatory obligations, as well as for use as evidence in any investigation conducted by law enforcement.

Regulation 21(8),(9) Section 3.17.
AMPs must establish and maintain systems which enable them to respond fully and rapidly to enquiries from financial investigators accredited under s3 of POCA

POCA ss 330, 331 Terrorism Act s 21A 6.1.
All persons in the regulated sector (which includes AMPs) are required to make a report in respect of information that comes to them within the course of a business in the regulated sector:

Regulation 28(12) 5.51.
In addition, a commercial organisation should have processes that allow the enquirer to capture and store the information they used to verify an identity.

Regulation 35(5)(b) Senior management approval 5.184.
Obtaining approval from senior management (see paragraph 5.174) for undertaking a transaction does not necessarily mean obtaining approval from the Board of directors (or equivalent body), but from a higher level of authority from the person seeking such approval. As risk dictates, AMPs should escalate decisions to more senior management levels.

Regulation 35(5)(b) 5.185.
The appropriate level of seniority for sign off should therefore be determined by the level of increased risk associated with the transaction; and the senior manager approving a PEP transaction should have sufficient seniority and oversight to take informed decisions on issues that directly impact the AMP’s risk profile, and not (solely) on the basis that the individual is a PEP. When considering whether to approve a PEP relationship, senior management should base their decision on the level of ML/TF risk the AMP would be exposed to if it entered into that transaction and how well equipped the AMP is to manage that risk effectively.

Regulation 39(7) 5.198.
For one AMP to rely on verification carried out by another AMP, the verification that the AMP being relied upon has carried out must have been based at least on the standard level of customer verification. It is not permissible to rely on the basis of simplified due diligence having been carried out, or any other exceptional form of verification. In order to judge whether to rely on another AMP, the relying AMP must know what CDD measures have been carried out.

See also:

Section 40.
An AMP’s policies and procedures must include [...] Ongoing monitoring activities

Regulation 40 7.3.
AMPs must retain records concerning customer identification and transactions as evidence of the work they have undertaken in complying with their legal and regulatory obligations, as well as for use as evidence in any investigation conducted by law enforcement.

ArcartaPay (Arc-Pay Ltd) is registered with the Information Commissioner's Office (ICO) and is a Service Provider approved by the UK trade associations The British Antique Dealers Association (BADA) and LAPADA.
See Regulation 28(12) 5.50.


Official Guidance from the British Art Market Federation
How to detect basic forgeries in Identity Documents from the Home Office
File a Suspicious Activity report with the National Crime Agency