As more and more galleries register with HMRC for Money Laundering Supervision, it can feel unclear what the best course of action for Due Diligence is as an art market participant. Is it necessary to use a due diligence platform, or is it possible to have effective independent systems in place? As with all businesses, concerns regarding time and costs can dominate conversations. But what does it actually mean to ‘go it alone’?
What is Due Diligence?
In order to fully understand the responsibilities of a gallery or art market participant, it is helpful to understand what exactly is meant by due diligence. Due Diligence is about building up a picture of a client to determine a level of confidence or trust in them. For many galleries or art market participants this may seem arbitrary, as many have a roster of clients they know personally and have dealt with for many years. To ‘scope out’ these people can feel unnecessary given the high level of confidence and trust already established.
However, under current HMRC guidelines, social trust is unfortunately not an effective form of due diligence on its own. This means that concrete, traceable actions need to be taken to prove what we already know: that the client is trustworthy and their funds legitimate. Put simply, there is a specific number of boxes that must be ticked before we can say Due Diligence has been performed correctly under AML regulations.
When a platform is used to ascertain this information, the process is formalised in the eyes of the client, with the platform serving as the ‘face of the request’ when personal and sensitive information has to be provided. This allows a gallery to maintain and preserve a level of trust with the client while satisfying its obligations. Indeed, for many, removing friction during an already delicate sales process is a primary concern.
But for some, this may not be a concern. Perhaps they have decided that they are comfortable asking for this information directly. For these AMPs (Art Market Participants), what factors need to be considered if they want to go it alone?
What is required to perform effective Due Diligence?
Let’s say the gallery or art market participant decides they are comfortable making the request for information directly. In order to be well informed, a gallery or AMP has several options to understand and ensure they are HMRC compliant during this Due Diligence process. They can opt to consult with a lawyer, undertake HMRC-provided training and/or take private courses on AML compliance and due diligence. However, several challenges may arise, and it is helpful to consider that a gallery will have to create an in-house system for every transaction over €10,000 (inc. VAT) which performs the following:
- Determines which documents are required to be compliant
- Ascertains what level of due diligence is needed
- Sets aside the time to securely collect, verify and analyse the information
- Ascertains whether their clients may be politically exposed persons or appear on sanctions lists
- Authors a report - or record of - due diligence, including a narrative as to why the AMP deems the relationship ‘safe’
- Comes to a conclusive decision on whether or not to proceed with the transaction
- Securely stores the information collected and the analysis performed for 5 years
Security and how to safely store confidential information
Specifically, the storage of information presents a whole new set of challenges that begins with the request for documents. Storing information in a password-protected folder in the cloud or on a hard drive presents a high risk if the information falls into the wrong hands. Moreover, the information needs to be both easily and readily accessible for staff while remaining secure: quite the challenge.
Aside from the technical infrastructure to support the saving and storage of documents (e.g. Dropbox), a business needs to ensure strict policies are in place for those who have access. It may help to ask some of the following questions:
- Does more than one person on my team need access to the file?
- Where and how is the password stored for this?
- Is 2FA (two-factor authentication) enforced to get access?
- What protocol is in place if a device containing access to this file is lost or stolen?
Going it Alone?
With this in mind, what does it really mean for a gallery to choose ‘to go it alone’? For a gallery looking to undertake this process independently, their AML shopping list may look something like this:
- A way to request and transmit information without interference/interception (NOT in an email that can be hacked easily)
- Access to independently reliable, positive and negative data (e.g. reputational risk analysis, PEP, sanctions, social media, business profiling, occupational risks, company risks etc)
- Software to build reports that can store, log and timestamp your research/data results and support multiple users, to demonstrate an all-important audit trail
- Report storage software that can run periodic checks/updates on your data and notify you of these checks
As this list reveals, going it alone requires a significant time investment and exposes a business to increased risks, either of non-compliance or of missing something. There is also the financial investment required for an AMP not only to set up all the infrastructure required to store and send information securely, but also to verify documents manually, navigate what level of due diligence is required and build a roster of reliable, accurate databases to reference quickly against all the required sources.
To juggle all of this while running a gallery and maintaining hard-won trust with clients requires an AMP to wear many hats: gallerist, investigator and policeman all in one. It is a huge ask that can detract from the main purpose of a gallery - to share their artwork with clients and the public.