Safe custody services firm review findings

Read what we found during our series of visits in 2010 to the known providers of safe custody services in the UK, what we would expect to see if we conducted a set of similar visits again in the future, and some examples of good and poor practice for businesses under the Money Laundering Regulations 2007 (the Regulations), tailored to safe deposit businesses.

Policies and procedures

We expect businesses to apply a risk-based approach and to have policies and procedures that are appropriate and proportionate to detect and prevent money laundering and terrorist financing.

Policies and procedures should be established for customer due diligence measures, ongoing monitoring, reporting, record-keeping, internal control, risk assessment and managing and communicating these policies and procedures to members of staff.

Our findings

Most businesses had policies and procedures in place, although we found some policies and procedures that had not been recently updated or reviewed. We expect businesses to keep policies and procedures updated, and for them to be reviewed regularly. You can keep up-to-date with legislation by checking the Joint Money Laundering Steering Group website as well as our website.

Your policies and procedures should document the way you run your business, and they could therefore be useful to help train new members of staff.

Questions to ask yourself

  • Do you have policies and procedures that are risk-based, appropriate and proportionate to your business?
  • Have your policies and procedures been recently updated and reviewed, and do they accurately reflect the way you run your business?
  • Do they refer to the current legislation?

Customer due diligence

Customers’ identities must be verified on the basis of documents, data or information obtained from a reliable and independent source. Information about the purpose and intended nature of the business relationship must also be obtained.

Our findings

All businesses were verifying the identity of new customers. However, not all were identifying and verifying beneficial owners (the person for whose benefit the asset is being held). We expect businesses to verify the identity of all customers and beneficial owners.

Many businesses had no formal way to satisfy themselves that they knew the nature and purpose of the business relationship with their customers. This is a requirement in the Regulations.

Some businesses only followed their identification and verification procedures for new customers and had not applied the same level of due diligence to all existing customers. We expect businesses to achieve the same level of customer due diligence procedures for both new and existing customers. This could be done, for example, at the time of the contract renewal.

Some businesses were relying on electronic systems to carry out background checks. We would also encourage businesses to ‘know their customer’ in the more traditional sense – for example, engaging them in conversation when they visit.

Questions to ask yourself

  • Do you identify and verify all new customers and beneficial owners, and have you verified the identity of existing customers and beneficial owners?
  • Has the due diligence for your existing customers been undertaken to the same level as that for new customers?
  • Do you understand the purpose and intended nature of the business relationship you have with all your customers?

Ongoing monitoring

Ongoing monitoring of a business relationship must be undertaken, including keeping the customer due diligence documents up-to-date.

Our findings

Most businesses carry out ongoing monitoring by recording when customers visit their box. We would encourage businesses to use this data to look at patterns of visits, and know what is ‘normal’ for your customers. This would help you identify when suspicious behaviour arises – for example, if a box is suddenly being visited more often, or at ‘unusual’ hours.

Questions to ask yourself

  • Do you monitor your customers on an ongoing basis, including scrutinising their visits to you and keeping customer due diligence documents up-to-date?
  • Would you notice if the nature or frequency of contact with one of your customers changed significantly, including whether their use of your services was at odds with your understanding of your business relationship?

Enhanced due diligence and enhanced ongoing monitoring

An appropriate, risk-based procedure must be formalised for dealing with those customers who pose a higher risk, including Politically Exposed Persons (PEPs): a prominent political figure or close relative at risk for involvement in corruption.

Higher-risk customers require an increased level of ongoing monitoring.

Our findings

Some businesses did not have in place adequate measures either to identify higher-risk customers, including PEPs, or to adequately mitigate the higher risks posed by these customers. We expect businesses to have such measures in place. Most businesses did not carry out enhanced ongoing monitoring of high-risk customers after they were identified, which is a requirement in the Regulations.

Questions to ask yourself

  • Do you take extra steps to know more about your customer when you believe they may pose a higher risk to your business?
  • Do you have a procedure in place to identify PEPs?
  • Do you carry out enhanced ongoing monitoring of customers who may pose a higher risk to your business? This might include, for example, repeating background searches, talking to them regularly or analysing the frequency of their visits.


Appropriate measures must be taken so that all employees are aware of their obligations relating to money laundering and terrorist financing, and are regularly trained in what to do if they know or suspect that money laundering or terrorist financing may be taking place.

Our findings

Most businesses provided some level of training for their staff – however, this rarely included a test of their understanding.

We would encourage businesses to train staff together regularly to facilitate questions being asked. Testing the knowledge of staff is also good practice, either through a formal test or by regular discussion of, for example, high-risk areas or suspicious transactions.

It is good practice to tailor training so that it is relevant to your business – for example, by using scenarios and examples that may occur in your industry.

Questions to ask yourself

  • Do you have a formal training programme to train your staff regularly?
  • How frequently are they required to repeat the training?
  • How do you check they have understood and remembered what they are learning?
  • Do you think your staff would be comfortable asking questions both inside and outside their training environment?


Anyone in the firm who suspects or has reasonable grounds for knowing or suspecting that a person is engaged in money laundering or terrorist financing must comply with Part 7 of POCA (Proceeds of Crime Act 2002), which includes making the disclosure to the Serious Organised Crime Agency (SOCA) as soon as is practical after the information comes to them.

Our findings

All businesses had an appointed Money Laundering Reporting Officer (MLRO) or nominated officer as required under the Regulations.

Most businesses were aware of the requirement to report suspicious activity to SOCA. However, some were unfamiliar with this process or had never submitted a Suspicious Activity Report (SAR).

All staff should be aware of their individual responsibility to report suspicions to their MLRO or nominated officer, and should familiarise themselves with their business’s procedure for doing so.

All MLROs or nominated officers should know how to submit a SAR to SOCA, and be fully aware of their responsibilities.

Questions to ask yourself

  • Have you ever had reasonable grounds for knowing or suspecting that someone was involved in money laundering or terrorist financing?
  • If so, did you submit a SAR?
  • Are you aware of your responsibilities, either as a member of staff or as an MLRO or nominated person?

Record keeping and client files

Records must be kept to evidence the customer’s identity. The supporting records should also be kept in respect of the business relationship which is the subject of customer due diligence measures or ongoing monitoring. Records should be kept for five years after the business relationship ends.

Our findings

Record keeping was the area where most of the businesses we visited had room for improvement. Businesses explained the processes they had in place, but often these were not evident when we conducted the file reviews. We would expect files to fully reflect the processes in place for your business.

Almost none of the businesses were able to demonstrate through their records that they had performed appropriate customer due diligence and, where relevant, enhanced due diligence checks on all their customers.

In particular, while most businesses were able to demonstrate appropriate customer checks when they take on a new customer, some were significantly exposed to the risk of criminal activity in their business due to the lack of retrospective checking done on customers taken on before the Regulations came into force, or before their business’s policies and procedures were put in place.

You may wish to consider using a checklist for each customer file to ensure that all appropriate customer due diligence and enhanced due diligence checks have been carried out for every customer, that these are appropriately documented, and that they are subject to appropriate review. This could include a section that helps you establish the nature of the business relationship you have with your customer at the outset, and helps you document whether the business transacted by the customer is consistent with your expectations.

Questions to ask yourself

  • Are your customer files consistent? Do your files demonstrate that you have achieved the same level of customer due diligence and, where relevant, enhanced due diligence for all of your customers, whether new or existing?
  • Do your files include information detailing the purpose and intended nature of the business relationship you have with your customers?
  • Do you keep records for five years after the end of the business relationship?

Other areas of good practice

It is good practice to ‘vet’ staff before they are recruited, and to keep that vetting under review.

Two further examples of good practice we identified were that:

  • several businesses had good relationships with the police and spoke to them regularly
  • some businesses had used police services, for example using ‘sniffer dogs’ to detect drugs, to assist them in the detection and prevention of money laundering