Teal blue header image

CDD and AML monitoring in syndicated lending

Part two in a series of six highlighting some of the key legal issues that can arise throughout the life of a syndicated loan facility.

In this article we examine how the UK's anti-money laundering regime impacts initial Know Your Customer (KYC) and ongoing Customer Due Diligence (CDD) requirements in the syndicated lending market. We will also look at the practical impact GDPR has had on the CDD process over the last year.

Overview – a risk-based approach

Lenders will be aware of the risk-based approach adopted in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the 2017 Regulations) which came into force on 26 June 2017.

The difficulty or the benefit depending on your perspective, of a risk-based approach is that no one size fits all. Each firm must carry out its own risk assessment by reference to its customers, products or services, transactions, delivery channels and geographical areas of operation. When considering their policies, lenders can have regard to the (non-exhaustive) Risk Factor Guidelines issued by the European Supervisory Authorities as well as the sector specific guidance from the Joint Money Laundering Steering Group (JMLSG). In addition there is the FCA's Financial Crime Guide which applies to regulated firms. This guide is non-binding and utilises the same risk-based proportionality approach found in the 2017 Regulations.

With the regulatory spotlight on this area, it is important to adhere to these regulatory obligations throughout the lifecycle of the customer relationship. 2019 has already seen Standard Chartered Bank fined over £102 million while another international bank was previously fined £896,100 and prevented from accepting deposits from new customers from 147 days for Anti-Money Laundering (AML) systems and controls breaches. The FCA has made it clear that these breaches will not be tolerated, given the emphasis placed on adherence over the past decade. So what are the risk assessments saying?

KYC and CDD requirements

The initial KYC or CDD involves identifying and verifying the identity of the customer as well as assessing the intended nature of the business relationship or transaction.

The 2017 Regulations contain a list of information to be obtained during CDD, for a body corporate this includes:

  • Obtaining and verifying its name and registered number;
  • Verifying its registered address and principal place of business;
  • Undertaking reasonable measures to ascertain and verify the relevant law the corporate is subject to; and
  • Obtaining information on its constitution and names of the Board of Directors and its senior management (subject to exclusions for companies listed on a regulated market.

In syndicated transactions who the 'customer' is and on which parties CDD must be carried out is more complicated than bilateral lending. CDD parties include:

  • Each lending party may have to carry out CDD on each borrower at the outset of the transaction;
  • If the primary syndicate are not a party to the agreement on signing, the mandated lead arranger will need to carry out CDD on the lenders to whom they are selling their commitments in the primary market;
  • The facility agent will need to complete its own CDD on all parties, lender and borrower side; and
  • Some lenders carry out CDD on any guarantors securing the borrowers' obligations at the outset although the JMLSG guidance indicates that this could wait until the guarantee is called upon.

Regulation 39 of the 2017 Regulations expressly permits a firm to rely on CDD measures undertaken by another person/firm provided that person/firm is listed in Regulation 39(3). The relying firm however retains responsibility for any failure to comply with the 2017 Regulations. Whilst this option is available, in practice many syndicated lenders prefer to carry out their own CDD. 

Risk areas in syndicated lending

The JMLSG now provides expanded guidance on the specific AML risks associated with the lifecycle of a syndicated loan. While not binding it provides a useful indication of the regulators' and courts' expectations. The money laundering and terrorist financing risks associated with syndicated lending are generally considered to be low when compared to other types of lending. This is due in part to:

  • The relationship driven nature and general size of the facilities;
  • Loans are generally documented by LMA facility documents which provide for various restrictions on the parties, allowing a level of control by each lender;
  • Each lender in the syndicate is responsible for undertaking their own CDD and ongoing monitoring; and
  • The borrower(s) is often a multi-national whose securities are listed on EU or comparable regulated markets.

The main risks/difficulties include:

  • The point of prepayment/repayment. Lenders should carefully consider payments made without a commercial rationale. LMA documentation should include provisions that the borrower(s) must provide a number of business days' notice if they intend to make a prepayment, they are also obliged to supply information that a lender requires in connection with its financial condition and business;
  • Where loans are guaranteed, guarantors may be located in a different jurisdiction to the borrower. Particular care should be taken if that guarantor is not affiliated to the borrower. The risk specifically arises where the lender seeks to enforce the guarantee and firms must therefore consider the level of CDD they perform prior to the transaction;
  • Where loans are secured, the security may be given over assets outside the jurisdiction. Additional care should be taken in these circumstances. As with guarantors, the risk of money laundering specifically arises at the point of default where the lender seeks to enforce the security so lenders may want to consider whether to perform checks at the outset to avoid any issues which may affect their ability to rely on the security;
  • Syndicated facilities are by their nature designed to allow for the departure of existing and introduction of new parties on both sides. CDD must therefore be considered each time a new borrower, guarantor or lender are added via the secondary market;
  • A firm must carry out CDD where it suspects money laundering or terrorist financing or when it doubts the veracity or adequacy of documents or information previously obtained for identification or verification. A change to the beneficial owner of the customer will also be a trigger point for CDD; and
  • Practically speaking, the initial KYC checks, being carried out simultaneously by a number of different parties, on the same parties, can create confusion and delay as each lender may have different documentary requirements to fulfil the same obligations. This can cause frustration and must be managed.

GDPR impact on syndicated lending

There was much fanfare prior to the GDPR coming into force on 25 May 2018. Commentators were nervous that the obligations placed on firms by the GDPR in relation to the processing of personal data would impinge on their ability to carry out CDD and ongoing monitoring effectively. Much has been written regarding the need to obtain the customer's consent to process their personal data. In reality the GDPR is much more permissive to the extent personal data is used to prevent or monitor financial crime. Firms will often act as controllers of personal data and in addition to the consent 'gateway' the GDPR also permits (i) processing which is necessary for compliance with a legal obligation to which the controller is subject and (ii) processing which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Regardless of which lawful basis is relied on for the processing of Customer personal data, it is recommended that you properly document the consideration of GDPR issues and in particular, the decisions made in relation to your firm's data processing in respect of CDD and AML monitoring.  In order to demonstrate compliance, this may include ensuring you retain adequate records of obtaining consent, documentation as to what legal obligation is being complied with and in the case of legitimate interests, ensuring you have conducted a legitimate interest assessment.

Contributor: Jemma Shanks

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2019. Specific advice should be sought for specific cases. For more information see our terms and conditions.

Insights & events View all