The duty to periodically update customer data (KYC) with the banks where they hold accounts has been in force since the dawn of civilisation and the beginning of commercial relations.
The way in which KYC has been carried out has varied over the years, from personal knowledge, to the testimony of witnesses, to the current model, which is more or less global, based on self-declarations (forms), accompanied by documentary evidence to assertively determine the identity of the customer, including representatives and beneficial owners in the case of entities, their residence and/or registered office, the source/origin and amount of their income/wealth, as well as their tax identity.
The origin of the current KYC model is commonly attributed to the 1970 US Bank Secrecy Act (BSA), which introduced suspicious transaction reporting requirements in order to prevent fraud and money laundering.
The 1980s were marked by the fight against drug trafficking and more restrictive KYC and Anti-Money Laundering (AML) legislation. After the terrorist attack of 11 September 2001, Combating the Financing of Terrorism (CFT) became a crucial element of the legislative package combined with KYC, AML & CFT obligations.
In Mozambique, Law 03/96 of 04 January (the first Foreign Exchange Law) was the first practical attempt to establish controls on foreign exchange capital transactions, requiring prior authorisation by the Bank of Mozambique, which implied the collection of documents associated with the transaction and the parties involved (originator and beneficiary), embodying a kind of KYC and Know Your Transaction (KYT) requirements.
Law 07/2022 of 05 February was the first specialised anti-money laundering law. Meanwhile, the first Mozambican law to establish the KYC duty as we know it today was Law 14/2013 of 28 August (Law establishing the Legal Regime and Measures to Prevent and Combat Money Laundering and Terrorist Financing – repealed), which also included the duty to update KYC on a regular basis.
Banks and ICSFs must keep customer data up to date for as long as their accounts are active
Currently, the legislative package in force for KYC/AML & CFT matters consists of:
- Law no. 14/2023 of 28 August, which establishes the Legal Framework and Measures to Prevent and Combat Money Laundering and Terrorist Financing;
- Law no. 15/2023 of 28 August, which establishes the Legal Framework for preventing, suppressing and combating terrorism and the proliferation of weapons of mass destruction;
- Decree no. 53/2023 of 31 August: Approves the Regulation of Law no. 14/2023 of 28 August;
- Law no. 3/2024 of 22 March: Amends articles 7, 8, 9, 13, 15, 23, 50, 52, 79 and 80 of Law no. 14/2023 of 28 August;
- Law no. 4/2024 of 22 March: Amends articles 23, 26, 28, 29, 30, 33, 35 and 36 of Law no. 15/2023 of 28 August;
- Notice no. 10/GBM/2024 of 30 August: Approves the Guidelines on Preventing and Combating Money Laundering, Financing Terrorism and Financing the Proliferation of Weapons of Mass Destruction.
Legal obligations of commercial banks in customer identification
From the combination of various articles in the KYC/AML&CFT legislative package, it follows that:
- Banks and all other Credit Institutions and ICSF Financial Companies must identify and verify the identity and current address of their customers and understand the nature of their business, their sources of income, financial situation and the quality with which they intend to establish the business relationship with the institution. (Art. 32 of Notice no. 10/GBM/2024 of 30 August);
- Banks and ICSFs must require customers to provide, in writing, the identity and information of the natural person(s) who is/are the beneficial owner(s) of the business relationship or transaction, as part of surveillance measures to identify and verify their identity. (Art. 34 of Notice no. 10/GBM/2024 of 30 August);
- Banks and ICSFs must obtain all the information necessary to confirm the customer’s identity and to verify the information provided by the customer. To this end, they may use available national and international public information, cross-check information with other evidence, such as water, energy and telephone bills, telephone directories, credit registry centres, criminal records, and keep in their archives. (Art. 35 of Notice no. 10/GBM/2024 of 30 August).
What’s more, as part of the KYC duty laid down in Article 15 of Law 14/2023, banks and ICSFs must keep customer data up to date throughout the period in which their accounts are active.
Responsibilities of bank customers
The KYC duty is, by nature, a continuous and permanent duty, in that practically all the elements that make up this obligation are subject to change. For example:
- A customer’s name and marital status can change as a result of marriage and/or divorce.
- A person’s residence can change several times in the course of a lifetime.
- The source of income and/or wealth can change constantly with job changes, new commercial initiatives, expansion of a company’s business, realisation of various investments, among others.
- A company’s representatives and beneficial owners can change through decisions made in the normal course of an organisation’s activities.
In this context, bank customers and users of the financial system in general have an obligation to notify commercial banks whenever any of their identification details change.
To ensure that their clients fulfil these obligations, Article 41 of Decree 53/2023 (Regulation of the Law Establishing the Legal Framework and Measures to Prevent and Combat Money Laundering and Terrorist Financing) establishes that:
1. Financial institutions and low-risk non-financial entities must carry out regular due diligence and procedures to ensure that the information they already have, or should have, is up-to-date, accurate and complete:
(a) elements identifying customers, representatives and beneficial owners and all other documents, data and information obtained in the exercise of the duty of identification and diligence; and
b) other information provided for in these regulations.
2. The periodicity of updating the information referred to in the previous paragraph is defined according to the degree of risk associated with each client by the obliged entity, with the time intervals not exceeding three years for low risk and one year for high risk.
The updating of the information varies according to the client’s risk
In light of the above, different banks adopt different practices to ensure compliance with the legal obligation to update their customers’ KYC data, with the update period varying between 1 and 3 years for different customers and according to their risk classification, also based on criteria established in legislation.
In turn, Article 41 of Law 14/2023 gives banks the prerogative to refuse to establish a commercial relationship and/or terminate the business relationship already established if they are unable to identify their customer and/or obtain up-to-date information on this identification.
The importance of updating customer data in the functioning of the financial system and the potential consequences of non-cooperation
Mozambique is currently on the Financial Action Task Force’s (FATF) grey list, which signals that it urgently needs to improve its controls in the area of preventing money laundering and terrorist financing. KYC is the cornerstone of an effective AML/CFT programme, and commercial banks must obtain KYC data for the establishment of the business relationship and keep it updated at least annually and no more than every three years according to the customer’s risk.
It is up to customers to cooperate with banks’ efforts to comply with AML/CFT legislation and thereby help the country get off the FATF grey list in order to regain the confidence of international markets and boost the country’s economy.
From a more tangible perspective for clients, co-operation in banks’ KYC efforts is crucial to maintaining the ability to trade without restrictions with these same banks, as well as avoiding the termination of commercial relations with them due to legal requirements.