Financial Services Compliance Blog - Thistle Initiatives

To Rely or Not to Rely: The Future of CDD Reliance for Investment Platforms

Written by Jessica Cath | Nov 10, 2025 3:47:00 PM

With regulators intensifying scrutiny on adviser reliance models, investment platforms face a pivotal question: continue to rely on third parties for CDD, or bring processes in-house? Michael Knight-Robson and Jessica Cath examine the shifting regulatory landscape, the practical realities of oversight, and how firms can balance operational efficiency with financial crime resilience.

As investment platforms continue to scale, the challenge of conducting effective Customer Due Diligence (CDD) processes without adding friction to onboarding flows has become more pronounced. The reliance model is widely used in the industry, with platforms dependent on advisers to perform CDD on the end investor. This model offers operational benefits and a streamlined experience for investors, yet it also brings compliance risks if not managed and controlled. Weaknesses in this model have been identified by the regulator, with increasing focus and oversight on the sector, and severe consequences when firms get it wrong. 

Since the Labour Party came into power, the UK government has said it wants the UK to be “open to business” and that it no longer wants heavy regulation encouraging financial services firms to operate in other jurisdictions. Therefore, there is an argument that now, more than ever, CDD reliance could be in favour. However, Thistle Initiatives’ experience on the ground may suggest otherwise. In this paper, we explore the big question for the industry: whether to continue with the reliance model or move to conducting CDD in-house.

The Benefits and Risks of Reliance

There are clear benefits to a CDD framework based on reliance, both for firms themselves and for customers. However, the potential financial crime and regulatory risks are also stark and must be considered when assessing any decision on CDD models.

Benefits

  • Reducing friction: Reliance avoids repeated CDD on the same customer when different regulated firms legitimately interact (e.g., within financial groups, or between investment platforms and brokers/advisors), reducing onboarding friction and customer burden.
  • Operational cost reduction: Reliance can reduce operational costs, such as paying for direct identity verification checks through a third-party provider, reducing barriers to entry for new businesses or facilitating investment into other areas of the business.  
  • Enables specialist intermediation: Where a trusted intermediary (e.g., an advisor) has a direct relationship with the customer, relying firms can leverage that intermediary’s expertise, customer knowledge, and local presence (which may often involve face-to-face interactions) to meet CDD obligations effectively.

Risks

  • Financial crime risks: If a relying firm does not properly verify, at onboarding and throughout the relationship, that the third party has sufficient CDD controls and is applying equivalent standards, the third party may not be applying effective CDD controls. Such gaps can be exploited by criminals, exposing the relying firm to financial crime risks.  
  • Regulatory risks: Even when placing reliance, the relying firm is ultimately responsible for meeting its own regulatory requirements, which include conducting compliant CDD. If the relying firm does not have a strong oversight framework (at onboarding and on an ongoing basis) and the third party is operating weak CDD controls, the relying firm is at risk of regulatory oversight, fines and enforcement.
  • Operational burdens: Counter to the benefits of reliance, an effective oversight framework often adds significant operational activity, including a detailed review of the third party at onboarding and ongoing oversight through sample checking.

Regulatory View of Reliance

When assessing whether to adopt a reliance or direct CDD model, firms must take into account the regulatory framework and current position of the UK Regulator.  

The background to CDD reliance, as with almost all of the UK Money Laundering Regulations, lies in the Financial Action Task Force (‘FATF’) 40 Recommendations. FATF’s Recommendation 17 notes that a firm may rely on a third party to perform CDD, provided the third party is itself regulated/supervised, the relying firm can obtain the necessary CDD documentation from the third party when requested, and the relying firm immediately obtains the necessary information to complete the CDD. Note “information”, not “documentation”.

This has subsequently been transposed into the UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (‘MLR 2017’) (as amended) in Regulation 39, which mirrors the controls required when relying upon another firm for CDD purposes. The Joint Money Laundering Steering Group (JMLSG) Guidance goes a little further by adding that firms should not rely on another party if Simplified Due Diligence (SDD) has been conducted. However, firms retain ultimate responsibility for compliance with the MLR 2017, even where reliance has been placed.  

Recent enforcement actions demonstrate an increasing focus on compliance with Regulation 39. In January 2025, the FCA fined Arian Financial LLP nearly £289,000 for financial crime control failings, including deficiencies in how it relied on third-party CDD checks performed by the Solo Group. Arian failed to define when reliance was acceptable (despite having written procedures for conducting due diligence itself) and lacked mechanisms to review the adequacy of Solo Group’s checks. The FCA concluded that Arian had placed reliance on a firm with no checks in place, trusting external due diligence without being comfortable with Solo Group’s processes and controls (contrary to Regulation 39). The case serves as a clear warning that reliance cannot be passive.  

This tightening supervisory stance is visible beyond enforcement, too. As reported by Citywire this time last year, a major investment platform began sending detailed questionnaires to advisers about their anti-money laundering (AML) and CDD practices after a third-party review identified weaknesses. Advisers were asked to provide information about their AML frameworks, screening tools, and governance processes, a signal of growing regulatory pressure on platforms to evidence the quality of the CDD work carried out by those they rely upon.

At Thistle, we have seen the regulator becoming more proactive and focused on the reliance model in the platforms sector. We have seen an increase in requests for information and regulatory-driven reviews, particularly on adviser reliance models and oversight frameworks. Put simply, a platform with a reliance model in place must demonstrate that its reliance arrangements are supported by clear governance structures and ongoing oversight - the FCA expects platforms to evidence precisely how accountability is maintained. Where this is not in place, firms have been subject to increased regulatory pressure, reviews, and remediation programmes. In practice, regulators have shifted from accepting reliance as the industry standard to demanding strong, evidence-based reliance models.

Operationalising Reliance Effectively

In order to take advantage of the benefits of a reliance model, the framework needs to be designed carefully and operationalised effectively. Firms should treat reliance as a risk management decision, based on their appetite, and not view reliance as ‘passing on the duty’ to another firm. The framework must have the following components:  

Clear policy and risk appetite

  • Policy: A firm’s AML Policy should define when reliance is permitted, the minimum standards a third party must meet, and escalation routes. From experience, firms should also ensure the Policy highlights the difference between Reliance and Outsourcing.
  • Risk appetite: Specify which customer types, jurisdictions, and products are in-scope for reliance (and which are not). The firm’s risk appetite statement should have quantitative Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), which are continuously monitored, to ensure any deviation from appetite is appropriately managed.

Third-party assessment 

  • Remediation: Should gaps be identified in the testing, the firm should impose immediate recommendations on the third party and ensure the third party agrees to remediating the gaps identified in the CDD files, as well as the root cause of the gaps. Furthermore, enhanced testing should be swiftly conducted to ensure the remedial actions have been appropriately closed.  

Moving Away from Reliance Using Technology 

For some firms, a combination of increasing regulatory pressure and opportunities provided by financial crime tooling has encouraged the move away from a reliance model to either non-reliance or a hybrid approach. Dependent on the firm’s risk appetite, technology stack, and particular situation with the regulator, this move may be the simplest and fastest way to provide the regulator with comfort in the firm’s CDD controls and address any immediate challenges.

Move to non-reliance

Technology now provides investment platforms with tools to modernise traditional reliance models. Through secure API connections or in-house built portals, adviser-collected CDD data can be transmitted directly to the platform and used for CDD purposes by the platform itself, often without any additional friction for the end investor. The following outlines some key functionality to be aware of:

  • CDD data capture: Ensure your portal or data capture form collects all information you need to fully identify and verify the customer yourself, as well as assess customer risk in line with your risk appetite. This will include basic information such as the customer's name, address, and date of birth, as well as factors in your risk appetite, such as income and occupation. Where possible, streamline the data capture process with drop-down boxes, automated text pre-fill (for countries, for example), and mandatory fields. Any supporting identity documents requested should be uploaded within the same portal. This will both enhance the user experience from an adviser perspective and ensure you have all the necessary data in the format you need.
  • Electronic or digital identity verification: In the platform model, the adviser often meets the investor either face-to-face or through a video call, which supports the identification and verification process and helps to minimise the risk of identity fraud. However, the platform does not have any direct interactions with the investor in most cases. To close this gap, the platform should utilise electronic verification. As per JMLSG guidance, there are various ways and opportunities to conduct electronic verification checks through verification with independent sources or through selfie or liveness checking. The choice of verification method will depend on your risk profile and risk appetite.
  • Automated screening: At the point of CDD data submission by the advisor, the platform is able to run automated screening checks for PEPs, sanctions, and adverse media (if the latter is undertaken). Whilst the advisor will also be responsible for conducting screening, this layer of screening will be configured and trained to the platform’s risk appetite and any hits addressed in line with the platform’s procedures, providing a further layer of comfort. To reduce operational burden, screening systems should be tuned to reduce false positives and only screen against lists you require.  
  • Customer risk assessment: The final piece of the CDD puzzle is assessing the overall risk of the customer. An effective non-reliance model relies on having a clear set of criteria that automatically assesses customer risk in the back-end. This will minimise any manual review or data entry, apart from cases that may require manual adjustment.  
  • Operations: Finally, the move to non-reliance requires a streamlined financial crime operational structure. Whilst there will always be operational costs associated with this model, the aim is to minimise the manual fall-out or false positive hits that require review by a financial crime analyst. To do this, any systems and tools must be configured correctly and subject to ongoing checks. Your customer risk rating methodology must also be appropriate, without over-weighting the book to ‘high risk’ and requiring more manual intervention for EDD.  

Hybrid reliance models

In reality, many platforms that have explored the move away from reliance are operating more in the hybrid reliance space. In such arrangements, advisers continue to capture client information and perform primary CDD checks, while platforms may layer some additional checks on top depending on risk appetite. For example, the platform may layer an additional identity verification check with an independent third-party source or its own PEP and sanctions checks. This approach facilitates a level of independent checks to provide assurance both to the regulator and financial crime and compliance teams at the platform, whilst allowing for a little more operational flexibility. However, as with both reliance and non-reliance, any hybrid checks and reliance placed must be clearly documented, along with a rationale as to why a duplicative check is being undertaken in a certain area.  

Conclusion

CDD reliance is a legitimate, efficient, and sometimes necessary feature of a firm’s AML framework. Yet it must be treated as an inherent risk, with appropriate systems and controls in place to mitigate that risk. Although the MLRs and JMLSG Guidance set clear minimum requirements, firms must ensure they tread carefully, developing a risk-based reliance programme which is proportionate to their business and customer relationships. This model must have strong core components, including clear roles and responsibilities (between both entities), onboarding controls, ongoing oversight, and clear governance structures. Even with these components, however, firms must appreciate that any shortfalls identified will likely be heavily scrutinised by the FCA.

In recent years, some firms have decided to pull back from utilising CDD reliance, fearing regulatory scrutiny. This is primarily based on firms not having an appropriate reliance oversight framework in place, leading to residual risks that they are unable to manage. Often, a move to non-reliance or hybrid reliance models can provide the regulator and compliance teams (at the relying firm) with additional comfort that risks are being mitigated. Platforms that invest in automating CDD flows transform reliance from a potential compliance weakness into a source of competitive strength in the long term.  

In short, reliance, when conducted well, is an efficient tool. Utilised poorly, reliance is a serious vulnerability.

Meet the Experts

Jessica Cath, Managing Partner    

Jess is a financial crime specialist who works with firms across the industry to build, scale and strengthen all aspects of their financial crime frameworks. She has advised start-ups through growth phases and supported Tier 1 banks in transforming controls, including in response to regulatory scrutiny or enforcement. Her experience includes multiple US monitorship and global Section 166 Skilled Person reviews. She also holds a Master’s in Intelligence and International Security and an ICA Diploma in Financial Crime Prevention. 

 

Michael Knight-Robson, Partner  

Michael has joined as a Partner in the Financial Crime team, working alongside Jessica Cath. With over 15 years’ experience in financial crime compliance, he was most recently a Director at BDO, where he built a strong reputation for leading s166 Skilled Person reviews and providing firms with proportionate, risk-based advice to stay compliant. His career also includes senior roles at Bovill, Lloyds Banking Group and Investec, giving him practical, well-rounded expertise to help firms strengthen their financial crime compliance frameworks.