Understanding CDD Exemptions: why Articles 17 and 18 still demand rigour

As part of its 2026 examination programme, the Jersey Financial Services Commission (JFSC) has announced that exemptions from Customer Due Diligence (CDD) requirements will be a key thematic focus. This emphasis reflects an ongoing concern: firms continue to demonstrate weaknesses in how they apply the exemptions available under Articles 17 and 18 of the Money Laundering Order.

At Cyan, we see the same challenges. Many firms struggle to understand not only when these exemptions can be used, but how to apply them correctly—particularly Article 17, which often requires a clear head, careful reading, and sometimes even a quiet room to interpret properly.

The JFSC has recently published an overview of the core obligations associated with these exemptions.

Building on that, the following article breaks down the underlying principles and the specific requirements of Articles 17 and 18 in a practical, accessible way.

The foundations that apply to Articles 17 and 18

A CDD exemption never means “no CDD”. Even when an exemption applies, firms must still:

• Obtain information on the purpose or nature of the business relationship or one‑off transaction
• Complete a customer risk assessment
• Scrutinise customer transactions and activity
• Maintain relevant records

And crucially, firms must keep written evidence showing:

• How the conditions for applying the exemption have been met
• Why the exemption is appropriate in the circumstances

There are also clear situations where exemptions are prohibited. You cannot apply a CDD exemption if:

• There is a higher risk of money laundering
• There is a suspicion of money laundering
• The customer is linked to jurisdictions that are non‑compliant with FATF standards or subject to FATF calls for enhanced CDD

As the JFSC has specified in its note on the thematic, it expects that where exemptions are used, firms must demonstrate strong governance and control, including:

• Effective board oversight
• Up‑to‑date policies and procedures
• Adequate employee training
• Ongoing monitoring of transactions, activity, and records
• Compliance monitoring and testing

Article 17: CDD Exemptions regarding Third Parties

Articles 17B–17D allow firms an exemption from applying identification measures to third parties for whom a customer is acting — such as investors in a limited partnership—but only where the risk is low. Even then, the exemption is far from a shortcut; it requires structured assessment and ongoing oversight.

Article 17B - risk assessment requirements

Under Article 17B, the exemption applies where the customer is a “relevant customer” — that is, supervised by the JFSC or an equivalent authority, or wholly owned by such a person—and carries on certain regulated business.

Before applying the exemption, firms must complete and record a risk assessment that considers:

• The inherent financial crime risk in the relevant customer’s business
• The risk of applying the exemption itself—specifically, the risk that the relevant customer may fail to complete adequate CDD on the third party or maintain required records

This assessment should also consider:

• The relevant customer’s risk appetite
• The nature and geographic location of the relevant customer’s own clients, including any PEPs or those that are higher risk
• How the relevant customer delivers its services (e.g., non‑face‑to‑face)
• The relevant customer’s stature and regulatory track record
• The strength of the relevant customer’s supervisory regime and jurisdictional AML framework
• The adequacy of the relevant customer’s CDD policies and procedures
• Whether the relevant customer relies on other parties to fulfil its own CDD obligations

Additional requirements under Article 17C

Where the relevant customer is involved in unregulated or non‑public funds—or, in some cases, trust company business or legal services—firms must:

• Complete and record a risk assessment (as explained above)
• Obtain a written assurance confirming that the relevant customer:
  • Has applied CDD to the third party
  • Will provide CDD information promptly on request
  • Has retained adequate identification records and will supply them without delay

Where using an exemption under Article 17C, firms must also conduct periodic testing to ensure:

• The relevant customer’s CDD policies and procedures are satisfactory
• The written assurances described above can be relied upon
• The relevant customer is not legally prevented from providing information (e.g. due to secrecy laws)

In practice, many firms also obtain written assurances under Article 17B.

If the relevant customer cannot provide the necessary CDD records—or you are not satisfied with their adequacy—you must apply identification measures to the third party yourself. You must also reassess whether continued reliance on the exemption for the relevant customer is appropriate in relation to other third parties.

Article 18: CDD requirements for customers and persons acting for them

Article 18 provides exemptions from:

• Identifying the customer
• Identifying and verifying persons acting on behalf of the customer
• Understanding the ownership and control structure (for non‑individual customers)

These exemptions apply in specific, lower‑risk scenarios, such as where the customer is:

• A pension, superannuation, employee benefit, share option, or similar scheme
• A public authority
• Listed on a regulated exchange or wholly owned by such an entity
• Regulated by the JFSC or an equivalent authority, or wholly owned by such an entity

Even here, firms must still complete a customer risk assessment and document:

• The rationale for applying the exemption
• How the exemption’s conditions have been met

Final Thoughts: Exemptions are not the easy option

CDD exemptions can be valuable tools, but they are not shortcuts. They require careful judgement, robust documentation, and ongoing monitoring. In many cases, applying an exemption will involve more work than simply completing standard CDD.

The key is always the same: ensure you can clearly evidence your rationale, demonstrate that all conditions have been met, and show that any arising risks are being effectively managed over time.

Used correctly, exemptions support efficient and risk‑based compliance. Used carelessly, they create vulnerabilities that regulators—and financial criminals—will quickly spot.

If you have any queries over how your business applies exemptions or would like an expert and independent review of relevant controls in preparation for a possible JFSC examination, please contact Cyan.