These extraordinary times are highlighting one very real issue for all businesses required to combat money laundering, namely: how to verify the identity of new customers and re-verify the identity of existing customers during the relationship lifecycle without any physical interaction.
Verifying that a person is who they say they are is the bedrock of any effective AML regime, but if customers are unable to present themselves with their ID docs – or even visit document certifiers – the system risks failing in a fundamental way.
What, then, are businesses to do?
The answer lies in RegTech advances, and the advent of electronic identity and verification (eIDV/eID&V) tools such as our own RiskScreen Verify. But while most businesses recognise the undoubted benefits such eIDV solutions bring both to their own processes and to their end-customer’s onboarding experience, there is also concern as to whether they meet local regulatory requirements.
What does FATF say?
Although AML regulations are specific to individual jurisdictions, there exists a great deal of commonality as all jurisdictions seek to satisfy the requirements set out by the global money laundering watchdog, FATF (Financial Action Task Force). On 1 April 2020, the FATF President, Xiangmin Liu, released a statement entitled ‘Covid-19 and measures to combat illicit financing’ in which he said the following:
In line with the FATF Standards, the FATF encourages the use of technology, including Fintech, Regtech and Suptech to the fullest extent possible. The FATF recently released Guidance on Digital ID, which highlights the benefits of trustworthy digital identity for improving the security, privacy and convenience of identifying people remotely for both onboarding and conducting transactions while also mitigating ML/TF risks. The FATF calls on countries to explore using digital identity, as appropriate, to aid financial transactions while managing ML/TF risks during this crisis.
Putting this into practice
Jersey is one FATF-compliant jurisdiction whose example is often followed by others. It’s worth taking a moment to consider Jersey’s approach to eIDV. See, for example:
The Jersey Money Laundering Order Art 3(4) defines “identification” as:
- Finding out the identity of that person, including name and legal status; and
- Obtaining evidence, on the basis of documents, data, or information from a reliable and independent source, that is reasonably capable of verifying that the person to be identified is who the person is said to be and satisfies the persons responsible for the ID that the evidence does establish that fact
The Jersey AML Handbook at 4.2 para 9 states:
Evidence of identity can take a number of forms. In respect of individuals, much weight is placed on identity documents and these are often the easiest way of providing evidence as to someone’s identity. It is, however, possible to be satisfied as to a customer’s identity by obtaining other forms of confirmation, including independent data sources, E-ID and, in appropriate circumstances, written assurances from obliged persons.
The Jersey Financial Services Commission (JFSC)’s Guidance on e-ID at 18.104.22.168 states:
Features of smart phone and tablet applications (and wrap-around systems) that may be used to mitigate the risk that documents have been tampered with or forged may include:
- The copy of the document is of a very high level of clarity and resolution, such that its contents can be adequately viewed and/or enlarged to aid review;
- The copy of the document is automatically matched to a “template’ for the particular form of identity document used;
- Data on the document is compared to biometric and other data stored on the machine readable code/algorithm on the document;
- Data on the document is automatically examined for use of unauthorised print fonts and unexpected character spacing;
- The copy of the document is automatically examined to confirm the existence of security features (e.g. watermarks, holograms, micro-text, etc.);
It’s not always about wet ink
During a JFSC update webinar on 27 April 2020, the JFSC made the following points to industry in an effort to explain the flexibility in the AML regime to help firms facing difficulties, stating that ‘eID&V is a very good tool for identity purposes’.
- It acknowledged FATF’s call of 1 April 2020 for the appropriate use of technology
- It acknowledged that firms who have moved away from paper-based methods are having fewer problems during Covid-19
- There is no requirement to use either certified copies or wet ink documents generally
- There are several valid options available to firms in line with the Guidance as follows:
- Original documents
- Certified copies (which is where the ‘wet ink’ requirement comes in)
- External data sources
- It encourages firms that have historically relied on traditional document-based methods to embrace other options
- All options are safe harbours and none are necessarily to be regarded as temporary solutions – so there is no need to revert back to a previous original or certified copy document procedure if a firm begins to embrace eIDV
- It would treat the decision by a firm to use eIDV in the same way as any other decision by a firm to embrace a new technology, process or procedure, i.e.: through the application of a risk-based approach
- It will want to see evidence of the firm’s thought processes in coming to a decision on a particular deployment, saying that even if they disagree with the final decision, the worst that could happen is that the firm is asked to amend its process.
The JFSC emphasised the criticality of checking the authenticity of identity documents. This is, in fact, a distinct advantage offered by eIDV solutions. RiskScreen Verify, for example, includes biometric, document and database checks that verify that documents have not been forged or tampered with. Such features offer a significantly higher level of AML assurance over traditional document-based ID processes.
Pragmatism is welcome
The pragmatic approach to identity verification outlined by the Jersey regulator is clearly sensible and welcome. Other regulators have issued similar guidance and it is hoped that more will follow suit to enable businesses to continue to conduct business in a fully AML-compliant manner throughout the lockdown and beyond. One happy coincidence of COVID-19 is the acceleration in the digitisation of AML workflows, facilitating process optimisation and higher levels of AML assurance – a movement that firms like ourselves, at RiskScreen, obviously welcome – but one that is also significantly beneficial to the customer experience.
To find out more about how easy it is to start using RiskScreen Verify to identify your prospects and customers remotely, please go to https://riskscreen.com/solutions_verify/.
For further reading, please see: