The GFSA's guide to video calling as a way of verifying identities
Chris Hamblin, Editor, London, 22 April 2020
By popular demand, the Guernsey Financial Services Commission is telling compliance officers who work from home that all is not lost merely because they cannot verify the identities of people by meeting them physically or handling official copies of their identifying documents.
Rule 5.27 of the Guernsey regulator's rulebook permits a firm to use electronic verification to verify, in whole or in part, the mandatory data points required by Rule 5.8. Rule 5.11 requires it to satisfy itself about the validity and veracity of the identifying data that it uses to verify the same. The GFSC has circulated a handy group of "frequently asked [in fact probably only once asked] questions" to explain how Rules 5.8 and 5.11 in the context of the Coronavirus lockdown that is occurring all over the civilised world. Verification using these rules can happen through a video call on a smartphone, webcam or other device.
A compliance officer could make a video call in circumstances where the person whom he wants to 'onboard' cannot arrange for the certification of his identifying documents but can provide (or has provided) the onboarding firm with an uncertified copy; or in circumstances where that individual cannot provide the documents to the firm physically or paper/virtual copies of them.
When making use of such means, the compliance officer can obey these rules if he makes sure that the following things happen.
- The video call allows the firm and the person to make both visual and verbal contact simultaneously. For this, the call must be of a good enough quality to guarantee clear verbal communication and to allow the firm to see the man's face and his identifying data (and security features in the identifying document) most clearly.
- The individual must have his original identifying document with him during the call and not a copy.
- The firm must be able to see that the image in the document is that of the right man.
- During the call the firm must be able to review the person’s identifying data in the original identifying document that he produces.
- The compliance officer must check the authenticity of the document during the call by reviewing the security features in the original identifying document. This process can be automated if the software being used for the video call itself (perhaps through an app) can do authentication checks. Other types of software, such as a programme that checks the algorithms that generate passport numbers, might work.
- The firm must keep the following records to meet the 'CDD' (customer due diligence) requirements of paragraph 14 of Schedule 3.
CDD records
There must be a record of the relevant file on the customer that explains how the firm verified his identity and which officer of the firm did it. The record must also include the date and time of the video call and the person's "address location," whatever that is. This could in part be satisfied by way of good screenshots of the person and the identifying document during the call.
Additionally, there ought to be an electronic copy of the identifying document. If the only such record comes from the call, good quality screenshots of it (including all relevant pages or sides) are vital. They must include the photographic evidence of identity and all the identifying information on the document. Everything must be clearly visible and legible from the screenshots.
The firm should take a risk-based approach when considering the use of a video call to verify somebody's identity. Regardless of the method by which it verifies it, the firm must be satisfied about the validity and veracity of the data it uses and its evidential value should be based on the assessed risk of the business relationship or occasional transaction in question. The video identification process should only be used in cases where nobody at the bank suspects that there is any money laundering or terrorist finance taking place. There must also be no doubts about the veracity or adequacy of previously obtained data.
In circumstances where the bank has decided that the business relationship or occasional transaction is highly risky, it ought to apply other "duly diligent" measures to verify extra aspects of the customer’s identity in accordance with paragraph 5(3)(a)(v)(A) Schedule 3.
Under paragraph 11 Schedule 3, a firm is required to review the identifying data that it holds on a business relationship periodically, the aim being to ensure that it is accurate and remains relevant.