
Reliance on digital ID for AML purposes in the Channel Islands

Adam Pickering, Walkers, Associate, Guernsey, 18 July 2020

The Guernsey and Jersey Financial Services Commissions have for several years said that the firms that they regulate may, subject to appropriate safeguards, use electronic or digital means to meet their anti-money-laundering obligations by identifying and verifying the identities of their customers. A digital future is in the offing.

Such rules apply also to firms' efforts to stop terrorist finance. The approach of the two regulators to the verification of identities by digital means is in line with the position taken by the Financial Action Task Force (FATF) – the US-dominated body whose famous "40 Recommendations" are the accepted international standard for money-laundering control – and many regulators around the world try to satisfy them.

Nevertheless, as far as I can see, regulated firms in the Channel Islands have in large part continued to rely on traditional, paper-based means of verifying identities. These typically entail customers either producing original identifying documents when they meet their financial service providers face-to-face, or giving those financiers documents that have been certified in person by "suitable certifiers" such as lawyers or government officials.

However, ‘lockdowns’ imposed around the world in response to the Coronavirus pandemic – which has left Guernsey and is down to six cases in Jersey at the time of going to press – have in many cases made it highly impractical or impossible to verify customers' identities by such means, which has brought digital systems for the identification and verification of identities to the fore and may well persuade firms to move from paper-based to digital systems as the default means of verifying identities.

This is a transition that has been actively encouraged by the FATF, which published many guidelines on digital ID this March and subsequently suggested "encouraging the use of responsible digital identity and other responsible innovative solutions for identifying customers at on-boarding and while conducting transactions" as a potential "policy response" to Coronavirus-related money laundering and terrorist financing. We have already seen similar encouragement from some regulators, including the Jersey FSC, and expect that others will follow suit.

In what follows we shall explore the meaning of Digital ID, take a brief look at the FATF guidelines (which offer the most definitive guidance on the subject and are likely to form the basis of most regulators' approaches), and finally we shall take note of the current regulatory situation in relation to digital ID in Guernsey and Jersey.

What is digital ID?

In the broadest sense, digital ID encompasses any system that employs digital and electronic means to identify and verify the identities of people. It may range from the use of video calls to review identifying documents in cases where (as during lockdown) person-to-person meetings are impracticable, to sophisticated electronic ID applications or 'apps' which might, for example, rely on "biophysical biometrics" (such as fingerprint or facial recognition), "biomechanical biometrics" (for example, an individual's unique keyboard cadence or manner of holding a device or swiping a screen), and/or "behavioural biometrics" (for example, speech or language patterns). Such systems may also provide "continuous authentication" of identities (i.e. as well as identifying and verifying the identities of customers at the point of take-on).

Digital ID systems are not without their peculiar risks (which vary according to the system in question, but might include, for example, an especial weakness in the face of cyber-attacks and large-scale identity theft), but also potentially (again, depending on the system) confer significant advantages over traditional methods, including greater security and reliability, lower costs and greater efficiency for financial firms and greater convenience and a "higher level of financial inclusion" (the FATF's expression for persuading more and more poor people to use banks, the better to subject their financial habits to surveillance) for customers.

FATF digital ID guidance

The FATF guidelines purport to be "technology neutral," i.e. not favouring digital technology over manual work. They offer guidance to regulators, regulated entities and ID software vendors in respect of digital ID. Among other things they describe the desirable traits of a basic digital ID system, summarise the benefits and risks of digital ID for anti-money-laundering purposes and proffer advice about ways to gauge the reliability and independence of a given digital ID system using a risk-based approach. The name of the game is "customer due diligence" or CDD, a term that the Basel Committee for Banking Supervision created at the beginning of the century as a more European way to describe the new American "know your customer" controls.

The FATF's to-do list

Although a full analysis of the FATF guidelines is beyond the remit of this article, it is worth outlining the FATF's recommendations to regulated entities on the use of digital ID. They ought to do the following.

  • Understand the basic components of digital ID systems.
  • Take an informed, risk-based approach to reliance on digital ID for CDD, often by understanding a chosen system's "assurance levels" (i.e. the degree of assurance that a given Digital ID system provides in identifying and verifying the identity of a subject) and ensuring that those levels are appropriate to the money-laundering-related risks of the cases in relation to which that system is to be used.
  • Consider whether digital ID systems with lower standards of "assurance" (an undefined term) may be enough for 'simplified' (lax) CDD in cases where the risks are lower.
  • Consider reviewing and revising policies that automatically classify non-face-to-face business as highly risky to the extent that digital ID may be used to identify and verify the identities of customers – although my advice is that any such review should always be subject to national regulatory rules relating to non-face-to-face business.
  • See about using anti-fraud and cyber-security processes to support digital ID (for example, anti-fraud authentication systems might help a firm monitor accounts for CDD purposes).
  • Ensure that the firm has access to, or a process for government bodies to obtain, the underlying identifying data and evidence that supports it.

The situation in Guernsey and Jersey

The rules, regulations and guidelines that lay down Guernsey's and Jersey's anti-money-laundering rules are consolidated in the GFSC's Handbook on Countering Financial Crime and Terrorist Financing and the JFSC's AML/CFT Handbooks for regulated financial service businesses and other sectors.

In short, both jurisdictions expressly allow for the use of digital ID (either on its own or together with more traditional methods) to identify and verify the identities of customers. Although there are some subtle differences in approach between the two regulators, the general principles are largely the same. These include the following.

  • Both approaches (like the FATF guidelines) are "technology neutral": that is, they set out principles relating to digital ID without endorsing any particular technology (although the GFSC has recently issued a briefing, in response to queries received from regulated entities during the lockdown, confirming that video calls may be used to verify identities, subject to certain conditions).
  • The anti-money-laundering regimes in both jurisdictions require regulated firms to carry out formal money-laundering risk assessments in relation to the adoption of any new technology, which will obviously apply to the adoption of digital ID as well.
  • The JFSC Handbook and the GFSC Handbook do not set out definitive principles relating to the assessment of a given digital ID system. Instead, it is for any firm that wishes to buy one to understand how it is going to work and to assess the "assurance" that it might provide.
  • The general obligations placed on regulated entities in relation to identifying and verifying identities remain the same, whether they are met by traditional or digital means. A firm that wants to rely on a digital system must be satisfied that it will still meet its legal obligations in that regard.
  • In both jurisdictions, non-face-to-face business may be subject to "enhanced measures" relating to CDD: these requirements may apply to customers identified by digital means where no physical meeting has taken place or where the customer is resident outside of the jurisdiction.

A digital future

More and more advancements in this area are to be expected in the coming years, both technologically and in terms of regulators declaring themselves to be in favour of them. Some believe that firms will become more certain that people are who they say they are as a result. Some expect more and more standardisation to occur between jurisdictions. In all likelihood, the end of paper-based CDD is at hand.

* Adam Pickering can be reached on +44 (0) 1481 748 915 or at adam.pickering@walkersglobal.com
