The use of eIDV for compliance purposes
Helen Wyatt, Mourant, Partner, Guernsey, 10 May 2021
Over recent years, regulators of financial services have issued guidelines about ways to verify people's identities by electronic means, a practice known as Electronic Identity Verification (eIDV). During the current pandemic, firms have overcome any reticence that they might have had about taking this digital approach.
Many businesses have had no choice but to take on new technology so that they can still work across borders seamlessly. Guidelines, and the criteria surrounding the use of eIDV, have been available in the pronouncements of the UK's Joint Money Laundering Steering Group (JMLSG) and the Anti-Money-Laundering (AML) Handbook published by the Guernsey Financial Services Commission (GFSC). More recently, a growing volume of user reviews has built up. This means that firms are now finding it fairly easy to follow in the footsteps of the 'early adopters' of eIDV.
Some commercial operators in this market offer services that include the verification of prospective clients' identities and/or addresses. In recent months, Mourant has been keen to explore its own options in this area. We thought about refining our own services by taking advantage of eIDV and knew that our clients would be thinking about doing the same.
Our risk and compliance teams, together with our Data Protection Officer, considered the products on the market in the sure knowledge that technology like this represents the future. We opted for an 'app' that offered an identity-verifying service in more than 100 jurisdictions, together with an address-verifying service in 24 jurisdictions. The latter is limited to countries whose land registries and electoral rolls are online, but this still accounts for approximately 88% of Mourant's client base.
Factors to weigh up
There are many things to consider when thinking about introducing eIDV. Among them, one has to ensure that the chosen service provider meets the regulatory requirements and guidelines of the jurisdiction in question.
A firm that wants to choose between service providers must gauge the safeguards built into their products to protect clients' privacy and reputations. The app-provider holds the data in a jurisdiction that the European Union (and, these days, also the UK) believes to have data-protection rules that are 'equivalent' to its own. The app in question processes the data to verify each individual's identity and then passes its verification on to the client-firm, before deleting the data. The provider does not retain the data once it has sent it to the firm.
It is vitally important for the firm to be satisfied that the app-provider's IT can verify and check information well enough. These checks can include, but are not limited to, the following.
- Facial matching. The software homes in on a person's facial features, measuring such things as the distance between the eyes to determine whether it matches the passport photograph. The software behind the app also observes the size, font, sequence and holographs of passports to make sure that they are genuine. This is considered superior to looking at a certified portable document format or PDF of a passport from a 'certifier' whom the firm has never met. ‘Certifiers’ are accountants, lawyers and notaries who attest in writing that someone is a real person.
- Identity document verification. Our chosen app conducts up to 70 technical checks on a passport or identifying document that an individual is holding to make sure that it matches authentic government-issued documents.
- "Liveness testing." This a vital step in the process whereby the app looks at the face of the person being 'onboarded' to determine whether the person is there at the time of verification. This is known in the trade as a "verified live visual." It protects the process from fraudsters who might try to trick the system by using a digital or physical representation of another person. All people blink or move in some way, exhibiting their own peculiar mannerisms while speaking. Some app providers analyse this process; others ask people to touch their ears on command and analyse that. When combined with facial matching, it proves that the holder of the identifying document is the bona fide holder.
- Address verification. The service provider in question usually confirms an individual's address by looking at several sources, which can include postal data, property ownership data, direct marketing data, credit bureau data, electoral roll data, data about such utilities as phones, natural gas, electricity and/or water services and records of telecommunications. This is better than relying on a single utility bill.
Limits to information technology
Financial firms are bound to keep on obtaining physical documents when they meet clients face-to-face; eIDV is not yet the norm for all businesses in all jurisdictions and firms still have to cater for clients' preferences in this area. Mourant still uses paper certification for people who do not want to use the app or who live in jurisdictions where the firm cannot use it to certify both identities and addresses.
A firm can use eIDV to minimise inconvenience for a client by avoiding the hassle of having to find an accountant, lawyer or notary to certify documents. Often we are required to verify the identities of company directors, beneficial owners, settlors, beneficiaries, protectors, trustees and enforcers with regard to trusts. Our team worked hard to find a piece of software that fitted our business and our target clients and, so far, the feedback from clients and from our own people has been great.
The area of eIDV is growing exponentially. Because of this, and because of the spreading use of the blockchain and its tamper-resistant technology, the use of hard-copy "blue ink" certified documents will cease to be widespread in the years ahead.
* Helen Wyatt can be reached at helen.wyatt@mourant.com