What are the AML Identification Requirements?
Before learning about the AML identification requirements, it is important to understand what a digital identity is. Nowadays, digital payments are at an annual growth of 12.7% and are estimated to reach 726 billion transactions by 2020. It’s also estimated that 60% of world GDP will be digitized by 2022. The digital identity space transformation has reached an inflection point and the standards, technology, and processes have evolved to a point where digital ID systems are becoming available at a large scale. As a response to this growth in digital identity systems, the Financial Action Task Force (FATF) recently released guidance to help governments and financial institutions integrate AML identification requirements into their compliance frameworks and ensure that their CDD and Know Your Customer (KYC), among other measures, remain effective.
What is a Digital ID System and How Does it Work?
Digital ID systems issue the process of identity proofing and authentication. The systems are used as an electronic means to check the official identity of a person online or in-person in different assurance levels. The system involves different operational models and relies on various entities and types of technologies and processes.
Identity proofing of digital ID systems can either be digital or in-person, or a combination of both, but the process of binding, authentication, credentialing, and portability must be completed digitally. Digital ID systems can use digital technology in the following ways:
- Electronic databases, which include distributed ledgers, to obtain, confirm, store, or manage identity evidence
- Credentials that are digital, to verify identity for accessing mobile, online, and offline applications
- Using biometrics to help identify or authenticate individuals
- Platforms and protocols that facilitate digital identification/verification, such as APIs.
The digital identity verification process comprises the following steps:
Collection: Customers are required to present and collect identity attributes and evidence, either in person and/or online. This is done by filling in an online form, sending a selfie photo, and uploading documents, such as a passport or driving license, etc.
Validation: Inspection is conducted digitally or in-person to ensure the authenticity of the documents and accuracy of the data. This is achieved by checking physical security features, expiration dates, and verifying attributes via other services.
Deduplication: Firms need to establish that the identification attributes and evidence relate to a unique person in the ID system via duplicate record searches, biometric recognition, or deduplication algorithms.
Verification: After collecting the evidence, firms need to link the individual to the identity evidence provided, using biometric solutions like facial recognition and liveness detection.
Enrolment in Identity Account and Binding: Firms create a new identity account and issue and link one or more authenticators with the identity account, such as passwords, a one-time code (OTC) generator on a smartphone, and so forth. This process enables the account’s authentication.
What are the FATF AML Identification Requirements?
AML Identification Requirements: FATF is committed to ensuring that the global AML/CFT standards encourage responsible financial innovation. The use of new technologies is supported in the financial sector, which strengthens the implementation of AML/CFT standards and financial inclusion goals.
Yet, FIs should also understand the risks in integrating large-scale digital ID systems, which can risk privacy, fraud, identity theft, data security, and so forth. The purpose of FATF Guidance is to assist governments, regulatory bodies, and other authorities in determining how digital ID systems can be used to conduct certain elements of customer due diligence (CDD), and how it works is essential to apply the risk-based approach.
The FATF AML Identification Requirements include the requirement to identify and verify customers’ identities using ‘reliable, independent’ source documents, data, or information.
Here, “identity” refers to an official identity, which is distinct from broader concepts of personal and social identity that may be relevant for unofficial purposes (e.g., unregulated commercial or social/peer-to-peer interactions, which are conducted in person or on the Internet).
Official identity is the specification of a unique natural person that is based on their characteristics or attributes which establishes their uniqueness in the population or particular context and is recognized by the state for regulatory and other relevant official purposes. It is required that digital source documents, data, or information must be reliable and independent. This means that the digital ID system used to conduct CDD relies upon the technology, adequate governance, processes, and procedures to provide assurance that the system produces correct results.
FATF Recommendations
The recommendations provided by the Financial Action Task Force (FATF) for Digital ID is applicable to government authorities, Digital ID service providers, and regulated entities, such as banks and credit unions, which must complete CDD.
Risk-Based Approach to Digital Identification
The FATF Guidance suggests a risk-based approach to using Digital ID systems for customer identification applied by the government, regulated entities, and other relevant authorities.
This requires:
- Understanding the assurance levels of the system’s technology main components to determine its reliability.
- Creating a broader, risk-based determination of whether the particular Digital ID system provides an appropriate level of reliability and independence in light of the potential AML and other illicit financing risks at stake.
Recommendations for Government Authorities
The following includes a number of recommendations for government authorities under the FATF Guidance:
- Clarity on regulation – Government authorities are required to develop clear guidelines or regulations that require regulated entities to adopt an appropriate and risk-based approach for their use of reliable, independent Digital ID systems.
- Collaboration between Industries – Consideration for the development of mechanisms should be made to promote cross-industry collaboration in identifying and addressing vulnerabilities in existing Digital ID systems.
- Financial Inclusion – The authorities should also take measures to foster financial inclusion to remove obstacles linked to the verification of a customer’s identity. This is also to ensure that financially excluded people can be captured under the identity proofing requirements.
Recommendations for Digital ID Service Providers
Recommendations for Digital ID service providers include understanding AML/CFT requirements. The service providers are required to understand the AML identification requirements for CDD (particularly customer identification/verification and ongoing due diligence) and other regulations in relation. Firms should seek assurance testing and certification by governmental or other reputable bodies and should provide transparent information to AML/CFT regulators regarding Digital ID systems.
Recommendations for Regulated Entities
Recommendations for regulated entities that are subject to CDD requirements include:
- Record-keeping requirements – Regulated entities using Digital ID systems should have access to a process for enabling authorities to obtain the underlying identity information and evidence needed for the identification and verification of individuals. Organizations should have a better understanding of what records they must keep when using Digital ID systems for CDD, as well as the challenges for meeting record-keeping requirements for both ongoing and onboarding due diligence or transaction monitoring.
- Diligencing Digital ID Systems – Regulated entities should conduct careful due diligence when determining whether to use Digital ID to conduct CDD.
If you wish to understand more about the role of an MLRO, who looks after a firm’s AML systems, read here.
Anti-Financial Crime Compliance with Tookitaki?