Money laundering: electronic verification of customer identity in the time of COVID-19
With lockdown currently in place and the prospect of many months of social distancing measures even after it has been lifted, many firms are rapidly having to rethink how they conduct customer due diligence. Traditional measures, including face-to-face customer contact and the collection of certified hard copies of documents may now be impossible.
In response, many firms are now exploring undertaking electronic due diligence to verify customer identities. This necessity was recognised by the FCA in its "Dear CEO" letter of 31 March 2020, aimed at firms providing services to retail investors. This made it clear that, while the FCA would entertain some flexibility, firms were nonetheless expected to continue operating within the FCA's rules and in accordance with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
Identifying and verifying non-face-to-face customers
The basic obligation to identify a customer and verify their identity by reference to documents obtained from a reliable independent source is set out in Regulation 28 MLR 2017, as supplemented by the Joint Money Laundering Steering Group (JMLSG) guidance for the UK financial sector.
The basic position is, however, augmented for non-face-to-face customers. Regulation 33 (6) (b) MLR 2017 identifies non-face-to-face business as a factor to consider when assessing whether there is a high risk of money laundering. This suggests that non-face-to-face customers should be subject to further verification.
In the current circumstances, firms which have previously undertaken due diligence by using traditional means are struggling to verify customer identity. Offices are closed and most customers are confined to their homes, making it impossible to inspect original copy documents and obtain certified copies. Firms are also querying the necessity of additional measures that may be appropriate in order to mitigate the risk posed by non-face-to-face relationships.
Electronic verification is not new and has been recognised for years as a feasible and even desirable route for conducting due diligence. Despite this, some firms are understandably apprehensive, particularly if adopting such measures entails a wholescale revision to their current processes and procedures at a time when they are already undergoing significant upheaval.
JMLSG guidance makes it clear that firms can use electronic sources to verify a customer's identity, provided that they have both (i) verified that the customer (and (where appropriate) beneficial owner) exists and (ii) satisfied themselves that the applicant seeking the business relationship is, in fact, that customer (or beneficial owner). The latter is particularly important in order to mitigate impersonation fraud, which is a particular concern with non-face-to-face customers.
The methods of applying electronic verification vary widely. There is no one-size-fits-all approach and firms will have to consider the specific risks posed by their customers. For individual personal customers, many firms use electronic biometric verification of government issued documents and customer "selfies" or "videos".
Where a firm does not have access to this functionality, or where it would not be appropriate, the FCA has also identified the following additional measures:
- accept scanned documentation sent by email, preferably as a PDF;
- place reliance on due diligence carried out by others, such as the client’s primary bank account provider, where appropriate agreements are in place to provide access to data
- use commercial providers who triangulate data sources to verify documentation provided;
- gather and analyse additional data to triangulate the evidence provided by the client, such as geolocation, IP addresses, verifiable phone numbers;
- verify phone numbers, emails and/or physical addresses by sending codes to the client’s address to validate access to accounts; and
- seek additional verification once restrictions on movement are lifted for the relevant client group.
It should be noted that it is likely that a combination of these measures will probably need to be implemented in order to adequately verify a customer and mitigate impersonation fraud.
In lieu of carrying out their own electronic verification, firms have turned to the numerous commercial providers of such services. In relation to such providers, JMLSG guidance cautions that firms must be satisfied that the information provided by the provider is adequate and sufficiently independent of the customer. Firms must also ensure that they understand the sources of information used by the provider and, where the provider uses a method of displaying results, they understand the methodology applied. As with all outsourcing relationships, ultimately the responsibility for ensuring that due diligence is carried out correctly remains with the firm. There may also be significant costs associated with using an external provider.
The new normal
It appears that the lockdown has provided the impetus for more firms to explore electronic verification, despite a previous reluctance to do so. Careful thought is required to ensure that the provisions put in place are adequate and meet the requirements of the MLR 2017. Nonetheless, as with many other things, it appears that electronic verification may become the "new normal", even after we emerge from the current crisis.