Technological solutions that verify the identity of natural persons by taking pictures of IDs or passports and recording a few frames of the user’s face do not comply with the legal regulations on anti-money laundering and terrorism financing (KYC AML) in the financial industry.
The reason is simple: the process has low technical security, the electronic proof it provides is weak, and it lacks integrity. The resulting security level is far below what is required for formal customer identification under the strictest regulations in this area, which have set a higher standard for the technical requirements to use streaming video in these KYC and AML processes.
How can we check this information about KYC AML?
In US standards:
Given the multiple cases of fraud in customer identification in KYC AML processes, the US Department of Commerce, through the National Institute of Standards and Technology (NIST), created digital identity guidelines (NIST SP 800-63A), updated in June 2017, which establish three assurance levels for enrollment and identity proofing, classified as low (IAL1), medium (IAL2), and high (IAL3).
High assurance (IAL3) is the equivalent of in-person identification and is suitable for opening accounts remotely. This level requires human intervention (see point 4.5 of the document) and proposes continuous high-resolution video transmission (see 220.127.116.11 of the document).
This document allows solutions that take pictures/selfies for medium assurance (IAL2) if combined with other strong evidence of the person’s identity, in addition to pictures taken or scanned of the ID and recording of the person’s face. Strong evidence is usually bill receipts or proof of address, or background checks of information on the identity of the person being identified.
This would make this kind of solution riskier in the European Union because, for privacy reasons and unlike in the Anglo-Saxon world, they are not allowed in Europe: personal data, even public data, cannot be processed by organizations before the affected people give their express consent.
In European standards:
Given the arguments above about the low security of pictures or selfies, there are no best practices, authorizations or non-in-person identification procedures from regulators in the financial industry in Europe to use identity verification solutions based on simple images.
Almost all the European Union’s Member States authorize or are preparing authorizations for procedures to identify customers through the online channel rather than in person. Some cases/references are:
BAFIN (Bundesanstalt für Finanzdienstleistungsaufsicht) – German regulator
FINMA (Swiss Financial Market Supervisory Authority) – Swiss regulator
CSSF (Commission de Surveillance du Secteur Financier) – Luxembourg regulator
BdP (Banco de Portugal) – Portuguese regulator
FCIS (Financial Crime Investigation Service under the Ministry of Interior) – Lithuanian regulator
SEPBLAC (Servicio Ejecutivo de Prevención de Blanqueo de Capitales) – Spanish regulator
In Latin American standards:
CNBV (Comisión Nacional Bancaria y de Valores) – Mexican regulator
In Asian standards:
MAS (Monetary Authority of Singapore) – Singapore regulator
Please note that all these procedures/authorizations are freely available to read online.
There are two types of solutions for KYC AML
Continuous video transmission is becoming a standard to identify customers in the online channel. We’re seeing two types of solutions: the so-called synchronous solutions (videoconferencing with an agent who interviews the customer online) and asynchronous solutions (where a video is recorded via streaming, with the regulated entity ensuring control over and integrity of the video recording process, and a qualified agent verifies it offline later).
These solutions can be combined depending on the use case: videoconferencing for consultative sales to capture new customers, and asynchronous video in capture processes that require agility in contracting, where the company’s goal is to bother the customer as little as possible.
Complaints about the illegal use of selfies
There are not a lot of fintech companies that carry out an end-to-end customer onboarding process with digital selfie solutions. We haven’t found a single bank that uses them. The process’s low technical security, combined with a lack of legal regulations, has led to the process being denounced and investigated by the regulators. This circumstance, besides being a scandal, can seriously hurt clients and investors, because it opens a space for criminal activities and, at the same time, puts at risk the security of clients’ deposits and the economic valuations of these companies.
If you want to know more about these complaints, you can check Archywordys and Tellerreport. You can also find information in Spanish in El Confidencial, and in French in La Tribune, NC, FrenchWeb, Scoop.it and cBANQUE. In Germany, you can have a look at the various news articles from WirtschaftsWoche: one, two, three and four; but also in Tages Spiegel, Handelsblatt, t3n, Spiegel, Heise, Gründerszene, Börsen-Zeitung, Private Banking Magazine and Tiroler Tageszeitung.