Technological solutions to verify the identity of natural persons by taking pictures of IDs or passports and recording a few frames or user’s face do not comply with the legal regulations on anti-money laundering and terrorism financing (KYC AML) in the financial industry.
The simple reason is its low technical security, the weakness of the electronic proof provided by the process, and the weakness from its lack of integrity. This means that the security level provided is low, far from the security required for formal customer identification according to the strictest regulations in this area, which have fixed in a higher standard the level of the technical requirements to use streaming video for these KYC and AML processes.
How can we check this information about KYC AML?
In US standards:
Given the multiple cases of fraud in customer identification in KYC AML processes, the US Department of Commerce though the National Institute of Standards and Technology (NIST) created digital identity guidelines (NIST SP 800-63A), updated in June 2017, which establish three assurance levels for registration and tests in the verification of identity that are classified from low (IAL1), medium (IAL2), and high (IAL3).
High assurance (IAL3) is the equivalent of in-person identification and is suitable for opening accounts remotely. This level requires human intervention (see point 4.5 of the document) and proposes continuous high-resolution video transmission (see 220.127.116.11 of the document).
This document allows solutions that take pictures/selfies for medium assurance (IAL2) if combined with other strong evidence of the person’s identity, in addition to pictures taken or scanned of the ID and recording of the person’s face. Strong evidence is usually bill recipes or proof of address, background checks of information on the identity of the person being identified.
This would make this kind of solution riskier in the European Union because for privacy reasons and unlike in the Anglo-Saxon world they are not allowed in Europe because personal data, even public data, cannot be processed by organizations before the affected people give their express consent.
In European standards:
Following the mentioned arguments related to the low security of pictures or selfies, there are no best practices, authorizations or non-in-person identification procedures from regulators in the financial industry in Europe to use identity verification solutions based on simple images.
Video usage in this kind of procedure is reinforced thanks to the coming into force of the new AML5 Directive, together with eIDAS Regulations for confidential services. This regulation sets out the legal framework which enables the adoption of Video-Identification for new procurement processes and the opening of accounts in the financial sector, thereby standardizing the Digital Single European Market.
If you want to learn more about your new EU market, download here the full whitepaper.
eIDAS came into force on July 1st 2015 in the 28 EU States Members, by additionally implementing the performance standard 2015/1502 which sets the security levels (from low to substantial through high levels) of electronic identification. AML5 itself, in force since July 9th 2018, relies on the eIDAS security framework to identify individuals and specifically for remote client identification.
The European Commission has an experience of more than twelve years working on the eIDAS security framework by relying on the qualification in order to validate that solutions comply with eIDAS, and in this case, with electronic identification security levels, in local standardization bodies and in the figure of the CAB – Conformity Assessment Body.
To ensure the compliance of a video-identification solution, the CABs carry out an audit and issue a report known as a CAR – Conformity Assessment Report. Should you wish to adopt a similar solution, you should request a CAR from your software provider which confirms that your solution has been audited and certified to be in compliance with eIDAS regulations, as well as the high level of security.
As additional back-up, Germany has recently released the first Technical Guideline called TR-03147, regulation which came into force in December 2018 and set out the Assurance Level Assessment of Procedures for Identity Verification of Natural Persons. This TG sets out security measures for remote identification of clients exclusively by video and through I.D. documents.
Prior to the AML5 directive and eIDAS coming into force, some European Union States Members already had regulators in the financial sector with off-site identification authorizations for identifying posted clients which allows suitably liable clients to exclusively use the video technology in streaming.
Some cases/references are:
BAFIN (Bundesanstalt für Finanzdienstleistungsaufsicht)- German regulator.
FMA (Financial Market Authority) – Austrian Regulator.
FINMA (Swiss Financial Market Supervisory Authority) – Swiss regulator.
CSSF (Commission de Surveillance du Secteur Financier) – Luxembourg Regulator.
BdP (Banco de Portugal) – Portuguese Regulator.
FCIS (Financial Crime Investigation Service under the Ministry of Interior) – Lithuanian Regulator.
SEPBLAC (Servicio Ejecutivo de Prevención de Blanqueo de Capitales) – Spanish Regulator.
In Latin American standards:
CNBV (Comisión Nacional Bancaria y de Valores)- Mexican Regulator
In Asia standards:
MAS (Monetary Authority of Singapore) – Singapore Regulator.
FSC (Financial Services Commission) – Korea Regulator.
FSA or JFSA (Japan Financial Services Agency) – Japan Regulator.
HKMA (Hong Kong Monetary Authority) – Hong Kong Regulator.
Please, note that all these procedures/authorizations can be found free to read online.
There are two types of solutions for KYC AML
Continuous video transmission is becoming a standard to identify customers in the online channel. And we’re seeing two types of solutions, the so-called synchronous solutions (videoconferencing with an agent who interviews the customer online) and asynchronous (where a video is recorded in streaming, ensuring control over and integrity of the video recording process by the regulated entity and an offline verification by a qualified agent later).
These solutions can be combined depending on the use case: videoconferencing for consultative sales to capture new customers and asynchronous video in capture processes that require agility in contracting where the company’s goal is to bother the customer as little as possible.
If you want to know which are the solutions that comply with KYC AML don’t hesitate to download this guide.