Legal substantiation and limitations

Ensure compliance while using Non-Doc Verification.

In order to meet a demand from both AML-regulated companies and their customers for automation, speed, and minimized involvement, Sumsub offers the Non-Doc Verification approach.

As a relatively new method, non-documentary verification has associated restrictions. At the same time, it is becoming a practice recognized by regulators. Therefore, there are possible solutions and growth opportunities.

Regulatory recognition

The examples below demonstrate that document-free verification is accepted by national financial regulators.

The Unit of Financial Information (UIF) is the Argentinian AML office that regulates banks, financial institutions, online casinos, public registries, insurance companies and other industries.

In Article 23(a) of Resolución 30-E/2017 of the UIF, it is established that all individual customers of a regulated entity must be identified by at least their full name, document number and type and that only Argentinian national ID cards, or passports or ID cards issued by a foreign country, are valid documents for this purpose. Regulated entities must collect a copy of the said documents. At the same time, it is stated that “[the aforementioned provisions] are without prejudice to the provisions of Article 26 on non-face-to-face methods of identification”.

Article 26 further sets out the rules to be followed when verifying a customer’s identity remotely, establishing that it can be done via two alternative methods:

  • ...through “rigorous biometric techniques or alternative technological methods of equal strength”. These imply a procedure that includes displaying the original identity document, which requirement may be fulfilled, e.g., via a videoconference or via using the online certificate (national digital ID) issued by the National Registry of Persons (RENAPER). It is the responsibility of the obliged entity to implement the technical safeguards that ensure the authenticity, validity and integrity of the identification documents used and the correspondence of the document’s owner with the individual undergoing verification;
  • ...by collecting, through the entity's website or other alternative channels, a copy of the customer’s documents as stipulated in Art. 23 and providing the customer with a personal and non-transferable credential, containing, inter alia, a set of control questions pertaining to their identity.

To enable banks and other institutions to safely verify national identity documents, the Argentinian government has set up the Digital Identity System (SID). The SID is considered sufficiently secure because, by cross-matching the respective information with the RENAPER database, it makes it possible to confirm that (i) an individual's facial image coincides with that taken at the time of the generation of their ID and (ii) the presented ID (or data contained therein) is valid and belongs to the same person.

Accordingly, it is possible for an Argentinian customer to use their digital ID (including by accessing the ID data via SID) as an equivalent of a standard document copy for verification.

The anti-money laundering and counter terrorism financing legal framework in Australia is governed primarily by the “Anti-Money Laundering and Counter-Terrorism Financing Act 2006” (the “AML/CTF Act”) and its related regulations. In turn, the "Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1)" (the “AML/CTF Rules”) are subsidiary legislative instruments made under the AML/CTF Act and elaborating on the obligations set out therein.

Specifically regarding customer identification and identity verification procedures, Part 4.2.3 of the AML/CTF Rules sets out the minimum KYC information to be collected about an individual customer: (i) full name, (ii) date of birth, and (iii) residential address; at least (i) and either (ii) or (iii) have to be subsequently verified, pursuant to Part 4.2.6.

Further, Part 4.2.7 lists the acceptable methods of verifying the above-mentioned customer data: "reliable and independent documentation; reliable and independent electronic data; or a combination of (1) and (2) above".

The AML/CTF Rules offer different “safe harbour” verification approaches (documentation-based and electronic-based) depending on the risk profile of the customer. In cases where the risk is medium or lower, the procedure should involve, respectively:

  • For the documentation-based approach: “(a) an original or certified copy of a primary photographic identification document; or (b) both: (i) an original or certified copy of a primary non‑photographic identification document; and (ii) an original or certified copy of a secondary identification document”. The entity must also “verify that any document produced about the customer has not expired (other than in the case of a passport issued by the Commonwealth that expired within the preceding two years)” (AML/CTF Rules, Parts 4.2.10 - 4.2.11);
  • For the electronic-based approach: use of reliable and independent electronic data from at least two separate data sources is required. The entity must also verify that the customer has a transaction history for at least the past 3 years. (AML/CTF Rules, Parts 4.2.12 - 4.2.14).

At the same time, pursuant to Part 4.10.2 of the AML/CTF Rules, when choosing an electronic source as a verification basis the reporting entity must determine:

  • “Whether the electronic data is reliable and independent, taking into account the following factors: the accuracy of the data; how secure the data is; how the data is kept up‑to‑date; how comprehensive the data is (for example, by reference to the range of persons included in the data and the period over which the data has been collected); whether the data has been verified from a reliable and independent source; whether the data is maintained by a government body or pursuant to legislation; and whether the electronic data can be additionally authenticated;
  • What reliable and independent electronic data the reporting entity will use for the purpose of verification;
  • The reporting entity’s pre‑defined tolerance levels for matches and errors;
  • Whether, and how, to confirm KYC information collected about a customer by independently initiating contact with the person that the customer claims to be”.

As one possible solution, the Australian Transaction Reports and Analysis Centre suggests the Document Verification Service (DVS):

“One option for verifying individual customer and beneficial owner identification using electronic data is the Document Verification Service (DVS). This is a secure online system managed by the Department of Home Affairs. The DVS matches government-issued identity documents directly with the government organisation that issued them. This lets you check in real time that the document is current and not lost or stolen”.

Article 10 of Law N° 9.613, commonly known as the Anti-Money Laundering Law, establishes the obligation of entities (such as banks, financial institutions, insurance companies, casinos, card issuers, leasing companies, real estate companies, and in general companies that trade luxury goods) that fall under the regulation of the Brazilian AML office (COAF) to “identify their clients and keep their registries up to date, according to the norms set out by the corresponding regulatory agency”.

In general, such regulator-specific norms are receptive to digital KYC mechanisms, with obliged entities granted relatively broad discretion in choosing the external sources to rely on.

For instance, the Securities and Exchange Commission of Brazil has established the following:

“The adoption of alternative registration systems is permitted, including by electronic means, provided that the solutions adopted satisfy the objectives of the current rules and the procedures are trustworthy. [...] the procedures adopted [must] allow to confirm the customer's identification with precision” ("CVM Instrução 617", Art. 12);

In the case of banks and financial institutions, the Central Bank of Brazil has set out the following rules:

“The institutions shall adopt identification procedures that allow verifying and validating the identity of the client. The procedures shall include obtaining, verifying and validating the authenticity of customer identification information, including, if necessary, by comparing this information with those available in public and private databases” ("BACEN/DC Circular No.3978 OF 01/23/2020", Art. 16(1));

Nevertheless, for banking institutions a fully non-documentary KYC flow might only be possible in relation to local residents, since onboarding a person who does not have a CPF (Natural Persons Register) taxpayer identification number requires collecting an ID copy:

“In the customer identification process, at least: - the full name and [CPF number], in the case of a natural person [must be collected]; [...] In the case of a client who is a natural person residing abroad who is not required to register with the CPF, in the form defined by the Federal Revenue Secretariat of Brazil, the use of a travel document in accordance with the Law is permitted, and at least the issuing country must be collected, the number and type of the document” ("Circular No. 3978 by the Central Bank", Art. 16(2-3)).

The guidance on “Methods to verify the identity of persons and entities” by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) recognizes five methods of KYC. Two of these methods don’t require referral to the customer’s identity document.

The credit file method allows the customer’s identity to be verified based on the information in their credit file. The credit file must be from the Canadian credit bureau and match the name, address, and date of birth of the customer.

The dual process method allows the customer’s name, address, date of birth, and/or financial account to be verified using two different reliable sources.

The guidance suggests the following definition of reliable sources: “To be considered reliable, the source should be well known and considered reputable. For example, a reliable source could be the federal, provincial, territorial or municipal levels of government, Crown corporations, federally regulated financial institutions, or utility providers. Social media is not an acceptable source of information to verify a person's identity”.

Overall, Colombian AML regulations do not impose any particular limitations on remote identity verification means. Law n. 1121 of 2006 Establishing Regulations for the Prevention, Detection, Investigation and Punishment of the Financing of Terrorism, Art. 27, refers to the general identification duty under the AML/CFT framework: “The Colombian State and the Territorial Entities must fully identify the natural and legal entities that enter into a contracted business relationship, as well as the origin of their funds in order to prevent criminal activity”.

External Circular 100-000005 by the Superintendencia Financiera de Colombia (SFC) provides some details on what this requirement could entail in practice in Art. 5.2(a):

“To strengthen the security of the process of KYC, and when the transaction allows it, it is recommended, as an example, the following: Get to know by any legal means the origin of resources, verify the customer's identity, their address and phone number, and according to the characteristics of the negotiation, request a certificate of good standing and power of representation in the case of corporations and any other additional documentation that is considered to be relevant. Information provided by the customer, as well as the name of the person that verified it, must be duly stored, with a time and date stamp, for evidence purposes of the due diligence”.

Art. 5.2(f) of the same Circular reiterates that, “if a certain negotiation does not require the physical presence of the parties, it is essential that the company adopts the necessary measures for the full identification of the natural or legal person with whom the transaction will be carried out”.

Additionally, the 2023 GAFILAT Report refers to the following requirements established by the SFC:

“...item 4.2.2.2.1 of the Legal Basic Circular <...> amended in 2020 sets forth that supervised entities may not initiate formal or legal relations with the potential customer before (i) information has been collected to conduct the know-your-customer procedure; (ii) necessary information has been checked, especially the identity of the potential customer (...). In addition, when external databases are used, supervised entities must conduct a risk analysis associated to such source to assess the quality, reliability, and accuracy of data for ML/TF risk management purposes. Supervised entities must make verifiable means that prove the performance of such risk analysis available to this Superintendence”.

E-KYC projects based on the national digital ID are actively being developed in Colombia, such as the National Registry Office conducting pilots of biometric authentication with several banks, with other businesses encouraged to follow the example. Therefore, in the absence of any explicit prohibition, it may be argued that Non-Doc KYC is generally acceptable under the local AML regulations.

The 2018 Anti-Money Laundering / Combating the Financing of Terrorism & the Proliferation of Weapons of Mass Destruction Guideline issued by the Financial Intelligence Centre and the Bank of Ghana states that, while an identity document is obligatory to collect from an individual customer, the regulated entity is, in general, not restricted in the options of verifying identification data:

“Types of customer information to be obtained and identification data to be used to verify the information are provided in Appendix A” (Section 1.5)

“For natural persons the following information should be obtained, where applicable: i. legal name and any other names used by the prospective client; ii. location including important landmarks close to the prospective client’s residence; iii. telephone number, fax number and mailing address; iv. date and place of birth; v. nationality; vi. hometown; vii. occupation, position held and employer’s name; viii. identity document; ix. nature of business; x. type of account and nature of the banking relationship; and xi. signature.

The financial institution should verify this information by at least one of the following methods:

  • Confirming the date of birth from an official document (e.g. birth certificate, passport, identity card, social security records);
  • Confirming the permanent address (e.g. utility bill, tax assessment, bank statement, a letter from a public authority);
  • Contacting the customer by telephone, by letter or by e-mail to confirm the information supplied after an account has been opened (e.g. a disconnected phone, returned mail, or incorrect e-mail address should warrant further investigation);
  • Confirming the validity of the official documentation provided through certification by an authorized person (e.g. embassy official, notary public); and
  • any other means of verification the financial institution deems appropriate” (Appendix A).

Furthermore, acceptable solutions may include or, arguably, even be limited to non-documentary electronic database checks, so long as the overall verification result is conclusive:

“The confirmation of name and address is to be established by reference to a number of sources. The checks should be undertaken by cross-validation that the applicant exists at the stated address either through the sighting of actual documentary evidence or by undertaking electronic checks of suitable databases, or by a combination of the two. The overriding requirement to ensure that the identification evidence is satisfactory rests with the financial institution opening the account or providing the product/service” (Section 2.23)

Section 2.28 further confirms that electronic evidence may be “alternative or supplementary to documentary evidence of identity and address <...> Each source may be used separately as an alternative to one or more documentary checks”. However, regulated entities must ensure that the chosen databases are reliable, which is achieved, e.g., by “checking across a range of sources, preferably covering a period of time or through qualitative checks that assess the validity of the information supplied”. Examples of appropriate sources include: “i. An electronic search of the Electoral Register (is not to be used as a sole identity and address check); ii. Access to internal or external account database; and iii. An electronic search of public records where available”.

Therefore, whereas it is necessary to obtain an ID for identification purposes, verification may be carried out via electronic sources, provided that such sources are trustworthy and the regulated entity is convinced it knows the true identity of the applicant.

The Prevention of Money Laundering Act, 2002 (“PMLA”) and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 issued thereunder (“PML Rules”) provide the main legislative framework for combating ML / TF in India and, together with the guidance produced by the national Reserve Bank, explicitly prescribe e-KYC based on the customer’s Aadhaar number or other identifiers as one of the possible (or, for certain entities, required) means of identity verification:

“Every reporting entity shall verify the identity of its clients and the beneficial owner by –

  • Authentication under the Aadhaar [...] Act, 2016 if the reporting entity is a banking company; or
  • Offline verification under the Aadhaar [...] Act, 2016; or
  • Use of passport issued under section of the Passports Act, 1967; or
  • Use of any other officially valid document or modes of identification as may be notified by the Central Government in this behalf” (PMLA, Section 11(A)(1)).

Non-banking entities may also be permitted, by special notification of the Central Government, to perform Aadhaar authentication, provided that it is necessary to do so and that the entities in question comply with the standards of privacy and security under the Aadhaar Act. At the same time, the customer is allowed to choose between options.

“Where the client is an individual, they shall [...] submit to the reporting entity, – the Aadhaar number where,

  • He is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 (18 of 2016); or
  • He decides to submit his Aadhaar number voluntarily to a banking company or any reporting entity notified under first proviso to sub-section (1) of section 11A of the Act; or (aa) the proof of possession of Aadhaar number where offline verification can be carried out; or
  • The proof of possession of Aadhaar number where offline verification cannot be carried out or any officially valid document or the equivalent e-document thereof containing the details of his identity and address [...]” (PML Rules, Rule 9(4)).

Depending on which data the customer provides and whether offline verification is available, the reporting entity shall carry out the following procedures (“where the client has submitted –):

  • His Aadhaar number [...] to the banking company or a reporting entity notified under first proviso to sub-section (1) of section 11A, such banking company or reporting entity shall carry out authentication of the client's Aadhaar number using e-KYC authentication facility provided by the Unique Identification Authority of India;
  • Proof of possession of Aadhaar under clause (aa) of sub-rule (4) where offline verification can be carried out, the reporting entity shall carry out offline verification;
  • An equivalent e-document of any officially valid document, the reporting entity shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000) and any rules issued thereunder and take a live photo as specified under Annex 1;
  • Any officially valid document or proof of possession of Aadhaar number under clause (ab) of sub-rule (4) where offline verification cannot be carried out, the reporting entity shall carry out verification through digital KYC as specified under Annex 1”.

Additionally, the Master Direction – Know Your Customer (KYC) Direction of the Reserve Bank of India allows a client’s identity to be verified based on the KYC identifier from the Central KYC Records Registry.

“For undertaking CDD, REs shall obtain the following from an individual while establishing an account-based relationship [...]: (ac) the KYC Identifier with an explicit consent to download records from CKYCR [...]” (Master Direction, section 16).

Therefore, the available options are: (i) Aadhaar-based authentication; (ii) Aadhaar-based offline verification; (iii) digital KYC; (iv) KYC identifier verification.

Aadhaar authentication, powered by the Unique Identification Authority of India (UIDAI), provides an instant mechanism to confirm one’s identity and does not require any other ID proof except Aadhaar number. It is, however, restricted to banking institutions and certain other requesting entities as described above. Accounts opened using Aadhaar OTP-based authentication, in non-face-to-face mode, are subject to a number of limitations as to the maximum balance, permitted operations, etc.

The UIDAI also enables “paperless offline e-KYC”, wherein the customer, using their Aadhaar number, creates a “Share Phrase” with their identification data encrypted and shares it with the entity performing KYC. The entity can then validate the data through its own OTP / face authentication mechanism.

Digital KYC means “the capturing of a live photo of the customer and their officially valid document / proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the location where such live photo is being taken by an authorised officer of the reporting entity” in accordance with specific technical requirements (Master Direction, section 3(a)(viii)). This procedure, however, may only be carried out via a specialized application developed by the reporting entity (Master Direction, Annex I).

Where a customer submits a KYC Identifier to a reporting entity, with an explicit consent to download records from CKYCR, the reporting entity shall retrieve the KYC records online from the CKYCR using the KYC Identifier and the customer shall not be required to submit the same KYC records or information or any other additional identification documents or details, subject to certain exceptions (Master Direction, section 56).

As an alternative to the aforementioned procedures, the “V-CIP” mechanism was recently introduced, consisting of a video conference with the reporting entity’s operator in combination with a “liveness” check, geolocation check, and document analysis (Master Direction, section 18). V-CIP, however, is also dependent on external data sources, since the reporting entity is still required to validate the customer’s identity data based on Aadhaar number, KYC identifier or e-document.

In conclusion, the current regulation allows for various identity verification methods that can either involve the customer submitting an identity document to the reporting entity or omit this step altogether.

The most recent comprehensive legal act outlining the responsibilities of AML-subject entities in Indonesia is the Regulation (POJK) No. 8 of 2023 (“OJK Regulation”) on the Implementation of Anti-Money Laundering (AML), Counter-Terrorist Financing (CFT), and Counter-Proliferation Financing of Weapons of Mass Destruction (CPF) Program in the Financial Services Sector by the Indonesian Financial Services Authority (Otoritas Jasa Keuangan, OJK), which regulates the country’s financial industry on par with Bank Indonesia.

Pursuant to Art. 21(2) of the OJK Regulation, identity verification of prospective customers may be conducted via: “a. direct face-to-face meetings; b. electronic face-to-face meetings; and/or c. non-face-to-face electronic mechanisms”. The solutions that may be employed by the supervised entity under subclause (c) are not limited, yet three main options are highlighted: the entity may rely on (i) its own software and hardware; (ii) software and hardware belonging to third parties (such as KYC providers) and accessed by the entity; or (iii) utilization of population databases, for which at least two authenticity factors must be used (something characteristic of the customer and something the customer possesses).

Regarding the scope of data to be collected in respect of an individual customer, Art. 25(1) of the OJK Regulation lists the following points:

  • Full name (including aliases, if any);
  • Identity document number;
  • Residential address according to the ID and other residential addresses, if any;
  • Place and date of birth;
  • Citizenship;
  • Occupation;
  • Address and telephone number of workplace, if any;
  • Gender;
  • Marital status;
  • Mother’s maiden name;
  • Identity of the beneficial owner, if any;
  • Source of funds;
  • Average annual income and/or net worth;
  • Aims and objectives of the business relationship or transaction.

Further, according to Art. 26(1) of the OJK Regulation, the aforementioned information has to be supported by an identity document. However, the Article further specifies that it can include: (i) for Indonesian citizens – a resident card or “digital population identity as intended in the laws and regulations regarding population data”; (ii) for foreign citizens – a passport accompanied by immigration documents; (iii) for “individuals from the Indonesian diaspora or Indonesian people abroad” – passports and identity cards issued to such individuals under the applicable laws and regulations.

In reference to non-document verification, therefore, it is safe to assume that Indonesia allows electronic KYC via national identity databases when it comes to local citizens (see, e.g., the e-KTP system). However, further checks are likely to be required to obtain all of the necessary customer data.

The Implementing Procedures of 2011 to the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) issued by the Financial Intelligence Analysis Unit of Malta (FIAU) also distinguish non-documentary and documentary KYC approaches.

“The methods of verification of identity mentioned in this section do not entail the presentation of identification documents or other verification documents but rather allow for the identity of the customer to be verified remotely through electronic means”.

Commercial electronic databases may be used, provided that they are compliant with the data protection requirements and considered independent and reliable.

The Amended Identity Verification Code of Practice of New Zealand (2013) provides two methods of performing remote KYC verification. One of these methods implies matching identity data against independent external sources.

According to the Code, a reporting entity must conduct electronic verification of a customer’s name and date of birth as follows:

  1. Verify the customer’s name
    • Using a single independent electronic source (only the RealMe biometric database is considered as such).
    • Using at least two independent and reliable matching electronic sources.
  2. Verify the customer’s date of birth using at least one independent and reliable electronic source.

The Code doesn’t specify which sources should be used. As for New Zealand residents, reporting entities should refer to the Confirmation Service of the Department of Internal Affairs (DIA), New Zealand Transport Agency (NZTA), or other common national electronic sources, such as credit bureaus, Land Registry (LINZ), etc.

The 2022 Money Laundering (Prevention and Prohibition) Act (“AML Act”), together with regulations and guidance by the Central Bank of Nigeria (“CBN”), lays out the legal provisions applicable to Nigerian AML-supervised entities, including those related to customer due diligence.

Art. 4(1) of the AML Act outlines the general principles of the identification and identity verification duty for financial institutions and DNFBs. While the document-based approach is framed as the default standard, the AML Act refers to secondary legislation for substantiation:

“A financial institution and a designated non-financial business and profession shall —

  • identify a customer, whether permanent or occasional, natural or legal person or any other form of legal arrangements, using identification documents as may be prescribed in any relevant regulation;
  • verify the identity of that customer using reliable, independent source documents, data or information <...>”.

In turn, Art. 6(a) of the Central Bank of Nigeria Customers Due Diligence Regulations 2023 (the “CDD Regulations”) lists the information to be collected in relation to individual customers, with Art. 7(2) elaborating on the possible means of its verification:

  • legal name and any other names used (such as maiden name),
  • permanent address (full physical address),
  • residential address (where the customer can be located),
  • telephone number, e-mail address and social media handle,
  • date and place of birth,
  • Bank Verification Number (BVN),
  • Tax Identification Number (TIN),
  • nationality,
  • occupation, public position held and name of employer,
  • an official personal identification number or other unique identifier contained in an unexpired document issued by a government agency, that bears a name, photograph and signature of the customer such as a passport, national identification card, residence permit, social security records or drivers’ license,
  • type of account and nature of the banking relationship,
  • signature, and
  • politically exposed persons (PEPs) status.

“FIs shall verify the identity of individuals by confirming the — (a) date of birth from a valid official document, such as birth certificate, passport, identity card and national or social security records; (b) residential address through physical visitation and use of other sources, including utility bill, tax assessment, bank statement, or letter from a public authority; (c) contact details provided by the customer through positive feedback from phone call, email or physical letter to the residential address; (d) validity of the official documentation provided through certification by an authorized person such as embassy official, notary public (in the case of foreign nationals); and (e) phone numbers, particularly for wallet providers, through independent process, including validation against the NCC database or geo-mapping”.

Therefore, the notion of official documentation that may be used for identity verification is quite broad, implying it is not necessarily required to collect a copy of any particular identity document. Furthermore, Arts. 14, 16 and 35 of the CDD Regulations as well as Art. 26 of the 2022 Central Bank of Nigeria (Anti-Money Laundering, Combatting the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions) Regulations (the “AML Regulations”) specify that both “physical” and “electronic” methods of customer onboarding may be adopted by financial institutions, so long as the “tiered” approach and other e-KYC standards endorsed by the CBN are complied with.

In turn, the “tiered” approach, as established in the 2013 CBN Circular FPR/DIR/CIR/GEN/02/001 (Introduction of Three-Tiered Know Your Customer (KYC) Requirements), prescribes different CDD standards depending on the customer’s risk profile and the value of their account:

  • until recently, only a set of identity attributes (such as passport photo, name, place and date of birth, etc.) was required for Tier 1 (lowest-value) accounts with no evidence required;
  • Tier 2 demands the Tier 1 information provided by the customer to be supported with evidence and checked against official databases (such as National Identity Management Commission (NIMC), Independent National Electoral Commission (INEC) Voters Register, Federal Road Safety Commission, etc.), while “ID verification and monitoring” is also necessary;
  • Tier 3 further refers to the KYC standards established by the CBN AML/CFT Regulation, 2009 as amended (which would, at present, encompass both the AML Regulations and the CDD Regulations, in particular Arts. 6-7 of the latter as referenced above).

Furthermore, the 2023 CBN Circular PSM/DIR/PUB/CIR/001/053 enhanced the aforementioned requirements, stating that: (i) it is now mandatory for all Tier 1 accounts for individuals to have BVN and/or NIN (National Identification Number); (ii) both BVN and NIN are obligatory for Tier 2 and Tier 3 accounts; and (iii) “the process for account opening shall commence by electronically retrieving BVN or NIN related information from the NIBSS’ BVN or NIMC’s NIN databases [together with the underlying identity data, such as name, DoB, etc.] and for the same to become primary information for onboarding of new customers”. In addition, the same Circular prescribed all the BVNs and NINs already attached to existing accounts to be revalidated by January 31, 2024.

BVN- and NIN-based verification is generally widespread in the country. A BVN is a unique ID number issued to every customer of a Nigerian bank upon enrolment and linked to every account that the customer has in any other local banks, whereas a NIN is provided by the NIMC and used to link citizens’ and legal residents’ biometric data to the National Identity database, which may then be relied on for physical or digital verification and authentication. Both identifiers can therefore be easily validated against governmental databases.

In conclusion, banks and other financial institutions are generally encouraged (and, in certain cases, obliged) to refer to external official databases while onboarding Nigerian citizens and residents. However, in some instances these checks may have to be supplemented by obtaining supporting documentation from the customer, depending on their account level (risk profile).

The Republic Act nº 9160 (the Anti-Money Laundering Act of 2001), as well as the 2016 Revised Implementing Rules and Regulations (RIRR) thereto, endorse documentary evidence as the recognized means for customer identity verification:

“Sec. 9. <...> Covered institutions shall establish and record the true identity of its clients based on official documents” (Republic Act nº 9160)

“Rule 3.M. <...> “Official Document” refers to any of the following identification documents:

  • For Filipino citizens: Those issued by any of the following official authorities:
    • Government of the Republic of the Philippines, including its political subdivisions, agencies, and instrumentalities;
    • Government-Owned or -Controlled Corporations (GOCCs);
    • Covered persons registered with and supervised or regulated by the BSP, SEC or IC;
  • For foreign nationals: Passport or Alien Certificate of Registration;
  • For Filipino students: School ID signed by the school principal or head of the educational institution; and
  • For low-risk customers: Any document or information reduced in writing which the covered person deems sufficient to establish the client’s identity;

Rule 9.A. Covered persons shall establish and record the true identity of their clients based on official documents, as defined under Rule 3.M of this RIRR. <...> Customers who engage in a transaction with a covered person for the first time shall <...> submit a clear copy of at least one (1) official identification document” (RIRR)

At the same time, Circular No. 1170 issued by the Bangko Sentral ng Pilipinas (“BSP”) on 30 March 2023 provides additional guidelines on customer due diligence, including e-KYC via digital identity systems. Specifically, the Circular states that, “where the PCN [PhilSys Card Number] or PSN [PhilSys Number] derivative, or the Philippine Identification (PhilID) card, in physical or digital form, is presented by the customer, it shall be accepted as official and sufficient proof of identity, subject to proper authentication, and the covered person shall no longer require additional document to verify the customer's identity”. Therefore, accessing an individual’s record in the Philippine Identification System (“PhilSys”) is considered a reliable way to verify their identity. Other digital ID systems are, in principle, also allowed to be used so long as they are “supported by robust technology, adequate governance, processes and procedures that provide appropriate level of confidence that the system produces accurate results”; however, there is no indication that the RIRR requirement to present an actual identity document is removed for foreigners not registered in PhilSys.

Accordingly, Non-Doc KYC is possible via solutions accessing PhilSys; in other cases, the document-based approach remains prevalent. However, as the scope of potentially acceptable documents is defined broadly for low-risk customers, it may be allowed to obtain reports or other excerpts from trustworthy external data sources instead of “conventional” IDs.

The 2017 Guidance Note 7 on the Implementation of Various Aspects of the Financial Intelligence Centre Act, 2001, issued by the Financial Intelligence Centre of South Africa, emphasizes that regulated institutions “have the flexibility to choose the type of information by means of which they will establish clients’ identities and also the means of verification of clients’ identities” (para. 74). More specifically, both “documents” and “electronic data issued or created by reliable and independent third-party sources” are permitted for confirming a customer’s identity (para. 83). The Guidance Note subsequently reiterates this approach, while stating that full name, date of birth and unique identifying number issued by a government source are “basic attributes” that should be collected from an individual in any event (para. 85) and outlining the following principles of e-verification:

  • The regulated entity should conduct a risk assessment of the data sources to be engaged (paras. 87, 90-91);
  • Only reliable and independent (e.g., not created or generated by the customer themselves) third-party sources may be used (paras. 87-88);
  • Where possible, the regulated entity should use the original sources of the information in question (i.e., government-issued or -controlled sources); using multiple data sources, including across time, is also encouraged (paras. 88-89, 92);
  • The use of electronic data sources does not, in itself, protect the obliged entity from regulatory action relating to its AML compliance duties (para. 90);
  • Data sources that can be manipulated and tampered with are not considered reliable (para. 91);
  • The Department of Home Affairs, records of the Companies and Intellectual Property Commission, records of the South African Revenue Service, eNaTIS records and records of the Master of the High Court are named as examples of acceptable data sources (para. 94).

Thus, electronic sources may be relied on for KYC measures so long as they are sufficiently robust and meet the aforementioned criteria and the information contained therein can be securely linked to the customer’s real identity.

The principal AML/CFT legislation within the UAE includes: (i) Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations (the “AML-CFT Law” or “Law”) and implementing regulations, such as (ii) Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (the “AML-CFT Decision” or “Cabinet Decision”).

In addition, the UAE Central Bank (CBUAE) maintains Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Financial Institutions (the “AML Guidelines”) as well as both general and sector-specific guidance in order to ensure better understanding and effective performance of AML obligations.

The AML-CFT Decision provides the general identification and identity verification requirement in Article 8:

“Financial Institutions and [Designated Non-Financial Business or Professions] DNFBPs should identify the Customer’s identity, whether the Customer is permanent or walk-in, and whether the Customer is a natural or legal person or legal arrangement, and verify the Customer’s identity and the identity of the Beneficial Owner. This should be done using documents, data or information from a reliable and independent source or any other source to verify the identity as follows:

For Natural Persons: The name, as in the identification card or travel document, nationality, address, place of birth, name and address of employer, attaching a copy of the original and valid identification card or travel document, and obtain approval from the senior management, if the Customer or the Beneficial Owner is a PEP”.

Reinforcing this, Section 6.3.1 of the AML Guidelines further elaborates on the necessity to collect copies of identity documents:

“The verification of a customer’s identity, including their address, should be based on original, official (i.e. government-issued) documents whenever possible. When that is not possible, FIs should augment the number of verifying documents or the amount of information they obtain from different independent sources. In particular, when verifying the UAE ID card, FIs licensed by the Central Bank must use the online validation gateway of the Federal Authority for Identity & Citizenship and keep a copy of the UAE ID and its digital verification. They should also identify the lack of official documents and the use of alternative means of verification as risk factors when assessing the customer’s ML/FT risk classification”.

At the same time, both Section 6.3.1 of the AML Guidelines and Section 3.1 of the Guidance for Licensed Financial Institutions (‘LFI’s) on Digital Identification for Customer Due Diligence (the “Digital Identification Guidance”) seem to suggest that verification via electronic sources is an acceptable alternative to the documentary method:

“An example of alternative verification means is verification by way of digital identification systems. Such digital identification systems should rely upon technology, adequate governance, processes and procedures that provide appropriate levels of confidence that the system produces accurate results”;

“Under Article 8 of the AML-CFT Decision, LFIs are required to identify each customer and verify the customer’s identity using documents, data, or any other identification information from a reliable and independent source. This requirement is technology neutral and expressly permits LFIs to use documentary as well as non-documentary sources (i.e., information or data) when performing identification and verification; it does not impose any restrictions on the form—physical or digital—that identity evidence must take, nor does it impose limitations as to the use of digital ID systems for the purpose of linking a customer’s verified identity to a unique, real-life individual, provided this is done using a “reliable” and “independent” source. As such, LFIs are permitted to utilize digital ID systems as well as physical forms to perform customer identification and verification, consistent with the expectations set forth in this Guidance”.

Section 5 of the Guidance further prescribes the mandatory assessments the FIs should conduct before choosing a digital identification system:

  • “An assurance level assessment, through which the LFI can understand the assurance levels that the digital ID system provides based on its technology, architecture, and governance and determine its reliability and independence; and
  • An appropriateness assessment, through which the LFI can make a risk-based determination — given the digital ID system’s assurance levels — of whether the digital ID system is appropriately reliable and independent for CDD in light of potential ML, TF, fraud, and other illicit financing risks”

Section 2.1 of the Guidance describes several national identification systems approved for use by AML-regulated entities, including UAE Pass, Emirates ID and Emirates Facial Recognition. UAE Pass, in particular, is the UAE’s primary digital identity and signature solution with a high level of security.

The interpretation of the above-mentioned provisions, taken cumulatively, appears to be that, while usage of digital identification systems is in principle permitted for KYC purposes, it does not negate the overall document-based approach adopted by the UAE financial regulators and, in particular, the requirement to obtain a copy of the customer’s identity document under the AML-CFT Decision. Accordingly, digital ID systems may be relied on as a standalone solution when they allow access to all of the required customer data, including that related to the identity document. Alternatively, they may be used for supplementary checks (which are sometimes mandatory, as in the case of UAE ID).

Although they are the core legal sources of AML-related obligations, neither the Proceeds of Crime Act 2002 nor the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR”) specify the exact KYC procedures that may or should be implemented, granting regulated entities a broad margin of discretion. The MLR mostly set out the general criteria that identity verification processes must conform to; for example, paras. 18-19 of Art. 27 provide the following guidance:

“(18) For the purposes of this regulation —

  • <...> “verify” means verify on the basis of documents or information in either case obtained from a reliable source which is independent of the person whose identity is being verified;
  • ...documents issued or made available by an official body are to be regarded as being independent of a person even if they are provided or made available to the relevant person by or on behalf of that person.

(19) For the purposes of this regulation, information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where—

  • it is obtained by means of an electronic identification process <...>; and
  • that process is secure from fraud and misuse and capable of providing assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing”.

The current Guidance by the Joint Money Laundering Steering Group (JMLSG), which is widely regarded as establishing the industry standards for compliance with AML/CFT requirements, confirms that non-documentary checks (in particular, those involving external databases) are permissible as the primary KYC measure. Obliged entities are, however, instructed to choose multiple data sources (or one single source where it “has been issued by a government authority and contains cryptographic security features”) or to “incorporate qualitative checks that assess the strength of the information supplied” (para. 5.3.50). In addition, it is further reiterated that firms opting for electronic verification must “demonstrate that they have both verified that the customer exists, and satisfied themselves that the individual seeking the business relationship is, in fact, that customer” (para. 5.3.79). To fulfill this requirement, the Guidance recommends various methods, such as the use of biometric information or private codes that “incontrovertibly link the potential customer <...> to the electronic/digital identity information” (para. 5.3.44).

It follows that, under the UK AML regulations, Non-Doc KYC solutions may be relied upon insofar as they are complemented with additional security measures that make it possible to link a user to their claimed identity, where that identity has been confirmed as existing by an independent external data source.

Similarly to the AML regime of the UK, the Bank Secrecy Act (BSA) of the USA only broadly outlines the customer due diligence obligation; for instance, 31 CFR 1020.220 (section on “Customer Identification Program: minimum requirements”) lists the data to be collected in respect of every individual client but not the specific means of its verification. At the same time, para. 1020.220(a)(2) states that both documentary and non-documentary verification methods (as well as their combinations) are acceptable so long as (i) the chosen procedures “enable the [obliged entity] to form a reasonable belief that it knows the true identity of each customer”; and, (ii) in case a non-documentary solution is elected, the firm applies additional procedures to address the risks where “the customer opens the account without appearing in person”. Several examples of non-documentary KYC processes are also given for reference, such as “contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement”.

This approach is further confirmed in various explanatory or interpretative materials by the Financial Crimes Enforcement Network (FinCEN), e.g., Guidance FIN-2018-G001 of April 3, 2018:

“A financial institution’s CIP must contain procedures for verifying customer identification, including describing when the institution will use documentary, non-documentary, or a combination of both methods for identity verification”;

“Non-documentary methods of verification may include contacting a beneficial owner; independently verifying the beneficial owner’s identity through the comparison of information provided by the legal entity customer (or the beneficial owner, as appropriate) with information obtained from other sources; checking references with other financial institutions; and obtaining a financial statement”;

“<...> covered financial institutions may verify the identity of a beneficial owner who does not appear in person, through a photocopy or other reproduction of a valid identity document, or by non-documentary means <...>”.

Accordingly, the US AML regulations allow, in principle, non-documentary KYC methods; however, the obliged entity must be assured it knows the true identity of its customer, for which purpose additional KYC mechanisms aimed at connecting the user and the identity in question must be implemented.

Limitations and Solutions

A non-documentary KYC procedure must ensure both that:

  1. The identity presented by the applicant truly exists.
  2. The applicant has submitted their own data.

When implementing Non-Doc Verification, Sumsub achieves this in a few ways:

  • Using a data source that contains a highly robust identity attribute (biometrics) that can be compared against the data provided by the applicant. For instance, Sumsub takes this approach with the National Identity Management Commission Database in Nigeria. The applicant passes Liveness and submits their surname and BVN (Bank Verification Number, which is unique to each individual and used in the local banking system). The database then confirms whether the provided BVN is valid and returns the personal data associated with it, including photos that can be matched against the Liveness results.
  • Analyzing a combination of factors treated as sensitive information and cross-checking the obtained data using several independent sources. The following combination may be used and considered strong evidence when analyzed together: an ID number treated as sensitive information (such as CPF in Brazil) and a phone number or even an email address, when a database contains those.