PoA through geolocation

Learn how to leverage geolocation technology for quick and accurate address validation.

The conventional address verification via collecting documentary evidence brings significant inconvenience to both AML-regulated companies and their clients, since these documents are usually not readily available and easily forged at the same time; therefore, it may take a lot of time and effort to provide and examine them.

To address this, in addition to standard PoA verification, Sumsub offers geolocation as PoA. This increases the conversion rate, since no documents have to be uploaded or processed and the applicant can complete the step more quickly.

How it works

The method of confirming an applicant address using geolocation relies on GPS, a Wi-Fi positioning system, and cell tower trilateration to provide the most accurate result.

PoA through Geolocation works as follows:

  1. The system asks the applicant for access to their geolocation to meet GDPR requirements.
  2. If the applicant agrees, Sumsub detects their location using GPS.
  3. The collected data is displayed to the applicant, who can confirm it, retry geolocation, or correct the detected address manually. We only display and fill fields that were specified in the PoA step settings. Country and city cannot be changed by the applicant.
  4. The collected data is then verified against a list of forbidden countries — countries that were excluded in the level settings or against regulations. On demand, the GPS data is cross-validated against the address extracted from the PoA document or entered by the applicant.
  5. The applicant receives an approval or rejection message.

Note

  • If applicants are not comfortable sharing their GPS data, they are switched to the traditional proof of address verification procedure.
  • If the applicant's device does not support geolocation, they are offered the option to continue on a device that supports it.
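
The checks from steps 4 and 5, together with the fallback from the note, are shown here as an added example that is not Sumsub's own code or API. The function names, decision labels, thresholds, the `XX` placeholder country code and the sample coordinates are all assumptions made for illustration.

```javascript
// Added example: server-side decision for steps 4-5. All names, thresholds and
// sample values are assumptions, not Sumsub's API or configuration.
const EARTH_RADIUS_M = 6371000;

// Great-circle distance in metres between two {lat, lon} points (haversine).
function haversineMeters(a, b) {
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(h));
}

// fix: {lat, lon, accuracy} as reported by the device (accuracy = radius in metres),
//      or null when the applicant declined or the device has no geolocation.
// detectedCountry: ISO 3166-1 alpha-2 code reverse-geocoded from the fix.
// declared: optional {lat, lon} geocoded from the entered or document address.
function evaluatePoa(fix, detectedCountry, declared, policy) {
  if (!fix) return { decision: "FALLBACK_DOCUMENT_POA", reason: "no geolocation" };
  const valid = Number.isFinite(fix.lat) && Number.isFinite(fix.lon) &&
    Math.abs(fix.lat) <= 90 && Math.abs(fix.lon) <= 180 &&
    Number.isFinite(fix.accuracy) && fix.accuracy >= 0;
  if (!valid) return { decision: "RETRY", reason: "malformed fix" };
  if (fix.accuracy > policy.maxAccuracyM)
    return { decision: "RETRY", reason: "fix too coarse" };
  if (policy.excludedCountries.includes(detectedCountry))
    return { decision: "REJECT", reason: "excluded country" };
  if (declared) {
    // Allow for the device's own uncertainty radius on top of the tolerance.
    const d = haversineMeters(fix, declared);
    if (d > policy.maxDistanceM + fix.accuracy)
      return { decision: "REJECT", reason: "address mismatch" };
  }
  return { decision: "APPROVE", reason: "ok" };
}

// Constructed sample policy and coordinates (illustrative values only).
const POLICY = { excludedCountries: ["XX"], maxAccuracyM: 100, maxDistanceM: 250 };
const FIX = { lat: 47.3769, lon: 8.5417, accuracy: 20 };  // Zurich
const NEAR = { lat: 47.3775, lon: 8.5420 };               // roughly 70 m away
const FAR = { lat: 46.2044, lon: 6.1432 };                // Geneva
```

The excluded-country check runs before the distance comparison, so a fix in an excluded jurisdiction is rejected even when it matches the declared address.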

Legal substantiation and limitations of using GPS data to verify address

Using GPS data to verify addresses remains an innovative approach that is not yet explicitly recognized in the national legislation of most countries. Therefore, AML-regulated companies may require additional legal justification for using it in their KYC procedures.

Below, you will find references to the trusted sources and their position on the procedure.

International Organizations

The Financial Action Task Force (FATF), providing guidance for global AML standards, has mentioned geolocation with approval on several occasions:

  • in the Guidance on Digital Identity (March 2020), the FATF names geolocation among data sources useful for robust authentication processes, as well as for customer behavior monitoring and transaction risk analysis;
  • in the Guidance on Proliferation Financing Risk Assessment and Mitigation (June 2021), the FATF encourages regulated companies to use multiple data points, including geolocation, so as to detect the risk indicators and patterns pertaining to weapons proliferation more efficiently;
  • in Opportunities and Challenges of New Technologies for AML/CFT (July 2021), the FATF highlights geolocation among “onboarding tools that allow for quick CDD and client traits analysis [and would also] enrich the CDD and monitoring process and lead to a more accurate understanding of the nature of the business relationship, as well as its impact to the institutions”;
  • in the Guidance for a Risk-Based Approach to Virtual Assets and VASPs (October 2021), the FATF reiterates that regulated entities may benefit from collecting “additional, non-core identity information” such as geolocation data, “to assist them in verifying the customer’s identity [...]; authenticate the identity of customers for account access; help determine the customer’s business and risk profile and conduct ongoing due diligence on the business relationship; and mitigate the ML/TF risks associated with the customer and the customer’s financial activities”.

Overall, the position of the FATF is that AML-regulated businesses should be encouraged to collect geolocation as a complementary data point and integrate it into their CDD procedures. Importantly, the FATF indicates that geolocation may be used, in particular, during the verification of a customer’s identity.

National Level

On a national level, geolocation is also beginning to gain explicit regulatory recognition.

For instance, in 2021, the Swiss Financial Market Supervisory Authority (FINMA) updated its 2016/07 Circular “Video and online identification” by, among other things, introducing geolocation as one of the allowed methods for financial intermediaries to “confirm the contracting party’s residential address”, on par with more traditional options such as utility bills.

Notably, FINMA does not specify how exactly geolocation data should be collected, giving obliged entities wide discretion in choosing the appropriate technological solution.

Several other regulators have either recommended or mandated obliged entities to collect geolocation data as an additional security measure.

Moreover, the National Banking and Securities Commission (CNBV) of Mexico required that financial institutions track the real-time geolocation of their customers with an otherwise unknown location when they performed remote operations via their devices, stating that this innovation was “derived from the international commitments adopted by Mexico as a member of the Financial Action Task Force” and “in line with the FATF Guidance on Digital Identity”.

In a similar way, the Office of Foreign Assets Control (“OFAC”) of the US Department of the Treasury issued Sanctions Compliance Guidance for the Virtual Currency Industry, where it strongly advises VASPs to implement internal controls, including “geolocation tools”, to avoid onboarding users from sanctioned jurisdictions.

In some cases, national AML laws and regulations contain an exhaustive list of means by which address can be confirmed remotely, as well as of documents that can serve as sufficient proof of residence.

For instance, the Directives for the prevention of money laundering and terrorist financing issued by the Central Bank of Cyprus (“CBC”) and the Cyprus Securities and Exchange Commission (“CySec”) only allow an address to be verified either by a visit to the place of residence or by collecting “a recent (up to 6 months) utility bill (e.g. electricity, water), or housing insurance document, or municipal taxes and/or bank account statement” (CBC) / “a recent (up to 6 months) utility bill, local authority tax bill or a bank statement or any other document same with the aforesaid” (CySec).

It follows that geolocation, despite its increasing recognition, cannot yet be considered universally acceptable as the only PoA solution. However, the above-described situation is not a typical one; normally, regulators leave obligated entities a wide margin of discretion in how they prefer to verify addresses.

Limitations

In general, GPS is one of the most reliable device-based data points for establishing a person’s location, especially when compared to more easily forged alternatives, such as IP addresses. GPS does have limitations, which Sumsub addresses as follows:

  • A device's geolocation can potentially be forged with a third-party app. Therefore, we rely on a device-based method for geolocation detection, which is much less prone to falsification than the network-based approach. The risk of geolocation fraud, in this case, is relatively low. Any instances of such fraud that do occur are registered so that we are able to prevent them in the future.
  • Geolocation alone is frequently not precise enough for compliance purposes. This is another reason why we do not rely on the network-based approach, using GPS geolocation data instead. Additionally, we can allow users to alter certain data manually if it was detected by mistake.
  • Some devices, such as desktop computers, do not have a GPS module for sharing geolocation. For that reason, we allow users to easily switch to mobile devices during the verification process via QR code scanning or a link. Besides, we always provide an option to switch to the traditional PoA verification process by uploading documents.