The anti-money laundering and counter-terrorism financing legal framework in Australia is governed primarily by the
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the "AML/CTF Act") and its related regulations. In turn,
the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (the "AML/CTF Rules") are subsidiary legislative instruments made under the AML/CTF
Act and elaborating on the obligations set out therein.
Specifically regarding customer identification and identity verification procedures, Part 4.2.3 of the AML/CTF Rules sets out the minimum KYC information to be collected about an individual customer: (i) full name, (ii) date of birth,
and (iii) residential address; at least (i) and either (ii) or (iii) have to be subsequently verified, pursuant to Part 4.2.6.
Further, Part 4.2.7 lists the acceptable methods of verifying the above-mentioned customer data:
"(1) reliable and independent documentation;
(2) reliable and independent electronic data; or
(3) a combination of (1) and (2) above".
The AML/CTF Rules offer different "safe harbour" verification approaches (documentation-based and electronic-based) depending on the risk profile of the customer. In cases where the risk is medium or lower, the procedure should involve,
respectively:
for the documentation-based approach: "(a) an original or certified copy of a primary photographic identification document [27]; or (b) both: (i) an original or certified copy of a primary non‑photographic identification document; and
(ii) an original or certified copy of a secondary identification document" [28]. The entity must also "verify that any document produced about the customer has not expired (other than in the case of a passport issued by the Commonwealth
that expired within the preceding two years)" (AML/CTF Rules, Parts 4.2.10 - 4.2.11);
for the electronic-based approach: use of reliable and independent electronic data from at least two separate data sources is required. The entity must also verify that the customer has a transaction history for at least the past 3
years (AML/CTF Rules, Parts 4.2.12 - 4.2.14).
Accordingly, where the supervised entity relies on the electronic method only:
if the customer's name and date of birth are verified independently via different electronic sources, address does not need to be confirmed at all;
conversely, if the date of birth is only collected and not verified, a reference to a single reliable electronic source should suffice for address validation, so long as the name is not checked against the same source.
At the same time, pursuant to Part 4.10.2 of the AML/CTF Rules, when choosing an electronic source as a verification basis the reporting entity must determine:
"whether the electronic data is reliable and independent, taking into account the following factors:
(a) the accuracy of the data;
(b) how secure the data is;
(c) how the data is kept up‑to‑date;
(d) how comprehensive the data is (for example, by reference to the range of persons included in the data and the period over which the data has been collected);
(e) whether the data has been verified from a reliable and independent source;
(f) whether the data is maintained by a government body or pursuant to legislation; and
(g) whether the electronic data can be additionally authenticated; and
what reliable and independent electronic data the reporting entity will use for the purpose of verification;
the reporting entity's pre‑defined tolerance levels for matches and errors; and
whether, and how, to confirm KYC information collected about a customer by independently initiating contact with the person that the customer claims to be".
As one possible solution, the Australian Transaction Reports and Analysis Centre suggests the Document Verification Service (DVS):
"One option for verifying individual customer and beneficial owner identification using electronic data is the Document Verification Service (DVS). This is a secure online system managed by the Department of Home Affairs. The DVS
matches government-issued identity documents directly with the government organisation that issued them. This lets you check in real time that the document is current and not lost or stolen".
In conclusion, the current AML/CTF legislation of Australia allows the use of electronic data as a verification basis for both identity and address verification purposes so long as proper due diligence of the sources to be used is
carried out. In practice, the electronic-based approach is arguably more viable, as it may be impractical to obtain the originals or certified copies of identity documents in the context of remote onboarding.
27 — As defined in Part 1.2.1 of the AML/CTF Rules.
28 — As defined in Part 1.2.1 of the AML/CTF Rules.
The main source of AML/CFT-related requirements for reporting entities in Belgium is the
Law on the prevention of money laundering and terrorist financing and on the restriction of the use of cash (the "AML Law"), last amended on
February 8, 2023.
Pursuant to Art. 27(1) of the AML Law, the reporting entities are required to verify the identity of the customers against:
"1° one or more supporting documents or reliable and independent sources of information enabling them to confirm [the identification data listed in Art. 26 - for natural persons, this would include "last name, first name, date and place
of birth and, to the extent possible, address". Regarding verification of address specifically, the National Bank of Belgium guidance
"Object of the identification and identity verification" ("NBB Guidance") states that "financial
institutions' internal procedures should determine the measures to be taken to fulfill this legal obligation in a sufficiently precise manner" without providing an exhaustive list of ways to do so];
2° where applicable, the information obtained through electronic identification means such as those provided or recognised within the authentication service as referred to in Articles 9 and 10 of the Law of 18 July 2017 on electronic
identification [implementing the eIDAS regulation and providing a regulatory framework for electronic identification in connection with digital public services in Belgium; the cited articles mostly refer to the data contained in the
National Register], confirming the identity of persons online;
3° where applicable, information obtained through relevant trust services referred to in Regulation 910/2014".
At the same time, Article 1 of Annex III to the AML Law defines non-face-to-face business relationships as a factor of potentially higher risk if conducted without certain safeguards, namely "electronic means of identification or
relevant trust services as defined in Regulation (EU) No 910/2014 or any other secure identification process that take place electronically or remotely and are regulated, recognised, approved or accepted by the relevant national
authorities".
While there is no indication in the AML Law that alternative options (such as other external data sources or a combination of ID analysis and liveness / face match) are not permissible, the National Bank of Belgium ("NBB") states the
following in its Guidance:
"[...] a simple copy or electronic image of a supporting document is insufficiently reliable in itself to be accepted as a supporting document in standard-risk situations without being verified through the
National Register as stipulated in Article 28 of the Anti-Money Laundering Law" [45].
Still, this should not be read as a prohibition of any non-face-to-face onboarding mechanisms besides that stipulated in Art. 28 of the AML Law, since the NBB purposefully adopts a technologically neutral approach, emphasising that
"neither the Anti-Money Laundering Law nor the Anti-Money Laundering Regulation of the NBB lists in a precise, uniform and prescriptive manner the supporting documents or the reliable and independent sources of information that can be
used to fulfil the obligation to verify the identity of the persons involved", even though some of these sources are explicitly authorised. That said, the NBB strongly recommends that regulated entities:
implement different KYC flows depending on the customer's risk profile, including a "correlation table of the supporting documents accepted for each risk class, as well as a list of the circumstances in which certain supporting documents need not be submitted";
when authorising the use of innovative technologies other than electronic identification means as referred to in the AML Law in high-risk situations, tighten the terms and conditions for the application of this authorisation and carry
out a prior analysis of whether such technologies are reliable. The Guidance does, however, confirm that reliability is enhanced when "electronic identification schemes notified in accordance with Article 9 of the eIDAS Regulation and
meeting the requirements of "substantial" or "high" levels of assurance" are used. The two electronic identification schemes
notified by Belgium, both with a "high" level of assurance, are Belgian eID Scheme FAS / eCards and Belgian eID Scheme FAS / Itsme. These should therefore be regarded as acceptable solutions for identity verification;
consult certain official data sources in case verification is performed on the basis of documentation (e.g., FPS Home Affairs - when there is a suspicion the ID may be stolen or lost; the National Register - while processing the data
registered on the microprocessor of the ID; etc.);
when relying on a photocopy or electronic image of a supporting document, incorporate multiple checks (that the data has not been altered or manipulated, that the necessary security features are present, etc.).
Overall, reporting entities have relatively broad discretion in choosing the means of remote identity verification, as long as they are able to justify their sufficiency and compatibility with the customer's risk profile. However,
solutions explicitly approved under the AML Law or the NBB Guidance (including, in particular, the eCards and Itsme eID schemes, or any services leveraging data from the National Register) are more likely to be considered compliant.
45 — "Upon request from an obliged entity, and solely for the purposes of the verification, by such an entity, of the identity of the customers and their agents who are natural persons and who are not present during their identification [...]
the professional associations designated by the King shall be authorised to:
1° use the identification number from the National Register;
2° access the data of the National Register of natural persons referred to in Article 3 of the Law of 8 August 1983 establishing a National Register of natural persons;
3° make a paper or electronic copy of the information consulted in said Register".
Article 10 of Law N° 9.613, commonly known as the Anti-Money Laundering Law, establishes the obligation of entities (such as banks, financial institutions, insurance
companies, casinos, card issuers, leasing companies, real estate companies, and in general companies that trade luxury goods) that fall under the regulation of the Brazilian AML office (COAF) to "identify their clients and keep their
registries up to date, according to the norms set out by the corresponding regulatory agency".
In general, such regulator-specific norms are receptive to digital KYC mechanisms, with obliged entities granted relatively broad discretion in choosing the external sources to rely on.
For instance, the Securities and Exchange Commission of Brazil has established the following:
"The adoption of alternative registration systems is allowed, including by electronic means, provided that the solutions adopted meet the objectives of the current regulations and the procedures are subject to verification" [19]
(CVM Instrução 50 of August 31, 2021 ("Resolution"), Art. 12);
In the case of banks and financial institutions, the Central Bank of Brazil has set out the following rules:
"The institutions shall adopt identification procedures that allow verifying and validating the identity of the client. The procedures shall include obtaining, verifying and validating the authenticity of customer identification
information, including, if necessary, by comparing this information with those available in public and private databases"
(BACEN/DC Circular No. 3978 of 01/23/2020 ("Circular"), Art. 16(1));
Nevertheless, for these industries, a fully non-documentary KYC flow might only be possible in relation to local residents, since onboarding a person who does not have a CPF (Natural Persons Register) taxpayer identification number
requires collecting an ID copy:
"In the customer identification process, at least:
the full name and [CPF number], in the case of a natural person [must be collected]; [20]
[...] In the case of a client who is a natural person residing abroad who is not required to register with the CPF, in the form defined by the Federal Revenue Secretariat of Brazil, the use of a travel document in accordance with the
Law is permitted, and at least the issuing country must be collected, the number and type of the document" (Circular, Art. 16(2-3)).
With regard to CVM-regulated entities, it can be concluded that Non-Doc verification is permissible in relation to both identity and address, so long as the chosen solution is sufficiently robust and ensures accuracy close to that
of face-to-face identification. For identity verification purposes, it is highly recommended to add an authentication factor (such as active liveness-based recognition) to the procedure to ensure the data ownership and real-time
presence of the individual.
For the Gambling sector specifically, Ordinance Nº 1.231 establishes that a scanned copy of the ID document is required for
registration of new users (article 31 - XI). It also states that facial recognition with proof of liveness must be registered. Optionally other forms of biometrics can be registered. Therefore, Non-Doc KYC is considered permitted as a
standalone method for onboarding only when a copy of the document can be obtained from the ultimate data source as a result of the verification process.
19 — Note that, as per Annex B to the Resolution, at least the following data must by default be present in an individual customer's records: "a) full name; b) date of birth; c) birthplace; d) nationality; e) marital status; f) mother's name; g) identification document number and issuing body; h) registration number in the Registry of Natural Persons – ("Cadastro de Pessoas Físicas", CPF/MF); i) name and respective CPF/MF number of the spouse or partner, if applicable; j) place of residence (street, complement, district, city, federation unit, and ZIP code) and telephone number; k) email address for correspondence; l) professional occupation; m) name of the entity, with the respective customer records with the CNPJ, for which he/she works, when applicable; n) updated information on earnings and equity status; [etc.]". Furthermore, a copy of the customer's identification document and proof of residence or domicile is required for identification, even though no particular verification methods are mandatory.
20 — Note that, as per Art. 18(1) of the Circular, identity verification procedures should also include information that allows the customer's place of residence to be established, even though no particular methods are mandatory.
In Cyprus, the legal framework governing Anti-Money Laundering ('AML') and Combating the Financing of Terrorism ('CFT') is primarily set out by the
Prevention and Suppression of Money Laundering and Terrorist Financing Laws of 2007,
as subsequently amended (referred to as the 'AML/CFT Law'). Besides the stipulated obligations and requirements aimed
at securing the financial environment from illicit activities, this law also outlines the key requirements for Customer Due Diligence ('CDD') and Know Your Customer ('KYC') procedures in Cyprus.
The implementation, enforcement and the adoption of the various domestic and international AML/CFT legislative instruments are overseen by the local Regulatory Bodies, such as:
Central Bank of Cyprus ('CBC'): The country's central monetary authority, responsible for the enforcement of the provisions of the legislation, regulations and supervision of banks, Electronic Money Institutions
(EMIs), and Payment Service Providers (PSPs), Bureaux de Change and Credit Institutions, under section 59 (1)(a) of the AML/CFT Law.
Cyprus Securities and Exchange Commission ('CySEC'): It is a regulatory body that regulates Cyprus's financial services sector, overseeing entities like investment firms, financial institutions, and investment
funds.
Cyprus Bar Association ('CyBAR'): It oversees lawyers and law firms in Cyprus, ensuring compliance with AML and CTF regulations as designated non-financial businesses and professions (DNFBPs).
Institute of Certified Public Accountants of Cyprus ('ICPAC'): It is the competent authority responsible for the regulation and supervision of certified public accountants and audit firms within the Republic of
Cyprus.
Cyprus Real Estate Agents ('CREAA'): It oversees real estate agents in Cyprus, ensuring their compliance with AML and CTF regulations.
Other relevant entities.
However, this assessment is largely based on the requirements of CySEC and CBC.
Cyprus Securities and Exchange Commission (CySEC) CDD provisions
In 2016 the Directive DI144-2007-08 (as amended), Section 2 vi, specifically mentions the use of electronic verification and permits its use as long as the following conditions are met:
i. the electronic databases kept by the third party or to which the third party or the Financial Organization has access are registered to and/or approved by the Data Protection Commissioner in order to safeguard personal data (or
the corresponding competent authority in the country the said databases are kept).
ii. electronic databases provide access to information referred to both present and past situations showing that the person really exists and providing both positive information (at least the customer's full name, address and date
of birth) and negative information (e.g. committing of offences such as identity theft, inclusion in deceased persons records, inclusion in sanctions and restrictive measures' list by the Council of the European Union and the UN
Security Council).
iii. electronic databases include a wide range of sources with information from different time periods with real-time update and trigger alerts when important data alter.
iv. transparent procedures have been established allowing the Financial Organization to know which information was searched, the result of such search and its significance in relation to the level of assurance as to the customer's
identity verification.
v. procedures have been established allowing the Financial Organization to record and save the information used and the result in relation to identity verification.
In addition, according to the above-mentioned directive, Section 2.3, information must come from two sources in the following manner:
vi. identification of the customer's full name and current address from one source, and
vii. identification of the customer's full name and either his current address or date of birth from a second source.
Also, a major recent advancement is the CySEC's amendment of the Anti-Money Laundering (AML) Directive, formalized through
Directive 282/2024 and designed to strengthen the existing AML/CFT framework for obliged entities regulated by CySEC, by improving
measures for the prevention of money laundering and terrorist financing, particularly clarifying identification document requirements and the use of electronic verification methods.
Directive 282/2024 introduces a significant amendment by replacing the previous derogation [61] rule for video call onboarding. Under the prior framework [62], clients could be onboarded remotely primarily via video call with an
annual deposit threshold of EUR 2,000. The updated Directive removes this derogation in response to advancements in digital technologies and evolving threats in financial crime. While video call verification remains an
option, the new rules require financial institutions regulated by CySEC to implement robust KYC procedures for all clients, prior to the business relationship and regardless of deposit amounts.
Additionally, Obligated Entities must notify CySEC in advance of the specific electronic methods they intend to use for remote verification and validation of client identities ('RCOS'). However, there is no longer an
exhaustive list of such electronic methods, meaning that video calls are not the only viable option.
On 6 August 2024, CySEC also issued a
Policy Statement On The Enhancement Of The Non-face-to-face ('NFTF') Customer Onboarding Process With Electronic Methods, outlining
new requirements for remote onboarding, such as mandatory liveness detection for unattended solutions, prior to establishing a business relationship, while observing the requirement of Section
61(1)(a) of the AML/CFT Law for 'data and information from a reliable and independent source'.
Notwithstanding the above provisions, the key principles of remote customer onboarding as per CySEC remain as follows:
Customer Identification
As a general rule, all customers are expected to provide valid identification documents issued by reliable and independent authorities. Beyond passports, Obliged Entities can now accept other IDs (under eIDAS
identification schemes) issued by government bodies of the European Union or a third country, that state the full name and date of birth and include the individual's photograph. Additionally, information such as the individual's current
residential address, occupation (to establish economic profile) or principal activity must be obtained as part of the verification process.
Address Verification
To verify the customer's residential address, documents such as recent utility bills (issued within the last six months), bank statements, or any other official documents that clearly indicate the permanent address must be provided. It
is critical that these documents are issued by credible and independent sources to ensure their authenticity and reliability.
Certification of Documents
Documents submitted for identification and address verification must either be presented in their original form or as certified true copies. Certification may be conducted by the entity itself when the original documents are presented
or by third parties authorized under applicable laws, such as notaries or other competent legal authorities. Where required, certified copies must include an apostille or notarization to validate the certification process. Nevertheless,
the industry practice in Cyprus contradicts the requirement for certification of documents and most regulated entities, especially fintech companies, conduct due diligence on their customers by electronic submission of proof of identity
and proof of address copies.
For instance, where originals or certified copies are not available, the Obliged Entity must: (i) ensure that at least one of the procedures referred to in paragraph 2 of the Fourth Annex of the AML Directive (including, inter alia,
video calls, "penny drop", or "use of an electronic method or a combination of more of them for remoteness ascertaining and verifying the identity of customers, based on assessment, evaluation and money laundering and financing risk
management terrorism") is present; and (ii)(a) collect a simple copy of the customer's ID or (ii)(b) perform identity verification by electronic means on the following cumulative conditions:
the electronic databases employed provide access to information which refers to both current and previous situations that show that the person indeed exists and contain both positive information (at least the customer's full name,
address and date of birth) as well as negative information (e.g. committing crimes such as identity theft, inclusion in records of deceased persons, inclusion in lists of sanctions and restrictive measures by Council of the European
Union and the Security Council UN);
the electronic databases employed contain a wide range of sources, with information from various time periods, updated to real time (real-time update), and send notifications (trigger alerts) when important data changes;
the Obliged Entity knows what information was researched, what the results of the research are and their significance as to the verification of the customer's identity;
has established procedures that allow the Obliged Entity to record and store the information used and the result in relation to the authentication;
information must come from two or more sources: identification of the customer's full name and current address from one source; and identification of the customer's full name and either his current address or date of birth from a
second source;
in case the evidence is in a language other than Greek or English, it must be accompanied by a certified translation (true translation).
Non-Residents of Cyprus
For customers residing outside Cyprus, the same identification and verification procedures apply. However, additional measures may be necessary, including confirmation of the customer's identity through Cypriot embassies, consulates, or
recognized financial institutions in the customer's country of residence. In relation to CySEC-regulated entities, these additional measures can also depend on the risk profile of the customers, as AML laws and guidelines
mention that reporting entities are allowed to follow a risk-based approach. In general, enhanced due diligence is mandatory in cases where there are concerns about the authenticity of the submitted documents or where the customer poses
a higher risk.
It is also worth noting that the new CySEC AML Directive entered into force on 5 August 2024, except for the provisions concerning Remote Customer Onboarding Solutions, as detailed in Annex IV of the AML Directive,
Paragraph 2(iv), which will take effect on 1 December 2024.
Therefore, as per CySEC, with the described amendments entering into force, non-doc KYC may be relied on, provided that (i) the databases used meet the criteria described above and (ii) the database check is combined with at least one
more electronic identity verification method (e.g., liveness). However, address verification may only be conducted based on an exhaustive list of documents.
Central Bank of Cyprus ('CBC')
The CBC is the competent authority for the enforcement of the provisions of the legislation in relation to the financial activities of supervised entities in Cyprus, under section 59(1)(a) of the
Prevention and Suppression of Money Laundering Activities Laws of 2007 to 2019 ('the AML/CFT Law').
Under the Law, the CBC has issued the 5th edition of the
Directive on the Prevention and Suppression of Money Laundering and Terrorist Financing ('the CBC AML/CFT Directive'). Also relevant are the Law 58 (I) of 2016 and the CBC Directive for
Compliance with the provisions of UN Security Council Resolutions and the decisions / regulations of the Council of the European Union.
The Central Bank of Cyprus does not currently have specific legislation regarding the remote onboarding process. However, it has a set of documents to be obtained in relation to natural persons, such as:
Identity Data:
for Cypriot citizens, copy of valid identity card;
for citizens of other countries, copy of passport and valid Alien Registration Card (ARC).
Proof of Permanent Address:
copy of utility bill, not older than six (6) months, (e.g. electricity, landline, water bill in Cyprus, or equivalent, where applicable, from your country of residence), or
home insurance policy, or
municipal tax bill and/or
Bank account statement.
Contact details:
telephone number;
email address;
mailing address (if different from your permanent address);
Details of professional and other occupations, including the name of the employer/business and the position held in the business;
Specimen signature;
Source of Income / Source of Wealth;
Any other information deemed necessary depending, among others, on the estimated risk. Please note that for natural persons who have experienced adverse circumstances (e.g. political asylum seekers, political refugees, beneficiaries
of subsidiary protection, victims of human trafficking and/or exploitation) the above information may vary depending on the case.
The CBC Guidelines further support the use of electronic KYC as long as these means are secure and reliable.
On October 19, 2023, the Central Bank of Cyprus officially launched a digital remote onboarding project aimed at modernizing customer identification and updating processes within credit institutions.
The first phase introduces remote digital onboarding, allowing customers to electronically submit and verify their details or update existing information without requiring a physical presence.
The second phase establishes integration with government services, enabling direct retrieval of customer data to streamline the KYC process.
The final phase facilitates secure information sharing among participating banks, simplifying account transfers and reducing administrative complexities.
Supported by major banks such as Bank of Cyprus, Hellenic Bank, Alpha Bank Cyprus, and others, the project underscores a collective effort to modernize the Cypriot banking sector. This phased rollout, supported by leading banks in
Cyprus, aims to deliver streamlined and compliant banking services, with implementation progressing through 2024.
Despite the references to a requirement of submission of certified identification documents in the AML Law, the CDD framework overseen by the CBC and CySEC is robust and aligned with EU directives (4AMLD, 5AMLD, 6AMLD, eIDAS),
emphasizing a risk-based approach. There are also explicit references to the use of electronic verification methods which are not only permitted and supported by 5AMLD and 6AMLD, but also by CySEC's and CBC's directives, as long as these
electronic methods are conducted through reliable and secure sources. Nevertheless, even if CySEC's Circular C367 and recent CBC announcements further enable flexibility in relation to electronic verification means, physical documents
remain a preferable option. Also, the transition to 6AMLD and MiCAR preparations (November 2024) signal continued digital adoption, but challenges in infrastructure suggest a hybrid approach, combining electronic and traditional methods.
Financial institutions are encouraged to leverage eIDAS-compliant tools while monitoring 2025 regulatory updates to address potential gaps.
61 — Even though the general rule, in accordance with article 62(1) of the AML Law, says that the verification of identity of a
customer/beneficial owner takes place before the establishment of a business relationship with the said person, there is a derogation of this general rule described in article
62(2) of the AML Law. According to article
62(2) of the AML Law, the verification of identity of the customer/beneficial owner of an obliged entity may be completed during the
establishment of a business relationship, provided that all of the following conditions are met: a) if this is necessary so as not to interrupt the normal conduct of business, and b) where there is little risk of money laundering or
terrorist financing occurring, and c) where the verification procedure is completed as soon as possible after the initial contact.
62 — The circular C367 specifies the limited circumstances under which Cyprus Investment Firms (CIFs) may defer customer identity
verification. In all cases, this verification must be finalized within 15 days from the earlier of either the customer's acceptance of the CIF's terms and conditions or the date of the initial deposit.
In the AML/CFT legal framework of the Czech Republic, the relevant requirements for customer identity verification are largely reflected in
Act No. 253/2008 Coll. on selected measures against legitimisation of proceeds of crime and financing of terrorism ("AML Act").
As a general rule, Section 8 of the AML Act states that the first identification of a customer who is an individual should be performed with (i) the said customer present in person and (ii) the obliged entity "recording identification data36 and verifying them from an identity card should they be included thereon, and subsequently recording the type and serial number of the identity card, the issuing country or issuing authority and the card's validity; at the same
time, [...] verifying the holder's appearance and the holder's facial image as pictured on the identity card".
However, Section 8a(1) provides for an alternative so long as the substituting solution is either compliant with Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services
for electronic transactions in the internal market ("eIDAS Regulation") and the implementing regulations or prescribed by another legal act:
"An obliged entity may replace the process pursuant to section 8[...] by identification of a natural person who is a customer [...] performed by means of electronic identification which comply with the following:
a) technical specification, standards, and procedures for a high level of assurance given by the directly applicable regulation of the European Union regulating minimum technical specifications, standards and
procedures for levels of assurance of means of electronic identification37) and which is issued and applied pursuant to the qualified system in line with the Act on Electronic Identification, or
b) conditions pursuant to which means of electronic identification can be used for verification of identity required by a legal regulation or discharge of administrative responsibility outside the scope of the qualified system
pursuant to the Bank Act".
In conclusion, non-documentary methods for identity verification are permitted as long as they correspond to the approved tools used for customer onboarding in accordance with Section 8a of the AML Act. As of now, electronic
identification schemes notified by the Czech Republic pursuant to Article 9(1) of the
eIDAS Regulation with the "high" level of assurance are the national eID card and "mojeID", a non-commercial
service operated by the CZ.NIC association and allowing users to authenticate in various private sectors and public administration services by creating a digital identity.
36 — As per Section 5(1) of the AML Act, for a natural person this would include: “all names and surnames, the birth identification number or, should the person have no birth identification number, the date of birth, gender, place of birth, address of permanent or other residence, and citizenship”. At the same time, no particular methods for verifying the address are prescribed where it is not featured in the identity document.
37 — Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8 (3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
In Denmark, the Consolidation Act on Measures to Prevent Money Laundering and Terrorism Financing (the Anti-Money Laundering Act) ("AML Act") is the main legal source of AML/CFT obligations for the reporting entities. The Finanstilsynet (also the Financial Supervisory Authority), which is a government agency responsible for regulating the financial
sector, including AML/CFT compliance supervision, provides guidelines regarding the interpretation and application of the AML Act.
Section 11 of the AML Act grants regulated entities a relatively wide margin of discretion in selecting the appropriate means of customer identity verification, listing a broad range of electronic evidence as acceptable with some form
of governmental recognition as the only qualifying criterion:
"The undertaking or person shall obtain the customer's identity information.
a) If the customer is a natural person, the identity information shall include name and civil registration number or similar if the person in question does not have a civil registration number. Should the applicant not have a civil
registration number or similar, the identity information shall include date of birth.41
[...]
The undertaking or person shall verify the customer's identity information on the basis of documents, data or information obtained from a reliable and independent source. A reliable and independent source means, for
example, electronic means of identification, relevant trust services or any other secure form of remote identification process or electronic identification process that is regulated, recognised, approved or accepted by the competent national
authorities".
The 2020 Guide to the AML Act ("FSA Guide") by the
Finanstilsynet continues this approach in Sections 9.1-9.5, stating in particular that:
the customer's identity details can, in principle, be obtained from non-documentary sources (e.g., CPR (Central Office of Civil Registration) or Danish Tax Agency);
a "reliable external source" used for customer identification does not necessarily have to be government-owned or -operated;
it is not an obligatory requirement that the customer presents photographic identification for non-face-to-face KYC, although it provides additional assurance;
in the context of a remote relationship, the reporting entity must consider the potentially increased risk. NemID, for instance, is considered a "reliable and independent source" for that purpose, but, "when more than limited risk
is involved, it will be necessary for the undertaking to use other control sources, or risk-mitigating measures along with NemID".
In 2023, NemID was replaced with MitID. Since, unlike NemID, MitID has
both "substantial" and "high" levels of assurance and was generally intended as a more
robust and secure solution, it can be argued that the FSA's reasoning applicable to NemID should not be fully transferable to the MitID and that MitID should be considered sufficient for identity verification outside of the SDD context.
This is corroborated by the consultation paper on "Project AML/TEK", where the FSA expresses the following stance: "The DFSA is of the opinion
that a MitID at a 'substantial' level under the eIDAS Regulation could act as the sole source of verification for distance customers who are not subject to enhanced KYC procedures. This is because the processes for verifying identities
when issuing a MitID are at least as secure as the DFSA expects is the case, in principle, for distance customers under the MLA, cf. section 6.7. In addition, the assurance level of the means of authentication in the MitID solution is
higher than in the NemID solution".
NemID or other forms of electronic ID as a source of control can be supplemented with other risk mitigation measures. Such measures could include:
"The first transaction takes place via the customer's Nemkonto or another bank account registered in the customer's name.
The undertaking sends a unique code to a mobile phone number that it has checked belongs to the customer, or by physical letter to the customer's registered address.
The undertaking verifies the customer's IP address in relation to geolocation.
The undertaking asks the customer questions, which can be subsequently verified by a reliable and independent source, e.g. information from the customer's personal tax folder" (Section 9.5 of the FSA Guide).
Accordingly, Non-Doc KYC solutions are permissible for both identity and address verification in principle so long as they sufficiently mitigate the risk posed by non-face-to-face onboarding and have been granted approval by the
competent national authorities. In relation to MitID specifically, it can arguably be relied on as a standalone solution at both "substantial" and "high" levels of assurance at least in all instances when enhanced due diligence is not
required (where customers may need to apply additional safeguards of their choice, such as: obtaining ID copies, verifying the source of funds where necessary, collecting further data items (e.g., geolocation), etc).
41 — The customer’s residential address is therefore not listed as part of the information obligatory to obtain. Section 14 of the FSA Guide suggests that collection and verification of address data may be leveraged as an EDD measure, but it is still referred to as one of possible alternatives only.
In Estonia, the main requirements for customer due diligence for AML/CFT purposes are established under the
2017 Money Laundering and Terrorist Financing Prevention Act (the "AML Act").
As per §21 and §31 of the AML Act, the exact procedures to be followed in relation to an individual customer depend on (i) the customer's country of residence and, if different, nationality; (ii) whether the customer is physically
present during the onboarding process; and (iii) the actual or anticipated amount of transactions carried out within the business relationship. Specifically:
by default, the customer who is a natural person has to be identified:
by their "person's name [and] personal identification code or, where the person does not possess one, their date of birth and the place of residence or location"50 (§21, subsection 1, clauses 1-2);
with the collected identity data subsequently verified "using information originating from a credible and independent source for that purpose" (§21, subsection 2), which may include "personal identification data entered in the
database of identity documents" (§31, subsection 5);
information concerning recognition and verification of the right of representation and scope thereof and, where the right of representation does not arise from law, the name of the document serving as the basis for that right,
its date of issue, and the name of the issuer;
particulars of the person's means of telecommunication.
The obliged entity must also verify the correctness of the data specified in clauses 1 and 2 of subsection 1, using information originating from a credible and independent source for that purpose.
Where the person subject to due diligence procedure is not located in the same location with the party conducting due diligence, and it is not possible to employ a scheme or service mentioned in subsection 3 of this section, the means
or service used to identify the person and verify data must ensure:
that the data and documents gathered in the course of applying due diligence measures are correct and up to date;
secure gathering and storage of images, video, audio and data in understandable form and with sufficient quality, such that unambiguous identifiability of the person is ensured;
in a situation where the connection is unexpectedly interrupted or on manifestation of other technical defects, the failure of identification.
In accordance with subsection 3 of section 21 of the AML Act, the obliged entity identifying a natural person should do so using the following documents:
a document specified in subsection 2 of § 2 of the Identity Documents Act;
a valid travel document issued in a foreign country;
a driving licence that meets the requirements provided for in subsection 1 of § 4 of the Identity Documents Act, or
a birth certificate specified in § 30 of the Vital Statistics Registration Act in the case of a person below the age of seven years.
Where the original document specified in the list above is not available, the identity can be verified on the basis of a document specified in subsection 3, which has been authenticated by a notary or certified by a notary or
officially, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different
sources for verification of data in such an event.
With regard to special customer due diligence rules for financial and credit institutions and where the following cumulative conditions are met:
(i) the customer is not physically present; and
(ii)(a) "the customer's place of residence or seat is in a country outside the European Economic Area", or
(ii)(b) "the total amount of outgoing payments related to the transaction or service contract per calendar month exceeds 15,000 euros in the case of a customer who is a natural person" (§31, subsection 1)
(iii) Where the residence or seat of the customer or of the person who carries out the occasional transaction is in a high-risk third country or in a jurisdiction that falls under the provision of clause 4 of subsection 4 of § 37 of the
Act.
The following remote KYC methods are prescribed (additionally, the regulated entity must "establish rules of procedure that ensure secure identification of persons and verification of data, and that effectively alleviate and manage
risks related to application of due diligence measures without being present in the same location as the person"):
Option 1:
"an electronic identification scheme that has been notified in accordance with Article 9 of Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic
transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.08.2014, p. 73) and that corresponds to the assurance level provided for by subparagraph (b) or (c) of paragraph 2 of Article 8 of that
Regulation"; or
"a qualified trust service that meets the requirements provided by Regulation (EU) 910/2014 of the European Parliament and of the Council";
Option 2 (where Option 1 is not possible): the means or service used to identify the person and verify data must ensure:
that the data and documents gathered in the course of applying due diligence measures are correct and up to date;
secure gathering and storage of images, video, audio and data in understandable form and with sufficient quality, such that unambiguous identifiability of the person is ensured;
in a situation where the connection is unexpectedly interrupted or on manifestation of other technical defects, the failure of identification.
Option 1 and Option 2 (where Option 1 is not possible) as defined above are also applicable whenever the customer is not physically present, even if the corresponding qualifying criteria are not met;
where the customer is not physically present and their residence or seat is in a country that "provides funding or support for terrorist activities, or that has designated terrorist organisations operating within their country, as
identified by the European Union or the United Nations" or another high-risk country, only Option 1 as defined above is permissible (para. 31, subsection 11);
where the customer is not physically present and an e-resident's digital identity document is used to identify them and verify data, another document mentioned in subsection 3 of § 21 of the AML Act51 must be used simultaneously (§31,
subsection 4);
furthermore, where the obliged entity is not a credit institution, a financial institution, or a notary, para. 31 of the AML Act does not apply, meaning a possible fallback to para. 21, subsection 4: "where the original document
specified in subsection 3 of this section is not available, the identity can be verified [...] on the basis of other information originating from a credible and independent source, including means of electronic
identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event".
Accordingly, the instances where the customer would not necessarily have to present an identity document during non-face-to-face KYC may include:
(i) the obliged entity is not a credit institution, a financial institution, or a notary - meaning that identity data may be verified via two independent sources, whether documentary or non-documentary; or
(ii) the obliged entity relies on an e-identification solution with a "high" or "substantial" level of assurance as per the eIDAS regulation or a qualified trust service meeting the requirements of the eIDAS regulation. For example, the
electronic identification schemes notified by Estonia, all with a "high" level of
assurance, are: ID card; RP card; Digi-ID; e-Residency Digi-ID; Mobile-ID; and diplomatic identity card;
(iii) it is not possible to employ any solution falling within option (ii) above, in which case the obliged entity is not restricted in its choice of the onboarding flow so long as certain technical safeguards (e.g., data accuracy,
secure data storage, uninterrupted connection) are implemented.
In summary, non-document identification can be used as long as it gives assurance equivalent to the eIDAS regulation, preferably through one of the prescribed electronic identification schemes notified by the Estonian government and as long as identity data comes from two independent sources. With regard to address verification, in the absence of instructions to the contrary, it may be assumed that, while regulated entities are indeed expected to verify address-related information, they are not restricted in their options of doing so and, provided that the customer’s address is not already reliably confirmed in the course of general identity verification, both documentary and non-documentary supplemental checks can be used.
50 — There is no specific guidance regarding residential address / location verification; therefore, presumably, it can be achieved via any supplemental checks if necessary.
51 —
a document specified in subsection 2 of § 2 of the Identity Documents Act;
a valid travel document issued in a foreign country;
a driving licence that meets the requirements provided for in subsection 1 of § 4 of the Identity Documents Act; or
a birth certificate specified in § 30 of the Vital Statistics Registration Act in the case of a person below the age of seven years.
The Finnish Financial Supervisory Authority (FIN-FSA) is the regulatory body overseeing the financial sector, including AML/CFT compliance supervision in Finland.
The Act on Preventing Money Laundering and Terrorist Financing (444/2017; amendments up to 599/2023 included) ("AML Act") and
Regulations and Guidelines issued by FIN-FSA in 2/2023 Journal Number FIVA/2023/1289
("Guidelines") provide the legal framework for combating money laundering and terrorist financing.
Customer Due Diligence (CDD) - general provisions:
A. Chapter 3, Section 2(1) of the AML Act and Para 17 of the Guidelines require "obliged entities to identify their customers and verify their identities when establishing a permanent customer
relationship and even in the case of a customer relationship of an irregular nature [...]";
B. Chapter 1, Section 4(1)(6) of the AML Act and Para 18 of the Guidelines specify that "identification means establishing the customer's identity on the basis of information provided by the customer";
C. Chapter 1, Section 4(1)(7) of the AML Act and Para 19 of the Guidelines specify that "verification of identity means ascertaining the customer's identity on the basis of documents, data or information obtained from a
reliable and independent source";
D. Para 22 of the Guidelines "recommends that, in assessing the reliability and independence of the sources referred to in chapter 1, section 4(7) of the AML Act, supervised entities consider paragraphs 4.26-4.28 of the
EBA Risk Factors Guidelines" ("EBA Guidelines"). In turn, para 4.27 of the EBA Guidelines reads:
"[...]
a. [while deciding what makes data or information reliable], Firms should consider different degrees of reliability, which they should determine based on
(i) the extent to which the customer had to undergo certain checks to obtain the information or data provided;
(ii) the official status, if any, of the person or institution that carried out those checks;
(iii) the level of assurance associated with any digital ID system used; and
(iv) the ease with which the identity information or data provided can be forged [...]
In most cases, firms should be able to treat government-issued information or data as providing the highest level of independence and reliability"
E. Para. 34 of the Guidelines states that "The FIN-FSA recommends that supervised entities create procedures for ascertaining the authenticity of a document and information used to verify identity. [...] One method to
ascertain the authenticity of the document and information used to verify the customer's identity could be comparing the information to information in the population register maintained by the
Digital and Population Data Services Agency".
F. Chapter 3, Section 3(2) of the AML Act outlines the minimum data required for customer due diligence:
The following customer due diligence data shall be retained:
1) name, date of birth, personal identity code and address;
7) name, number or other identifier of document used to verify identity or a copy of the document or, in the case of non-face-to-face identification, data on the procedure or sources used in verification;
If the customer is a foreign national without a Finnish personal identity code, data on the customer's citizenship and travel document in addition to the data under subsection 2 of this section shall be retained.
As outlined in the above guidelines, identification entails establishing the customer's identity based on information provided by the customer, while verification of identity involves ascertaining the customer's identity
using documents, data, or information obtained from reliable and independent sources.
In assessing the reliability of these sources, government-issued information or data typically provides the highest level of independence and reliability. Supervised entities are recommended to create procedures for authenticating
documents and information used for identity verification, such as (but without limitation) comparing them to information in the population register maintained by the Digital and Population Data Services Agency.
Additionally, Chapter 3, Section 3(2) of the AML Act specifies that the data that must be retained for customer due diligence only includes name, date of birth, personal identity code, and address (from which it can be inferred that a copy
of an identity document is not necessary). However, for foreign nationals without a Finnish personal identity code, data on citizenship and travel documents must also be retained. Hence, a fully non-doc KYC solution would not be viable
for non-Finnish residents.
In summary, if the customer's identity is being verified remotely and the method of verification involves using an official identification document, the name of the document used for verification, its number or any other identifying
information, and the details of the issuer should be retained or copied. However, if the verification process is remote and does not involve directly using an official identification document, the supervised entity should instead store
information about the specific procedure or sources used for authentication. This could include details about the verification method or technology employed, such as biometric authentication or data cross-referencing.
Non-Documentary Verification - specific provisions
Section 11 of the AML Act and Para 60 of the Guidelines define non-face-to-face identification as the scenario when the customer is not physically present when he or she is identified and his or her identity verified. These
provisions further outline the following enhanced customer due diligence requirements for non-face-to-face identification, leaving supervised entities a broad margin of discretion in the choice of procedure:
Verify the customer's identity using additional documents, data, or information obtained from a reliable source.
Ensure that the payment relating to the transaction is made from a credit institution's account or into the account that was opened earlier in the customer's name; or
Verify the customer's identity through specific electronic means, such as the use of identification devices as stipulated in the Act on Strong Electronic Identification and Electronic Signatures (617/2009), qualified
certificates for electronic signatures under Regulation (EU) No 910/2014, or other secure and verifiable electronic identification technology.
Para 63 of the Guidelines states that "the supervised entity does not have to apply other enhanced due diligence procedures in addition to the enhanced procedure related to non-face-to-face identification referred to in chapter 3,
section 11 of the AML Act, if
the supervised entity applies the method referred to in chapter 3, section 11(3) to remote identification; and
the supervised entity finds that the customer is not associated with a higher than ordinary risk of money laundering and terrorist financing".
Para 67 of the Guidelines "recommends that supervised entities applying remote identification in their activities, in connection with establishing a customer relationship, verify the customer's identity by means of an identification
device referred to in the Identification Act or a qualified certificate for electronic signature as provided in Article 28 of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and
trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC or other secure and verifiable electronic identification technology".
Para 68 of the Guidelines further "recommends that, in considering the use of another electronic identification technology in the identification of a customer and the verification of identity, supervised entities assess the adequacy
of the identification technology relative to the money laundering and terrorist financing risks involved".
Based on the above legal requirements, both the AML Act and Guidelines mandate enhanced customer due diligence requirements for non-face-to-face identification, including at least one of the following options:
Verify with Additional Sources: Use additional reliable data sources to confirm the customer's identity.
Verify Account Ownership: Ensure the customer's initial transaction originates from their account or into a pre-existing account held in their name.
Electronic Verification: Utilize specific electronic means like identification devices under the Act on Strong Electronic Identification and Electronic Signatures (617/2009).
However, the above-mentioned procedures are apparently not considered fully equivalent by the regulator; in particular, only the "Electronic Verification" method referred to in section 11(3) of the AML Act is considered completely
self-sufficient for EDD purposes in all circumstances.
Given Finland's robust electronic identification solutions such as FINeID, BankID, and MobileID, all supported by the Digital and Population Data Services Agency and adhering to the Act on Strong Electronic Identification, these can be
utilized for AML purposes. These solutions are part of the Finnish Trust Network (FTN) and provide secure and reliable electronic identification options.
At the same time, while "Electronic Verification" solutions are considered a "safe harbor," regulated entities have the flexibility to explore alternative options, including for non-documentary KYC, such as alternative external
databases. However, such alternatives may be more difficult to justify from a risk-based approach perspective.
According to Para 67 of the Guidelines, it is recommended to opt for Section 11(3) of the AML Act ("Electronic Verification") rather than (1) (additional sources) or (2) (account ownership confirmation). Additionally, Para 68 advises
against using methods from Section 11(1) and (2) for identity verification unless necessary circumstances warrant it.
Furthermore, in considering "other secure and verifiable electronic identification technology", supervised entities must ensure it corresponds to their risk profile and guarantees data security and method verifiability, as outlined in
Paras 73-74 of the Guidelines.
To conclude, in setting up processes for non-documentary verification, supervised entities should prioritize the use of electronic identification technologies recognized under Finnish law, such as BankID/FTN solutions, to ensure
compliance with both the AML Act and related guidelines; however, alternative options such as the use of external databases are also permissible so long as the regulated entity can justify their reliability through a risk-assessment of
their clients' profile.
55 — English translated version of the AML Act.
56 — According to the FIN-FSA’s interpretation, a supervised entity may decide, relying on its risk based procedures, what documents and information it considers obtained from a reliable and independent source and may create different procedures for the documentary evidence which shall be presented by customers to verify their identity on the one hand when establishing a customer relationship and on the other hand during the customer relationship. (paras. 32 & 33 of the Guidelines).
The Monetary and Financial Code of France (the "Code") establishes, under Art. L. 561-5, the general duty of AML-regulated entities to:
(i) "identify their client", which is achieved, as per Art. R561-5, "by collecting their first and last name, as well as their date and place of birth"52 where the customer is a natural person; and
(ii) "verify the identification elements upon presentation of any written document of a probative nature", which is further detailed in Arts. R561-5-1 and R561-5-2:
as a general rule, an individual customer's identity data may be verified remotely according to one of the following methods (an electronic identification scheme notified as per the eIDAS Regulation either by France53 or by another EU
member state):
a) "electronic identification means certified or attested by the National Agency for the Security of Information Systems in accordance with the level of guarantee, either substantial or high, set by article 8 of Regulation (EU) No
910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market", or
b) "electronic identification means issued within the framework of a scheme notified to the European Commission by a Member State of the European Union under the conditions provided for in paragraph 1 of Article 9 of this regulation
and whose level of guarantee corresponds to the level either substantial or high set by article 8 of the same regulation" (Art. R561-5-1, 1°);
where this is impossible, at least two measures from the list below (which, taken cumulatively, must allow for verification of all the identity data named in Article R. 561-5) must be implemented:
"obtain a copy of a document mentioned in 3° or 4° of article R. 561-5-1 [valid official document including the customer's photograph]";
"implement measures to verify and certify the copy of an official document or an extract from the official register mentioned in 3° or 4° of Article R. 561-5-1 by a third party independent of the person to be identified"54;
"require that the first payment for transactions be made from or to an account opened in the client's name with a person mentioned in 1° to 6° bis of Article L. 561-2 [certain types of AML-regulated entities] that is established
in a Member State of the European Union or in a State party to the agreement on the European Economic Area or in a third country imposing equivalent obligations in terms of the fight against money laundering and the financing of
terrorism";
"obtain confirmation of the customer's identity directly from a third party fulfilling the conditions set out in 1° or 2° of I of Article L. 561-7" [third party itself subject to AML/CFT laws and located in an EU/EEA country or
a third country imposing obligations equivalent to those contained in the Code, including those related to exchange of personal information];
"use a service certified as compliant by the National Information Systems Security Agency, or a certification body authorized by this agency, at the level of substantial guarantee of the requirements relating to proof and
verification of identity, provided for in the appendix to the implementing regulation (EU) 2015/1502 of 8 September 2015";
"collect an advanced or qualified electronic signature or a valid advanced or qualified electronic seal based on a qualified certificate or use a qualified electronic registered delivery service bearing the identity of the
signatory or the creator of the seal and issued by a qualified trust service provider registered on a national trust list pursuant to Article 22 of Regulation (EU) No 910/2014 of July 23, 2014" (Art. R561-5-2, 1-6°).
Regarding address verification (where this measure is used by regulated entities), the Code does not specify an approach for natural persons:
"The [obliged entity] verify the identity of their client by asking him to provide him with a copy of a valid official document containing his photograph and proving his identity and date of birth, verify his address and, when their customer wishes to fund his account or receive his assets by transfer, only carry out
these transactions from or to a single payment account opened in his name by the player with a payment service provider established in a Member State of the European Union, in a State party to the agreement on the European Free Trade Agreement, in a third country in which these persons are authorized to organize and operate games of chance and have concluded with France a convention containing an
administrative assistance clause to combat tax fraud and evasion or in a third country imposing equivalent obligations in the fight against money laundering and the financing of terrorism and appearing on a list drawn up by decree of
the Minister for the Economy."
Therefore, non-documentary means of non-face-to-face identity verification are permissible, as long as they correspond to the requirements and standards established under the eIDAS Regulation (substantial or high level of assurance) or national legislation implementing it.
52 — The Article contains no similar reference to residential address or location. The ACPR Guide for identification, identity verification and customer due diligence ("ACPR Guide") further recognizes that, while address verification could be beneficial for determining the customer's risk profile or tax residence, it is not a necessary element of CDD procedures (para. 131).
53 — Currently including the French eID scheme "FranceConnect+ / The Digital Identity La Poste" with a "substantial" level of assurance.
54 — As per para. 46 of the ACPR Guide, this would primarily include "French or foreign [...] public authorities or ministerial public officers, such as notaries, embassy or consulate employees".
The 2022 Anti-Money Laundering / Combating the Financing of Terrorism & the Proliferation of Weapons of Mass Destruction Guideline ("Guideline") issued by the Financial Intelligence Centre and the Bank of Ghana is, in general, highly prescriptive regarding the minimum standards for customer identification and identity verification:
"AIs shall identify their customers and verify the customers' identities using the Ghana Card as the sole identifier for all financial transactions9 [...] Types of customer information to be obtained and identification data to be used to verify the information are provided in Appendix B" (Part B, Section 2.4.2(1)-(2)).
Appendix B, in turn, requires different sets of identity data and supporting evidence, depending on whether the individual in question is a citizen or resident of Ghana, as well as on their special status, if any (applicable to minors,
students, refugees and asylum seekers, foreign diplomats and their dependents). By way of illustration, a Ghanaian citizen and a foreign citizen permanently residing in Ghana would need to provide, respectively:
Ghanaian citizen:
Ghana Card KYC Data Set.
Additional minimum requirements:
Proof of Residential Address
i. GPS Address, or
ii. Tenancy Agreement, or
iii. Any other relevant document issued by an authorized government agency or institution;
Foreign citizen permanently residing in Ghana:
Non-Citizen Card KYC Data Set;
Additional minimum requirements:
Proof of Residential Address (local)
i. GPS Address, or
ii. Tenancy Agreement, or
iii. Any other relevant document.
Proof of Residential address (foreign)
i. Utility Bill, or
ii. Tenancy Agreement, or
iii. Any other relevant document issued by an authorized government agency or institution.
Furthermore, the 2022 Bank of Ghana Supervisory Guidance Note on the Use of the Ghana Card for Accountable Institutions ("Supervisory Note") establishes a procedure for how exactly the Ghana Card or Non-Citizen Card should be processed during customer onboarding. In particular, certain data contained in the document itself must be extracted to determine
if there is a match with the NIA records and, where necessary, request an update:
"a. Verify the identity of the customer using the Ghana Card or Non-Citizen Card in the case of non-Ghanaians.
b. Verify the Biometric information of both fingers and/or face of the customer
c. Update customer KYC data set using the data set from National Identity Authority (NIA).
d. In cases where the following data sets acquired from NIA differ:
Dynamic data - The AIs shall verify and update using procedures prescribed by the NIA in this Guideline. Such data set include phone numbers, addresses, occupation, next of kin and others.
Static data - The AIs shall refer the customer to NIA for the update. Such data set includes names, date of birth or place of birth" (Section 2).
"A "NO MATCH" verification is a case where:
The data (Card/Biometric) presented to the verification system does not match with anyone in the system.
Only the biometric data presented for verification is successfully captured but does not match the identity of a registered person.
The Ghana Card PIN being used with the biometrics of the customer was mistyped.
The customer presenting the Ghana Card as identification and verification for transaction is not the lawful owner of the Ghana Card" (Section 6.1).
While Section 6.1.4 could be interpreted to rule out the non-documentary approach (as the customer is supposed to "present the Ghana Card"), Section 9.1 of the Supervisory Note sets out the following procedure for remote onboarding
specifically (with Sections 10-13 also suggesting alternative biometry-based verification flows where the holder is unable to display the document):
"To perform a Yes/No or KYC face verification, the end users Ghana Card PIN and biometrics are required. The administrator inputs the card holders Ghana Card Pin Number, selects the operation being performed and takes the end users
photograph to receive the result".
Accordingly, so long as the verification procedure involves collecting the customer's facial image data, alongside the Ghana Card PIN, full name, and date or place of birth and their subsequent matching against the official NIA records,
it may arguably be considered compliant. At the same time, as demonstrated above, non-documentary confirmation of the customer's address is only possible via a GPS check and only if the place of residence is in Ghana; a non-Ghanaian
address would need to be verified based on additional documentation such as a utility bill or a tenancy agreement.
9 — The 2022 Bank of Ghana Supervisory Guidance Note on the Use of the Ghana Card for Accountable Institutions ("Supervisory Note"), however, provides a carve-out by stating that foreign citizens are expected to provide a Non-Citizen Card instead (section 2.2(a)). Similarly, an international passport may be taken as evidence of identity for
diplomats as per Part C, section 3.1.3 of the Guideline and section 5 of the Supervisory Note.
The Anti-Money Laundering and Counter-Terrorist Financing Ordinance ("AMLO"), Cap. 615 is the primary legal source prescribing obligations applicable to the AML/CFT-regulated
entities operating in Hong Kong and, in particular, setting out requirements regarding customer due diligence and record-keeping.
Pursuant to Part 2 Division 1 (Para. 2) of AMLO, supervised entities must identify the customer and verify the customer's identity on the basis of documents, data or information provided by:
"(i) a governmental body;
(ii) the relevant authority or any other relevant authority;
(iii) an authority in a place outside Hong Kong that performs functions similar to those of the relevant authority or any other relevant authority;
(iiia) a recognized digital identification system30; or
(iv) any other reliable and independent source that is recognized by the relevant authority".
At the same time, the responsibility for oversight of the financial market in Hong Kong is divided between the Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC). The HKMA regulates the banking industry,
while the SFC oversees the securities and futures markets, including virtual asset service providers. Both regulators within their respective functions provide practical guidelines on AML/CFT compliance, such as the latest HKMA Guideline on Anti-Money Laundering and Counter-Financing of Terrorism For Authorized Institutions (Revised in May, 2023) (the "HKMA Guideline") or the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers) (the "SFC Guideline") by the SFC. However, the HKMA Guideline and the SFC Guideline include similar provisions regarding customer identification and verification procedures. Therefore, the analysis below could be relevant for entities
supervised by either HKMA or SFC.
In particular, Para 4.3.1 of the HKMA Guideline replicates the above-mentioned requirement from AMLO regarding identity verification on the basis of reliable documents, data or information; however, it also clarifies in a footnote what
an appropriate "digital identification system" could be:
"The HKMA recognises iAM Smart, developed and operated by the Hong Kong Government, as a digital identification system that can be used for identity verification of natural persons. The HKMA may in future recognise other similar digital
identification systems developed and operated by governments in other jurisdictions having regard to market developments and specific circumstances"31.
At the same time, in accordance with Paras 4.3.2-4.3.5 and 4.3.13-4.3.17 of the HKMA Guideline, the following identification and verification requirements are applicable to FIs:
for customers who are natural persons, the full name, date of birth, nationality, unique identification number and document type, as well as residential address, should be obtained for identification (although it is not mandatory to
check the accuracy of every piece of information32);
the acceptable means of verification are documents, data or information provided by a reliable and independent source, the list of which is not exhaustive: (a) Hong Kong identity card or other national identity card; (b) valid
travel document (e.g. unexpired passport); or (c) other relevant documents, data or information provided by a reliable and independent source (e.g. document issued by a government body);
the obliged entity should ensure that documents, data or information obtained for the purpose of verifying the identity of a customer are current at the time they are provided to or obtained by the entity.
Section 4.10 on non-face-to-face CDD measures further states that regulated entities should "take additional measures to mitigate the risk (e.g. impersonation risk) associated with customers not physically present for identification
purposes". However, where a customer's identity is verified via a digital identification system recognized by HKMA, no such additional measures are required.
Accordingly, the usage of non-documentary identity verification is considered compliant so long as it is based on the digital ID system "iAM Smart", operated by the Hong Kong government. Any other digital identification systems could be
involved only if specifically approved by relevant authorities or regulatory bodies in Hong Kong and/or abroad.
30 — A digital identification system that is a reliable and independent source that is recognized by the relevant authority or relevant regulatory body (the AMLO, Schedule 2, Part 1).
31 — The SFC Guideline provides a similar requirement for identity verification. However, the SFC-licensed institutions may only use digital identification systems recognised by the SFC correspondingly; currently, only the iAM Smart system meets
this criterion (the SFC Guideline, Para 4.2.1).
32 — This applies to, in particular, address validation - based on the HKMA Guideline, an authorized entity is required to collect the address, but not necessarily verify it. However, pursuant to the footnote of Section 4.3.5 of the HKMA
Guideline, an authorized entity may, under certain circumstances, require verification (on top of collection) of the customer's residential address for other purposes (e.g. group requirements, other local or overseas legal and
regulatory requirements). In such circumstances, the authorized entity should communicate clearly to the customer the reasons for requiring verification of address. This section does not seem to exclude the use of alternative means,
e.g. geolocation data, to establish the customer's address.
The Prevention of Money Laundering Act, 2002 ("PMLA") and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 issued thereunder ("PML Rules") provide the main legislative framework for combating ML / TF in India and, together with the guidance produced by the national Reserve Bank, explicitly prescribe e-KYC based on the customer's Aadhaar number11 or other identifiers as one of the possible (or, for certain
entities, required) means of identity verification:
"Every reporting entity shall verify the identity of its clients and the beneficial owner by -
(a) authentication12 under the Aadhaar [...] Act, 2016 if the reporting entity is a banking company; or
(b) offline verification13 under the Aadhaar [...] Act, 2016; or
(c) use of passport issued under section 4 of the Passports Act, 1967; or
(d) use of any other officially valid document14 or modes of identification as may be notified by the Central Government in this behalf" (PMLA, Section 11(A)(1)).
Non-banking entities may also be permitted, by special notification of the Central Government, to perform Aadhaar authentication, provided that it is necessary to do so and that the entities in question comply with the standards of
privacy and security under the Aadhaar Act. At the same time, the customer is allowed to choose between options (a)-(d).
"Where the client is an individual, he shall [...] submit to the reporting entity, -
(a) the Aadhaar number where
(i) he is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 (18 of 2016); or
(ii) he decides to submit his Aadhaar number voluntarily to a banking company or any reporting entity notified under first proviso to sub-section (1) of section 11A of the Act; or
(aa) the proof of possession of Aadhaar number where offline verification can be carried out; or
(ab) the proof of possession of Aadhaar number where offline verification cannot be carried out or any officially valid document or the equivalent e-document15 thereof containing the details of his identity and address; and
(b) the Permanent Account Number or the equivalent e-document thereof or Form No. 60 as defined in Income-tax Rules, 1962 [...]" (PML Rules, Rule 9(4)).
Depending on which data the customer provides and whether offline verification is available, the reporting entity shall carry out the following procedures:
"Where the client has submitted -
(a) his Aadhaar number [...] to the banking company or a reporting entity notified under first proviso to sub-section (1) of section 11A, such banking company or reporting entity shall carry out authentication of the client's Aadhaar
number using e-KYC authentication facility provided by the Unique Identification Authority of India;
(b) proof of possession of Aadhaar under clause (aa) of sub-rule (4) where offline verification can be carried out, the reporting entity shall carry out offline verification;
(c) an equivalent e-document of any officially valid document, the reporting entity shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000) and any rules issued thereunder and take a live photo as specified under Annex 1;
(d) any officially valid document or proof of possession of Aadhaar number under clause (ab) of sub-rule (4) where offline verification cannot be carried out, the reporting entity shall carry out verification through digital KYC as specified under Annex 1" (PML Rules, Rule 9(15)).
Additionally, the Master Direction - Know Your Customer (KYC) Direction of Reserve Bank of India ("Master Direction") allows a client's identity to be verified based on the KYC identifier16 from the Central KYC Records Registry17:
"For undertaking CDD, REs shall obtain the following from an individual while establishing an account-based relationship [...]:
(ac) the KYC Identifier with an explicit consent to download records from CKYCR [...]" (Master Direction, section 16).
Therefore, the available options are:
(i) Aadhaar authentication, powered by the Unique Identification Authority of India (UIDAI), provides an instant mechanism to confirm one's identity and does not require any other ID proof except Aadhaar number. It is, however, restricted to banking institutions and certain other requesting entities as described above. Accounts opened using Aadhaar OTP-based
authentication, in non-face-to-face mode, are subject to a number of limitations as to the maximum balance, permitted operations, etc.
(ii) The UIDAI also enables "paperless offline e-KYC", wherein the customer, using their Aadhaar number, creates a "Share Phrase" with their identification data encrypted and shares it with the entity performing KYC. The entity can then validate the data through its own OTP / face authentication mechanism.
(iii) Digital KYC means "the capturing of a live photo of the customer and their officially valid document / proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the
location where such live photo is being taken by an authorised officer of the reporting entity" in accordance with specific technical requirements (Master Direction, section 3(a)(viii)). This procedure, however, may only be carried out
via a specialized application developed by the reporting entity (Master Direction, Annex I).
(iv) Where a customer submits a KYC Identifier to a reporting entity, with an explicit consent to download records from CKYCR, the reporting entity shall retrieve the KYC records online from the CKYCR using the KYC Identifier and the
customer shall not be required to submit the same KYC records or information or any other additional identification documents or details, subject to certain exceptions (Master Direction, section 56).
As an alternative to the aforementioned procedures, the "V-CIP" mechanism was recently introduced, consisting of a video conference with the reporting entity's operator in combination with a "liveness" check, geolocation and IP address
check, and document analysis (Master Direction, section 18). V-CIP, however, is also dependent on external data sources, since the reporting entity is still required to validate the customer's identity data based on Aadhaar number, KYC
identifier or e-document.
In relation to address verification specifically, the options for conducting it are not limited to documentary evidence either. For certain specific exceptions, PML Rules, Rule 9(18-19) states that:
"where an officially valid document furnished by the client does not contain updated address, the following documents [or the equivalent e-documents thereof] shall be deemed to be officially valid documents for the
limited purpose of proof of address:
(a) utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);
(b) property or Municipal tax receipt;
(c) pension or family pension payment orders (PPOs) [...];
(d) letter of allotment of accommodation from employer [...]" - however, this only appears applicable where identity verification is being carried out based on the "officially valid document" in the first place and there is no
confirmation of the customer's current address otherwise:
"where a client has provided his Aadhaar number for identification under clause (a) of sub-rule (4) and wants to provide a current address, different from the address as per the identity information available in the Central
Identities Data Repository, he may give a self-declaration to that effect to the reporting entity".
Based on the analysis above, Aadhaar-based authentication, Aadhaar-based offline verification, and KYC identifier verification can all be considered as possible solutions for non-documentary identity verification.
11 — Aadhaar number - an identification number issued to an individual pursuant to the Aadhaar Act.
12 — Authentication - the process by which the Aadhaar number along with OTP, demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and
such Repository verifies the correctness, or the lack thereof, on the basis of information available with it. "Central Identities Data Repository" means a centralised database in one or more locations containing all Aadhaar numbers
issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto.
13 — Offline verification - the process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations.
14 — Officially valid document - the passport, the driving licence, proof of possession of Aadhaar number, the Voter's Identity Card issued by the Election Commission of India, job card issued by NREGA duly signed by an
officer of the State Government, the letter issued by the Unique Identification Authority of India or the National Population Register containing details of name, address and Aadhaar number or any other document as notified by the
Central Government in consultation with the Regulator. The list is not exhaustive.
15 — Equivalent e-document - equivalent of a document issued by the issuing authority of such document with its valid digital signature including documents issued to the digital locker account of the client as per rule 9 of
the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016.
16 — Know Your Client (KYC) Identifier - the unique number or code assigned to a client by the Central KYC Records Registry.
17 — Central KYC Records Registry - a reporting entity, substantially owned and controlled by the Central Government, and authorised by that Government through a notification in the Official Gazette to receive, store,
safeguard and retrieve the KYC records in digital form.
The most recent comprehensive legal act outlining the responsibilities of AML-subject entities in Indonesia is the Regulation (POJK) No. 8 of 2023 ("OJK Regulation") on the Implementation of Anti-Money Laundering (AML), Counter-Terrorist Financing (CFT), and Counter-Proliferation Financing of Weapons of Mass Destruction (CPF) Program in the Financial Services Sector by the Indonesian Financial Services
Authority (Otoritas Jasa Keuangan, OJK), which regulates the country's financial industry on par with Bank Indonesia.
Pursuant to Art. 21(2) of the OJK Regulation, identity verification of prospective customers may be conducted via: "a. direct face-to-face meetings; b. electronic face-to-face meetings; and/or c. non-face-to-face electronic mechanisms".
The solutions that may be employed by the supervised entity under subclause (c) are not limited, yet three main options are highlighted: the entity may rely on (i) its own software and hardware; (ii) software and hardware belonging to
third parties (such as KYC providers) and accessed by the entity; or (iii) utilization of population databases, for which at least two authenticity factors must be used (something characteristic of the customer and something the
customer possesses).
Regarding the scope of data to be collected in respect of an individual customer, Art. 25(1) of the OJK Regulation lists the following points:
full name (including aliases, if any);
identity document number;
residential address according to the ID and other residential addresses, if any;29
place and date of birth;
citizenship;
occupation;
address and telephone number of workplace, if any;
gender;
marital status;
mother's maiden name;
identity of the beneficial owner, if any;
source of funds;
average annual income and/or net worth;
aims and objectives of the business relationship or transaction.
Further, according to Art. 26(1) of the OJK Regulation, the aforementioned information has to be supported by an identity document. However, the Article further specifies that it can include: (i) for Indonesian citizens - a resident
card or "digital population identity as intended in the laws and regulations regarding population data"; (ii) for foreign citizens - a passport accompanied by immigration documents; (iii) for "individuals from the Indonesian diaspora or
Indonesian people abroad" - passports and identity cards issued to such individuals under the applicable laws and regulations.
Therefore, in reference to non-documentary verification, it is safe to assume that Indonesia allows identity verification via national identity databases when it comes to local citizens (see, e.g., the e-KTP system). At the same time, it is important for businesses to obtain all of the necessary identification data to stay fully compliant with national regulations.
29 — For the scenario where the residential address differs from the one indicated in the ID, the OJK Regulation does not prescribe any particular verification procedures.
In Italy, the core legal act stipulating the AML/CFT obligations for regulated companies is the Legislative Decree 21 November 2007, n. 231 ("Legislative Decree"), which largely endorses the documentary approach to KYC, yet at the same time specifies that official sources and public identity systems may be used to verify the authenticity of the obtained documentation: "The obliged entities fulfill their
customer due diligence obligations according to the following methods:
a) the identification of the customer and the beneficial owner is carried out in the presence of the same customer [...] and consists in the acquisition of the identification data provided by the customer, upon presentation of a
valid identity document or other equivalent identification document in accordance with current legislation, of which a copy is acquired in paper or electronic format [...];
b) the verification of the identity of the customer [...] requires verification of the veracity of the identification data contained in the documents and of the information acquired at the time of identification, only where, in
relation to them, there are doubts, uncertainties or inconsistencies. The verification can be carried out by consulting the public system for the prevention of identity theft referred to in the legislative decree of 11 April 2011, n.
64. Identity verification can also be carried out through the use of other reliable and independent sources including databases, with public access or conditional on the release of authentication credentials, referable to a public
administration as well as those referable to private entities authorized to issue digital identities within the system provided for by article 64 of legislative decree no. 82 of 2005 or an electronic identification regime included
in the list published by the European Commission pursuant to article 9 of EU regulation no. 910/2014" (Art. 19(1)).
In turn, the Bank of Italy Provisions on Customer Due Diligence implementing the Legislative Decree (Disposizioni in materia di adeguata verifica della clientela per il contrasto del riciclaggio e del finanziamento del terrorismo as amended on June 13, 2023, "CDD Provisions"), while detailing the applicability of these requirements to the remote onboarding context, also insist on collecting a copy of the customer's ID (with additional checks performed at the
reporting entity's discretion):
"In cases of remote operation, the recipients:
a) acquire the identification data42 of the customer and the executor and verify it on a copy - obtained by fax, post, in electronic format or with similar methods - of a valid identity document, in accordance with
current legislation;
b) carry out checks in addition to those provided for in Section V on the data acquired, according to the most appropriate methods in relation to the specific risk. By way of example, the following methods are indicated: telephone
contact on a fixed line (welcome call); sending communications to a physical address with return receipt; transfer made by the customer through a banking and financial intermediary based in Italy or in an EU country; request to send
countersigned documentation; verification of residence, domicile, activity carried out, through requests for information to the competent offices or through on-site meetings, carried out using its own personnel or third parties.
In compliance with the risk-based approach, recipients can use feedback mechanisms based on innovative and reliable technological solutions (e.g. those that provide forms of biometric recognition), as long as they are assisted by robust
security measures [...]" (Part 2, Section VIII).43
However, the Provisions on Customer Due Diligence also envisage specific circumstances where neither physical presence nor presentation of an identity document is mandatory, including where the customer's identity is verified on the
basis of an eIDAS-certified solution:
"[...] the identification obligation is considered fulfilled, even without their physical presence, for customers: [...]
2) in possession of a digital identity, of maximum security level, within the System referred to in Article 64 of Legislative Decree 7 March 2005, n. 82, and the related implementing legislation, or a digital identity with a maximum
security level44 or a certificate for the generation of a digital signature, issued as part of an electronic identification regime included in the list published by the European Commission pursuant to Article 9 of Regulation (EU) No. 910/2014" (Part 2, Section III).
The two electronic identification schemes notified by Italy with a "high" level of assurance are Italian eID based on National ID card (CIE) and SPID (Public System of Digital Identity), although the latter one may also have "low" and "substantial" levels depending on the provider.
It therefore follows that Italian eID and SPID (at a “high” assurance level) can be relied on as standalone solutions for non-documentary KYC. Aside from that, remote identity verification would almost invariably require obtaining the customer’s identity document. Nonetheless, other non-documentary methods for data verification may be implemented as additional security checks (e.g., biometric technologies, external data sources, etc.) as they deem necessary, including for verification of residential address.
42 — Art. 1(2)(n) of the Legislative Decree defines "identification data" as "name and surname, place and date of birth, registered residence and domicile, where different from registered residence, and, where assigned, the tax code or, in
the case of subjects other than a natural person, the name, registered office and, where assigned, the tax code". While neither the Decree nor the CDD provisions explicitly mention "proof of address", the following can be inferred based
on the rest of the analysis: (i) if the primary identification document contains the customer's current address, it likely fulfills both identification and proof of address requirements; (ii) if the primary ID lacks the current address,
the law requires it to be collected separately but does not explicitly specify how it should be verified; (iii) therefore, supplementary procedures adopted by obliged entities in this case could involve, e.g., requesting additional
documents or consulting external data sources. The specific requirements for proof of address documents might vary depending on the customer's risk profile; higher-risk customers might require more robust verification.
43 — Previously, video identification, as described in Annex 3 to the Bank of Italy Provisions on Customer Due Diligence, was accepted as an alternative to the mechanism outlined in Section VIII; however, it was repealed in June 2023.
44 — Notably, Art. 19 of the Legislative Decree, providing for a similar exemption, only requires a "significant" (substantial) level of assurance and includes "secure and regulated electronic identification procedures authorized or
recognized by the Agency for Digital Italy" as an additional option.
The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) is the primary statute governing the AML/CFT regime in Malaysia, whereas Bank Negara Malaysia (BNM), the country's central bank and financial regulator, issues policy documents setting out reporting entities' obligations concerning the AMLA-imposed requirements.
The AMLA, while establishing the general customer identification duty, provides a broad range of evidence acceptable for verifying identity-related data:
"A reporting institution, in undertaking customer due diligence measures, shall-
(a) ascertain the identity, representative capacity, domicile, legal capacity, occupation or business purpose of any person, whether he is an occasional or usual customer;
(b) verify, by reliable means or from an independent source, or from any document, data or information, the identity, representative capacity, domicile, legal capacity, occupation or business purpose of any person,
through the use of documents which include identity card, passport, birth certificate, driver's licence, constituent document or any other official or private document as well as other identifying information relating
to that person, whether he is an occasional or usual customer". (AMLA, Section 16(3))
Simultaneously, the BNM Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions (AML/CFT and TFS for FIs) and Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions (DNFBPs) & Non-Bank Financial Institutions (NBFIs) (AML/CFT and TFS for DNFBPs and NBFIs) policies do not list identity documents or copies thereof among the information mandatory for collection during standard CDD in relation to natural persons:
"(a) full name;
(b) National Registration Identity Card (NRIC) number or passport number or reference number of any other official documents of the customer or beneficial owner;
(c) residential and mailing address;
(d) date of birth;
(e) nationality;
(f) occupation type;
(g) name of employer or nature of self-employment or nature of business;
(h) contact number (home, office or mobile); and
(i) purpose of transaction". (See, e.g., Section 14.10.1 of AML/CFT and TFS for DNFBPs and NBFIs, Section 14A.9.1 of AML/CFT and TFS for FIs).33
BNM further provides for non-documentary means of identity verification and, specifically, those involving the use of specific external data sources:
"Reporting institutions must verify and be satisfied with the identity of the customer or beneficial owner through reliable and independent documentation, electronic data or any other measures that reporting
institutions deem necessary". (See, e.g., Section 14A.5 of AML/CFT and TFS for FIs, Section 14.5 of AML/CFT and TFS for DNFBPs and NBFIs)
"[In the non-face-to-face context], reporting institutions may identify and verify a customer's identity by:
(a) conducting video calls with the customer before setting up the customer's money changing account or allowing the customer to perform transactions;
(b) communicating with the customer at a verified residential or office address where such communication shall be acknowledged by the customer;
(c) verifying the customer's information against a database maintained by relevant authorities including the National Registration Department or Immigration Department of Malaysia; telecommunication companies, sanctions lists issued
by credible domestic or international sources in addition to the mandatory sanctions lists or social media platforms with a broad outreach; or
(d) requesting to sight additional documents such as recent utility bills, bank statements, student identification or confirmation of employment".34 (See, e.g., Section 14C.16.12 of AML/CFT and TFS for FIs)
The minimum expected baseline for regulated entities applying non-face-to-face verification methods is for them to "ensure and be able to demonstrate on a continuing basis that appropriate measures for identification and verification of
the customer's identity through e-KYC are secure and effective" (see, e.g., Section 14A.15.7 of AML/CFT and TFS for FIs). Other than that, BNM offers no indication that it is obligatory to obtain a copy of the customer's ID in the
context of remote CDD. On the contrary, in the Guidance on Verification of Individual Customers for Customer Due Diligence, it emphasizes that "there is no restriction on the form of evidence to be taken by reporting institutions in verifying the identity" (para. 5.1) and that electronic data can be elected instead of documentary evidence, provided it is obtained from a reliable and independent source.
To conclude, financial institutions, DNFBPs and NBFIs supervised by the BNM may rely on non-documentary verification methods (specifically, external electronic databases) for identity data (including address), so long as they are
sufficiently robust to be as effective as face-to-face CDD. However, additional mechanisms (e.g., a questionnaire) may need to be implemented in order to collect the necessary customer information that might not be contained in the
consulted data source.
33 — It should be noted that, in certain scenarios (e.g., simplified due diligence or, for specific types of business, transactions below a designated threshold), not all of the listed data may be necessary.
34 — Given that (d) is presented as an equal alternative to the other options, it can be assumed that non-face-to-face verification of address, similarly to verification of identity in general, may be carried out via non-documentary evidence, e.g., by reference to external databases.
For New Zealand, the Amended Identity Verification Code of Practice 2013 (AIVCOP) mandates that electronic identity verification must use either:
A single independent electronic source that can verify an individual's identity to a high level of confidence, such as a verified RealMe identity [only a verified RealMe identity meets this criterion, as it incorporates biometric information or provides an equivalent level of assurance], or
At least two independent and reliable matching electronic sources, where one source must confirm both the name and date of birth, while another source must at least confirm the name.
The Explanatory Note: Electronic Identity Verification Guideline, published by the Financial Markets Authority (FMA), provides detailed guidance on satisfying these regulatory requirements. It outlines examples of compliant verification processes, including verifying a customer's identity against two reliable and independent sources that match each other, and ensuring the customer is who they claim to be through additional methods such as examining ID documents and using liveness detection.
The following sources are suggested by the FMA:
Primary sources:
Confirmation Service (DIA).
NZ Driver Licence (NZTA).
Secondary sources:
Credit Bureaus.
Companies Office.
Land Registry (LINZ).
Vehicle registration (NZTA).
The Explanatory Note also provides a more detailed example of a KYC flow that could be considered compliant with the Code:
a) Collecting the full name and date of birth of the customer, along with their New Zealand passport number and its expiry date.
b) Capturing an image of that passport.
c) Capturing an image of the person being dealt with online using a robust liveness detection system.
d) Using facial recognition software to match the image of the person being dealt with online to the image of that person on the New Zealand passport.
e) Checking there is no tampering of the passport, including validating machine-readable zone data and other passport security features.
f) Verification of the full name and date of birth of the customer, and their NZ passport, is then undertaken using the DIA Confirmation Service.
g) The customer's name is also verified from another electronic source.
In conclusion, non-documentary identity verification via the use of electronic sources is explicitly permitted for customer identification processes in New Zealand, as long as these processes are compliant with the AIVCOP and the Explanatory Note guidelines.
The 2022 Money Laundering (Prevention and Prohibition) Act ("AML Act"), together with regulations and guidance by the
Central Bank of Nigeria ("CBN"), lays out the legal provisions applicable to Nigerian AML-supervised entities, including those related to customer due diligence.
Art. 4(1) of the AML Act outlines the general principles of the identification and identity verification duty for financial institutions and DNFBPs. While the document-based approach is framed as the default standard, the AML Act refers
to secondary legislation for substantiation:24
"A financial institution and a designated non-financial business and profession shall -
(a) identify a customer, whether permanent or occasional, natural or legal person or any other form of legal arrangements, using identification documents as may be prescribed in any relevant regulation;
(b) verify the identity of that customer using reliable, independent source documents, data or information <...>".
In turn, Art. 6(a) of the Central Bank of Nigeria Customers Due Diligence Regulations 2023 (the "CDD Regulations") lists the
information to be collected in relation to individual customers, with Art. 7(2) elaborating on the possible means of its verification:
legal name and any other names used (such as maiden name);
permanent address (full physical address);
residential address (where the customer can be located);25
telephone number, e-mail address and social media handle;
date and place of birth;
Bank Verification Number (BVN);
Tax Identification Number (TIN);
nationality;
occupation, public position held and name of employer;
an official personal identification number or other unique identifier contained in an unexpired document issued by a government agency, that bears a name, photograph and signature of the customer such as a passport, national
identification card, residence permit, social security records or drivers' license;
type of account and nature of the banking relationship;
signature; and
politically exposed persons (PEPs) status.
"FIs shall verify the identity of individuals by confirming the -
(a) date of birth from a valid official document, such as birth certificate, passport, identity card and national or social security records;
(b) residential address through physical visitation and use of other sources, including utility bill, tax assessment, bank statement, or letter from a public authority;26
(c) contact details provided by the customer through positive feedback from phone call, email or physical letter to the residential address;
(d) validity of the official documentation provided through certification by an authorized person such as embassy official, notary public (in the case of foreign nationals); and
(e) phone numbers, particularly for wallet providers, through independent process, including validation against the NCC database or geo-mapping".
Therefore, the notion of official documentation that may be used for identity verification is quite broad, implying it is not necessarily required to collect a copy of any particular identity document. Furthermore, Arts. 14, 16 and 35 of the CDD Regulations as well as Art. 26 of the
2022 Central Bank of Nigeria (Anti-Money Laundering, Combatting the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions) Regulations
(the "AML Regulations") specify that both "physical" and "electronic" methods of customer onboarding may be adopted by financial institutions, so long as the "tiered" approach and other e-KYC standards endorsed by the CBN are complied
with. However, "additional measures or checks to supplement the documentary or electronic evidence [must be undertaken] to ensure that an applicant is who he/she claims to be", with at least one check "to guard against impersonation or
fraud".
The "tiered" approach, as established in the 2013 CBN Circular FPR/DIR/CIR/GEN/02/001 (Introduction of Three-Tiered Know Your Customer (KYC) Requirements), in turn prescribes different CDD standards
depending on the customer's risk profile and the value of their account:
until recently, only a set of identity attributes (such as passport photo, name, place and date of birth, address, etc.) was required for Tier 1 (lowest-value) accounts with no evidence required;
Tier 2 demands the Tier 1 information provided by the customer to be supported with evidence and checked against official databases (such as National Identity Management Commission (NIMC), Independent National Electoral Commission
(INEC) Voters Register, Federal Road Safety Commission, etc.), while "ID verification and monitoring" is also necessary;
Tier 3 further refers to the KYC standards established by the CBN AML/CFT Regulation, 2009 as amended (which would, at present, encompass both the AML Regulations and the CDD Regulations, in particular Arts. 6-7 of the latter as
referenced above).
Furthermore, the 2023 CBN Circular PSM/DIR/PUB/CIR/001/053 enhanced the aforementioned requirements, stating that: (i) it is now mandatory for all Tier 1 accounts for individuals to have BVN and/or NIN (National Identification Number); (ii) both BVN and NIN are obligatory for Tier 2 and Tier 3
accounts; and (iii) "the process for account opening shall commence by electronically retrieving BVN or NIN related information from the NIBSS' BVN or NIMC's NIN databases [together with the underlying identity data, such as name, DoB,
etc.] and for the same to become primary information for onboarding of new customers". In addition, the same Circular prescribed all the BVNs and NINs already attached to existing accounts to be revalidated by January 31, 2024.
BVN- and NIN-based verification is generally widespread in the country. A BVN is a unique ID number issued to every customer of a Nigerian bank upon
enrolment and linked to every account that the customer has in any other local banks, whereas a NIN is provided by the NIMC and used to link citizens' and legal residents' biometric data to the National Identity database, which may then
be relied on for physical or digital verification and authentication. Both identifiers can therefore be easily validated against governmental databases.
In conclusion, banks and other financial institutions are generally encouraged (and, in certain cases, obliged) to refer to external official databases while onboarding Nigerian citizens and residents. However, in some instances, such as
those involving non-nationals, these checks may have to be supplemented with supporting documentation obtained from the customer, depending on their account level (risk profile) and resident status.
24 — No similar reference is included for casinos; see Art. 5(1): "A casino shall - (a) verify the identity of any of its customers carrying out financial transactions by requiring its customer to present a valid original document bearing
his name and address".
25 — As per Art. 27(2) of the CDD Regulations, "where a foreign national has recently arrived in Nigeria, the residential address in the applicant's home country shall be notarized". For resident non-Nigerians, a valid residence permit is
obligatory.
26 — It appears that the word "including" here should not be understood as imposing a limitation, since "other sources" could in general be interpreted broadly so as to encompass, e.g., external databases. This is supported by Art. 26(1) of
the CDD Regulations, applicable to non-residents and stating that "FIs shall obtain and verify applicant's name, date of birth and permanent residential address (in host country) directly through a reputable Credit Institution or FI in
the applicant's country of residence or a correspondent bank, provided that particular care shall be taken when relying on identification evidence obtained from other countries".
In Norway, the primary legal statute governing the AML/CFT framework is the 2018 Act relating to Measures to Combat Money Laundering and Terrorist Financing ("AML Act"), with the 2018 Regulations relating to Measures to Combat Money Laundering and Terrorist Financing by the Ministry of Finance detailing its requirements ("AML Regulations"). Finanstilsynet (the Financial Supervisory Authority), which is a government agency responsible for regulating the financial sector, including AML/CFT compliance supervision, provides
guidelines regarding the interpretation and application of the relevant laws and regulations.
The standard approach to identity verification as enshrined in Section 12 of the AML Act implies personal presence of the customer; however, remote onboarding is also permissible, provided that additional safeguards are implemented:
"When the customer is a natural person, the following information shall be obtained concerning the customer:
a. name;
b. personal identity number, D-number or, if the customer does not have any such number, another unique identity code. For persons who do not have a Norwegian personal identity number or D-number, the date of birth, the place of birth,
the gender and the citizenship shall be obtained, including whether the person has multiple citizenships;
c. address39 [...]
Information on the customer's identity shall be verified by personal appearance with a valid proof of identity. If verification of the identity shall take place without personal appearance,
additional documentation shall be presented or additional measures shall be applied".
In turn, Section 4-3(4) of the AML Regulations states, without explicitly limiting alternative solutions, that eID mechanisms compliant with the eIDAS Regulation and relevant national legislation are suitable for non-face-to-face KYC:
"An electronic signature is valid proof of identity for natural persons when their identity shall not be verified upon personal appearance. The electronic signature shall comply with the
requirements for eID solutions laid down in Section 3 of Regulations of 21 November 2019 No. 1578 relating to Self-Declaration Arrangements for Electronic Identification
and be entered on a published list pursuant to Section 13, subsection 1, of the said Regulations". [Section 3 of the Regulations refers to schemes with a "high" level of assurance.]
The electronic identification schemes notified by Norway pursuant to Article 9(1) of the eIDAS Regulation include Buypass ID and BankID. This coincides with Finanstilsynet's 2019 Circular "Guide to the Anti-Money Laundering Act" ("Circular"), which provides the following:
"The reference to BankID as valid identification has been changed to apply to electronic identification in accordance with the Money Laundering Regulations section 4-3 fourth paragraph. This is to ensure that all electronic
identification that meets the requirements is covered" (page 6).
From Section 4.3.1.1 of the Circular it may also be inferred that no non-documentary KYC solutions are regarded as acceptable besides those falling under Section 4-3(4) of the AML Regulations, since the list is formulated
restrictively:
"Valid identification for natural persons is, according to the Norwegian Financial Supervisory Authority's opinion:
Norwegian and foreign passports (not emergency passports).
Norwegian driver's license.
Norwegian bank cards with picture.
National ID cards issued by an EEA country (an overview of these can be found in Appendix 4 of the Immigration Regulations).
Norwegian immigration passport (blue passport).
Norwegian travel document for refugees (green passport).
Electronic identification in accordance with the Money Laundering Regulations § 4-3 fourth paragraph".
Based on Section 4.3.1.3, supplementary non-face-to-face measures that could be additionally taken on a risk-based approach include:
obtaining the customer's tax return, pay slip, confirmation of payment of social security, benefits, student loans or other public benefits;
confirmation that the customer's first payment has been made from an account in the customer's name at a bank or credit institution established in the EEA area, or a jurisdiction with equivalent regulation and supervision;
conversation with the customer on a telephone registered to the customer;
video communication with the customer;
other reassuring electronic solutions [potentially including, e.g., references to external databases or geolocation detection];
communication with the customer via postal address or digital address registered to the customer (the communication should contain the customer's signature which can be checked against the copy of the identification document).
In conclusion, non-documentary methods for identity and address verification are permitted as long as they correspond to the approved methods for electronic identification under eIDAS and the Norwegian AML/CFT framework.40 Currently, such methods include BankID, Buypass ID, as well as other solutions that may provide electronic signatures compliant with the regulations referred to above.
39 — While address needs to be collected, no obligatory verification measures are prescribed under the AML Act, AML Regulations, or the Circular so long as the customer’s identity in general is confirmed via acceptable evidence.
40 — Notably, where the verification is carried out on documentary basis, the obliged entity must, as per Section 4.3.1.1 of the Circular, “check the security elements in the identification document, including that it is not falsified, facial and image similarity and assess the correctness of the document's specified personal data as well as checking these against external sources such as, for example the National Register”.
The Republic Act nº 9160 (the Anti-Money Laundering Act of 2001), as well as the 2018 Revised Implementing Rules and Regulations ("2018 RIRR") thereto, endorse documentary evidence as the recognized means for customer identity
verification:
"Sec. 9. [...] Covered institutions shall establish and record the true identity of its clients based on official documents" (Republic Act nº 9160)
"3.2. First Time Transactions
Customers who engage in a transaction with a covered person for the first time shall be required to present the original and submit a clear copy of, at least, one (1) ID as herein defined.5
3.4 Required Identification Data from Natural Persons
For customers who are natural persons, covered persons shall gather the following identification information and ID before or during account opening or onboarding:
(a) Identification Information:
Full name;
Date of birth;
Place of birth;
Sex;
Citizenship or nationality;
Address;
Contact number or information, if any;
Specimen signatures or biometric information;
(b) Identification Documents:
PhilID; or
Other identification document, as herein defined" (Rule 18, 2018 RIRR)
The above-specified provisions, however, may be overridden by Rule 18, Section 3.7 of the 2018 RIRR, stating that "covered persons shall deem the provision and submission of the PSN6 or PhilID7 as official and sufficient proof of
identity, subject to the authentication requirements under the PhilSys Act [Republic Act No. 11055, or the Philippines Identification System Act] and its IRR [Implementing Rules and Regulations of Republic Act No. 11055]". This is further detailed in
Circular No. 1170 issued by the Bangko Sentral ng Pilipinas ("BSP") on 30 March 2023, providing additional guidelines on customer due diligence
for banks and non-bank financial institutions, including e-KYC via digital identity systems. Specifically, the Circular states that, "where the PCN [PhilSys Card Number] or PSN [PhilSys Number] derivative, or the Philippines
Identification (PhilID) card, in physical or digital form, is presented by the customer, it shall be accepted as official and sufficient proof of identity, subject to proper authentication, and the covered person shall no longer require
additional document to verify the customer's identity". Therefore, accessing an individual's record in the Philippine Identification System ("PhilSys") is considered a reliable way to verify their identity. Other digital ID systems are,
in principle, also allowed to be used so long as they are "supported by robust technology, adequate governance, processes and procedures that provide appropriate level of confidence that the system produces accurate results"; however,
there is no indication that the RIRR requirement to present an actual identity document is waived for foreigners not registered in PhilSys.
From the above it may be inferred that, so long as a customer's identity is verified via PhilSys (and all the required identity attributes as listed above are extracted in this manner), no additional procedures - such as further
identity or address confirmation - are needed.
Conversely, where the obliged entity does not rely on PhilSys, it may be expected that address, like other identity data, will be verified based on documentary evidence. See, e.g., the BSP Manual of Regulations for Banks (MORB) / Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) on Customer Due Diligence, Section 921/921Q:
"the covered person obtain from individual customers, at the time of account opening/ establishing the relationship, the following minimum information [including address] and confirming this information with the official or valid
identification documents";
as one of possible additional safeguards for enhanced due diligence, it is suggested to verify the address "through evaluation of utility bills, bank or credit card statement, sending thank you letters, or other documents showing
address or through on-site visitation".
Accordingly, Non-Doc KYC as the primary verification method for identity information, including address, is possible via solutions accessing PhilSys; in other cases, the document-based approach remains prevalent. However, as the
scope of potentially acceptable documents is defined broadly for low-risk customers, it may arguably be allowed to obtain reports or other excerpts from trustworthy external data sources instead of "conventional" IDs.
5 — As per Rule 2, Section 1(qq) of the 2018 RIRR, "identification document" means: "(1) For Filipino citizens: Those issued by any of the following official authorities: (a) PhilID; (b) Other identification documents issued by the
Government of the Republic of the Philippines, including its political subdivisions, agencies, and instrumentalities; and (c) Other identification documents that can be verified using reliable, independent source documents, data or
information. (2) For foreign nationals: (a) PhilID, for resident aliens; (b) Passport; (c) Alien Certificate of Registration; and (d) Other identification documents issued by the Government of the Republic of the Philippines, including
its political subdivisions, agencies, and instrumentalities. (3) For Filipino students: (a) PhilID; (b) School ID signed by the school principal or head of the educational institution; and (c) Birth Certificate issued by the Philippine
Statistics Authority; and (4) For low risk customers: Any document or information reduced in writing which the covered person deems sufficient to establish the client's identity".
6 — As per 2018 RIRR, Rule 2, Section 1(www), "PhilSys Number" (PSN) refers to the randomly generated, unique and permanent identification number assigned to every citizen or resident alien, upon birth or registration, by the Philippine
Statistics Authority (PSA).
7 — As per 2018 RIRR, Rule 2, Section 1(uuu), "Philippine Identification Card" (PhilID) refers to the non-transferrable identification card issued by the Philippine Statistics Authority (PSA) to all citizens and resident aliens registered
under the Philippine Identification System. It shall serve as the official government-issued identification document of cardholders in dealing with all government agencies, local government units, government and controlled corporations,
government financial institutions, and all private sector entities.
The primary AML/CFT legislation of Saudi Arabia - namely, the Anti-Money Laundering Law (along with the Implementing Regulations thereto) and the Law on Combating the Financing of Terrorism (along with the Implementing Regulations thereto) - does not lay emphasis on the
acceptable methods of identity verification, while stipulating that certain data must always be collected from individual customers and validated via "reliable and independent sources, documents, data or information":
"the financial institution or designated non-financial business and profession shall obtain and verify the full legal name, residential or the national address, date and place of birth, and nationality"64 (Implementing Regulations to the
AML Law, section 7/2(a); Implementing Regulations to the CFT Law, section 17(3)(a)).
The matter is regulated more precisely in relation to the respective industries by the Saudi Central Bank (SAMA), the Capital Market Authority (CMA), and other bodies such as the Ministry of Commerce and Investment (MOCI), which all
demonstrate a divergence of approaches to non-documentary KYC:
(i) CMA:
As per the CMA AML/CFT Rules (addressed to the securities and investment sector):
individual customers' identities must be verified "using the original documents" (copies are only acceptable in case of reliance on a third party) as follows:
Saudi nationals:
the client's National Identification Card or family record;
the client's residential address & place of work and work address;
individual expatriates:
a residence permit (Iqamah) or a five-year special residence permit or a passport, and a National Identification for Gulf Cooperation Council (GCC) nationals or a diplomatic identification card for diplomats;
the client's residential address & place of work and work address (Article 8(2), 8(4));
furthermore, based on Articles 7(4) and 8(5), face-to-face identity verification is mandatory except when there is reliance on a third party;
in turn, Articles 14(1) and 14(3) specify that a third party eligible for reliance must "either be a commercial bank or financial institution that engages in securities activities" and may only be engaged "to perform the CDD if the
client is located in a country other than Saudi Arabia".
(ii) MOCI:
The Manual on AML-CFT (addressed to certain Designated Non-Financial Businesses and Professions (DNFBPs), specifically dealers in precious metals and precious stones, real estate agents, and chartered accountants), while not explicitly requiring face-to-face KYC, replicates the CMA AML/CFT Rules provision on the necessary documentary evidence to be collected from individual customers:
"Establishing the identity of the client and continuously verifying the identity of all dealers against valid officially certified original documents proving their identity as follows:
Saudi nationals:
National identification card or family record.
Address of the person, place of residence and place of work.
Individual expatriates:
Residence permit (Iqamah) or a five-year special residence permit or a passport or National identification for GCC nationals or a diplomatic identification card for diplomats.
Address of the person, place of residence and place of work" (Section 3(1)).
(iii) SAMA:
Pursuant to Section 3.3 of the 2019 Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Guide ("AML Guide"), addressed to SAMA-regulated financial institutions, "information and documents issued by government bodies are considered to be from reliable and independent sources". Sections 3.9-3.10 further imply the
possibility of non-documentary identity verification, so long as it is conducted via "reliable and independent electronic services", such as the National Information Center:
"3.9 The customer is not required to come to the financial institution when updating and reviewing their information for identity verification as long as electronic authentication services approved by the National Information Center are used. However, the financial institution shall determine the need for further documentation or the customer's presence based on the level of risk posed by the customer.
3.10 When using reliable and independent electronic services to verify a customer's identity, the financial institution shall determine if more documentation is required based on the level of risk posed by the customer. In addition, it must implement the necessary preventive measures to mitigate business relationship risks and set the necessary procedures and measures to verify and review the customer information obtained, including the information provided by the customer, using reliable and independent electronic services".
It follows that non-documentary identity verification is permissible for SAMA-regulated financial institutions to the extent it is carried out via "reliable and independent" government-maintained electronic sources, the only example
explicitly named in the AML Guide being the National Information Center.
64 — More information may be required under industry-specific regulations. E.g., source of income is necessary as per Article 3.3 of the 2019 Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Guide; the 2022 Rules for Bank Accounts require collecting the ID number and expiry date and the employer name (if any); etc.
While the Monetary Authority of Singapore maintains separate Notices and Guidelines addressing each type of AML-regulated business (e.g., banks, merchant banks, finance companies, specified payment services, digital payment token
services), they are substantially similar in relation to customer due diligence procedures. In particular, photographic evidence is universally recognized as necessary for verifying a natural person's identity and, likewise, documentary
evidence would also be generally required and prioritized over electronic sources (which, nevertheless, are encouraged as additional safeguards4) for verification of the customer's address. See, for example:
"Where the person whose identity is to be verified is a natural person, the finance company should ask for some form of identification that contains a photograph of that person" (Guidelines to MAS Notice 824 - Finance Companies, para. 23);
"When relying on documents, a bank should be aware that the best documents to use to verify the identity of the customer are those most difficult to obtain illicitly or to counterfeit. These may include government-issued identity
cards or passports, reports from independent company registries, published or audited annual reports and other reliable sources of information.
Where the customer is a natural person, a bank should obtain identification documents that contain a clear photograph of that customer.
In verifying the identity of a customer, a bank may obtain the following documents:
(a) Natural Persons ―
(i) name, unique identification number, date of birth and nationality based on a valid passport or a national identity card that bears a photograph of the customer;
(ii) residential address based on national identity card, recent utility or telephone bill, bank statement or correspondence from a government agency" (Guidelines to MAS Notice 626 - Banks, paras. 6-3-1, 6-6-1, 6-6-2);
"When relying on documents, a payment service provider should be aware that the best documents to use to verify the identity of the customer are those most difficult to obtain illicitly, counterfeit or falsify digitally. These may
include government-issued identity cards or passports, reports from independent company registries, published or audited annual reports and other reliable sources of information.
Where the customer is a natural person, a payment service provider should obtain identification documents that contain a clear photograph of that customer.
In verifying the identity of a customer, a payment service provider may obtain the following documents:
a) Natural Persons -
(i) name, unique identification number, date of birth and nationality based on a valid passport or a national identity card that bears a photograph of the customer;
(ii) residential address based on national identity card, recent utility or phone bill, bank statement or correspondence from a government agency" (Guidelines to MAS Notice PSN02 - Digital Payment Token Services, paras. 6-3-1, 6-6-1, 6-6-2).
An exception to this general rule is MyInfo, a government service that enables citizens and residents to manage the use of their personal data for simpler online transactions.
MAS Circular No. AMLD 01/2018 on "Use of MyInfo and CDD Measures for Non-Face-To-Face Business Relations", para. 3, describes MyInfo as a "reliable and independent source for the purposes of verifying the customer's name, unique identification number, date of birth,
nationality and residential address", as well as other personal attributes. It is simultaneously confirmed that, "where MyInfo is used, MAS will not require FIs to obtain additional identification documents [such as NRIC or passport] to
verify a customer's identity, and will also not expect FIs to separately obtain a photograph of the customer". At the same time, MAS Circular No. AMLD 01/2022 on "Non-Face-To-Face Customer Due Diligence Measures", setting out industry good practices observed by the regulator, states that most supervised entities use solutions including "elements of biometrics technology, such as facial recognition" to further mitigate the risks of
impersonation in the context of remote identification (para. 9).
Consequently, the only electronic source that could serve as a standalone method of verifying a customer's identification data is MyInfo. Otherwise, in cases where MyInfo is not engaged, an individual customer is required to
present a photo-bearing ID (such as a passport or national identity card) and, where necessary, an additional document for address confirmation. Arguably and in exceptional cases, alternative photographic evidence could be accepted
(e.g., a report provided by a reliable government data source and containing the customer's facial image and other necessary information based on an official ID), but only subject to a proper risk assessment by the regulated entity.
Non-documentary checks (in relation to either general identity verification or address verification) would only be an additional tool complementing the documentary evidence.
4 — For example, the Guidelines for Digital Payment Token Services name “collection of customer device identifiers, IP addresses with associated time stamps, geo-location data” as one of the possible risk mitigation measures in the remote onboarding context (para. 6-12-3).
The 2017 Guidance Note 7 on the Implementation of Various Aspects of the Financial Intelligence Centre Act, 2001, issued by the Financial Intelligence Centre of South Africa, emphasizes that regulated institutions "have the flexibility to choose the type of information by means of which they will establish clients' identities and also the means of
verification of clients' identities" (para. 74). More specifically, both "documents" and "electronic data issued or created by reliable and independent third-party sources" are permitted for confirming a customer's
identity (para. 83) and, consequently, isolated identity attributes such as address. The Guidance Note subsequently reiterates this approach, while stating that full name, date of birth and unique identifying number issued by a
government source are "basic attributes"8 that should be collected from an individual in any event (para. 85) and outlining the following principles of e-verification:
the regulated entity should conduct a risk assessment of the data sources to be engaged (paras. 87, 90-91);
only reliable and independent (e.g., not created or generated by the customer themselves) third-party sources may be used (paras. 87-88);
where possible, the regulated entity should use the original sources of the information in question (i.e., government-issued or -controlled sources); using multiple data sources, including across time, is also encouraged (paras.
88-89, 92);
the use of electronic data sources does not, in itself, protect the obliged entity from regulatory action relating to its AML compliance duties (para. 90);
data sources that can be manipulated and tampered with are not considered reliable (para. 91);
the Department of Home Affairs, records of the Companies and Intellectual Property Commission, records of the South African Revenue Service, eNaTIS records and records of the Master of the High Court are named as examples of
acceptable data sources (para. 94).
Thus, electronic sources may be relied on for KYC measures for both identity and address verification so long as they are sufficiently robust and meet the aforementioned criteria and the information contained therein can be securely
linked to the customer's real identity.
8 — In turn, identity attributes such as “physical appearance or other biometric information, place of birth, family circumstances, place of employment or business, residential address, contact particulars (e.g. telephone numbers, e-mail addresses, social media), contacts with the authorities (e.g. tax numbers) or with other accountable institutions” (para. 86) are considered as supplementary and therefore, presumably, not mandatory to establish as part of the KYC procedure.
South Korean AML regulations require financial institutions and other obliged entities to implement robust Customer Due Diligence (CDD) and customer verification procedures, similar to EEA countries and other jurisdictions with a
well-established AML regulatory framework; however, they seem to be less specific and not as broad as a typical EU AML framework. The specific CDD requirements are typically detailed in implementing regulations issued by the Financial
Intelligence Unit (FIU) and other supervisory bodies such as the Financial Supervisory Service (FSS) and the South Korean Ministry of Justice.
The South Korean Enforcement Decree on the Act on Prohibition against the Financing of Terrorism focuses heavily on the
process for designating and managing individuals/natural persons subject to restricted financial transactions. While it mentions the need for information relating to identification (like resident registration number, passport number, or
alien registration number), it does not contain detailed provisions on broader Customer Due Diligence (CDD) procedures as they would apply to financial institutions under a general AML framework.
It focuses narrowly on the actions related to the designation of individuals subject to restrictions on financial activities. The reference to "details of the transaction or act triggering the relevant financial transaction" in Article
2 (2) 3 hints at a need for information gathering but doesn't prescribe a full CDD process.
Furthermore, the Act on Real Name Financial Transactions and Guarantee of Secrecy and the Financial Transaction Reports Act (FTRA) mandate
CDD for financial institutions, including the prohibition of anonymous or fictitious accounts and the requirement to verify the real name of customers. CDD is required when:
Opening new accounts: The FTRA requires customer identification when opening new accounts, broadly defined as initiating any financial transaction with a financial institution.
Occasional transactions above KRW 20 million: Customer identification and verification are required for occasional domestic currency transactions exceeding this threshold. "Occasional transactions" are those done without an opened
financial institution account.
The FTRA specifies the types of customer identification information that must be verified (Section 3 Table of the FTRA). For individuals/natural persons, this includes:
Real full name.
Resident registration number.
Address.
Contact information.
While the FTRA states that this information must be "checked and verified," it does not explicitly state that copies of documents must be submitted. The method of verification (e.g., checking against government databases) is neither
explicitly permitted nor prohibited or restricted. The FTRA does not explicitly mention electronic verification / non-documentary verification methods as permitted alternatives to submitting physical documents. The FTRA focuses on the
information required for verification and not the specific methods for obtaining it.
The 2010 KoFIU notice on AML/CFT (KoFIU Notice) in South Korea details internal control requirements for financial institutions and does not directly address CDD in the same
way as a broader AML law would. It focuses heavily on internal processes, reporting structures, and employee training. However, some sections are relevant to customer verification:
Article 20 (Definition of CDD): Defines CDD as a process requiring due attention to customer identification and verification, purpose of business relationships, and beneficial ownership to prevent money laundering and terrorist
financing. It also defines simplified and enhanced CDD, but does not specify which situations necessitate each type.
Articles 37-40: Outline the principle of customer identification and verification (using reliable documents and sources, data, or information) and the specific information required for both natural and legal persons. However, the
aforementioned Articles do not directly address the method of obtaining that information (e.g., submitting copies of documents or using electronic (non-document) methods).
The KoFIU Notice does not explicitly require submitting copies of identification documents or proof of address. Articles 38 and 39 list the required information for
identification of natural persons, including name, date of birth, identification number, address, and contact information. The method of obtaining and verifying this information is not specified, thus non-document verification is
neither excluded nor explicitly mentioned as a permitted method of customer verification.
For instance, Article 6(3) of the KoFIU Notice mentions measures to deal with new money laundering techniques in response to electronic banking; this is in relation to
internal procedures for reporting officers, not explicit permission for non-documentary verification of customers.
With regard to a digital ID system, it is worth mentioning that according to several published articles, in South Korea the government is "working to collaborate with major banks and related agencies to allow mobile residence cards to
be used for identity verification purposes in digital financial services."67 This indicates that the digital residence card is intended to serve as a verifiable form of identification for KYC purposes within the digital financial sector
in South Korea. The digital residence card is available to foreign nationals aged 14 and above residing in South Korea.
It is also reported that individuals with physical cards issued before 2025 need to visit an immigration office to scan a QR code to obtain the digital version, while those with cards issued after January 1, 2025,
can obtain the digital version by tapping their IC chip-embedded card on their smartphone. This implies that the existing information on the physical residence card will be used for the digital version. The key information would likely
include the same information found on the physical residence card:
Name.
Nationality.
Resident registration number (or other equivalent identification number).
Photo (likely linked digitally).
Nevertheless, there is no reliable information that the digital ID solution will necessarily be used as a stand-alone CDD/KYC tool. The successful implementation of the South Korean digital ID for KYC will depend on several factors such
as the security and privacy of the system and collaboration with financial institutions. There also seem to be further regulatory steps required to fully integrate the aforementioned digital ID into the formal KYC requirements for
financial institutions in South Korea.
While South Korea does not have a fully mature nationwide digital ID system in the same way some other countries do (e.g., a single, government-issued digital identity wallet accessible across all services), electronic/non-documentary
customer verification (electronic/digital KYC) is, judging by industry practice, increasingly being implemented and accepted, particularly within the financial sector. It is not a blanket "yes" or "no" but rather a nuanced
situation.
The use of electronic KYC methods is not prohibited; such methods are widely used and, on an overall assessment, appear to be actively developed in South Korea, particularly in the financial services industry. Nevertheless,
South Korea does not have a single, universal digital ID system for all citizens that encompasses every aspect of their identity and is readily used across all government and private sectors, as some other countries do.
However, the specific methods and the extent to which they are used will depend on several factors such as the model and complexity of specific financial institutions and how technologically advanced they are.
The conclusion from analysing South Korea's AML framework, including the Act on Reporting and Use of Certain Financial Transactions Information, is that each institution
should conduct its own risk assessment: the risk level associated with a customer should be assessed, as higher-risk customers may still require more traditional documentary verification.
In conclusion, non-documentary identity verification is permitted and growing in South Korea, primarily driven by the financial sector's need for efficient and secure identity verification. While a fully comprehensive, universally
accepted digital ID system for all citizens does not yet exist, the country is actively developing various digital identity initiatives, such as the Mobile Driver's License, that will likely lead to broader adoption and integration of
electronic CDD methods in the future.
67 — The Korea Herald, digital newspaper.
In Sweden, the two main legal acts regulating anti-money laundering and counter-terrorist financing measures are the Money Laundering and Terrorist Financing (Prevention) Act ("AML Act") and the
Act on Penalties for Money Laundering Offences. The Finansinspektionen (also the Financial
Supervisory Authority), which is a government agency responsible for regulating the financial sector, including AML/CFT compliance supervision, provides guidelines regarding the interpretation and application of the relevant laws and
regulations.
Chapter 3 Section 2 of Finansinspektionen's regulations regarding measures against money laundering and terrorist financing FFFS 2017:11 ("FI Regulations") issued on 26 June 2017 is mainly focused on the document-based approach to identity verification:
"An undertaking shall verify the identity of a natural person by means of a Swedish driver's licence, Swedish passport or identity card issued by a Swedish authority, or a Swedish certified identity card.
The undertaking shall verify the identity of natural persons who do not have a Swedish identity document against a passport or other identity document. The passport or identity document must contain a photograph of the person and
information on citizenship, and must be issued by an authority or other authorised issuer. A copy of a foreign passport or other foreign identity document shall be retained in accordance with the requirements set out in Chapter 5,
section 3 of the Act on Measures against Money Laundering and Terrorist Financing (2017:630)".
At the same time, Section 5 sets out specific requirements applicable directly to non-face-to-face customer relationships:
"An undertaking shall verify the identity in a non-face-to-face situation by:
Using electronic identification to produce an advanced electronic signature as set forth in the Act (2016:561) [eIDAS regulation] laying down additional requirements to the EU Regulation on electronic identification or by using
any other technology for electronic identification which provides equivalent certainty, or
Verifying the natural person's identity in an appropriate manner by:
a) obtaining information regarding the person's name, address,38 personal identity number or equivalent,
b) verifying the information against external registers, certificates, or other equivalent documentation, and
c) contacting the natural person by sending a confirmation to the person's address in the population register or other reliable address,
or ensuring that the person sends a certified copy of an identity document, or other equivalent measure".
Since, in the context of remote CDD, obtaining a copy of the customer's ID is only one of the possible methods for identity verification, it could be concluded that Section 5 should be interpreted as substituting, not complementing, Chapter 3 Section 2.
It follows that Non-Doc KYC solutions can be relied on so long as they meet the requirements of the eIDAS Regulation or constitute a similarly robust and secure procedure. In particular, electronic identification schemes
notified by Sweden pursuant to Article 9(1) of the eIDAS Regulation include BankID, Freja eID, and EFOS. Of these three, BankID is arguably the most feasible and most commonly used option, although it is only available to individuals with a Swedish personal identity number.
Notably, eIDAS-based solutions also appear to rule out the necessity to collect and verify additional identity attributes, such as the customer's address.
38 — No particular means of verifying address are prescribed besides contacting the customer at their place of residence; however, this would only be obligatory where the obliged entity relies on Section 5(2) of the FI Regulations, not Section 5(1).
Article 4 of the 2019 Prime Minister Office Notification on Customer Identification Methodology for Financial Institutions and Businesses and Professions
("Customer Identification Methodology"), enacted on the basis of the Anti-Money Laundering Act B.E.2542 (1999), provides the minimum identification information to be obtained in respect of an individual customer for CDD purposes:
"(1) Full name;
(2) Date of birth;
(3) Personal identification number or, in case of a foreigner, passport number or other identification number issued by government or government agency of citizenship or identification number as appears in other identification
document issued by the government of Thailand [and evidence thereof as per Article 5(1)];
(4) Address as appears in personal identification card or in the house registration and current address. In case of a foreigner, the country of citizenship and current address57 in Thailand shall be provided, except for the case of a
foreigner with no address in Thailand, whose current address shall be used instead;
(5) Other contact information such as phone number or email address".58
In turn, the measures regulated entities may take to verify this data (either face-to-face or remotely) are generally detailed in the 2021 Anti-Money Laundering Office Notification Concerning Guideline for Identification and Verification of Customers and Ultimate Beneficial Owners ("AMLO Notification"):
- where the customer uses a low-risk product or service:
"(A) Where a national identity card is used as identification evidence, one of the following procedures or any other equally reliable procedures shall be conducted as appropriate:
Verifying such information using a smart ID card reader which is connected to the electronic verification system of a government agency.
Verifying such information using a smart ID card reader and comparing it against the information that appears on the ID card.
Verifying such information against another government agency's database.
Examining and verifying the correctness of such information to confirm that such customer is the owner of such information.
(B) Where a passport is used as identification evidence, one of the following procedures or any other equally reliable procedures shall be conducted as appropriate:
Using electronic data retrieved from the passport such as data from near field communication technology to compare against information that appears on the passport.
Examining and verifying the correctness of such information to confirm that such customer is the owner of such information";
- where the customer uses a high-risk product or service:
"(B) In verification of a non-face-to-face customer [...]
Where a smart ID card is used as identification evidence, information shall be examined by using smart ID card reader through the electronic examination system of a government agency or any other procedures having equivalent reliability.
Where a passport is used as identification evidence, data from the passport such as data retrieved from near field communication technology shall be compared with the information on the passport or other documents issued by
government of the Kingdom of Thailand or government agency of citizenship or any other procedures having equivalent reliability.
In implementation under 1) and 2), a photograph of customer shall be taken and recorded and advanced technology under international standard or acceptable standard shall be used for comparing photograph of customer with biometric data
retrieved from the smart ID card or electronic data retrieved from the passport to ensure that such person is genuinely the customer in place of their physical presence or any other method having equivalent reliability";
- in other cases:
"(B) In verification of a non-face-to-face customer [...].
For using smart identity card as identification information, one of the following procedures may be conducted:
Verifying such information using a smart ID card reader and comparing it against the information that appears on the ID card of such a customer.
Verifying the information that appears on the ID card and the ID card status through the electronic examination system of a government agency.
Where a passport is used as identification evidence, data from the passport such as data retrieved from near field communication technology shall be compared with information on the passport. In a case where information could not be
retrieved from near field communication reading, comparison may be made against other documents issued by the government of the Kingdom of Thailand or government agency of citizenship.
For implementation under 1) and 2), a photograph of customer shall be taken and recorded and advanced technology under international standard or acceptable standard shall be used for comparing the photograph of the customer with the
biometric data retrieved from the smart ID card or electronic data retrieved from the passport to ensure that such person is genuinely the customer in place of their physical presence or any other method having equivalent reliability".
The Bank of Thailand ("BOT") Notification No. SorNorChor. 1/2563 Re: Regulations on Know Your Customer (KYC) for e-Money Service Activation ("BOT Regulations") largely
stipulates the same non-face-to-face KYC methods (see, e.g., Clause 4.2 (2.2)). It is also reiterated that a reference to a "digital ID platform" may serve "as a replacement of customer verification or to be used for supporting the
customer verification" (Clause 4.2.4).59 However, Clause 4.5 of the BOT Regulations further states that, where alternative verification means not otherwise explicitly mentioned by the regulator are used, they need to be pre-approved by
the BOT.
"Financial institutions can verify the accuracy, reality and up-to-date nature of identification data and documents, as well as verify that it truly is this customer or a person with final authorization from a juristic person (if any)
through the digital verification and identification system such as National Digital ID Platform (NDID Platform) to substitute or support the documentary verification approach".
From the above, it is clear that non-documentary identity verification is permissible to substitute or support the documentary verification approach in the non-face-to-face scenario, as long as the method in use is accepted under the
BOT Regulations. Currently, such method includes the NDID Platform. At the same time, alternative verification means that are not explicitly mentioned by the regulator should be pre-approved on a case-by-case basis.
57 — This would imply that, where the customer's address is verified via electronic sources, the obliged entity would have to confirm that the same address is indeed featured in the customer's personal identification card or house
registration. At the same time, no specific procedures are prescribed for validating a residential address that is different from the one indicated in the personal identification card or house registration. Additional documentation such
as utility bills may normally only be required as a possible EDD measure, as per Art. 5 of the AMLO Notification.
58 — In the case of standard CDD, the list would also include "information on occupation including name and address of work place" as per Article 5(2) of the Customer Identification Methodology. The same set of data is typically required
under industry-specific AMLO Guidelines (see, e.g., page 9 of the
AMLO Guideline on Customer Due Diligence For Banks ).
59 — A similar approach is adopted in Clause 5.3.2 (2) of the
Notification of the Bank of Thailand No. FPG. 19/2562 Re: Regulations on Know Your Customer (KYC) for deposit-account opening at financial institutions
, explicitly providing the possibility of digital identification and verification systems usage:
"Financial institutions can verify the accuracy, reality and up-to-date nature of identification data and documents, as well as verify that it truly is this customer or a person with final authorization from a juristic person (if any)
through the digital verification and identification system such as National Digital ID Platform (NDID Platform) to substitute or support the documentary verification approach".
The core legal sources of AML-related obligations in the UK, the Proceeds of Crime Act 2002 and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLR"), do not specify the exact KYC
procedures that may or should be implemented by regulated entities, granting them a broad margin of discretion. The MLR mostly set out the general criteria that identity verification processes must conform to; for example, paras. 18-19
of Art. 27 provide the following guidance:
"(18) For the purposes of this regulation -
(a) <...> "verify" means verify on the basis of documents or information in either case obtained from a reliable source which is independent of the person whose identity is being verified;
(b) documents issued or made available by an official body are to be regarded as being independent of a person even if they are provided or made available to the relevant person by or on behalf of that person.
(19) For the purposes of this regulation, information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where-
(a) it is obtained by means of an electronic identification process <...>; and
(b) that process is secure from fraud and misuse and capable of providing assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary
for effectively managing and mitigating any risks of money laundering and terrorist financing".
The Financial Conduct Authority also refers to electronic verification in its Rulebook (FCG 3.2.4), reiterating that "an electronic identification
process may be regarded as a reliable source for the purposes of CDD verification where that process is independent of the person whose identity is being verified, secure from fraud and misuse and capable of providing an appropriate
level of assurance that the person claiming a particular identity is in fact that person with that identity".
Furthermore, the Guidance by the Joint Money Laundering Steering Group (JMLSG), Part I ("Guidance"), which is widely regarded as establishing the industry
standards for compliance with AML/CFT requirements, confirms that non-documentary checks (in particular, those involving external databases) are permissible as the primary KYC measure, provided that at least the following identifying
data is collected in respect of individual customers:
full name;
residential address;
date of birth (para. 5.3.71).
When opting for electronic verification, however, obliged entities are instructed to:
choose multiple data sources (or one single source where it "has been issued by a government authority and contains cryptographic security features") or to "incorporate qualitative checks that assess the strength of the information
supplied" (para. 5.3.50);
"demonstrate that they have both verified that the customer exists, and satisfied themselves that the individual seeking the business relationship is, in fact, that customer" (paras. 5.3.44, 5.3.79). To fulfill this requirement, the
Guidance recommends various methods, such as the use of biometric information or private codes that "incontrovertibly link the potential customer <...> to the electronic/digital identity information" (para. 5.3.44);
"if suspicions are raised in relation to the integrity of any electronic information obtained, [...] take whatever practical and proportionate steps are available to establish whether these suspicions are substantiated, and if so,
whether the relevant source should be used" (para. 5.3.45);
when choosing the data providers, assess whether they are sufficiently robust, reliable, and accurate (e.g., if they are accredited for KYC purposes through a governmental or industry process; use both positive and negative
information sources; maintain appropriate data retention procedures; etc.) (paras. 5.3.52-5.3.53).
In relation to proof of address specifically, para. 5.3.29 of the Guidance emphasizes that "knowledge of an individual's residential address is central to being reasonably satisfied that the customer is who they say they are". However,
no particular method of verifying address is explicitly promoted. Furthermore, para. 5.3.112 states that address does not even necessarily have to be verified in all cases (e.g., it may be omitted when the customer lacks a permanent
place of residence); this is a matter within obliged entities' discretion. At the same time, as per para. 5.3.80, address - like any other identity attribute - may be confirmed via electronic checks. This may include, e.g., external
databases maintained by private or government entities and, arguably, geolocation data (where the identity in general is verified via more robust sources and/or the customer's risk profile is low).
It follows that, under the UK AML regulations, non-documentary identity and address verification solutions may be relied upon as long as (i) the solution is able to link the user to their claimed identity, which has been confirmed to exist by
an independent external data source, and (ii) additional security measures that allow the user to be linked to the claimed identity are involved.
The Bank Secrecy Act (BSA), imposing AML obligations on financial institutions and other reporting entities, only broadly outlines the customer due diligence obligation. For instance, 31 CFR 1020.220 (section on "Customer Identification Program: minimum requirements") lists the data to be collected in respect
of every individual client but not the specific means of its verification. At the same time, para. 1020.220(a)(2) states that both documentary and non-documentary verification methods (as well as their combinations) are acceptable so
long as the chosen procedures "enable the [obliged entity] to form a reasonable belief that it knows the true identity of each customer". Several examples of non-documentary KYC processes are also given for reference, such as
"contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement".
In particular (but without limitation), based on para. 1020.220(a)(2)(ii)(B), non-documentary procedures may be used, subject to the financial institution implementing additional safeguards to mitigate the ensuing risks, where:
an individual is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard;
the institution is not familiar with the documents presented;
the account is opened without obtaining documents;
the customer opens the account without appearing in person at the institution; and
where the institution is otherwise presented with circumstances that increase the risk that the institution will be unable to verify the true identity of a customer through documents.
This approach is further confirmed in various explanatory or interpretative materials by the Financial Crimes Enforcement Network (FinCEN), e.g., Guidance FIN-2018-G001 of April 3, 2018:
"A financial institution's CIP must contain procedures for verifying customer identification, including describing when the institution will use documentary, non-documentary, or a combination of both methods for identity verification";
"Non-documentary methods of verification may include contacting a beneficial owner; independently verifying the beneficial owner's identity through the comparison of information provided by the legal entity customer (or
the beneficial owner, as appropriate) with information obtained from other sources; checking references with other financial institutions; and obtaining a financial statement";
"<...> covered financial institutions may verify the identity of a beneficial owner who does not appear in person, through a photocopy or other reproduction of a valid identity document, or
by non-documentary means <...>".
No specific procedures are prescribed for address verification; since information sources that could potentially be used for non-documentary checks are not restricted, both external databases and geolocation data (as well as other
sources) could be suitable for this purpose. Notably, FinCEN has repeatedly encouraged IP address detection as an additional security measure to be
incorporated into the KYC process.
Accordingly, the US AML regulations allow, in principle, non-documentary KYC methods within the risk-based approach. However, the obliged entity must be assured it knows the true identity of its customer, for which purpose additional
KYC mechanisms aimed at connecting the user and the identity in question must be implemented.
3 —
Name;
Date of birth, for an individual;
Address, which shall be:
(i) For an individual, a residential or business street address;
(ii) For an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another
contact individual [...]; and
Identification number, which shall be:
(i) For a U.S. person, a taxpayer identification number; or
(ii) For a non-U.S. person, one or more of the following: A taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other
government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.
The 2017 Resolution of Board of Central Bank of the Republic of Uzbekistan (as amended) (the "CBU Resolution") outlines a comprehensive approach to customer identity
verification, emphasizing both document-based and electronic methods:
"Identification of an individual client by a commercial bank is carried out on the basis of an identity document (passport or ID card or a document replacing them) or biometric data. In
this case, a commercial bank, when identifying an individual client:
on the basis of an identity document (passport or ID card or a document replacing them) - must familiarize itself with the original of such document;
on the basis of biometric data - must verify such data via the information system of the Ministry of Internal Affairs of the Republic of Uzbekistan" (clause 26).
Regarding the scope of data by which an individual customer must be identified, clause 25 of the CBU Resolution refers to Appendix 1 thereto, which, in turn, contains the following list:
Surname, first name and patronymic
Date and place of birth
Citizenship
Place of permanent and (or) temporary residence
Details of the passport or ID card or the document replacing them: series and number of the document, date of issue of the document, name of the authority that issued the document
Personal identification number
Home telephone number (if available).
In parallel, the 2021 Central Bank Decision "About the Approval of the Regulation on the Procedure for Digital Identification of Customers" authorizes (i) digital identification with human
interaction and (ii) digital authentication without human interaction via information systems for banks, microfinance organizations, pawn shops and payment organizations in relation to citizens of Uzbekistan, foreign citizens and
stateless persons residing permanently or temporarily in Uzbekistan:
(i) the procedure for digital identification is as follows (section 6):
"the obliged entity receives from the customer photos of the parts of their identity document (biometric passport or ID card or driver's license of a new model) containing the relevant information;
the obliged entity receives the customer's photo and (or) video;65
the information obtained, including the photo and (or) video of the customer, is compared with that stored in the "Electronic Government" system ("central database");
the obliged entity verifies the customer's mobile phone number (e.g., by sending an SMS message);
the obliged entity checks whether the customer's risk profile is high (which would make them ineligible for the procedure);
the obliged entity establishes an online video conference with the customer and checks that the submitted documents belong to them."
(ii) the procedure for digital authentication is as follows (section 7):
"the obliged entity receives from the customer the series and number of their identity document (biometric passport or ID card or driver's license of a new model), or personal identification number and date of birth, or all of these
data, together with a photo or video of the customer taken in real time;
the obliged entity sends a request to the central database and receives the following personal data of the customer:
digital photograph (if available);
personal identification number ("ЖШШИР");
date of issue of biometric passport or ID card, its validity period and place of issue;
surname, first name, patronymic in the state language (in Latin script);
information about gender, country of birth, place of birth, nationality, citizenship and place of permanent or temporary residence;
the obliged entity compares the customer's photo or a snapshot from the video taken in real time with the image extracted from the central database (if available) in an automated manner (without human involvement);
the obliged entity verifies the customer's mobile phone number (e.g., by sending an SMS message);
the obliged entity compares the received data with the List [the list of persons participating or suspected of participating in organized terrorist activities or proliferation of weapons of mass destruction, prepared by the
Department for Combating Economic Crimes under the General Prosecutor's Office of the Republic of Uzbekistan] automatically (without human involvement)".
Therefore, the AML/CFT regulations of Uzbekistan currently provide two options for fully non-documentary identity verification: (i) via the Ministry of Internal Affairs databases (the customer's biometric data being the input); and
(ii) via the Electronic Government database (the customer's real-time photo / video, as well as certain non-biometric personal data (ID details or personal identification number and date of birth), being the input), subject to several
procedural requirements, such as impersonation risk mitigation, obligatory consultation of specific AML screening sources, mobile phone verification, collection of all necessary attributes, etc.
65 — As per section 10, in case of both digital identification and digital authentication, the photo / video: needs to be in color; the video must have sound; it is not allowed to have persons other than the customer in the photo and (or) video; the matching mechanism must allow for impersonation risk mitigation; etc.