Solution compliance assessment
Ensure business compliance using Non-Doc Address Verification.
Sumsub offers its state-of-the-art Non-Doc Address Verification solution to address the growing demand for automation, speed, and reduced manual intervention in KYC onboarding processes for both obligated financial institutions and their customers.
While Non-Doc Address Verification is a relatively new user residency verification method, it has already been widely recognized by regulatory authorities on a global basis and made a significant operational impact for clients who have decided to implement it.
The following analyses elaborate on the compliance of Non-Doc Address Verification with national AML/CTF regulations of multiple jurisdictions by examining in detail the requirements for customer risk assessment, data collection, and verification.
Regulatory recognition
The following scope indicates the markets where document-free address verification is accepted by national financial regulators..
Cited Sources:
- UIF Resolution 14/2023 (RESOL-2023-14-APN-UIF#MEC, "UIFResolution")
Is it required to collect user address information?
Yes; as per Article 22 of the UIF Resolution, all individual customers of a regulated entity must be identified by, inter alia, their "actual address (street, number, town, province, country and postal code)".
Is it required to verify user address information?
The UIF Resolution is mostly silent on address validation. Notably, Article 22 does specify how the customer's full name and surname, type and number of identity document should be verified (namely, by a copy of an identity document), but no similar guidance is provided for other identity attributes such as address. Therefore, presumably, it is the obliged entities' choice whether and via which means to perform address verification.
Is it permissible to use document-free methods for address verification?
Since no mandatory procedures for address verification are prescribed, nor is it evident from the UIF Resolution that it is necessary in the first place, regulated entities may choose any methods of validating their customers' addresses they consider reasonable.
Cited Sources:
- The Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) ("AML/CFT Rules")
Is it required to collect user address information?
Yes; Part 4.2.3 of the AML/CFT Rules sets out the minimum KYC information to be collected about an individual customer, which includes their residential address.
Is it required to verify user address information?
As per Part 4.2.6 of the AML/CFT Rules, at least the customer's (i) full name and either (ii)(a) date of birth or (ii)(b) residential address have to be verified.
Is it permissible to use document-free methods for address verification?
Part 4.2.7 of the AML/CFT Rules lists the acceptable methods of verifying the above-mentioned customer data: " (1) reliable and independent documentation; (2) reliable and independent electronic data; or (3) a combination of (1) and (2) above".
Furthermore, the AML/CTF Rules offer different "safe harbour" verification approaches (documentation-based and electronic-based) depending on the risk profile of the customer. Where the risk is medium or lower and the electronic method is chosen, "u se of reliable and independent electronic data from at least two separate data sources is required. The entity must also verify that the customer has a transaction history for at least the past 3 years" (AML/CTF Rules, Parts 4.2.12 - 4.2.14).Thus, it is permissible to verify addresses electronically, provided that the customer's full name is validated against a different source.
Cited Sources:
- 2019 Guidelines on Electronic Know Your Customer (e-KYC) ("2019 Guidelines")
- Guidance Notes on Prevention of Money Laundering and Terrorist Financing for Financial Institutions ("Guidance Notes")
Is it required to collect user address information?
As per both the Guidance Notes (see, e.g., section 7.3.5) and the 2019 Guidelines (see, e.g., section 3.3), both the current and permanent addresses of an individual customer (if different) need to be collected.
Is it required to verify user address information?
As per section 7.3.5 of the Guidance Notes, it is recommended to verify address via one of the following methods:
- provision of a recent utility bill, tax assessment or bank statement containing details of the address (to guard against forged copies it is strongly recommended that original documents are examined);
- checking the voter lists;
- checking the telephone directory;
- visiting home/office;
- sending thanks letter.
Is it permissible to use document-free methods for address verification?
While the above-cited provision of the Guidance Notes is phrased as a recommendation rather than an obligation, address verification methods not listed therein might require additional justification from the regulated entity. If the regulated entity chooses to rely on electronic sources for this check, it may therefore be advisable to consult either the "voter lists" or the "telephone directory".
Cited Sources:
- Law on the prevention of money laundering and terrorist financing and on the restriction of the use of cash(" AML Law")
- National Bank of Belgium Object of the identification and identity verification guidance (" NBB Guidance")
Is it required to collect user address information?
As per Article 26(2) of the AML Law, an individual customer' identification data shall include "last name, first name, date and place of birth and, to the extent possible, address".
Is it required to verify user address information?
In accordance with Article 27(2) of the AML Law, unless simplified due diligence measures are warranted, it is required to verify all information collected pursuant to Article 26(2) (where this is the case) against " one or more supporting documents or reliable and independent sources of information enabling them to confirm this data".
In relation to address validation specifically, section 2.3.2(a) of the NBB Guidance further explains that "financial institutions' internal procedures should determine the measures to be taken to fulfil this legal obligation in a sufficiently precise manner. When the supporting document used to verify the customer's identity provides relevant information on the customer's address, this document should logically also be considered as the source of relevant information on their address. When this is not possible (in particular if the supporting document does not mention the customer's address), the internal procedures should determine how this information can be obtained. In these cases, a simple declaration signed by the customer, agent or beneficial owner concerning their address generally suffices if the customer, business relationship or transaction does not present a high ML/FT risk".
Is it permissible to use document-free methods for address verification?
Based on the above-cited position of the NBB, address needs to be corroborated by evidence stronger than a self-declaration only if the customer's risk profile is high. However, even in that case regulated entities retain a broad margin of discretion and apparently may choose whatever means of address verification they deem appropriate, so long as such means allow them to confirm the data in question with sufficient precision.
Cited Sources:
- External Circular 100-000005
- Prudential standards regarding Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) risk management and other related provisions ("Prudential Standards")
Is it required to collect user address information?
Yes; for example, Part I, Title IV, section 4.2.2.2.1.1.3.2 of the Prudential Standards lists address among other identity attributes to always be "obtained and kept updated" as part of the KYC procedure.
Likewise, Art. 5.2(a) of the External Circular 100-000005 states: " To strengthen the security of the process of KYC, and when the transaction allows it, it is recommended, as an example, the following: get to know by any legal means the origin of resources, verify the customer's identity, their address [...]".
Is it required to verify user address information?
Based on the following provision of the Prudential Standards, only the identity document presented by the customer is subject to mandatory verification (while a separate procedure for address validation is recommended as shown above but not obligatory):
" 4.2.2.2.1.1.1.1. Client identification. The supervised institutions must have policies and procedures that allow them to identify and verify the identity of the potential client, whether it is a natural person, legal entity or structure without legal status, at the time of their linking in face-to-face environments or not.
In the case of natural persons, such policies and procedures must consist in verifying the identity document issued by the competent authority[...]".
Is it permissible to use document-free methods for address verification?
Should the regulated entity choose to verify the customer's address separately, they have broad discretion in choosing the exact method. For instance, section 4.2.2.2.1 of the Prudential Standards allows to use, among other KYC solutions, "public databases, digital citizen services providers, their own databases and/or external databases", as long as the engaged source undergoes prior risk assessment.
Cited Sources:
Is it required to collect user address information?
Yes; in accordance with Section 5(1) of the AML Act, an individual customer's " address of permanent or other residence" must be obtained as part of their "identification data".
Is it required to verify user address information?
Based on Sections 8 and 8a of the AML Act, there are two self-sufficient ways of verifying an individual customer's identity:
- where the customer is physically present, "an obliged entity records identification data [including address] and verifies them from an identity card should they be included thereon , and subsequently records the type and serial number of the identity card, the issuing country or issuing authority and the card's validity; at the same time, the obliged entity verifies the holder's appearance and the holder's facial image as pictured on the identity card ". It can therefore be inferred that, where the submitted identity document does not contain the holder's address, the latter does not need to be verified separately. Likewise, there is no prescribed procedure in case of a mismatch between the address featured in the ID and that of the customer's actual residence ("document-based KYC option"); and
- where the onboarding is conducted remotely either (i) in accordance with the eIDAS Regulation and the Act on Electronic Identification or (ii) as otherwise explicitly permitted under the Bank Act, in which case no subsequent address verification measures are mentioned ("e-KYC option").
Is it permissible to use document-free methods for address verification?
Since there is no explicit requirement to verify the address via any separate procedure insofar as either the document-based KYC option or the e-KYC option is fully followed through, regulated entities may, if they nevertheless consider this check necessary, choose any methods they deem appropriate.
Cited Sources:
- 2020 Guide to the AML Act by the Finanstilsynet (“FSA Guide”)
Is it required to collect user address information?
Section 11(1) of the AML Act prescribes to collect the following identification data of natural persons: “ name and civil registration number or similar if the person in question does not have a civil registration number. Should the applicant not have a civil registration number or similar, the identity information shall include date of birth ”. Therefore, address is not explicitly required.
Is it required to verify user address information?
Danish AML/CFT regulations stipulate no separate obligation to verify the customer’s address. However, it is mentioned in Section 14 of the FSA Guide as one of possible enhanced due diligence measures.
Is it permissible to use document-free methods for address verification?
Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider reasonable.
Cited Sources:
Is it required to collect user address information?
Yes; as per §21, subsection 1, clauses 1-2 of the AML Act, a customer who is a natural person has to be identified by, inter alia, their "place of residence or location".
Is it required to verify user address information?
As a general rule, §21, subsection 2 of the AML Act prescribes to verify customer identification data (including address) "using information originating from a credible and independent source". However, no further detailed guidance is offered in relation to the validation of address specifically.
Is it permissible to use document-free methods for address verification?
In the absence of instructions to the contrary, it may be assumed that, while regulated entities are indeed expected to verify address-related information, they are not restricted in their options of doing so and, provided that the customer's address is not already reliably confirmed in the course of general identity verification, both documentary and non-documentary supplemental checks can be used.
Cited Sources:
Is it required to collect user address information?
Yes; Chapter 3, Section 3(2) of the AML Act, outlining the minimum data required for customer due diligence, encompasses address among other identity attributes. Para. 104 of the FIN-FSA Guidelines further elaborates that this requirement refers "as a rule to the address of the customer's permanent place of residence. Where necessary, a temporary address may be saved instead of, or in addition to, a permanent address".
Is it required to verify user address information?
In relation to address verification, para. 105 of the FIN-FSA Guidelines suggests that "it is enough as a rule that the supervised entity records the customer's contact address through which the customer can be reached by letter mail if the customer does not have a permanent or temporary address, or the customer does not want to disclose the address due to a valid non-disclosure for personal safety. The supervised entity shall assess on a risk-sensitive basis the importance of the lack of the customer's permanent or temporary home address on the overall risk involved in the customer relationship and whether the supervised entity is able to manage these risks ". Beyond that, no detailed instructions are provided, implying a broad margin of discretion reserved for regulated entities.
Is it permissible to use document-free methods for address verification?
Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider appropriate.
Cited Sources:
Is it required to collect user address information?
Whereas Art. R561-5 of the Monetary and Financial Code of France requires regulated entities to identify their individual customers by collecting their "first and last name, as well as their date and place of birth", this obligation does not encompass residential address.
Is it required to verify user address information?
Whereas regulated entities may choose to verify a customer's residential address as part of risk mitigation or enhanced due diligence, para. 131 of the ACPR Guide appears to suggest that it is not a necessity:" The collection of [proof of address] is therefore not essential for knowledge of the business relationship. Financial institutions determine, in their internal procedure, using a risk-based approach, whether proof of the home address is an element to be collected and, in this case, the type of proof to be collected ".
Is it permissible to use document-free methods for address verification?
Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider appropriate.
Cited Sources:
-
2022 Supervisory Guidance Note on the use of Ghana Card (" Guidance Note")
Is it required to collect user address information?
Appendix B to the Guideline requires different sets of identity data and supporting evidence, depending on whether the individual in question is a citizen or resident of Ghana, as well as on their special status, if any (applicable to minors, students, refugees and asylum seekers, foreign diplomats and their dependents). By way of illustration, a Ghanian citizen and a foreign citizen permanently residing in Ghana would need to provide, respectively, in relation to their address:
-
Ghanian citizen:
-
Proof of residential address:
-
i. GPS Address, or
-
ii. Tenancy Agreement, or
-
iii. Any other relevant document issued by an authorized government agency or institution;
-
-
-
foreign citizen permanently residing in Ghana:
-
Proof of Residential Address (local)
-
i. GPS Address, or
-
ii. Tenancy Agreement, or
-
iii. Any other relevant document;
-
-
Proof of Residential address (foreign)
-
i. Utility Bill, or
-
ii. Tenancy Agreement, or
-
iii. Any other relevant document issued by an authorized government agency or institution.
-
-
Is it required to verify user address information?
Based on the provisions cited above, user address information needs to be corroborated with evidence, specifically certain types of documentation and/or (where the customer resides in Ghana) GPS data.
Is it permissible to use document-free methods for address verification?
As demonstrated above, non-documentary confirmation of the customer's address is only possible via a GPS check and only if the place of residence is in Ghana. A non-Ghanian address (including one belonging to a foreign citizen permanently residing in Ghana) would need to be verified based on additional documentation such as a utility bill or a tenancy agreement.
Cited Sources:
- Guideline on Anti-Money Laundering and Counter-Financing of Terrorism For Authorised Institutions (Revised in May, 2023) ("HKMA Guideline")
- Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers) ("SFC Guideline")
Is it required to collect user address information?
Yes; as per sections 4.3.2-4.3.5 and 4.3.13-4.3.17 of the HKMA Guideline, the following identification and verification requirements are applicable to financial institutions:
- "for customers who are natural persons, the full name, date of birth, nationality, unique identification number and document type, as well as residential address".
Section 4.2.4 of the SFC Guideline contains an identical requirement to collect an individual customer's residential address.
Is it required to verify user address information?
No; based on the HKMA Guideline, authorized entities are required to collect the address, but not necessarily verify it. However, pursuant to the footnote of section 4.3.5 of the HKMA Guideline, an authorized entity may, under certain circumstances, require such verification for other purposes (e.g. group requirements, other local or overseas legal and regulatory requirements). In this case, it should communicate clearly to the customers the reasons why it requires proof of residential address.
The SFC Guideline (see the footnote to section 4.2.4) adopts the same approach.
Is it permissible to use document-free methods for address verification?
Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider reasonable.
Cited Sources:
Is it required to collect user address information?
Out of all acceptable methods of identity verification listed in Chapter VI, Part I, section 16 of the KYC Direction, only one explicitly mentions address specifically:
"For undertaking CDD, REs shall obtain the following from an individual [...]:
(a) the Aadhaar number [...]; or
(aa) the proof of possession of Aadhaar number where offline verification can be carried out; or
(ab) the proof of possession of Aadhaar number where offline verification cannot be carried out or any OVD[officially valid document] or the equivalent e-document thereof containing the details of their identity and address; or
(ac) the KYC Identifier with an explicit consent to download records from CKYCR; and
(b) the Permanent Account Number or the equivalent e-document thereof or Form No. 60 as defined in Income-tax Rules, 1962; and
(c) such other documents including in respect of the nature of business and financial status of the customer, or the equivalent e-documents thereof as may be required by the RE".
It can be inferred that, where the customer does not present an OVD featuring their address (or its substitute), address collection is still necessary but already implied under the other permitted procedures. See, for instance, regarding the Aadhaar number valiation: "if customer wants to provide a current address, different from the address as per the identity information available in the Central Identities Data Repository , they may give a self-declaration to that effect to the RE".
Is it required to verify user address information?
Chapter 1, section 3(xiv) of the KYC Direction states that, " where the OVD furnished by the customer does not have updated address, the following documents or the equivalent e-documents thereof shall be deemed to be OVDs for the limited purpose of proof of address:-
- utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);
- property or Municipal tax receipt;
- pension or family pension payment orders (PPOs) issued to retired employees by Government Departments or Public Sector Undertakings, if they contain the address;
- letter of allotment of accommodation from employer issued by State Government or Central Government Departments, statutory or regulatory bodies, public sector undertakings, scheduled commercial banks, financial institutions and listed companies and leave and licence agreements with such employers allotting official accommodation ".
No separate verification procedure is prescribed in case the customer's identity is verified via means other than their OVD. This is subject to a restriction set out in section 40(c):" Following EDD measures shall be undertaken by REs for non-face-to-face customer onboarding (other than customer onboarding [using Aadhaar OTP based e-KYC]): [...]
- c) Apart from obtaining the current address proof, RE shall verify the current address through positive confirmation before allowing operations in the account. Positive confirmation may be carried out by means such as address verification letter, contact point verification, deliverables, etc. "
Is it permissible to use document-free methods for address verification?
With the exception of the case where the customer presents an OVD not featuring their current address and provided they are being onboarded via Aadhaar OTP-based e-KYC, no additional address verification procedures appear to be required. However, if the regulated entity prefers to further confirm the customer's address, they may choose any means of doing so.
Cited Sources:
- Regulation (POJK) No. 8 of 2023 (" OJK Regulation")
Is it required to collect user address information?
Yes; Art. 25(1) of the OJK Regulation specifies it is necessary to collect an individual customer's "residential address according to the ID and other residential addresses, if any".
Is it required to verify user address information?
It appears that the fact a person's identity document contains address serves as sufficient evidence of the latter's validity. The OJK Regulation further states that, where the actual residential address of the customer differs from the one indicated in the ID, the alternative address needs to be recorded as well; however, no particular verification procedures are prescribed.
Is it permissible to use document-free methods for address verification?
Since no mandatory procedures for address verification exist (besides extracting the address information out of the customer's ID), regulated entities may choose any methods they consider reasonable.
Cited Sources:
- Legislative Decree 21 November 2007, n. 231 (" Legislative Decree")
- Disposizioni in materia di adeguata verifica della clientela per il contrasto del riciclaggio e del finanziamento del terrorismo ("CDD Provisions")
Is it required to collect user address information?
Yes; Art. 1(2)(n) of the Legislative Decree defines "identification data" as "name and surname, place and date of birth, registered residence and domicile (where different from registered residence) and, where assigned, the tax code or, in the case of subjects other than a natural person, the name, registered office and, where assigned, the tax code".
Is it required to verify user address information?
Part 2, Section VIII of the CDD Provisions states that an individual's "identification data" (which, as shown above, includes address) needs to be " verified via a copy - obtained by fax, post, in electronic format or with similar methods - of a valid identity document" (unless the customer's identity is being confirmed via an eIDAS-compliant solution, in which scenario, as follows from Part 2, Section III, such a copy is not necessary). However, no mandatory verification procedure is prescribed where the submitted ID does not contain address-related information (or if the regulated entity becomes aware that the address indicated in the ID is different from the customer's actual place of residence).
Is it permissible to use document-free methods for address verification?
While neither the Legislative Decree nor the CDD Provisions explicitly mention "proof of address", the following can be inferred: (i) if the presented identity document contains the customer's current address, it will likely be sufficient for address verification purposes; (ii) if the ID lacks the customer's current address, the regulator prescribes to collect it separately but does not explicitly specify how it should be verified; (iii) therefore, supplementary procedures adopted by regulated entities in this case could involve, e.g., requesting additional documents or consulting external data sources. The specific requirements for proof of address might vary depending on the customer's risk profile.
Cited Sources:
- ANNEXE A LA DECISION N° 26 du 02/07/2015/CM/UMOA (" Uniform AML/CFT Regulation")
Is it required to collect user address information?
Yes; as per Article 27 of the Uniform AML/CFT Regulation, obtaining the address of the customer's main residence is one of the essential identification procedure elements.
Is it required to verify user address information?
Yes; in accordance with the same Article 27, "verification of [an individual customer's] address is carried out by the presentation of a document capable of providing proof [thereof] or by any other means . [...] The financial institution verifies the authenticity of the document presented".
Is it permissible to use document-free methods for address verification?
Based on the above-cited provision, there are no restrictions regarding possible address verification methods; therefore, regulated entities may choose such solutions as they consider appropriate.
Cited Sources:
- 2013 Prudential Guidelines issued by the Central Bank of Kenya ("Prudential Guidelines")
Is it required to collect user address information?
Yes; section 5.6.7.2 of the Prudential Guidelines, addressing non-face-to-face onboarding specifically, emphasizes an obliged entity must "ensure that there is sufficient communication to confirm address and personal identity" of an individual customer.
Is it required to verify user address information?
Yes; as per section 5.6.7.4 of the Prudential Guidelines, "the procedures to check identity must serve two purposes: (i) they must ensure that a person bearing the name of the applicant exists and lives at the address provided; and (ii) that the applicant is that person". From this, it can be inferred that user address information needs to be supported with evidence.
Is it permissible to use document-free methods for address verification?
In terms of address verification specifically, obtaining a utility bill or other forms of documentation is recommended under paras. 5.6.5.1 and 5.6.7.7 of the Prudential Guidelines as the best practice and there are no explicit references to the possibility of relying on electronic sources instead. However, para. 5.6.7.5 suggests this method is not the only permissible one and ultimately " it is for each institution to decide upon which checks to employ".
Cited Sources:
Is it required to collect user address information?
Neither the AML Law nor the Order stipulates a necessity to collect user address information. However, as per Art. 10(1)(6) of the AML Law, it is required to understand an individual customer's "citizenship (except for the cases where it is optional in the identification document) and in the case of a stateless person - the state which issued their identification document". While obliged entities may still be expected to collect data related to the customer's location (e.g., to determine whether enhanced due diligence should be applied to the customer or to fulfill the requirement to obtain the customer's IP data as set out in para. 26 of the Order), the format in which this information should be gathered and confirmed is determined by the obliged entity itself.
Is it required to verify user address information?
The AML/CFT regulations of Lithuania do not specify any particular means for verifying the customer's residential address.
Is it permissible to use document-free methods for address verification?
Yes, insofar as this matter is not explicitly regulated under the AML Law or the Order and obliged entities have the freedom of discretion in it.
Cited Sources:
- Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 ("AMLA")
- Bank Negara Malaysia Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions Policy ("AML/CFT Policy for FIs")
- Bank Negara Malaysia Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions (DNFBPs) & Non-Bank Financial Institutions (NBFIs) Policy ("AML/CFT Policy for DNFBPs / NBFIs")
Is it required to collect user address information?
Yes; section 16(3)(a) of the AMLA requires reporting institutions to ascertain the domicile of any person as part of customer due diligence measures. Likewise, AML/CFT Policies for both FIs and DNFBPs / NBFIs (sections 14A.9 and 14.10.1 respectively), as well as section 3.3 of the CDD Guidance, name "residential and mailing address" among the minimum identification data.
Is it required to verify user address information?
Yes; as per section 16(3)(b) of the AMLA, domicile, among certain other identification data, needs to be "verified, by reliable means or from an independent source, or from any document, data or information [...] through the use of documents which include identity card, passport, birth certificate, driver's licence, constituent document or any other official or private document as well as other identifying information relating to that person ".
Is it permissible to use document-free methods for address verification?
Malaysian AML/CFT regulations explicitly permit reliance on electronic sources (including databases) for CDD purposes; e.g., section 14C.16.11(c) of the AML/CFT Policy for FIs allows, in the context of non-face-to-face onboarding, to use " a database maintained by relevant authorities including the National Registration Department or Immigration Department of Malaysia; telecommunication companies, sanctions lists issued by credible domestic or international sources in addition to the mandatory sanctions lists or social media platforms with a broad outreach ". This is mentioned as an equivalent alternative to requesting additional documentation such as "recent utility bills, bank statements, student identification or confirmation of employment".
Similarly, section 5.1 of the CDD Guidance emphasizes that " there is no restriction on the form of evidence to be taken by reporting institutions in verifying the identity. Reporting institutions may accept either physical documents, electronic or digital information and data, or a combination of both ". The only instance where it is recommended to obtain documentary proof of address (specifically, a utility bill) is when "residential and NRIC address are different" (section 6.1).
Cited Sources:
- Central Bank of Nigeria Customers Due Diligence Regulations 2023 ("CDD Regulations")
- 2022 Central Bank of Nigeria (Anti-Money Laundering, Combating the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions) Regulations ("AML Regulations")
- 2023 CBN Circular PSM/DIR/PUB/CIR/001/053 ("2023 Circular")
Is it required to collect user address information?
Yes; Art. 6(a) of the CDD Regulations lists both "permanent address (full physical address)" and "residential address (where the customer can be located)" among data items to be collected as part of the KYC procedure.
Is it required to verify user address information?
Yes; Art. 7(2) of the CDD Regulations elaborates on the possible means of address verification:"FIs shall verify the identity of individuals by confirming the - [...]
(b) residential address through physical visitation and use of other sources, including utility bill, tax assessment, bank statement, or letter from a public authority".
In addition, as per Art. 27(2) of the CDD Regulations, "where a foreign national has recently arrived in Nigeria, the residential address in [their] home country shall be notarized". For resident non-Nigerians, a valid residence permit is obligatory.
Is it permissible to use document-free methods for address verification?
It appears that the word "including" in Art. 7(2)(b) of the CDD Regulations should not be understood as imposing a limitation, since "other sources" could in general be interpreted broadly so as to encompass, e.g., external databases. This is supported by Art. 26(1) of the CDD Regulations, applicable to non-residents and stating that " FIs shall obtain and verify applicant's name, date of birth and permanent residential address (in host country) directly through a reputable Credit Institution or FI in the applicant's country of residence or a correspondent bank, provided that particular care shall be taken when relying on identification evidence obtained from other countries ".
Additionally, Nigerian AML/CFT regulations are generally favourable towards non-documentary KYC solutions. For instance, Arts. 14, 16 and 35 of the CDD Regulations, as well as Art. 26 of the AML Regulations, specify that both "physical" and "electronic" methods of customer onboarding may be adopted by financial institutions, so long as the "tiered" approach and other e-KYC standards endorsed by the CBN are complied with. In turn, the CBN 2023 Circular not only permits, but prescribes to validate customer identity data via governmental NIBSS' BVN or NIMC's NIN databases.
Therefore, it may be assumed that, where technically possible, addresses may be verified electronically at least through official national databases such as NIBSS or NIMC.
Cited Sources:
- 2018 Act relating to Measures to Combat Money Laundering and Terrorist Financing ("AML Act")
- 2018 Regulations relating to Measures to Combat Money Laundering and Terrorist Financing ("AML Regulations")
- 2019 Circular "Guide to the Anti-Money Laundering Act" ("2019 Circular")
Is it required to collect user address information?
Yes; Section 12(1) of the AML Act stipulates that, in the case of a natural person, address needs to be collected among other identity data.
Is it required to verify user address information?
Based on Section 12(2) of the AML Act, " information on the customer's identity shall be verified by personal appearance with a valid proof of identity. If verification of the identity shall take place without personal appearance, additional documentation shall be presented or additional measures shall be applied ". Beyond that, no obligatory address verification measures are prescribed under the AML Act, AML Regulations, or the 2019 Circular so long as the customer's identity in general is confirmed via acceptable evidence as described below.
Is it permissible to use document-free methods for address verification?
As per Section 4-3(4) of AML Regulations, where the customer is not physically present, the only acceptable onboarding solution is an eIDAS-compliant electronic signature, which is self-sufficient for KYC purposes insofar as all the required identity data (including address) had been previously obtained. However, regulated entities may choose to further validate their customers' residential addresses as part of risk mitigation or enhanced due diligence procedures. In this case, they are not limited in the choice of methods; for example, Section 4.3.1.3 of the 2019 Circular mentions "other reassuring electronic solutions" on par with " communication with the customer via postal address or digital address" or "video communication".
Cited Sources:
-
2018 Revised Implementing Rules and Regulations ("2018 RIRR")
-
Manual of Regulations for Banks (MORB) / Manual of Regulations for Non-Bank Financial Institutions (MORNBFI)
Is it required to collect user address information?
As per Rule 18, Section 3.4 of the 2018 RIRR, address is indeed among other identity attributes that should be collected from an individual customer before or during account opening or onboarding.
Is it required to verify user address information?
Overall, documentary evidence of identity-related information (including address) appears mandatory. See, e.g., the BSP Manual of Regulations for Banks (MORB) / Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) on Customer Due Diligence, Section 921/921Q:
-
"the covered person obtains from individual customers, at the time of account opening / establishing the relationship, the following minimum information [including address] and confirms this information with the official or valid identification documents";
-
as one of possible additional safeguards for enhanced due diligence, it is suggested to verify the address "through evaluation of utility bills, bank or credit card statement, sending thank you letters, or other documents showing address or through on-site visitation".
The above-specified provisions, however, may be overridden by Rule 18, Section 3.7 of the 2018 RIRR, stating that "covered persons shall deem the provision and submission of the PSN or PhilID as official and sufficient proof of identity, subject to the authentication requirements under the PhilSys Act [Republic Act No. 11055, or the Philippines Identification System Act] and its IRR [Implementing Rules and Regulations of Republic Act No. 11055]". This is further detailed in Circular No. 1170. Specifically, the Circular states that, "where the PCN or PSN derivative, or the Philippine ldentification (PhillD) card, in physical or digital form, is presented by the customer, it shall be accepted as official and sufficient proof of identity, subject to proper authentication, and the covered person shall no longer require additional documents to verify the customer's identity". Therefore, accessing an individual's record in the Philippine Identification System ("PhilSys") is considered a reliable way to verify their identity.
From the above it may be inferred that, so long as a customer's identity is verified via PhilSys (and their address is also extracted in this manner), no further address confirmation is needed. Conversely, where the obliged entity does not rely on PhilSys, it may be expected that address, like other identity data, will be verified based on documentary evidence.
Is it permissible to use document-free methods for address verification?
Based on the reasoning above, non-documentary address verification is possible via solutions accessing PhilSys; in other cases, the document-based approach remains prevalent.
Cited Sources:
-
MAS Circular No. AMLD 01/2018 on "Use of MyInfo and CDD Measures for Non-Face-To-Face Business Relations" ("2018 MAS Circular")
Is it required to collect user address information?
While the Monetary Authority of Singapore (MAS) maintains separate Notices and Guidelines addressing each type of AML-regulated business (e.g., banks, merchant banks, finance companies, specified payment services, digital payment token services), the requirement to collect an individual customer's residential address is universal. See, for instance: "where a customer is a natural person, a bank must obtain residential address based on national identity card, recent utility or telephone bill, bank statement or correspondence from a government agency" ( Guidelines to MAS Notice 626 - Banks , para. 6-6-2) .
Is it required to verify user address information?
Based on the same para. 6-6-2 of the Guidelines to MAS Notice 626 - Banks (and identical provisions contained in the Guidelines related to other industries), user address information needs to be corroborated with evidence, specifically certain types of documentation.
Is it permissible to use document-free methods for address verification?
An exception to the document-based approach to address verification is MyInfo, a government service that enables citizens and residents to manage the use of their personal data for simpler online transactions. The 2018 MAS Circular, para. 3, describes MyInfo as a "reliable and independent source for the purposes of verifying the customer's name, unique identification number, date of birth, nationality and residential address", as well as other personal attributes. It is simultaneously confirmed that, "where MyInfo is used, MAS will not require FIs to obtain additional identification documents to verify a customer's identity".
Cited Sources:
-
2017 Guidance Note 7 on the Implementation of Various Aspects of the Financial Intelligence Centre Act, 2001 ("Guidance Note")
Is it required to collect address information?
The Guidance Note, while stating that full name, date of birth and unique identifying number issued by a government source are "basic attributes" that should be collected from an individual customer in any event (para. 85), also describes data such as residential address as supplementary (para. 86) and therefore, presumably, not mandatory to establish as part of the KYC procedure.
Is it required to verify user address information?
Since it is not necessary for obliged entities to collect address information in the first place, whether to do so and whether to subsequently verify such data remains within their discretion.
Is it permissible to use document-free methods for address verification?
Para. 74 of the Guidance Note emphasizes that regulated entities "have the flexibility to choose the type of information by means of which they will establish clients' identities and also the means of verification of clients' identities". More specifically, both "documents" and "electronic data issued or created by reliable and independent third-party sources" are permitted for confirming a customer's identity (para. 83) and, consequently, isolated identity attributes such as address.
Cited Sources:
- Prevention of Money Laundering and Terrorist Financing Law 10/2010 of 28 April ("AML Law")
- Regulation on the Prevention of Money Laundering and Terrorist Financing approved by Royal Decree 304/2014 of 5 May (" Royal Decree")
Is it required to collect user address information?
As per Article 4bis of the AML Law, in relation to natural persons that are ultimate beneficial owners for the purposes of the business relationship in question, only the "country of residence" is required to ascertain their address. There are no further indications in the AML Law or the Royal Decree that the information on the customer's place of residence needs to be collected with higher precision.
Is it required to verify user address information?
In terms of the overall identity verification duty, Articles 3 and 12 of the AML Law generally require a copy of the customer's "reliable document" (unless the KYC procedure is being conducted via an eIDAS-compliant qualified electronic signature, which exemption is provided under Article 12(1)(a) of the AML Law). In turn, a "reliable document", pursuant to Article 6(1)(a) of the Royal Decree, means:
- for individuals who are Spanish nationals, the national identity card;
- for foreign individuals, the residence card, foreign identity card, passport or, in the case of citizens of the European Union or the European Economic Area, the official personal identity document, letter or card issued by the home authorities;
- exceptionally, obliged subjects may accept other personal identification documents issued by a government authority provided they enjoy adequate guarantees of authenticity and show a photograph of the holder.
However, no mandatory verification procedures are prescribed where the presented identity document does not feature the customer's address.
Is it permissible to use document-free methods for address verification?
Since no mandatory procedures for address verification (besides collecting a copy of the customer's identity document) exist, regulated entities may choose any methods they consider appropriate.
Cited Sources:
- Finansinspektionen's regulations regarding measures against money laundering and terrorist financing("FI Regulations")
Is it required to collect user address information?
Chapter 3, Section 5 of the FI Regulations, governing non-face-to-face onboarding, sets out two alternative methods for performing KYC remotely:
- " using electronic identification to produce an advanced electronic signature as set forth in the Act (2016:561) laying down additional requirements to the EU Regulation on electronic identification or by using any other technology for electronic identification which provides equivalent certaint y" ("e-KYC option"), or
- "verifying the natural person's identity in an appropriate manner by
- a) obtaining information regarding the person's name, address, personal identity number or equivalent;
- b) verifying the information against external registers, certificates, or other equivalent documentation, and
- c) contacting the natural person by sending a confirmation to the person's address in the population register or other reliable address, or ensuring that the person sends a certified copy of an identity document, or other equivalent measure " ("document-based KYC option").
Accordingly, only the "document-based KYC option" requires a separate procedure for address collection.
Is it required to verify user address information?
As demonstrated above, only the "document-based KYC option" necessitates address verification; furthermore, it needs to be conducted specifically via physical correspondence with the customer.
Is it permissible to use document-free methods for address verification?
Consequently, only the "e-KYC option" (which does not prescribe address verification specifically in the first place) permits reliance on non-documentary sources as a standalone solution.
Cited Sources:
Is it required to collect user address information?
Yes, it is required to collect user address information based on the FINMA Circular 2016/7 on "Video and online identification", Section IV(B)(a), margin 34, stating that "the financial intermediary must also [in addition to other identity data] confirm the contracting party's residential address".
Is it required to verify user address information?
Yes, it is required to verify user address information. As per the FINMA Circular 2016/7 on "Video and online identification", Section IV(B)(a), margin 34, such information must be not simply obtained, but also further "confirmed".
Is it permissible to use document-free methods for address verification?
The FINMA Circular 2016/7 on "Video and online identification", Section IV(B)(a), margins 35-37.1, provides an exhaustive list of means by which a contracting party's residential address can be confirmed, namely: "tax invoice or any other official invoice or power, water or telephone invoices (utility bill); postal delivery; a public register, or a trustworthy, privately managed database/directory; or geolocation". Therefore, address data can be validated via both documentary and non-documentary solutions, even though, where external databases are engaged, they are expected to meet certain quality standards (being government-maintained or otherwise "trustworthy").
Cited Sources:
- Prime Minister Office Notification on Customer Identification Methodology for Financial Institutions and Businesses and Profession ("Prime Minister Notification")
- Anti-Money Laundering Office Notification Concerning Guideline for Identification and Verification of Customers and Ultimate Beneficial Owners ("AMLO Notification")
- AMLO Guideline on Customer Due Diligence For Banks ("AMLO Guideline", as an example of industry-specific AMLO Guidelines)
Is it required to collect user address information?
Yes; Article 4 of the Prime Minister Notification, providing the minimum identification information to be obtained in respect of an individual customer for CDD purposes, specifically mentions " address as appears in personal identification card or in the house registration and current address. In case of a foreigner, the country of citizenship and current address in Thailand shall be provided, except for the case of a foreigner with no address in Thailand, whose current address shall be used instead ". The ALMO Guideline further confirms this requirement refers to:
- in case of Thai national, meaning address in the house registration book and in case of not living therein, stating also the present address;
- in case of alien, meaning address in the country of nationality and address in Thailand.
Is it required to verify user address information?
There appears to be no obligatory procedure for address verification prescribed under the AML/CFT regulations of Thailand. Whereas Article 5 of the AMLO Notification suggests requesting additional documentation (such as utility bills) as an enhanced due diligence measure where the customer's risk profile is high, nothing indicates that this is the only acceptable way of validating address in principle.
Is it permissible to use document-free methods for address verification?
Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider appropriate.
Cited Sources:
- Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations ("AML-CFT Decision")
- Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Financial Institutions ("AML Guidelines")
- Guidance for Licensed Financial Institutions ('LFI's) on Digital Identification for Customer Due Diligence ("CDD Guidance")
Is it required to collect user address information?
Yes; in accordance with Article 8(1) of the AML-CFT Decision, an individual customer's address needs to be obtained along with their "name, as in the identification card or travel document, nationality, [...] place of birth, name and address of employer, attaching a copy of the original and valid identification card or travel document", cumulatively referred to as "identity".
Is it required to verify user address information?
The same Article 8(1) of the AML-CFT Decision states that the customer's "identity" (consisting of the elements as cited above) needs to be verified, which therefore applies to address in particular. This is further corroborated by section 6.3.1 of the AML Guidelines:
"The verification of a customer's identity, including their address, should be based on original, official (i.e. government-issued) documents whenever possible. When that is not possible, FIs should augment the number of verifying documents or the amount of information they obtain from different independent sources".
Is it permissible to use a non-document method to verify an address?
Despite the overall preference for documentary evidence, section 6.3.1 of the AML Guidelines and section 3.1 of the CDD Guidance seem to suggest that verification via electronic sources is an acceptable alternative:
"An example of alternative verification means is verification by way of digital identification systems. Such digital identification systems should rely upon technology, adequate governance, processes and procedures that provide appropriate levels of confidence that the system produces accurate results";
"Under Article 8 of the AML-CFT Decision, LFIs are required to identify each customer and verify the customer's identity using documents, data, or any other identification information from a reliable and independent source. This requirement is technology neutral and expressly permits LFIs to use documentary as well as non-documentary sources (i.e., information or data) when performing identification and verification; it does not impose any restrictions on the form-physical or digital-that identity evidence must take, nor does it impose limitations as to the use of digital ID systems for the purpose of linking a customer's verified identity to a unique, real-life individual, provided this is done using a "reliable" and "independent" source. As such, LFIs are permitted to utilise digital ID systems as well as physical forms to perform customer identification and verification, consistent with the expectations set forth in this Guidance".
Therefore, it may be argued that, so long as a copy of the customer's ID is collected as required under Article 8(1) of the AML-CFT Decision, the address may be subsequently verified via any sufficiently reliable means, whether documentary or electronic.
Cited Sources:
-
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("ML Regulations")
-
Guidance by the Joint Money Laundering Steering Group, Part I ("Guidance")
Is it required to collect user address information?
Yes, it is necessary to collect an individual customer's residential address, according to the Joint Money Laundering Steering Group (JMLSG) Guidance. Para. 5.3.29 thereof specifically states that "knowledge of an individual's residential address is central to being reasonably satisfied that the customer is who they say they are".
Is it required to verify user address information?
No particular method of verifying address is explicitly promoted. Furthermore, para. 5.3.112 of the Guidance emphasizes that address data does not even necessarily have to be validated in all cases (e.g., it may be omitted when the customer lacks a permanent place of residence); this is a matter within obliged entities' discretion.
Is it permissible to use document-free methods for address verification?
As a general rule, Art. 27(19) of the ML Regulations explains that "information may be regarded as obtained from a reliable source [...] where - (a) it is obtained by means of an electronic identification process [...]; and (b) that process is secure from fraud and misuse and capable of providing assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing". Therefore, obliged entities are granted a broad margin of discretion in their choice of CDD procedures, and electronic solutions are within the scope of permissible remote onboarding methods.
Furthermore, as per paras. 5.3.72 and 5.3.80 of the Guidance, address - like any other identity attributes - may be confirmed via electronic checks, including by relying on external databases so long as they are sufficiently robust.
Cited Sources:
Is it required to collect user address information?
Yes, as per the BSA ("Customer Identification Program: minimum requirements", section 1020.220(a)(2)(i)(A)), identity data to be collected from each individual customer includes: "address, which shall be: (i) for an individual, a residential or business street address; (ii) for an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual".
Is it required to verify user address information?
As a general rule, the BSA (section 1020.220(a)(2)(ii)) dictates that financial institutions must have in place "procedures for verifying the identity of the customer, using information obtained in accordance with paragraph (a)(2)(i) of this section" [identity data, including address]. Therefore, it would likely be expected for a financial institution to validate the previously collected user address information unless it can reasonably demonstrate that, even without this check, it knows the customer's identity.
Is it permissible to use document-free methods for address verification?
Yes, the BSA (section 1020.220(a)(2)(ii)) states that both documentary and non-documentary verification methods (as well as their combinations) are acceptable so long as the chosen procedures "enable the [obliged entity] to form a reasonable belief that it knows the true identity of each customer". Several examples of non-documentary KYC processes are also given for reference, such as "contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement".
Cited Sources:
- 2022 Law on Anti-Money Laundering ("AML Law")
Is it required to collect user address information?
Yes; based on Article 10(1) of the AML Law, an individual customer's address in Vietnam and/or abroad (whichever is applicable depending on the person's citizenship and residence) needs to be collected.
Is it required to verify user address information?
Yes; while Article 10(1) of the AML Law lists residential address as part of "customer identification data", Article 12(1) stipulates the obligation to verify this dataset via documents and information which, in the case of individual customers, must include "identity card, citizen identification card or passport with valid term of use; other documents issued by competent authorities".
Is it permissible to use document-free methods for address verification?
According to Article 12(2) of the AML Law, " reporting subjects can exploit information in national databases according to the provisions of law, through competent state agencies and other organizations specified in Article 13 [a third-party provider engaged by the reporting subject] or regulated third parties specified in Article 14 [a financial institution or a legal entity in a related non-financial industry that has established relationships with customers (excluding agency and outsourcing relationships); conducts CDD according to the AML Act of, for foreign entities, the FATF recommendations; is subject to the management and supervision of a competent authority] of this Law to compare and verify information provided by customers". This grants regulated entities an option to validate address via official electronic sources where it is not already featured in the identity document presented by the customer.
Updated about 22 hours ago