Documentation
API ReferenceChangelogFAQDashboard

Solution compliance assessment

Global compliance made effortless using Non-Doc Address Verification.

Sumsub offers its state-of-the-art Non-Doc Address Verification solution to address the growing demand for automation, speed, and reduced manual intervention in KYC onboarding processes for both obligated financial institutions and their customers.

While Non-Doc Address Verification is a relatively new user residency verification method, it has already been widely recognized by regulatory authorities on a global basis and made a significant operational impact for clients who have decided to implement it.

The following analyses elaborate on the compliance of Non-Doc Address Verification with national AML/CTF regulations of multiple jurisdictions by examining in detail the requirements for customer risk assessment, data collection, and verification.

Regulatory recognition

The table below provides a regulatory compliance scoring framework designed by the Sumsub's Legal team. Each in-scope jurisdiction is given an overall rating based on the degree to which it permits document-free methods for customer Address Verification under the national AML/CTF laws.

Each individual country assessment offers detailed information on the nature of the findings, the rationale for the compliance score, the regulatory basis for the assessment, and a summary outlining Sumsub's interpretation and position.

For convenience purposes, the jurisdictions have also been segmented into tabs based on the overall score they were given.

ScoreDescription
1The use of document-free address verification as a standalone method is expressly allowed.
2AThe use of document-free address verification as a standalone method is not expressly prohibited.
2BThe use of document-free address verification as a standalone method is expressly allowed in specific cases.
3The use of document-free address verification as a standalone method is expressly ruled out.

📘

Note

In Brazil, both the Score 2A and the Score 3 levels are applied:

  • Score 2A — for Betting Operators and Financial Institutions regulated by the Central Bank of Brazil.
  • Score 3 — for entities regulated by the Securities and Exchange Commission of Brazil.

Cited Sources:

Is it required to collect user address information?

Yes; Part 4.2.3 of the AML/CFT Rules sets out the minimum KYC information to be collected about an individual customer, which includes their residential address.

Is it required to verify user address information?

As per Part 4.2.6 of the AML/CFT Rules, at least the customer's (i) full name and either (ii)(a) date of birth or (ii)(b) residential address have to be verified.

Is it permissible to use document-free methods for address verification?

Part 4.2.7 of the AML/CFT Rules lists the acceptable methods of verifying the above-mentioned customer data: "(1) reliable and independent documentation; (2) reliable and independent electronic data; or (3) a combination of (1) and (2) above".

Furthermore, the AML/CTF Rules offer different "safe harbour" verification approaches (documentation-based and electronic-based) depending on the risk profile of the customer. Where the risk is medium or lower and the electronic method is chosen, "use of reliable and independent electronic data from at least two separate data sources is required. The entity must also verify that the customer has a transaction history for at least the past 3 years" (AML/CTF Rules, Parts 4.2.12 - 4.2.14).Thus, it is permissible to verify addresses electronically, provided that the customer's full name is validated against a different source.

Cited Sources:

Is it required to collect user address information?

As per Article 26(2) of the AML Law, an individual customer' identification data shall include "last name, first name, date and place of birth and, to the extent possible, address".

Is it required to verify user address information?

In accordance with Article 27(2) of the AML Law, unless simplified due diligence measures are warranted, it is required to verify all information collected pursuant to Article 26(2) (where this is the case) against "one or more supporting documents or reliable and independent sources of information enabling them to confirm this data".

In relation to address validation specifically, section 2.3.2(a) of the NBB Guidance further explains that "financial institutions' internal procedures should determine the measures to be taken to fulfil this legal obligation in a sufficiently precise manner. When the supporting document used to verify the customer's identity provides relevant information on the customer's address, this document should logically also be considered as the source of relevant information on their address. When this is not possible (in particular if the supporting document does not mention the customer's address), the internal procedures should determine how this information can be obtained. In these cases, a simple declaration signed by the customer, agent or beneficial owner concerning their address generally suffices if the customer, business relationship or transaction does not present a high ML/FT risk".

Is it permissible to use document-free methods for address verification?

Based on the above-cited position of the NBB, address needs to be corroborated by evidence stronger than a self-declaration only if the customer's risk profile is high. However, even in that case regulated entities retain a broad margin of discretion and apparently may choose whatever means of address verification they deem appropriate, so long as such means allow them to confirm the data in question with sufficient precision.

Cited Sources:

Is it required to collect user address information?

As per both the Guidance Notes (see, e.g., section 7.3.5) and the 2019 Guidelines (see, e.g., section 3.3), both the current and permanent addresses of an individual customer (if different) need to be collected.

Is it required to verify user address information?

As per section 7.3.5 of the Guidance Notes, it is recommended to verify address via one of the following methods:

  • provision of a recent utility bill, tax assessment or bank statement containing details of the address (to guard against forged copies it is strongly recommended that original documents are examined);
  • checking the voter lists;
  • checking the telephone directory;
  • visiting home/office;
  • sending thanks letter.

Is it permissible to use document-free methods for address verification?

While the above-cited provision of the Guidance Notes is phrased as a recommendation rather than an obligation, address verification methods not listed therein might require additional justification from the regulated entity. If the regulated entity chooses to rely on electronic sources for this check, it may therefore be advisable to consult either the "voter lists" or the "telephone directory".

Cited Sources:

Is it required to collect user address information?

Yes; for example, Part I, Title IV, section 4.2.2.2.1.1.3.2 of the Prudential Standards lists address among other identity attributes to always be "obtained and kept updated" as part of the KYC procedure.

Likewise, Art. 5.2(a) of the External Circular 100-000005 states: "To strengthen the security of the process of KYC, and when the transaction allows it, it is recommended, as an example, the following: get to know by any legal means the origin of resources, verify the customer's identity, their address [...]".

Is it required to verify user address information?

Based on the following provision of the Prudential Standards, only the identity document presented by the customer is subject to mandatory verification (while a separate procedure for address validation is recommended as shown above but not obligatory):

"4.2.2.2.1.1.1.1. Client identification. The supervised institutions must have policies and procedures that allow them to identify and verify the identity of the potential client, whether it is a natural person, legal entity or structure without legal status, at the time of their linking in face-to-face environments or not.

In the case of natural persons, such policies and procedures must consist in verifying the identity document issued by the competent authority[...]".

Is it permissible to use document-free methods for address verification?

Should the regulated entity choose to verify the customer's address separately, they have broad discretion in choosing the exact method. For instance, section 4.2.2.2.1 of the Prudential Standards allows the use, among other KYC solutions, "public databases, digital citizen services providers, their own databases and/or external databases", as long as the engaged source undergoes prior risk assessment.

Cited Sources:

Is it required to collect user address information?

Yes; both the CBC AML/CFT Directive (section 4.13.1, para. 122) and the CySEC AML/CFT Directive (Fifth Appendix, para. 1) mention the customer's residential address as a necessary element of the identification procedure,therefore,its collection is mandatory.

Is it required to verify user address information?

Yes; this is emphasized in both the CBC AML/CFT Directive and the CySEC AML/CFT Directive:

  • "it is pointed out that a person's residential address is considered an integral part of the identity of the person and, thus, there needs to be a separate procedure for the verification of the customer's address" (the CBC AML/CFT Directive, section 4.11, para. 104);
  • "the address of residence and work is considered a basic element of identity of a person and, therefore, a separate procedure is followed for its verification [...] Under no circumstances shall the same evidence be accepted for the verification of the customer's identity and residential address" (the CySEC AML/CFT Directive, section 21).

Is it permissible to use document-free methods for address verification?

Both the CBC AML/CFT Directive and the CySEC AML/CFT Directive set out an exhaustive list of address verification methods that do not include electronic sources as a standalone alternative:

  • "further to the verification of name, the customer's permanent residence address is verified by one of the following ways: (i) visit to the place of residence [...], (ii) the presentation of a recent (up to 6 months) utility bill (e.g. electricity, water), or housing insurance document, or municipal taxes and/or bank account statement" (the CBC AML/CFT Directive, section 4.13.1 , para. 126);

An identical provision is contained in the Fifth Appendix to the CySEC AML/CFT Directive; additionally, it is required to obtain "a recent (up to 6 months) telephone bill, electricity bill, municipal taxes or bank account statement, or other similar document" as part of the identification data.

Nevertheless, the Directive DI144-2007-08 permits electronic verification as long as information can be retrieved from electronic databases which provide access to information referred to both present and past situations showing that the person really exists and also provide both positive information (at least the customer's full name, address and date of birth), they provide real-time updates, have transparent procedures and are approved by the Data Protection Commissioner.

Also,CySEC's amendment of theAnti-Money Laundering (AML) Directive, formalized through Directive 282/2024was designed to strengthen the existing AML/CFT framework for obliged entities regulated by CySEC, by improving measures for the prevention of money laundering and terrorist financing, particularly clarifying identification document requirements and the use of electronic verification methods.

The Cyprus regulations also aligns with the EU5AMLD and 6AMLD which emphasize a risk-based approach.There are also explicit references to the use of electronic verification methods which are not only permitted and supported by both directives.

In general, there is no explicit allowance to address verification through electronic means and on standalone basis, however, the adoption of the EU directives and the references to electronic verification methods-which are permitted as long as they are sucre and reliable-allow us to conclude that electronic address verification is also permitted as long as this is based on a risk-based approach. The Cyprus AML Law referring to the requirement of submission of documentation seems to not align with the current industry practice or the adoption of EU AML Directives.

Cited Sources:

Is it required to collect user address information?

Yes; in accordance with Section 5(1) of the AML Act, an individual customer's "address of permanent or other residence" must be obtained as part of their "identification data".

Is it required to verify user address information?

Based on Sections 8 and 8a of the AML Act, there are two self-sufficient ways of verifying an individual customer's identity:

  • where the customer is physically present, "an obliged entity records identification data [including address] and verifies them from an identity card should they be included thereon, and subsequently records the type and serial number of the identity card, the issuing country or issuing authority and the card's validity; at the same time, the obliged entity verifies the holder's appearance and the holder's facial image as pictured on the identity card". It can therefore be inferred that, where the submitted identity document does not contain the holder's address, the latter needs to be verified separately. However, there is no prescribed procedure in case of a mismatch between the address featured in the ID and that of the customer's actual residence ("document-based KYC option"); and
  • where the onboarding is conducted remotely either (i) in accordance with the eIDAS Regulation and the Act on Electronic Identification or (ii) as otherwise explicitly permitted under the Bank Act, in which case the address information is retrieved alongside the rest of the identity information ("e-KYC option").

Is it permissible to use document-free methods for address verification?

Yes; in accordance with the Sections 8a of the AML Act, non-documentary methods for address verification are permitted as long as they correspond to the approved tools used for customer onboarding.

Cited Sources:

Is it required to collect user address information?

Yes; Art. 1(2)(n) of the Legislative Decree defines "identification data" as "name and surname, place and date of birth, registered residence and domicile (where different from registered residence) and, where assigned, the tax code or, in the case of subjects other than a natural person, the name, registered office and, where assigned, the tax code".

Is it required to verify user address information?

Part 2, Section VIII of the CDD Provisions states that an individual's "identification data" (which, as shown above, includes address) needs to be "verified via a copy - obtained by fax, post, in electronic format or with similar methods - of a valid identity document", unless the customer's identity is being confirmed via an eIDAS-compliant solution (the two electronic identification schemes notified by Italy with a "high" level of assurance are Italian eID based on National ID card (CIE) and SPID (Public System of Digital Identity) identities with the Level of Assurance (LoA) 3), in which scenario, as follows from Part 2, Section III, such a copy is not necessary. However, no mandatory verification procedure is prescribed where the submitted ID does not contain address-related information (or if the regulated entity becomes aware that the address indicated in the ID is different from the customer's actual place of residence).

Is it permissible to use document-free methods for address verification?

Yes; as per Part 2, Section III of the CDD Provisions, if the person’s identity is verified using an eIDAS-notified electronic identification scheme, the address information can be verified relying on the same source. However, if the ID lacks the customer’s current address, the regulator prescribes to collect it separately but does not explicitly specify how it should be verified. Therefore, supplementary procedures adopted by regulated entities in this case could involve, e.g., requesting additional documents or consulting external data sources. The specific requirements for proof of address might vary depending on the customer's risk profile.

Cited Sources:

Is it required to collect user address information?

Yes; as per Article 27 of the Uniform AML/CFT Regulation, obtaining the address of the customer's main residence is one of the essential identification procedure elements.

Is it required to verify user address information?

Yes; in accordance with the same Article 27, "verification of [an individual customer's] address is carried out by the presentation of a document capable of providing proof [thereof] or by any other means. [...] The financial institution verifies the authenticity of the document presented".

Is it permissible to use document-free methods for address verification?

Based on the above-cited provision, there are no restrictions regarding possible address verification methods; therefore, regulated entities may choose such solutions as they consider appropriate.

Cited Sources:

Is it required to collect user address information?

Yes; section 16(3)(a) of the AMLA requires reporting institutions to ascertain the domicile of any person as part of customer due diligence measures. Likewise, AML/CFT Policies for both FIs and DNFBPs / NBFIs (sections 14A.9 and 14.10.1 respectively), as well as section 3.3 of the CDD Guidance, name "residential and mailing address" among the minimum identification data.

Is it required to verify user address information?

Yes; as per section 16(3)(b) of the AMLA, domicile, among certain other identification data, needs to be "verified, by reliable means or from an independent source, or from any document, data or information [...] through the use of documents which include identity card, passport, birth certificate, driver's licence, constituent document or any other official or private document as well as other identifying information relating to that person".

Is it permissible to use document-free methods for address verification?

Malaysian AML/CFT regulations explicitly permit reliance on electronic sources (including databases) for CDD purposes; e.g., section 14C.16.11(c) of the AML/CFT Policy for FIs allows, in the context of non-face-to-face onboarding, to use "a database maintained by relevant authorities including the National Registration Department or Immigration Department of Malaysia; telecommunication companies, sanctions lists issued by credible domestic or international sources in addition to the mandatory sanctions lists or social media platforms with a broad outreach". This is mentioned as an equivalent alternative to requesting additional documentation such as "recent utility bills, bank statements, student identification or confirmation of employment".

Similarly, section 5.1 of the CDD Guidance emphasizes that "there is no restriction on the form of evidence to be taken by reporting institutions in verifying the identity. Reporting institutions may accept either physical documents, electronic or digital information and data, or a combination of both". The only instance where it is recommended to obtain documentary proof of address (specifically, a utility bill) is when "residential and NRIC address are different" (section 6.1).

Cited sources:

Is it required to collect user address information?

Yes, in accordance with several guidelines and acts and especially if a customer is conducting a transaction or when there is a business relationship to be established and not a mere inquiry, customer address must be collected.

The AML Act of 2009-Section 11- dictates that a reporting entity must conduct customer due diligence on:

  • a. a customer
  • b. any beneficial owner of a customer
  • c. any person acting on behalf of a customer

At the same time, the AML Act of 2011, Section 5, mentions that address must be collected for any customer conducting or seeking to conduct a transaction or proposed transaction, or service or proposed service, or making an inquiry about a service, or for each person acting on behalf of any such customer.

In accordance with Section 8 of the same Act, this requirement also applies in case of wire and transfers. However, the requirement does not apply to individuals who merely are looking to make an inquiry about a service, as clarified by Section 4 of the same Act.

In a similar manner, the above-mentioned Act, also clarifies that reporting entities must identify and collect all beneficial owners' individual addresses along with other details that must be obtained.

Referring to Enhanced Due Diligence (EDD) guideline, even though the guideline refers mainly to EDD, it also clarifies that the information that is required for standard CDD includes the customer's address (if an individual) or company identifier or registration number and registered office (if legal entity) and any other information prescribed by the Act or regulations.

Is it required to verify user address information?

The AIVCOP mentions that the reporting entity must conduct verification of a customer's address using documents (which typically includes utility bills,bank statements and other documents issued by a legitimate body) data or information issued by a reliable and independent source. This code of practice does not prescribe the way in which reporting entities can fulfil this obligation.

Furthermore, according to a Knowledge Hub related to AML and owned by the NZ government, it is clarified that there is no code of practice for verifying the address of a customer, giving flexibility in the approach a reporting entity takes. For instance, it is mentioned that hardcopies or electronic copies of bills/statements to verify addresses can be used as long as the information is accurate.

In addition, theBeneficial Ownership Guideline and Customer Due Diligence Fact Sheets (e.g., for sole traders, companies, trusts) dictate that customer information including addresses must be verified through independent and reliable sources, assuming that the use of official records, such as the Companies Office, electoral rolls, or utility bills are preferred even if in electronic form, in contrast to other document-free methods such as geolocation where reliability of information cannot be guaranteed.

Even if in general the AML regulatory and legal framework of New Zealand offers the option of a risk-assessment approach, as also dictated by the AML Act of 2009 (Section 12 and Section 58) and AML Act of 2011 (Section 13 and Schedule 1-Part 2- Section 4) giving the freedom to reporting entities to assess the risk of their company model and customer based, verification methods (either documentary or electronic) based on official records such as government data based seem to be endorsed.

Is it permissible to use document-free methods for address verification?

The AIVCOP and related guidelines, updated as recently as 2024, specify that verification should generally rely on government-issued documents or electronic data through official channels that can be independently verified.

For example,the Customer Due Diligence Guidelines (e.g., for companies, trusts, and individuals) 2024 suggest that using documents is a reliable way to verify information without excluding the use of an electronic official database.

Also, according to the AML Act 2009, electronic verification is mentioned as an option, particularly through trusted databases or digital identity verification systems, but these still typically require a document or data source (e.g., government records, credit bureau data) to cross-check information.

A reporting entity is required to conduct customer due diligence through the use of documents, data, or information issued by a reliable and independent source; following an appropriate method based on the specific situation, customer, product, service, business relationship, or transaction prescribed by regulations.

Nevertheless, self-declared addresses or purely digital methods (e.g., geolocation or IP address tracking) without corroboration are not specifically mentioned and included in the the risk-based approach of the AML/CFT Act as an option for even lower risk cases, but, at the same time, nothing prohibits their use as a supplementary check for enhancement of due diligence. All is clarified that reporting entities must ensure the verification method is robust enough to meet regulatory standards and mitigate ML/TF risks.

Additionally, Explanatory Note of 2017 on Electronic Identity Verification supports even further the endorsement of government/ other official data endorsement by dictating that an electronic source is the underlying database where authenticated core identity information is held, and against which the individual's identity is verified. In most circumstances, this is going to be information that is maintained by a government body or pursuant to legislation.

Therefore, electronic verification of address is permitted as a standalone method as long as these methods are based on verifiable data - often a document or government-issued record to confirm the address. For instance, services such as RealMe, which is a digital identity verification platform in New Zealand that includes biometric verification, database checks, and electronic identity confirmation and relying on government data and documents or other official records, seems to be highly endorsed by the Department of Internal Affairs.

Users can apply to verify their residential address through RealMe's verified identity service. This involves a process where the user's selected residential address is checked against trusted online data sources, such as New Zealand Post's records. If a match is found, the address is marked as "NZ Post verified", and no further action is required. This verified address can then be shared with organizations that use RealMe to prove where the user lives. A RealMe verified identity does not automatically include address information unless the user opts to verify it.

Thus, one could conclude that any method of non-documentary address verification, equivalent to the aforementioned local system, is accepted as a means of verification for customer information.

New Zealand's AML/CFT regime operates on a risk-based approach, meaning reporting entities can tailor their CDD measures based on the risk level of the customer or transaction. For low-risk customers (e.g., individuals with a long-standing relationship with the entity or those in low-risk jurisdictions), simplified CDD are permissible under Section 19 of the AML/CFT Act.

The Supervisory Framework Guideline (November 2019) and Sector Risk Assessments (e.g., for financial institutions, 2019 ) highlight that supervisors (e.g., Reserve Bank, Department of Internal Affairs, Financial Markets Authority) expect robust, auditable, and verifiable processes for CDD through independent and official channels implying that document-free methods of verification are not endorsed, however, electronic verification based on official and independent records could be accepted as a standalone verification method.

It is also worth mentioning that the Guidance on Expired Passports for Identification in Customer Due Diligence (2024) indicates that even electronic verification must align with the AIVCOP and rely on verifiable data, not purely document-free approaches.

In summary, as long as address verification is based on the use of official/government data (even if in electronic form) or through a system equally reliable to a governmental identity verification platform, non-documentary methods are permitted. Obliged entities should, however, always conduct a risk-assessment for different customer profiles and adopt a verification approach that properly addresses each of them. Other document-free methods (e.g., relying solely on geolocation, IP addresses, or customer statements) are not explicitly addressed or endorsed in the AML/CFT guidelines or regulations. Such methods could be seen as insufficiently reliable under the Act, as they lack the independent verification required to meet regulatory standards and there is explicit requirement that reporting entities use independent and reliable channels for verification (for both identity and address information).

Cited Sources:

Is it required to collect user address information?

Yes; Art. 6(a) of the CDD Regulations lists both "permanent address (full physical address)" and "residential address (where the customer can be located)" among data items to be collected as part of the KYC procedure.

Is it required to verify user address information?

Yes; Art. 7(2) of the CDD Regulations elaborates on the possible means of address verification:"FIs shall verify the identity of individuals by confirming the - [...]

(b) residential address through physical visitation and use of other sources, including utility bill, tax assessment, bank statement, or letter from a public authority".

In addition, as per Art. 27(2) of the CDD Regulations, "where a foreign national has recently arrived in Nigeria, the residential address in [their] home country shall be notarized". For resident non-Nigerians, a valid residence permit is obligatory.

Is it permissible to use document-free methods for address verification?

It appears that the word "including" in Art. 7(2)(b) of the CDD Regulations should not be understood as imposing a limitation, since "other sources" could in general be interpreted broadly so as to encompass, e.g., external databases. This is supported by Art. 26(1) of the CDD Regulations, applicable to non-residents and stating that "FIs shall obtain and verify applicant's name, date of birth and permanent residential address (in host country) directly through a reputable Credit Institution or FI in the applicant's country of residence or a correspondent bank, provided that particular care shall be taken when relying on identification evidence obtained from other countries".

Additionally, Nigerian AML/CFT regulations are generally favourable towards non-documentary KYC solutions. For instance, Arts. 14, 16 and 35 of the CDD Regulations, as well as Art. 26 of the AML Regulations, specify that both "physical" and "electronic" methods of customer onboarding may be adopted by financial institutions, so long as the "tiered" approach and other e-KYC standards endorsed by the CBN are complied with. In turn, the CBN 2023 Circular not only permits, but prescribes to validate customer identity data via governmental NIBSS' BVN or NIMC's NIN databases.

Therefore, it may be assumed that, where technically possible, addresses may be verified electronically at least through official national databases such as NIBSS or NIMC.

Cited Sources:

Is it required to collect user address information?

Yes; Section 12(1) of the AML Act stipulates that, in the case of a natural person, address needs to be collected among other identity data.

Is it required to verify user address information?

Based on Section 12(2) of the AML Act, "information on the customer's identity shall be verified by personal appearance with a valid proof of identity. If verification of the identity shall take place without personal appearance, additional documentation shall be presented or additional measures shall be applied". Beyond that, no obligatory address verification measures are prescribed under the AML Act, AML Regulations, or the 2019 Circular so long as the customer's identity in general is confirmed via acceptable evidence as described below.

Is it permissible to use document-free methods for address verification?

As per Section 4-3(4) of AML Regulations, where the customer is not physically present, the only acceptable onboarding solution is an eIDAS-compliant electronic signature, which is self-sufficient for KYC purposes insofar as all the required identity data (including address) had been previously obtained. However, regulated entities may choose to further validate their customers' residential addresses as part of risk mitigation or enhanced due diligence procedures. In this case, they are not limited in the choice of methods; for example, Section 4.3.1.3 of the 2019 Circular mentions "other reassuring electronic solutions" on par with "communication with the customer via postal address or digital address" or "video communication".

Cited Sources:

Is it required to collect user address information?

As per Rule 18, Section 3.4 of the 2018 RIRR, address is indeed among other identity attributes that should be collected from an individual customer before or during account opening or onboarding.

Is it required to verify user address information?

Overall, documentary evidence of identity-related information (including address) appears mandatory. See, e.g., the BSP Manual of Regulations for Banks (MORB) / Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) on Customer Due Diligence, Section 921/921Q:

  • "the covered person obtains from individual customers, at the time of account opening / establishing the relationship, the following minimum information [including address] and confirms this information with the official or valid identification documents";
  • as one of possible additional safeguards for enhanced due diligence, it is suggested to verify the address "through evaluation of utility bills, bank or credit card statement, sending thank you letters, or other documents showing address or through on-site visitation".

The above-specified provisions, however, may be overridden by Rule 18, Section 3.7 of the 2018 RIRR, stating that "covered persons shall deem the provision and submission of the PSN or PhilID as official and sufficient proof of identity, subject to the authentication requirements under the PhilSys Act [Republic Act No. 11055, or the Philippines Identification System Act] and its IRR [Implementing Rules and Regulations of Republic Act No. 11055]". This is further detailed in Circular No. 1170. Specifically, the Circular states that, "where the PCNor PSN derivative, or the Philippine ldentification (PhillD) card, in physical or digital form, is presented by the customer, it shall be accepted as official and sufficient proof of identity, subject to proper authentication, and the covered person shall no longer require additional documents to verify the customer's identity". Therefore, accessing an individual's record in the Philippine Identification System ("PhilSys") is considered a reliable way to verify their identity.

From the above it may be inferred that, so long as a customer's identity is verified via PhilSys (and their address is also extracted in this manner), no further address confirmation is needed. Conversely, where the obliged entity does not rely on PhilSys, it may be expected that address, like other identity data, will be verified based on documentary evidence.

Is it permissible to use document-free methods for address verification?

Based on the reasoning above, non-documentary address verification is possible via solutions accessing PhilSys; in other cases, the document-based approach remains prevalent.

Cited Sources:

Is it required to collect user address information?

While the Monetary Authority of Singapore (MAS) maintains separate Notices and Guidelines addressing each type of AML-regulated business (e.g., banks, merchant banks, finance companies, specified payment services, digital payment token services), the requirement to collect an individual customer's residential address is universal. See, for instance: "where a customer is a natural person, a bank must obtain residential address based on national identity card, recent utility or telephone bill, bank statement or correspondence from a government agency" (Guidelines to MAS Notice 626 - Banks, para. 6-6-2).

Is it required to verify user address information?

Based on the same para. 6-6-2 of the Guidelines to MAS Notice 626 - Banks (and identical provisions contained in the Guidelines related to other industries), user address information needs to be corroborated with evidence, specifically certain types of documentation.

Is it permissible to use document-free methods for address verification?

An exception to the document-based approach to address verification is MyInfo, a government service that enables citizens and residents to manage the use of their personal data for simpler online transactions. The 2018 MAS Circular, para. 3, describes MyInfo as a "reliable and independent source for the purposes of verifying the customer's name, unique identification number, date of birth, nationality and residential address", as well as other personal attributes. It is simultaneously confirmed that, "where MyInfo is used, MAS will not require FIs to obtain additional identification documents to verify a customer's identity".

Cited sources:

Is it required to collect address information?

The Guidance Note, while stating that full name, date of birth and unique identifying number issued by a government source are "basic attributes" that should be collected from an individual customer in any event (para. 85), also describes data such as residential address as supplementary (para. 86) and therefore, presumably, not mandatory to establish as part of the KYC procedure.

Is it required to verify user address information?

Since it is not necessary for obliged entities to collect address information in the first place, whether to do so and whether to subsequently verify such data remains within their discretion.

Is it permissible to use document-free methods for address verification?

Para. 74 of the Guidance Note emphasizes that regulated entities "have the flexibility to choose the type of information by means of which they will establish clients' identities and also the means of verification of clients' identities". More specifically, both "documents" and "electronic data issued or created by reliable and independent third-party sources" are permitted for confirming a customer's identity (para. 83) and, consequently, isolated identity attributes such as address.

Cited sources:

Is it required to collect user address information?

Yes, it is required to collect user address information based on the FINMA Circular 2016/7 on "Video and online identification", Section IV(B)(a), margin 34, stating that "the financial intermediary must also [in addition to other identity data] confirm the contracting party's residential address".

Is it required to verify user address information?

Yes, it is required to verify user address information. As per the FINMA Circular 2016/7 on "Video and online identification", Section IV(B)(a), margin 34, such information must be not simply obtained, but also further "confirmed".

Is it permissible to use document-free methods for address verification?

The FINMA Circular 2016/7 on "Video and online identification", Section IV(B)(a), margins 35-37.1, provides an exhaustive list of means by which a contracting party's residential address can be confirmed, namely: "tax invoice or any other official invoice or power, water or telephone invoices (utility bill); postal delivery; a public register, or a trustworthy, privately managed database/directory; or geolocation".

Cited Sources:

Is it required to collect user address information?

Yes; in accordance with Article 8(1) of the AML-CFT Decision, an individual customer's address needs to be obtained along with their "name, as in the identification card or travel document, nationality, [...] place of birth, name and address of employer, attaching a copy of the original and valid identification card or travel document", cumulatively referred to as "identity".

Is it required to verify user address information?

The same Article 8(1) of the AML-CFT Decision states that the customer's "identity" (consisting of the elements as cited above) needs to be verified, which therefore applies to address in particular. This is further corroborated by section 6.3.1 of the AML Guidelines:

"The verification of a customer's identity, including their address, should be based on original, official (i.e. government-issued) documents whenever possible. When that is not possible, FIs should augment the number of verifying documents or the amount of information they obtain from different independent sources".

Is it permissible to use a non-document method to verify an address?

Despite the overall preference for documentary evidence, section 6.3.1 of the AML Guidelines and section 3.1 of the CDD Guidance seem to suggest that verification via electronic sources is an acceptable alternative:

"An example of alternative verification means is verification by way of digital identification systems. Such digital identification systems should rely upon technology, adequate governance, processes and procedures that provide appropriate levels of confidence that the system produces accurate results";

"Under Article 8 of the AML-CFT Decision, LFIs are required to identify each customer and verify the customer's identity using documents, data, or any other identification information from a reliable and independent source. This requirement is technology neutral and expressly permits LFIs to use documentary as well as non-documentary sources (i.e., information or data) when performing identification and verification; it does not impose any restrictions on the form-physical or digital-that identity evidence must take, nor does it impose limitations as to the use of digital ID systems for the purpose of linking a customer's verified identity to a unique, real-life individual, provided this is done using a "reliable" and "independent" source. As such, LFIs are permitted to utilise digital ID systems as well as physical forms to perform customer identification and verification, consistent with the expectations set forth in this Guidance".

Therefore, according to the Article 8(1) of the AML-CFT Decision, the address as well as personal identifiable information may be verified via any sufficiently reliable means, whether documentary or electronic.

Cited Sources:

Is it required to collect user address information?

Yes, it is necessary to collect an individual customer's residential address, according to the Joint Money Laundering Steering Group (JMLSG) Guidance. Para. 5.3.29 thereof specifically states that "knowledge of an individual's residential address is central to being reasonably satisfied that the customer is who they say they are".

Is it required to verify user address information?

No particular method of verifying address is explicitly promoted. Furthermore, para. 5.3.112 of the Guidance emphasizes that address data does not even necessarily have to be validated in all cases (e.g., it may be omitted when the customer lacks a permanent place of residence); this is a matter within obliged entities' discretion.

Is it permissible to use document-free methods for address verification?

As a general rule, Art. 27(19) of the ML Regulations explains that "information may be regarded as obtained from a reliable source [...] where - (a) it is obtained by means of an electronic identification process [...]; and (b) that process is secure from fraud and misuse and capable of providing assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing". Therefore, obliged entities are granted a broad margin of discretion in their choice of CDD procedures, and electronic solutions are within the scope of permissible remote onboarding methods.

Furthermore, as per paras. 5.3.72 and 5.3.80 of the Guidance, address - like any other identity attributes - may be confirmed via electronic checks, including by relying on external databases so long as they are sufficiently robust.

Cited sources:

Is it required to collect user address information?

Yes, as per the BSA ("Customer Identification Program: minimum requirements", section 1020.220(a)(2)(i)(A)), identity data to be collected from each individual customer includes: "address, which shall be: (i) for an individual, a residential or business street address; (ii) for an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual".

Is it required to verify user address information?

As a general rule, the BSA (section 1020.220(a)(2)(ii)) dictates that financial institutions must have in place "procedures for verifying the identity of the customer, using information obtained in accordance with paragraph (a)(2)(i) of this section" [identity data, including address]. Therefore, it would likely be expected for a financial institution to validate the previously collected user address information unless it can reasonably demonstrate that, even without this check, it knows the customer's identity.

Is it permissible to use document-free methods for address verification?

Yes, the BSA (section 1020.220(a)(2)(ii)) states that both documentary and non-documentary verification methods (as well as their combinations) are acceptable so long as the chosen procedures "enable the [obliged entity] to form a reasonable belief that it knows the true identity of each customer". Several examples of non-documentary KYC processes are also given for reference, such as "contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement".

Cited sources:

Is it required to collect user address information?

Yes; as per Appendix 1 to the 2017 CBU Resolution, permanent and/or temporary address is among the data attributes to be collected from individual customers for identification purposes.

Is it required to verify user address information?

There is no explicit requirement to verify address in the cited sources, arguably because every national ID acceptable for KYC purposes as per the 2017 CBU Resolution (passport, ID card, new-model driving license) already contains this data.

Is it permissible to use document-free methods for address verification?

  • where the identity verification is conducted on the basis of identity documents, address is considered confirmed as a result of being featured in such documents;
  • where the identity verification is conducted via "digital authentication" (as per the 2021 CBU Decision), which does not require the customer to present an ID, the obliged entity is expected to retrieve the information about the customer's place of residence from the "Electronic Government" database;
  • otherwise, the address verification method is determined by the obliged entity within its discretion.

Cited sources:

Is it required to collect user address information?

Yes; based on Article 10(1) of the AML Law, an individual customer's address in Vietnam and/or abroad (whichever is applicable depending on the person's citizenship and residence) needs to be collected.

Is it required to verify user address information?

Yes; while Article 10(1) of the AML Law lists residential address as part of "customer identification data", Article 12(1) stipulates the obligation to verify this dataset via documents and information which, in the case of individual customers, must include "identity card, citizen identification card or passport with valid term of use; other documents issued by competent authorities".

Is it permissible to use document-free methods for address verification?

According to Article 12(2) of the AML Law, "reporting subjects can exploit information in national databases according to the provisions of law, through competent state agencies and other organizations specified in Article 13 [a third-party provider engaged by the reporting subject] or regulated third parties specified in Article 14 [a financial institution or a legal entity in a related non-financial industry that has established relationships with customers (excluding agency and outsourcing relationships); conducts CDD according to the AML Act of, for foreign entities, the FATF recommendations; is subject to the management and supervision of a competent authority] of this Law to compare and verify information provided by customers". This grants regulated entities an option to validate address via official electronic sources where it is not already featured in the identity document presented by the customer.

Cited Sources:

Is it required to collect user address information?

Yes; as per Article 22 of the UIF Resolution, all individual customers of a regulated entity must be identified by, inter alia, their "actual address (street, number, town, province, country and postal code)".

Is it required to verify user address information?

The UIF Resolution is mostly silent on address validation. Notably, Article 22 does specify how the customer's full name and surname, type and number of identity document should be verified (namely, by a copy of an identity document), but no similar guidance is provided for other identity attributes such as address. Therefore, presumably, it is the obliged entities' choice whether and via which means to perform address verification.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification are prescribed, nor is it evident from the UIF Resolution that it is necessary in the first place, regulated entities may choose any methods of validating their customers' addresses they consider reasonable.

Cited Sources:

Is it required to collect user address information?

The Securities and Exchange Commission (CVM) and the Central Bank of Brazil do require at least address collection; respectively:

  • in accordance with Annex B, Article 1 of the CVM Resolution, complete address (street, complement, district, city, state and zip code) along with other data such as name and date of birth should be obtained;
  • as per Article 18 of the CB Circular, obliged entities "must adopt procedures that allow them to qualify their clients through the collection, verification and validation of information [...]" including, in the case of natural persons, their place of residence.

Additionally to address of residence, obligated betting operators must collect bettors' IP addresses at the registration stage and during each change in registration, as stipulated in Articles 31-32 of Portaria 1231.

Is it required to verify user address information?

As shown above, Art. 18 of the CB Circular indeed prescribes to not only collect, but also verify address information. Similarly, Annex B, Article 1 of the CVM Resolution specifies that an individual customer's records must include "proof of residence or domicile" as a document copy (although there is no exhaustive list of acceptable documents).

Is it permissible to use a non-document method to verify PoA?

In the case of banks and financial institutions, Article 16(1) of the CB Circular states: "The institutions shall adopt identification procedures that allow verifying and validating the identity of the client. The procedures shall include obtaining, verifying and validating the authenticity of customer identification information, including, if necessary, by comparing this information with those available in public and private databases". This is applicable to verification of both identity and its isolated components such as residential address.

However, as per the above-cited provisions of the CVM Resolution, only documentary proof of address may be accepted by CVM-regulated entities; electronic sources may only be relied on for supplementary evidence.

As for the betting operators specifically, the requirements regarding residential address verification are not described; however, they must collect bettors' IP addresses at the registration stage and during each change in registration.

Cited Sources:

Is it required to collect user address information?

Section 11(1) of the AML Act prescribes to collect the following identification data of natural persons: "name and civil registration number or similar if the person in question does not have a civil registration number. Should the applicant not have a civil registration number or similar, the identity information shall include date of birth". Therefore, address is not explicitly required.

Is it required to verify user address information?

Danish AML/CFT regulations stipulate no separate obligation to verify the customer's address. However, it is mentioned in Section 14 of the FSA Guide as one of possible enhanced due diligence measures.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider reasonable.

Cited Sources:

Is it required to collect user address information?

Yes; as per §21, subsection 1, clauses 1-2 of the AML Act, a customer who is a natural person has to be identified by, inter alia, their "place of residence or location".

Is it required to verify user address information?

As a general rule, §21, subsection 2 of the AML Act prescribes to verify customer identification data (including address) "using information originating from a credible and independent source". However, no further detailed guidance is offered in relation to the validation of address specifically.

Is it permissible to use document-free methods for address verification?

In the absence of instructions to the contrary, it may be assumed that, while regulated entities are indeed expected to verify address-related information, they are not restricted in their options of doing so and, provided that the customer's address is not already reliably confirmed in the course of general identity verification, both documentary and non-documentary supplemental checks can be used.

Cited Sources:

Is it required to collect user address information?

Yes; Chapter 3, Section 3(2) of the AML Act, outlining the minimum data required for customer due diligence, encompasses address among other identity attributes. Para. 104 of the FIN-FSA Guidelines further elaborates that this requirement refers "as a rule to the address of the customer's permanent place of residence. Where necessary, a temporary address may be saved instead of, or in addition to, a permanent address".

Is it required to verify user address information?

In relation to address verification, para. 105 of the FIN-FSA Guidelines suggests that "it is enough as a rule that the supervised entity records the customer's contact address through which the customer can be reached by letter mail if the customer does not have a permanent or temporary address, or the customer does not want to disclose the address due to a valid non-disclosure for personal safety. The supervised entity shall assess on a risk-sensitive basis the importance of the lack of the customer's permanent or temporary home address on the overall risk involved in the customer relationship and whether the supervised entity is able to manage these risks". Beyond that, no detailed instructions are provided, implying a broad margin of discretion reserved for regulated entities.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider appropriate.

Cited Sources:

Is it required to collect user address information?

Whereas Art. R561-5 of the Monetary and Financial Code of France requires regulated entities to identify their individual customers by collecting their "first and last name, as well as their date and place of birth", this obligation does not encompass residential address.

Is it required to verify user address information?

Whereas regulated entities may choose to verify a customer's residential address as part of risk mitigation or enhanced due diligence, para. 131 of the ACPR Guide appears to suggest that it is not a necessity:"The collection of [proof of address] is therefore not essential for knowledge of the business relationship. Financial institutions determine, in their internal procedure, using a risk-based approach, whether proof of the home address is an element to be collected and, in this case, the type of proof to be collected".

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider appropriate.

Cited Sources:

Is it required to collect user address information?

Yes; as per sections 4.3.2-4.3.5 and 4.3.13-4.3.17 of the HKMA Guideline, the following identification and verification requirements are applicable to financial institutions:

  • "for customers who are natural persons, the full name, date of birth, nationality, unique identification number and document type, as well as residential address".

Section 4.2.4 of the SFC Guideline contains an identical requirement to collect an individual customer's residential address.

Is it required to verify user address information?

No; based on the HKMA Guideline, authorized entities are required to collect the address, but not necessarily verify it. However, pursuant to the footnote of section 4.3.5 of the HKMA Guideline, an authorized entity may, under certain circumstances, require such verification for other purposes (e.g. group requirements, other local or overseas legal and regulatory requirements). In this case, it should communicate clearly to the customers the reasons why it requires proof of residential address. The SFC Guideline (see the footnote to section 4.2.4) adopts the same approach.

The SFC Guideline (see the footnote to section 4.2.4) adopts the same approach.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider reasonable.

Cited Sources:

Is it required to collect user address information?

Out of all acceptable methods of identity verification listed in Chapter VI, Part I, section 16 of the KYC Direction, only one explicitly mentions address specifically:

"For undertaking CDD, REs shall obtain the following from an individual [...]:

(a) the Aadhaar number [...]; or

(aa) the proof of possession of Aadhaar number where offline verification can be carried out; or

(ab) the proof of possession of Aadhaar number where offline verification cannot be carried out or any OVD[officially valid document] or the equivalent e-document thereof containing the details of their identity and address; or

(ac) the KYC Identifier with an explicit consent to download records from CKYCR; and

(b) the Permanent Account Number or the equivalent e-document thereof or Form No. 60 as defined in Income-tax Rules, 1962; and

(c) such other documents including in respect of the nature of business and financial status of the customer, or the equivalent e-documents thereof as may be required by the RE".

It can be inferred that, where the customer does not present an OVD featuring their address (or its substitute), address collection is still necessary but already implied under the other permitted procedures. See, for instance, regarding the Aadhaar number validation: “if a customer wants to provide a current address, different from the address as per the identity information available in the Central Identities Data Repository, they may give a self-declaration to that effect to the RE”.

Is it required to verify user address information?

Chapter 1, section 3(xiv) of the KYC Direction states that, "where the OVD furnished by the customer does not have updated address, the following documents or the equivalent e-documents thereof shall be deemed to be OVDs for the limited purpose of proof of address:-

  • utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);
  • property or Municipal tax receipt;
  • pension or family pension payment orders (PPOs) issued to retired employees by Government Departments or Public Sector Undertakings, if they contain the address;
  • letter of allotment of accommodation from employer issued by State Government or Central Government Departments, statutory or regulatory bodies, public sector undertakings, scheduled commercial banks, financial institutions and listed companies and leave and licence agreements with such employers allotting official accommodation".

No separate verification procedure is prescribed in case the customer's identity is verified via means other than their OVD. This is subject to a restriction set out in section 40(c):"Following EDD measures shall be undertaken by REs for non-face-to-face customer onboarding (other than customer onboarding [using Aadhaar OTP based e-KYC]): [...]

c) Apart from obtaining the current address proof, RE shall verify the current address through positive confirmation before allowing operations in the account. Positive confirmation may be carried out by means such as address verification letter, contact point verification, deliverables, etc."

Is it permissible to use document-free methods for address verification?

With the exception of the case where the customer presents an OVD not featuring their current address and provided they are being onboarded via Aadhaar OTP-based e-KYC, no additional address verification procedures appear to be required. However, if the regulated entity prefers to further confirm the customer's address, they may choose any means of doing so.

Cited Sources:

Is it required to collect user address information?

Yes; Art. 25(1) of the OJK Regulation specifies it is necessary to collect an individual customer's "residential address according to the ID and other residential addresses, if any".

Is it required to verify user address information?

It appears that the fact a person's identity document contains an address serves as sufficient evidence of the latter's validity. The OJK Regulation further states that, where the actual residential address of the customer differs from the one indicated in the ID, the alternative address needs to be recorded as well; however, no particular verification procedures are prescribed.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist (besides extracting the address information out of the customer's ID), regulated entities may choose any methods they consider reasonable.

Cited Sources:

Is it required to collect user address information?

Yes; section 5.6.7.2 of the Prudential Guidelines, addressing non-face-to-face onboarding specifically, emphasizes an obliged entity must "ensure that there is sufficient communication to confirm address and personal identity" of an individual customer.

Is it required to verify user address information?

Yes; as per section 5.6.7.4 of the Prudential Guidelines, "the procedures to check identity must serve two purposes: (i) they must ensure that a person bearing the name of the applicant exists and lives at the address provided; and (ii) that the applicant is that person". From this, it can be inferred that user address information needs to be supported with evidence.

Is it permissible to use document-free methods for address verification?

In terms of address verification specifically, obtaining a utility bill or other forms of documentation is recommended under paras. 5.6.5.1 and 5.6.7.7 of the Prudential Guidelines as the best practice and there are no explicit references to the possibility of relying on electronic sources instead. However, para. 5.6.7.5 suggests this method is not the only permissible one and ultimately "it is for each institution to decide upon which checks to employ".

Cited Sources:

Is it required to collect user address information?

Neither the AML Law nor the Order stipulates a necessity to collect user address information. However, as per Art. 10(1)(6) of the AML Law, it is required to understand an individual customer's "citizenship (except for the cases where it is optional in the identification document) and in the case of a stateless person - the state which issued their identification document". While obliged entities may still be expected to collect data related to the customer's location (e.g., to determine whether enhanced due diligence should be applied to the customer or to fulfill the requirement to obtain the customer's IP data as set out in para. 26 of the Order), the format in which this information should be gathered and confirmed is determined by the obliged entity itself.

Is it required to verify user address information?

The AML/CFT regulations of Lithuania do not specify any particular means for verifying the customer's residential address.

Is it permissible to use document-free methods for address verification?

Yes, insofar as this matter is not explicitly regulated under the AML Law or the Order and obliged entities have the freedom of discretion in it.

Cited Sources:

Is it required to collect user address information?

Pursuant to Art. 12 of the General Rules and Annexes thereto, the scope of identification data to be collected from individual customers depends on whether the person is a local citizen or permanent resident and whether they have their current place of residence abroad. In the latter case, both the foreign residential address and the address in Mexico where the customer "can receive correspondence" must be submitted. See, e.g., Annex 3 (relating to natural persons who are citizens of Mexico or foreign citizens with a temporary or permanent residence permit):"vi) Home address at your place of residence, consisting of the following information: name of the street, avenue or road in question, duly specified; exterior number and, where applicable, interior number; neighborhood or urbanization; territorial demarcation, municipality or similar political demarcation that corresponds, where applicable; city or town, federal entity, state, province, department or similar political demarcation that corresponds, where applicable; postal code and country";"[...] Additionally, in the case of persons who have their place of residence abroad and at the same time have an address in national territory where they can receive correspondence addressed to them, the data relating to said address must be entered in the file, with the same elements as those contemplated in section vi) above".

Additionally, in 2021, it was prescribed that financial institutions track the real-time geolocation of their customers with an otherwise unknown location when they perform remote operations via their devices.

Is it required to verify user address information?

Regarding address verification, the approach also varies depending on the customer's citizenship and place of residence:

  • for Mexican citizens permanently residing in Mexico, no specific requirements are prescribed;
  • for Mexican citizens or foreign citizens with a temporary or permanent Mexican residence permit who reside abroad, proof of address is necessary when "the address stated by the [person] does not match the one on the identity document or the latter does not contain it" (General Rules, Annex 3);
  • for foreign citizens permanently residing abroad and without a Mexican residence permit, proof of address is necessary in relation to "the address in the national territory where the [person] may receive correspondence addressed to them" and when "the address stated by the [person] does not match the one on the identity document or the latter does not contain it" (General Rules, Annex 5).

Is it permissible to use document-free methods for address verification?

Insofar as no address verification methods are prescribed as mandatory in relation to Mexican citizens permanently residing in Mexico, it can be assumed that document-free solutions are permissible. Otherwise, where proof of address is explicitly required, both Annex 3 and Annex 5 to the General Rules specify it needs to be in the form of "a copy of a document that proves the [customer's] address, which may be a receipt for payment for home services or bank statements, all of them [...] not older than three months from the date of issue, or the contract of lease in force on the date of submission by the [customer] and registered with the competent tax authority, the Certificate of registration in the Federal Registry of Taxpayers, as well as any other documents that, where applicable, are approved by the UIF".

Cited sources:

Is it required to collect user address information?

In terms of wire transfers and in accordance with the Reports Act which concerns financial transactions of financial institutions and its provisions in Article 5-3, part 2 relevant to "foreign transfers", the address and the residence registration number of the remitter must be recorded. In addition, under the same act, the address of a customer subject to Enhanced Due Diligence must be recorded.

Is it required to verify user address information?

With regard to Financial Institutions subject to KoFIU's regulations and guidelines and customers who are natural persons, addresses need to be verified in accordance with the AML Regime Policy. On the other hand, the Policy makes reference to the Article 10(4) of the Enforcement Decree which is now removed and deleted from the Act. Therefore, there is doubt whether the verification obligation prescribed by the KoFIU is up to date.

Is it permissible to use document-free methods for address verification?

The use of electronic KYC methods is not expicitly prohibited and from an overall industry practice assessment it seems that it is widely used and also actively being developed in South Korea, particularly in the financial services industry. Nevertheless, South Korea does not have a single, universal digital ID system for all citizens that encompasses every aspect of their identity and is also readily used across all government and private sectors like some other countries.

There is also information that the individuals with physical cards that have been issued before 2025 need to visit an immigration office to scan a QR code to obtain the digital version, and those with cards issued after January 1, 2025, can obtain the digital version by reading their IC chip-embedded card on their smartphone. This implies that the existing information on the physical residence card will be used for the digital version. The key information would likely include the same information found on the physical residence card:

  • Name.
  • Nationality.
  • Resident registration number (or other equivalent identification number).
  • Photo.

Thus, the address information verification with regard to South Korean residents will be possible to verify via a universal digital identity system, through the provision of a resident registration number.

The conclusion from analysing South Korea's AML framework including The Act on Reporting and Use of Certain Financial Transactions Information, each institution should conduct its own risk assessment, meaning the risk level associated with a customer should be assessed as higher-risk customers may still require more traditional documentary verification.

Cited Sources:

Is it required to collect user address information?

As per Article 4bis of the AML Law, in relation to natural persons that are ultimate beneficial owners for the purposes of the business relationship in question, only the "country of residence" is required to ascertain their address. There are no further indications in the AML Law or the Royal Decree that the information on the customer's place of residence needs to be collected with higher precision.

Is it required to verify user address information?

In terms of the overall identity verification duty, Articles 3 and 12 of the AML Law generally require a copy of the customer's "reliable document" (unless the KYC procedure is being conducted via an eIDAS-compliant qualified electronic signature, which exemption is provided under Article 12(1)(a) of the AML Law). In turn, a "reliable document", pursuant to Article 6(1)(a) of the Royal Decree, means:

  • for individuals who are Spanish nationals, the national identity card;
  • for foreign individuals, the residence card, foreign identity card, passport or, in the case of citizens of the European Union or the European Economic Area, the official personal identity document, letter or card issued by the home authorities;
  • exceptionally, obliged subjects may accept other personal identification documents issued by a government authority provided they enjoy adequate guarantees of authenticity and show a photograph of the holder.

However, no mandatory verification procedures are prescribed where the presented identity document does not feature the customer's address.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification (besides collecting a copy of the customer's identity document) exist, regulated entities may choose any methods they consider appropriate.

Cited Sources:

Is it required to collect user address information?

Chapter 3, Section 5 of the FI Regulations, governing non-face-to-face onboarding, sets out two alternative methods for performing KYC remotely:

  • "using electronic identification to produce an advanced electronic signature as set forth in the Act (2016:561) laying down additional requirements to the EU Regulation on electronic identification or by using any other technology for electronic identification which provides equivalent certainty" ("e-KYC option"), or
  • "verifying the natural person's identity in an appropriate manner by:
    • obtaining information regarding the person's name, address, personal identity number or equivalent;
    • verifying the information against external registers, certificates, or other equivalent documentation, and
    • contacting the natural person by sending a confirmation to the person's address in the population register or other reliable address, or ensuring that the person sends a certified copy of an identity document, or other equivalent measure" ("document-based KYC option").

Accordingly, only the "document-based KYC option" requires a separate procedure for address collection.

Is it required to verify user address information?

As demonstrated above, only the "document-based KYC option" necessitates address verification; furthermore, it needs to be conducted specifically via physical correspondence with the customer.

Is it permissible to use document-free methods for address verification?

Consequently, only the "e-KYC option" (which does not prescribe address verification specifically in the first place) permits reliance on non-documentary sources as a standalone solution.

Cited sources:

Is it required to collect user address information?

Yes; in accordance with Article 13 of the Regulations, reporting entities when dealing with transactions above a certain cash amount, must record the address of customers among other details such as name and date of birth. Recording address is presented as an integral part of "CDD"

Is it required to verify user address information?

Yes; even though there are no prescribed specific references to a list of acceptable methods of verifying a customer's address/proof of address, reporting entities need to verify a customer's address in the AML Act, entities must verify a customer's address. Banks are also subject to guidelines which prescribe a documentary approach when it comes to address verification.

For instance, according to the Guidelines , Section IV, concerning banks and other financial institutions that are subject to them, reporting entities must verify a customer's address (applies to both natural and legal persons):

"IV.A bank should obtain at least following information to identify the customer identity when applying the requirements under last subparagraph:

[...]

(iii) Permanent or residence address;

V. For an individual customer that is identified by a bank as a high-risk customer or a customer that has certain high-risk factors in accordance with the bank's relevant requirements on customer ML/TF risk assessment, the bank should obtain at least any of the following information when establishing business relationship: [...] (ii) Employer's address, post office box address [...]

Also, according to Section VIII of the same Guidelines for a customer with whom a bank establishes business relationship, the bank should take following measures to verify the address of the customer through documents such as "bills, account statements, or official documents" and so forth.

In certain circumstances, financial institutions may begin the CDD process (such as obtaining identification information) before completing verification, especially to avoid disrupting business operations and always based on a risk-based approach, as dictated by Article 2 and Article 6 of the Regulations, meaning that prior to deciding that, the risk profile of the customer must be assessed based on various factors, such as the location of the client or whether they are a Politically Exposed Person (PEP). However, reporting institutions must ensure that the verification is completed as soon as reasonably practicable. Therefore, regarding certain lower risk situations, verification of address does not seem mandatory to be conducted prior to the establishment of a business relationship

Also, by assessing the industry practice of Taiwan, it is concluded that additional documents may be requested to verify the customer's address, such as utility bills, bank statements, or other official documents that clearly show the individual's name and residential address.

Is it permissible to use document-free methods for address verification?

As mentioned above, the Guidelines which banks are subject to, prescribe a documentary approach with regard to address verification and one can assume that non-documentary methods for address verification are excluded from banks' options.

In concern with the Taiwan's digital ID system, in order to verify an individual's address in conjunction with identity, residents may need to provide supporting documents such as:

  • i. Utility bills
  • ii. Bank statements
  • iii. Other official correspondence that displays the resident's name and address.

On the other hand, in accordance with Article 8 of the Act, Financial Institutions are free to adopt a risk-based approach when it comes to verifying the identity of the customer and conducting CDD. Nevertheless, it is not clear whether address is part of the identity and and there are no references to address verification therein.

In general, there are also no references found, to the use of geolocation data such as IP address as an acceptable method of verifying resident address through the national digital ID system.

In summary, the applicable Acts and Regulations in Taiwan, although there is no written exclusion or prohibition of non-documentary address verification methods, seem to give freedom to financial institutions to implement CDD measures based on a risk-based approach for lower-risk transactions. Conversely, banks appear to be obliged to follow a documentary verification approach for cash transactions and above a certain amount.

Cited Sources:

Is it required to collect user address information?

Yes; Article 4 of the Prime Minister Notification, providing the minimum identification information to be obtained in respect of an individual customer for CDD purposes, specifically mentions "address as appears in personal identification card or in the house registration and current address. In case of a foreigner, the country of citizenship and current address in Thailand shall be provided, except for the case of a foreigner with no address in Thailand, whose current address shall be used instead". The ALMO Guideline further confirms this requirement refers to:

  • in case of Thai national, meaning address in the house registration book and in case of not living therein, stating also the present address;
  • in case of alien, meaning address in the country of nationality and address in Thailand.

Is it required to verify user address information?

There appears to be no obligatory procedure for address verification prescribed under the AML/CFT regulations of Thailand. Whereas Article 5 of the AMLO Notification suggests requesting additional documentation (such as utility bills) as an enhanced due diligence measure where the customer's risk profile is high, nothing indicates that this is the only acceptable way of validating address in principle.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider appropriate.

Cited Sources:

Is it required to collect user address information?

Appendix B to the Guideline requires different sets of identity data and supporting evidence, depending on whether the individual in question is a citizen or resident of Ghana, as well as on their special status, if any (applicable to minors, students, refugees and asylum seekers, foreign diplomats and their dependents). By way of illustration, a Ghanian citizen and a foreign citizen permanently residing in Ghana would need to provide, respectively, in relation to their address:

  • Ghanian citizen:
    • Proof of residential address:
      • GPS Address, or
      • Tenancy Agreement, or
      • Any other relevant document issued by an authorized government agency or institution;
  • Foreign citizen permanently residing in Ghana:
    • Proof of Residential Address (local)
      • GPS Address, or
      • Tenancy Agreement, or
      • Any other relevant document;
    • Proof of Residential address (foreign)
      • Utility Bill, or
      • Tenancy Agreement, or
      • Any other relevant document issued by an authorized government agency or institution.

Is it required to verify user address information?

Based on the provisions cited above, user address information needs to be corroborated with evidence, specifically certain types of documentation and/or (where the customer resides in Ghana) GPS data.

Is it permissible to use document-free methods for address verification?

As demonstrated above, non-documentary confirmation of the customer's address is only possible via a GPS check and only if the place of residence is in Ghana. A non-Ghanian address (including one belonging to a foreign citizen permanently residing in Ghana) would need to be verified based on additional documentation such as a utility bill or a tenancy agreement.

Cited Sources:

Is it required to collect user address information?

Yes; pursuant to Part 2, Section 6(1) of the FI Regulations, the data subject to ascertainment in relation to a natural person includes, inter alia:

  • where the person is a citizen or resident of Botswana, the person's residential address in Botswana;
  • where the person is not a citizen or resident of Botswana, the residential address in his or her country of domicile and physical address in Botswana.

Is it required to verify user address information?

Yes; Part 2, Section 6(1) of the FI Regulations requires to collect, among other identification data, "an original of the recent council rate or utility bill receipt". The same is expressed in Section 15, stating that at least one of the following measures has to be adopted in relation to non-face-to-face onboarding: "(a) obtaining a reference from a well known professional, an employer of the customer of the specified party, or a known customer of the specified party who knows the natural person; or (b) requesting original recent council rates or utility bill receipt".

Is it permissible to use document-free methods for address verification?

Based on the above-cited provisions, while regulated entities are not prohibited from relying on electronic sources to conduct a supplementary address check, this does not negate the general obligation to collect documentary proof of address either.

Cited Sources:

Is it required to collect user address information?

The Securities and Exchange Commission (CVM) and the Central Bank of Brazil do require at least address collection; respectively:

  • in accordance with Annex B, Article 1 of the CVM Resolution, complete address (street, complement, district, city, state and zip code) along with other data such as name and date of birth should be obtained;
  • as per Article 18 of the CB Circular, obliged entities "must adopt procedures that allow them to qualify their clients through the collection, verification and validation of information [...]" including, in the case of natural persons, their place of residence.

Additionally to address of residence, obligated betting operators must collect bettors' IP addresses at the registration stage and during each change in registration, as stipulated in Articles 31-32 of Portaria 1231.

Is it required to verify user address information?

As shown above, Art. 18 of the CB Circular indeed prescribes to not only collect, but also verify address information. Similarly, Annex B, Article 1 of the CVM Resolution specifies that an individual customer's records must include "proof of residence or domicile" as a document copy (although there is no exhaustive list of acceptable documents).

Is it permissible to use a non-document method to verify PoA?

In the case of banks and financial institutions, Article 16(1) of the CB Circular states: "The institutions shall adopt identification procedures that allow verifying and validating the identity of the client. The procedures shall include obtaining, verifying and validating the authenticity of customer identification information, including, if necessary, by comparing this information with those available in public and private databases". This is applicable to verification of both identity and its isolated components such as residential address.

However, as per the above-cited provisions of the CVM Resolution, only documentary proof of address may be accepted by CVM-regulated entities; electronic sources may only be relied on for supplementary evidence.

As for the betting operators specifically, the requirements regarding residential address verification are not described; however, they must collect bettors' IP addresses at the registration stage and during each change in registration.

Cited sources:

Is it required to collect user address information?

There is only one reference with regard to address collection and that is found in the Law of 2012and Article 23, part 3, which dictates that in relevance to international electronic transfers, the sender's address of the customer must be recorded.

Is it required to verify user address information?

No; there is only reference to verification in the Law of 2012 which only mentions verification of identity which is an integral part of Customer Due Diligence. For instance, it defines verification in Article 1 as "a procedure for verifying information about the identity of the customer and (or) the beneficial owner or beneficiary, using reliable primary documents or information obtained as a result of identification" without clarifying if address is part of the aforementioned identity.

In addition, Article 13 part 4, mentions that A financial institution and certain categories of persons are obliged to implement the following measures for customer due diligence: identification and verification of the identity of the customer, beneficial owner.

Also, with regard to electronic transfers, Article 23 mentions only the collection of identification details of the sender, including the residential address, but does not mention verification of address.

Is it permissible to use document-free methods for address verification?

Even though in the Law of 2018 there are neither prescribed methods of verification and specific references regarding methods of verification such as submission of copies of identification and proof of address of customers, nor explicit exclusion of a non-documentary verification method, the use of the word "verification data" therein could indicate that verification does not have to occur only through the submission of documents but it can be conducted through discovering customer data in general as long as it is obtained through "reliable" and "independent" sources.

On the other hand, in terms of banks and other relevant financial institutions, according to The Order, remote customer identification can occur through non-documentary methods as long as they are conducted as supplementary checks for an extra layer of protection, since the regulation promotes a combination of both documentary and non-documentary checks. The guidelines emphasize the need for financial institutions to adopt and follow a stricter approach that combines both documentary and non-documentary customer verification.

Cited Sources:

Is it required to collect user address information?

Yes; in accordance with Article 4(1) of the FIAML Regulations, the "current and permanent address" of each individual customer has to be both obtained and verified, on par with other identification data, as part of the KYC procedure.

Is it required to verify user address information?

Yes; this follows from Article 4(1) of the FIAML Regulations as referred to above. Furthermore, Section 5.11 of the AML/CFT Handbook states that, where a financial institution is unsatisfied with its verification of a customer's identity or address, the respective business relationship must be terminated immediately.

Is it permissible to use document-free methods for address verification?

As per Article 4(2) of the FIAML Regulations, identification data needs to be supported with "documentary evidence as may be specified by a relevant regulatory body or supervisory authority". This is further reiterated in section 5.3 of the AML/CFT Handbook, setting out an exhaustive list of documents via which address can be validated (identity documents, utility bills, bank statements, etc.). Notwithstanding this, Section 5.11 of the AML/CFT Handbook permits reliance on electronic data sources as a supplementary safeguard, emphasizing that "the use of more than one confirmatory source to match data enhances the assurance of authenticity".

Updated 2 days ago