Legal substantiation and limitations
Ensure compliance while using Non-Doc Verification.
Sumsub offers its state-of-the-art Non-Doc Identity Verification solution to address the growing demand for automation, speed, and reduced manual intervention in KYC onboarding processes for both obligated financial institutions and their customers.
While Non-Doc Identity Verification is a relatively new user verification method, it has already been widely recognized by regulatory authorities on a global basis and made a significant operational impact for clients who have decided to implement it.
The following analyses elaborate on the compliance of Non-Doc Identity Verification with national AML/CTF regulations of multiple jurisdictions by examining in detail the requirements for customer risk assessment, data collection, and verification.
Regulatory recognition
Examples below demonstrate that document-free verification is accepted by national financial regulators.
The Unit of Financial Information (UIF) is the Argentinian AML office that regulates banks, financial institutions, online casinos, public registries, insurance companies and other industries.
In Article 23(a) of Resolución 30-E/2017 of the UIF, it is established that all individual customers of a regulated entity must be identified by at least their full name, document number and type and that only Argentinian national ID cards, or passports or ID cards issued by a foreign country, are valid documents for this purpose. Regulated entities must collect a copy of the said documents. At the same time, it is stated that “[the aforementioned provisions] are without prejudice to the provisions of Article 26 on non-face-to-face methods of identification”.
Article 26 further sets out the rules to be followed when verifying a customer’s identity remotely, establishing that it can be done via two alternative methods:
- ...through “rigorous biometric techniques or alternative technological methods of equal strength”. These imply a procedure that includes displaying the original identity document, a requirement that may be fulfilled, e.g., via a videoconference or by using the online certificate (national digital ID) issued by the National Registry of Persons (RENAPER). It is the responsibility of the obliged entity to implement the technical safeguards that ensure the authenticity, validity and integrity of the identification documents used and the correspondence of the document’s owner with the individual undergoing verification;
- ...by collecting, through the entity's website or other alternative channels, a copy of the customer’s documents as stipulated in Art. 23 and providing the customer with a personal and non-transferable credential, containing, inter alia, a set of control questions pertaining to their identity.
To enable banks and other institutions to safely verify national identity documents, the Argentinian government has set up the Digital Identity System (SID). Since the SID allows an entity to confirm that (i) an individual's facial image coincides with that taken at the time of the generation of their ID and (ii) the presented ID (or the data contained therein) is valid and belongs to the same person, by cross-matching the respective information with the RENAPER database, it is considered sufficiently secure.
Accordingly, it is possible for an Argentinian customer to use their digital ID (including by accessing the ID data via SID) as an equivalent of a standard document copy for verification.
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product and has confirmed that, at the time of review, non-documentary identity verification is permissible in Argentina and the solution deployed by Sumsub is compliant with local regulation and guidance.
The anti-money laundering and counter terrorism financing legal framework in Australia is governed primarily by the “Anti-Money Laundering and Counter-Terrorism Financing Act 2006” (the “AML/CTF Act”) and its related regulations. In turn, the “Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1)” (the “AML/CTF Rules”) are subsidiary legislative instruments made under the AML/CTF Act and elaborating on the obligations set out therein.
Specifically regarding customer identification and identity verification procedures, Part 4.2.3 of the AML/CTF Rules sets out the minimum KYC information to be collected about an individual customer: (i) full name, (ii) date of birth, and (iii) residential address; at least (i) and either (ii) or (iii) have to be subsequently verified, pursuant to Part 4.2.6.
Further, Part 4.2.7 lists the acceptable methods of verifying the above-mentioned customer data: "reliable and independent documentation; reliable and independent electronic data; or a combination of (1) and (2) above".
The AML/CTF Rules offer different “safe harbour” verification approaches (documentation-based and electronic-based) depending on the risk profile of the customer. In cases where the risk is medium or lower, the procedure should involve, respectively:
- For the documentation-based approach: “(a) an original or certified copy of a primary photographic identification document; or (b) both: (i) an original or certified copy of a primary non‑photographic identification document; and (ii) an original or certified copy of a secondary identification document”. The entity must also “verify that any document produced about the customer has not expired (other than in the case of a passport issued by the Commonwealth that expired within the preceding two years)” (AML/CTF Rules, Parts 4.2.10 - 4.2.11);
- For the electronic-based approach: use of reliable and independent electronic data from at least two separate data sources is required. The entity must also verify that the customer has a transaction history for at least the past 3 years. (AML/CTF Rules, Parts 4.2.12 - 4.2.14).
At the same time, pursuant to Part 4.10.2 of the AML/CTF Rules, when choosing an electronic source as a verification basis the reporting entity must determine:
- “Whether the electronic data is reliable and independent, taking into account the following factors: the accuracy of the data; how secure the data is; how the data is kept up‑to‑date; how comprehensive the data is (for example, by reference to the range of persons included in the data and the period over which the data has been collected); whether the data has been verified from a reliable and independent source; whether the data is maintained by a government body or pursuant to legislation; and whether the electronic data can be additionally authenticated;
- What reliable and independent electronic data the reporting entity will use for the purpose of verification;
- The reporting entity’s pre‑defined tolerance levels for matches and errors;
- Whether, and how, to confirm KYC information collected about a customer by independently initiating contact with the person that the customer claims to be”.
As one possible solution, the Australian Transaction Reports and Analysis Centre suggests the Document Verification Service (DVS):
“One option for verifying individual customer and beneficial owner identification using electronic data is the Document Verification Service (DVS). This is a secure online system managed by the Department of Home Affairs. The DVS matches government-issued identity documents directly with the government organisation that issued them. This lets you check in real time that the document is current and not lost or stolen”.
Article 10 of Law N° 9.613, commonly known as the Anti-Money Laundering Law, establishes the obligation of entities (such as banks, financial institutions, insurance companies, casinos, card issuers, leasing companies, real estate companies, and in general companies that trade luxury goods) that fall under the regulation of the Brazilian AML office (COAF) to “identify their clients and keep their registries up to date, according to the norms set out by the corresponding regulatory agency”.
In general, such regulator-specific norms are receptive of digital KYC mechanisms, with obliged entities granted relatively broad discretion in choosing the external sources to rely on.
For instance, the Securities and Exchange Commission of Brazil has established the following:
“The adoption of alternative registration systems is permitted, including by electronic means, provided that the solutions adopted satisfy the objectives of the current rules and the procedures are trustworthy. [...] the procedures adopted [must] allow to confirm the customer's identification with precision” ("CVM Instrução 617", Art. 12);
In the case of banks and financial institutions, the Central Bank of Brazil has set out the following rules:
“The institutions shall adopt identification procedures that allow verifying and validating the identity of the client. The procedures shall include obtaining, verifying and validating the authenticity of customer identification information, including, if necessary, by comparing this information with those available in public and private databases” (“BACEN/DC Circular No. 3978 of 01/23/2020”, Art. 16(1));
Nevertheless, for banking institutions a fully non-documentary KYC flow might only be possible in relation to local residents, since onboarding a person who does not have a CPF (Natural Persons Register) taxpayer identification number requires collecting an ID copy:
“In the customer identification process, at least: - the full name and [CPF number], in the case of a natural person [must be collected]; [...] In the case of a client who is a natural person residing abroad who is not required to register with the CPF, in the form defined by the Federal Revenue Secretariat of Brazil, the use of a travel document in accordance with the Law is permitted, and at least the issuing country, the number and the type of the document must be collected” (“Circular No. 3978 by the Central Bank”, Art. 16(2-3)).
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product and has confirmed that, at the time of review, non-documentary identity verification is permissible in Brazil and the solution deployed by Sumsub is compliant with local regulation and guidance.
The guidance on “Methods to verify the identity of persons and entities” by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) recognizes five methods of KYC. Two of these methods don’t require referral to the customer’s identity document.
The credit file method allows the customer’s identity to be verified based on the information in their credit file. The credit file must be from a Canadian credit bureau and match the name, address, and date of birth of the customer.
The dual-process method allows the customer’s name, address, date of birth, and/or financial account to be verified using two different reliable sources.
The guidance suggests the following definition of reliable sources: “To be considered reliable, the source should be well known and considered reputable. For example, a reliable source could be the federal, provincial, territorial or municipal levels of government, Crown corporations, federally regulated financial institutions, or utility providers. Social media is not an acceptable source of information to verify a person's identity”.
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product and has confirmed that, at the time of review, non-documentary identity verification is permissible in Canada and the solution deployed by Sumsub is compliant with local regulation and guidance.
Overall, Colombian AML regulations do not impose any particular limitations on remote identity verification means. Law n. 1121 of 2006 Establishing Regulations for the Prevention, Detection, Investigation and Punishment of the Financing of Terrorism, Art. 27, refers to the general identification duty under the AML/CFT framework: “The Colombian State and the Territorial Entities must fully identify the natural and legal entities that enter into a contracted business relationship, as well as the origin of their funds in order to prevent criminal activity”.
External Circular 100-000005 by the Superintendencia Financiera de Colombia (SFC) provides some details on what this requirement could entail in practice in Art. 5.2(a):
“To strengthen the security of the process of KYC, and when the transaction allows it, it is recommended, as an example, the following: Get to know by any legal means the origin of resources, verify the customer's identity, their address and phone number, and according to the characteristics of the negotiation, request a certificate of good standing and power of representation in the case of corporations and any other additional documentation that is considered to be relevant. Information provided by the customer, as well as the name of the person that verified it, must be duly stored, with a time and date stamp, for evidence purposes of the due diligence”.
Art. 5.2(f) of the same Circular reiterates that, “if a certain negotiation does not require the physical presence of the parties, it is essential that the company adopts the necessary measures for the full identification of the natural or legal person with whom the transaction will be carried out”.
Additionally, the 2023 GAFILAT Report refers to the following requirements established by the SFC:
“...item 4.2.2.2.1 of the Legal Basic Circular <...> amended in 2020 sets forth that supervised entities may not initiate formal or legal relations with the potential customer before (i) information has been collected to conduct the know-your-customer procedure; (ii) necessary information has been checked, especially the identity of the potential customer (...). In addition, when external databases are used, supervised entities must conduct a risk analysis associated to such source to assess the quality, reliability, and accuracy of data for ML/TF risk management purposes. Supervised entities must make verifiable means that prove the performance of such risk analysis available to this Superintendence”.
E-KYC projects based on the national digital ID are actively being developed in Colombia, such as the National Registry Office conducting pilots of biometric authentication with several banks, with other businesses encouraged to follow the example. Therefore, in the absence of any explicit prohibition, it may be argued that Non-Doc KYC is generally acceptable under the local AML regulations.
In the AML/CFT legal framework of the Czech Republic, the relevant requirements to customer identity verification are largely reflected in Act No. 253/2008 Coll. on selected measures against legitimisation of proceeds of crime and financing of terrorism (“AML Act”).
As a general rule, Section 8 of the AML Act states that the first identification of a customer who is an individual should be performed with (i) the said customer present in person and (ii) the obliged entity “recording identification data and verifying them from an identity card should they be included thereon, and subsequently recording the type and serial number of the identity card, the issuing country or issuing authority and the card’s validity; at the same time, [...] verifying the holder’s appearance and the holder’s facial image as pictured on the identity card”.
However, Section 8a(1) provides for an alternative so long as the substituting solution is either compliant with Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (“eIDAS Regulation”) and the implementing regulations or prescribed by another legal act:
“An obliged entity may replace the process pursuant to section 8[...] by identification of a natural person who is a customer [...] performed by means of electronic identification which comply with the following:
- a) technical specification, standards, and procedures for a high level of assurance given by the directly applicable regulation of the European Union regulating minimum technical specifications, standards and procedures for levels of assurance of means of electronic identification) and which is issued and applied pursuant to the qualified system in line with the Act on Electronic Identification, or
- b) conditions pursuant to which means of electronic identification can be used for verification of identity required by a legal regulation or discharge of administrative responsibility outside the scope of the qualified system pursuant to the Bank Act”.
As of now, electronic identification schemes notified by the Czech Republic pursuant to Article 9(1) of the eIDAS Regulation with the “high” level of assurance are the national eID card and “mojeID”, a non-commercial service operated by the CZ.NIC association and allowing users to authenticate in various private sector and public administration services by creating a digital identity.
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product and has confirmed that, at the time of review, non-documentary identity verification is permissible in the Czech Republic and the solution deployed by Sumsub is compliant with local regulation and guidance.
In Denmark, the Consolidation Act on Measures to Prevent Money Laundering and Terrorism Financing (the Anti-Money Laundering Act) (“AML Act”) is the main legal source of AML/CFT obligations for the reporting entities. The Finanstilsynet (also the Financial Supervisory Authority), which is a government agency responsible for regulating the financial sector, including AML/CFT compliance supervision, provides guidelines regarding the interpretation and application of the AML Act.
Section 11 of the AML Act grants regulated entities a relatively wide margin of discretion in selecting the appropriate means of customer identity verification, listing a broad range of electronic evidence as acceptable with some form of governmental recognition as the only qualifying criterion:
“1) The undertaking or person shall obtain the customer's identity information. a) If the customer is a natural person, the identity information shall include name and civil registration number or similar if the person in question does not have a civil registration number. Should the applicant not have a civil registration number or similar, the identity information shall include date of birth.[...]
2) The undertaking or person shall verify the customer's identity information on the basis of documents, data or information obtained from a reliable and independent source. A reliable and independent source means, for example, electronic means of identification, relevant trust services or any other secure form of remote identification process or electronic identification process that is regulated, recognised, approved or accepted by the competent national authorities ”.
The 2020 Guide to the AML Act by the Finanstilsynet continues this approach in Sections 9.1-9.5, stating in particular that:
- the customer’s identity details can, in principle, be obtained from non-documentary sources (e.g., CPR (Central Office of Civil Registration) or Danish Tax Agency);
- a “reliable external source” used for customer identification does not necessarily have to be government-owned or -operated;
- it is not an obligatory requirement that the customer presents photographic identification for non-face-to-face KYC, although it provides additional assurance;
- in the context of a remote relationship, the reporting entity must consider the potentially increased risk. NemID, for instance, is considered a “reliable and independent source” for that purpose, but, “when more than limited risk is involved, it will be necessary for the undertaking to use other control sources, or risk-mitigating measures along with NemID”.
In 2023, NemID was replaced with MitID. Since, unlike NemID, MitID has both “substantial” and “high” levels of assurance and was generally intended as a more robust and secure solution, it can be argued that the FSA’s reasoning applicable to NemID should not be fully transferable to MitID and that MitID should be considered sufficient for identity verification outside of the SDD context. This is corroborated by the consultation paper on “Project AML/TEK”, where the FSA expresses the following stance:
“The DFSA is of the opinion that a MitID at a 'substantial' level under the eIDAS Regulation could act as the sole source of verification for distance customers who are not subject to enhanced KYC procedures. This is because the processes for verifying identities when issuing a MitID are at least as secure as the DFSA expects is the case, in principle, for distance customers under the MLA, cf. section 6.7. In addition, the assurance level of the means of authentication in the MitID solution is higher than in the NemID solution”.
Accordingly, Non-Doc KYC solutions are permissible in principle so long as they sufficiently mitigate the risk posed by non-face-to-face onboarding and have been granted approval by the competent national authorities. In relation to MitID specifically, it can arguably be relied on as a standalone solution at both “substantial” and “high” levels of assurance, at least in all instances when enhanced due diligence is not required (where customers may need to apply additional safeguards of their choice, such as obtaining ID copies, verifying the source of funds where necessary, collecting further data items (e.g., geolocation), etc.).
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product and has confirmed that, at the time of review, non-documentary identity verification is permissible in Denmark and the solution deployed by Sumsub is compliant with local regulation and guidance.
The 2018 Anti-Money Laundering / Combating the Financing of Terrorism & the Proliferation of Weapons of Mass Destruction Guideline issued by the Financial Intelligence Centre and the Bank of Ghana states that, while an identity document is obligatory to collect from an individual customer, the regulated entity is, in general, not restricted in the options of verifying identification data:
“Types of customer information to be obtained and identification data to be used to verify the information are provided in Appendix A” (Section 1.5)
“For natural persons the following information should be obtained, where applicable: i. legal name and any other names used by the prospective client; ii. location including important landmarks close to the prospective client’s residence; iii. telephone number, fax number and mailing address; iv. date and place of birth; v. nationality; vi. hometown; vii. occupation, position held and employer’s name; viii. identity document; ix. nature of business; x. type of account and nature of the banking relationship; and xi. signature.
The financial institution should verify this information by at least one of the following methods:
- Confirming the date of birth from an official document (e.g. birth certificate, passport, identity card, social security records);
- Confirming the permanent address (e.g. utility bill, tax assessment, bank statement, a letter from a public authority);
- Contacting the customer by telephone, by letter or by e-mail to confirm the information supplied after an account has been opened (e.g. a disconnected phone, returned mail, or incorrect e-mail address should warrant further investigation);
- Confirming the validity of the official documentation provided through certification by an authorized person (e.g. embassy official, notary public); and
- any other means of verification the financial institution deems appropriate” (Appendix A).
Furthermore, acceptable solutions may include or, arguably, even be limited to non-documentary electronic database checks, so long as the overall verification result is conclusive:
“The confirmation of name and address is to be established by reference to a number of sources. The checks should be undertaken by cross-validation that the applicant exists at the stated address either through the sighting of actual documentary evidence or by undertaking electronic checks of suitable databases, or by a combination of the two. The overriding requirement to ensure that the identification evidence is satisfactory rests with the financial institution opening the account or providing the product/service” (Section 2.23)
Section 2.28 further confirms that electronic evidence may be “alternative or supplementary to documentary evidence of identity and address <...> Each source may be used separately as an alternative to one or more documentary checks”. However, regulated entities must ensure that the chosen databases are reliable, which is achieved, e.g., by “checking across a range of sources, preferably covering a period of time or through qualitative checks that assess the validity of the information supplied”. Examples of appropriate sources include: “i. An electronic search of the Electoral Register (is not to be used as a sole identity and address check); ii. Access to internal or external account database; and iii. An electronic search of public records where available”.
Therefore, whereas it is necessary to obtain an ID for identification purposes, verification may be carried out via electronic sources, provided that such sources are trustworthy and the regulated entity is convinced it knows the true identity of the applicant.
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product and has confirmed that, at the time of review, non-documentary identity verification is permissible in Ghana and the solution deployed by Sumsub is compliant with local regulation and guidance.
The Anti-Money Laundering and Counter-Terrorist Financing Ordinance (“AMLO”), Cap. 615 is the primary legal source prescribing obligations applicable to the AML/CFT-regulated entities operating in Hong Kong and, in particular, setting out requirements regarding customer due diligence and record-keeping.
Pursuant to Part 2 Division 1 (Para. 2) of AMLO, supervised entities must identify the customer and verify the customer’s identity on the basis of documents, data or information provided by:
- “(i) a governmental body;
- (ii) the relevant authority or any other relevant authority;
- (iii) an authority in a place outside Hong Kong that performs functions similar to those of the relevant authority or any other relevant authority;
- (iiia) a recognized digital identification system; or
- (iv) any other reliable and independent source that is recognized by the relevant authority”.
At the same time, the responsibility for oversight of the financial market in Hong Kong is divided between the Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC). The HKMA regulates the banking industry, while the SFC oversees the securities and futures markets, including virtual asset service providers. Both regulators, within their respective functions, provide practical guidelines on AML/CFT compliance, such as the latest HKMA Guideline on Anti-Money Laundering and Counter-Financing of Terrorism For Authorized Institutions (Revised in May 2023) (the “AML Guideline”) or the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers) (the “SFC Guideline”) by the SFC. That said, the AML Guideline and the SFC Guideline include similar provisions regarding customer identification and verification procedures, so the analysis below is relevant for entities supervised by either the HKMA or the SFC.
In particular, Para 4.3.1 of the AML Guideline replicates the above-mentioned requirement from AMLO regarding identity verification on the basis of reliable documents, data or information; however, it also clarifies in a footnote what an appropriate “digital identification system” could be:
- “The HKMA recognises iAM Smart, developed and operated by the Hong Kong Government, as a digital identification system that can be used for identity verification of natural persons. The HKMA may in future recognise other similar digital identification systems developed and operated by governments in other jurisdictions having regard to market developments and specific circumstances.”
At the same time, in accordance with Paras 4.3.2-4.3.5 and 4.3.13-4.3.17 of the AML Guideline, the following identification and verification requirements are applicable to FIs:
- for customers who are natural persons, the full name, date of birth, nationality, unique identification number and document type, as well as residential address, should be obtained for identification (although it is not mandatory to check the accuracy of every piece of information);
- the acceptable means of verification are documents, data or information provided by a reliable and independent source, the list of which is not exhaustive: (a) Hong Kong identity card or other national identity card; (b) valid travel document (e.g. unexpired passport); or (c) other relevant documents, data or information provided by a reliable and independent source (e.g. document issued by a government body);
- the obliged entity should ensure that documents, data or information obtained for the purpose of verifying the identity of a customer are current at the time they are provided to or obtained by the entity.
Section 4.10 on non-face-to-face CDD measures further states that regulated entities should “take additional measures to mitigate the risk (e.g. impersonation risk) associated with customers not physically present for identification purposes”. However, where a customer’s identity is verified via a digital identification system recognized by HKMA, no such additional measures are required.
Accordingly, the usage of non-documentary sources for verification purposes is not prohibited. However, verification requirements for both HKMA- and SFC-supervised institutions currently provide two specific options: identity documents or the digital ID system “iAM Smart” operated by the Hong Kong government. Any other digital identification systems could be involved only if specifically approved by relevant authorities or regulatory bodies in Hong Kong and/or abroad.
The Prevention of Money Laundering Act, 2002 (“PMLA”) and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 issued thereunder (“PML Rules”) provide the main legislative framework for combating ML / TF in India and, together with the guidance produced by the national Reserve Bank, explicitly prescribe e-KYC based on the customer’s Aadhaar number or other identifiers as one of the possible (or, for certain entities, required) means of identity verification:
“Every reporting entity shall verify the identity of its clients and the beneficial owner by –
- Authentication under the Aadhaar [...] Act, 2016 if the reporting entity is a banking company; or
- Offline verification under the Aadhaar [...] Act, 2016; or
- Use of passport issued under section of the Passports Act, 1967; or
- Use of any other officially valid document or modes of identification as may be notified by the Central Government in this behalf” (PMLA, Section 11(A)(1)).
Non-banking entities may also be permitted, by special notification of the Central Government, to perform Aadhaar authentication, provided that it is necessary to do so and that the entities in question comply with the standards of privacy and security under the Aadhaar Act. At the same time, the customer is allowed to choose between the following options:
“Where the client is an individual, they shall [...] submit to the reporting entity, – the Aadhaar number where,
- He is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 (18 of 2016); or
- He decides to submit his Aadhaar number voluntarily to a banking company or any reporting entity notified under first proviso to sub-section (1) of section 11A of the Act; or (aa) the proof of possession of Aadhaar number where offline verification can be carried out; or
- The proof of possession of Aadhaar number where offline verification cannot be carried out or any officially valid document or the equivalent e-document thereof containing the details of his identity and address [...]” (PML Rules, Rule 9(4)).
Depending on which data the customer provides and whether offline verification is available, the reporting entity shall carry out the following procedures (“where the client has submitted –):
- His Aadhaar number [...] to the banking company or a reporting entity notified under first proviso to sub-section (1) of section 11A, such banking company or reporting entity shall carry out authentication of the client's Aadhaar number using e-KYC authentication facility provided by the Unique Identification Authority of India;
- Proof of possession of Aadhaar under clause (aa) of sub-rule (4) where offline verification can be carried out, the reporting entity shall carry out offline verification;
- An equivalent e-document of any officially valid document, the reporting entity shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000) and any rules issued thereunder and take a live photo as specified under Annex 1;
- Any officially valid document or proof of possession of Aadhaar number under clause (ab) of sub-rule (4) where offline verification cannot be carried out, the reporting entity shall carry out verification through digital KYC as specified under Annex 1”.
Additionally, the Master Direction – Know Your Customer (KYC) Direction of the Reserve Bank of India allows a client’s identity to be verified based on the KYC identifier from the Central KYC Records Registry.
“For undertaking CDD, REs shall obtain the following from an individual while establishing an account-based relationship [...]: (ac) the KYC Identifier with an explicit consent to download records from CKYCR [...]”(Master Direction, section 16).
Therefore, the available options are: (i) Aadhaar-based authentication; (ii) Aadhaar-based offline verification; (iii) digital KYC; (iv) KYC identifier verification.
Aadhaar authentication, powered by the Unique Identification Authority of India (UIDAI), provides an instant mechanism to confirm one’s identity and does not require any other ID proof except the Aadhaar number. It is, however, restricted to banking institutions and certain other requesting entities as described above. Accounts opened using Aadhaar OTP-based authentication, in non-face-to-face mode, are subject to a number of limitations as to the maximum balance, permitted operations, etc.
The UIDAI also enables “paperless offline e-KYC”, wherein the customer, using their Aadhaar number, creates a “Share Phrase” with their identification data encrypted and shares it with the entity performing KYC. The entity can then validate the data through its own OTP / face authentication mechanism.
Digital KYC means “the capturing of a live photo of the customer and their officially valid document / proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the location where such live photo is being taken by an authorised officer of the reporting entity” in accordance with specific technical requirements (Master Direction, section 3(a)(viii)). This procedure, however, may only be carried out via a specialized application developed by the reporting entity (Master Direction, Annex I).
Where a customer submits a KYC Identifier to a reporting entity, with an explicit consent to download records from CKYCR, the reporting entity shall retrieve the KYC records online from the CKYCR using the KYC Identifier and the customer shall not be required to submit the same KYC records or information or any other additional identification documents or details, subject to certain exceptions (Master Direction, section 56).
As an alternative to the aforementioned procedures, the “V-CIP” mechanism was recently introduced, consisting of a video conference with the reporting entity’s operator in combination with a “liveness” check, geolocation check, and document analysis (Master Direction, section 18). V-CIP, however, is also dependent on external data sources, since the reporting entity is still required to validate the customer’s identity data based on the Aadhaar number, KYC identifier or e-document.
In conclusion, the current regulation allows for various identity verification methods that can either involve the customer submitting an identity document to the reporting entity or omit this step altogether.
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product, and has confirmed at the time of review in India non-documentary identity verification is permissible and the solution deployed by Sumsub is compliant with local regulation and guidance.
The most recent comprehensive legal act outlining the responsibilities of AML-subject entities in Indonesia is the Regulation (POJK) No. 8 of 2023 (“OJK Regulation”) on the Implementation of Anti-Money Laundering (AML), Counter-Terrorist Financing (CFT), and Counter-Proliferation Financing of Weapons of Mass Destruction (CPF) Program in the Financial Services Sector by the Indonesian Financial Services Authority (Otoritas Jasa Keuangan, OJK), which regulates the country’s financial industry on par with Bank Indonesia.
Pursuant to Art. 21(2) of the OJK Regulation, identity verification of prospective customers may be conducted via: “a. direct face-to-face meetings; b. electronic face-to-face meetings; and/or c. non-face-to-face electronic mechanisms”. The solutions that may be employed by the supervised entity under subclause (c) are not limited, yet three main options are highlighted: the entity may rely on (i) its own software and hardware; (ii) software and hardware belonging to third parties (such as KYC providers) and accessed by the entity; or (iii) utilization of population databases, for which at least two authenticity factors must be used (something characteristic of the customer and something the customer possesses).
Regarding the scope of data to be collected in respect of an individual customer, Art. 25(1) of the OJK Regulation lists the following points:
- Full name (including aliases, if any);
- Identity document number;
- Residential address according to the ID and other residential addresses, if any;
- Place and date of birth;
- Citizenship;
- Occupation;
- Address and telephone number of workplace, if any;
- Gender;
- Marital status;
- Mother’s maiden name;
- Identity of the beneficial owner, if any;
- Source of funds;
- Average annual income and/or net worth;
- Aims and objectives of the business relationship or transaction.
Further, according to Art. 26(1) of the OJK Regulation, the aforementioned information has to be supported by an identity document. However, the Article further specifies that it can include: (i) for Indonesian citizens – a resident card or “digital population identity as intended in the laws and regulations regarding population data”; (ii) for foreign citizens – a passport accompanied by immigration documents; (iii) for “individuals from the Indonesian diaspora or Indonesian people abroad” – passports and identity cards issued to such individuals under the applicable laws and regulations.
In reference to non-document verification, therefore, it is safe to assume that Indonesia allows electronic KYC via national identity databases when it comes to local citizens (see, e.g., the e-KTP system). However, further checks are likely to be required to obtain all of the necessary customer data.
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product, and has confirmed at the time of review in Indonesia non-documentary identity verification is permissible and the solution deployed by Sumsub is compliant with local regulation and guidance.
The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) is the primary statute governing the AML/CFT regime in Malaysia, whereas Bank Negara Malaysia (BNM), the country’s central bank and financial regulator, issues policy documents setting out reporting entities’ obligations concerning the AMLA-imposed requirements.
The AMLA, while establishing the general customer identification duty, provides a broad range of evidence acceptable for verifying identity-related data:
- “A reporting institution, in undertaking customer due diligence measures, shall—(a) ascertain the identity, representative capacity, domicile, legal capacity, occupation or business purpose of any person, whether he is an occasional or usual customer;
- (b) verify, by reliable means or from an independent source, or from any document, data or information, the identity, representative capacity, domicile, legal capacity, occupation or business purpose of any person, through the use of documents which include identity card, passport, birth certificate, driver’s licence, constituent document or any other official or private document as well as other identifying information relating to that person, whether he is an occasional or usual customer”. (AMLA, Section 16(3))
Simultaneously, the BNM Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions (AML/CFT and TFS for FIs) and Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions (DNFBPs) & Non-Bank Financial Institutions (NBFIs) (AML/CFT and TFS for DNFBPs and NBFIs) policies do not list identity documents or copies thereof among the information mandatory for collection during standard CDD in relation to natural persons:
- “(a) full name;
- (b) National Registration Identity Card (NRIC) number or passport number or reference number of any other official documents of the customer or beneficial owner;
- (c) residential and mailing address;
- (d) date of birth;
- (e) nationality;
- (f) occupation type;
- (g) name of employer or nature of self-employment or nature of business;
- (h) contact number (home, office or mobile); and
- (i) purpose of transaction”. (See, e.g., Section 14.10.1 of AML/CFT and TFS for DNFBPs and NBFIs, Section 14A.9.1 of AML/CFT and TFS for FIs)
BNM further provides for non-documentary means of identity verification and, specifically, those involving the use of specific external data sources:
“Reporting institutions must verify and be satisfied with the identity of the customer or beneficial owner through reliable and independent documentation, electronic data or any other measures that reporting institutions deem necessary”. (See, e.g., Section 14A.5 of AML/CFT and TFS for FIs, Section 14.5 of AML/CFT and TFS for DNFBPs and NBFIs)
“[In the non-face-to-face context], reporting institutions may identify and verify a customer’s identity by:
- (a) conducting video calls with the customer before setting up the customer’s money changing account or allowing the customer to perform transactions;
- (b) communicating with the customer at a verified residential or office address where such communication shall be acknowledged by the customer;
- (c) verifying the customer’s information against a database maintained by relevant authorities including the National Registration Department or Immigration Department of Malaysia; telecommunication companies, sanctions lists issued by credible domestic or international sources in addition to the mandatory sanctions lists or social media platforms with a broad outreach; or
- (d) requesting to sight additional documents such as recent utility bills, bank statements, student identification or confirmation of employment”. (See, e.g., Section 14C.16.12 of AML/CFT and TFS for FIs)
The minimum expected baseline for regulated entities applying non-face-to-face verification methods is for them to “ensure and be able to demonstrate on a continuing basis that appropriate measures for identification and verification of the customer’s identity through e-KYC are secure and effective” (see, e.g., Section 14A.15.7 of AML/CFT and TFS for FIs). Other than that, BNM offers no indication that it is obligatory to obtain a copy of the customer’s ID in the context of remote CDD. On the contrary, in the Guidance on Verification of Individual Customers for Customer Due Diligence, it emphasizes that “there is no restriction on the form of evidence to be taken by reporting institutions in verifying the identity” (para. 5.1) and that electronic data can be elected instead of documentary evidence, provided it is obtained from a reliable and independent source.
To conclude, financial institutions, DNFBPs and NBFIs supervised by the BNM may rely on non-documentary identity verification methods (specifically, external electronic databases), so long as they are sufficiently robust to be as effective as face-to-face CDD. However, additional mechanisms (e.g., a questionnaire) may need to be implemented in order to collect the necessary customer information that might not be contained in the consulted data source.
The Implementing Procedures of 2011 to the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) issued by the Financial Intelligence Analysis Unit of Malta (FIAU) also distinguish non-documentary and documentary KYC approaches.
“The methods of verification of identity mentioned in this section do not entail the presentation of identification documents or other verification documents but rather allow for the identity of the customer to be verified remotely through electronic means”.
The use of commercial electronic databases is allowed, provided they comply with data protection requirements and are considered independent and reliable.
The Amended Identity Verification Code of Practice of New Zealand (2013) provides two methods of performing remote KYC verification. One of these methods implies matching identity data against independent external sources.
According to the Code, a reporting entity must conduct electronic verification of a customer’s name and date of birth as follows:
- Verify the customer’s name, either:
  - using a single independent electronic source (only the RealMe biometric database is considered as such); or
  - using at least two independent and reliable matching electronic sources.
- Verify the customer’s date of birth using at least one independent and reliable electronic source.
The Code doesn’t specify which sources should be used. As for New Zealand residents, reporting entities should refer to the Confirmation Service of the Department of Internal Affairs (DIA), New Zealand Transport Agency (NZTA), or other common national electronic sources, such as credit bureaus, Land Registry (LINZ), etc.
The 2022 Money Laundering (Prevention and Prohibition) Act (“AML Act”), together with regulations and guidance by the Central Bank of Nigeria (“CBN”), lays out the legal provisions applicable to Nigerian AML-supervised entities, including those related to customer due diligence.
Art. 4(1) of the AML Act outlines the general principles of the identification and identity verification duty for financial institutions and DNFBs. While the document-based approach is framed as the default standard, the AML Act refers to secondary legislation for substantiation:
“A financial institution and a designated non-financial business and profession shall —
- identify a customer, whether permanent or occasional, natural or legal person or any other form of legal arrangements, using identification documents as may be prescribed in any relevant regulation;
- verify the identity of that customer using reliable, independent source documents, data or information <...>”.
In turn, Art. 6(a) of the Central Bank of Nigeria Customers Due Diligence Regulations 2023 (the “CDD Regulations”) lists the information to be collected in relation to individual customers, with Art. 7(2) elaborating on the possible means of its verification:
- legal name and any other names used (such as maiden name),
- permanent address (full physical address),
- residential address (where the customer can be located),
- telephone number, e-mail address and social media handle,
- date and place of birth,
- Bank Verification Number (BVN),
- Tax Identification Number (TIN),
- nationality,
- occupation, public position held and name of employer,
- an official personal identification number or other unique identifier contained in an unexpired document issued by a government agency, that bears a name, photograph and signature of the customer such as a passport, national identification card, residence permit, social security records or drivers’ license,
- type of account and nature of the banking relationship,
- signature, and
- politically exposed persons (PEPs) status.
“FIs shall verify the identity of individuals by confirming the — (a) date of birth from a valid official document, such as birth certificate, passport, identity card and national or social security records; (b) residential address through physical visitation and use of other sources, including utility bill, tax assessment, bank statement, or letter from a public authority; (c) contact details provided by the customer through positive feedback from phone call, email or physical letter to the residential address; (d) validity of the official documentation provided through certification by an authorized person such as embassy official, notary public (in the case of foreign nationals); and (e) phone numbers, particularly for wallet providers, through independent process, including validation against the NCC database or geo-mapping”.
Therefore, the notion of official documentation that may be used for identity verification is quite broad, implying it is not necessarily required to collect a copy of any particular identity document. Furthermore, Arts. 14, 16 and 35 of the CDD Regulations as well as Art. 26 of the 2022 Central Bank of Nigeria (Anti-Money Laundering, Combatting the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions) Regulations (the “AML Regulations”) specify that both “physical” and “electronic” methods of customer onboarding may be adopted by financial institutions, so long as the “tiered” approach and other e-KYC standards endorsed by the CBN are complied with.
Referring, in turn, to the “tiered” approach as established in the 2013 CBN Circular FPR/DIR/CIR/GEN/02/001 (Introduction of Three-Tiered Know Your Customer (KYC) Requirements), it prescribes different CDD standards depending on the customer’s risk profile and the value of their account:
- until recently, only a set of identity attributes (such as passport photo, name, place and date of birth, etc.) was required for Tier 1 (lowest-value) accounts with no evidence required;
- Tier 2 demands the Tier 1 information provided by the customer to be supported with evidence and checked against official databases (such as National Identity Management Commission (NIMC), Independent National Electoral Commission (INEC) Voters Register, Federal Road Safety Commission, etc.), while “ID verification and monitoring” is also necessary;
- Tier 3 further refers to the KYC standards established by the CBN AML/CFT Regulation, 2009 as amended (which would, at present, encompass both the AML Regulations and the CDD Regulations, in particular Arts. 6-7 of the latter as referenced above).
Furthermore, the 2023 CBN Circular PSM/DIR/PUB/CIR/001/053 enhanced the aforementioned requirements, stating that: (i) it is now mandatory for all Tier 1 accounts for individuals to have BVN and/or NIN (National Identification Number); (ii) both BVN and NIN are obligatory for Tier 2 and Tier 3 accounts; and (iii) “the process for account opening shall commence by electronically retrieving BVN or NIN related information from the NIBSS’ BVN or NIMC’s NIN databases [together with the underlying identity data, such as name, DoB, etc.] and for the same to become primary information for onboarding of new customers”. In addition, the same Circular prescribed all the BVNs and NINs already attached to existing accounts to be revalidated by January 31, 2024.
BVN- and NIN-based verification is generally widespread in the country. A BVN is a unique ID number issued to every customer of a Nigerian bank upon enrolment and linked to every account that the customer has in any other local banks, whereas a NIN is provided by the NIMC and used to link citizens’ and legal residents’ biometric data to the National Identity database, which may then be relied on for physical or digital verification and authentication. Both identifiers can therefore be easily validated against governmental databases.
In conclusion, banks and other financial institutions are generally encouraged (and, in certain cases, obliged) to refer to external official databases while onboarding Nigerian citizens and residents. However, in some instances these checks may have to be supplemented by obtaining supporting documentation from the customer, depending on their account tier (risk profile).
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product, and has confirmed at the time of review in Nigeria non-documentary identity verification is permissible and the solution deployed by Sumsub is compliant with local regulation and guidance.
In Norway, the primary legal statute governing the AML/CFT framework is the 2018 Act relating to Measures to Combat Money Laundering and Terrorist Financing (“AML Act”), with the 2018 Regulations relating to Measures to Combat Money Laundering and Terrorist Financing by the Ministry of Finance detailing its requirements (“AML Regulations”). The Finanstilsynet (also the Financial Supervisory Authority), which is a government agency responsible for regulating the financial sector, including AML/CFT compliance supervision, provides guidelines regarding the interpretation and application of the relevant laws and regulations.
The standard approach to identity verification as enshrined in Section 12 of the AML Act implies personal presence of the customer; however, remote onboarding is also permissible, provided that additional safeguards are implemented:
- “(1) When the customer is a natural person, the following information shall be obtained concerning the customer:
  - a. name;
  - b. personal identity number, D-number or, if the customer does not have any such number, another unique identity code. For persons who do not have a Norwegian personal identity number or D-number, the date of birth, the place of birth, the gender and the citizenship shall be obtained, including whether the person has multiple citizenships;
  - c. address [...]
- (2) Information on the customer's identity shall be verified by personal appearance with a valid proof of identity. If verification of the identity shall take place without personal appearance, additional documentation shall be presented or additional measures shall be applied”.
In turn, Section 4-3(4) of the AML Regulations states, without explicitly limiting alternative solutions, that eID mechanisms compliant with the eIDAS Regulation and relevant national legislation are suitable for non-face-to-face KYC:
“An electronic signature is valid proof of identity for natural persons when their identity shall not be verified upon personal appearance. The electronic signature shall comply with the requirements for eID solutions laid down in Section 3 of Regulations of 21 November 2019 No. 1578 relating to Self-Declaration Arrangements for Electronic Identification and be entered on a published list pursuant to Section 13, subsection 1, of the said Regulations”. [Section 3 of the Regulations refers to schemes with a “high” level of assurance.]
The electronic identification schemes notified by Norway pursuant to Article 9(1) of the eIDAS Regulation include Buypass ID and BankID. This coincides with Finanstilsynet's 2019 Circular “Guide to the Anti-Money Laundering Act”, which provides the following:
“The reference to BankID as valid identification has been changed to apply to electronic identification in accordance with the Money Laundering Regulations section 4-3 fourth paragraph. This is to ensure that all electronic identification that meets the requirements is covered” (page 6).
From Section 4.3.1.1 of the Circular it may also be inferred that no non-documentary KYC solutions are regarded as acceptable besides those falling under Section 4-3(4) of the AML Regulations, since the list is formulated restrictively:
“Valid identification for natural persons is, according to the Norwegian Financial Supervisory Authority's opinion:
- Norwegian and foreign passports (not emergency passports)
- Norwegian driver's license
- Norwegian bank cards with picture
- National ID cards issued by an EEA country (an overview of these can be found in Appendix 4 of the Immigration Regulations)
- Norwegian immigration passport (blue passport)
- Norwegian travel document for refugees (green passport)
- Electronic identification in accordance with the Money Laundering Regulations § 4-3 fourth paragraph”.
To conclude, onboarding methods not requiring a customer to present their identity document are currently limited to BankID, Buypass ID, as well as other solutions that may provide electronic signatures compliant with the regulations referred above.
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product, and has confirmed at the time of review in Norway non-documentary identity verification is permissible and the solution deployed by Sumsub is compliant with local regulation and guidance.
The Republic Act nº 9160 (the Anti-Money Laundering Act of 2001), as well as the 2016 Revised Implementing Rules and Regulations (RIRR) thereto, endorse documentary evidence as the recognized means for customer identity verification:
“Sec. 9. <...> Covered institutions shall establish and record the true identity of its clients based on official documents” (Republic Act nº 9160)
“Rule 3.M. <...> “Official Document” refers to any of the following identification documents:
- For Filipino citizens: Those issued by any of the following official authorities:
  - Government of the Republic of the Philippines, including its political subdivisions, agencies, and instrumentalities;
  - Government-Owned or -Controlled Corporations (GOCCs);
  - Covered persons registered with and supervised or regulated by the BSP, SEC or IC;
- For foreign nationals: Passport or Alien Certificate of Registration;
- For Filipino students: School ID signed by the school principal or head of the educational institution; and
- For low-risk customers: Any document or information reduced in writing which the covered person deems sufficient to establish the client’s identity;
Rule 9.A. Covered persons shall establish and record the true identity of their clients based on official documents, as defined under Rule 3.M of this RIRR. <...> Customers who engage in a transaction with a covered person for the first time shall <...> submit a clear copy of at least one (1) official identification document” (RIRR)
At the same time, Circular No. 1170 issued by the Bangko Sentral ng Pilipinas (“BSP”) on 30 March 2023 provides additional guidelines on customer due diligence, including e-KYC via digital identity systems. Specifically, the Circular states that, “where the PCN [PhilSys Card Number] or PSN [PhilSys Number] derivative, or the Philippine Identification (PhilID) card, in physical or digital form, is presented by the customer, it shall be accepted as official and sufficient proof of identity, subject to proper authentication, and the covered person shall no longer require additional document to verify the customer's identity”. Therefore, accessing an individual’s record in the Philippine Identification System (“PhilSys”) is considered a reliable way to verify their identity. Other digital ID systems are, in principle, also allowed to be used so long as they are “supported by robust technology, adequate governance, processes and procedures that provide appropriate level of confidence that the system produces accurate results”; however, there is no indication that the RIRR requirement to present an actual identity document is removed for foreigners not registered in PhilSys.
Accordingly, Non-Doc KYC is possible via solutions accessing PhilSys; in other cases, the document-based approach remains prevalent. However, as the scope of potentially acceptable documents is defined broadly for low-risk customers, it may be allowed to obtain reports or other excerpts from trustworthy external data sources instead of “conventional” IDs.
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product, and has confirmed at the time of review in the Philippines non-documentary identity verification is permissible and the solution deployed by Sumsub is compliant with local regulation and guidance.
The 2017 Guidance Note 7 on the Implementation of Various Aspects of the Financial Intelligence Centre Act, 2001, issued by the Financial Intelligence Centre of South Africa, emphasizes that regulated institutions “have the flexibility to choose the type of information by means of which they will establish clients’ identities and also the means of verification of clients’ identities” (para. 74). More specifically, both “documents” and “electronic data issued or created by reliable and independent third-party sources” are permitted for confirming a customer’s identity (para. 83). The Guidance Note subsequently reiterates this approach, while stating that full name, date of birth and unique identifying number issued by a government source are “basic attributes” that should be collected from an individual in any event (para. 85) and outlining the following principles of e-verification:
- The regulated entity should conduct a risk assessment of the data sources to be engaged (paras. 87, 90-91);
- Only reliable and independent (e.g., not created or generated by the customer themselves) third-party sources may be used (paras. 87-88);
- Where possible, the regulated entity should use the original sources of the information in question (i.e., government-issued or -controlled sources); using multiple data sources, including across time, is also encouraged (paras. 88-89, 92);
- The use of electronic data sources does not, in itself, protect the obliged entity from regulatory action relating to its AML compliance duties (para. 90);
- Data sources that can be manipulated and tampered with are not considered reliable (para. 91);
- The Department of Home Affairs, records of the Companies and Intellectual Property Commission, records of the South African Revenue Service, eNaTIS records and records of the Master of the High Court are named as examples of acceptable data sources (para. 94).
Thus, electronic sources may be relied on for KYC measures so long as they are sufficiently robust and meet the aforementioned criteria and the information contained therein can be securely linked to the customer’s real identity.
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product, and has confirmed at the time of review in South Africa non-documentary identity verification is permissible and the solution deployed by Sumsub is compliant with local regulation and guidance.
In Sweden, the two main legal acts regulating anti-money laundering and counter-terrorist financing measures are the Money Laundering and Terrorist Financing (Prevention) Act (“AML Act”) and the Act on Penalties for Money Laundering Offences. Finansinspektionen (the Swedish Financial Supervisory Authority), a government agency responsible for regulating the financial sector, including AML/CFT compliance supervision, issues guidelines on the interpretation and application of the relevant laws and regulations.
Chapter 3 Section 2 of Finansinspektionen’s regulations regarding measures against money laundering and terrorist financing FFFS 2017:11 (“FI Regulations”) issued on 26 June 2017 is mainly focused on the document-based approach to identity verification:
“An undertaking shall verify the identity of a natural person by means of a Swedish driver’s licence, Swedish passport or identity card issued by a Swedish authority, or a Swedish certified identity card.
The undertaking shall verify the identity of natural persons who do not have a Swedish identity document against a passport or other identity document. The passport or identity document must contain a photograph of the person and information on citizenship, and must be issued by an authority or other authorised issuer. A copy of a foreign passport or other foreign identity document shall be retained in accordance with the requirements set out in Chapter 5, section 3 of the Act on Measures against Money Laundering and Terrorist Financing (2017:630)”.
At the same time, Section 5 sets out specific requirements applicable directly to non-face-to-face customer relationships:
“An undertaking shall verify the identity in a non-face-to-face situation by:
- 1. using electronic identification to produce an advanced electronic signature as set forth in the Act (2016:561) [eIDAS regulation] laying down additional requirements to the EU Regulation on electronic identification or by using any other technology for electronic identification which provides equivalent certainty, or
- 2. verifying the natural person’s identity in an appropriate manner by:
- b) verifying the information against external registers, certificates, or other equivalent documentation, and
- c) contacting the natural person by sending a confirmation to the person’s address in the population register or other reliable address, or ensuring that the person sends a certified copy of an identity document, or other equivalent measure”.
Since, in the context of remote CDD, obtaining a copy of the customer’s ID is only one of the possible methods for identity verification, it could be concluded that Section 5 should be interpreted as substituting, not complementing, Chapter 3 Section 2.
It follows that Non-Doc KYC solutions can be relied on so long as they meet the requirements of the eIDAS Regulation or constitute a similarly robust and secure procedure. In particular, the electronic identification schemes notified by Sweden pursuant to Article 9(1) of the eIDAS Regulation are BankID, Freja eID, and EFOS; of these three, BankID is arguably the most feasible and most commonly used option, although it is only available to individuals with a Swedish personal identity number.
The principal AML/CFT legislation within the UAE includes: (i) Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations (the “AML-CFT Law” or “Law”) and implementing regulations, such as (ii) Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (the “AML-CFT Decision” or “Cabinet Decision”).
In addition, the UAE Central Bank (CBUAE) maintains the Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Financial Institutions (the “AML Guidelines”), as well as both general and sector-specific guidance documents, in order to ensure a better understanding and effective performance of AML obligations.
The AML-CFT Decision provides the general identification and identity verification requirement in Article 8:
“Financial Institutions and [Designated Non-Financial Business or Professions] DNFBPs should identify the Customer’s identity, whether the Customer is permanent or walk-in, and whether the Customer is a natural or legal person or legal arrangement, and verify the Customer’s identity and the identity of the Beneficial Owner. This should be done using documents, data or information from a reliable and independent source or any other source to verify the identity as follows:
For Natural Persons: The name, as in the identification card or travel document, nationality, address, place of birth, name and address of employer, attaching a copy of the original and valid identification card or travel document, and obtain approval from the senior management, if the Customer or the Beneficial Owner is a PEP”.
Reinforcing this, Section 6.3.1 of the AML Guidelines further elaborates on the necessity to collect copies of identity documents:
“The verification of a customer’s identity, including their address, should be based on original, official (i.e. government-issued) documents whenever possible. When that is not possible, FIs should augment the number of verifying documents or the amount of information they obtain from different independent sources. In particular, when verifying the UAE ID card, FIs licensed by the Central Bank must use the online validation gateway of the Federal Authority for Identity & Citizenship and keep a copy of the UAE ID and its digital verification. They should also identify the lack of official documents and the use of alternative means of verification as risk factors when assessing the customer’s ML/FT risk classification”.
At the same time, both Section 6.3.1 of the AML Guidelines and Section 3.1 of the Guidance for Licensed Financial Institutions (‘LFI’s) on Digital Identification for Customer Due Diligence (the “Digital Identification Guidance”) seem to suggest that verification via electronic sources is an acceptable alternative to the documentary method:
“An example of alternative verification means is verification by way of digital identification systems. Such digital identification systems should rely upon technology, adequate governance, processes and procedures that provide appropriate levels of confidence that the system produces accurate results”;
“Under Article 8 of the AML-CFT Decision, LFIs are required to identify each customer and verify the customer’s identity using documents, data, or any other identification information from a reliable and independent source. This requirement is technology neutral and expressly permits LFIs to use documentary as well as non-documentary sources (i.e., information or data) when performing identification and verification; it does not impose any restrictions on the form—physical or digital—that identity evidence must take, nor does it impose limitations as to the use of digital ID systems for the purpose of linking a customer’s verified identity to a unique, real-life individual, provided this is done using a “reliable” and “independent” source. As such, LFIs are permitted to utilize digital ID systems as well as physical forms to perform customer identification and verification, consistent with the expectations set forth in this Guidance”.
Section 5 of the Guidance further prescribes the mandatory assessments the FIs should conduct before choosing a digital identification system:
- “An assurance level assessment, through which the LFI can understand the assurance levels that the digital ID system provides based on its technology, architecture, and governance and determine its reliability and independence; and
- An appropriateness assessment, through which the LFI can make a risk-based determination — given the digital ID system’s assurance levels — of whether the digital ID system is appropriately reliable and independent for CDD in light of potential ML, TF, fraud, and other illicit financing risks”
Section 2.1 of the Guidance describes several national identification systems approved for use by AML-regulated entities, including UAE Pass, Emirates ID and Emirates Facial Recognition. UAE Pass, in particular, is the UAE’s primary digital identity and signature solution with a high level of security.
The interpretation of the above-mentioned provisions, taken cumulatively, appears to be that, while usage of digital identification systems is in principle permitted for KYC purposes, it does not negate the overall document-based approach adopted by the UAE financial regulators and, in particular, the requirement to obtain a copy of the customer’s identity document under the AML-CFT Decision. Accordingly, digital ID systems may be relied on as a standalone solution when they allow access to all of the required customer data, including that related to the identity document. Alternatively, they may be used for supplementary checks (which are sometimes mandatory, as in the case of UAE ID).
While they are the core legal sources of AML-related obligations, neither the Proceeds of Crime Act 2002 nor the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR”) specify the exact KYC procedures that may or should be implemented, granting regulated entities a broad margin of discretion. The MLR mostly set out the general criteria that identity verification processes must conform to; for example, paras. 18-19 of Art. 27 provide the following guidance:
“(18) For the purposes of this regulation —
- <...> “verify” means verify on the basis of documents or information in either case obtained from a reliable source which is independent of the person whose identity is being verified;
- ...documents issued or made available by an official body are to be regarded as being independent of a person even if they are provided or made available to the relevant person by or on behalf of that person.
(19) For the purposes of this regulation, information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where—
- it is obtained by means of an electronic identification process <...>; and
- that process is secure from fraud and misuse and capable of providing assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing”.
The current Guidance by the Joint Money Laundering Steering Group (JMLSG), which is widely regarded as establishing the industry standard for compliance with AML/CFT requirements, confirms that non-documentary checks (in particular, those involving external databases) are permissible as the primary KYC measure. Obliged entities are, however, instructed to use multiple data sources (or one single source where it “has been issued by a government authority and contains cryptographic security features”) or to “incorporate qualitative checks that assess the strength of the information supplied” (para. 5.3.50). In addition, it is reiterated that firms opting for electronic verification must “demonstrate that they have both verified that the customer exists, and satisfied themselves that the individual seeking the business relationship is, in fact, that customer” (para. 5.3.79). To fulfill this requirement, the Guidance recommends various methods, such as the use of biometric information or private codes that “incontrovertibly link the potential customer <...> to the electronic/digital identity information” (para. 5.3.44).
It follows that, under the UK AML regulations, Non-Doc KYC solutions may be relied upon insofar as they are complemented with additional security measures that link the user to their claimed identity, the existence of which has been confirmed by an independent external data source.
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product and has confirmed that, at the time of review, non-documentary identity verification is permissible in the United Kingdom and that the solution deployed by Sumsub is compliant with local regulation and guidance.
Similarly to the AML regime of the UK, the Bank Secrecy Act (BSA) of the USA only broadly outlines the customer due diligence obligation; for instance, 31 CFR 1020.220 (section on “Customer Identification Program: minimum requirements”) lists the data to be collected in respect of every individual client but not the specific means of its verification. At the same time, para. 1020.220(a)(2) states that both documentary and non-documentary verification methods (as well as their combinations) are acceptable so long as (i) the chosen procedures “enable the [obliged entity] to form a reasonable belief that it knows the true identity of each customer”; and, (ii) in case a non-documentary solution is elected, the firm applies additional procedures to address the risks where “the customer opens the account without appearing in person”. Several examples of non-documentary KYC processes are also given for reference, such as “contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement”.
This approach is further confirmed in various explanatory or interpretative materials by the Financial Crimes Enforcement Network (FinCEN), e.g., Guidance FIN-2018-G001 of April 3, 2018:
“A financial institution’s CIP must contain procedures for verifying customer identification, including describing when the institution will use documentary, non-documentary, or a combination of both methods for identity verification”;
“Non-documentary methods of verification may include contacting a beneficial owner; independently verifying the beneficial owner’s identity through the comparison of information provided by the legal entity customer (or the beneficial owner, as appropriate) with information obtained from other sources; checking references with other financial institutions; and obtaining a financial statement”;
“<...> covered financial institutions may verify the identity of a beneficial owner who does not appear in person, through a photocopy or other reproduction of a valid identity document, or by non-documentary means <...>”.
Accordingly, the US AML regulations allow, in principle, non-documentary KYC methods; however, the obliged entity must be assured it knows the true identity of its customer, for which purpose additional KYC mechanisms aimed at connecting the user and the identity in question must be implemented.
The FINTRAIL audit report:
FINTRAIL has conducted a regulatory-led audit of Sumsub’s non-documentary identity verification product and has confirmed that, at the time of review, non-documentary identity verification is permissible in the United States of America and that the solution deployed by Sumsub is compliant with local regulation and guidance.
Vietnam's 2022 Law on Anti-Money Laundering (“AML Law”) establishes customer due diligence (CDD) procedures applicable to AML-obliged entities, including those related to customer identification and identity verification.
Pursuant to Article 10 of the AML Law, reporting subjects must collect identity data of individual customers depending on their nationality and residence:
- “1. Customer identification information, including information about the individual customer's representative (if any):
- a) For individual customers whose nationality is Vietnamese: full name; date of birth; nationality; profession, job position; phone number; ID card number or Citizen Identification Number or personal identification number or passport number, date of issue, place of issue; permanent residence registration address and other current residence (if any);
- b) For individual customers with one nationality who are foreigners residing in Vietnam: full name; date of birth; nationality; profession, job position; phone number; passport number, date of issue, place of issue; entry visa number, except in cases of visa exemption as prescribed by law; residential address abroad and registered residence address in Vietnam;
- c) For individual customers with one nationality who are foreigners not residing in Vietnam: full name; date of birth; nationality; profession, job position; passport number or identification number issued by a foreign competent authority, date of issue, place of issue; residential address abroad;
- d) For individual customers who have two or more nationalities: corresponding information specified in point a, b or c of this clause; nationality, residential address in the country of the other nationality;
- dd) For individual customers who are stateless: full name; date of birth; profession, job position; number of the document valid for international travel (if any), visa number; entry visa-issuing agency, except in cases of visa exemption as prescribed by law; residence address abroad (if any), residence registration address in Vietnam”.
In addition, Article 12 of the AML Law lists the following means for verifying the information referred to above:
- “1. Reporting subjects use documents and other data to verify customer identification information, including:
- a) For individual customers: ID card, citizen identification card or valid passport; other documents issued by competent authorities; [...]
- 2. Reporting subjects can exploit information in national databases according to the provisions of law, through competent state agencies and organizations”.
It therefore appears that the documentary approach to KYC is not mandatory so long as the alternative is one of the national identity databases. However, additional mechanisms (e.g., a questionnaire) may need to be implemented in order to collect the necessary customer information that might not be contained in the consulted data source.
Limitations and Solutions
A non-documentary KYC procedure must ensure both that:
- The identity presented by the applicant genuinely exists.
- The applicant has submitted their own identity data (i.e., the identity belongs to the applicant). When implementing Non-Doc Verification, Sumsub achieves this in a few ways:
- Using a data source containing a highly robust identity attribute that can be compared against the data provided by the applicant. For instance, Sumsub takes this approach with the National Identity Management Commission database in Nigeria. The applicant passes Liveness and submits their surname and BVN (Bank Verification Number, which is unique to each individual and used in the local banking system). The database then confirms whether the provided BVN is valid and returns the personal data associated with it, including photos that can be matched against the Liveness results.
- Analyzing a combination of attributes treated as sensitive information and cross-checking the obtained data against several independent sources. The following combination may be used and considered strong evidence when analyzed together: an ID number treated as sensitive information (such as the CPF in Brazil) together with a phone number or even an email address, where a database contains those attributes.
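As an added illustration (this is not Sumsub's code or API), the following Python sketches the decision logic behind the two requirements above: path 1 binds the applicant to a registry record through a unique identifier plus a face match against the returned photo, and path 2 binds them through several sensitive attributes that must agree across independent sources. The registry, the independent databases, the embeddings and the thresholds are all constructed stand-ins.

```python
from dataclasses import dataclass, field
import math
import re
import unicodedata
# Constructed stand-in for an authoritative registry keyed by a unique national id
# (BVN-style); the toy embedding stands in for the reference photo it returns.
REGISTRY = {"22212345678": {"surname": "Okafor", "face_embedding": (0.91, 0.12, 0.40)}}
# Constructed independent databases holding different attributes for a CPF-style id.
INDEPENDENT_SOURCES = {
    "telecom_db": {"123.456.789-09": {"phone": "+5511999990000"}},
    "bureau_db": {"123.456.789-09": {"email": "ana.souza@example.com"}},
}

def normalize(text):
    """Fold accents, case and whitespace so 'Okafor ' and 'OKAFOR' compare equal."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"\s+", " ", folded).strip().upper()

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

@dataclass
class Decision:
    identity_exists: bool   # check 1: the claimed identity is held by a reliable source
    applicant_bound: bool   # check 2: the applicant is the owner of that identity
    reasons: list = field(default_factory=list)

    @property
    def approved(self):
        return self.identity_exists and self.applicant_bound

def verify_with_biometric(id_number, surname, liveness_embedding, threshold=0.95):
    """Path 1: look the id up in the registry, then bind the applicant to the
    record by comparing the liveness capture with the registry photo."""
    record = REGISTRY.get(id_number)
    if record is None:
        return Decision(False, False, ["id number not found in registry"])
    reasons = []
    if normalize(surname) != normalize(record["surname"]):
        reasons.append("surname does not match registry")
    if liveness_embedding is None:
        reasons.append("liveness check not passed")
    elif cosine(liveness_embedding, record["face_embedding"]) < threshold:
        reasons.append("face does not match registry photo")
    return Decision(True, not reasons, reasons)

def verify_with_cross_check(id_number, phone=None, email=None, min_matches=2):
    """Path 2: no reference photo, so bind the applicant through several
    sensitive attributes that agree across independent sources."""
    supplied = {k: v for k, v in {"phone": phone, "email": email}.items() if v}
    holders = {n: s[id_number] for n, s in INDEPENDENT_SOURCES.items() if id_number in s}
    if not holders:
        return Decision(False, False, ["id number not found in any source"])
    matches, reasons = 0, []
    for name, record in holders.items():
        for attr, value in record.items():
            if attr in supplied and normalize(supplied[attr]) == normalize(value):
                matches += 1
            elif attr in supplied:
                reasons.append(f"{attr} disagrees with {name}")
    if matches < min_matches:
        reasons.append(f"only {matches} of {min_matches} required attributes confirmed")
    return Decision(True, not reasons, reasons)
```

A registry hit with a failed face match yields `identity_exists=True` but `applicant_bound=False`, which is exactly the case the second requirement above is meant to catch.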