The Unit of Financial Information (UIF) is the Argentinian AML office that regulates banks, financial institutions, online casinos, public registries, insurance companies and other industries

In Article 23(a) of Resolución 30-E/2017 of the UIF, it is established that all individual customers of a regulated entity must be identified by at least their full name, document number and type and that only Argentinian national ID cards, or passports or ID cards issued by a foreign country, are valid documents for this purpose. Regulated entities must collect a copy of the said documents. At the same time, it is stated that “[the aforementioned provisions] are without prejudice to the provisions of Article 26 on non-face-to-face methods of identification”.

Article 26 further sets out the rules to be followed when verifying a customer’s identity remotely, establishing that it can be done via two alternative methods:

• ...through “rigorous biometric techniques or alternative technological methods of equal strength”. These imply a procedure that includes displaying the original identity document, which requirement may be fulfilled, e.g., via a videoconference or via using the online certificate (national digital ID) issued by the National Registry of Persons (RENAPER). It is the responsibility of the obliged entity to implement the technical safeguards that ensure the authenticity, validity and integrity of the identification documents used and the correspondence of the document’s owner with the individual undergoing verification;
• ...by collecting, through the entity's website or other alternative channels, a copy of the customer’s documents as stipulated in Art. 23 and providing the customer with a personal and non-transferable credential, containing, inter alia, a set of control questions pertaining to their identity.

To enable banks and other institutions to safely verify national identity documents, the Argentinian government has set up the Digital Identity System(SID). Since the SID allows to confirm that (i) an individual's facial image coincides with that taken at the time of the generation of their ID and (ii) the presented ID (or data contained therein) is valid and belongs to the same person by cross-matching the respective information with the RENAPER database, it is considered sufficiently secure.

Accordingly, it is possible for an Argentinian customer to use their digital ID (including by accessing the ID data via SID) as an equivalent of a standard document copy for verification.

In Bangladesh, non-documentary identity verification is currently endorsed under the 2019 Guidelines on Electronic Know Your Customer (e-KYC) (“Guidelines”), issued by the Bangladesh Financial Intelligence Unit (BFIU) and applicable to all reporting entities. However, it implies several restrictions:

• the Guidelines only apply to KYC conducted in respect of natural persons holding a valid national ID card (NID) of Bangladesh with biometric data stored therein;
• fully remote KYC (where the customer does not visit the premises of the reporting entity) prescribes a seamless procedure with the following steps: (i) the NID is captured from both sides, with the data extracted by OCR; (ii) the customer’s face is captured with a high-resolution camera; (iii) the necessary identity data (name, parental names, address, phone number, etc.) is collected in digital format; (iv) the client’s wet signature or electronic signature or digital signature or PIN is collected for future reference; (v) the data is authenticated against the official database held by the NID Wing of Election Commission; and (vi) AML screening is carried out (see Section 3.3 of the Guidelines).

As for individuals that do not hold a NID, the document-based approach is predominant. For example, the Guidance Notes on Prevention of Money Laundering and Terrorist Financing for Financial Institutions by the BFIU and the Central Bank of Bangladesh suggest a photo-bearing ID (which, furthermore, has to be certified and, as per Section 7.3.5.1, supplemented with at least one additional check to “guard against impersonation”) is a necessary element in the KYC procedure:

“The original, certified copy of the following Photo ID also plays vital role to identify the customer: (i) Current valid passport; (ii) Valid driving license; (iii) National ID Card; (iv) Employer provided ID Card, bearing the photograph and signature of the applicant; Identification documents which do not bear photographs or signatures, or are easy to obtain, are normally not appropriate as sole evidence of identity [...]” (Section 7.3.5).

Likewise, in terms of confirming the customer’s address, one or more of the following steps is recommended:

• “provision of a recent utility bill, tax assessment or bank statement containing details of the address (to guard against forged copies it is strongly recommended that original documents are examined);
• checking the Voter lists;
• checking the telephone directory [the only reference to non-documentary evidence];
• visiting home/office;
• sending thanks letter” (Section 7.3.5).

Accordingly, the only explicitly permitted electronic-based KYC solution is limited to NID holders and requires the customer to actually present the NID at the onboarding stage for capturing.

Article 10 of Law N° 9.613, commonly known as the Anti-Money Laundering Law, establishes the obligation of entities (such as banks, financial institutions, insurance companies, casinos, card issuers, leasing companies, real estate companies, and in general companies that trade luxury goods) that fall under the regulation of the Brazilian AML office (COAF) to “identify their clients and keep their registries up to date, according to the norms set out by the corresponding regulatory agency”.

In general, such regulator-specific norms are receptive of digital KYC mechanisms, with obliged entities granted relatively broad discretion in choosing the external sources to rely on.

For instance, the Securities and Exchange Commission of Brazil has established the following:

“The adoption of alternative registration systems is permitted, including by electronic means, provided that the solutions adopted satisfy the objectives of the current rules and the procedures are trustworthy. [...] the procedures adopted [must] allow to confirm the customer's identification with precision” ("CVM Instrução 617", Art. 12);

In the case of banks and financial institutions, the Central Bank of Brazil has set out the following rules:

“The institutions shall adopt identification procedures that allow verifying and validating the identity of the client. The procedures shall include obtaining, verifying and validating the authenticity of customer identification information, including, if necessary, by comparing this information with those available in public and private databases” (" BACEN/DC Circular No.3978 OF 01/23/2020", Art. 16(1));

Nevertheless, for the banking institutions a fully non-documentary KYC flow might only be possible in relation to local residents, since onboarding of a person who does not have a CPF (Natural Persons Register) taxpayer identification number requires to collect an ID copy:

“In the customer identification process, at least: - the full name and [CPF number], in the case of a natural person [must be collected]; [...] In the case of a client who is a natural person residing abroad who is not required to register with the CPF, in the form defined by the Federal Revenue Secretariat of Brazil, the use of a travel document in accordance with the Law is permitted, and at least the issuing country must be collected, the number and type of the document ("Circular No. 3978 by the Central Bank", Art. 16(2-3)).

The Prevention of Money Laundering Act, 2002(“PMLA”) and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 issued thereunder (“PML Rules”) provide the main legislative framework for combating ML / TF in India and, together with the guidance produced by the national Reserve Bank, explicitly prescribe e-KYC based on the customer’s Aadhaar number 2 or other identifiers as one of the possible (or, for certain entities, required) means of identity verification:

“Every reporting entity shall verify the identity of its clients and the beneficial owner by –

• Authentication under the Aadhaar [...] Act, 2016 if the reporting entity is a banking company; or
• Offline verification under the Aadhaar [...] Act, 2016; or
• Use of passport issued under section of the Passports Act, 1967; or
• Use of any other officially valid document or modes of identification as may be notified by the Central Government in this behalf” (PMLA, Section 11(A)(1)).

Non-banking entities may also be permitted, by special notification of the Central Government, to perform Aadhar authentication, provided that it is necessary to do so and that the entities in question comply with the standards of privacy and security under the Aadhaar Act. At the same time, the customer is allowed to choose between options.

“Where the client is an individual, they shall [...] submit to the reporting entity, – the Aadhaar number where,

• He is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 (18 of 2016); or
• He decides to submit his Aadhaar number voluntarily to a banking company or any reporting entity notified under first proviso to sub-section (1) of section 11A of the Act; or (aa) the proof of possession of Aadhaar number where offline verification can be carried out; or
• The proof of possession of Aadhaar number where offline verification cannot be carried out or any officially valid document or the equivalent e-document thereof containing the details of his identity and address [...]” (PML Rules, Rule 9(4)).

Depending on which data the customer provides and whether offline verification is available, the reporting entity shall carry out the following procedures (“where the client has submitted –):

• His Aadhaar number [...] to the banking company or a reporting entity notified under first proviso to sub-section (1) of section 11A, such banking company or reporting entity shall carry out authentication of the client's Aadhaar number using e-KYC authentication facility provided by the Unique Identification Authority of India;
• Proof of possession of Aadhaar under clause (aa) of sub-rule (4) where offline verification can be carried out, the reporting entity shall carry out offline verification;
• An equivalent e-document of any officially valid document, the reporting entity shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000) and any rules issues thereunder and take a live photo as specified under Annex 1;
• Any officially valid document or proof of possession of Aadhaar number under clause (ab) of sub-rule (4) where offline verification cannot be carried out, the reporting entity shall carry out verification through digital KYC as specified under Annex 1”.

Additionally, the Master Direction – Know Your Customer (KYC) Direction of Reserve Bank of India allows to verify a client’s identity based on the KYC identifier from the Central KYC Records Registry.

“For undertaking CDD, REs shall obtain the following from an individual while establishing an account-based relationship [...]: (ac) the KYC Identifier with an explicit consent to download records from CKYCR [...]”(Master Direction, section 16).

Therefore, the available options are: (i) Aadhaar-based authentication; (ii) Aadhaar-based offline verification; (iii) digital KYC; (iv) KYC identifier verification.

Aadhaar authentication, powered by the Unique Identification Authority of India (UIDAI),provides an instant mechanism to confirm one’s identity and does not require any other ID proof except Aadhaar number. It is, however, restricted to banking institutions and certain other requesting entities as described above. Accounts opened using Aadhaar OTP-based authentication, in non-face-to-face mode, are subject to a number of limitations as to the maximum balance, permitted operations, etc.

The UIDAI also enables “ paperless offline e-KYC”, wherein the customer, using their Aadhaar number, creates a “Share Phrase” with their identification data encrypted and shares it with the entity performing KYC. The entity can then validate the data through its own OTP / face authentication mechanism.

Digital KYC means “the capturing of a live photo of the customer and their officially valid document / proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the location where such live photo is being taken by an authorised officer of the reporting entity” in accordance with specific technical requirements (Master Direction, section 3(a)(viii)). This procedure, however, may only be carried out via a specialized application developed by the reporting entity (Master Direction, Annex I).

Where a customer submits a KYC Identifier to a reporting entity, with an explicit consent to download records from CKYCR, the reporting entity shall retrieve the KYC records online from the CKYCR using the KYC Identifier and the customer shall not be required to submit the same KYC records or information or any other additional identification documents or details, subject to certain exceptions (Master Direction, section 56).

As an alternative to the aforementioned procedures, the “V-CIP” mechanism was recently introduced, consisting of a video conference with the reporting entity’s operator in combination with a “liveness” check, geolocation check, and document analysis (Master Direction, section 18). V-CIP, however, is also dependent on external data sources, since the reporting entitiy is still required to validate the customer’s identity data based on Aadhaar number, KYC identifier or e-document.

In conclusion, the current regulation allows for various identity verification methods that can either involve the customer submitting an identity document to the reporting entity or omit this step altogether.

The most recent comprehensive legal act outlining the responsibilities of AML-subject entities in Indonesia is the Regulation (POJK) No. 8 of 2023(“OJK Regulation”) on the Implementation of Anti-Money Laundering (AML), Counter-Terrorist Financing (CFT), and Counter-Proliferation Financing of Weapons of Mass Destruction (CPF) Program in the Financial Services Sector by the Indonesian Financial Services Authority (Otoritas Jasa Keuangan, OJK), which regulates the country’s financial industry on par with Bank Indonesia.

Pursuant to Art. 21(2) of the OJK Regulation, identity verification of prospective customers may be conducted via: “a. direct face-to-face meetings; b. electronic face-to-face meetings; and/or c. non-face-to-face electronic mechanisms”. The solutions that may be employed by the supervised entity under subclause (c) are not limited, yet three main options are highlighted: the entity may rely on (i) its own software and hardware; (ii) software and hardware belonging to third parties (such as KYC providers) and accessed by the entity; or (iii) utilization of population databases, for which at least two authenticity factors must be used (something characteristic of the customer and something the customer possesses).

Regarding the scope of data to be collected in respect of an individual customer, Art. 25(1) of the OJK Regulation lists the following points:

• Full name (including aliases, if any);
• Identity document number;
• Residential address according to the ID and other residential addresses, if any;
• Place and date of birth;
• Citizenship;
• Occupation;
• Address and telephone number of workplace, if any;
• Gender;
• Marital status;
• Mother’s maiden name;
• Identity of the beneficial owner, if any;
• Source of funds;
• Average annual income and/or net worth;
• Aims and objectives of the business relationship or transaction.

Further, according to Art. 26(1) of the OJK Regulation, the aforementioned information has to be supported by an identity document. However, the Article further specifies that it can include: (i) for Indonesian citizens – a resident card or “digital population identity as intended in the laws and regulations regarding population data”; (ii) for foreign citizens – a passport accompanied by immigration documents; (iii) for “individuals from the Indonesian diaspora or Indonesian people abroad” – passports and identity cards issued to such individuals under the applicable laws and regulations.

In reference to non-document verification, therefore, it is safe to assume that Indonesia allows electronic KYC via national identity databases when it comes to local citizens (see, e.g., the e-KTP system). However, further checks are likely to be required to obtain all of the necessary customer data.

Pursuant to Art. 45(1) of Kenya’s 2009 Proceeds of Crime and Anti-Money Laundering Act, a natural person’s identity must always be verified based on an official identification document, which should be obtained directly from the customer rather than from an external source:

“A reporting institution shall take reasonable measures to satisfy itself as to the true identity of any applicant seeking to enter into a business relationship with it or to carry out a transaction or series of transactions with it, by requiring the applicant to produce an official record reasonably capable of establishing the true identity of the applicant, such as — (a) in the case of an individual — (i) a birth certificate; (ii) a national identity card; (iii) a driver’s licence; (iv) a passport; or (v) any other official means of identification as may be prescribed”.

This is supported by the 2013 Prudential Guidelines issued by the Central Bank of Kenya:

“An institution shall take measures to satisfy itself as to the true identity of any applicant seeking to enter into a business relationship with it, or to carry out a transaction or series of transactions with it, by requiring the applicant to produce an official record for the purposes of establishing the true identity of the applicant. At a minimum the mandatory requirements are as follows: (i) In the case of an individual: A birth certificate; or Passport; or National identity card; or Drivers licence” (para. 5.6.5.1)

Accordingly, Non-Doc KYC solutions alone are not sufficient for regulatory compliance.

The 2022 Money Laundering (Prevention and Prohibition) Act (“AML Act”), together with regulations and guidance by the Central Bank of Nigeria (“CBN”), lays out the legal provisions applicable to Nigerian AML-supervised entities, including those related to customer due diligence.

Art. 4(1) of the AML Act outlines the general principles of the identification and identity verification duty for financial institutions and DNFBs. While the document-based approach is framed as the default standard, the AML Act refers to secondary legislation for substantiation 10:

“A financial institution and a designated non-financial business and profession shall —

• identify a customer, whether permanent or occasional, natural or legal person or any other form of legal arrangements, using identification documents as may be prescribed in any relevant regulation;
• verify the identity of that customer using reliable, independent source documents, data or information <...>”.

In turn, Art. 6(a) of the Central Bank of Nigeria Customers Due Diligence Regulations 2023 (the “CDD Regulations”) lists the information to be collected in relation to individual customers, with Art. 7(2) elaborating on the possible means of its verification:

• legal name and any other names used (such as maiden name),
• permanent address (full physical address),
• residential address (where the customer can be located),
• telephone number, e-mail address and social media handle,
• date and place of birth,
• Bank Verification Number (BVN),
• Tax Identification Number (TIN),
• nationality,
• occupation, public position held and name of employer,
• an official personal identification number or other unique identifier contained in an unexpired document issued by a government agency, that bears a name, photograph and signature of the customer such as a passport, national identification card, residence permit, social security records or drivers’ license,
• type of account and nature of the banking relationship,
• signature, and
• politically exposed persons (PEPs) status.

“FIs shall verify the identity of individuals by confirming the — (a) date of birth from a valid official document, such as birth certificate, passport, identity card and national or social security records; (b) residential address through physical visitation and use of other sources, including utility bill, tax assessment, bank statement, or letter from a public authority; (c) contact details provided by the customer through positive feedback from phone call, email or physical letter to the residential address; (d) validity of the official documentation provided through certification by an authorized person such as embassy official, notary public (in the case of foreign nationals); and (e) phone numbers, particularly for wallet providers, through independent process, including validation against the NCC database or geo-mapping”.

Therefore, the notion of official documentation that may be used for identity verification is quite broad, implying it is not necessarily required to collect a copy of any particular identity document. Furthermore, Arts. 14, 16 and 35 of the CDD Regulations as well as Art. 26 of the 2022 Central Bank of Nigeria (Anti-Money Laundering, Combatting the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions) Regulations (the “AML Regulations”) specify that both “physical” and “electronic” methods of customer onboarding may be adopted by financial institutions, so long as the “tiered” approach and other e-KYC standards endorsed by the CBN are complied with.

Referring, in turn, to the “tiered” approach as established in the 2013 CBN Circular FPR/DIR/CIR/GEN/02/001 (Introduction of Three-Tiered Know Your Customer (KYC) Requirements), it prescribes different CDD standards depending on the customer’s risk profile and the value of their account:

• until recently, only a set of identity attributes (such as passport photo, name, place and date of birth, etc.) was required for Tier 1 (lowest-value) accounts with no evidence required;
• Tier 2 demands the Tier 1 information provided by the customer to be supported with evidence and checked against official databases (such as National Identity Management Commission (NIMC), Independent National Electoral Commission (INEC) Voters Register, Federal Road Safety Commission, etc.), while “ID verification and monitoring” is also necessary;
• Tier 3 further refers to the KYC standards established by the CBN AML/CFT Regulation, 2009 as amended (which would, at present, encompass both the AML Regulations and the CDD Regulations, in particular Arts. 6-7 of the latter as referenced above)

Furthermore, the 2023 CBN Circular PSM/DIR/PUB/CIR/001/053 enhanced the aforementioned requirements, stating that: (i) it is now mandatory for all Tier 1 accounts for individuals to have BVN and/or NIN (National Identification Number); (ii) both BVN and NIN are obligatory for Tier 2 and Tier 3 accounts; and (iii) “the process for account opening shall commence by electronically retrieving BVN or NIN related information from the NIBSS’ BVN or NIMC’s NIN databases [together with the underlying identity data, such as name, DoB, etc.] and for the same to become primary information for onboarding of new customers”. In addition, the same Circular prescribed all the BVNs and NINs already attached to existing accounts to be revalidated by January 31, 2024.

BVN- and NIN-based verification is generally widespread in the country. A BVN is a unique ID number issued to every customer of a Nigerian bank upon enrolment and linked to every account that the customer has in any other local banks, whereas a NIN is provided by the NIMC and used to link citizens’ and legal residents’ biometric data to the National Identity database, which may then be relied on for physical or digital verification and authentication. Both identifiers can therefore be easily validated against governmental databases.

In conclusion, banks and other financial institutions are generally encouraged (and, in certain cases, obliged) to refer to external official databases while onboarding Nigerian citizens and residents. However, in some instances these checks may have to be supplemented with obtaining supporting documentation from the customer depending on their account Level (risk profile).

The 2017 Guidance Note 7 on the Implementation of Various Aspects of the Financial Intelligence Centre Act, 2001, issued by the Financial Intelligence Centre of South Africa, emphasizes that regulated institutions “have the flexibility to choose the type of information by means of which they will establish clients’ identities and also the means of verification of clients’ identities” (para. 74). More specifically, both “documents” and “electronic data issued or created by reliable and independent third-party sources” are permitted for confirming a customer’s identity (para. 83). The Guidance Note subsequently reiterates this approach, while stating that full name, date of birth and unique identifying number issued by a government source are “basic attributes” that should be collected from an individual in any event (para. 85) and outlining the following principles of e-verification:

• The regulated entity should conduct a risk assessment of the data sources to be engaged (paras. 87, 90-91)
• Only reliable and independent (e.g., not created or generated by the customer themselves) third-party sources may be used (paras. 87-88);
• Where possible, the regulated entity should use the original sources of the information in question (i.e., government-issued or -controlled sources); using multiple data sources, including across time, is also encouraged (paras. 88-89, 92).
• The use of electronic data sources does not, in itself, protect the obliged entity from regulatory action relating to its AML compliance duties (para. 90);
• Data sources that can be manipulated and tampered with are not considered reliable (para. 91);
• The Department of Home Affairs, records of the Companies and Intellectual Property Commission, records of the South African Revenue Service, eNaTIS records and records of the Master of the High Court are named as examples of acceptable data sources (para. 94).

Thus, electronic sources may be relied on for KYC measures so long as they are sufficiently robust and meet the aforementioned criteria and the information contained therein can be securely linked to the customer’s real identity.

While being the core legal sources of AML-related obligations, neither the Proceeds of Crime Act 2002 nor the Money Laundering, Terrorist Financing and Transfer of Funds (Informationon the Payer) Regulations 2017 (“MLR”) specify the exact KYC procedures that may or should be implemented, granting regulated entities a broad margin of discretion. The MLR mostly set out the general criteria that identity verification processes must conform to; for example, paras. 18-19 of Art. 27 provide the following guidance:

“(18) For the purposes of this regulation —

• <...> “verify” means verify on the basis of documents or information in either case obtained from a reliable source which is independent of the person whose identity is being verified;
• ...documents issued or made available by an official body are to be regarded as being independent of a person even if they are provided or made available to the relevant person by or on behalf of that person.

(19) For the purposes of this regulation, information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where—

• it is obtained by means of an electronic identification process <...>; and
• that process is secure from fraud and misuse and capable of providing assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing”.

The current Guidance by the Joint Money Laundering Steering Group (JMLSG), which is widely regarded to establish the industry standards for compliance with AML/CFT requirements, confirms that non-documentary checks (in particular, those involving external databases) are permissible as the primary KYC measure. Obliged entities are, however, instructed to choose multiple data sources (or one single source where it “has been issued by a government authority and contains cryptographic security features”) or to “incorporate qualitative checks that assess the strength of the information supplied” (para. 5.3.50). In addition, it is further reiterated that firms opting for electronic verification must “demonstrate that they have both verified that the customer exists, and satisfied themselves that the individual seeking the business relationship is, in fact, that customer” (para. 5.3.79). To fulfill this requirement, the Guidance recommends various methods, such as the use of biometric information or private codes that “incontrovertibly link the potential customer <...> to the electronic/digital identity information” (para. 5.3.44).

It follows that, under the UK AML regulations, Non-Doc KYC solutions may be relied upon insofar as they are complemented with additional security measures allowing to link a user to their claimed identity that has been confirmed as existent by an independent external data source.

Similarly to the AML regime of the UK, the Bank Secrecy Act (BSA) of the USA only broadly outlines the customer due diligence obligation; for instance, 31 CFR 1020.220 (section on “Customer Identification Program: minimum requirements”) lists the data to be collected in respect of every individual client but not the specific means of its verification. At the same time, para. 1020.220(a)(2) states that both documentary and non-documentary verification methods (as well as their combinations) are acceptable so long as (i) the chosen procedures “enable the [obliged entity] to form a reasonable belief that it knows the true identity of each customer”; and, (ii) in case a non-documentary solution is elected, the firm applies additional procedures to address the risks where “the customer opens the account without appearing in person”. Several examples of non-documentary KYC processes are also given for reference, such as “contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement”.

This approach is further confirmed in various explanatory or interpretative materials by the Financial Crimes Enforcement Network (FinCEN), e.g., Guidance FIN-2018-G001 of April 3, 2018:

“A financial institution’s CIP must contain procedures for verifying customer identification, including describing when the institution will use documentary, non-documentary, or a combination of both methods for identity verification”;

“Non-documentary methods of verification may include contacting a beneficial owner; independently verifying the beneficial owner’s identity through the comparison of information provided by the legal entity customer (or the beneficial owner, as appropriate) with information obtained from other sources; checking references with other financial institutions; and obtaining a financial statement”;

“<...> covered financial institutions may verify the identity of a beneficial owner who does not appear in person, through a photocopy or other reproduction of a valid identity document, or by non-documentary means <...>”.

Accordingly, the US AML regulations allow, in principle, non-documentary KYC methods; however, the obliged entity must be assured it knows the true identity of its customer, for which purpose additional KYC mechanisms aimed at connecting the user and the identity in question must be implemented.