Country:
🇦🇺 Australia
🇧🇩 Bangladesh
🇧🇼 Botswana
🇨🇾 Cyprus
🇨🇿 Czech Republic
🇪🇪 Estonia
🇫🇮 Finland
🇫🇷 France
🇬🇭 Ghana
🇭🇰 Hong Kong
🇮🇳 India
🇮🇩 Indonesia
🇮🇹 Italy
🇱🇹 Lithuania
🇳🇬 Nigeria
🇳🇴 Norway
🇵🇭 Philippines
🇸🇦 Saudi Arabia
🇸🇬 Singapore
🇪🇸 Spain
🇸🇪 Sweden
🇹🇭 Thailand
🇦🇪 UAE
🇺🇿 Uzbekistan
🇻🇳 Vietnam
The anti-money laundering and counter terrorism financing legal framework in Australia is governed primarily by the
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the "AML/CTF Act") and its related regulations. In turn,
the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (the "AML/CTF Rules")are subsidiary legislative instruments made under the AML/CTF
Act and elaborating on the obligations set out therein.
Specifically regarding customer identification and identity verification procedures, Part 4.2.3 of the AML/CTF Rules sets out the minimum KYC information to be collected about an individual customer: (i) full name, (ii) date of birth,
and (iii) residential address; at least (i) and either (ii) or (iii) have to be subsequently verified, pursuant to Part 4.2.6.
Further, Part 4.2.7 lists the acceptable methods of verifying the above-mentioned customer data:
"reliable and independent documentation;
reliable and independent electronic data; or
a combination of (1) and (2) above".
The AML/CTF Rules offer different "safe harbour" verification approaches (documentation-based and electronic-based) depending on the risk profile of the customer. In cases where the risk is medium or lower, the procedure should involve,
respectively:
for the documentation-based approach: "(a) an original or certified copy of a primary photographic identification document;27 or (b) both: (i) an original or certified copy of a primary non‑photographic identification document; and
(ii) an original or certified copy of a secondary identification document"28 . The entity must also "verify that any document produced about the customer has not expired (other than in the case of a passport issued by the Commonwealth
that expired within the preceding two years)" (AML/CTF Rules, Parts 4.2.10 - 4.2.11);
for the electronic-based approach: use of reliable and independent electronic data from at least two separate data sources is required. The entity must also verify that the customer has a transaction history for at least the past 3
years. (AML/CTF Rules, Parts 4.2.12 - 4.2.14).
Accordingly, where the supervised entity relies on the electronic method only:
if the customer's name and date of birth are verified independently via different electronic sources, address does not need to be confirmed at all;
conversely, if the date of birth is only collected and not verified, a reference to a single reliable electronic source should suffice for address validation, so long as the name is not checked against the same source.
At the same time, pursuant to Part 4.10.2 of the AML/CTF Rules, when choosing an electronic source as a verification basis the reporting entity must determine:
"whether the electronic data is reliable and independent, taking into account the following factors:
(a) the accuracy of the data;
(b) how secure the data is;
(c) how the data is kept up‑to‑date;
(d) how comprehensive the data is (for example, by reference to the range of persons included in the data and the period over which the data has been collected);
(e) whether the data has been verified from a reliable and independent source;
(f) whether the data is maintained by a government body or pursuant to legislation; and
(g) whether the electronic data can be additionally authenticated; and
what reliable and independent electronic data the reporting entity will use for the purpose of verification;
the reporting entity's pre‑defined tolerance levels for matches and errors; and
whether, and how, to confirm KYC information collected about a customer by independently initiating contact with the person that the customer claims to be".
As one of possible solutions, the Australian Transaction Reports and Analysis Centre suggests the Document Verification Service (DVS):
"One option for verifying individual customer and beneficial owner identification using electronic data is the Document Verification Service (DVS). This is a secure online system managed by the Department of Home Affairs. The DVS
matches government-issued identity documents directly with the government organisation that issued them. This lets you check in real time that the document is current and not lost or stolen".
In conclusion, the current AML/CTF legislation of Australia allows the use of electronic data as a verification basis for both identity and address verification purposes so long as proper due diligence of the sources to be used is
carried out. In practice, the electronic-based approach is arguably more viable, as it may be impractical to obtain the originals or certified copies of identity documents in the context of remote onboarding.
27 — As defined in Part 1.2.1 of the AML/CTF Rules.
28 — As defined in Part 1.2.1 of the AML/CTF Rules.
In Bangladesh, non-documentary identity verification is currently endorsed under the
2019 Guidelines on Electronic Know Your Customer (e-KYC) ("Guidelines "), issued by the Bangladesh Financial Intelligence Unit (BFIU) and
applicable to all reporting entities. However, it implies several restrictions:
the Guidelines only apply to KYC conducted in respect of natural persons holding a valid national ID card (NID) of Bangladesh with biometric data stored therein;
fully remote KYC (where the customer does not visit the premises of the reporting entity) prescribes a seamless procedure with the following steps: (i) the NID is captured from both sides, with the data extracted by OCR; (ii) the customer's face is captured with a high-resolution camera; (iii) the necessary identity data (name, parental names, address, phone number, etc.)18 is collected in digital format; (iv) the client's wet signature or electronic signature or digital signature or PIN is collected for future reference; (v) the data is authenticated against the official database held by the NID Wing of Election Commission; and (vi) AML screening is carried out (see Section 3.3 of the Guidelines).
As for individuals that do not hold a NID, the document-based approach is predominant. For example, the
Guidance Notes on Prevention of Money Laundering and Terrorist Financing for Financial Institutions by the BFIU and the Central Bank of Bangladesh suggest a photo-bearing ID
(which, furthermore, has to be certified and, as per Section 7.3.5.1, supplemented with at least one additional check to "guard against impersonation") is a necessary element in the KYC procedure:
"The original, certified copy of the following Photo ID also plays vital role to identify the customer: (i) Current valid passport; (ii) Valid driving license; (iii) National ID Card; (iv) Employer provided ID Card, bearing the
photograph and signature of the applicant; Identification documents which do not bear photographs or signatures, or are easy to obtain, are normally not appropriate as sole evidence of identity [...]" (Section 7.3.5).
Likewise, in terms of confirming the customer's address, one or more of the following steps is recommended:
"provision of a recent utility bill, tax assessment or bank statement containing details of the address (to guard against forged copies it is strongly recommended that original documents are examined);
checking the Voter lists ;
checking the telephone directory ;
visiting home/office;
sending thanks letter" (Section 7.3.5).
Accordingly, the only explicitly permitted electronic-based KYC solution is limited to NID holders and requires the customer to actually present the NID at the onboarding stage for capturing. Address may be verified via electronic
evidence, but only in a limited number of scenarios as demonstrated above.
18 — The full list including: Applicant’s Name; Mother’s Name; Father’s Name; Spouse Name; Gender (M/F/T); Profession; Nationality; Monthly Income and Source of Funds; Mobile Phone Number; Present Address; Permanent Address. The fact that “present address” and “permanent address” are required separately may imply that geolocation / IP data, in combination with other sources, has to be collected so that the obliged entity can obtain both data points (unless it opts for a self-declaration); the Guidelines encourage this, stating that “financial institutions also may collect other complementary data (such as, geolocation, IP addresses, etc.) which could also support ongoing due diligence”. However, no specific procedures for verifying address are prescribed for the NID-based procedure.
The Financial Intelligence Act of 2022 (the "FI Act") provides a comprehensive legal basis for AML/CFT efforts in Botswana. The FI
Act, along with the Financial Intelligence Regulations 2022 (the "FI Regulations"), outlines the obligations for
accountable institutions.
Article 20(1) of the FI Act sets out the general identification and identity verification requirement, with no detailed clarifications:
"A specified party shall, where required to conduct customer due diligence in terms of section 16 and before establishing a business relationship or carrying out a transaction - (a) establish and verify the identity of a customer,
unless the identity of that customer is known and has been verified by the specified party".
Nevertheless, Article 20(6) also emphasizes that identity verification should be conducted based on an official document:
"Proof of identity of a customer under this section shall be through -
(a) production of a National Identity Card for citizens;
(b) production of a passport for non-citizens;
(c) production of a refugee identity card issued under the Refugees (Recognition and Control) Act; [...]; or
(f) such other identity document as the Minister may prescribe".
This is further clarified in the FI Regulations:
"14. (1) Any information or particulars ascertained by a specified party as required under Part II of these Regulations shall, be verified by the specified party by comparing such information obtained with the applicable and
corresponding independent and reliable information set out in the following documentation -
(a) a trust instrument or deed of trust;(b) a national identification document issued by the person's country of origin, domicile or citizenship;
(c) a passport;
(d) a refugee identity card;
(e) a birth certificate; ... or
(h) any reliable document, data or information that reasonably serves to verify any of the information obtained by the specified party in ascertaining the information set out in Part Il of these Regulations.
(2) If it is deemed to be reasonably necessary, taking into account any guidance notes concerning the verification of identity that may apply to a specified party,the specified party shall, in addition to the verification undertaken in
terms of subregulation (1), verify any of the information or particulars ascertained as part of establishing identity by comparing such particulars with any applicable and corresponding reliable document, data or information.
"
Based on the above-cited provisions, taken cumulatively, the expectation appears to be that an individual customer's identity document needs to be processed as part of the KYC procedure unless there is a compelling reason for the
obliged entity's inability to obtain it. However, there is no explicit requirement that the document must be collected from the customer directly.
Meanwhile, the following data is subject to ascertainment in relation to individual customers pursuant to Part 2, Section 6(1) of the FI Regulations:
"(a) the person's full name;
(b) the person's nationality;
(c) where the person is a citizen or resident of Botswana, the identity cardnumber and date of birth of such person;
(d) where the person is not citizen or resident of Botswana, the passportnumber and date of birth of such person;
(e) where the person is a refugee, a refugee identity card number and dateof birth of such person;
(f) where the person is a citizen or resident of Botswana, the person'sresidential address in Botswana;
(g) where the person is not a citizen or resident of Botswana, the residentialaddress in his or her country of domicile and physical address inBotswana;
(h) the person's contact details;
(i) the person's occupation or source of income;
(j) nature and location of business activities, if any;
(k) the source of funds involved in the transaction; and
(l) an original of the recent council rate or utility bill receipt".
Furthermore, Section 15 of the FI Regulations provides additional requirements for non-face-to-face customer onboarding:
"(1) Where a specified party ascertained information, in terms of these Regulations, about a customer without contact in person , with the natural person or with the representative of the customer, the specified party
shall take reasonable steps to ensure the existence and to establish the identity of that customer, taking into account any guidance notes concerning the verification of identities that may apply to that specified party.
(2) Where the customer referred to under subregulation (1) is a natural person, the specified party shall ensure the existence and to establish the identity of that customer by -
(a) obtaining a reference from a well known professional, an employer of the customer of the specified party, or a known customer of the specified party who knows the natural person; or
(b) requesting original recent council rates or utility bill receipt. "
To conclude, the involvement of a digital source as the primary KYC method could be used for identity verification, provided that a copy of the customer's ID can be extracted from the source in question. However, additional documents
would in any event be required for address verification (council rate or utility bill receipt specifically).
In Cyprus, the legal framework governing Anti-Money Laundering ('AML') and Combating the Financing of Terrorism ('CFT') is primarily set out by the
Prevention and Suppression of Money Laundering and Terrorist Financing Laws of 2007 ,
as subsequently amended (referred to as the 'AML/CFT Law'). Besides the stipulated obligations and requirements aimed
at securing the financial environment from illicit activities, this law also outlines the key requirements for Customer Due Diligence ('CDD') and Know Your Customer ('KYC') procedures in Cyprus.
The implementation, enforcement and the adoption of the various domestic and international AML/CFT legislative instruments are overseen by the local Regulatory Bodies, such as:
Central Bank of Cyprus ('CBC'): The country's central monetary authority, responsible for the enforcement of the provisions of the legislation, regulations and supervision of banks, Electronic Money Institutions
(EMIs), and Payment Service Providers (PSPs), Bureaux de Change and Credit Institutions, under section 59 (1)(a) of the AML/CFT Law.
Cyprus Securities and Exchange Commission ('CySEC'): It is a regulatory body that regulates Cyprus's financial services sector, overseeing entities like investment firms, financial institutions, and investment
funds.
Cyprus Bar Association ('CyBAR'): It oversees lawyers and law firms in Cyprus, ensuring compliance with AML and CTF regulations as designated non-financial businesses and professions (DNFBPs).
Institute of Certified Public Accountants of Cyprus ('ICPAC'): It is the competent authority responsible for the regulation and supervision of certified public accountants and audit firms within the Republic of Cyprus.
Cyprus Real Estate Agents ('CREAA): It oversees real estate agents in Cyprus, ensuring their compliance with AML and CTF regulations.
Other relevant entities.
This assessment is largely based on the requirements of CySEC and CBC.
Recent Amendments by the Cyprus Securities and Exchange Commission (CySEC)
A major recent advancement is the CySEC's amendment of the Anti-Money Laundering (AML) Directive , formalized through
Directive 282/2024 and designed to strengthen the existing AML/CFT framework for obliged entities regulated by CySEC, by improving
measures for the prevention of money laundering and terrorist financing, particularly clarifying identification document requirements and the use of electronic verification methods.
Directive 282/2024 introduces a significant amendment by replacing the previous derogation60 rule for video call onboarding. Under the prior framework,61 clients could be onboarded remotely primarily via video call with an
annual deposit threshold of EUR 2,000. The updated Directive removes this derogation in response to advancements in digital technologies and evolving threats in financial crime. While video call verification remains an
option, the new rules require financial institutions to implement robust KYC procedures for all clients, prior to the business relationship and regardless of deposit amounts .
Additionally, Obligated Entities must notify CySEC in advance of the specific electronic methods they intend to use for remote verification and validation of client identities ('RCOS') . However, there is no longer an
exhaustive list of such electronic methods, meaning that video calls are not the only viable option.
On 6 August 2024, CySEC also issued a
Policy Statement On The Enhancement Of The Non-face-to-face ('NFTF') Customer Onboarding Process With Electronic Methods , outlining
new requirements for remote onboarding, such as mandatory liveness detection for unattended solutions, prior to establishing a business relationship, while observing the requirement of Section
61(1)(a) of the AML/CFT Law for 'data and information from a reliable and independent source'.
With these updates accounted for, the key principles of remote customer onboarding as per CySEC remain as follows:
Customer Identification
As a general rule, all customers are expected to provide valid identification documents issued by reliable and independent authorities . Beyond passports, Obliged Entities can now accept other IDs (under eIDAS
identification schemes) issued by government bodies of the European Union or a third country, that state the full name and date of birth and include the individual's photograph. Additionally, information such as the individual's current
residential address, occupation (to establish economic profile) or principal activity must be obtained as part of the verification process.
Address Verification
To verify the customer's residential address, documents such as recent utility bills (issued within the last six months), bank statements, or any other official documents that clearly indicate the permanent address must be provided. It
is critical that these documents are issued by credible and independent sources to ensure their authenticity and reliability.
Certification of Documents
Documents submitted for identification and address verification must either be presented in their original form or as certified true copies. Certification may be conducted by the entity itself when the original documents are presented
or by third parties authorized under applicable laws, such as notaries or other competent legal authorities. Where required, certified copies must include an apostille or notarization to validate the certification process.
Alternatively, where originals or certified copies are not available, the Obliged Entity must: (i) ensure that at least one of the procedures referred to in paragraph 2 of the Fourth Annex of the AML Directive (including, inter alia,
video calls, "penny drop", or "use of an electronic method or a combination of more of them for remoteness ascertaining and verifying the identity of customers, based on assessment, evaluation and money laundering and financing risk
management terrorism") is present; and (ii)(a) collect a simple copy of the customer's ID or (ii)(b) perform identity verification by electronic means on the following cumulative conditions:
the electronic databases employed provide access to information which refers to both current and previous situations that show that the person indeed exists and contain both positive information (at least the customer's full name,
address and date of birth) as well as negative information (e.g. committing crimes such as identity theft, inclusion in records of deceased persons, inclusion in lists of sanctions and restrictive measures by Council of the European
Union and the Security Council UN);
the electronic databases employed contain a wide range of sources, with information from various time periods, updated to real time (real-time update), and send notifications (trigger alerts) when important data changes;
the Obliged Entity knows what information was researched, what the results of the research are and their significance as to the verification of the customer's identity;
has established procedures that allow the Obliged Entity to record and store the information used and the result in relation to the authentication;
information must come from two or more sources: identification of the customer's full name and current address from one source; and identification of the customer's full name and either his current address or date of birth from a
second source;
in case the evidence is in a language other than Greek or English, it must be accompanied by a certified translation (true translation).
Non-Residents of Cyprus
For customers residing outside Cyprus, the same identification and verification procedures apply. However, additional measures may be necessary, including confirmation of the customer's identity through Cypriot embassies, consulates, or
recognized financial institutions in the customer's country of residence. Enhanced due diligence is mandatory in cases where there are concerns about the authenticity of the submitted documents or where the customer poses a higher risk.
The new CySEC AML Directive entered into force on 5 August 2024 , except for the provisions concerning Remote Customer Onboarding Solutions, as detailed in Annex IV of the AML Directive, Paragraph 2(iv), which will take
effect on 1 December 2024.
Therefore, as per CySEC, with the described amendments entering into force, non-doc KYC may be relied on, provided that (i) the databases used meet the criteria described above and (ii) the database check is combined with at least
one more electronic identity verification method (e.g., liveness). However, address verification may only be conducted based on an exhaustive list of documents.
Central Bank of Cyprus ('CBC')
The CBC is the competent authority for the enforcement of the provisions of the legislation in relation to the financial activities of supervised entities in Cyprus, under section 59(1)(a) of the
Prevention and Suppression of Money Laundering Activities Laws of 2007 to 2019 ('the AML/CFT Law' ). Under the Law, the CBC has issued the
5th edition of the
Directive on the Prevention and Suppression of Money Laundering and Terrorist Financing ('the CBC AML/CFT Directive') . As well as the Law 58 (I) of 2016 and the CBC Directive for
Compliance with the provisions of UN Security Council Resolutions and the decisions / regulations of the Council of the European Union .
The Central Bank of Cyprus does not currently have specific legislation regarding the remote onboarding process. However, it has a set of documents to be obtained in relation to natural persons, such as:
Identity Data:
for Cypriot citizens, copy of valid identity card;
for citizens of other countries, copy of passport and valid Alien Registration Card (ARC).
Proof of Permanent Address:
copy of utility bill, not older than six (6) months, (e.g. electricity, landline, water bill in Cyprus, or equivalent, where applicable, from your country of residence), or
home insurance policy, or
municipal tax bill and/or
bank account statement.
Contact details:
telephone number;
email address;
mailing address (if different from your permanent address);
details of professional and other occupations, including the name of the employer/business and the position held in the business;
specimen signature;
source of income / source of wealth;
any other information deemed necessary depending, among others, on the estimated risk. Please note that for natural persons who have experienced adverse circumstances (e.g. political asylum seekers, political refugees, beneficiaries
of subsidiary protection, victims of human trafficking and/or exploitation) the above information may vary depending on the case.
On October 19 2023, the Central Bank of Cyprus officially launched a digital remote onboarding project aimed at modernizing customer identification and updating processes within credit institutions.
The first phase introduces remote digital onboarding, allowing customers to electronically submit and verify their details or update existing information without requiring a physical presence.
The second phase establishes integration with government services, enabling direct retrieval of customer data to streamline the KYC process.
The final phase facilitates secure information sharing among participating banks, simplifying account transfers and reducing administrative complexities.
Supported by major banks such as Bank of Cyprus, Hellenic Bank, Alpha Bank Cyprus, and others, the project underscores a collective effort to modernize the Cypriot banking sector. This phased rollout, supported by leading banks in
Cyprus, aims to deliver streamlined and compliant banking services, with implementation progressing through 2024.
Therefore, the CBC does not currently permit non-doc KYC as a standalone solution for either identity or address verification.
60 — Even though the general rule, in accordance with article 62(1) of the AML Law , says that the verification of identity of a
customer/beneficial owner takes place before the establishment of a business relationship with the said person, there is a derogation of this general rule described in article
62(2) of the AML Law . According to article
62(2) of the AML Law , the verification of identity of the customer/beneficial owner of an obliged entity may be completed during the
establishment of a business relationship, provided that all the fulfilling conditions are met: a) if this is necessary so as not to interrupt the normal conduct of business, and b) where there is little risk of money laundering or
terrorist financing occurring, and c) where the verification procedure is completed as soon as possible after the initial contact.
61 — The circular C367 specifies the limited circumstances under which Cyprus Investment Firms (CIFs) may defer customer identity
verification. In all cases, this verification must be finalized within 15 days from the earlier of either the customer's acceptance of the CIF's terms and conditions or the date of the initial deposit.
In the AML/CFT legal framework of the Czech Republic, the relevant requirements to customer identity verification are largely reflected in
Act No. 253/2008 Coll. on selected measures against legitimisation of proceeds of crime and financing of terrorism
("AML Act ").
As a general rule, Section 8 of the AML Act states that the first identification of a customer who is an individual should be performed with (i) the said customer present in person and (ii) the obliged entity "recording identification data36 and verifying them from an identity card should they be included thereon, and subsequently recording the type and serial number of the identity card, the issuing country or issuing authority and the card's validity; at the same
time, [...] verifying the holder's appearance and the holder's facial image as pictured on the identity card".
However, Section 8a(1) provides for an alternative so long as the substituting solution is either compliant with Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services
for electronic transactions in the internal market ("eIDAS Regulation ") and the implementing regulations or prescribed by another legal act:
"An obliged entity may replace the process pursuant to section 8[...] by identification of a natural person who is a customer [...] performed by means of electronic identification which comply with the following:
a) technical specification, standards, and procedures for a high level of assurance given by the directly applicable regulation of the European Union regulating minimum technical specifications, standards and
procedures for levels of assurance of means of electronic identification37 ) and which is issued and applied pursuant to the qualified system in line with the Act on Electronic Identification , or
b) conditions pursuant to which means of electronic identification can be used for verification of identity required by a legal regulation or discharge of administrative responsibility outside the scope of the qualified system
pursuant to the Bank Act".
As of now, electronic identification schemes notified by the Czech Republic pursuant to
Article 9(1) of the eIDAS Regulation with the "high" level of assurance are the national eID card and "mojeID ", a non-commercial
service operated by the CZ.NIC association and allowing users to authenticate in various private sector and public administration services by creating a digital identity.
Both can therefore be considered acceptable for remote KYC.
36 — As per Section 5(1) of the AML Act, for a natural person this would include: “all names and surnames, the birth identification number or, should the person have no birth identification number, the date of birth, gender, place of birth, address of permanent or other residence, and citizenship”. At the same time, no particular methods for verifying the address are prescribed where it is not featured in the identity document.
37 — Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8 (3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
In Estonia, the main requirements to customer due diligence for AML/CFT purposes are established under the
2017 Money Laundering and Terrorist Financing Prevention Act (the "AML Act ").
As per §21 and §31 of the AML Act, the exact procedures to be followed in relation to an individual customer depend on (i) the customer's country of residence and, if different, nationality; (ii) whether the customer is physically
present during the onboarding process; and (iii) the actual or anticipated amount of transactions carried out within the business relationship. Specifically:
by default, the customer who is a natural person has to be identified:
by their "person's name [and] personal identification code or, where the person does not possess one, their date of birth and the place of residence or location"50 (§21, subsection 1, clauses 1-2);
with the collected identity data subsequently verified "using information originating from a credible and independent source for that purpose" (§21, subsection 2), which may include "personal identification data entered in the
database of identity documents" (§31, subsection 5);
information concerning recognition and verification of the right of representation and scope thereof and, where the right of representation does not arise from law, the name of the document serving as the basis for that right,
its date of issue, and the name of the issuer;
particulars of the person's means of telecommunication.
The obliged entity must also verify the correctness of the data specified in clauses 1 and 2 of subsection 1,using information originating from a credible and independent source for that purpose.
Where the person subject to due diligence procedure is not located in the same location with the party conducting due diligence, and it is not possible to employ a scheme or service mentioned in subsection 3 of this section, the means
or service used to identify the person and verify data must ensure:
that the data and documents gathered in the course of applying due diligence measures are correct and up to date;
secure gathering and storage of images, video, audio and data in understandable form and with sufficient quality, such that unambiguous identifiability of the person is ensured;
in a situation where the connection is unexpectedly interrupted or on manifestation of other technical defects, the failure of identification.
In accordance with subsection 3 of section 21 of the AML Act the obliged entity identifying a natural person should do so using the following documents:
a document specified in subsection 2 of § 2 of the Identity Documents Act;
a valid travel document issued in a foreign country;
a driving licence that meets the requirements provided for in subsection 1 of § 4 of the Identity Documents Act, or
a birth certificate specified in § 30 of the Vital Statistics Registration Act in the case of a person below the age of seven years.
Where the original document specified in the list above, is not available, the identity can be verified on the basis of a document specified in subsection 3, which has been authenticated by a notary or certified by a notary or
officially, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different
sources for verification of data in such an event.
With regard to special customer due diligence rules for financial and credit institutions and where the following cumulative conditions are met:
(i) the customer is not physically present; and
(ii)(a) "the customer's place of residence or seat is in a country outside the European Economic Area", or
(ii)(b) "the total amount of outgoing payments related to the transaction or service contract per calendar month exceeds 15,000 euros in the case of a customer who is a natural person" (§31, subsection 1)
(iii) Where the residence or seat of the customer or of the person who carries out the occasional transaction is in a high-risk third country or in a jurisdiction that falls under the provision of clause 4 of subsection 4 of § 37 of the
Act.
The following remote KYC methods are prescribed: (additionally, the regulated entity must "establish rules of procedure that ensure secure identification of persons and verification of data, and that effectively alleviate and manage
risks related to application of due diligence measures without being present in the same location as the person"):
"an electronic identification scheme that has been notified in accordance with Article 9 of Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic
transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.08.2014, p. 73) and that corresponds to the assurance level provided for by subparagraph (b) or (c) of paragraph 2 of Article 8 of that
Regulation;"; or
"a qualified trust service that meets the requirements provided by Regulation (EU) 910/2014 of the European Parliament and of the Council";
Option 2 (where Option 1 is not possible): the means or service used to identify the person and verify data must ensure:
that the data and documents gathered in the course of applying due diligence measures are correct and up to date;
secure gathering and storage of images, video, audio and data in understandable form and with sufficient quality, such that unambiguous identifiability of the person is ensured;
in a situation where the connection is unexpectedly interrupted or on manifestation of other technical defects, the failure of identification.
Option 1 and Option 2 (where Option 1 is not possible) as defined above are also applicable whenever the customer is not physically present, even if the corresponding qualifying criteria are not met ;
where the customer is not physically present and their residence or seat is in a country that "provides funding or support for terrorist activities, or that has designated terrorist organisations operating within their country, as
identified by the European Union or the United Nations" or another high-risk country, only Option 1 as defined above is permissible (para. 31, subsection 11);
where the customer is not physically present and an e-resident's digital identity document is used to identify them and verify data, another document mentioned in subsection 3 of § 21 of the AML Act51 must be used simultaneously (§31,
subsection 4);
furthermore, where the obliged entity is not a credit institution, a financial institution, or a notary, para. 31 of the AML Act does not apply, meaning a possible fallback to para. 21, subsection 4: "where the original document
specified in subsection 3 of this section is not available, the identity can be verified [...] on the basis of other information originating from a credible and independent source , including means of electronic
identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event".
Accordingly, the instances where the customer would not necessarily have to present an identity document during non-face-to-face KYC may include:
(i) the obliged entity is not a credit institution, a financial institution, or a notary - meaning that identity data may be verified via two independent sources, whether documentary or non-documentary; or
(ii) the obliged entity relies on an e-identification solution with a "high" or "substantial" level of assurance as per the eIDAS regulation or a qualified trust service meeting the requirements of the eIDAS regulation. For example, the
electronic identification schemes notified by Estonia, all with a "high" level of
assurance, are: ID card; RP card; Digi-ID; e-Residency Digi-ID; Mobile-ID; and diplomatic identity card;
(iii) it is not possible to employ any solution falling within option (ii) above, in which case the obliged entity is not restricted in its choice of the onboarding flow so long as certain technical safeguards (e.g., data accuracy,
secure data storage, uninterrupted connection) are implemented.
In summary, non-document identification can be used as long as it gives assurance equivalent to the eiDAS regulation, preferably through one of the prescribed electronic identification schemes notified by the Estonian government and as
long as identity data comes from two independent sources.
With regard to address verification,in the absence of instructions to the contrary, it may be assumed that, while regulated entities are indeed expected to verify address-related information, they are not restricted in their options of
doing so and, provided that the customer's address is not already reliably confirmed in the course of general identity verification, both documentary and non-documentary supplemental checks can be used.
50 — There is no specific guidance regarding residential address / location verification; therefore, presumably, it can be achieved via any supplemental checks if necessary.
51 —
a document specified in subsection 2 of § 2 of the Identity Documents Act;
a valid travel document issued in a foreign country;
a driving licence that meets the requirements provided for in subsection 1 of § 4 of the Identity Documents Act; or
a birth certificate specified in § 30 of the Vital Statistics Registration Act in the case of a person below the age of seven years.
Finnish Financial Supervisory Authority (FIN-FSA) is the regulatory body overseeing the financial sector, including AML/CFT compliance supervision in Finland.
Act on Preventing Money Laundering and Terrorist Financing (444/2017; amendments up to 599/2023 included) 55 ("AML Act" ) and
Regulations and Guidelines issued by FIN-FSA in 2/2023 Journal Number FIVA/2023/1289
("Guidelines" ) provide the legal framework for combating money laundering and terrorist financing.
Customer Due Diligence (CDD) - general provisions:
A. Chapter 3, Section 2(1) of the AML Act and Para 17 of the Guidelines require "obliged entities to identify their customers and verify their identities when establishing a permanent customer
relationship and even in the case of a customer relationship of an irregular nature [...]";
B. Chapter 1, Section 4(1)(6) of the AML Act and Para 18 of the Guidelines specify that "identification means establishing the customer's identity on the basis of information provided by the customer ";
C. Chapter 1, Section 4(1)(7) of the AML Act and Para 19 of the Guidelines specify that "verification of identity means ascertaining the customer's identity on the basis of documents, data or information obtained from
a reliable 56 and independent source ";
D. Para 22 of the Guidelines"recommends that, in assessing the reliability and independence of the sources referred to in chapter 1, section 4(7) of the AML Act, supervised entities consider paragraphs 4.26-4.28 of the
EBA Risk Factors Guidelines (
''EBA Guidelines" ). In turn, para 4.27 of the EBA Guidelines reads:
"[...]
(a) [while deciding what makes data or information reliable ], Firms should consider different degrees of reliability, which they should determine based on
(i) the extent to which the customer had to undergo certain checks to obtain the information or data provided;
(ii) the official status, if any, of the person or institution that carried out those checks;
(iii) the level of assurance associated with any digital ID system used ; and
(iv) the ease with which the identity information or data provided can be forged [...] In most cases, firms should be able to treat government-issued information or data as providing the highest level of independence and reliability"
E. Para. 34 of the Guidelines states that "The FIN-FSA recommends that supervised entities create procedures for ascertaining the authenticity of a document and information used to verify identity . [...] One method to
ascertain the authenticity of the document and information used to verify the customer's identity could be comparing the information to information in the population register maintained by the
Digital and Population Data Services Agency ".
F. Chapter 3, Section 3(2) of the AML Act outlines the minimum data required for customer due diligence:
The following customer due diligence data shall be retained:
1) name, date of birth, personal identity code and address ;
7) name, number or other identifier of document used to verify identity or a copy of the document or, in the case of non-face-to-face identification, data on the procedure or sources used in verification; If the customer is a foreign national without a Finnish personal identity code, data on the customer's citizenship and travel document in addition to the data under subsection 2 of this section shall be retained.
As outlined in the above guidelines, identification entails establishing the customer's identity based on information provided by the customer while verification of identity involves ascertaining the customer's identity
using documents, data, or information obtained from reliable and independent sources .
In assessing the reliability of these sources, government-issued information or data typically provides the highest level of independence and reliability. Supervised entities are recommended to create procedures for authenticating
documents and information used for identity verification, such as (but without limitation) comparing them to information in the population register maintained by the Digital and Population Data Services Agency.
Additionally, Chapter 3, Section 3(2) of the AML Act specifies the data that must be retained for customer due diligence only includes name, date of birth, personal identity code, and address (from which it can be inferred that a copy
of an identity document is not necessary). However, for foreign nationals without a Finnish personal identity code, data on citizenship and travel documents must also be retained. Hence, a fully non-doc KYC solution would not be viable
for non-Finnish residents.
In summary, if the customer's identity is being verified remotely and the method of verification involves using an official identification document, the name of the document used for verification, its number or any other identifying
information, and the details of the issuer should be retained or copied. However, if the verification process is remote and does not involve directly using an official identification document, the supervised entity should instead store
information about the specific procedure or sources used for authentication. This could include details about the verification method or technology employed, such as biometric authentication or data cross-referencing.
Proof of Address - specific provisions:
Regarding the verification of address data specifically, paras. 104-105 of the Guidelines state:
"According to the FIN-FSA's interpretation, the address, as referred to in chapter 3, section 3(2)(1) of the AML Act, refers as a rule to the address of the customer's permanent place of residence .
Where necessary, a temporary address may be saved instead of, or in addition to, a permanent address.
According to the FIN-FSA's interpretation, as regards the address of domicile referred to in chapter 3, section 3(2)(1) of the AML Act, it is enough as a rule that the supervised entity records the customer's contact address through
which the customer can be reached by letter mail if the customer does not have a permanent or temporary address. The supervised entity shall assess on a risk-sensitive basis the importance of the lack of the customer's permanent or
temporary home address on the overall risk involved in the customer relationship and whether the supervised entity is able to manage these risks. [...]."
Therefore, whether address data must be collected, it is the regulated entity's discretion whether it should be subsequently verified. Where it opts to do so, while the AML Act does not specify any particular methods for verifying the
customer's residential address, the Guidelines propose the following:
Collection of Address Information : Supervised entities should collect the address of the customer's permanent place of residence as a general rule. Temporary addresses may be accepted if necessary.
Contact Address : In cases where the customer does not have a permanent or temporary address, the supervised entity can collect the customer's contact address through which the customer can be reached by letter mail.
However, this scenario requires a risk assessment to determine the appropriateness of relying solely on a contact address and the need for additional CDD measures.
Reliability Considerations : Government-issued information or data is considered highly independent and reliable. Additionally, comparing and verifying the identification document and information to data in the
population register maintained by the Digital and Population Data Services Agency is also considered highly reliable and independent. Finland has adopted various electronic ID verification methods, including
FINeID, BankID, and MobileID , which are all supported by the Digital and Population Data Services Agency. These electronic ID verification methods adhere to the Act on Strong Electronic Identification, which
satisfies AML requirements.
Verification Requirement : Address verification may not always be explicitly required, depending on circumstances and the entity's risk appetite. Nevertheless, where such verification is conducted, supervised
entities should consider verifying the authenticity of documents and other information used in the process.
Non-Documentary Verification - specific provisions:
Section 11 of the AML Act and Para 60 of the Guidelines define non-face-to-face identification as the scenario when the customer is not physically present when he or she is identified and his or her identity verified. These
provisions further outline the following enhanced customer due diligence requirements for non-face-to-face identification, leaving supervised entities a broad margin of discretion in the choice of procedure:
Verify the customer's identity using additional documents, data, or information obtained from a reliable source.
ensure that the payment relating to the transaction is made from a credit institution's account or into the account that was opened earlier in the customer's name; or
Verify the customer's identity through specific electronic means, such as the use of identification devices as stipulated in the Act on Strong Electronic Identification and Electronic Signatures (617/2009), qualified certificates
for electronic signatures under Regulation (EU) No 910/2014, or other secure and verifiable electronic identification technology .
Para 63 of the Guidelines states that "the supervised entity does not have to apply other enhanced due diligence procedures in addition to the enhanced procedure related to non-face-to-face identification referred to in chapter 3,
section 11 of the AML Act, if
the supervised entity applies the method referred to in chapter 3, section 11(3) to remote identification; and
the supervised entity finds that the customer is not associated with a higher than ordinary risk of money laundering and terrorist financing
Para 67 of the Guidelines "recommends that supervised entities applying remote identification in their activities, in connection with establishing a customer relationship, verify the customer's identity by means of an
identification device referred to in the Identification Act or a qualified certificate for electronic signature as provided in Article 28 of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic
identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC or other secure and verifiable electronic identification technology".
Para 68 of the Guidelines further "recommends that, in considering the use of another electronic identification technology in the identification of a customer and the verification of identity, supervised entities assess the adequacy
of the identification technology relative to the money laundering and terrorist financing risks involved". br>Based on the above legal requirements, both the AML Act and Guidelines mandate enhanced customer due diligence requirements for non-face-to-face identification, including at least one of the following options:
Verify with Additional Sources: Use additional reliable data sources to confirm the customer's identity.Verify Account Ownership: Ensure the customer's initial transaction originates from their account or into a pre-existing account held in their name.Electronic Verification: Utilize specific electronic means like identification devices under the Act on Strong Electronic Identification and Electronic Signatures (617/2009).
However, the above-mentioned procedures are apparently not considered fully equivalent by the regulator; in particular, only the "Electronic Verification" method referred to in section 11(3) of the AML Act is considered completely
self-sufficient for EDD purposes in all circumstances.
Given Finland's robust electronic identification solutions such as FINeID, BankID, and MobileID, all supported by the Digital and Population Data Services Agency and adhering to the Act on Strong Electronic Identification, these can be
utilized for AML purposes. These solutions are part of the Finnish Trust Network (FTN) and provide secure and reliable electronic identification options.
At the same time, while "Electronic Verification" solutions are considered a "safe harbor," regulated entities have the flexibility to explore alternative options, including for non-documentary KYC, such as alternative external
databases. However, such alternatives may be more difficult to justify from a risk-based approach perspective.
According to Para 67 of the Guidelines, it is recommended to opt for Section 11(3) of the AML Act ("Electronic Verification") rather than (1) (additional sources) or (2) (account ownership confirmation). Additionally, Para 68 advises
against using methods from Section 11(1) and (2) for identity verification unless necessary circumstances warrant it.
Furthermore, in considering "other secure and verifiable electronic identification technology", supervised entities must ensure it corresponds to their risk profile and guarantees data security and method verifiability, as outlined in
Paras 73-74 of the Guidelines.
Therefore, in setting up processes for non-documentary verification, supervised entities should prioritize the use of electronic identification technologies recognized under Finnish law, such as BankID/FTN solutions, to ensure
compliance with both the AML Act and related guidelines; however, alternative options such as the use of external databases are also permissible so long as the regulated entity can justify their reliability through a risk-assessment of
their clients profile.
55 — English translated version of the AML Act .
56 — According to the FIN-FSA's interpretation, a supervised entity may decide, relying on its risk based procedures, what documents and information it considers obtained from a reliable and independent source and may create different
procedures for the documentary evidence which shall be presented by customers to verify their identity on the one hand when establishing a customer relationship and on the other hand during the customer relationship. (paras. 32 & 33 of
the Guidelines).
The Monetary and Financial Code of France (the "Code") establishes, under Art. L. 561-5, the general duty of AML-regulated entities to:
(i) "identify their client", which is achieved, as per Art. R561-5, "by collecting their first and last name, as well as their date and place of birth"52 where the customer is a natural person; and
(ii) "verify the identification elements upon presentation of any written document of a probative nature", which is further detailed in Arts. R561-5-1 and R561-5-2:
as a general rule, an individual customer's identity data may be verified remotely according to one of the following methods (an electronic identification scheme notified as per the eIDAS Regulation either by France53 or by another EU
member state):
a) "electronic identification means certified or attested by the National Agency for the Security of Information Systems in accordance with the level of guarantee, either substantial or high, set by article 8 of Regulation (EU) No
910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market", or
b) "electronic identification means issued within the framework of a scheme notified to the European Commission by a Member State of the European Union under the conditions provided for in paragraph 1 of Article 9 of this regulation
and whose level of guarantee corresponds to the level either substantial or high set by article 8 of the same regulation" (Art. R561-5-1, 1°);
where this is impossible, at least two measures from the list below (which, taken cumulatively, must allow for verification of all the identity data named in Article R. 561-5) must be implemented:
"obtain a copy of a document mentioned in 3° or 4° of article R. 561-5-1 [valid official document including the customer's photograph]";
"implement measures to verify and certify the copy of an official document or an extract from the official register mentioned in 3° or 4° of Article R. 561-5-1 by a third party independent of the person to be identified"54 ;
"require that the first payment for transactions be made from or to an account opened in the client's name with a person mentioned in 1° to 6° bis of Article L. 561-2 [certain types of AML-regulated entities] that is established
in a Member State of the European Union or in a State party to the agreement on the European Economic Area or in a third country imposing equivalent obligations in terms of the fight against money laundering and the financing of
terrorism";
"obtain confirmation of the customer's identity directly from a third party fulfilling the conditions set out in 1° or 2° of I of Article L. 561-7" [third party itself subject to AML/CFT laws and located in an EU/EEA country or
a third country imposing obligations equivalent to those contained in the Code, including those related to exchange of personal information];
"use a service certified as compliant by the National Information Systems Security Agency, or a certification body authorized by this agency , at the level of substantial guarantee of the requirements relating to proof and
verification of identity, provided for in the appendix to the implementing regulation (EU) 2015/1502 of 8 September 2015";
"collect an advanced or qualified electronic signature or a valid advanced or qualified electronic seal based on a qualified certificate or use a qualified electronic registered delivery service bearing the identity of the
signatory or the creator of the seal and issued by a qualified trust service provider registered on a national trust list pursuant to Article 22 of Regulation (EU) No 910/2014 of July 23, 2014" (Art. R561-5-2, 1-6°).
Regarding address verification (where this measure is used by regulated entities), the Code does not specify an approach for natural persons:
"The [obliged entity] verify the identity of their client by asking him to provide him
with a copy of a valid official document containing his photograph and proving his identity and date of birth, verify his address and, when their customer wishes to fund his account or receive his assets by transfer, only carry out
these transactions from or to a single payment account opened in his name by the player with a payment service provider established in a Member State of the European Union
, in a State party to the agreement on the European Free Trade Agreement, in a third country in which these persons are authorized to organize and operate games of chance and have concluded with France a convention containing an
administrative assistance clause to combat tax fraud and evasion or in a third country imposing equivalent obligations in the fight against money laundering and the financing of terrorism and appearing on a list drawn up by decree of
the Minister for the Economy."
Therefore, non-documentary means of non-face-to-face identity verification are permissible, but would in practice be generally reliant on the requirements and standards established under the eIDAS Regulation or national legislation
implementing it. Besides, the presence of the identity document in the records would almost always be necessary.
52 — The Article contains no similar reference to residential address or location. The
ACPR Guide for identification, identity verification and customer due diligence
("ACPR Guide") further recognizes that, while address verification could be beneficial for determining the customer's risk profile or tax residence, it is not a necessary element of CDD procedures (para. 131).
53 — Currently including the French eID scheme "FranceConnect+ / The Digital Identity La
Poste" with a "substantial" level of assurance.
54 — As per para. 46 of the ACPR Guide, this would primarily include "French or foreign [...] public authorities or ministerial public officers, such as notaries, embassy or consulate employees".
The
2022 Anti-Money Laundering / Combating the Financing of Terrorism & the Proliferation of Weapons of Mass Destruction Guideline
("Guideline") issued by the Financial Intelligence Centre and the Bank of Ghana is, in general, highly prescriptive regarding the minimum standards for customer identification and identity verification :
"AIs shall identify their customers and verify the customers' identities using the Ghana Card as the sole identifier for all financial transactions9 [...] Types of customer information to be obtained and identification data to be used to verify the information are provided in Appendix B" (Part B, Section 2.4.2(1)-(2)).
Appendix B, in turn, requires different sets of identity data and supporting evidence, depending on whether the individual in question is a citizen or resident of Ghana, as well as on their special status, if any (applicable to minors,
students, refugees and asylum seekers, foreign diplomats and their dependents). By way of illustration, a Ghanian citizen and a foreign citizen permanently residing in Ghana would need to provide, respectively:
Ghanian citizen:
Ghana Card KYC Data Set.
Additional minimum requirements:
Proof of Residential Address
i. GPS Address, or
ii. Tenancy Agreement, or
iii. Any other relevant document issued by an authorized government agency or institution;
Foreign citizen permanently residing in Ghana:
Non-Citizen Card KYC Data Set;
Additional minimum requirements:
Proof of Residential Address (local)
i. GPS Address, or
ii. Tenancy Agreement, or
iii. Any other relevant document.
Proof of Residential address (foreign)
i. Utility Bill, or
ii. Tenancy Agreement, or
iii. Any other relevant document issued by an authorized government agency or institution.
Furthermore, the
2022 Bank of Ghana Supervisory Guidance Note on the Use of the Ghana Card for Accountable Institutions
("Supervisory Note") establishes a procedure for how exactly the Ghana Card or Non-Citizen Card should be processed during customer onboarding. In particular, certain data contained in the document itself must be extracted to determine
if there is a match with the NIA records and, where necessary, request an update:
"a. Verify the identity of the customer using the Ghana Card or Non-Citizen Card in the case of non-Ghanaians.
b. Verify the Biometric information of both fingers and/or face of the customer
c. Update customer KYC data set using the data set from National Identity Authority (NIA).
d. In cases where the following data sets acquired from NIA differ:
Dynamic data - The AIs shall verify and update using procedures prescribed by the NIA in this Guideline. Such data set include phone numbers, addresses, occupation, next of kin and others.
Static data - The AIs shall refer the customer to NIA for the update. Such data set includes names, date of birth or place of birth " (Section 2).
"A "NO MATCH" verification is a case where:
The data (Card/Biometric) presented to the verification system does not match with anyone in the system.
Only the biometric data presented for verification is successfully captured but does not match the identity of a registered person.
The Ghana Card PIN being used with the biometrics of the customer was mistyped.The customer presenting the Ghana Card as identification and verification for transaction is not the lawful owner of the Ghana Card" (Section 6.1)".
While Section 6.1.4 could be interpreted to rule out the non-documentary approach (as the customer is supposed to "present the Ghana Card"), Section 9.1 of the Supervisory Note sets out the following procedure for remote onboarding
specifically (with Sections 10-13 also suggesting alternative biometry-based verification flows where the holder is unable to display the document):
"To perform a Yes/No or KYC face verification, the end users Ghana Card PIN and biometrics are required. The administrator inputs the card holders Ghana Card Pin Number, selects the operation being performed and takes the end users
photograph to receive the result".
Accordingly, so long as the verification procedure involves collecting the customer's facial image data, alongside the Ghana Card PIN, full name, and date or place of birth and their subsequent matching against the official NIA records,
it may arguably be considered compliant. At the same time, as demonstrated above, non-documentary confirmation of the customer's address is only possible via a GPS check and only if the place of residence is in Ghana; a non-Ghanian
address would need to be verified based on additional documentation such as a utility bill or a tenancy agreement.
9 — The
2022 Bank of Ghana Supervisory Guidance Note on the Use of the Ghana Card for Accountable Institutions
("Supervisory Note"), however, provides a carve-out by stating that foreign citizens are expected to provide a Non-Citizen Card instead (section 2.2(a)). Similarly, an international passport may be taken as evidence of identity for
diplomats as per Part C, section 3.1.3 of the Guideline and section 5 of the Supervisory Note.
The Anti-Money Laundering and Counter-Terrorist Financing Ordinance ("AMLO"), Cap. 615 is the primary legal source prescribing obligations applicable to the AML/CFT-regulated
entities operating in Hong Kong and, in particular, setting out requirements regarding customer due diligence and record-keeping.
Pursuant to Part 2 Division 1 (Para. 2) of AMLO, supervised entities must identify the customer and verify the customer's identity on the basis of documents, data or information provided by:
"(i) a governmental body;
(ii) the relevant authority or any other relevant authority;
(iii) an authority in a place outside Hong Kong that performs functions similar to those of the relevant authority or any other relevant authority;
(iiia) a recognized digital identification system 30 ; or
(iv) any other reliable and independent source that is recognized by the relevant authority ".
At the same time, the responsibility for oversight of the financial market in Hong Kong is divided between the Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC). The HKMA regulates the banking industry,
while the SFC oversees the securities and futures markets, including virtual asset service providers. Both regulators within their respective functions provide practical guidelines on AML/CFT compliance, such as the latest HKMA
Guideline on Anti-Money Laundering and Counter-Financing of Terrorism For Authorized Institutions (Revised in May, 2023)
(the "HKMA Guideline") or the
Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers)
(the 'SFC Guideline') by the SFC. However, the HKMA Guideline and the SFC Guideline include similar provisions regarding customer identification and verification procedures. Therefore, the analysis below could be relevant for entities
supervised by either HKMA or SFC.
In particular, Para 4.3.1 of the HKMA Guideline replicates the above-mentioned requirement from AMLO regarding identity verification on the basis of reliable documents, data or information; however, it also clarifies in a footnote what
an appropriate "digital identification system" could be:
"The HKMA recognises iAM Smart , developed and operated by the Hong Kong Government, as a digital identification system that can be used for identity verification of natural persons. The HKMA may in future recognise other similar digital
identification systems developed and operated by governments in other jurisdictions having regard to market developments and specific circumstances"31 .
At the same time, in accordance with Paras 4.3.2-4.3.5 and 4.3.13-4.3.17 of the HKMA Guideline, the following identification and verification requirements are applicable to FIs:
for customers who are natural persons, the full name, date of birth, nationality, unique identification number and document type, as well as residential address, should be obtained for identification (although it is not mandatory to
check the accuracy of every piece of information32 );
the acceptable means of verification are documents, data or information provided by a reliable and independent source, the list of which is not exhaustive: (a) Hong Kong identity card or other national identity card; (b) valid
travel document (e.g. unexpired passport); or (c) other relevant documents, data or information provided by a reliable and independent source (e.g. document issued by a government body);
the obliged entity should ensure that documents, data or information obtained for the purpose of verifying the identity of a customer are current at the time they are provided to or obtained by the entity.
Section 4.10 on non-face-to-face CDD measures further states that regulated entities should "take additional measures to mitigate the risk (e.g. impersonation risk) associated with customers not physically present for identification
purposes". However, where a customer's identity is verified via a digital identification system recognized by HKMA, no such additional measures are required.
Accordingly, the usage of non-documentary identity verification is considered compliant so long as it is based on the digital ID system "iAM Smart", operated by the Hong Kong government. Any other digital identification systems could be
involved only if specifically approved by relevant authorities or regulatory bodies in Hong Kong and/or abroad.
30 — A digital identification system that is a reliable and independent source that is recognized by the relevant authority or relevant regulatory body (the AMLO, Schedule 2, Part 1).
31 — The SFC Guideline provides a similar requirement for identity verification. However, the SFC-licensed institutions may only use digital identification systems recognised by the SFC correspondingly; currently, only iAM Smart system meets
this criterion (the SFC Guidelines, Para 4.2.1).
32 — This applies to, in particular, address validation - based on the HKMA Guideline, an authorized entity is required to collect the address, but not necessarily verify it. However, pursuant to the footnote of Section 4.3.5 of the HKMA
Guideline, an authorized entity may, under certain circumstances, require verification (on top of collection) of the customer's residential address for other purposes (e.g. group requirements, other local or overseas legal and
regulatory requirements). In such circumstances, the authorized entity should communicate clearly to the customer the reasons for requiring verification of address. This section does not seem to exclude the use of alternative means,
e.g. geolocation data, to establish the customer's address.
The Prevention of Money Laundering Act, 2002 ("PMLA ") and the
Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 issued thereunder ("PML Rules ") provide the main legislative framework
for combating ML / TF in India and, together with the guidance produced by the national Reserve Bank, explicitly prescribe e-KYC based on the customer's Aadhaar number11 or other identifiers as one of the possible (or, for certain
entities, required) means of identity verification:
"Every reporting entity shall verify the identity of its clients and the beneficial owner by -
(a) authentication 12 under the Aadhaar [...] Act
(b) offline verification 13 under the Aadhaar [...] Act , 2016; or
(c) use of passport issued under section 4 of the Passports Act, 1967; or
(d) use of any other officially valid document14 or modes of identification as may be notified by the Central Government in this behalf" (PMLA, Section 11(A)(1)).
Non-banking entities may also be permitted, by special notification of the Central Government, to perform Aadhar authentication, provided that it is necessary to do so and that the entities in question comply with the standards of
privacy and security under the Aadhaar Act. At the same time, the customer is allowed to choose between options (a)-(d).
"Where the client is an individual, he shall [...] submit to the reporting entity, -
(a) the Aadhaar number where
(i) he is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 (18 of 2016); or
(ii) he decides to submit his Aadhaar number voluntarily to a banking company or any reporting entity notified under first proviso to sub-section (1) of section 11A of the Act; or
(aa) the proof of possession of Aadhaar number where offline verification can be carried out ; or
(ab) the proof of possession of Aadhaar number where offline verification cannot be carried out or any officially valid document or the equivalent e-document15 thereof containing the details of his identity and address; and
(b) the Permanent Account Number or the equivalent e-document thereof or Form No. 60 as defined in Income-tax Rules, 1962 [...]" (PML Rules, Rule 9(4)).
Depending on which data the customer provides and whether offline verification is available, the reporting entity shall carry out the following procedures:
"Where the client has submitted -
(a) his Aadhaar number [...] to the banking company or a reporting entity notified under first proviso to sub-section (1) of section 11A, such banking company or reporting entity shall carry out authentication of the client's Aadhaar
number using e-KYC authentication facility provided by the Unique Identification Authority of India ;
(b) proof of possession of Aadhaar under clause (aa) of sub-rule (4) where offline verification can be carried out, the reporting entity shall carry out offline verification ;
(c) an equivalent e-document of any officially valid document, the reporting entity shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000) and any rules issues
thereunder and take a live photo as specified under Annex 1 ;
(d) any officially valid document or proof of possession of Aadhaar number under clause (ab) of sub-rule (4) where offline verification cannot be carried out, the reporting entity shall carry out
verification through digital KYC as specified under Annex 1 " (PML Rules, Rule 9(15)).
Additionally, the Master Direction - Know Your Customer (KYC) Direction of Reserve Bank of India ("Master Direction ")
allows to verify a client's identity based on the KYC identifier16 from the Central KYC Records Registry17 :
"For undertaking CDD, REs shall obtain the following from an individual while establishing an account-based relationship [...]:
(ac) the KYC Identifier with an explicit consent to download records from CKYCR [...]" (Master Direction, section 16).
Therefore, the available options are:.
(i) Aadhaar authentication, powered by the Unique Identification Authority of India (UIDAI), provides an instant mechanism to confirm
one's identity and does not require any other ID proof except Aadhaar number. It is, however, restricted to banking institutions and certain other requesting entities as described above. Accounts opened using Aadhaar OTP-based
authentication, in non-face-to-face mode, are subject to a number of limitations as to the maximum balance, permitted operations, etc.
(ii) The UIDAI also enables "
paperless offline e-KYC ", wherein the customer,
using their Aadhaar number, creates a "Share Phrase" with their identification data encrypted and shares it with the entity performing KYC. The entity can then validate the data through its own OTP / face authentication mechanism.
(iii) Digital KYC means "the capturing of a live photo of the customer and their officially valid document / proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the
location where such live photo is being taken by an authorised officer of the reporting entity" in accordance with specific technical requirements (Master Direction, section 3(a)(viii)). This procedure, however, may only be carried out
via a specialized application developed by the reporting entity (Master Direction, Annex I).
(iv) Where a customer submits a KYC Identifier to a reporting entity, with an explicit consent to download records from CKYCR, the reporting entity shall retrieve the KYC records online from the CKYCR using the KYC Identifier and the
customer shall not be required to submit the same KYC records or information or any other additional identification documents or details, subject to certain exceptions (Master Direction, section 56).
As an alternative to the aforementioned procedures, the "V-CIP'' mechanism was recently introduced, consisting of a video conference with the reporting entity's operator in combination with a "liveness" check, geolocation and IP address
check, and document analysis (Master Direction, section 18). V-CIP, however, is also dependent on external data sources, since the reporting entity is still required to validate the customer's identity data based on Aadhaar number, KYC
identifier or e-document.
In relation to address verification specifically, the options of conducting it are not limited to documentary evidence either. For certain specific exceptions, PML Rules, Rule 9(18-19) states that:
"where an officially valid document furnished by the client does not contain updated address, the following documents [or the equivalent e-documents thereof] shall be deemed to be officially valid documents for the
limited purpose of proof of address:
(a) utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);
(b) property or Municipal tax receipt;
(c) pension or family pension payment orders (PPOs) [...];
(d) letter of allotment of accommodation from employer [...]" - however, this only appears applicable where identity verification is being carried out based on the "officially valid document" in the first place and there is no
confirmation of the customer's current address otherwise:
"where a client has provided his Aadhaar number for identification under clause (a) of sub-rule (4) and wants to provide a current address, different from the address as per the identity information available in the Central
Identities Data Repository, he may give a self-declaration to that effect to the reporting entity".
Based on the analysis above, Aadhaar-based authentication, Aadhaar-based offline verification, and KYC identifier verification can all be considered as possible solutions for non-documentary identity verification.
11 — Aadhar number - an identification number issued to an individual pursuant to the Aadhaar Act.
12 — Authentication - the process by which the Aadhaar number along with OTP, demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and
such Repository verifies the correctness, or the lack thereof, on the basis of information available with it. "Central Identities Data Repository" means a centralised database in one or more locations containing all Aadhaar numbers
issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto.
13 — Offline verification - the process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations.
14 — Officially valid document - the passport, the driving licence, proof of possession of Aadhaar number, the Voter's Identity Card issued by the Election Commission of India, job card issued by NREGA duly signed by an
officer of the State Government, the letter issued by the Unique Identification Authority of India or the National Population Register containing details of name, address and Aadhaar number or any other document as notified by the
Central Government in consultation with the Regulator. The list is not exhaustive.
15 — Equivalent e-document - equivalent of a document issued by the issuing authority of such document with its valid digital signature including documents issued to the digital locker account of the client as per rule 9 of
the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016.
16 — Know Your Client (KYC) Identifier - the unique number or code assigned to a client by the Central KYC Records Registry.
17 — Central KYC Records Registry - a reporting entity, substantially owned and controlled by the Central Government, and authorised by that Government through a notification in the Official Gazette to receive, store,
safeguard and retrieve the KYC records in digital form.
The most recent comprehensive legal act outlining the responsibilities of AML-subject entities in Indonesia is the
Regulation (POJK) No. 8 of 2023 ("OJK Regulation") on the
Implementation of Anti-Money Laundering (AML), Counter-Terrorist Financing (CFT), and Counter-Proliferation Financing of Weapons of Mass Destruction (CPF) Program in the Financial Services Sector by the Indonesian Financial Services
Authority (Otoritas Jasa Keuangan, OJK), which regulates the country's financial industry on par with Bank Indonesia.
Pursuant to Art. 21(2) of the OJK Regulation, identity verification of prospective customers may be conducted via: "a. direct face-to-face meetings; b. electronic face-to-face meetings; and/or c. non-face-to-face electronic mechanisms".
The solutions that may be employed by the supervised entity under subclause (c) are not limited, yet three main options are highlighted: the entity may rely on (i) its own software and hardware; (ii) software and hardware belonging to
third parties (such as KYC providers) and accessed by the entity; or (iii) utilization of population databases, for which at least two authenticity factors must be used (something characteristic of the customer and something the
customer possesses).
Regarding the scope of data to be collected in respect of an individual customer, Art. 25(1) of the OJK Regulation lists the following points:
full name (including aliases, if any);
identity document number;
residential address according to the ID and other residential addresses, if any;29
place and date of birth;
citizenship;
occupation;
address and telephone number of workplace, if any;
gender;
marital status;
mother's maiden name;
identity of the beneficial owner, if any;
source of funds;
average annual income and/or net worth;
aims and objectives of the business relationship or transaction.
Further, according to Art. 26(1) of the OJK Regulation, the aforementioned information has to be supported by an identity document. However, the Article further specifies that it can include: (i) for Indonesian citizens - a resident
card or "digital population identity as intended in the laws and regulations regarding population data"; (ii) for foreign citizens - a passport accompanied by immigration documents; (iii) for "individuals from the Indonesian diaspora or
Indonesian people abroad" - passports and identity cards issued to such individuals under the applicable laws and regulations.
In reference to non-document verification, therefore, it is safe to assume that Indonesia allows identity verification via national identity databases when it comes to local citizens (see, e.g., the
e-KTP system ). At the same time, it is important for businesses to obtain all of the necessary identification data to stay fully compliant with national regulations.
29 — For the scenario where the residential address differs from the one indicated in the ID, the OJK Regulation does not prescribe any particular verification procedures.
In Italy, the core legal act stipulating the AML/CFT obligations for regulated companies is the
Legislative Decree 21 November 2007, n. 231 ("Legislative Decree"), which
largely endorses the documentary approach to KYC, yet at the same time specifies that official sources and public identity systems may be used to verify the authenticity of the obtained documentation: "The obliged entities fulfill their
customer due diligence obligations according to the following methods:
a) the identification of the customer and the beneficial owner is carried out in the presence of the same customer [...] and consists in the acquisition of the identification data provided by the customer, upon presentation of a
valid identity document or other equivalent identification document in accordance with current legislation, of which a copy is acquired in paper or electronic format [...];
b) the verification of the identity of the customer [...] requires verification of the veracity of the identification data contained in the documents and of the information acquired at the time of identification, only where, in
relation to them, there are doubts, uncertainties or inconsistencies. The verification can be carried out by consulting the public system for the prevention of identity theft referred to in the legislative decree of 11 April 2011, n.
64. Identity verification can also be carried out through the use of other reliable and independent sources including databases, with public access or conditional on the release of authentication credentials, referable to a public
administration as well as those referable to private entities authorized to issue digital identities within the system provided for by article 64 of legislative decree no. 82 of 2005 or an electronic identification regime included
in the list published by the European Commission pursuant to article 9 of EU regulation no. 910/2014" (Art. 19(1)).
In turn, the Bank of Italy Provisions on Customer Due Diligence implementing the Legislative Decree (
Disposizioni in materia di adeguata verifica della clientela per il contrasto del riciclaggio e del finanziamento del terrorismo
as amended on June 13, 2023, "CDD Provisions"), while detailing the applicability of these requirements to the remote onboarding context, also insist on collecting a copy of the customer's ID (with additional checks performed at the
reporting entity's discretion):
"In cases of remote operation, the recipients:
a) acquire the identification data42 of the customer and the executor and verify it on a copy - obtained by fax, post, in electronic format or with similar methods - of a valid identity document , in accordance with
current legislation;
b) carry out checks in addition to those provided for in Section V on the data acquired, according to the most appropriate methods in relation to the specific risk. By way of example, the following methods are indicated: telephone
contact on a fixed line (welcome call); sending communications to a physical address with return receipt; transfer made by the customer through a banking and financial intermediary based in Italy or in an EU country; request to send
countersigned documentation; verification of residence, domicile, activity carried out, through requests for information to the competent offices or through on-site meetings, carried out using its own personnel or third parties.
In compliance with the risk-based approach, recipients can use feedback mechanisms based on innovative and reliable technological solutions (e.g. those that provide forms of biometric recognition), as long as they are assisted by robust
security measures [...]" (Part 2, Section VIII).43
However, the Provisions on Customer Due Diligence also envisage specific circumstances where neither physical presence nor presentation of an identity document is mandatory, including where the customer's identity is verified on the
basis of an eIDAS-certified solution:
"[...] the identification obligation is considered fulfilled, even without their physical presence, for customers: [...]
2) in possession of a digital identity, of maximum security level, within the System referred to in Article 64 of Legislative Decree 7 March 2005, n. 82, and the related implementing legislation, or a digital identity with a maximum
security level44 or a certificate for the generation of a digital signature,
issued as part of an electronic identification regime included in the list published by the European Commission in pursuant to Article 9 of Regulation (EU) No. 910/2014 " (Part 2, Section III).
The two electronic identification schemes notified by Italy with a "high" level of
assurance are Italian eID based on National ID card (CIE) and SPID (Public System of Digital Identity), although the latter one may also have "low" and "substantial" levels depending on the provider.
It therefore follows that: (i) Italian eID and SPID (at a "high" assurance level) can be relied on as standalone solutions for non-documentary KYC; (ii) aside from that, it would be almost invariably required to obtain the customer's
identity document; (iii) to the extent the requirement under (ii) is fulfilled, obliged entities may implement such additional checks (e.g., biometric technologies, external data sources, etc.) as they deem necessary, including for
verification of residential address (where such address is not already confirmed via option (i) or (ii)).
42 — Art. 1(2)(n) of the Legislative Decree defines "identification data" as "name and surname, place and date of birth, registered residence and domicile, where different from registered residence, and, where assigned, the tax code or, in
the case of subjects other than a natural person, the name, registered office and, where assigned, the tax code". While the Decree or the CDD provisions do not explicitly mention "proof of address", the following can be inferred based
on the rest of the analysis: (i) if the primary identification document contains the customer's current address, it likely fulfills both identification and proof of address requirements; (ii) if the primary ID lacks the current address,
the law prescribes to collect it separately but does not explicitly specify how it should be verified; (iii) therefore, supplementary procedures adopted by obliged entities in this case could involve, e.g., requesting additional
documents or consulting external data sources. The specific requirements for proof of address documents might vary depending on the customer's risk profile; higher-risk customers might require more robust verification.
43 — Previously, video identification, as described in Annex 3 to the Bank of Italy Provisions on Customer Due Diligence, used to be accepted as an alternative to the mechanism outlined in Section VIII; however, it was
repealed in June 2023.
44 — Notably, Art. 19 of the Legislative Decree, providing for a similar exemption, only requires a "significant" (substantial) level of assurance and includes "secure and regulated electronic identification procedures authorized or
recognized by the Agency for Digital Italy" as an additional option.
In Lithuania, the relevant legal acts establishing the procedure for remote KYC are a) the
Law on the Prevention of Money Laundering and Terrorist Financing No. VIII 275 ("AML Law ") and b) the
Order on technical requirements for the customer identification process for remote identification by electronic means of direct image transmission No. V-314
("Order ").
As follows from the AML Law, the legislator sets out an exhaustive list of possible ways for obliged entities to carry out remote identity verification. Arguably, the most practical option is described in Art. 11(1)(4)(b):
"1. The identity of the customer that is a natural person <...> may be established without the physical presence of the customer only in the following cases:
<…>
4) when using electronic means allowing direct video streaming in one of the following ways:
<...>;
b) the facial image of the customer and the original of the identification document2 or an equivalent residence permit in the Republic of Lithuania shown by the customer is recorded at the time of direct video streaming".
In turn, the Order sets out two alternative ways of conducting "video streaming" as per Art. 11(1)(4)(b) of the AML Law: i) via "live video transmission" (which implies a real-time video conference with the user) or ii) via "direct
transmission of photographs" (which can be assimilated to the "liveness" technology). In both cases, the user must display the identity document in a specific manner, and the obliged entity must assess it and compare it with the user's
facial image in order to confirm their identity.
The "physical" ID demonstration can be, however, rendered unnecessary where the obliged entity relies on an eIDAS-compliant eID- or QES-based procedure, as per Arts. 11(1)(2) and 11(1)(3) of the AML Law:
"using electronic identification means issued in the European Union which operate under the electronic identification schemes with the assurance levels high or substantial, as specified by [eIDAS Regulation]";
"information about a person's identity is confirmed with a qualified electronic signature supported by a qualified certificate for electronic signature which conforms to the requirements of [eIDAS Regulation]".
However, three necessary preconditions for using either of these two options must be present:
before the identification of the customer by the obliged entity, the customer must have been previously identified (i) by a third party (i)(a) with the physical presence of the customer or
(i)(b) using electronic means allowing direct video streaming or (i)(c) in the way specified in point 5 of paragraph 1 of Art. 11 [bank transfer / "penny drop"], or (ii) with the
physical presence of the customer at the time of issuance of an electronic identification means which operates under the electronic identification scheme with the assurance levels high or substantial, or (iii) with
the physical presence of the customer before the issuance of a qualified certificate for electronic signature for them (Art. 11(2)(1));
the customer must have been previously identified by the obliged entity on the basis of the documents specified in Article 10 of the AML Law ["an identity document of the Republic of Lithuania or a foreign state or a residence
permit in the Republic of Lithuania or a driving licence issued in a state of the European Economic Area in accordance with the requirements laid down in Annex I to Directive 2006/126/EC of the European Parliament and of the Council
of 20 December 2006 on driving licences (recast)"] (Art. 11(2)(2));
obliged entities must obtain the data [on the customer's name, surname, personal number (for foreigners - date of birth and Lithuanian RP data), citizenship] (Art. 11(3)(2)).
Regarding the customer's residential address, neither the AML Law nor the Order prescribe any particular means of its verification. It can be inferred that, while obliged entities may still be expected to collect data related to the
customer's location (e.g., to determine whether enhanced due diligence should be applied to the customer or to fulfill the requirement to obtain the customer's IP data as set out in para. 26 of the Order), the format in which this
information should be gathered and confirmed is determined by the obliged entity itself.
Accordingly, so long as the user journey does not contain eID validation (with a substantial or high level of assurance) or QES Verification as described above, the current AML regulations of Lithuania do not allow obliged entities to
rely solely on Non-Doc KYC solutions for remote client onboarding, even though they could be used for separate elements of the KYC procedure (such as, e.g., address verification).
2 — As per Art. 10(1) of the AML Law, an "identification document" is defined as "an identity document of the Republic of Lithuania or a foreign state or a residence permit in the Republic of Lithuania or a driving licence issued in a state
of the European Economic Area in accordance with the requirements laid down in Annex I to Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences, which contains the following data:
name/names;
surname/surnames;
personal number (in the case of a foreigner - date of birth (where available - personal number or any other unique sequence of symbols granted to that person, intended for personal identification), the number and period of validity
of the residence permit in the Republic of Lithuania and the place and date of its issuance (applicable to foreigners);
photograph;
signature (except for the cases where it is optional in the identification document);
citizenship (except for the cases where it is optional in the identification document) and in the case of a stateless person - the state which issued his identification document".
The 2022 Money Laundering (Prevention and Prohibition) Act ("AML Act"), together with regulations and guidance by the
Central Bank of Nigeria ("CBN"), lays out the legal provisions applicable to Nigerian AML-supervised entities, including those related to customer due diligence.
Art. 4(1) of the AML Act outlines the general principles of the identification and identity verification duty for financial institutions and DNFBs. While the document-based approach is framed as the default standard, the AML Act refers
to secondary legislation for substantiation24 :
"A financial institution and a designated non-financial business and profession shall -
(a) identify a customer, whether permanent or occasional, natural or legal person or any other form of legal arrangements, using identification documents as may be prescribed in any relevant regulation ;
(b) verify the identity of that customer using reliable, independent source documents, data or information <...>".
In turn, Art. 6(a) of the Central Bank of Nigeria Customers Due Diligence Regulations 2023 (the "CDD Regulations") lists the
information to be collected in relation to individual customers, with Art. 7(2) elaborating on the possible means of its verification:
legal name and any other names used (such as maiden name);
permanent address (full physical address);
residential address (where the customer can be located);25
telephone number, e-mail address and social media handle;
date and place of birth;
Bank Verification Number (BVN);
Tax Identification Number (TIN);
nationality;
occupation, public position held and name of employer;
an official personal identification number or other unique identifier contained in an unexpired document issued by a government agency, that bears a name, photograph and signature of the customer such as a passport, national
identification card, residence permit, social security records or drivers' license;
type of account and nature of the banking relationship;
signature; and
politically exposed persons (PEPs) status.
"FIs shall verify the identity of individuals by confirming the -
(a) date of birth from a valid official document, such as birth certificate, passport, identity card and national or social security records ;
(b) residential address through physical visitation and use of other sources, including utility bill, tax assessment, bank statement, or letter from a public authority;26
(c) contact details provided by the customer through positive feedback from phone call, email or physical letter to the residential address;
(d) validity of the official documentation provided through certification by an authorized person such as embassy official, notary public (in the case of foreign nationals); and
(e) phone numbers, particularly for wallet providers, through independent process, including validation against the NCC database or geo-mapping".
Therefore, the notion of official documentation that may be used for identity verification
is quite broad, implying it is not necessarily required to collect a copy of any particular identity document. Furthermore, Arts. 14, 16 and 35 of the CDD Regulations as well as Art. 26 of the
2022 Central Bank of Nigeria (Anti-Money Laundering, Combatting the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions) Regulations
(the "AML Regulations") specify that both "physical" and "electronic" methods of customer onboarding may be adopted by financial institutions, so long as the "tiered" approach and other e-KYC standards endorsed by the CBN are complied
with. However, "additional measures or checks to supplement the documentary or electronic evidence [must be undertaken] to ensure that an applicant is who he/she claims to be", with at least one check "to guard against impersonation or
fraud".
Referring, in turn, to the "tiered" approach as established in the
2013 CBN Circular FPR/DIR/CIR/GEN/02/001 (Introduction of Three-Tiered Know Your Customer (KYC) Requirements) , it prescribes different CDD standards
depending on the customer's risk profile and the value of their account:
until recently, only a set of identity attributes (such as passport photo, name, place and date of birth, address, etc.) was required for Tier 1 (lowest-value) accounts with no evidence required;
Tier 2 demands the Tier 1 information provided by the customer to be supported with evidence and checked against official databases (such as National Identity Management Commission (NIMC), Independent National Electoral Commission
(INEC) Voters Register, Federal Road Safety Commission, etc.), while "ID verification and monitoring" is also necessary;
Tier 3 further refers to the KYC standards established by the CBN AML/CFT Regulation, 2009 as amended (which would, at present, encompass both the AML Regulations and the CDD Regulations, in particular Arts. 6-7 of the latter as
referenced above).
Furthermore, the
2023 CBN Circular PSM/DIR/PUB/CIR/001/053
enhanced the aforementioned requirements, stating that: (i) it is now mandatory for all Tier 1 accounts for individuals to have BVN and/or NIN (National Identification Number); (ii) both BVN and NIN are obligatory for Tier 2 and Tier 3
accounts; and (iii) "the process for account opening shall commence by electronically retrieving BVN or NIN related information from the NIBSS' BVN or NIMC's NIN databases[together with the underlying identity data, such as name, DoB,
etc.] and for the same to become primary information for onboarding of new customers". In addition, the same Circular prescribed all the BVNs and NINs already attached to existing accounts to be revalidated by January 31, 2024.
BVN- and NIN-based verification is generally widespread in the country. A BVN is a unique ID number issued to every customer of a Nigerian bank upon
enrolment and linked to every account that the customer has in any other local banks, whereas a NIN is provided by the NIMC and used to link citizens' and legal residents' biometric data to the National Identity database, which may then
be relied on for physical or digital verification and authentication. Both identifiers can therefore be easily validated against governmental databases.
In conclusion, banks and other financial institutions are generally encouraged (and, in certain cases, obliged) to refer to external official databases while onboarding Nigerian citizens and residents. However, in some instances such as
in cases involving non-nationals, these checks may have to be supplemented with obtaining supporting documentation from the customer depending on their account Level (risk profile) and resident status.
24 — No similar reference is included for casinos; see Art. 5(1): "A casino shall - (a) verify the identity of any of its customers carrying out financial transactions by requiring its customer to present a valid original document bearing
his name and address".
25 — As per Art. 27(2) of the CDD Regulations, "where a foreign national has recently arrived in Nigeria, the residential address in the applicant's home country shall be notarized". For resident non-Nigerians, a valid residence permit is
obligatory.
26 — It appears that the word "including" here should not be understood as imposing a limitation, since "other sources" could in general be interpreted broadly so as to encompass, e.g., external databases. This is supported by Art. 26(1) of
the CDD Regulations, applicable to non-residents and stating that "FIs shall obtain and verify applicant's name, date of birth and permanent residential address (in host country) directly through a reputable Credit Institution or FI in
the applicant's country of residence or a correspondent bank, provided that particular care shall be taken when relying on identification evidence obtained from other countries".
In Norway, the primary legal statute governing the AML/CFT framework is the
2018 Act relating to Measures to Combat Money Laundering and Terrorist Financing AML Act "), with the
2018 Regulations relating to Measures to Combat Money Laundering and Terrorist Financing AML Regulations "). The Finanstilsynet (also the Financial Supervisory Authority), which is a government agency responsible for regulating the financial sector, including AML/CFT compliance supervision, provides
guidelines regarding the interpretation and application of the relevant laws and regulations.
The standard approach to identity verification as enshrined in Section 12 of the AML Act implies personal presence of the customer; however, remote onboarding is also permissible, provided that additional safeguards are implemented:
"When the customer is a natural person, the following information shall be obtained concerning the customer:
a. name;
b. personal identity number, D-number or, if the customer does not have any such number, another unique identity code. For persons who do not have a Norwegian personal identity number or D-number, the date of birth, the place of birth,
the gender and the citizenship shall be obtained, including whether the person has multiple citizenships;
c. address39 [...]
Information on the customer's identity shall be verified by personal appearance with a valid proof of identity . If verification of the identity shall take place without personal appearance,
additional documentation shall be presented or additional measures shall be applied ".
In turn, Section 4-3(4) of the AML Regulations states, without explicitly limiting alternative solutions, that eID mechanisms compliant with the eIDAS Regulation and relevant national legislation are suitable for non-face-to-face KYC:
"An electronic signature is valid proof of identity for natural persons when their identity shall not be verified upon personal appearance. The electronic signature shall comply with the
requirements for eID solutions laid down in Section 3 of
Regulations of 21 November 2019 No. 1578 relating to Self-Declaration Arrangements for Electronic Identification and be entered on a published list pursuant to Section 13, subsection 1, of the said Regulations ". [Section 3 of the Regulations refers to schemes with a "high" level of assurance.]
The electronic identification schemes notified by Norway pursuant to Article 9(1) of the
eIDAS Regulation include Buypass ID and BankID. This coincides with Finanstilsynet's
2019 Circular "Guide to the Anti-Money Laundering Act" ("Circular"), which provides the following:
"The reference to BankID as valid identification has been changed to apply to electronic identification in accordance with the Money Laundering Regulations section 4-3 fourth paragraph. This is to ensure that all electronic
identification that meets the requirements is covered" (page 6).
From the Section 4.3.1.1 of the Circular it may also be inferred that no non-documentary KYC solutions are regarded as acceptable besides those falling under Section 4-3(4) of the AML Regulations, since the list is formulated
restrictively:
"Valid identification for natural persons is, according to the Norwegian Financial Supervisory Authority's opinion:
Norwegian and foreign passports (not emergency passports).
Norwegian driver's license.
Norwegian bank cards with picture.
National ID cards issued by an EEA country (an overview of these can be found in Appendix 4 of the Immigration Regulations).
Norwegian immigration passport (blue passport).
Norwegian travel document for refugees (green passport).
Electronic identification in accordance with the Money Laundering Regulations § 4-3 fourth paragraph ".
Based on Section 4.3.1.3, supplementary non-face-to-face measures that could be additionally taken on a risk-based approach include:
obtaining the customer's tax return, pay slip, confirmation of payment of social security, benefits, student loans or other public benefits;
confirmation that the customer's first payment has been made from an account in the customer's name at a bank or credit institution established in the EEA area, or a jurisdiction with equivalent regulation and supervision;
conversation with the customer on a telephone registered to the customer;
video communication with the customer;
other reassuring electronic solutions [potentially including, e.g., references to external databases or geolocation detection];
communication with the customer via postal address or digital address registered to the customer (the communication should contain the customer's signature which can be checked against the copy of the identification document).
To conclude, onboarding methods not requiring a customer to present their identity document40 (and therefore qualifying as Non-Doc) are currently limited to BankID, Buypass ID, as well as other solutions that may provide electronic
signatures compliant with the regulations referred above.
39 — While address needs to be collected, no obligatory verification measures are prescribed under the AML Act, AML Regulations, or the Circular so long as the customer’s identity in general is confirmed via acceptable evidence.
40 — Notably, where the verification is carried out on documentary basis, the obliged entity must, as per Section 4.3.1.1 of the Circular, “check the security elements in the identification document, including that it is not falsified, facial and image similarity and assess the correctness of the document's specified personal data as well as checking these against external sources such as, for example the National Register” .
The Republic Act nº 9160 (the Anti-Money Laundering Act of 2001), as well as the
2018 Revised Implementing Rules and Regulations ("2018 RIRR ") thereto, endorse documentary evidence as the recognized means for customer identify
verification:
"Sec. 9. [...] Covered institutions shall establish and record the true identity of its clients based on official documents " (Republic Act nº 9160)
"3.2. First Time Transactions
Customers who engage in a transaction with a covered person for the first time shall be required to present the original and submit a clear copy of, at least, one (1) ID as herein defined. 5
3.4 Required Identification Data from Natural Persons
For customers who are natural persons, covered persons shall gather the following identification information and ID before or during account opening or onboarding:
(a) Identification Information:
Full name;
Date of birth;
Place of birth;
Sex;
Citizenship or nationality;
Address;
Contact number or information, if any;
Specimen signatures or biometric information;
(b) Identification Documents:
PhilID; or
Other identification document, as herein defined" (Rule 18, 2018 RIRR)
The above-specified provisions, however, may be overridden by Rule 18, Section 3.7 of the 2018 RIRR, stating that "covered persons shall deem the provision and submission of the PSN6 or PhilID7 as official and sufficient proof of
identity, subject to the authentication requirements under the PhilSys Act [Republic Act No. 11055, or the Philippines Identification System Act ] and its IRR [
Implementing Rules and Regulations of Republic Act No. 11055 ]". This is further detailed in
Circular No. 1170 issued by the Bangko Sentral ng Pilipinas ("BSP ") on 30 March 2023, providing additional guidelines on customer due diligence
for banks and non-bank financial institutions, including e-KYC via digital identity systems. Specifically, the Circular states that, "where the PCN [PhilSys Card Number] or PSN [PhilSys Number] derivative, or the Philippines
Identification (PhillD) card, in physical or digital form, is presented by the customer, it shall be accepted as official and sufficient proof of identity, subject to proper authentication, and the covered person shall no longer require
additional document to verify the customer's identity". Therefore, accessing an individual's record in the Philippine Identification System ("PhilSys") is considered a reliable way to verify their identity. Other digital ID systems are,
in principle, also allowed to be used so long as they are "supported by robust technology, adequate governance, processes and procedures that provide appropriate level of confidence that the system produces accurate results"; however,
there is no indication that the RIRR requirement to present an actual identity document is waived for foreigners not registered in PhilSys.
From the above it may be inferred that, so long as a customer's identity is verified via PhilSys (and all the required identity attributes as listed above are extracted in this manner), no additional procedures - such as further
identity or address confirmation - are needed.
Conversely, where the obliged entity does not rely on PhilSys, it may be expected that address, like other identity data, will be verified based on documentary evidence. See, e.g., the BSP
Manual of Regulations for Banks (MORB) /
Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) on Customer Due Diligence, Section 921/921Q:
"the covered person obtain from individual customers, at the time of account opening/ establishing the relationship, the following minimum information [including address] and confirming this information with the official or valid
identification documents":
as one of possible additional safeguards for enhanced due diligence, it is suggested to verify the address "through evaluation of utility bills, bank or credit card statement, sending thank you letters, or other documents showing
address or through on-site visitation".
Accordingly, Non-Doc KYC as the primary identity verification method for identity information including address, is possible via solutions accessing PhilSys; in other cases, the document-based approach remains prevalent. However, as the
scope of potentially acceptable documents is defined broadly for low-risk customers, it may arguably be allowed to obtain reports or other excerpts from trustworthy external data sources instead of "conventional" IDs.
5 — As per Rule 2, Section 1(qq) of the 2018 RIRR, "identification document" means: "(1) For Filipino citizens: Those issued by any of the following official authorities: (a) PhilID; (b) Other identification documents issued by the
Government of the Republic of the Philippines, including its political subdivisions, agencies, and instrumentalities; and (c) Other identification documents that can be verified using reliable, independent source documents, data or
information. (2) For foreign nationals: (a) PhilID, for resident aliens; (b) Passport; (c) Alien Certificate of Registration; and (d) Other identification documents issued by the Government of the Republic of the Philippines, including
its political subdivisions, agencies, and instrumentalities. (3) For Filipino students: (a) PhilID; (b) School ID signed by the school principal or head of the educational institution; and (c) Birth Certificate issued by the Philippine
Statistics Authority; and (4) For low risk customers: Any document or information reduced in writing which the covered person deems sufficient to establish the client's identity".
6 — As per 2018 RIRR, Rule 2, Section 1(www), "PhilSys Number" (PSN) refers to the randomly generated, unique and permanent identification number assigned to every citizen or resident alien, upon birth or registration, by the Philippine
Statistics Authority (PSA).
7 — As per 2018 RIRR, Rule 2, Section 1(uuu), "Philippine Identification Card" (PhilID) refers to the non-transferrable identification card issued by the Philippine Statistics Authority (PSA) to all citizens and resident aliens registered
under the Philippine Identification System. It shall serve as the official government-issued identification document of cardholders in dealing with all government agencies, local government units, government and controlled corporations,
government financial institutions, and all private sector entities.
The primary AML/CFT legislation of Saudi Arabia - namely, the Anti-Money Laundering Law (along with the
Implementing Regulations thereto) and the
Law on Combating the Financing of Terrorism (along with the
Implementing Regulations thereto) - do not lay emphasis on the
acceptable methods of identity verification, while stipulating that certain data must always be collected from individual customers and validated via "reliable and independent sources, documents, data or information":
"the financial institution or designated non-financial business and profession shall obtain and verify the full legal name, residential or the national address, date and place of birth, and nationality"64 (Implementing Regulations to the
AML Law, section 7/2(a); Implementing Regulations to the CFT Law, section 17(3)(a)).
The matter is regulated more precisely in relation to the respective industries by the Saudi Central Bank (SAMA), the Capital Market Authority (CMA), and other bodies such as the Ministry of Commerce and Investment (MOCI), which all
demonstrate a divergence of approaches to non-documentary KYC:
(i) CMA :
As per the CMA AML/CFT Rules (addressed to the securities and investment sector):
individual customer's identities must be verified "using the original documents" (copies are only acceptable in case of reliance on a third party) as follows:
Saudi nationals:
the client's National Identification Card or family record;
the client's residential address & place of work and work address;
individual expatriates:
a residence permit (Iqamah) or a five-year special residence permit or a passport, and a National Identification for Gulf Cooperation Council (GCC) nationals or a diplomatic identification card for diplomats;
the client's residential address & place of work and work address (Article 8(2), 8(4));
furthermore, based on Articles 7(4) and 8(5), face-to-face identity verification is mandatory except when there is reliance on a third party;
in turn, Articles 14(1) and 14(3) specify that a third party eligible for reliance must "either be a commercial bank or financial institution that engages in securities activities" and may only be engaged "to perform the CDD if the
client is located in a country other than Saudi Arabia".
(ii) MOCI :
The Manual on AML-CFT (addressed to certain Designated Non-Financial Businesses and Professions (DNFBPs), specifically
dealers in precious metals and precious stones, real estate agents, and chartered accountants), while not explicitly requiring face-to-face KYC, replicates the CMA AML/CFT Rules provision on the necessary documentary evidence to be
collected from individual customers:"Establishing the identity of the client and continuously verifying the identity of all dealers against valid officially certified original documents proving their identity as
follows:
Saudi nationals:
National identification card or family record.
Address of the person, place of residence and place of work.
Individual expatriates:
Residence permit (Iqamah) or a five-year special residence permit or a passport or National identification for GCC nationals or a diplomatic identification card for diplomats.
Address of the person, place of residence and place of work" (Section 3(1)).
(iii) SAMA :
Pursuant to Section 3.3 of the 2019
Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Guide
("AML Guide "), addressed to SAMA-regulated financial institutions, "information and documents issued by government bodies are considered to be from reliable and independent sources". Sections 3.9-3.10 futher imply the
possibility of non-documentary identity verification, so long as it is conducted via "reliable and independent electronic services", such as the National Information Center:
"3.9 The customer is not required to come to the financial institution when updating and reviewing their information for identity verification
as long as electronic authentication services approved by the National Information Center are used. However, the financial institution shall determine the need for further documentation or the customer's presence based
on the level of risk posed by the customer.
3.10 When using reliable and independent electronic services to verify a customer's identity, the financial institution shall determine if more documentation is required based on the level of risk posed by the customer
. In addition, it must implement the necessary preventive measures to mitigate business relationship risks and set the necessary procedures and measures to verify and review the customer information obtained, including
the information provided by the customer, using reliable and independent electronic services".
It follows that non-documentary identity verification is permissible for SAMA-regulated financial institutions to the extent it is carried out via "reliable and independent" government-maintained electronic sources, the only example
explicitly named in the AML Guide being the National Information Center.
64 — More information may be required under industry-specific regulations. E.g., source of income is necessary as per Article 3.3 of the 2019 Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Guide; the
2022 Rules for Bank Accounts prescribe to collect ID number and expiry date and employer name (if any); etc.
While the Monetary Authority of Singapore maintains separate Notices and Guidelines addressing each type of AML-regulated business (e.g., banks, merchant banks, finance companies, specified payment services, digital payment token
services), they are substantially similar in relation to customer due diligence procedures. In particular, photographic evidence is universally recognized as necessary for verifying a natural person's identity and, likewise, documentary
evidence would also be generally required and prioritized over electronic sources (which, nevertheless, are encouraged as additional safeguards4 ) for verification of the customer's address. See, for example:
"Where the person whose identity is to be verified is a natural person, the finance company should ask for some form of identification that contains a photograph of that person " (
Guidelines to MAS Notice 824 - Finance Companies
, para. 23);
"When relying on documents, a bank should be aware that the best documents to use to verify the identity of the customer are those most difficult to obtain illicitly or to counterfeit. These may include government-issued identity
cards or passports, reports from independent company registries, published or audited annual reports and other reliable sources of information.
Where the customer is a natural person, a bank should obtain identification documents that contain a clear photograph of that customer.
In verifying the identity of a customer, a bank may obtain the following documents :
(a) Natural Persons ―
(i) name, unique identification number, date of birth and nationality based on a valid passport or a national identity card that bears a photograph of the customer ;
(ii) residential address based on national identity card, recent utility or telephone bill, bank statement or correspondence from a government agency "" (
Guidelines to MAS Notice 626 - Banks
, paras. 6-3-1, 6-6-1, 6-6-2);
"When relying on documents, a payment service provider should be aware that the best documents to use to verify the identity of the customer are those most difficult to obtain illicitly, counterfeit or falsify digitally. These may
include government-issued identity cards or passports, reports from independent company registries, published or audited annual reports and other reliable sources of information.
Where the customer is a natural person, a payment service provider should obtain identification documents that contain a clear photograph of that customer .
In verifying the identity of a customer, a payment service provider may obtain the following documents :
a) Natural Persons -
(i) name, unique identification number, date of birth and nationality based on a valid passport or a national identity card that bears a photograph of the customer;
(ii)residential address based on national identity card, recent utility or phone bill, bank statement or correspondence from a government agency " (Guidelines to MAS Notice PSN02 - Digital Payment Token Services , paras. 6-3-1, 6-6-1, 6-6-2).
An exception to this general rule is MyInfo, a government service that enables citizens and residents to manage the use of their personal data for simpler online transactions.
MAS Circular No. AMLD 01/2018
on "Use of MyInfo and CDD Measures for Non-Face-To-Face Business Relations", para. 3, describes MyInfo as a "reliable and independent source for the purposes of verifying the customer's name, unique identification number, date of birth,
nationality and residential address", as well as other personal attributes. It is simultaneously confirmed that, "where MyInfo is used, MAS will not require FIs to obtain additional identification documents [such as NRIC or passport] to
verify a customer's identity, and will also not expect FIs to separately obtain a photograph of the customer". At the same time,
MAS Circular No. AMLD 01/2022 on "Non-Face-To-Face Customer Due Diligence
Measures", setting out industry good practices observed by the regulator, states that most supervised entities use solutions including "elements of biometrics technology, such as facial recognition" to further mitigate the risks of
impersonation in the context of remote identification (para. 9).
Consequently, the only electronic source that could be involved as a standalone verification method of customer's identification data is MyInfo. Otherwise, in cases where MyInfo is not engaged, an individual customer is required to
present a photo-bearing ID (such as a passport or national identity card) and, where necessary, an additional document for address confirmation. Arguably and in exceptional cases, alternative photographic evidence could be accepted
(e.g., a report provided by a reliable government data source and containing the customer's facial image and other necessary information based on an official ID), but only subject to a proper risk assessment by the regulated entity.
Non-documentary checks (in relation to either general identity verification or address verification) would only be an additional tool complementing the documentary evidence.
4 — For example, the Guidelines for Digital Payment Token Services name “collection of customer device identifiers, IP addresses with associated time stamps, geo-location data” as one of possible risk mitigation measures in the remote onboarding context (para. 6-12-3).
In Spain, the legal AML/CFT framework is primarily governed by the Prevention of Money Laundering and Terrorist Financing Law 10/2010 of 28 April (the "AML Law"), which,
among other things, provides the requirements for customer due diligence.
Article 3 of the AML Law sets out the general identity verification duty:
"2. Prior to the establishment of the business relationship or the execution of any operations, the obligated subjects will verify the identity of the parties involved through reliable documents. In the event that it is not possible to
verify the identity of the parties involved through reliable documents at first, the provisions of article 12 may be considered, unless there are elements of risk in the operation".46
Furthermore, as per Article 4bis of the AML Law, the following identity data is prescribed for collection in relation to natural persons that are ultimate beneficial owners for the purposes of the business relationship in question:
name and surname;
date of birth;
type and number of identification document (in the case of Spanish nationals or residents, a document issued in Spain shall always be provided);
country of issue of the identification document, if the Spanish national identity card or resident card is not used;
country of residence;47
nationality; etc.
In turn, Article 12(1) addresses non-face-to-face business relationships and transactions:48
"Obligated subjects may establish business relationships or execute operations through telephone, electronic or telematic means with clients who
are not physically present, provided that any of the following circumstances occur:
a) The identity of the client is proven by means of the qualified electronic signature regulated by Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust
services for electronic transactions in the internal market and repealing Directive 1999/93/EC. In this case, it will not be necessary to obtain a copy of the document, although the conservation of identification data that justify
the validity of the procedure will be mandatory. In the rest of the cases, when the electronic signature used does not meet the requirements of the qualified electronic signature, obtaining a copy of the identification document
within one month will continue to be mandatory.
b) The first deposit comes from an account in the name of the same client opened in an entity domiciled in Spain, the European Union or equivalent third countries.
c) The requirements determined by regulation are verified49 .
In any case [but excluding Art. 12(1)(a)], within a period of one month from the establishment of the business relationship, the obligated subjects must obtain from these clients a copy of the documents necessary to carry out due
diligence".
It follows that the non-documentary approach can only be used if the customer's identity is verified via eIDAS-compliant QES; otherwise, it is mandatory to obtain the customer's ID immediately during or within one month after the
establishment of the business relationship.
46 — As per Art. 6(1) of the
Regulation on the Prevention of Money Laundering and Terrorist Financing approved by Royal Decree 304/2014 of 5 May ("Decree"), "reliable
documents" means:
"For individuals who are Spanish nationals, the national identity card.
For foreign individuals, the Residence Card, Foreign Identity Card, Passport or, in the case of citizens of the European Union or the European Economic Area, the official personal identity document, letter or card issued by the home
authorities. The identity document issued by the Ministry of Foreign Affairs and Cooperation for diplomatic and consular personnel of third countries in Spain shall also be valid for the identification of foreign nationals.
Exceptionally, obliged subjects may accept other personal identification documents issued by a government authority provided they enjoy adequate guarantees of authenticity and show a photograph of the holder".
47 — There are no further explicit references to a necessity to collect and/or verify the customer's residential address in the AML Law or the Decree.
48 — Art. 21 of the Regulation on the Prevention of Money Laundering and Terrorist Financing approved by Royal Decree 304/2014 of 5 May contains a similar rule listing one additional alternative condition: "The customer's identity is
evidenced by means of a copy of the relevant identity document as set out in article 6, provided that the copy is issued by a notary public".
49 — Referring to (i) SEPBLAC specifications regarding authorization of remote identification by videoconference , 12
February, 2016, and (ii) SEPBLAC specifications regarding authorization of remote identification by video recording , 11 May, 2017.
Both (i) and (ii), however, require presentation of an identity document as part of the process.
In Sweden, the two main legal acts regulating anti-money laundering and counter-terrorist financing measures are the Money Laundering and Terrorist Financing (Prevention) Act ("AML Act ") and the
Act on Penalties for Money Laundering Offences
Chapter 3 Section 2 of
Finansinspektionen's regulations regarding measures against money laundering and terrorist financing FI Regulations ") issued on 26 June 2017 is mainly focused on the document-based approach to identity verification:
"An undertaking shall verify the identity of a natural person by means of a Swedish driver's licence, Swedish passport or identity card issued by a Swedish authority, or a Swedish certified identity card.
The undertaking shall verify the identity of natural persons who do not have a Swedish identity document against a passport or other identity document. The passport or identity document must contain a photograph of the person and
information on citizenship, and must be issued by an authority or other authorised issuer. A copy of a foreign passport or other foreign identity document shall be retained in accordance with the requirements set out in Chapter 5,
section 3 of the Act on Measures against Money Laundering and Terrorist Financing (2017:630)".
At the same time, Section 5 sets out specific requirements applicable directly to non-face-to-face customer relationships:
"An undertaking shall verify the identity in a non-face-to-face situation by:
Using electronic identification to produce an advanced electronic signature as set forth in the Act (2016:561) [eIDAS regulation] laying down additional requirements to the EU Regulation on electronic identification or by using
any other technology for electronic identification which provides equivalent certainty
, or
Verifying the natural person's identity in an appropriate manner by:
a) obtaining information regarding the person's name, address,38 personal identity number or equivalent,
b) verifying the information against external registers, certificates, or other equivalent documentation, and
c) contacting the natural person by sending a confirmation to the person's address in the population register or other reliable address,
or ensuring that the person sends a certified copy of an identity document, or other equivalent measure ".
Since, in the context of remote CDD, obtaining a copy of the customer's ID is only one of the possible methods for identity verification, it could be concluded that Section 5 should be interpreted as substituting, not complementing, Chapter 3 Section 2.
It follows that Non-Doc KYC solutions can be relied on so long as they meet the requirements of the eIDAS Regulation or constitute a similarly robust and secure procedure. In particular, electronic identification schemes
notified by Sweden pursuant to Article 9(1) of the eIDAS Regulation include BankID,
Freja eID, and EFOS, of which three BankID is arguably the most feasible and most commonly used option, although it is only available to individuals with a Swedish personal identity number.
Notably, eIDAS-based solutions also appear to rule out the necessity to collect and verify additional identity attributes, such as the customer's address.
38 — No particular means of verifying address are prescribed besides contacting the customer at their place of residence; however, this would only be obligatory where the obliged entity relies on Section 5(2) of the FI Regulations, not Section 5(1).
Article 4 of the 2019
Prime Minister Office Notification on Customer Identification Methodology for Financial Institutions and Businesses and Professions
("Customer Identification Methodology"), enacted on the basis of the Anti-Money Laundering Act B.E.2542 (1999), provides the minimum identification information to be obtained in respect of an individual customer for CDD purposes:
Full name.
Date of birth.
Personal identification number or, in case of a foreigner, passport number or other identification number issued by government or government agency of citizenship or identification number as appears
in other identification document issued by the government of Thailand [and evidence thereof as per Article 5(1)].
Address as appears in personal identification card or in the house registration and current address.57 In case of a
foreigner, the country of citizenship and current address in Thailand shall be provided, except for the case of a foreigner with no address in Thailand, whose current address shall be used instead.
Other contact information such as phone number or email address.58
In turn, the measures regulated entities may take to verify this data (either face-to-face or remotely) are generally detailed in the 2021
Anti-Money Laundering Office Notification Concerning Guideline for Identification and Verification of Customers and Ultimate Beneficial Owners
("AMLO Notification"):
where the customer uses a low-risk product or service:
"(A) Where a national identity card is used as identification evidence, one of the following procedures or any other equally reliable procedures shall be conducted as appropriate:
Verifying such information using a smart ID card reader which is connected to the electronic verification system of a government agency.
Verifying such information using a smart ID card reader and comparing it against the information that appears on the ID card.
Verifying such information against another government agency's database .Examining and verifying the correctness of such information to confirm that such customer is the owner of such information.
(B) Where a passport is used as identification evidence, one of the following procedures or any other equally reliable procedures shall be conducted as appropriate:
Using electronic data retrieved from the passport such as data from near field communication technology to compare against information that appears on the passport.
Examining and verifying the correctness of such information to confirm that such customer is the owner of such information";
where the customer uses a high-risk product or service:
"(B) In verification of a non-face-to-face customer [...]
Where a smart ID card is used as identification evidence, information shall be examined by using smart ID card reader through the electronic examination system of a government agency
or any other procedures having equivalent reliability .
Where a passport is used as identification evidence, data from the passport such as data retrieved from near field communication technology shall be compared with the information on the passport or other documents issued by
government of the Kingdom of Thailand or government agency of citizenship or any other procedures having equivalent reliability .
In implementation under 1) and 2), a photograph of customer shall be taken and recorded and advanced technology under international standard or acceptable standard shall be used for comparing photograph of customer with biometric data
retrieved from the smart ID card or electronic data retrieved from the passport to ensure that such person is genuinely the customer in place of their physical presence or any other method having equivalent reliability";
"(B) In verification of a non-face-to-face customer [...].
For using smart identity card as identification information, one of the following procedures may be conducted:
Verifying such information using smart ID card reader and comparing it against the information that appears on ID card of such customer.
Verifying the information that appears on the ID card and the ID card status through the electronic examination system of a government agency .
Where a passport is used as identification evidence, data from the passport such as data retrieved from near field communication technology shall be compared with information on the passport. In a case where information could not be
retrieved from near field communication reading, comparison may be made against other documents issued by government of the Kingdom of Thailand or government agency of citizenship.
For implementation under 1) and 2), a photograph of customer shall be taken and recorded and advanced technology under international standard or acceptable standard shall be used for comparing the photograph of the customer with the
biometric data retrieved from the smart ID card or electronic data retrieved from the passport to ensure that such person is genuinely the customer in place of their physical presence
or any other method having equivalent reliability ".
The Bank of Thailand ("BOT")
Notification No. SorNorChor. 1/2563 Re: Regulations on Know Your Customer (KYC) for e-Money Service Activation ("'BOT Regulations") largely
stipulates the same non-face-to-face KYC methods (see, e.g., Clause 4.2 (2.2)). It is also reiterated that a reference to a "digital ID platform" may serve "as a replacement of customer verification or to be used for supporting the
customer verification" (Clause 4.2.4).59 However, Clause 4.5 of the BOT Regulations further states that, where alternative verification means not otherwise explicitly mentioned by the regulator are used, they need to be pre-approved by
the BOT.
From the above, the following inferences can be made: (i) it is expected that either the passport or the smart identity card will be presented as evidence of the identification data, ruling out a fully document-free KYC flow; (ii)
nevertheless, validation of the data contained in a smart identity card against official governmental resources is an appropriate way of conducting identity verification, on par with NFC chip reading and with no other obvious
alternatives; (iii) generally, it is expected that an additional "liveness" check will be carried out if the customer is not physically present.
57 — This would imply that, where the customer's address is verified via electronic sources, the obliged entity would have to confirm that the same address is indeed featured in the customer's personal identification card or house
registration. At the same time, no specific procedures are prescribed for validating residential address that is different from the one indicated in the personal identification card or house registration. Additional documentation such
as utility bills may normally only be required as a possible EDD measure, as per Art. 5 of the AMLO Notification.
58 — In case of standard CDD, the list would also include "information on occupation including name and address of work place" as per Article 5(2) of the Customer Identification Methodology. The same set of data is typically required under
industry-specific AMLO Guidelines (see, e.g., page 9 of the
AMLO Guideline on Customer Due Diligence For Banks ).
59 — A similar approach is adopted in Clause 5.3.2 (2) of the
Notification of the Bank of Thailand No. FPG. 19/2562 Re: Regulations on Know Your Customer (KYC) for deposit-account opening at financial institutions
, explicitly providing the possibility of digital identification and verification systems usage:
"Financial institutions can verify the accuracy, reality and up-to-date nature of identification data and documents, as well as verify that it truly is this customer or a person with final authorization from a juristic person (if
any) through the digital verification and identification system such as National Digital ID Platform (NDID Platform) to substitute or support the documentary verification approach ".
The principal AML/CFT legislation within the UAE includes: (i)
Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations
(the "AML-CFT Law" or "Law") and implementing regulations, such as (ii)
Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations
(the "AML-CFT Decision" or "Cabinet Decision").
Besides, the UAE Central Bank (CBUAE) maintains
Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Financial Institutions (the
"AML Guidelines") as well as both general and sphere-specific guidances in order to ensure better understanding and effective performance of AML obligations.
The AML-CFT Decision provides the general identification and identity verification requirement in Article 8 :
"Financial Institutions and [Designated Non-Financial Business or Professions] DNFBPs should identify the Customer's identity, whether the Customer is permanent or walk-in, and whether the Customer is a natural or legal person or legal
arrangement, and verify the Customer's identity and the identity of the Beneficial Owner. This should be done using documents, data or information from a reliable and independent source or any other source to verify the identity as
follows:
For Natural Persons:The name, as in the identification card or travel document , nationality, address, place of birth, name and address of employer, attaching a copy of the original and valid identification card or travel document ,
and obtain approval from the senior management, if the Customer or the Beneficial Owner is a PEP".
In general, under Article 8.1 of the AML-CFT Decision and section 6.3.1 of the AML Guidelines, required identity attributes for CDD under UAE regulations and guidance include, for a natural person, the name (as in the passport or
identity card, number, country of issuance, date of issuance and expiration date of the identity card or passport), the nationality, the address (i.e., the permanent residential address), the date and place of birth, and the name and
address of employer (if applicable).
Reinforcing this, Section 6.3.1 of the AML Guidelines further elaborates on the necessity to collect copies of identity documents:
"The verification of a customer's identity, including their address, should be based on original, official (i.e. government-issued) documents whenever possible .22 When that is not possible, FIs should augment the number of verifying
documents or the amount of information they obtain from different independent sources. In particular, when verifying the UAE ID card, FIs licensed by the Central Bank must use the online validation gateway of the Federal Authority for
Identity & Citizenship and keep a copy of the UAE ID and its digital verification .23 They should also identify the lack of official documents and the use of alternative means of verification as risk factors when assessing the customer's
ML/FT risk classification".
At the same time, both Section 6.3.1 of the AML Guidelines and Section 3.1 of the
Guidance for Licensed Financial Institutions ('LFI's) on Digital Identification for Customer Due Diligence
(the "Digital Identification Guidance ") seem to suggest that verification via electronic sources is an acceptable alternative to the documentary method:
"An example of alternative verification means is verification by way of digital identification systems . Such digital identification systems should rely upon technology, adequate governance, processes and procedures that provide
appropriate levels of confidence that the system produces accurate results";
"Under Article 8 of the AML-CFT Decision, LFIs are required to identify each customer and verify the customer's identity using documents, data, or any other identification information from a reliable and independent source. This
requirement is technology neutral and expressly permits LFIs to use documentary as well as non-documentary sources (i.e., information or data) when performing identification and verification; it does not impose any restrictions on the
form-physical or digital-that identity evidence must take, nor does it impose limitations as to the use of digital ID systems for the purpose of linking a customer's verified identity to a unique, real-life individual, provided this is
done using a "reliable" and "independent" source. As such, LFIs are permitted to utilize digital ID systems as well as physical forms to perform customer identification and verification, consistent with the expectations set forth in
this Guidance".
Section 5 of the Guidance further prescribes the mandatory assessments the FIs should conduct before choosing a digital identification system:
"An assurance level assessment , through which the LFI can understand the assurance levels that the digital ID system provides based on its technology, architecture, and governance and determine its reliability and independence; and
An appropriateness assessment , through which the LFI can make a risk-based determination - given the digital ID system's assurance levels - of whether the digital ID system is appropriately reliable and independent for CDD in light of
potential ML, TF, fraud, and other illicit financing risks".
Section 2.1 of the Guidance describes several national identification systems approved for use by AML-regulated entities, including UAE Pass, Emirates ID and Emirates Facial Recognition. UAE Pass, in particular, is the UAE's primary
digital identity and signature solution with a high level of security.
The interpretation of the above-mentioned provisions, taken cumulatively, appears to be that, while usage of digital identification systems is in principle permitted for KYC purposes, it does not negate the overall document-based
approach adopted by the UAE financial regulators and, in particular, the requirement to obtain a copy of the customer's identity document under the AML-CFT Decision. Accordingly, digital ID systems may be relied on as a standalone
solution when they allow access to all of the required customer data, including that related to the identity document and a copy of the identity document itself. Alternatively, they may be used for supplementary checks (which are
sometimes mandatory, as in the case of Emirates ID).
22 — For address verification, this could imply that geolocation detection alone would not be adequate; this is supported by the Digital Identification Guidance, referring to geolocation / IP address data mostly as supporting identity attributes to leverage for ongoing due diligence and transaction monitoring (see, e.g., Section 3.2). However, since there is no exhaustive list of documentation that can serve as proof of address, arguably records obtained from a reliable external database could suffice.
23 — Section 2.2 of the Digital Identification Guidance also states that, “when verifying the Emirates ID card, either physically or by way of digital or electronic “Know Your Customer (“e-KYC”) solutions, LFIs should use the online validation gateway of the Federal Authority for Identity, Citizenship, Customs & Port Security, the UAE Pass Application, or other UAE Government-supported solutions, and keep a copy of the Emirates ID and its digital verification record”.
The 2017 Resolution of Board of Central Bank of the Republic of Uzbekistan (as amended) (the "CBU Resolution ") outlines a comprehensive approach to customer
identification and identity verification, emphasizing both document-based and electronic methods:
"Identification of an individual client by a commercial bank is carried out on the basis of an identity document (passport or ID card or a document replacing them) or biometric data . In
this case, a commercial bank, when identifying an individual client:
on the basis of an identity document (passport or ID card or a document replacing them) - must familiarize itself with the original of such document ;
on the basis of biometric data - must verify such data via the information system of the Ministry of Internal Affairs of the Republic of Uzbekistan" (clause 26).
Regarding the scope of data by which an individual customer must be identified, clause 25 of the CBU Resolution refers to Appendix 1 thereto, which, in turn, contains the following list:
Surname, first name and patronymic.
Date and place of birth.
Citizenship.
Place of permanent and (or) temporary residence.
Details of the passport or ID card or the document replacing them: series and number of the document, date of issue of the document, name of the authority that issued the document .Personal identification number .Home telephone number (if available).
In parallel, the 2021 Central Bank Decision "About the Approval of the Regulation on the Procedure for Digital Identification of Customers" authorizes (i) digital identification with human
interaction and (ii) digital authentication without human interaction via information systems for banks, microfinance organizations, pawn shops and payment organizations in relation to citizens of Uzbekistan, foreign citizens and
stateless persons residing permanently or temporarily in Uzbekistan:
(i) the procedure for digital identification is as follows (section 6):
the obliged entity receives from the customer photos of the parts of their identity document (biometric passport or ID card or driver's license of a new model) containing the relevant information;
the obliged entity receives the customer's photo and (or) video;65
the information obtained, including the photo and (or) video of the customer, is compared with that stored in the "Electronic Government" system ("central database");
the obliged entity verifies the customer's mobile phone number (e.g., by sending an SMS message);
the obliged entity checks whether the customer's risk profile is high (which would make them ineligible for the procedure);
the obliged entity establishes an online video conference with the customer and checks that the submitted documents belong to them.
(ii) the procedure for digital authentication is as follows (section 7):
the obliged entity receives from the customer the series and number of their identity document (biometric passport or ID card or driver's license or a new model), or personal identification number and date of birth, or all of these
data, together with a photo or video of the customer taken in real time;
the obliged entity sends a request to the central database and receives the following personal data of the customer:
digital photograph (if available);
personal identification number ("ЖШШИР");
date of issue of biometric passport or ID card, its validity period and place of issue;
surname, first name, patronymic in the state language (in Latin script);
information about gender, country of birth, place of birth, nationality, citizenship and place of permanent or temporary residence;
the obliged entity compares the customer's photo or a snapshot from the video taken in real time with the image extracted from the central database (if available) in an automated manner (without human involvement);
the obliged entity verifies the customer's mobile phone number (e.g., by sending an SMS message);
the obliged entity compares the received data with the List [the list of persons participating or suspected of participating in organized terrorist activities or proliferation of weapons of mass destruction, prepared by the
Department for Combating Economic Crimes under the General Prosecutor's Office of the Republic of Uzbekistan] automatically (without human involvement)".
Therefore, the AML/CFT regulations of Uzbekistan currently provide for two options of fully non-documentary identity verification: (i) via the Ministry of Internal Affairs databases (the customer's biometric data being the input); and
(ii) via the Electronic Government database (the customer's real-time photo / video, as well as certain non-biometric personal data (ID details or personal identification number and date of birth), being the input), subject to several
procedural requirements (impersonation risk mitigation, obligatory consultation of specific AML screening sources, mobile phone verification, collection of all necessary attributes, etc).
65 — As per section 10, in case of both digital identification and digital authentication, the photo / video: needs to be in color; the video must have sound; it is not allowed to have persons other than the customer in the photo and (or) video; the matching mechanism must allow for impersonation risk mitigation; etc.
Vietnam's 2022Law on Anti-Money Laundering AML Law ") establishes сustomer due diligence (CDD) procedures
applicable to AML-subject entities, including those related to customer identification and identity verification.
Pursuant to Article 10 of the AML Law, reporting subjects must collect identity data of individual customers depending on their nationality and residence:
"1. Customer identification information, including information about the individual customer's representative (if any):
a) For individual customers whose nationality is Vietnamese: full name; date of birth; nationality; profession, job position; phone number; ID card number or Citizen Identification Number or personal identification number or
passport number, date of issue, place of issue; permanent residence registration address and other current residence (if any);
b) For individual customers with one nationality who are foreigners residing in Vietnam: full name; date of birth; nationality; profession, job position; phone number; passport number, date of issue, place of issue; entry visa
number, except in cases of visa exemption as prescribed by law; residential address abroad and registered residence address in Vietnam;
c) For individual customers with one nationality who are foreigners not residing in Vietnam: full name; date of birth; nationality; profession, job position; passport number or identification number issued by a foreign competent
authority, date of issue, place of issue; residential address abroad;
d) For individual customers who have two or more nationalities: corresponding information specified in point a, b or c of this clause; nationality, residential address in the country of the other nationality;
dd) For individual customers who are stateless: full name; date of birth; profession, job position; number of the document valid for international travel (if any), visa number; entry visa-issuing agency, except in cases of visa
exemption as prescribed by law; residence address abroad (if any), residence registration address in Vietnam".
In addition, Article 12 of the AML Act lists the following means for verifying the information referred to above:
Reporting subjects use documents and other data to verify customer identification information, including:
a) For individual customers: ID card, citizen identification card or valid passport; other documents issued by competent authorities; [...]
Reporting subjects can exploit information in national databases according to the provisions of law, through competent state agencies and other organizations specified in Article 13 [a third-party provider engaged
by the reporting subject] or regulated third parties specified in Article 14 [a financial institution or a legal entity in a related non-financial industry that has established relationships with customers (excluding agency and
outsourcing relationships); conducts CDD according to the AML Act of, for foreign entities, the FATF recommendations; is subject to the management and supervision of a competent authority] of this Law to compare and verify
information provided by customers".
It is not entirely obvious from the text of Article 12 whether (i) paras. 1 and 2 are alternative or (ii) para. 1 is obligatory, while para. 2 only sets out a possible supplementary means of data validation. At the same time, secondary
legislation and industry-specific guidance, together with the current market practice, seem to suggest that, while reliance on national identity databases is permissible and even obligatory in certain instances, the only way of
validating the customer's identity via such databases remains to present an identity document. .
For instance, the
2023 Decision on Implementing Safety and Security in Online Payment and Bank Card Payment
requires "e-authentication" for certain types of transactions, e.g.:"Credit institutions, foreign bank branches, and payment intermediary service providers must implement solutions to minimize risks in online payments as follows:
For individual customers, before making the first transaction using the Mobile Banking application or before making a transaction on a device different from the device that made the last Mobile Banking transaction, the customer must
be authenticated:
By the customer's biometric identification mark: (i) matching the biometric data stored in the chip of the customer's CCCD card issued by the Public Security agency; (ii) or through authentication of the customer's electronic
identification account created by the electronic identification and authentication system;
Or by the customer's biometric identification mark matching the biometric data stored in the collected and verified customer biometric database, combined with the OTP authentication method sent via SMS/Voice or Soft OTP/Token OTP"
(Art. 2).
Likewise, Art. 12 of
Circular 17/2024/TT-NHNN
(State Bank of Vietnam, Regulations on opening and Using Payment Accounts at Payment Service Provider) further implies that, for both Vietnamese and foreign citizens, identity verification should be achieved either via documentary or a
combination of documentary and electronic means:
The payment account opening file includes the following documents, information and data:
a) Agreement to open and use payment accounts as prescribed in Article 13 of this Circular;
b) Documents, information, and data to verify customer identification information as prescribed in Clauses 2 and 3 of this Article; [...]
Documents, information, data on personal identification papers of individual customers:
a) In case the individual is a Vietnamese citizen: Citizen Identification Card, Identity Card or Electronic Identity Card (through accessing the level 02 electronic identification account) or Identity Card
or Birth Certificate for people under 14 years old;
b) In case the individual is of Vietnamese origin and nationality is not yet determined: Identity card;
c) In case the individual is a foreigner:
(i) Passport, for foreigners residing in Vietnam, there must be an additional entry visa or document of equivalent value to a visa or document proving visa exemption; or
(ii) Electronic identity (through access to a level 02 electronic identification account) ".
This is further confirmed in Art. 1635 of the same Circular, specifying that regulated entities' internal procedures on electronic account opening should include, inter alia, collection of the account owners' (where they are natural
persons) biometric data, as well as its subsequent matching against:
"(i) Biometric data stored in the encrypted information storage unit of the citizen identification card or the identity card that has been accurately authenticated as issued by the police agency
or through authentication of that person's electronic identification account created by the Electronic Identification and Authentication System ; or
(ii) Biometric data has been collected and checked (ensuring the correct match between the person's biometric data and the biometric data in the encrypted information storage of the citizen identification card or the identity card
has been accurately authenticated as being issued by the Public Security agency or with the person's biometric data through the
authentication of the electronic identification account created by the Electronic Identification and Authentication System )".
In turn, the meaning behind "level 02 electronic identification account" is clarified in Art. 20 of Decree 69/2024/ND-CP as
follows:
"1. The electronic identification and authentication system provides the following levels of electronic identification account authentication: [...]
b) Level 02: Electronic identification account authentication is performed based on two different authentication factors [authentication means used to confirm and accurately affirm the electronic identity subject before accessing and
exploiting information in the electronic identification and authentication system] and the corresponding authentication means in Clause 8, Article 3 of this Decree [methods that allow users to use to perform electronic authentication:
password, secret code, barcode, terminal, one-time password device or software, cryptographic device or software, identity card, citizen identification card, passport, facial photo, fingerprint, voice, iris or other tools and methods
used for the purpose of electronic authentication], which does not include biometric information".
Importantly, Arts. 3(9) and 22(2) of the same Decree emphasize that electronic authentication services may only be conducted by "a public service unit or enterprise [authorized by] the Ministry of Public Security".
Consequently, e-verification and e-authentication appear not only permissible, but mandatory in at least two scenarios: (i) the customer opens a payment account using their Electronic Identity or Electronic Identity Card; and (ii) the
customer conducts certain types of transactions as listed in the 2023 Decision on Implementing Safety and Security in Online Payment and Bank Card Payment. However, this KYC method must be enabled by an entity duly authorized by the
Ministry of Public Security.
Furthermore, at present, the underlying national databases leveraged to perform e-verification and e-authentication are only accessible by using the data extracted from an eID with an embedded NFC chip (which makes a fully
non-documentary flow impossible in practice)
. Also, additional mechanisms (e.g., a questionnaire) may need to be implemented in order to collect the necessary identity information that might not be contained in the consulted data source - this may apply to, e.g., residential
address (which may be verified by both documentary and non-documentary means, subject to the regulated entity's choice).
35 — Notably, Art. 16(3) also contains a carve-out for cases where an account may not be opened via electronic means: “a) Joint payment account; b) Foreign currency payment account; c) Individual customers as prescribed in Point b, c Clause 1 Article 11 of this Circular [persons under 15 years of age; persons with limited or lost civil act capacity according to the provisions of Vietnamese law; persons with difficulty in cognition and behavior control according to the provisions of Vietnamese law], individual customers who are people from 15 years old to under 18 years old”.
