The anti-money laundering and counter terrorism financing legal framework in Australia is governed primarily by the
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the "AML/CTF Act") and its related regulations. In turn,
the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (the "AML/CTF Rules") are subsidiary legislative instruments made under the AML/CTF
Act and elaborating on the obligations set out therein.
Specifically regarding customer identification and identity verification procedures, Part 4.2.3 of the AML/CTF Rules sets out the minimum KYC information to be collected about an individual customer: (i) full name, (ii) date of birth,
and (iii) residential address; at least (i) and either (ii) or (iii) have to be subsequently verified, pursuant to Part 4.2.6.
Further, Part 4.2.7 lists the acceptable methods of verifying the above-mentioned customer data:
"(1) reliable and independent documentation;
(2) reliable and independent electronic data; or
(3) a combination of (1) and (2) above".
The AML/CTF Rules offer different "safe harbour" verification approaches (documentation-based and electronic-based) depending on the risk profile of the customer. In cases where the risk is medium or lower, the procedure should involve,
respectively:
for the documentation-based approach: "(a) an original or certified copy of a primary photographic identification document;[27] or (b) both: (i) an original or certified copy of a primary non‑photographic identification document; and
(ii) an original or certified copy of a secondary identification document"[28]. The entity must also "verify that any document produced about the customer has not expired (other than in the case of a passport issued by the Commonwealth
that expired within the preceding two years)" (AML/CTF Rules, Parts 4.2.10 - 4.2.11);
for the electronic-based approach: use of reliable and independent electronic data from at least two separate data sources is required. The entity must also verify that the customer has a transaction history for at least the past 3
years. (AML/CTF Rules, Parts 4.2.12 - 4.2.14).
Accordingly, where the supervised entity relies on the electronic method only:
if the customer's name and date of birth are verified independently via different electronic sources, address does not need to be confirmed at all;
conversely, if the date of birth is only collected and not verified, a reference to a single reliable electronic source should suffice for address validation, so long as the name is not checked against the same source.
At the same time, pursuant to Part 4.10.2 of the AML/CTF Rules, when choosing an electronic source as a verification basis the reporting entity must determine:
"whether the electronic data is reliable and independent, taking into account the following factors:
(a) the accuracy of the data;
(b) how secure the data is;
(c) how the data is kept up‑to‑date;
(d) how comprehensive the data is (for example, by reference to the range of persons included in the data and the period over which the data has been collected);
(e) whether the data has been verified from a reliable and independent source;
(f) whether the data is maintained by a government body or pursuant to legislation; and
(g) whether the electronic data can be additionally authenticated; and
what reliable and independent electronic data the reporting entity will use for the purpose of verification;
the reporting entity's pre‑defined tolerance levels for matches and errors; and
whether, and how, to confirm KYC information collected about a customer by independently initiating contact with the person that the customer claims to be".
As one possible solution, the Australian Transaction Reports and Analysis Centre suggests the Document Verification Service (DVS):
"One option for verifying individual customer and beneficial owner identification using electronic data is the Document Verification Service (DVS). This is a secure online system managed by the Department of Home Affairs. The DVS
matches government-issued identity documents directly with the government organisation that issued them. This lets you check in real time that the document is current and not lost or stolen".
Consequently, an evaluation of the relevant client verification methods in Australia reveals the following:
Verifying a customer’s full name and date of birth using two separate electronic sources meets the AML/CTF Rules (Part 4.2.6), specifically the requirement to verify the full name and either the date of birth or the address.
Verifying the name and date of birth against one source, and the name as well as the address against a separate source.
Verifying the customer’s full name and residential address using two separate electronic sources fulfills the minimum requirement (Part 4.2.6) of verifying the name and one other element. The compliance assessment notes that if the date of birth is verified together with the name, address verification is not needed. However, if the date of birth is collected but not verified, the name and address can each be verified against a single source, provided different sources are used for the name and the address; using two sources here exceeds the minimal threshold and meets regulatory standards. Omitting date of birth verification is permissible, though less common than name plus date of birth combinations.
Further clarification indicates that verifying a name and date of birth using two sources removes the need for address verification, while verifying the name and address each against a single source is sufficient if the date of birth is collected but not verified, provided the name and address use different sources.
In conclusion, the current AML/CTF legislation of Australia allows the use of electronic data as a verification basis for both identity and address verification purposes so long as proper due diligence of the sources to be used is carried out. In practice, the electronic-based approach is arguably more viable (particularly for remote customer onboarding), as it may be impractical to obtain the originals or certified copies of identity documents. All verification methods that verify at least two required elements across two independent sources align with the broader AML framework and the requirements for low-risk and medium-risk cases, while remaining flexible.
27 — As defined in Part 1.2.1 of the AML/CTF Rules.
28 — As defined in Part 1.2.1 of the AML/CTF Rules.
The main source of AML/CFT-related requirements for reporting entities in Belgium is the
Law on the prevention of money laundering and terrorist financing and on the restriction of the use of cash (the "AML Law"), last amended on
February 8, 2023.
Pursuant to Art. 27(1) of the AML Law, the reporting entities are required to verify the identity of the customers against:
"1° one or more supporting documents or reliable and independent sources of information enabling them to confirm [the identification data listed in Art. 26 - for natural persons, this would include "last name, first name, date and place
of birth and, to the extent possible, address". Regarding verification of address specifically, the National Bank of Belgium
Object of the identification and identity verification guidance ("NBB Guidance") states that "financial
institutions' internal procedures should determine the measures to be taken to fulfill this legal obligation in a sufficiently precise manner" without providing an exhaustive list of ways to do so];
2° where applicable, the information obtained through electronic identification means such as those provided or recognised within the authentication service as referred to in Articles 9 and 10 of the Law of 18 July 2017 on electronic
identification [implementing the eIDAS regulation and providing a regulatory framework for electronic identification in connection with digital public services in Belgium; the cited articles mostly refer to the data contained in the
National Register], confirming the identity of persons online;
3° where applicable, information obtained through relevant trust services referred to in Regulation 910/2014".
At the same time, Article 1 of Annex III to the AML Law defines non-face-to-face business relationships as a factor of potentially higher risk if conducted without certain safeguards, namely "electronic means of identification or
relevant trust services as defined in Regulation (EU) No 910/2014 or any other secure identification process that take place electronically or remotely and are regulated, recognised, approved or accepted by the relevant national
authorities".
While there is no indication in the AML Law that alternative options (such as other external data sources or a combination of ID analysis and liveness / face match) are not permissible, the National Bank of Belgium ("NBB") states the
following in its Guidance:
"[...] a simple copy or electronic image of a supporting document is insufficiently reliable in itself to be accepted as a supporting document in standard-risk situations without being verified through the
National Register as stipulated in Article 28 of the Anti-Money Laundering Law".[45]
Still, this should not be read as a prohibition of any non-face-to-face onboarding mechanisms besides that stipulated in Art. 28 of the AML Law, since the NBB purposefully adopts a technologically neutral approach, emphasising that
"neither the Anti-Money Laundering Law nor the Anti-Money Laundering Regulation of the NBB lists in a precise, uniform and prescriptive manner the supporting documents or the reliable and independent sources of information that can be
used to fulfil the obligation to verify the identity of the persons involved", even though some of these sources are explicitly authorised. That said, the NBB strongly recommends that regulated entities:
implement different KYC flows depending on the customer's risk profile, including a "correlation table of the supporting documents accepted for each risk class, as well as a list of the circumstances in which certain supporting documents need not be submitted";
when authorising the use of innovative technologies other than electronic identification means as referred to in the AML Law in high-risk situations, tighten the terms and conditions for the application of this authorisation and carry
out a prior analysis of whether such technologies are reliable. The Guidance does, however, confirm that reliability is enhanced by "electronic identification schemes notified in accordance with Article 9 of the eIDAS Regulation and
meeting the requirements of "substantial" or "high" levels of assurance". The two electronic identification schemes
notified by Belgium, both with a "high" level of assurance, are Belgian eID Scheme FAS /
eCards and Belgian eID Scheme FAS / Itsme. These should therefore be regarded as acceptable solutions for identity verification.
consult certain official data sources in case verification is performed on the basis of documentation (e.g., FPS Home Affairs - when there is a suspicion the ID may be stolen or lost; the National Register - while processing the data
registered on the microprocessor of the ID; etc.);
when relying on a photocopy or electronic image of a supporting document, incorporate multiple checks (that the data has not been altered or manipulated, that the necessary security features are present, etc.).
Overall, reporting entities have relatively broad discretion in choosing the means of remote identity verification, as long as they are able to justify their sufficiency and compatibility with the customer's risk profile. However,
solutions explicitly approved under the AML Law or the NBB Guidance (including, in particular, the eCards and Itsme eID schemes, or any services leveraging data from the National Register) are more likely to be considered compliant.
45 — "Upon request from an obliged entity, and solely for the purposes of the verification, by such an entity, of the identity of the customers and their agents who are natural persons and who are not present during their identification [...]
the professional associations designated by the King shall be authorised to:
1° use the identification number from the National Register;
2° access the data of the National Register of natural persons referred to in Article 3 of the Law of 8 August 1983 establishing a National Register of natural persons;
3° make a paper or electronic copy of the information consulted in said Register".
The Financial Intelligence Act of 2022 (the "FI Act") provides a comprehensive legal basis for AML/CFT efforts in Botswana. The FI
Act, along with the Financial Intelligence Regulations 2022 (the "FI Regulations"), outlines the obligations for
accountable institutions.
Article 20(1) of the FI Act sets out the general identification and identity verification requirement, with no detailed clarifications:
"A specified party shall, where required to conduct customer due diligence in terms of section 16 and before establishing a business relationship or carrying out a transaction - (a) establish and verify the identity of a customer,
unless the identity of that customer is known and has been verified by the specified party".
Nevertheless, Article 20(6) also emphasizes that identity verification should be conducted based on an official document:
"Proof of identity of a customer under this section shall be through -
(a) production of a National Identity Card for citizens;
(b) production of a passport for non-citizens;
(c) production of a refugee identity card issued under the Refugees (Recognition and Control) Act; [...]; or
(f) such other identity document as the Minister may prescribe".
This is further clarified in the FI Regulations:
"14. (1) Any information or particulars ascertained by a specified party as required under Part II of these Regulations shall, be verified by the specified party by comparing such information obtained with the applicable and
corresponding independent and reliable information set out in the following documentation -
(a) a trust instrument or deed of trust;
(b) a national identification document issued by the person's country of origin, domicile or citizenship;
(c) a passport;
(d) a refugee identity card;
(e) a birth certificate; ... or
(h) any reliable document, data or information that reasonably serves to verify any of the information obtained by the specified party in ascertaining the information set out in Part II of these Regulations.
(2) If it is deemed to be reasonably necessary, taking into account any guidance notes concerning the verification of identity that may apply to a specified party, the specified party shall, in addition to the verification undertaken in
terms of subregulation (1), verify any of the information or particulars ascertained as part of establishing identity by comparing such particulars with any applicable and corresponding reliable document, data or information."
Based on the above-cited provisions, taken cumulatively, the expectation appears to be that an individual customer's identity document needs to be processed as part of the KYC procedure unless there is a compelling reason for the
obliged entity's inability to obtain it. However, there is no explicit requirement that the document must be collected from the customer directly.
Meanwhile, the following data is subject to ascertainment in relation to individual customers pursuant to Part 2, Section 6(1) of the FI Regulations:
"(a) the person's full name;
(b) the person's nationality;
(c) where the person is a citizen or resident of Botswana, the identity card number and date of birth of such person;
(d) where the person is not citizen or resident of Botswana, the passport number and date of birth of such person;
(e) where the person is a refugee, a refugee identity card number and date of birth of such person;
(f) where the person is a citizen or resident of Botswana, the person's residential address in Botswana;
(g) where the person is not a citizen or resident of Botswana, the residential address in his or her country of domicile and physical address in Botswana;
(h) the person's contact details;
(i) the person's occupation or source of income;
(j) nature and location of business activities, if any;
(k) the source of funds involved in the transaction; and
(l) an original of the recent council rate or utility bill receipt".
Furthermore, Section 15 of the FI Regulations provides additional requirements for non-face-to-face customer onboarding:
"(1) Where a specified party ascertained information, in terms of these Regulations, about a customer without contact in person, with the natural person or with the representative of the customer, the specified party
shall take reasonable steps to ensure the existence and to establish the identity of that customer, taking into account any guidance notes concerning the verification of identities that may apply to that specified party.
(2) Where the customer referred to under subregulation (1) is a natural person, the specified party shall ensure the existence and to establish the identity of that customer by -
(a) obtaining a reference from a well known professional, an employer of the customer of the specified party, or a known customer of the specified party who knows the natural person; or
(b) requesting original recent council rates or utility bill receipt."
To conclude, a digital source could be used as the primary KYC method for identity verification, provided that a copy of the customer's ID can be extracted from the source in question. However, additional documents
would in any event be required for address verification (council rate or utility bill receipt specifically).
Article 10 of Law N° 9.613, commonly known as the Anti-Money Laundering Law, establishes the obligation of entities (such as banks, financial institutions, insurance
companies, casinos, card issuers, leasing companies, real estate companies, and in general companies that trade luxury goods) that fall under the regulation of the Brazilian AML office (COAF) to "identify their clients and keep their
registries up to date, according to the norms set out by the corresponding regulatory agency".
In general, such regulator-specific norms are receptive to digital KYC mechanisms, with obliged entities granted relatively broad discretion in choosing the external sources to rely on.
For instance, the Securities and Exchange Commission of Brazil has established the following:
"The adoption of alternative registration systems is allowed, including by electronic means, provided that the solutions adopted meet the objectives of the current regulations and the procedures are subject to verification"[19] (CVM Instrução 50 of August 31, 2021 ("Resolution"), Art. 12);
In the case of banks and financial institutions, the Central Bank of Brazil has set out the following rules:
"The institutions shall adopt identification procedures that allow verifying and validating the identity of the client. The procedures shall include obtaining, verifying and validating the authenticity of customer identification
information, including, if necessary, by comparing this information with those available in public and private databases" (BACEN/DC Circular No. 3978 OF 01/23/2020 ("Circular"), Art. 16(1));
Nevertheless, for these industries, a fully non-documentary KYC flow might only be possible in relation to local residents, since onboarding a person who does not have a CPF (Natural Persons Register) taxpayer identification number
requires collecting an ID copy:
"In the customer identification process, at least:
the full name and [CPF number], in the case of a natural person [must be collected];[20]
[...] In the case of a client who is a natural person residing abroad who is not required to register with the CPF, in the form defined by the Federal Revenue Secretariat of Brazil, the use of a travel document in accordance with the
Law is permitted, and at least the issuing country must be collected, the number and type of the document" (Circular, Art. 16(2-3)).
With regard to CVM-regulated entities, it can be concluded that Non-Doc verification is permissible in relation to both identity and address, so long as the chosen solution is sufficiently robust and ensures accuracy close to that
of face-to-face identification. For identity verification purposes, it is highly recommended to add an authentication factor (such as active liveness-based recognition) to the procedure to ensure the data ownership and real-time
presence of the individual.
For the Gambling sector specifically, Ordinance Nº 1.231 establishes that a scanned copy of the ID document is required for
registration of new users (article 31 - XI). It also states that facial recognition with proof of liveness must be registered. Optionally other forms of biometrics can be registered. Therefore, Non-Doc KYC is considered permitted as a
standalone method for onboarding only when a copy of the document can be obtained from the ultimate data source as a result of the verification process.
19 — Note that, as per Annex B to the Resolution, at least the following data must by default be present in an individual customer’s records: “a) full name; b) date of birth; c) birthplace; d) nationality; e) marital status; f) mother's name; g) identification document number and issuing body; h) registration number in the Registry of Natural Persons – ("Cadastro de Pessoas Físicas", CPF/MF); i) name and respective CPF/MF number of the spouse or partner, if applicable; j) place of residence (street, complement, district, city, federation unit, and ZIP code) and telephone number; k) email address for correspondence; l) professional occupation; m) name of the entity, with the respective customer records with the CNPJ, for which he/she works, when applicable; n) updated information on earnings and equity status; [etc.]”. Furthermore, a copy of the customer’s identification document and proof of residence or domicile is required for identification, even though no particular verification methods are mandatory.
20 — Note that, as per Art. 18(1) of the Circular, identity verification procedures should also include information that allows the customer’s place of residence to be established, even though no particular methods are mandatory.
According to section 6.1 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “AML/CFT Act”) and sections 86-88 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (the “AML/CFT Regulations”), a financial entity shall verify the identity of the person for whom it opens an account. Sections 12-14 of the AML/CFT Regulations specify that the following data shall be kept in respect of an account holder:
Name
Address
Date of birth
Nature of the occupation.
In addition, section 9.3 of the AML/CFT Act mandates that the financial entity shall determine whether it deals with a politically exposed person (the “PEP”).
AML/CFT Regulations provide for both documentary and non-documentary methods for identity verification.
Even though paragraph 105 of the AML/CFT Regulations lists several acceptable verification methods that seem to be non-documentary (e.g., referring to information from a federal or provincial government body that is authorized in Canada to verify the identity of persons; referring to information from reliable sources), at the moment the FINTRAC Guidance on the methods to verify the identity of persons and entities (the “FINTRAC Guidance”) mentions only one fully non-documentary verification method, which is the credit file method. The FINTRAC Guidance does not address at all the method of referring to information from a federal or provincial government body that is authorized to verify the identity of persons, so we understand that there is currently no such process available in Canada. As to referring to information from reliable sources, the FINTRAC Guidance addresses it as an acceptable identity verification method that, given the examples of such reliable sources provided in the said guidance, seems to rely mostly on documentary sources. However, if a credit file is used for a dual-process method, under certain conditions this method could be used as a non-documentary option (for more information, please refer to the section “Dual-Process Method” below).
Credit File Method
The credit file method consists of searching the credit file of the person being verified at the time the financial entity is verifying that person’s identity, and confirming that the individual’s name, address, and date of birth match the credit file data. When getting a credit file, the financial entity may request it without including a credit assessment part, as this information is not required for the purpose of verifying the person’s identity. This method may be implemented via automated matching. It is also acceptable to refer to a third-party vendor authorized by a Canadian credit bureau.
For this method to be valid, the credit file shall meet all of the following requirements:
It is located in Canada (i.e., it is issued by a Canadian credit bureau).
It has been in existence for at least three years.
It contains information that is derived from more than one source (i.e. more than one tradeline).
It matches the name, address and date of birth of the person being identified.
If there is a minor discrepancy in the name or address (e.g., a typo or a secondary address), the reporting entity may still determine that the information matches. However, if there is a mismatch in the date of birth, it is more likely that the reporting entity will determine that the information does not match. In this case, an alternative identity verification method or a different credit file will be used. The process and any remediation steps must be documented in the organization’s compliance policies and procedures.
Dual-Process Method
The dual-process method is to perform any two of the following actions:
Refer to the information from a reliable source that confirms the person’s name and address
Refer to the information from a reliable source that confirms the person’s name and date of birth
Refer to the information that confirms the person’s name and an account with a financial entity (e.g., deposit, prepaid, credit card, or loan account).
Annex 5 of the FINTRAC Guidance provides examples of sources that can be used for the dual-process method: mostly, various types of documents (not necessarily an original version of a document, but, for example, its photocopy, scan, or electronic image will work). The only electronic source that is listed is a “Canadian credit file that has been in existence for at least six months”.
If a Canadian credit bureau acts as an aggregator and it can provide the financial entity with the information from at least two independent original sources (where each source will confirm one of the two types of information that shall be confirmed under the dual-process method), this will be considered as sufficient confirmation for the dual-process method. However, if the Canadian credit bureau issues the credit file on the basis of data from only one source, or if the credit file does not comply with the requirements (e.g., it has existed for less than six months), using the credit file alone will not suffice, as the dual-process method is meant to use two different sources (i.e. the verified information must not be from, or derived from, the same source). In this case, another source shall be used, which will imply getting certain documents from the individual whose identity is being verified.
Similarly to the credit file method, if there is a minor typo in the name or address, the reporting entity may still determine that the information matches. However, if there is a mismatch in the date of birth, it is more likely that the reporting entity will determine that the information does not match. In this case, information from a different source under the dual-process method or an alternative identity verification method will be used.
To conclude, it may be possible to onboard individual customers using a non-documentary identity verification procedure under both the credit file and dual-process methods, provided the regulatory criteria referred to above are satisfied. Otherwise, a document-based method will need to be used.
In Cyprus, the legal framework governing Anti-Money Laundering ('AML') and Combating the Financing of Terrorism ('CFT') is primarily set out by the
Prevention and Suppression of Money Laundering and Terrorist Financing Laws of 2007,
as subsequently amended (referred to as the 'AML/CFT Law'). Besides the stipulated obligations and requirements aimed
at securing the financial environment from illicit activities, this law also outlines the key requirements for Customer Due Diligence ('CDD') and Know Your Customer ('KYC') procedures in Cyprus.
The implementation, enforcement and the adoption of the various domestic and international AML/CFT legislative instruments are overseen by the local Regulatory Bodies, such as:
Central Bank of Cyprus ('CBC'): The country's central monetary authority, responsible for the enforcement of the provisions of the legislation, regulations and supervision of banks, Electronic Money Institutions
(EMIs), and Payment Service Providers (PSPs), Bureaux de Change and Credit Institutions, under section 59 (1)(a) of the AML/CFT Law.
Cyprus Securities and Exchange Commission ('CySEC'): It is a regulatory body that regulates Cyprus's financial services sector, overseeing entities like investment firms, financial institutions, and investment
funds.
Cyprus Bar Association ('CyBAR'): It oversees lawyers and law firms in Cyprus, ensuring compliance with AML and CTF regulations as designated non-financial businesses and professions (DNFBPs).
Institute of Certified Public Accountants of Cyprus ('ICPAC'): It is the competent authority responsible for the regulation and supervision of certified public accountants and audit firms within the Republic of
Cyprus.
Cyprus Real Estate Agents ('CREAA'): It oversees real estate agents in Cyprus, ensuring their compliance with AML and CTF regulations.
Other relevant entities.
However, this assessment is largely based on the requirements of CySEC and CBC.
Cyprus Securities and Exchange Commission (CySEC) CDD provisions
In 2016 the Directive DI144-2007-08 (as amended), Section 2 vi, specifically mentions the use of electronic verification and permits its use as long as the following conditions are met:
i. the electronic databases kept by the third party or to which the third party or the Financial Organization has access are registered to and/or approved by the Data Protection Commissioner in order to safeguard personal data (or
the corresponding competent authority in the country the said databases are kept).
ii. electronic databases provide access to information referred to both present and past situations showing that the person really exists and providing both positive information (at least the customer's full name, address and date
of birth) and negative information (e.g. committing of offences such as identity theft, inclusion in deceased persons records, inclusion in sanctions and restrictive measures' list by the Council of the European Union and the UN
Security Council).
iii. electronic databases include a wide range of sources with information from different time periods with real-time update and trigger alerts when important data alter.
iv. transparent procedures have been established allowing the Financial Organization to know which information was searched, the result of such search and its significance in relation to the level of assurance as to the customer's
identity verification.
v. procedures have been established allowing the Financial Organization to record and save the information used and the result in relation to identity verification.
In addition, according to the above-mentioned directive, Section 2.3, information must come from two sources in the following manner:
vi. identification of the customer's full name and current address from one source, and
vii. identification of the customer's full name and either his current address or date of birth from a second source.
Also, a major recent advancement is CySEC's amendment of the Anti-Money Laundering (AML) Directive, formalized through
Directive 282/2024 and designed to strengthen the existing AML/CFT framework for obliged entities regulated by CySEC by improving
measures for the prevention of money laundering and terrorist financing, particularly clarifying identification document requirements and the use of electronic verification methods.
Directive 282/2024 introduces a significant amendment by replacing the previous derogation61 rule for video call onboarding. Under the prior framework,62 clients could be onboarded remotely primarily via video call with an
annual deposit threshold of EUR 2,000. The updated Directive removes this derogation in response to advancements in digital technologies and evolving threats in financial crime. While video call verification remains an
option, the new rules require financial institutions regulated by CySEC to implement robust KYC procedures for all clients, prior to the business relationship and regardless of deposit amounts.
Additionally, Obligated Entities must notify CySEC in advance of the specific electronic methods they intend to use for remote verification and validation of client identities ('RCOS'). However, there is no longer an
exhaustive list of such electronic methods, meaning that video calls are not the only viable option.
On 6 August 2024, CySEC also issued a
Policy Statement On The Enhancement Of The Non-face-to-face ('NFTF') Customer Onboarding Process With Electronic Methods, outlining
new requirements for remote onboarding, such as mandatory liveness detection for unattended solutions, prior to establishing a business relationship, while observing the requirement of Section
61(1)(a) of the AML/CFT Law for 'data and information from a reliable and independent source'.
Despite the above provisions that are accounted for, the key principles of remote customer onboarding as per CySEC remain as follows:
Customer Identification
As a general rule, all customers are expected to provide valid identification documents issued by reliable and independent authorities. Beyond passports, Obliged Entities can now accept other IDs (under eIDAS
identification schemes) issued by government bodies of the European Union or a third country, that state the full name and date of birth and include the individual's photograph. Additionally, information such as the individual's current
residential address, occupation (to establish economic profile) or principal activity must be obtained as part of the verification process.
Address Verification
To verify the customer's residential address, documents such as recent utility bills (issued within the last six months), bank statements, or any other official documents that clearly indicate the permanent address must be provided. It
is critical that these documents are issued by credible and independent sources to ensure their authenticity and reliability.
Certification of Documents
Documents submitted for identification and address verification must either be presented in their original form or as certified true copies. Certification may be conducted by the entity itself when the original documents are presented
or by third parties authorized under applicable laws, such as notaries or other competent legal authorities. Where required, certified copies must include an apostille or notarization to validate the certification process. Nevertheless,
the industry practice in Cyprus contradicts the requirement for certification of documents and most regulated entities, especially fintech companies, conduct due diligence on their customers by electronic submission of proof of identity
and proof of address copies.
For instance, where originals or certified copies are not available, the Obliged Entity must: (i) ensure that at least one of the procedures referred to in paragraph 2 of the Fourth Annex of the AML Directive (including, inter alia,
video calls, "penny drop", or "use of an electronic method or a combination of more of them for remoteness ascertaining and verifying the identity of customers, based on assessment, evaluation and money laundering and financing risk
management terrorism") is present; and (ii)(a) collect a simple copy of the customer's ID or (ii)(b) perform identity verification by electronic means on the following cumulative conditions:
the electronic databases employed provide access to information which refers to both current and previous situations that show that the person indeed exists and contain both positive information (at least the customer's full name,
address and date of birth) as well as negative information (e.g. committing crimes such as identity theft, inclusion in records of deceased persons, inclusion in lists of sanctions and restrictive measures by Council of the European
Union and the Security Council UN);
the electronic databases employed contain a wide range of sources, with information from various time periods, updated to real time (real-time update), and send notifications (trigger alerts) when important data changes;
the Obliged Entity knows what information was researched, what the results of the research are and their significance as to the verification of the customer's identity;
has established procedures that allow the Obliged Entity to record and store the information used and the result in relation to the authentication;
information must come from two or more sources: identification of the customer's full name and current address from one source; and identification of the customer's full name and either his current address or date of birth from a
second source;
in case the evidence is in a language other than Greek or English, it must be accompanied by a certified translation (true translation).
Non-Residents of Cyprus
For customers residing outside Cyprus, the same identification and verification procedures apply. However, additional measures may be necessary, including confirmation of the customer's identity through Cypriot embassies, consulates, or
recognized financial institutions in the customer's country of residence. In relation to CySEC-regulated entities, these additional measures can also depend on the risk profile of the customers, as AML laws and guidelines
mention that reporting entities are allowed to follow a risk-based approach. In general, enhanced due diligence is mandatory in cases where there are concerns about the authenticity of the submitted documents or where the customer poses
a higher risk.
It is also worth noting that the new CySEC AML Directive entered into force on 5 August 2024, except for the provisions concerning Remote Customer Onboarding Solutions, as detailed in Annex IV of the AML Directive,
Paragraph 2(iv), which will take effect on 1 December 2024.
Therefore, as per CySEC, with the described amendments entering into force, non-doc KYC may be relied on, provided that (i) the databases used meet the criteria described above and (ii) the database check is combined with at least one
more electronic identity verification method (e.g., liveness). However, address verification may only be conducted based on an exhaustive list of documents.
Central Bank of Cyprus ('CBC')
The CBC is the competent authority for the enforcement of the provisions of the legislation in relation to the financial activities of supervised entities in Cyprus, under section 59(1)(a) of the
Prevention and Suppression of Money Laundering Activities Laws of 2007 to 2019 ('the AML/CFT Law').
Under the Law, the CBC has issued the 5th edition of the
Directive on the Prevention and Suppression of Money Laundering and Terrorist Financing ('the CBC AML/CFT Directive'). There are also the Law 58 (I) of 2016 and the CBC Directive for
Compliance with the provisions of UN Security Council Resolutions and the decisions / regulations of the Council of the European Union.
The Central Bank of Cyprus does not currently have specific legislation regarding the remote onboarding process. However, it has a set of documents to be obtained in relation to natural persons, such as:
Identity Data:
for Cypriot citizens, copy of valid identity card;
for citizens of other countries, copy of passport and valid Alien Registration Card (ARC).
Proof of Permanent Address:
copy of utility bill, not older than six (6) months, (e.g. electricity, landline, water bill in Cyprus, or equivalent, where applicable, from your country of residence), or
home insurance policy, or
municipal tax bill and/or
Bank account statement.
Contact details:
telephone number;
email address;
mailing address (if different from your permanent address);
Details of professional and other occupations, including the name of the employer/business and the position held in the business;
Specimen signature;
Source of Income / Source of Wealth;
Any other information deemed necessary depending, among others, on the estimated risk. Please note that for natural persons who have experienced adverse circumstances (e.g. political asylum seekers, political refugees, beneficiaries
of subsidiary protection, victims of human trafficking and/or exploitation) the above information may vary depending on the case.
The CBC Guidelines further support the use of electronic KYC as long as these means are secure and reliable.
On October 19, 2023, the Central Bank of Cyprus officially launched a digital remote onboarding project aimed at modernizing customer identification and updating processes within credit institutions.
The first phase introduces remote digital onboarding, allowing customers to electronically submit and verify their details or update existing information without requiring a physical presence.
The second phase establishes integration with government services, enabling direct retrieval of customer data to streamline the KYC process.
The final phase facilitates secure information sharing among participating banks, simplifying account transfers and reducing administrative complexities.
Supported by major banks such as Bank of Cyprus, Hellenic Bank, Alpha Bank Cyprus, and others, the project underscores a collective effort to modernize the Cypriot banking sector. This phased rollout, supported by leading banks in
Cyprus, aims to deliver streamlined and compliant banking services, with implementation progressing through 2024.
Despite the references to a requirement of submission of certified identification documents in the AML Law, the CDD framework overseen by the CBC and CySEC is robust and aligned with EU directives (4AMLD, 5AMLD, 6AMLD, eIDAS),
emphasizing a risk-based approach. There are also explicit references to the use of electronic verification methods, which are not only permitted and supported by 5AMLD and 6AMLD, but also by CySEC's and CBC's directives, as long as these
electronic methods are conducted through reliable and secure sources. Nevertheless, even if CySEC's Circular C367 and recent CBC announcements further enable flexibility in relation to electronic verification means, physical documents
remain a preferable option. Also, the transition to 6AMLD and MiCAR preparations (November 2024) signal continued digital adoption, but challenges in infrastructure suggest a hybrid approach, combining electronic and traditional methods.
Financial institutions are encouraged to leverage eIDAS-compliant tools while monitoring 2025 regulatory updates to address potential gaps.
61 — Even though the general rule, in accordance with article 62(1) of the AML Law, says that the verification of identity of a
customer/beneficial owner takes place before the establishment of a business relationship with the said person, there is a derogation of this general rule described in article
62(2) of the AML Law. According to article
62(2) of the AML Law, the verification of identity of the customer/beneficial owner of an obliged entity may be completed during the
establishment of a business relationship, provided that all the following conditions are met: a) if this is necessary so as not to interrupt the normal conduct of business, and b) where there is little risk of money laundering or
terrorist financing occurring, and c) where the verification procedure is completed as soon as possible after the initial contact.
62 — The circular C367 specifies the limited circumstances under which Cyprus Investment Firms (CIFs) may defer customer identity
verification. In all cases, this verification must be finalized within 15 days from the earlier of either the customer's acceptance of the CIF's terms and conditions or the date of the initial deposit.
In the AML/CFT legal framework of the Czech Republic, the relevant requirements to customer identity verification are largely reflected in
Act No. 253/2008 Coll. on selected measures against legitimisation of proceeds of crime and financing of terrorism
("AML Act").
As a general rule, Section 8 of the AML Act states that the first identification of a customer who is an individual should be performed with (i) the said customer present in person and (ii) the obliged entity "recording identification data36 and verifying them from an identity card should they be included thereon, and subsequently recording the type and serial number of the identity card, the issuing country or issuing authority and the card's validity; at the same
time, [...] verifying the holder's appearance and the holder's facial image as pictured on the identity card".
However, Section 8a(1) provides for an alternative so long as the substituting solution is either compliant with Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services
for electronic transactions in the internal market ("eIDAS Regulation") and the implementing regulations or prescribed by another legal act:
"An obliged entity may replace the process pursuant to section 8[...] by identification of a natural person who is a customer [...] performed by means of electronic identification which comply with the following:
a) technical specification, standards, and procedures for a high level of assurance given by the directly applicable regulation of the European Union regulating minimum technical specifications, standards and
procedures for levels of assurance of means of electronic identification37) and which is issued and applied pursuant to the qualified system in line with the Act on Electronic Identification, or
b) conditions pursuant to which means of electronic identification can be used for verification of identity required by a legal regulation or discharge of administrative responsibility outside the scope of the qualified system
pursuant to the Bank Act".
In conclusion, non-documentary methods for identity verification are permitted as long as they correspond to the approved tools used for customer onboarding in accordance with Section 8a of the AML Act. As of now, electronic
identification schemes notified by the Czech Republic pursuant to Article 9(1) of the
eIDAS Regulation with the "high" level of assurance are the national eID card and "mojeID", a non-commercial
service operated by the CZ.NIC association and allowing users to authenticate in various private sectors and public administration services by creating a digital identity.
36 — As per Section 5(1) of the AML Act, for a natural person this would include: “all names and surnames, the birth identification number or, should the person have no birth identification number, the date of birth, gender, place of birth, address of permanent or other residence, and citizenship”. At the same time, no particular methods for verifying the address are prescribed where it is not featured in the identity document.
37 — Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8 (3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
In Denmark, the Consolidation Act on Measures to Prevent Money Laundering and Terrorism Financing (the Anti-Money Laundering Act) ("AML Act")
is the main legal source of AML/CFT obligations for the reporting entities. The Finanstilsynet (also the Financial Supervisory Authority), which is a government agency responsible for regulating the financial
sector, including AML/CFT compliance supervision, provides guidelines regarding the interpretation and application of the AML Act.
Section 11 of the AML Act grants regulated entities a relatively wide margin of discretion in selecting the appropriate means of customer identity verification, listing a broad range of electronic evidence as acceptable with some form
of governmental recognition as the only qualifying criterion:
"The undertaking or person shall obtain the customer's identity information.
a) If the customer is a natural person, the identity information shall include name and civil registration number or similar if the person in question does not have a civil registration number. Should the applicant not have a civil
registration number or similar, the identity information shall include date of birth.41
[...]
The undertaking or person shall verify the customer's identity information on the basis of documents, data or information obtained from a reliable and independent source. A reliable and independent source means, for
example, electronic means of identification, relevant trust services or any other secure form of remote identification process or electronic identification process that is regulated, recognised, approved or accepted by the competent national
authorities".
The 2020 Guide to the AML Act ("FSA Guide") by the
Finanstilsynet continues this approach in Sections 9.1-9.5, stating in particular that:
the customer's identity details can, in principle, be obtained from non-documentary sources (e.g., CPR (Central Office of Civil Registration) or Danish Tax Agency);
a "reliable external source" used for customer identification does not necessarily have to be government-owned or -operated;
it is not an obligatory requirement that the customer presents photographic identification for non-face-to-face KYC, although it provides additional assurance;
in the context of a remote relationship, the reporting entity must consider the potentially increased risk. NemID, for instance, is considered a "reliable and independent source" for that purpose, but, "when more than limited risk
is involved, it will be necessary for the undertaking to use other control sources, or risk-mitigating measures along with NemID".
In 2023, NemID was replaced with MitID. Since, unlike NemID, MitID has
both "substantial" and "high" levels of assurance and was generally intended as a more
robust and secure solution, it can be argued that the FSA's reasoning applicable to NemID should not be fully transferable to MitID and that MitID should be considered sufficient for identity verification outside of the SDD context.
This is corroborated by the consultation paper on "Project AML/TEK", where the FSA expresses the following stance:
"The DFSA is of the opinion that a MitID at a 'substantial' level under the eIDAS Regulation could act as the sole source of verification for distance customers who are not subject to enhanced KYC procedures. This is because the processes for verifying identities when issuing a MitID are at least as secure as the DFSA expects is the case, in principle, for distance customers under the MLA, cf. section 6.7. In addition, the assurance level of the means of authentication in the MitID solution is higher than in the NemID solution".
NemID or other forms of electronic ID as a source of control can be supplemented with other risk mitigation measures. Such measures could include:
"The first transaction takes place via the customer's Nemkonto or another bank account registered in the customer's name.
The undertaking sends a unique code to a mobile phone number that it has checked belongs to the customer, or by physical letter to the customer's registered address.
The undertaking verifies the customer's IP address in relation to geolocation.
The undertaking asks the customer questions, which can be subsequently verified by a reliable and independent source, e.g. information from the customer's personal tax folder" (Section 9.5 of the FSA Guide).
Accordingly, Non-Doc KYC solutions are permissible for both identity and address verification in principle so long as they sufficiently mitigate the risk posed by non-face-to-face onboarding and have been granted approval by the
competent national authorities. In relation to MitID specifically, it can arguably be relied on as a standalone solution at both "substantial" and "high" levels of assurance at least in all instances when enhanced due diligence is not
required (where customers may need to apply additional safeguards of their choice, such as: obtaining ID copies, verifying the source of funds where necessary, collecting further data items (e.g., geolocation), etc).
41 — The customer’s residential address is therefore not listed as part of the information obligatory to obtain. Section 14 of the FSA Guide suggests that collection and verification of address data may be leveraged as an EDD measure, but it is still referred to as one of possible alternatives only.
In Estonia, the main requirements to customer due diligence for AML/CFT purposes are established under the
2017 Money Laundering and Terrorist Financing Prevention Act (the "AML Act").
As per §21 and §31 of the AML Act, the exact procedures to be followed in relation to an individual customer depend on (i) the customer's country of residence and, if different, nationality; (ii) whether the customer is physically
present during the onboarding process; and (iii) the actual or anticipated amount of transactions carried out within the business relationship. Specifically:
by default, the customer who is a natural person has to be identified:
by their "person's name [and] personal identification code or, where the person does not possess one, their date of birth and the place of residence or location"50 (§21, subsection 1, clauses 1-2);
with the collected identity data subsequently verified "using information originating from a credible and independent source for that purpose" (§21, subsection 2), which may include "personal identification data entered in the
database of identity documents" (§31, subsection 5);
information concerning recognition and verification of the right of representation and scope thereof and, where the right of representation does not arise from law, the name of the document serving as the basis for that right,
its date of issue, and the name of the issuer;
particulars of the person's means of telecommunication.
The obliged entity must also verify the correctness of the data specified in clauses 1 and 2 of subsection 1, using information originating from a credible and independent source for that purpose.
Where the person subject to due diligence procedure is not located in the same location with the party conducting due diligence, and it is not possible to employ a scheme or service mentioned in subsection 3 of this section, the means
or service used to identify the person and verify data must ensure:
that the data and documents gathered in the course of applying due diligence measures are correct and up to date;
secure gathering and storage of images, video, audio and data in understandable form and with sufficient quality, such that unambiguous identifiability of the person is ensured;
in a situation where the connection is unexpectedly interrupted or on manifestation of other technical defects, the failure of identification.
In accordance with subsection 3 of section 21 of the AML Act the obliged entity identifying a natural person should do so using the following documents:
a document specified in subsection 2 of § 2 of the Identity Documents Act;
a valid travel document issued in a foreign country;
a driving licence that meets the requirements provided for in subsection 1 of § 4 of the Identity Documents Act, or
a birth certificate specified in § 30 of the Vital Statistics Registration Act in the case of a person below the age of seven years.
Where the original document specified in the list above is not available, the identity can be verified on the basis of a document specified in subsection 3, which has been authenticated by a notary or certified by a notary or
officially, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different
sources for verification of data in such an event.
With regard to special customer due diligence rules for financial and credit institutions and where the following cumulative conditions are met:
(i) the customer is not physically present; and
(ii)(a) "the customer's place of residence or seat is in a country outside the European Economic Area", or
(ii)(b) "the total amount of outgoing payments related to the transaction or service contract per calendar month exceeds 15,000 euros in the case of a customer who is a natural person" (§31, subsection 1)
(iii) Where the residence or seat of the customer or of the person who carries out the occasional transaction is in a high-risk third country or in a jurisdiction that falls under the provision of clause 4 of subsection 4 of § 37 of the
Act.
The following remote KYC methods are prescribed: (additionally, the regulated entity must "establish rules of procedure that ensure secure identification of persons and verification of data, and that effectively alleviate and manage
risks related to application of due diligence measures without being present in the same location as the person"):
"an electronic identification scheme that has been notified in accordance with Article 9 of Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic
transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.08.2014, p. 73) and that corresponds to the assurance level provided for by subparagraph (b) or (c) of paragraph 2 of Article 8 of that
Regulation;"; or
"a qualified trust service that meets the requirements provided by Regulation (EU) 910/2014 of the European Parliament and of the Council";
Option 2 (where Option 1 is not possible): the means or service used to identify the person and verify data must ensure:
that the data and documents gathered in the course of applying due diligence measures are correct and up to date;
secure gathering and storage of images, video, audio and data in understandable form and with sufficient quality, such that unambiguous identifiability of the person is ensured;
in a situation where the connection is unexpectedly interrupted or on manifestation of other technical defects, the failure of identification.
Option 1 and Option 2 (where Option 1 is not possible) as defined above are also applicable whenever the customer is not physically present, even if the corresponding qualifying criteria are not met;
where the customer is not physically present and their residence or seat is in a country that "provides funding or support for terrorist activities, or that has designated terrorist organisations operating within their country, as
identified by the European Union or the United Nations" or another high-risk country, only Option 1 as defined above is permissible (para. 31, subsection 11);
where the customer is not physically present and an e-resident's digital identity document is used to identify them and verify data, another document mentioned in subsection 3 of § 21 of the AML Act51 must be used simultaneously (§31,
subsection 4);
furthermore, where the obliged entity is not a credit institution, a financial institution, or a notary, para. 31 of the AML Act does not apply, meaning a possible fallback to para. 21, subsection 4: "where the original document
specified in subsection 3 of this section is not available, the identity can be verified [...] on the basis of other information originating from a credible and independent source, including means of electronic
identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event".
Accordingly, the instances where the customer would not necessarily have to present an identity document during non-face-to-face KYC may include:
(i) the obliged entity is not a credit institution, a financial institution, or a notary - meaning that identity data may be verified via two independent sources, whether documentary or non-documentary; or
(ii) the obliged entity relies on an e-identification solution with a "high" or "substantial" level of assurance as per the eIDAS regulation or a qualified trust service meeting the requirements of the eIDAS regulation. For example, the
electronic identification schemes notified by Estonia, all with a "high" level of
assurance, are: ID card; RP card; Digi-ID; e-Residency Digi-ID; Mobile-ID; and diplomatic identity card;
(iii) it is not possible to employ any solution falling within option (ii) above, in which case the obliged entity is not restricted in its choice of the onboarding flow so long as certain technical safeguards (e.g., data accuracy,
secure data storage, uninterrupted connection) are implemented.
In summary, non-document identification can be used as long as it gives assurance equivalent to the eIDAS regulation, preferably through one of the prescribed electronic identification schemes notified by the Estonian government and as long as identity data comes from two independent sources. With regard to address verification, in the absence of instructions to the contrary, it may be assumed that, while regulated entities are indeed expected to verify address-related information, they are not restricted in their options of doing so and, provided that the customer’s address is not already reliably confirmed in the course of general identity verification, both documentary and non-documentary supplemental checks can be used.
50 — There is no specific guidance regarding residential address / location verification; therefore, presumably, it can be achieved via any supplemental checks if necessary.
51 —
a document specified in subsection 2 of § 2 of the Identity Documents Act;
a valid travel document issued in a foreign country;
a driving licence that meets the requirements provided for in subsection 1 of § 4 of the Identity Documents Act; or
a birth certificate specified in § 30 of the Vital Statistics Registration Act in the case of a person below the age of seven years.
Finnish Financial Supervisory Authority (FIN-FSA) is the regulatory body overseeing the financial sector, including AML/CFT compliance supervision in Finland.
Act on Preventing Money Laundering and Terrorist Financing (444/2017; amendments up to 599/2023 included) ("AML Act") and
Regulations and Guidelines issued by FIN-FSA in 2/2023 Journal Number FIVA/2023/1289
("Guidelines") provide the legal framework for combating money laundering and terrorist financing.
Customer Due Diligence (CDD) - general provisions:
A. Chapter 3, Section 2(1) of the AML Act and Para 17 of the Guidelines require "obliged entities to identify their customers and verify their identities when establishing a permanent customer
relationship and even in the case of a customer relationship of an irregular nature [...]";
B. Chapter 1, Section 4(1)(6) of the AML Act and Para 18 of the Guidelines specify that "identification means establishing the customer's identity on the basis of information provided by the customer";
C. Chapter 1, Section 4(1)(7) of the AML Act and Para 19 of the Guidelines specify that "verification of identity means ascertaining the customer's identity on the basis of documents, data or information obtained from a reliable and independent source";
D. Para 22 of the Guidelines "recommends that, in assessing the reliability and independence of the sources referred to in chapter 1, section 4(7) of the AML Act, supervised entities consider paragraphs 4.26-4.28 of the EBA Risk Factors Guidelines" ("EBA Guidelines"). In turn, para 4.27 of the EBA Guidelines reads:
"[...]
a. [while deciding what makes data or information reliable], Firms should consider different degrees of reliability, which they should determine based on
(i) the extent to which the customer had to undergo certain checks to obtain the information or data provided;
(ii) the official status, if any, of the person or institution that carried out those checks;
(iii) the level of assurance associated with any digital ID system used; and
(iv) the ease with which the identity information or data provided can be forged [...]
In most cases, firms should be able to treat government-issued information or data as providing the highest level of independence and reliability".
E. Para. 34 of the Guidelines states that "The FIN-FSA recommends that supervised entities create procedures for ascertaining the authenticity of a document and information used to verify identity. [...] One method to ascertain the authenticity of the document and information used to verify the customer's identity could be comparing the information to information in the population register maintained by the Digital and Population Data Services Agency".
F. Chapter 3, Section 3(2) of the AML Act outlines the minimum data required for customer due diligence:
The following customer due diligence data shall be retained:
1) name, date of birth, personal identity code and address;
7) name, number or other identifier of document used to verify identity or a copy of the document or, in the case of non-face-to-face identification, data on the procedure or sources used in verification;
If the customer is a foreign national without a Finnish personal identity code, data on the customer's citizenship and travel document in addition to the data under subsection 2 of this section shall be retained.
As outlined in the above guidelines, identification entails establishing the customer's identity based on information provided by the customer while verification of identity involves ascertaining the customer's identity
using documents, data, or information obtained from reliable and independent sources.
In assessing the reliability of these sources, government-issued information or data typically provides the highest level of independence and reliability. Supervised entities are recommended to create procedures for authenticating
documents and information used for identity verification, such as (but without limitation) comparing them to information in the population register maintained by the Digital and Population Data Services Agency.
Additionally, Chapter 3, Section 3(2) of the AML Act specifies that the data that must be retained for customer due diligence includes only name, date of birth, personal identity code, and address (from which it can be inferred that a copy of an identity document is not necessary). However, for foreign nationals without a Finnish personal identity code, data on citizenship and travel documents must also be retained. Hence, a fully non-doc KYC solution would not be viable for non-Finnish residents.
In summary, if the customer's identity is being verified remotely and the method of verification involves using an official identification document, the name of the document used for verification, its number or any other identifying
information, and the details of the issuer should be retained or copied. However, if the verification process is remote and does not involve directly using an official identification document, the supervised entity should instead store
information about the specific procedure or sources used for authentication. This could include details about the verification method or technology employed, such as biometric authentication or data cross-referencing.
Non-Documentary Verification - specific provisions
Section 11 of the AML Act and Para 60 of the Guidelines define non-face-to-face identification as the scenario when the customer is not physically present when he or she is identified and his or her identity verified. These
provisions further outline the following enhanced customer due diligence requirements for non-face-to-face identification, leaving supervised entities a broad margin of discretion in the choice of procedure:
(1) verify the customer's identity using additional documents, data, or information obtained from a reliable source;
(2) ensure that the payment relating to the transaction is made from a credit institution's account or into the account that was opened earlier in the customer's name; or
(3) verify the customer's identity through specific electronic means, such as the use of identification devices as stipulated in the Act on Strong Electronic Identification and Electronic Signatures (617/2009), qualified certificates for electronic signatures under Regulation (EU) No 910/2014, or other secure and verifiable electronic identification technology.
Para 63 of the Guidelines states that "the supervised entity does not have to apply other enhanced due diligence procedures in addition to the enhanced procedure related to non-face-to-face identification referred to in chapter 3,
section 11 of the AML Act, if
the supervised entity applies the method referred to in chapter 3, section 11(3) to remote identification; and
the supervised entity finds that the customer is not associated with a higher than ordinary risk of money laundering and terrorist financing".
Para 67 of the Guidelines "recommends that supervised entities applying remote identification in their activities, in connection with establishing a customer relationship, verify the customer's identity by means of an identification
device referred to in the Identification Act or a qualified certificate for electronic signature as provided in Article 28 of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and
trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC or other secure and verifiable electronic identification technology".
Para 68 of the Guidelines further "recommends that, in considering the use of another electronic identification technology in the identification of a customer and the verification of identity, supervised entities assess the adequacy
of the identification technology relative to the money laundering and terrorist financing risks involved".
Based on the above legal requirements, both the AML Act and Guidelines mandate enhanced customer due diligence requirements for non-face-to-face identification, including at least one of the following options:
Verify with Additional Sources: Use additional reliable data sources to confirm the customer's identity.
Verify Account Ownership: Ensure the customer's initial transaction originates from their account or into a pre-existing account held in their name.
Electronic Verification: Utilize specific electronic means like identification devices under the Act on Strong Electronic Identification and Electronic Signatures (617/2009).
However, the above-mentioned procedures are apparently not considered fully equivalent by the regulator; in particular, only the "Electronic Verification" method referred to in section 11(3) of the AML Act is considered completely
self-sufficient for EDD purposes in all circumstances.
Given Finland's robust electronic identification solutions such as FINeID, BankID, and MobileID, all supported by the Digital and Population Data Services Agency and adhering to the Act on Strong Electronic Identification, these can be
utilized for AML purposes. These solutions are part of the Finnish Trust Network (FTN) and provide secure and reliable electronic identification options.
At the same time, while "Electronic Verification" solutions are considered a "safe harbor," regulated entities have the flexibility to explore alternative options, including for non-documentary KYC, such as alternative external
databases. However, such alternatives may be more difficult to justify from a risk-based approach perspective.
According to Para 67 of the Guidelines, it is recommended to opt for Section 11(3) of the AML Act ("Electronic Verification") rather than (1) (additional sources) or (2) (account ownership confirmation). Additionally, Para 68 advises
against using methods from Section 11(1) and (2) for identity verification unless necessary circumstances warrant it.
Furthermore, in considering "other secure and verifiable electronic identification technology", supervised entities must ensure it corresponds to their risk profile and guarantees data security and method verifiability, as outlined in
Paras 73-74 of the Guidelines.
To conclude, in setting up processes for non-documentary verification, supervised entities should prioritize the use of electronic identification technologies recognized under Finnish law, such as BankID/FTN solutions, to ensure
compliance with both the AML Act and related guidelines; however, alternative options such as the use of external databases are also permissible so long as the regulated entity can justify their reliability through a risk assessment of their clients' profile.
55 — English translated version of the AML Act.
56 — According to the FIN-FSA’s interpretation, a supervised entity may decide, relying on its risk based procedures, what documents and information it considers obtained from a reliable and independent source and may create different procedures for the documentary evidence which shall be presented by customers to verify their identity on the one hand when establishing a customer relationship and on the other hand during the customer relationship. (paras. 32 & 33 of the Guidelines).
The Monetary and Financial Code of France (the "Code") establishes, under Art. L. 561-5, the general duty of AML-regulated entities to:
(i) "identify their client", which is achieved, as per Art. R561-5, "by collecting their first and last name, as well as their date and place of birth"52 where the customer is a natural person; and
(ii) "verify the identification elements upon presentation of any written document of a probative nature", which is further detailed in Arts. R561-5-1 and R561-5-2:
as a general rule, an individual customer's identity data may be verified remotely according to one of the following methods (an electronic identification scheme notified as per the eIDAS Regulation either by France53 or by another EU
member state):
a) "electronic identification means certified or attested by the National Agency for the Security of Information Systems in accordance with the level of guarantee, either substantial or high, set by article 8 of Regulation (EU) No
910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market", or
b) "electronic identification means issued within the framework of a scheme notified to the European Commission by a Member State of the European Union under the conditions provided for in paragraph 1 of Article 9 of this regulation
and whose level of guarantee corresponds to the level either substantial or high set by article 8 of the same regulation" (Art. R561-5-1, 1°);
where this is impossible, at least two measures from the list below (which, taken cumulatively, must allow for verification of all the identity data named in Article R. 561-5) must be implemented:
"obtain a copy of a document mentioned in 3° or 4° of article R. 561-5-1 [valid official document including the customer's photograph]";
"implement measures to verify and certify the copy of an official document or an extract from the official register mentioned in 3° or 4° of Article R. 561-5-1 by a third party independent of the person to be identified"54;
"require that the first payment for transactions be made from or to an account opened in the client's name with a person mentioned in 1° to 6° bis of Article L. 561-2 [certain types of AML-regulated entities] that is established
in a Member State of the European Union or in a State party to the agreement on the European Economic Area or in a third country imposing equivalent obligations in terms of the fight against money laundering and the financing of
terrorism";
"obtain confirmation of the customer's identity directly from a third party fulfilling the conditions set out in 1° or 2° of I of Article L. 561-7" [third party itself subject to AML/CFT laws and located in an EU/EEA country or
a third country imposing obligations equivalent to those contained in the Code, including those related to exchange of personal information];
"use a service certified as compliant by the National Information Systems Security Agency, or a certification body authorized by this agency, at the level of substantial guarantee of the requirements relating to proof and
verification of identity, provided for in the appendix to the implementing regulation (EU) 2015/1502 of 8 September 2015";
"collect an advanced or qualified electronic signature or a valid advanced or qualified electronic seal based on a qualified certificate or use a qualified electronic registered delivery service bearing the identity of the
signatory or the creator of the seal and issued by a qualified trust service provider registered on a national trust list pursuant to Article 22 of Regulation (EU) No 910/2014 of July 23, 2014" (Art. R561-5-2, 1-6°).
Regarding address verification (where this measure is used by regulated entities), the Code does not specify an approach for natural persons:
"The [obliged entity] verify the identity of their client by asking him to provide him with a copy of a valid official document containing his photograph and proving his identity and date of birth, verify his address and, when their customer wishes to fund his account or receive his assets by transfer, only carry out these transactions from or to a single payment account opened in his name by the player with a payment service provider established in a Member State of the European Union, in a State party to the agreement on the European Free Trade Agreement, in a third country in which these persons are authorized to organize and operate games of chance and have concluded with France a convention containing an administrative assistance clause to combat tax fraud and evasion or in a third country imposing equivalent obligations in the fight against money laundering and the financing of terrorism and appearing on a list drawn up by decree of the Minister for the Economy."
Therefore, non-documentary means of non-face-to-face identity verification are permissible, as long as they correspond to the requirements and standards established under the eIDAS Regulation (substantial or high level of assurance) or national legislation implementing it.
52 — The Article contains no similar reference to residential address or location. The ACPR Guide for identification, identity verification and customer due diligence ("ACPR Guide") further recognizes that, while address verification could be beneficial for determining the customer's risk profile or tax residence, it is not a necessary element of CDD procedures (para. 131).
53 — Currently including the French eID scheme "FranceConnect+ / The Digital Identity La Poste" with a "substantial" level of assurance.
54 — As per para. 46 of the ACPR Guide, this would primarily include "French or foreign [...] public authorities or ministerial public officers, such as notaries, embassy or consulate employees".
The 2022 Anti-Money Laundering / Combating the Financing of Terrorism & the Proliferation of Weapons of Mass Destruction Guideline (the "Guideline") issued by the Financial Intelligence Centre and the Bank of Ghana is, in general, highly prescriptive regarding the minimum standards for customer identification and identity verification:
"AIs shall identify their customers and verify the customers' identities using the Ghana Card as the sole identifier for all financial transactions9 [...] Types of customer information to be obtained and identification data to be used to verify the information are provided in Appendix B" (Part B, Section 2.4.2(1)-(2)).
Appendix B, in turn, requires different sets of identity data and supporting evidence, depending on whether the individual in question is a citizen or resident of Ghana, as well as on their special status, if any (applicable to minors,
students, refugees and asylum seekers, foreign diplomats and their dependents). By way of illustration, a Ghanaian citizen and a foreign citizen permanently residing in Ghana would need to provide, respectively:
Ghanaian citizen:
Ghana Card KYC Data Set.
Additional minimum requirements:
Proof of Residential Address
i. GPS Address, or
ii. Tenancy Agreement, or
iii. Any other relevant document issued by an authorized government agency or institution;
Foreign citizen permanently residing in Ghana:
Non-Citizen Card KYC Data Set;
Additional minimum requirements:
Proof of Residential Address (local)
i. GPS Address, or
ii. Tenancy Agreement, or
iii. Any other relevant document.
Proof of Residential address (foreign)
i. Utility Bill, or
ii. Tenancy Agreement, or
iii. Any other relevant document issued by an authorized government agency or institution.
Furthermore, the 2022 Bank of Ghana Supervisory Guidance Note on the Use of the Ghana Card for Accountable Institutions (the "Supervisory Note") establishes a procedure for how exactly the Ghana Card or Non-Citizen Card should be processed during customer onboarding. In particular, certain data contained in the document itself must be extracted to determine if there is a match with the NIA records and, where necessary, request an update:
"a. Verify the identity of the customer using the Ghana Card or Non-Citizen Card in the case of non-Ghanaians.
b. Verify the Biometric information of both fingers and/or face of the customer
c. Update customer KYC data set using the data set from National Identity Authority (NIA).
d. In cases where the following data sets acquired from NIA differ:
Dynamic data - The AIs shall verify and update using procedures prescribed by the NIA in this Guideline. Such data set include phone numbers, addresses, occupation, next of kin and others.
Static data - The AIs shall refer the customer to NIA for the update. Such data set includes names, date of birth or place of birth" (Section 2).
"A "NO MATCH" verification is a case where:
The data (Card/Biometric) presented to the verification system does not match with anyone in the system.
Only the biometric data presented for verification is successfully captured but does not match the identity of a registered person.
The Ghana Card PIN being used with the biometrics of the customer was mistyped.
The customer presenting the Ghana Card as identification and verification for transaction is not the lawful owner of the Ghana Card" (Section 6.1).
While Section 6.1.4 could be interpreted to rule out the non-documentary approach (as the customer is supposed to "present the Ghana Card"), Section 9.1 of the Supervisory Note sets out the following procedure for remote onboarding
specifically (with Sections 10-13 also suggesting alternative biometry-based verification flows where the holder is unable to display the document):
"To perform a Yes/No or KYC face verification, the end users Ghana Card PIN and biometrics are required. The administrator inputs the card holders Ghana Card Pin Number, selects the operation being performed and takes the end users
photograph to receive the result".
Accordingly, so long as the verification procedure involves collecting the customer's facial image data, alongside the Ghana Card PIN, full name, and date or place of birth and their subsequent matching against the official NIA records,
it may arguably be considered compliant. At the same time, as demonstrated above, non-documentary confirmation of the customer's address is only possible via a GPS check and only if the place of residence is in Ghana; a non-Ghanaian
address would need to be verified based on additional documentation such as a utility bill or a tenancy agreement.
9 — The 2022 Bank of Ghana Supervisory Guidance Note on the Use of the Ghana Card for Accountable Institutions ("Supervisory Note"), however, provides a carve-out by stating that foreign citizens are expected to provide a Non-Citizen Card instead (section 2.2(a)). Similarly, an international passport may be taken as evidence of identity for diplomats as per Part C, section 3.1.3 of the Guideline and section 5 of the Supervisory Note.
The Anti-Money Laundering and Counter-Terrorist Financing Ordinance ("AMLO"), Cap. 615 is the primary legal source prescribing obligations applicable to the AML/CFT-regulated
entities operating in Hong Kong and, in particular, setting out requirements regarding customer due diligence and record-keeping.
Pursuant to Part 2 Division 1 (Para. 2) of AMLO, supervised entities must identify the customer and verify the customer's identity on the basis of documents, data or information provided by:
"(i) a governmental body;
(ii) the relevant authority or any other relevant authority;
(iii) an authority in a place outside Hong Kong that performs functions similar to those of the relevant authority or any other relevant authority;
(iiia) a recognized digital identification system30; or
(iv) any other reliable and independent source that is recognized by the relevant authority".
At the same time, the responsibility for oversight of the financial market in Hong Kong is divided between the Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC). The HKMA regulates the banking industry,
while the SFC oversees the securities and futures markets, including virtual asset service providers. Both regulators within their respective functions provide practical guidelines on AML/CFT compliance, such as the latest HKMA Guideline on Anti-Money Laundering and Counter-Financing of Terrorism For Authorized Institutions (Revised in May, 2023) (the "HKMA Guideline") or the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers) (the "SFC Guideline") by the SFC. However, the HKMA Guideline and the SFC Guideline include similar provisions regarding customer identification and verification procedures. Therefore, the analysis below could be relevant for entities supervised by either HKMA or SFC.
In particular, Para 4.3.1 of the HKMA Guideline replicates the above-mentioned requirement from AMLO regarding identity verification on the basis of reliable documents, data or information; however, it also clarifies in a footnote what
an appropriate "digital identification system" could be:
"The HKMA recognises iAM Smart, developed and operated by the Hong Kong Government, as a digital identification system that can be used for identity verification of natural persons. The HKMA may in future recognise other similar digital identification systems developed and operated by governments in other jurisdictions having regard to market developments and specific circumstances"31.
At the same time, in accordance with Paras 4.3.2-4.3.5 and 4.3.13-4.3.17 of the HKMA Guideline, the following identification and verification requirements are applicable to FIs:
for customers who are natural persons, the full name, date of birth, nationality, unique identification number and document type, as well as residential address, should be obtained for identification (although it is not mandatory to
check the accuracy of every piece of information32);
the acceptable means of verification are documents, data or information provided by a reliable and independent source, the list of which is not exhaustive: (a) Hong Kong identity card or other national identity card; (b) valid
travel document (e.g. unexpired passport); or (c) other relevant documents, data or information provided by a reliable and independent source (e.g. document issued by a government body);
the obliged entity should ensure that documents, data or information obtained for the purpose of verifying the identity of a customer are current at the time they are provided to or obtained by the entity.
Section 4.10 on non-face-to-face CDD measures further states that regulated entities should "take additional measures to mitigate the risk (e.g. impersonation risk) associated with customers not physically present for identification
purposes". However, where a customer's identity is verified via a digital identification system recognized by HKMA, no such additional measures are required.
Accordingly, the usage of non-documentary identity verification is considered compliant so long as it is based on the digital ID system "iAM Smart", operated by the Hong Kong government. Any other digital identification systems could be
involved only if specifically approved by relevant authorities or regulatory bodies in Hong Kong and/or abroad.
30 — A digital identification system that is a reliable and independent source that is recognized by the relevant authority or relevant regulatory body (the AMLO, Schedule 2, Part 1).
31 — The SFC Guideline provides a similar requirement for identity verification. However, the SFC-licensed institutions may only use digital identification systems recognised by the SFC correspondingly; currently, only the iAM Smart system meets this criterion (the SFC Guidelines, Para 4.2.1).
32 — This applies to, in particular, address validation - based on the HKMA Guideline, an authorized entity is required to collect the address, but not necessarily verify it. However, pursuant to the footnote of Section 4.3.5 of the HKMA
Guideline, an authorized entity may, under certain circumstances, require verification (on top of collection) of the customer's residential address for other purposes (e.g. group requirements, other local or overseas legal and
regulatory requirements). In such circumstances, the authorized entity should communicate clearly to the customer the reasons for requiring verification of address. This section does not seem to exclude the use of alternative means,
e.g. geolocation data, to establish the customer's address.
The Prevention of Money Laundering Act, 2002 ("PMLA") and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 issued thereunder ("PML Rules") provide the main legislative framework for combating ML / TF in India and, together with the guidance produced by the national Reserve Bank, explicitly prescribe e-KYC based on the customer's Aadhaar number11 or other identifiers as one of the possible (or, for certain entities, required) means of identity verification:
"Every reporting entity shall verify the identity of its clients and the beneficial owner by -
(a) authentication12 under the Aadhaar [...] Act, 2016 if the reporting entity is a banking company; or
(b) offline verification13 under the Aadhaar [...] Act, 2016; or
(c) use of passport issued under section 4 of the Passports Act, 1967; or
(d) use of any other officially valid document14 or modes of identification as may be notified by the Central Government in this behalf" (PMLA, Section 11(A)(1)).
Non-banking entities may also be permitted, by special notification of the Central Government, to perform Aadhaar authentication, provided that it is necessary to do so and that the entities in question comply with the standards of
privacy and security under the Aadhaar Act. At the same time, the customer is allowed to choose between options (a)-(d).
"Where the client is an individual, he shall [...] submit to the reporting entity, -
(a) the Aadhaar number where
(i) he is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 (18 of 2016); or
(ii) he decides to submit his Aadhaar number voluntarily to a banking company or any reporting entity notified under first proviso to sub-section (1) of section 11A of the Act; or
(aa) the proof of possession of Aadhaar number where offline verification can be carried out; or
(ab) the proof of possession of Aadhaar number where offline verification cannot be carried out or any officially valid document or the equivalent e-document15 thereof containing the details of his identity and address; and
(b) the Permanent Account Number or the equivalent e-document thereof or Form No. 60 as defined in Income-tax Rules, 1962 [...]" (PML Rules, Rule 9(4)).
Depending on which data the customer provides and whether offline verification is available, the reporting entity shall carry out the following procedures:
"Where the client has submitted -
(a) his Aadhaar number [...] to the banking company or a reporting entity notified under first proviso to sub-section (1) of section 11A, such banking company or reporting entity shall carry out authentication of the client's Aadhaar
number using e-KYC authentication facility provided by the Unique Identification Authority of India;
(b) proof of possession of Aadhaar under clause (aa) of sub-rule (4) where offline verification can be carried out, the reporting entity shall carry out offline verification;
(c) an equivalent e-document of any officially valid document, the reporting entity shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000) and any rules issues thereunder and take a live photo as specified under Annex 1;
(d) any officially valid document or proof of possession of Aadhaar number under clause (ab) of sub-rule (4) where offline verification cannot be carried out, the reporting entity shall carry out verification through digital KYC as specified under Annex 1" (PML Rules, Rule 9(15)).
Additionally, the Master Direction - Know Your Customer (KYC) Direction of Reserve Bank of India ("Master Direction") allows a client's identity to be verified based on the KYC identifier16 from the Central KYC Records Registry17:
"For undertaking CDD, REs shall obtain the following from an individual while establishing an account-based relationship [...]:
(ac) the KYC Identifier with an explicit consent to download records from CKYCR [...]" (Master Direction, section 16).
Therefore, the available options are:
(i) Aadhaar authentication, powered by the Unique Identification Authority of India (UIDAI), provides an instant mechanism to confirm one's identity and does not require any other ID proof except Aadhaar number. It is, however, restricted to banking institutions and certain other requesting entities as described above. Accounts opened using Aadhaar OTP-based authentication, in non-face-to-face mode, are subject to a number of limitations as to the maximum balance, permitted operations, etc.
(ii) The UIDAI also enables "paperless offline e-KYC", wherein the customer, using their Aadhaar number, creates a "Share Phrase" with their identification data encrypted and shares it with the entity performing KYC. The entity can then validate the data through its own OTP / face authentication mechanism.
(iii) Digital KYC means "the capturing of a live photo of the customer and their officially valid document / proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the
location where such live photo is being taken by an authorised officer of the reporting entity" in accordance with specific technical requirements (Master Direction, section 3(a)(viii)). This procedure, however, may only be carried out
via a specialized application developed by the reporting entity (Master Direction, Annex I).
(iv) Where a customer submits a KYC Identifier to a reporting entity, with an explicit consent to download records from CKYCR, the reporting entity shall retrieve the KYC records online from the CKYCR using the KYC Identifier and the
customer shall not be required to submit the same KYC records or information or any other additional identification documents or details, subject to certain exceptions (Master Direction, section 56).
As an alternative to the aforementioned procedures, the "V-CIP" mechanism was recently introduced, consisting of a video conference with the reporting entity's operator in combination with a "liveness" check, geolocation and IP address
check, and document analysis (Master Direction, section 18). V-CIP, however, is also dependent on external data sources, since the reporting entity is still required to validate the customer's identity data based on Aadhaar number, KYC
identifier or e-document.
In relation to address verification specifically, the options for conducting it are not limited to documentary evidence either. For certain specific exceptions, PML Rules, Rule 9(18-19) states that:
"where an officially valid document furnished by the client does not contain updated address, the following documents [or the equivalent e-documents thereof] shall be deemed to be officially valid documents for the
limited purpose of proof of address:
(a) utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);
(b) property or Municipal tax receipt;
(c) pension or family pension payment orders (PPOs) [...];
(d) letter of allotment of accommodation from employer [...]" - however, this only appears applicable where identity verification is being carried out based on the "officially valid document" in the first place and there is no
confirmation of the customer's current address otherwise:
"where a client has provided his Aadhaar number for identification under clause (a) of sub-rule (4) and wants to provide a current address, different from the address as per the identity information available in the Central
Identities Data Repository, he may give a self-declaration to that effect to the reporting entity".
Based on the analysis above, Aadhaar-based authentication, Aadhaar-based offline verification, and KYC identifier verification can all be considered as possible solutions for non-documentary identity verification.
11 — Aadhaar number - an identification number issued to an individual pursuant to the Aadhaar Act.
12 — Authentication - the process by which the Aadhaar number along with OTP, demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and
such Repository verifies the correctness, or the lack thereof, on the basis of information available with it. "Central Identities Data Repository" means a centralised database in one or more locations containing all Aadhaar numbers
issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto.
13 — Offline verification - the process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations.
14 — Officially valid document - the passport, the driving licence, proof of possession of Aadhaar number, the Voter's Identity Card issued by the Election Commission of India, job card issued by NREGA duly signed by an
officer of the State Government, the letter issued by the Unique Identification Authority of India or the National Population Register containing details of name, address and Aadhaar number or any other document as notified by the
Central Government in consultation with the Regulator. The list is not exhaustive.
15 — Equivalent e-document - equivalent of a document issued by the issuing authority of such document with its valid digital signature including documents issued to the digital locker account of the client as per rule 9 of
the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016.
16 — Know Your Client (KYC) Identifier - the unique number or code assigned to a client by the Central KYC Records Registry.
17 — Central KYC Records Registry - a reporting entity, substantially owned and controlled by the Central Government, and authorised by that Government through a notification in the Official Gazette to receive, store,
safeguard and retrieve the KYC records in digital form.
The most recent comprehensive legal act outlining the responsibilities of AML-subject entities in Indonesia is the
Regulation (POJK) No. 8 of 2023 ("OJK Regulation") on the
Implementation of Anti-Money Laundering (AML), Counter-Terrorist Financing (CFT), and Counter-Proliferation Financing of Weapons of Mass Destruction (CPF) Program in the Financial Services Sector by the Indonesian Financial Services
Authority (Otoritas Jasa Keuangan, OJK), which regulates the country's financial industry on par with Bank Indonesia.
Pursuant to Art. 21(2) of the OJK Regulation, identity verification of prospective customers may be conducted via: "a. direct face-to-face meetings; b. electronic face-to-face meetings; and/or c. non-face-to-face electronic mechanisms".
The solutions that may be employed by the supervised entity under subclause (c) are not limited, yet three main options are highlighted: the entity may rely on (i) its own software and hardware; (ii) software and hardware belonging to
third parties (such as KYC providers) and accessed by the entity; or (iii) utilization of population databases, for which at least two authenticity factors must be used (something characteristic of the customer and something the
customer possesses).
Regarding the scope of data to be collected in respect of an individual customer, Art. 25(1) of the OJK Regulation lists the following points:
full name (including aliases, if any);
identity document number;
residential address according to the ID and other residential addresses, if any;29
place and date of birth;
citizenship;
occupation;
address and telephone number of workplace, if any;
gender;
marital status;
mother's maiden name;
identity of the beneficial owner, if any;
source of funds;
average annual income and/or net worth;
aims and objectives of the business relationship or transaction.
Further, according to Art. 26(1) of the OJK Regulation, the aforementioned information has to be supported by an identity document. However, the Article further specifies that it can include: (i) for Indonesian citizens - a resident
card or "digital population identity as intended in the laws and regulations regarding population data"; (ii) for foreign citizens - a passport accompanied by immigration documents; (iii) for "individuals from the Indonesian diaspora or
Indonesian people abroad" - passports and identity cards issued to such individuals under the applicable laws and regulations.
Therefore, in reference to non-documentary verification, it is safe to assume that Indonesia allows identity verification via national identity databases when it comes to local citizens (see, e.g., the
e-KTP system). At the same time, it is important for businesses to obtain all of the necessary identification data to stay fully compliant with national regulations.
29 — For the scenario where the residential address differs from the one indicated in the ID, the OJK Regulation does not prescribe any particular verification procedures.
In Italy, the core legal act stipulating the AML/CFT obligations for regulated companies is the
Legislative Decree 21 November 2007, n. 231 ("Legislative Decree"), which
largely endorses the documentary approach to KYC, yet at the same time specifies that official sources and public identity systems may be used to verify the authenticity of the obtained documentation: "The obliged entities fulfill their
customer due diligence obligations according to the following methods:
a) the identification of the customer and the beneficial owner is carried out in the presence of the same customer [...] and consists in the acquisition of the identification data provided by the customer, upon presentation of a
valid identity document or other equivalent identification document in accordance with current legislation, of which a copy is acquired in paper or electronic format [...];
b) the verification of the identity of the customer [...] requires verification of the veracity of the identification data contained in the documents and of the information acquired at the time of identification, only where, in
relation to them, there are doubts, uncertainties or inconsistencies. The verification can be carried out by consulting the public system for the prevention of identity theft referred to in the legislative decree of 11 April 2011, n.
64. Identity verification can also be carried out through the use of other reliable and independent sources including databases, with public access or conditional on the release of authentication credentials, referable to a public
administration as well as those referable to private entities authorized to issue digital identities within the system provided for by article 64 of legislative decree no. 82 of 2005 or an electronic identification regime included
in the list published by the European Commission pursuant to article 9 of EU regulation no. 910/2014" (Art. 19(1)).
In turn, the Bank of Italy Provisions on Customer Due Diligence implementing the Legislative Decree (Disposizioni in materia di adeguata verifica della clientela per il contrasto del riciclaggio e del finanziamento del terrorismo,
as amended on June 13, 2023, "CDD Provisions"), while detailing the applicability of these requirements to the remote onboarding context, also insist on collecting a copy of the customer's ID (with additional checks performed at the
reporting entity's discretion):
"In cases of remote operation, the recipients:
a) acquire the identification data42 of the customer and the executor and verify it on a copy - obtained by fax, post, in electronic format or with similar methods - of a valid identity document, in accordance with
current legislation;
b) carry out checks in addition to those provided for in Section V on the data acquired, according to the most appropriate methods in relation to the specific risk. By way of example, the following methods are indicated: telephone
contact on a fixed line (welcome call); sending communications to a physical address with return receipt; transfer made by the customer through a banking and financial intermediary based in Italy or in an EU country; request to send
countersigned documentation; verification of residence, domicile, activity carried out, through requests for information to the competent offices or through on-site meetings, carried out using its own personnel or third parties.
In compliance with the risk-based approach, recipients can use feedback mechanisms based on innovative and reliable technological solutions (e.g. those that provide forms of biometric recognition), as long as they are assisted by robust
security measures [...]" (Part 2, Section VIII).43
However, the Provisions on Customer Due Diligence also envisage specific circumstances where neither physical presence nor presentation of an identity document is mandatory, including where the customer's identity is verified on the
basis of an eIDAS-certified solution:
"[...] the identification obligation is considered fulfilled, even without their physical presence, for customers: [...]
2) in possession of a digital identity, of maximum security level, within the System referred to in Article 64 of Legislative Decree 7 March 2005, n. 82, and the related implementing legislation, or a digital identity with a maximum
security level44 or a certificate for the generation of a digital signature,
issued as part of an electronic identification regime included in the list published by the European Commission pursuant to Article 9 of Regulation (EU) No. 910/2014" (Part 2, Section III).
The two electronic identification schemes notified by Italy with a "high" level of
assurance are Italian eID based on National ID card (CIE) and SPID (Public System of Digital Identity), although the latter one may also have "low" and "substantial" levels depending on the provider.
It therefore follows that Italian eID and SPID (at a “high” assurance level) can be relied on as standalone solutions for non-documentary KYC. Aside from that, remote identity verification would almost invariably require obtaining the customer’s identity document. Nonetheless, obliged entities may implement other non-documentary methods for data verification as additional security checks (e.g., biometric technologies, external data sources, etc.) as they deem necessary, including for verification of residential address.
42 — Art. 1(2)(n) of the Legislative Decree defines "identification data" as "name and surname, place and date of birth, registered residence and domicile, where different from registered residence, and, where assigned, the tax code or, in
the case of subjects other than a natural person, the name, registered office and, where assigned, the tax code". While the Decree or the CDD provisions do not explicitly mention "proof of address", the following can be inferred based
on the rest of the analysis: (i) if the primary identification document contains the customer's current address, it likely fulfills both identification and proof of address requirements; (ii) if the primary ID lacks the current address,
the law prescribes to collect it separately but does not explicitly specify how it should be verified; (iii) therefore, supplementary procedures adopted by obliged entities in this case could involve, e.g., requesting additional
documents or consulting external data sources. The specific requirements for proof of address documents might vary depending on the customer's risk profile; higher-risk customers might require more robust verification.
43 — Previously, video identification, as described in Annex 3 to the Bank of Italy Provisions on Customer Due Diligence, used to be accepted as an alternative to the mechanism outlined in Section VIII; however, it was
repealed in June 2023.
44 — Notably, Art. 19 of the Legislative Decree, providing for a similar exemption, only requires a "significant" (substantial) level of assurance and includes "secure and regulated electronic identification procedures authorized or
recognized by the Agency for Digital Italy" as an additional option.
According to Article 4 of the Act on the Prevention of the Transfer of Proceeds from Crime (the “AML Act”) and Article 7 of the Enforcement Order of the Act on the Prevention of the Transfer of Proceeds from Crime (the “AML Enforcement Order”), the banks, insurance companies, securities finance companies, electronic settlement and electronic payment companies, cryptocurrency exchange companies, and other obliged entities shall verify the identity of a customer when certain types of transactions are performed, e.g.:
When concluding a contract to accept deposits or savings;
When concluding an insurance contract;
When concluding a contract for securities provision;
When concluding a contract to lend money (e.g., a credit card contract);
When concluding a contract for opening a prepaid payment instrument account.
Pursuant to Article 4 of the AML Act, the following scope of data shall be verified in respect of an individual client:
Name
Address
Date of birth
Purpose of the transaction
Occupation.
In addition, Article 12(3) of the AML Enforcement Order implies that the obliged entity shall determine whether it deals with a politically exposed person (relevant transactions shall be deemed as requiring special caution).
The Enforcement Rules of the Act on the Prevention of the Transfer of Proceeds from Crime (the “AML Rules”) establish the methods of verifying customer identification information. As per Article 6 of the AML Rules, most of the methods include presentation by the customer of his/her photo identification documents in some way (e.g., as an image of a document, as transmission of the chip information embedded in the identity verification document). The only non-documentary method is the use of an electronic signature certificate issued by an authorized Japanese state body.
As to the confirmation of the occupation, it is done by receiving a declaration from the client as per Article 10 of the AML Rules.
To conclude, it may be possible to onboard individual customers using a non-documentary identity verification procedure if the client possesses an electronic signature issued and valid in accordance with the applicable Japanese law. Otherwise, a document-based method must be used.
Banks, insurance companies, professional participants in the securities market, VASPs and other obliged institutions shall identify the clients and verify their identity as per Article 5 of the Law of the Republic of Kazakhstan “On combating the legalization (laundering) of proceeds from crime and the financing of terrorism” (the “AML Law”).
Pursuant to Article 6 of the AML Law, customer due diligence (the “CDD”) measures shall be completed prior to establishing business relations. However, with respect to certain transactions, CDD measures may be skipped as per Article 5(3-1) of the AML Law:
“3-1. The measures provided for in this article shall not be taken in the following cases:
1) when carrying out the following one-time transactions:
when unidentified owners of electronic money - individuals carry out transactions to acquire and use electronic money that do not exceed the amount specified in paragraph 4 of Article 44 Law of the Republic of Kazakhstan “On Payments and Payment Systems” [approx. USD 380];
<...>
when a client makes a non-cash payment or transfers money without using a bank account, if the amount of such payment or transfer does not exceed 500,000 tenge [approx. USD 970] or an amount in foreign currency equivalent to 500,000 tenge [approx. USD 970], except in cases where the client makes a suspicious transaction;
when a client who is an individual carries out a transaction using a payment card that is not a means of access to the bank account of such client, if the amount of such transaction does not exceed 200,000 tenge [approx. USD 390] or an amount in foreign currency equivalent to 200,000 tenge [approx. USD 390];”.
As a general rule, CDD measures shall include “verification of the accuracy of information required to identify the client” (Article 5(3)(6) of the AML Law). However, according to Article 5(3-2) of the AML Law, in certain cases prescribed by law the verification step may be skipped by banks, insurers, professional participants of the securities markets, but not VASPs:
“3-2. The subjects of financial monitoring specified in subparagraphs 1) - 5), 11) and 12) of paragraph 1 of Article 3 of this Law, within the framework of remotely established business relations with the client, have the right to carry out transactions, with the exception of cross-border payments, without taking measures to verify the accuracy of the information necessary to identify the client (his representative), the beneficial owner, provided for in subparagraph 6) of part one of paragraph 3 of this article, in the following cases:
1) the implementation by the client of transactions for the payment of taxes, penalties, fines and other mandatory payments to the budget, as well as insurance premiums under compulsory insurance contracts;
2) the transfer of funds to the client’s bank account.”
The scope of data by which an individual customer must be identified is established by the industry AML regulations. For example, for banks and professional participants of the securities markets the following list of data is specified as per para. 26 of the Requirements for the Internal Control Rules for the purpose of combating the legalization (laundering) of proceeds from crime, the financing of terrorism and the financing of the proliferation of weapons of mass destruction for second-tier banks, branches of non-resident banks of the Republic of Kazakhstan and the National Postal Operator (the “AML Rules for Banks”) and para. 27 of the Requirements for the Internal Control Rules for the purpose of combating the legalization (laundering) of proceeds from crime, the financing of terrorism and the financing of the proliferation of weapons of mass destruction for professional participants in the securities market and the central depository (the “AML Rules for Securities Market”), respectively:
“When identifying an individual <...>, organizations establish and record the following data:
last name, first name, patronymic (if any);
citizenship;
date and place of birth;
legal address;
details of the identity document and (or) other document on the basis of which identification is carried out;
type of activity (for individual entrepreneurs);
individual identification number (except for cases when an individual has not been assigned an individual identification number in accordance with the legislation of the Republic of Kazakhstan).”
While the Requirements for internal control rules for the purpose of combating the legalization (laundering) of proceeds from crime and the financing of terrorism for persons engaged in the issuance and circulation of secured digital assets (the “AML Rules for VASPs”) do not provide a specific list of data that shall be collected within the course of a CDD, we assume that the same scope of information as established for the banks and professional participants of the securities market will be applicable to them.
In addition to the above scope of information, it is necessary to determine whether the client
is a politically exposed person (as per Article 8 of the AML Law, para. 26 of the AML Rules for Banks, para. 27 of the AML Rules for Securities Market, para. 27 of the AML Rules for VASPs);
is included in the lists of organizations and individuals associated with the financing of terrorism and extremism, financing the proliferation of weapons of mass destruction (as per Articles 12 and 12-1 of the AML Law, para. 22(5) of the AML Rules for Banks, para. 27 of the AML Rules for Securities Market, para. 27 of the AML Rules for VASPs).
Further, with respect to the non-residents of the Republic of Kazakhstan,
the banks shall confirm the basis for their presence in the Republic of Kazakhstan (e.g., employment contract, training contract, residence permit) as per para. 22 of the AML Rules for Banks. However, pursuant to para. 26 of the AML Rules for Banks, “information on migration cards is not required to be obtained with respect to citizens of states that are members of the Eurasian Economic Union.”;
the VASPs shall require, inter alia, the “document certifying registration with the authorized bodies of the Republic of Kazakhstan for the right of entry, exit and stay of a non-resident individual in the territory of the Republic of Kazakhstan, unless otherwise provided by international treaties ratified by the Republic of Kazakhstan” as per para. 23 of the AML Rules for VASPs.
The banks shall also check whether the client is a foreign organizer of the gambling business, whose activities are considered to be illegal in the territory of the Republic of Kazakhstan on the basis of a court decision (para. 22(14) of the AML Rules for Banks).
Pursuant to Article 5(4) of the AML Law, a specific approach to the CDD process shall be established by obliged entities in their internal rules. However, with respect to remote onboarding, the Requirements for due diligence of clients in the case of remote establishment of business relations by financial entities monitoring Resolution of the Board of the National Bank of the Republic of Kazakhstan (the “Remote CDD Rules”) shall be applied. The Remote CDD Rules establish a specific set of rules for remote onboarding of customers by the following types of obliged entities: banks, insurance companies, professional participants in the securities market, and some other entities as per para. 1 of the Remote CDD Rules. However, the Remote CDD Rules do not apply to VASPs.
As to VASPs, para. 23 of the AML Rules for VASPs explicitly provides for a documentary approach:
“When conducting due diligence on a client (his representative) and a beneficial owner, entities shall document information about the client (his representative) and the beneficial owner based on originals or notarized copies of documents with an apostille or in the legalized manner established by international treaties ratified by the Republic of Kazakhstan, submitted at the client’s (his representative’s) discretion.”
The obliged entities that are allowed to apply the Remote CDD Rules may decide to use remote onboarding of a client on a risk-based approach (para. 2 of the Remote CDD Rules). At the same time, remote onboarding is explicitly prohibited by Article 5(9) of the AML Law if:
“1) the client (its representative) and the beneficial owner are a person included in the list of persons involved in terrorist activities, as well as the list of organizations and persons associated with the financing of the proliferation of weapons of mass destruction, and (or) the list of organizations and persons associated with the financing of terrorism and extremism;
2) the client (its representative) and the beneficial owner are an established person or organization against whom international sanctions are applied in accordance with the resolutions of the Security Council of the United Nations;
3) the client is a person who has been assigned a risk level requiring the application of enhanced due diligence measures in accordance with paragraph 7 of this article and the internal control rules, with the exception of the conclusion of insurance organizations of insurance contracts in electronic form, the insurance premium and (or) insurance payment for which are made through bank accounts.”
In addition, according to para. 22 of the AML Rules for Banks:
“Remote establishment of business relations with clients who are residents of countries with a high risk of ML/FT based on the factor of illegal production, trafficking and (or) transit of drugs, with the exception of the countries of the Eurasian Economic Union, extension of such business relations, as well as issuance and reissue (without the personal presence of the client) of more than one payment card to the specified persons is not allowed.”
As per para. 3 of the Remote CDD Rules, remote onboarding is only possible for clients who meet all of the following requirements:
“1) an individual or legal entity is assigned with the identification number (except for cases when an individual or legal entity has not been assigned an identification number in accordance with the legislation of the Republic of Kazakhstan) or the number under which an individual who is a non-resident of the Republic of Kazakhstan or a legal entity who is a non-resident of the Republic of Kazakhstan is registered in a foreign state;
2) the client (his representative) and the beneficial owner are not a person included in the list of organizations and persons associated with the financing of terrorism and extremism;
3) the client (his representative) and the beneficial owner are not an established person or organization against whom international sanctions (embargo) are applied in accordance with Security Council resolutions United Nations;
4) the client is not a person who has been assigned a risk level that requires the application of enhanced due diligence measures in accordance with paragraph 7 of Article 5 of the AML/CFT Law and the internal control rules.”
In addition, according to para. 4 of the Remote CDD Rules, the following conditions shall be met simultaneously in order to carry out remote onboarding:
“1) the information provided for in subparagraphs 1) [data with respect to an individual: details of the identity document, individual identification number, legal address], 2), 2-1) and 4) of paragraph 3 Article 5 of the AML/CFT Law is recorded in accordance with paragraph 8 of the Requirements [Remote CDD Rules];
2) the individual client has given consent to the collection, processing, storage and provision, including, if necessary, to third parties, of his/her personal data, confirmed by means of an identification tool;
3) there is an automated information system that enables the collection, processing, storage, provision and protection of personal data of an individual client (his representative) and beneficial owners;
4) the subject of financial monitoring has no suspicions that the purpose of business relations is the performance of transactions for the purposes of illegal financial transactions.”
The process for remote CDD measures shall be as follows as per para. 6 of the Remote CDD Rules:
“1) the client inputs into the remote access system of the financial monitoring entity his/her personal or business identification number;
2) the client identification and verification of identity is performed;
3) the information about the client is recorded, as provided for in subparagraphs 1), 2), 2-1) and 4) paragraph 3 of Article 5 of the AML/CFT Law.”
Pursuant to para. 7 of the Remote CDD Rules,
“7. The following methods are used for client identification and verification:
1) electronic digital signature of an individual or legal entity;
2) biometric identification means;
3) payment card details during identification and authentication of an individual (number, expiration date of the payment card, name of the payment card system) issued by a second-tier bank [all banks operating in the country, except for the National Bank of the Republic of Kazakhstan, represent the second level of the banking system and are second-tier banks] or the National Postal Operator with which the financial monitoring entity has concluded an agreement on information exchange, if the individual was previously identified by the financial monitoring entity in person;
4) confirmation of the identity of an individual by verification with government databases;
5) a unique identifier, which is a combination of letters and numbers or symbols or other identifier established by the financial monitoring entity to identify the client and agreed upon with him/her.”
The obliged entities may use one or a combination of several methods listed above. However, the method referred to in subparagraph 5) cannot be used as a standalone method and shall always be used in combination with one or more methods of identification and authentication of the client, provided for in subparagraphs 1), 2), 3) and 4) above.
In case of remote onboarding, the verification of the accuracy of information about the client is carried out in accordance with Article 5(3)(6) of the AML Law and the internal control rules as per para. 9 of the Remote CDD Rules.
Therefore, the AML/CFT regulations of Kazakhstan allow banks, insurance companies, professional participants in the securities market, and some other entities as per para. 1 of the Remote CDD Rules to apply non-documentary identity verification in certain cases and subject to the above-mentioned limitations, while VASPs shall always use documentary identity verification.
In Lithuania, the relevant legal acts establishing the procedure for remote KYC are a) the Law on the Prevention of Money Laundering and Terrorist Financing No. VIII 275 ("AML Law") and b) the Order on technical requirements for the customer identification process for remote identification by electronic means of direct image transmission No. V-314 ("Order").
As follows from the AML Law, the legislator sets out an exhaustive list of possible ways for obliged entities to carry out remote identity verification. Arguably, the most practical option is described in Art. 11(1)(4)(b):
"1. The identity of the customer that is a natural person <...> may be established without the physical presence of the customer only in the following cases:
<…>
4) when using electronic means allowing direct video streaming in one of the following ways:
<...>;
b) the facial image of the customer and the original of the identification document2 or an equivalent residence permit in the Republic of Lithuania shown by the customer is recorded at the time of direct video streaming".
In turn, the Order sets out two alternative ways of conducting "video streaming" as per Art. 11(1)(4)(b) of the AML Law: i) via "live video transmission" (which implies a real-time video conference with the user) or ii) via "direct
transmission of photographs" (which can be assimilated to the "liveness" technology). In both cases, the user must display the identity document in a specific manner, and the obliged entity must assess it and compare it with the user's
facial image in order to confirm their identity.
The "physical" ID demonstration can be, however, rendered unnecessary where the obliged entity relies on an eIDAS-compliant eID- or QES-based procedure, as per Arts. 11(1)(2) and 11(1)(3) of the AML Law:
"using electronic identification means issued in the European Union which operate under the electronic identification schemes with the assurance levels high or substantial, as specified by [eIDAS Regulation]";
"information about a person's identity is confirmed with a qualified electronic signature supported by a qualified certificate for electronic signature which conforms to the requirements of [eIDAS Regulation]".
However, three necessary preconditions for using either of these two options must be present:
before the identification of the customer by the obliged entity, the customer must have been previously identified (i) by a third party (i)(a) with the physical presence of the customer or
(i)(b) using electronic means allowing direct video streaming or (i)(c) in the way specified in point 5 of paragraph 1 of Art. 11 [bank transfer / "penny drop"], or (ii) with the
physical presence of the customer at the time of issuance of an electronic identification means which operates under the electronic identification scheme with the assurance levels high or substantial, or (iii) with
the physical presence of the customer before the issuance of a qualified certificate for electronic signature for them (Art. 11(2)(1));
the customer must have been previously identified by the obliged entity on the basis of the documents specified in Article 10 of the AML Law ["an identity document of the Republic of Lithuania or a foreign state or a residence
permit in the Republic of Lithuania or a driving licence issued in a state of the European Economic Area in accordance with the requirements laid down in Annex I to Directive 2006/126/EC of the European Parliament and of the Council
of 20 December 2006 on driving licences (recast)"] (Art. 11(2)(2));
obliged entities must obtain the data [on the customer's name, surname, personal number (for foreigners - date of birth and Lithuanian RP data), citizenship] (Art. 11(3)(2)).
Regarding the customer's residential address, neither the AML Law nor the Order prescribe any particular means of its verification. It can be inferred that, while obliged entities may still be expected to collect data related to the
customer's location (e.g., to determine whether enhanced due diligence should be applied to the customer or to fulfill the requirement to obtain the customer's IP data as set out in para. 26 of the Order), the format in which this
information should be gathered and confirmed is determined by the obliged entity itself.
Accordingly, so long as the user journey does not contain eID validation (with a substantial or high level of assurance) or QES Verification as described above, the current AML regulations of Lithuania do not allow obliged entities to
rely solely on Non-Doc KYC solutions for remote client onboarding, even though they could be used for separate elements of the KYC procedure (such as, e.g., address verification).
2 — As per Art. 10(1) of the AML Law, an "identification document" is defined as "an identity document of the Republic of Lithuania or a foreign state or a residence permit in the Republic of Lithuania or a driving licence issued in a state
of the European Economic Area in accordance with the requirements laid down in Annex I to Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences, which contains the following data:
name/names;
surname/surnames;
personal number (in the case of a foreigner - date of birth (where available - personal number or any other unique sequence of symbols granted to that person, intended for personal identification), the number and period of validity
of the residence permit in the Republic of Lithuania and the place and date of its issuance (applicable to foreigners);
photograph;
signature (except for the cases where it is optional in the identification document);
citizenship (except for the cases where it is optional in the identification document) and in the case of a stateless person - the state which issued his identification document".
The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) is the primary statute governing the AML/CFT regime in Malaysia, whereas Bank Negara Malaysia (BNM), the country's central bank and financial regulator, issues policy documents setting out reporting entities' obligations concerning the AMLA-imposed requirements.
The AMLA, while establishing the general customer identification duty, provides a broad range of evidence acceptable for verifying identity-related data:
"A reporting institution, in undertaking customer due diligence measures, shall-
(a) ascertain the identity, representative capacity, domicile, legal capacity, occupation or business purpose of any person, whether he is an occasional or usual customer;
(b) verify, by reliable means or from an independent source, or from any document, data or information, the identity, representative capacity, domicile, legal capacity, occupation or business purpose of any person,
through the use of documents which include identity card, passport, birth certificate, driver's licence, constituent document or any other official or private document as well as other identifying information relating
to that person, whether he is an occasional or usual customer". (AMLA, Section 16(3))
Simultaneously, the BNM Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions (AML/CFT and TFS for FIs) and Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions (DNFBPs) & Non-Bank Financial Institutions (NBFIs) (AML/CFT and TFS for DNFBPs and NBFIs) policies do not list identity documents or copies thereof among the information mandatory for collection during standard CDD in relation to natural persons:
"(a) full name;
(b) National Registration Identity Card (NRIC) number or passport number or reference number of any other official documents of the customer or beneficial owner;
(c) residential and mailing address;
(d) date of birth;
(e) nationality;
(f) occupation type;
(g) name of employer or nature of self-employment or nature of business;
(h) contact number (home, office or mobile); and
(i) purpose of transaction". (See, e.g., Section 14.10.1 of AML/CFT and TFS for DNFBPs and NBFIs, Section 14A.9.1 of AML/CFT and TFS for FIs).33
BNM further provides for non-documentary means of identity verification and, specifically, those involving the use of specific external data sources:
"Reporting institutions must verify and be satisfied with the identity of the customer or beneficial owner through reliable and independent documentation, electronic data or any other measures that reporting
institutions deem necessary". (See, e.g., Section 14A.5 of AML/CFT and TFS for FIs, Section 14.5 of AML/CFT and TFS for DNFBPs and NBFIs)
"[In the non-face-to-face context], reporting institutions may identify and verify a customer's identity by:
(a) conducting video calls with the customer before setting up the customer's money changing account or allowing the customer to perform transactions;
(b) communicating with the customer at a verified residential or office address where such communication shall be acknowledged by the customer;
(c) verifying the customer's information against a database maintained by relevant authorities including the National Registration Department or Immigration Department of Malaysia; telecommunication companies, sanctions lists issued by credible domestic or international sources in addition to the mandatory sanctions lists or social media platforms with a broad outreach; or
(d) requesting to sight additional documents such as recent utility bills, bank statements, student identification or confirmation of employment".34 (See, e.g., Section 14C.16.12 of AML/CFT and TFS for FIs)
The minimum expected baseline for regulated entities applying non-face-to-face verification methods is for them to "ensure and be able to demonstrate on a continuing basis that appropriate measures for identification and verification of
the customer's identity through e-KYC are secure and effective" (see, e.g., Section 14A.15.7 of AML/CFT and TFS for FIs). Other than that, BNM offers no indication that it is obligatory to obtain a copy of the customer's ID in the
context of remote CDD. On the contrary, in the Guidance on Verification of Individual Customers for Customer Due Diligence, it emphasizes that "there is no restriction on the form of evidence to be taken by reporting institutions in verifying the identity" (para. 5.1) and that electronic data can be elected instead of documentary evidence, provided it is
obtained from a reliable and independent source.
In addition, the Guidelines on Prevention of Money Laundering, Countering Financing of Terrorism, Countering Proliferation Financing and Targeted Financial Sanctions for Reporting Institutions in the Capital Market, revised version of 2024, strongly emphasize a risk-based approach to Customer Due Diligence/AML compliance. This means that the level of scrutiny applied to customers and transactions should vary, depending on their assessed risk level.
The Guidelines provide detailed guidance on how to conduct risk assessments (both business-based and relationship-based/RBA) and implement appropriate mitigation measures. Appendix A of the Guidelines provides specific details on the RBA methodology.
More specifically, Section 8.1.23 of the Guidelines focuses on establishing "non-face-to-face business relationships." Section 8.1.23 details the heightened requirements and measures needed when onboarding a customer without a face-to-face interaction. These measures include:
Obtaining additional identification documents or information (e.g., utility bills)
Substantiating customer information with independent sources
Contacting the customer through digital communication channels for visual identification
Requesting a nominal payment from the customer's own account
The Guidelines pave the way for the utilisation of new technologies, such as biometric identification.
The aforementioned section also highlights that if a reporting institution cannot adequately identify and verify a customer using these methods, a face-to-face meeting is required. Exceptions are noted for foreign PEPs, customers from high-risk jurisdictions, and those subject to targeted financial sanctions.
In addition, Sections 8.1.24-8.1.28 of the Guidelines allow the verification process to be completed after the establishment of the business relationship under specific circumstances, which could be relevant in a remote onboarding scenario where obtaining the necessary documents might take longer. However, this is a delayed verification, not a process for conducting the initial onboarding remotely. Strict risk management and mitigation controls must still be in place.
While the Guidelines do not have a dedicated section on non-document customer due diligence, Section 8.1.23 provides detailed guidance on the enhanced due diligence measures required for non-face-to-face customer onboarding. It emphasizes that similar stringent Customer Due Diligence (CDD)/AML procedures must be followed, and in most cases this requires more stringent measures than in-person onboarding. The Guidelines implicitly support electronic CDD through the allowance of certain technologies, but a face-to-face meeting may ultimately be required unless stringent controls are in place.
Also, in accordance with Circular No 069/2024 of Malaysia’s Bar Council, legal firms subject to its Circulars and guidelines should go through the provided checklist in order to ensure that they obtain all the necessary information when conducting CDD. Any checklist that is used to do CDD should be kept with every new client’s file and shown to officers from Bank Negara Malaysia (“BNM”) during their on-site examination.
Furthermore, the recent Newsletter BNM 2/2023 includes updates that repeatedly stress the need for reporting institutions to conduct sanction screening as part of their CDD and ongoing due diligence. This applies whether onboarding is done remotely or in person and implies that electronic methods of verifying customer identity might be required to effectively comply with this sanction-screening requirement.
To conclude, financial institutions, DNFBPs and NBFIs supervised by the BNM may rely on non-documentary verification methods (specifically, external electronic databases) for identity data (including address), so long as they are
sufficiently robust to be as effective as face-to-face CDD. However, additional mechanisms (e.g., a questionnaire) may need to be implemented in order to collect the necessary customer information that might not be contained in the
consulted data source.
33 — It should be noted that, in certain scenarios (e.g., simplified due diligence or, for specific types of business, transactions below a designated threshold), not all of the listed data may be necessary.
34 — Given that (d) is presented as an equal alternative to the other options, it can be assumed that non-face-to-face verification of address, similarly to verification of identity in general, may be carried out via non-documentary evidence, e.g., by reference to external databases.
Section 15 of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the “AML/CFT Act”) establishes the following scope of data by which an individual customer must be identified (please note that in case of an enhanced customer due diligence (the “EDD”), additional data might be required):
Full name
Date of birth
Address.
Regarding name and date of birth verification, the Amended Identity Verification Code of Practice 2013 (the “Code”) provides for both documentary and electronic verification methods applicable to customers assessed as low to medium risk. Even though the Code is not mandatory, the reporting entities who comply with it will be deemed as meeting their obligations to verify name and date of birth under the AML/CFT Act for low to medium risk customers (that are natural persons).
The Explanatory Note: Electronic Identity Verification Guideline (the “Explanatory Note”) further clarifies in its paragraph 6 that electronic identity verification has two key components, both of which must be satisfied:
Confirmation of identity information via an electronic source(s); and
Matching the person you are dealing with remotely to the identity that they are claiming (i.e. are they the same person).
As to the name and date of birth verification via electronic sources, paragraph 15 of the Code stipulates the use of either:
A single independent electronic source that can verify an individual’s identity to a high level of confidence, or
At least two independent and reliable matching electronic sources, where one source must confirm both the name and date of birth, while another source must at least confirm the name.
According to the note to paragraph 10 of the Explanatory Note, there is only one electronic source that could be used as a single independent electronic source, namely RealMe®, which is managed by the New Zealand Department of Internal Affairs (this source contains biometric information and, therefore, verifies the person’s identity to a high level of confidence).
In paragraphs 15 and 16 of the Explanatory Note, the Financial Markets Authority (FMA) suggests the following electronic sources for use as two independent and reliable electronic sources:
Primary sources to verify name and date of birth of an individual:
NZ Driver Licence (NZTA)
Confirmation Service (DIA)
Secondary sources to verify an individual’s name:
Credit Bureaus
Companies Office
Land Registry (LINZ)
Vehicle registration (NZTA).
In case the two-sources method is used, a reporting entity must still have regard to whether the electronic sources include a mechanism to determine if the customer can be linked to the claimed identity (whether biometrically or otherwise). None of the electronic sources listed in paragraphs 15 and 16 above incorporate such a mechanism.
Therefore, additional methods shall be used in order to ensure that the person that the reporting entity is dealing with is the genuine holder of the identity they are claiming. Paragraph 19 of the Explanatory Note provides for some examples of such additional methods that include, in particular:
Require the first credit into the customer’s account to be received from an account held at a New Zealand registered bank in the customer’s name that cannot be altered or changed.
Check the authenticity of identification document electronically provided by the customer. This process must ensure the document has not been forged, altered or tampered with in any way, including the photo on the document.
Phone the customer on a number that has been verified by a reliable and independent source before the customer’s account is fully operational.
At the same time, the Guideline: Virtual Asset Service Providers Complying with the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 stipulates that, due to inherent risks of the sector where many customers will not be assessed as low to medium risk, the VASPs will almost always need to use the EDD, though the measures stipulated by the Code could be applied as a baseline.
It is for the VASP to determine what specific measures are required according to the level of risk involved. However, paragraphs 70 and 71 of the Enhanced Customer Due Diligence Guideline offer the following possible approaches:
In case the name and date of birth are verified according to the Code and there are no doubts that they are true and correct, the VASP may not need to undertake any further verification steps over and above those set out in the Code. In this case, EDD may be focused, for example, on the examination of the source of wealth and/or source of funds.
Otherwise, the VASP shall consider additional, increased or more sophisticated measures to verify the name and date of birth. This could include obtaining certified copies of documents or taking additional identity authentication steps.
Regarding verification of address, section 13 of the AML/CFT Act provides that the verification of identity (the scope of which includes the address) must be done either on the basis of documents, data, or information issued by a reliable and independent source, or on any other basis applying to a specified situation, customer, product, service, business relationship, or transaction prescribed by regulations. Neither the Code nor other explanatory documents prescribe the way in which reporting entities can fulfil their obligation to verify a customer’s address. Thus, it is up to the reporting entity how to verify the customer’s address.
In our view, electronic verification of address is permitted as a standalone method as long as it uses a reliable and independent source. For instance, RealMe® (a government-backed digital identity and authentication service) may be used to verify a residential address. This involves a process where the user’s selected residential address is checked against trusted online data sources, such as New Zealand Post’s records. If a match is found, the address is marked as “NZ Post verified”, and no further action is required. This verified address can then be shared with organizations that use RealMe® to prove where the user lives. A RealMe® verified identity does not automatically include address information unless the user opts to verify it.
Given that RealMe® is deemed to provide a high level of confidence for the purpose of the name and date of birth verification, in our view, it could also be used as a means of verification for a customer’s address.
In addition, we believe that VASPs and other reporting institutions may use supplementary checks such as, for example, geolocation or IP address tracking, though such checks are not sufficient as a standalone verification method.
In conclusion, non-documentary verification of both identity and address via electronic sources is explicitly permitted for customer identification processes in New Zealand, as long as these processes are compliant with the Code and the Explanatory Note.
The 2022 Money Laundering (Prevention and Prohibition) Act ("AML Act"), together with regulations and guidance by the
Central Bank of Nigeria ("CBN"), lays out the legal provisions applicable to Nigerian AML-supervised entities, including those related to customer due diligence.
Art. 4(1) of the AML Act outlines the general principles of the identification and identity verification duty for financial institutions and DNFBPs. While the document-based approach is framed as the default standard, the AML Act refers
to secondary legislation for substantiation24:
"A financial institution and a designated non-financial business and profession shall -
(a) identify a customer, whether permanent or occasional, natural or legal person or any other form of legal arrangements, using identification documents as may be prescribed in any relevant regulation;
(b) verify the identity of that customer using reliable, independent source documents, data or information <...>".
In turn, Art. 6(a) of the Central Bank of Nigeria Customers Due Diligence Regulations 2023 (the "CDD Regulations") lists the
information to be collected in relation to individual customers, with Art. 7(2) elaborating on the possible means of its verification:
legal name and any other names used (such as maiden name);
permanent address (full physical address);
residential address (where the customer can be located);25
telephone number, e-mail address and social media handle;
date and place of birth;
Bank Verification Number (BVN);
Tax Identification Number (TIN);
nationality;
occupation, public position held and name of employer;
an official personal identification number or other unique identifier contained in an unexpired document issued by a government agency, that bears a name, photograph and signature of the customer such as a passport, national
identification card, residence permit, social security records or drivers' license;
type of account and nature of the banking relationship;
signature; and
politically exposed persons (PEPs) status.
"FIs shall verify the identity of individuals by confirming the -
(a) date of birth from a valid official document, such as birth certificate, passport, identity card and national or social security records;
(b) residential address through physical visitation and use of other sources, including utility bill, tax assessment, bank statement, or letter from a public authority;26
(c) contact details provided by the customer through positive feedback from phone call, email or physical letter to the residential address;
(d) validity of the official documentation provided through certification by an authorized person such as embassy official, notary public (in the case of foreign nationals); and
(e) phone numbers, particularly for wallet providers, through independent process, including validation against the NCC database or geo-mapping".
Therefore, the notion of official documentation that may be used for identity verification
is quite broad, implying it is not necessarily required to collect a copy of any particular identity document. Furthermore, Arts. 14, 16 and 35 of the CDD Regulations as well as Art. 26 of the
2022 Central Bank of Nigeria (Anti-Money Laundering, Combatting the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions) Regulations
(the "AML Regulations") specify that both "physical" and "electronic" methods of customer onboarding may be adopted by financial institutions, so long as the "tiered" approach and other e-KYC standards endorsed by the CBN are complied
with. However, "additional measures or checks to supplement the documentary or electronic evidence [must be undertaken] to ensure that an applicant is who he/she claims to be", with at least one check "to guard against impersonation or
fraud".
In turn, the "tiered" approach established in the 2013 CBN Circular FPR/DIR/CIR/GEN/02/001 (Introduction of Three-Tiered Know Your Customer (KYC) Requirements) prescribes different CDD standards
depending on the customer's risk profile and the value of their account:
until recently, only a set of identity attributes (such as passport photo, name, place and date of birth, address, etc.) was required for Tier 1 (lowest-value) accounts with no evidence required;
Tier 2 demands the Tier 1 information provided by the customer to be supported with evidence and checked against official databases (such as National Identity Management Commission (NIMC), Independent National Electoral Commission
(INEC) Voters Register, Federal Road Safety Commission, etc.), while "ID verification and monitoring" is also necessary;
Tier 3 further refers to the KYC standards established by the CBN AML/CFT Regulation, 2009 as amended (which would, at present, encompass both the AML Regulations and the CDD Regulations, in particular Arts. 6-7 of the latter as
referenced above).
Furthermore, the 2023 CBN Circular PSM/DIR/PUB/CIR/001/053 enhanced the aforementioned requirements, stating that: (i) it is now mandatory for all Tier 1 accounts for individuals to have BVN and/or NIN (National Identification Number); (ii) both BVN and NIN are obligatory for Tier 2 and Tier 3
accounts; and (iii) "the process for account opening shall commence by electronically retrieving BVN or NIN related information from the NIBSS' BVN or NIMC's NIN databases [together with the underlying identity data, such as name, DoB,
etc.] and for the same to become primary information for onboarding of new customers". In addition, the same Circular prescribed all the BVNs and NINs already attached to existing accounts to be revalidated by January 31, 2024.
BVN- and NIN-based verification is generally widespread in the country. A BVN is a unique ID number issued to every customer of a Nigerian bank upon
enrolment and linked to every account that the customer has in any other local banks, whereas a NIN is provided by the NIMC and used to link citizens' and legal residents' biometric data to the National Identity database, which may then
be relied on for physical or digital verification and authentication. Both identifiers can therefore be easily validated against governmental databases.
In conclusion, banks and other financial institutions are generally encouraged (and, in certain cases, obliged) to refer to external official databases while onboarding Nigerian citizens and residents. However, in some instances, such as
cases involving non-nationals, these checks may have to be supplemented with supporting documentation obtained from the customer, depending on their account level (risk profile) and resident status.
24 — No similar reference is included for casinos; see Art. 5(1): "A casino shall - (a) verify the identity of any of its customers carrying out financial transactions by requiring its customer to present a valid original document bearing
his name and address".
25 — As per Art. 27(2) of the CDD Regulations, "where a foreign national has recently arrived in Nigeria, the residential address in the applicant's home country shall be notarized". For resident non-Nigerians, a valid residence permit is
obligatory.
26 — It appears that the word "including" here should not be understood as imposing a limitation, since "other sources" could in general be interpreted broadly so as to encompass, e.g., external databases. This is supported by Art. 26(1) of
the CDD Regulations, applicable to non-residents and stating that "FIs shall obtain and verify applicant's name, date of birth and permanent residential address (in host country) directly through a reputable Credit Institution or FI in
the applicant's country of residence or a correspondent bank, provided that particular care shall be taken when relying on identification evidence obtained from other countries".
In Norway, the primary legal statute governing the AML/CFT framework is the 2018 Act relating to Measures to Combat Money Laundering and Terrorist Financing ("AML Act"), with the
2018 Regulations relating to Measures to Combat Money Laundering and Terrorist Financing by the Ministry of Finance detailing its requirements ("AML Regulations").
Finanstilsynet (the Financial Supervisory Authority), which is a government agency responsible for regulating the financial sector, including AML/CFT compliance supervision, provides
guidelines regarding the interpretation and application of the relevant laws and regulations.
The standard approach to identity verification as enshrined in Section 12 of the AML Act implies personal presence of the customer; however, remote onboarding is also permissible, provided that additional safeguards are implemented:
"When the customer is a natural person, the following information shall be obtained concerning the customer:
a. name;
b. personal identity number, D-number or, if the customer does not have any such number, another unique identity code. For persons who do not have a Norwegian personal identity number or D-number, the date of birth, the place of birth,
the gender and the citizenship shall be obtained, including whether the person has multiple citizenships;
c. address39 [...]
Information on the customer's identity shall be verified by personal appearance with a valid proof of identity. If verification of the identity shall take place without personal appearance,
additional documentation shall be presented or additional measures shall be applied".
In turn, Section 4-3(4) of the AML Regulations states, without explicitly limiting alternative solutions, that eID mechanisms compliant with the eIDAS Regulation and relevant national legislation are suitable for non-face-to-face KYC:
"An electronic signature is valid proof of identity for natural persons when their identity shall not be verified upon personal appearance. The electronic signature shall comply with the requirements for eID solutions laid down in Section 3 of Regulations of 21 November 2019 No. 1578 relating to Self-Declaration Arrangements for Electronic Identification and be entered on a published list pursuant to Section 13, subsection 1, of the said Regulations". [Section 3 of the Regulations refers to schemes with a "high" level of assurance.]
The electronic identification schemes notified by Norway pursuant to Article 9(1) of the
eIDAS Regulation include Buypass ID and BankID. This coincides with Finanstilsynet's
2019 Circular "Guide to the Anti-Money Laundering Act" ("Circular"), which provides the following:
"The reference to BankID as valid identification has been changed to apply to electronic identification in accordance with the Money Laundering Regulations section 4-3 fourth paragraph. This is to ensure that all electronic
identification that meets the requirements is covered" (page 6).
From Section 4.3.1.1 of the Circular it may also be inferred that no non-documentary KYC solutions are regarded as acceptable besides those falling under Section 4-3(4) of the AML Regulations, since the list is formulated restrictively:
"Valid identification for natural persons is, according to the Norwegian Financial Supervisory Authority's opinion:
Norwegian and foreign passports (not emergency passports).
Norwegian driver's license.
Norwegian bank cards with picture.
National ID cards issued by an EEA country (an overview of these can be found in Appendix 4 of the Immigration Regulations).
Norwegian immigration passport (blue passport).
Norwegian travel document for refugees (green passport).
Electronic identification in accordance with the Money Laundering Regulations § 4-3 fourth paragraph".
Based on Section 4.3.1.3, supplementary non-face-to-face measures that could be additionally taken on a risk-based approach include:
obtaining the customer's tax return, pay slip, confirmation of payment of social security, benefits, student loans or other public benefits;
confirmation that the customer's first payment has been made from an account in the customer's name at a bank or credit institution established in the EEA area, or a jurisdiction with equivalent regulation and supervision;
conversation with the customer on a telephone registered to the customer;
video communication with the customer;
other reassuring electronic solutions [potentially including, e.g., references to external databases or geolocation detection];
communication with the customer via postal address or digital address registered to the customer (the communication should contain the customer's signature which can be checked against the copy of the identification document).
In conclusion, non-documentary methods for identity and address verification are permitted as long as they correspond to the approved methods for electronic identification under eIDAS and the Norwegian AML/CFT framework.40 Currently, such methods include BankID, Buypass ID, as well as other solutions that may provide electronic signatures compliant with the regulations referred to above.
39 — While address needs to be collected, no obligatory verification measures are prescribed under the AML Act, AML Regulations, or the Circular so long as the customer’s identity in general is confirmed via acceptable evidence.
40 — Notably, where the verification is carried out on documentary basis, the obliged entity must, as per Section 4.3.1.1 of the Circular, “check the security elements in the identification document, including that it is not falsified, facial and image similarity and assess the correctness of the document's specified personal data as well as checking these against external sources such as, for example the National Register”.
The Republic Act nº 9160 (the Anti-Money Laundering Act of 2001), as well as the 2018 Revised Implementing Rules and Regulations ("2018 RIRR") thereto, endorse documentary evidence as the recognized means for customer identity verification:
"Sec. 9. [...] Covered institutions shall establish and record the true identity of its clients based on official documents" (Republic Act nº 9160)
"3.2. First Time Transactions
Customers who engage in a transaction with a covered person for the first time shall be required to present the original and submit a clear copy of, at least, one (1) ID as herein defined.5
3.4 Required Identification Data from Natural Persons
For customers who are natural persons, covered persons shall gather the following identification information and ID before or during account opening or onboarding:
(a) Identification Information:
Full name;
Date of birth;
Place of birth;
Sex;
Citizenship or nationality;
Address;
Contact number or information, if any;
Specimen signatures or biometric information;
(b) Identification Documents:
PhilID; or
Other identification document, as herein defined" (Rule 18, 2018 RIRR)
The above-specified provisions, however, may be overridden by Rule 18, Section 3.7 of the 2018 RIRR, stating that "covered persons shall deem the provision and submission of the PSN6 or PhilID7 as official and sufficient proof of
identity, subject to the authentication requirements under the PhilSys Act [Republic Act No. 11055, or the Philippines Identification System Act] and its IRR [Implementing Rules and Regulations of Republic Act No. 11055]". This is further detailed in
Circular No. 1170 issued by the Bangko Sentral ng Pilipinas ("BSP") on 30 March 2023, providing additional guidelines on customer due diligence
for banks and non-bank financial institutions, including e-KYC via digital identity systems. Specifically, the Circular states that, "where the PCN [PhilSys Card Number] or PSN [PhilSys Number] derivative, or the Philippines
Identification (PhilID) card, in physical or digital form, is presented by the customer, it shall be accepted as official and sufficient proof of identity, subject to proper authentication, and the covered person shall no longer require
additional document to verify the customer's identity". Therefore, accessing an individual's record in the Philippine Identification System ("PhilSys") is considered a reliable way to verify their identity. Other digital ID systems are,
in principle, also allowed to be used so long as they are "supported by robust technology, adequate governance, processes and procedures that provide appropriate level of confidence that the system produces accurate results"; however,
there is no indication that the RIRR requirement to present an actual identity document is waived for foreigners not registered in PhilSys.
From the above it may be inferred that, so long as a customer's identity is verified via PhilSys (and all the required identity attributes as listed above are extracted in this manner), no additional procedures - such as further
identity or address confirmation - are needed.
Conversely, where the obliged entity does not rely on PhilSys, it may be expected that address, like other identity data, will be verified based on documentary evidence. See, e.g., the BSP Manual of Regulations for Banks (MORB) / Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) on Customer Due Diligence, Section 921/921Q:
"the covered person obtain from individual customers, at the time of account opening/ establishing the relationship, the following minimum information [including address] and confirming this information with the official or valid
identification documents":
as one of possible additional safeguards for enhanced due diligence, it is suggested to verify the address "through evaluation of utility bills, bank or credit card statement, sending thank you letters, or other documents showing
address or through on-site visitation".
Accordingly, Non-Doc KYC as the primary verification method for identity information, including address, is possible via solutions accessing PhilSys; in other cases, the document-based approach remains prevalent. However, as the
scope of potentially acceptable documents is defined broadly for low-risk customers, it may arguably be allowed to obtain reports or other excerpts from trustworthy external data sources instead of "conventional" IDs.
5 — As per Rule 2, Section 1(qq) of the 2018 RIRR, "identification document" means: "(1) For Filipino citizens: Those issued by any of the following official authorities: (a) PhilID; (b) Other identification documents issued by the
Government of the Republic of the Philippines, including its political subdivisions, agencies, and instrumentalities; and (c) Other identification documents that can be verified using reliable, independent source documents, data or
information. (2) For foreign nationals: (a) PhilID, for resident aliens; (b) Passport; (c) Alien Certificate of Registration; and (d) Other identification documents issued by the Government of the Republic of the Philippines, including
its political subdivisions, agencies, and instrumentalities. (3) For Filipino students: (a) PhilID; (b) School ID signed by the school principal or head of the educational institution; and (c) Birth Certificate issued by the Philippine
Statistics Authority; and (4) For low risk customers: Any document or information reduced in writing which the covered person deems sufficient to establish the client's identity".
6 — As per 2018 RIRR, Rule 2, Section 1(www), "PhilSys Number" (PSN) refers to the randomly generated, unique and permanent identification number assigned to every citizen or resident alien, upon birth or registration, by the Philippine
Statistics Authority (PSA).
7 — As per 2018 RIRR, Rule 2, Section 1(uuu), "Philippine Identification Card" (PhilID) refers to the non-transferrable identification card issued by the Philippine Statistics Authority (PSA) to all citizens and resident aliens registered
under the Philippine Identification System. It shall serve as the official government-issued identification document of cardholders in dealing with all government agencies, local government units, government and controlled corporations,
government financial institutions, and all private sector entities.
Financial institutions, VASPs and other regulated entities shall perform identification of their clients and verification of their identity as per Article 34(1)(1) of the Act of 1 March 2018 on combating money laundering and terrorist financing (the “AML Act”).
Article 36 of the AML Act contains the following list of data by which an individual customer must be identified:
Name and surname
Citizenship
The number of the General Electronic Population Registration System (PESEL) or date of birth – if the PESEL number and the country of birth have not been given
Series and number of the document certifying the identity of the person
Address of residence – if this information is possessed by the obliged institution
In addition, it is necessary to determine whether the client is a politically exposed person or is subject to UN sanctions or national restrictive measures, pursuant to Articles 46(1) and 117(1) of the AML Act, respectively.
The AML Act provides for both documentary and non-documentary methods for identity verification. According to Article 37(1) of the AML Act,
“Verification of the identity of the customer, the person authorised to act on his behalf and the beneficial owner consists in the confirmation of established identification data on the basis of a document proving the identity of a natural person, a document containing current data from an extract from the relevant register or other documents, data or information and independent source, including, if available, electronic identification means or from relevant trust services provided for in Regulation 910/2014”.
According to the law, a qualified electronic signature (QES) issued under the Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (the “eIDAS EU Regulation”) is an acceptable method for verification of the customer’s identity.
The Polish Financial Supervision Authority (KNF) issued several clarifications regarding customer identification and their identity verification (the “KNF Comments”).
In the 2019 KNF Comments addressed to the banks, KNF states that the most reliable instrument in terms of verifying the customer’s identity without their physical presence is electronic identification referred to in the eIDAS EU Regulation, including a QES. Otherwise, the 2019 KNF Comments instruct the following:
“If it is not possible to use the above electronic identification means, the bank should consider using – in accordance with Article 43 section 2 point 7 of the Act – enhanced measures of financial security.
To verify the identity of a customer who is absent for identification purposes, a bank should consider using a variety of verification materials from reliable and independent sources.
In terms of verifying the identity of a natural person, at least one of the verification materials should be a document confirming identity within the meaning of the generally accepted definition. <...>
The bank may use the video verification method. <...>”
In the 2023 KNF Comments, the regulator maintains its position that the electronic identification under the eIDAS EU Regulation shall suffice for the verification purposes:
Supervised entities should determine the types of documents necessary to identify the client, the authorised person and the beneficial owner. It must be ensured that:
information obtained through the remote customer engagement solution is up-to-date and meets the requirements of applicable legal and regulatory standards relating to the application of financial security measures to the customer;
all electronic records (images, audio and video recordings, data) are recorded in a readable format and of appropriate quality so that the client is unambiguously recognizable;
the identification process was not continued if technical faults or unexpected connection interruptions were detected.
Supervised entities may consider the above requirements as met if one of the following criteria is applied within a given solution:
the electronic identification schemes have been notified in accordance with Article 9 of Regulation (EU) No 910/2014 and meet the requirements of the assurance level “substantial” or “high” in accordance with Article 8 of that Regulation;
the relevant qualified trust services meet the requirements of Regulation (EU) No. 910/2014, in particular Chapter III, Section 3 of that Regulation.
Based on the risk assessment of a particular customer, the supervised entities may need to apply additional verification measures. The 2023 KNF Comments suggest some examples of such control measures, for instance:
“Penny drop”;
Telephone contact;
Direct correspondence to the client (both electronically – e.g. during a communication session – and by post).
Therefore, the AML/CFT regulations of Poland currently provide that the non-documentary approach can be used if the customer’s identity is verified via eIDAS-compliant QES. Otherwise, it is mandatory to obtain the customer’s ID and apply other verification measures.
The primary AML/CFT legislation of Saudi Arabia - namely, the Anti-Money Laundering Law (along with the Implementing Regulations thereto) and the Law on Combating the Financing of Terrorism (along with the Implementing Regulations thereto) - does not lay emphasis on the
acceptable methods of identity verification, while stipulating that certain data must always be collected from individual customers and validated via "reliable and independent sources, documents, data or information":
"the financial institution or designated non-financial business and profession shall obtain and verify the full legal name, residential or the national address, date and place of birth, and nationality"64 (Implementing Regulations to the
AML Law, section 7/2(a); Implementing Regulations to the CFT Law, section 17(3)(a)).
The matter is regulated more precisely in relation to the respective industries by the Saudi Central Bank (SAMA), the Capital Market Authority (CMA), and other bodies such as the Ministry of Commerce and Investment (MOCI), which all
demonstrate a divergence of approaches to non-documentary KYC:
(i) CMA:
As per the CMA AML/CFT Rules (addressed to the securities and investment sector):
individual customer's identities must be verified "using the original documents" (copies are only acceptable in case of reliance on a third party) as follows:
Saudi nationals:
the client's National Identification Card or family record;
the client's residential address & place of work and work address;
individual expatriates:
a residence permit (Iqamah) or a five-year special residence permit or a passport, and a National Identification for Gulf Cooperation Council (GCC) nationals or a diplomatic identification card for diplomats;
the client's residential address & place of work and work address (Article 8(2), 8(4));
furthermore, based on Articles 7(4) and 8(5), face-to-face identity verification is mandatory except when there is reliance on a third party;
in turn, Articles 14(1) and 14(3) specify that a third party eligible for reliance must "either be a commercial bank or financial institution that engages in securities activities" and may only be engaged "to perform the CDD if the
client is located in a country other than Saudi Arabia".
(ii) MOCI:
The Manual on AML-CFT (addressed to certain Designated Non-Financial Businesses and Professions (DNFBPs), specifically dealers in precious metals and precious stones, real estate agents, and chartered accountants), while not explicitly requiring face-to-face KYC, replicates the CMA AML/CFT Rules provision on the necessary documentary evidence to be collected from individual customers: "Establishing the identity of the client and continuously verifying the identity of all dealers against valid officially certified original documents proving their identity as follows:
Saudi nationals:
National identification card or family record.
Address of the person, place of residence and place of work.
Individual expatriates:
Residence permit (Iqamah) or a five-year special residence permit or a passport or National identification for GCC nationals or a diplomatic identification card for diplomats.
Address of the person, place of residence and place of work" (Section 3(1)).
(iii) SAMA:
Pursuant to Section 3.3 of the 2019 Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Guide ("AML Guide"), addressed to SAMA-regulated financial institutions, "information and documents issued by government bodies are considered to be from reliable and independent sources". Sections 3.9-3.10 further imply the
possibility of non-documentary identity verification, so long as it is conducted via "reliable and independent electronic services", such as the National Information Center:
"3.9 The customer is not required to come to the financial institution when updating and reviewing their information for identity verification as long as electronic authentication services approved by the National Information Center are used. However, the financial institution shall determine the need for further documentation or the customer's presence based on the level of risk posed by the customer.
3.10 When using reliable and independent electronic services to verify a customer's identity, the financial institution shall determine if more documentation is required based on the level of risk posed by the customer. In addition, it must implement the necessary preventive measures to mitigate business relationship risks and set the necessary procedures and measures to verify and review the customer information obtained, including the information provided by the customer, using reliable and independent electronic services".
It follows that non-documentary identity verification is permissible for SAMA-regulated financial institutions to the extent it is carried out via "reliable and independent" government-maintained electronic sources, the only example
explicitly named in the AML Guide being the National Information Center.
64 — More information may be required under industry-specific regulations. E.g., source of income is necessary as per Article 3.3 of the 2019 Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Guide; the 2022 Rules for Bank Accounts prescribe collecting ID number and expiry date and employer name (if any); etc.
While the Monetary Authority of Singapore maintains separate Notices and Guidelines addressing each type of AML-regulated business (e.g., banks, merchant banks, finance companies, specified payment services, digital payment token
services), they are substantially similar in relation to customer due diligence procedures. In particular, photographic evidence is universally recognized as necessary for verifying a natural person's identity and, likewise, documentary
evidence would also be generally required and prioritized over electronic sources (which, nevertheless, are encouraged as additional safeguards4) for verification of the customer's address. See, for example:
"Where the person whose identity is to be verified is a natural person, the finance company should ask for some form of identification that contains a photograph of that person" (Guidelines to MAS Notice 824 - Finance Companies, para. 23);
"When relying on documents, a bank should be aware that the best documents to use to verify the identity of the customer are those most difficult to obtain illicitly or to counterfeit. These may include government-issued identity
cards or passports, reports from independent company registries, published or audited annual reports and other reliable sources of information.
Where the customer is a natural person, a bank should obtain identification documents that contain a clear photograph of that customer.
In verifying the identity of a customer, a bank may obtain the following documents:
(a) Natural Persons ―
(i) name, unique identification number, date of birth and nationality based on a valid passport or a national identity card that bears a photograph of the customer;
(ii) residential address based on national identity card, recent utility or telephone bill, bank statement or correspondence from a government agency" (Guidelines to MAS Notice 626 - Banks, paras. 6-3-1, 6-6-1, 6-6-2);
"When relying on documents, a payment service provider should be aware that the best documents to use to verify the identity of the customer are those most difficult to obtain illicitly, counterfeit or falsify digitally. These may
include government-issued identity cards or passports, reports from independent company registries, published or audited annual reports and other reliable sources of information.
Where the customer is a natural person, a payment service provider should obtain identification documents that contain a clear photograph of that customer.
In verifying the identity of a customer, a payment service provider may obtain the following documents:
a) Natural Persons -
(i) name, unique identification number, date of birth and nationality based on a valid passport or a national identity card that bears a photograph of the customer;
(ii) residential address based on national identity card, recent utility or phone bill, bank statement or correspondence from a government agency" (Guidelines to MAS Notice PSN02 - Digital Payment Token Services, paras. 6-3-1, 6-6-1, 6-6-2).
An exception to this general rule is MyInfo, a government service that enables citizens and residents to manage the use of their personal data for simpler online transactions.
MAS Circular No. AMLD 01/2018
on "Use of MyInfo and CDD Measures for Non-Face-To-Face Business Relations", para. 3, describes MyInfo as a "reliable and independent source for the purposes of verifying the customer's name, unique identification number, date of birth,
nationality and residential address", as well as other personal attributes. It is simultaneously confirmed that, "where MyInfo is used, MAS will not require FIs to obtain additional identification documents [such as NRIC or passport] to
verify a customer's identity, and will also not expect FIs to separately obtain a photograph of the customer". At the same time,
MAS Circular No. AMLD 01/2022 on "Non-Face-To-Face Customer Due Diligence
Measures", setting out industry good practices observed by the regulator, states that most supervised entities use solutions including "elements of biometrics technology, such as facial recognition" to further mitigate the risks of
impersonation in the context of remote identification (para. 9).
Consequently, the only electronic source that could be involved as a standalone verification method of customer's identification data is MyInfo. Otherwise, in cases where MyInfo is not engaged, an individual customer is required to
present a photo-bearing ID (such as a passport or national identity card) and, where necessary, an additional document for address confirmation. Arguably and in exceptional cases, alternative photographic evidence could be accepted
(e.g., a report provided by a reliable government data source and containing the customer's facial image and other necessary information based on an official ID), but only subject to a proper risk assessment by the regulated entity.
Non-documentary checks (in relation to either general identity verification or address verification) would only be an additional tool complementing the documentary evidence.
4 — For example, the Guidelines for Digital Payment Token Services name “collection of customer device identifiers, IP addresses with associated time stamps, geo-location data” as one of possible risk mitigation measures in the remote onboarding context (para. 6-12-3).
The 2017 Guidance Note 7 on the Implementation of Various Aspects of the Financial Intelligence Centre Act, 2001,
issued by the Financial Intelligence Centre of South Africa, emphasizes that regulated institutions "have the flexibility to choose the type of information by means of which they will establish clients' identities and also the means of
verification of clients' identities" (para. 74). More specifically, both "documents" and "electronic data issued or created by reliable and independent third-party sources" are permitted for confirming a customer's
identity (para. 83) and, consequently, isolated identity attributes such as address. The Guidance Note subsequently reiterates this approach, while stating that full name, date of birth and unique identifying number issued by a
government source are "basic attributes"8 that should be collected from an individual in any event (para. 85) and outlining the following principles of e-verification:
the regulated entity should conduct a risk assessment of the data sources to be engaged (paras. 87, 90-91);
only reliable and independent (e.g., not created or generated by the customer themselves) third-party sources may be used (paras. 87-88);
where possible, the regulated entity should use the original sources of the information in question (i.e., government-issued or -controlled sources); using multiple data sources, including across time, is also encouraged (paras.
88-89, 92);
the use of electronic data sources does not, in itself, protect the obliged entity from regulatory action relating to its AML compliance duties (para. 90);
data sources that can be manipulated and tampered with are not considered reliable (para. 91);
the Department of Home Affairs, records of the Companies and Intellectual Property Commission, records of the South African Revenue Service, eNaTIS records and records of the Master of the High Court are named as examples of
acceptable data sources (para. 94).
Thus, electronic sources may be relied on for KYC measures for both identity and address verification so long as they are sufficiently robust and meet the aforementioned criteria and the information contained therein can be securely
linked to the customer's real identity.
8 — In turn, identity attributes such as “physical appearance or other biometric information, place of birth, family circumstances, place of employment or business, residential address, contact particulars (e.g. telephone numbers, e-mail addresses, social media), contacts with the authorities (e.g. tax numbers) or with other accountable institutions” (para. 86) are considered as supplementary and therefore, presumably, not mandatory to establish as part of the KYC procedure.
In Korea, financial institutions are required to conduct customer due diligence (CDD) under the Act on Real Name Financial Transactions and Guarantee of Secrecy (the “Real Name Financial Transactions Act”), which establishes the framework for basic CDD measures, and the Financial Transaction Reports Act (the “FTRA”).
Article 5-2(1) of the FTRA prescribes that the financial institutions and virtual asset operators shall identify the customer and verify the respective information prior to opening an account.
According to Article 10-4 of the Enforcement Decree of the FTRA, Articles 38(1) and 39(1) of the Business Regulations on Anti-Money Laundering and Anti-Terrorism Financing (the “AML/CFT Regulations”), as well as Article 3 of the Enforcement Decree of the Act on Real Name Financial Transactions and Confidentiality, the following information shall be identified with respect to the individual customers:
Full name
Personal number:
Resident registration number (for Korean nationals)
Registration number listed in the register of registered foreigners under the Immigration Control Act or passport / ID card (for foreigners)
Address
Contact information (a phone number and e-mail address)
Date of birth:
In case of foreign non-residents (i.e. those that do not reside in Korea) - always required
In case of other individuals - required only for electronic financial transactions
Gender:
In case of foreign non-residents - always required
In case of other individuals - required only for electronic financial transactions
Nationality - required only for foreigners (i.e. irrespective of whether they do or do not reside in Korea).
In addition, the financial institutions may request other information that may allow them to prevent the AML/CFT risk (e.g., occupation of an individual).
In the course of the customer identification, the financial institution shall also check if the customer is a PEP or is subject to the UN sanctions lists, national financial transaction restrictions (Article 43 of the AML/CFT Regulations).
Article 39 of the AML/CFT Regulations dictates a documentary approach to verification of the customer’s identification information requiring use of government-issued documents.
Even though Article 35 of the AML/CFT Regulations seems to allow non-face-to-face verification of the customer, based on the Financial Services Commission (the “FSC”) Anti-Money Laundering Authoritative Interpretation Casebook 2.0 (the “Casebook”), this approach does not fully release the financial institution from the obligation to verify certain data (e.g., address) by checking documents.
Chapter 5 (Cases 77, 78, etc.) of the Casebook provides the FSC’s clarifications on the performance of verification in a non-face-to-face format by addressing questions from market stakeholders.
“The Financial Services Commission, through an authoritative interpretation (2015.12.1.), has permitted that, when opening an account under the “Financial Real Name Transaction Act” and the “Electronic Financial Transactions Act,” verification of the customer’s identity can be performed using the “multiple non-face-to-face verification methods” (dual verification and enhanced customer identification).
Multiple Non-Face-to-Face Verification Methods
(Dual Verification – Mandatory):
1. Submission of a copy of an ID card
2. Video call
3. Verification upon delivery of an access medium
4. Use of an existing account
5. Other methods equivalent thereto (e.g., comparison with registered biometric information)
→ At least two of the items 1–5 must be applied.
(Multiple Verification – Recommended):
6. Use of verification results from other institution (such as joint certificates, mobile phone authentication, etc.)
7. Verification using multiple personal information items
→ Additional verification should be performed by methods from items 1–7, except for the two already used.
However, the customer verification system related to anti-money laundering, including actual owner verification, is not relaxed from the non-face-to-face real-name verification method, and financial companies can autonomously perform customer verification online and non-face-to-face to the same extent as offline. Therefore, it will be necessary to set reasonable and objective standards for each financial institution to the same extent as offline so that supervisors or inspectors can be sufficiently convinced and then implement them. Meanwhile, financial companies, etc. must establish procedures and methods to deal with risks such as money laundering related to non-face-to-face transactions, and must apply those procedures and methods when continuously verifying customers through non-face-to-face methods (Article 35 of the Business Regulations).”
In light of the applicable regulatory provisions and interpretative guidance set forth in the Casebook, non-documentary identity verification is allowed, under certain circumstances, when at least two of the mandatory verification methods may be used (e.g., video call and “penny drop”). However, as commented above, non-documentary verification is applicable only to a portion of the onboarding information that shall be verified. Therefore, it is not possible to skip documentary verification completely (e.g., in terms of the address verification).
In Spain, the legal AML/CFT framework is primarily governed by the Prevention of Money Laundering and Terrorist Financing Law 10/2010 of 28 April (the "AML Law"), which,
among other things, provides the requirements for customer due diligence.
Article 3 of the AML Law sets out the general identity verification duty:
"2. Prior to the establishment of the business relationship or the execution of any operations, the obligated subjects will verify the identity of the parties involved through reliable documents. In the event that it is not possible to
verify the identity of the parties involved through reliable documents at first, the provisions of article 12 may be considered, unless there are elements of risk in the operation".46
Furthermore, as per Article 4bis of the AML Law, the following identity data is prescribed for collection in relation to natural persons that are ultimate beneficial owners for the purposes of the business relationship in question:
name and surname;
date of birth;
type and number of identification document (in the case of Spanish nationals or residents, a document issued in Spain shall always be provided);
country of issue of the identification document, if the Spanish national identity card or resident card is not used;
country of residence;47
nationality; etc.
In turn, Article 12(1) addresses non-face-to-face business relationships and transactions:48
"Obligated subjects may establish business relationships or execute operations through telephone, electronic or telematic means with clients who
are not physically present, provided that any of the following circumstances occur:
a) The identity of the client is proven by means of the qualified electronic signature regulated by Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust
services for electronic transactions in the internal market and repealing Directive 1999/93/EC. In this case, it will not be necessary to obtain a copy of the document, although the conservation of identification data that justify
the validity of the procedure will be mandatory. In the rest of the cases, when the electronic signature used does not meet the requirements of the qualified electronic signature, obtaining a copy of the identification document
within one month will continue to be mandatory.
b) The first deposit comes from an account in the name of the same client opened in an entity domiciled in Spain, the European Union or equivalent third countries.
c) The requirements determined by regulation are verified.49
In any case [but excluding Art. 12(1)(a)], within a period of one month from the establishment of the business relationship, the obligated subjects must obtain from these clients a copy of the documents necessary to carry out due
diligence".
It follows that the non-documentary approach can only be used if the customer's identity is verified via eIDAS-compliant QES; otherwise, it is mandatory to obtain the customer's ID immediately during or within one month after the
establishment of the business relationship.
46 — As per Art. 6(1) of the
Regulation on the Prevention of Money Laundering and Terrorist Financing approved by Royal Decree 304/2014 of 5 May ("Decree"), "reliable
documents" means:
"For individuals who are Spanish nationals, the national identity card.
For foreign individuals, the Residence Card, Foreign Identity Card, Passport or, in the case of citizens of the European Union or the European Economic Area, the official personal identity document, letter or card issued by the home
authorities. The identity document issued by the Ministry of Foreign Affairs and Cooperation for diplomatic and consular personnel of third countries in Spain shall also be valid for the identification of foreign nationals.
Exceptionally, obliged subjects may accept other personal identification documents issued by a government authority provided they enjoy adequate guarantees of authenticity and show a photograph of the holder".
47 — There are no further explicit references to a necessity to collect and/or verify the customer's residential address in the AML Law or the Decree.
48 — Art. 21 of the Regulation on the Prevention of Money Laundering and Terrorist Financing approved by Royal Decree 304/2014 of 5 May contains a similar rule listing one additional alternative condition: "The customer's identity is
evidenced by means of a copy of the relevant identity document as set out in article 6, provided that the copy is issued by a notary public".
49 — Referring to (i) SEPBLAC specifications regarding authorization of remote identification by videoconference, 12 February, 2016, and (ii) SEPBLAC specifications regarding authorization of remote identification by video recording, 11 May, 2017.
Both (i) and (ii), however, require presentation of an identity document as part of the process.
In Sweden, the two main legal acts regulating anti-money laundering and counter-terrorist financing measures are the Money Laundering and Terrorist Financing (Prevention) Act ("AML Act") and the
Act on Penalties for Money Laundering Offences. The Finansinspektionen (also known as the Financial
Supervisory Authority), which is a government agency responsible for regulating the financial sector, including AML/CFT compliance supervision, provides guidelines regarding the interpretation and application of the relevant laws and
regulations.
Chapter 3 Section 2 of Finansinspektionen's regulations regarding measures against money laundering and terrorist financing FFFS 2017:11 ("FI Regulations") issued on 26 June 2017 is mainly focused on the document-based approach to identity verification:
"An undertaking shall verify the identity of a natural person by means of a Swedish driver's licence, Swedish passport or identity card issued by a Swedish authority, or a Swedish certified identity card.
The undertaking shall verify the identity of natural persons who do not have a Swedish identity document against a passport or other identity document. The passport or identity document must contain a photograph of the person and
information on citizenship, and must be issued by an authority or other authorised issuer. A copy of a foreign passport or other foreign identity document shall be retained in accordance with the requirements set out in Chapter 5,
section 3 of the Act on Measures against Money Laundering and Terrorist Financing (2017:630)".
At the same time, Section 5 sets out specific requirements applicable directly to non-face-to-face customer relationships:
"An undertaking shall verify the identity in a non-face-to-face situation by:
Using electronic identification to produce an advanced electronic signature as set forth in the Act (2016:561) [eIDAS regulation] laying down additional requirements to the EU Regulation on electronic identification or by using
any other technology for electronic identification which provides equivalent certainty, or
Verifying the natural person's identity in an appropriate manner by:
a) obtaining information regarding the person's name, address,38 personal identity number or equivalent,
b) verifying the information against external registers, certificates, or other equivalent documentation, and
c) contacting the natural person by sending a confirmation to the person's address in the population register or other reliable address,
or ensuring that the person sends a certified copy of an identity document, or other equivalent measure".
Since, in the context of remote CDD, obtaining a copy of the customer's ID is only one of the possible methods for identity verification, it could be concluded that Section 5 should be interpreted as substituting, not complementing, Chapter 3 Section 2.
It follows that Non-Doc KYC solutions can be relied on so long as they meet the requirements of the eIDAS Regulation or constitute a similarly robust and secure procedure. In particular, electronic identification schemes
notified by Sweden pursuant to Article 9(1) of the eIDAS Regulation include BankID,
Freja eID, and EFOS, of which BankID is arguably the most feasible and most commonly used option, although it is only available to individuals with a Swedish personal identity number.
Notably, eIDAS-based solutions also appear to rule out the necessity to collect and verify additional identity attributes, such as the customer's address.
38 — No particular means of verifying address are prescribed besides contacting the customer at their place of residence; however, this would only be obligatory where the obliged entity relies on Section 5(2) of the FI Regulations, not Section 5(1).
Article 4 of the 2019
Prime Minister Office Notification on Customer Identification Methodology for Financial Institutions and Businesses and Professions
("Customer Identification Methodology"), enacted on the basis of the Anti-Money Laundering Act B.E.2542 (1999), provides the minimum identification information to be obtained in respect of an individual customer for CDD purposes:
"(1) Full name;
(2) Date of birth;
(3) Personal identification number or, in case of a foreigner, passport number or other identification number issued by government or government agency of citizenship or identification number as appears in other identification
document issued by the government of Thailand [and evidence thereof as per Article 5(1)];
(4) Address as appears in personal identification card or in the house registration and current address. In case of a foreigner, the country of citizenship and current address57 in Thailand shall be provided, except for the case of a
foreigner with no address in Thailand, whose current address shall be used instead;
(5) Other contact information such as phone number or email address".58
In turn, the measures regulated entities may take to verify this data (either face-to-face or remotely) are generally detailed in the 2021
Anti-Money Laundering Office Notification Concerning Guideline for Identification and Verification of Customers and Ultimate Beneficial Owners
("AMLO Notification"):
- where the customer uses a low-risk product or service:
"(A) Where a national identity card is used as identification evidence, one of the following procedures or any other equally reliable procedures shall be conducted as appropriate:
Verifying such information using a smart ID card reader which is connected to the electronic verification system of a government agency.
Verifying such information using a smart ID card reader and comparing it against the information that appears on the ID card.
Verifying such information against another government agency's database.
Examining and verifying the correctness of such information to confirm that such customer is the owner of such information.
(B) Where a passport is used as identification evidence, one of the following procedures or any other equally reliable procedures shall be conducted as appropriate:
Using electronic data retrieved from the passport such as data from near field communication technology to compare against information that appears on the passport.
Examining and verifying the correctness of such information to confirm that such customer is the owner of such information";
- where the customer uses a high-risk product or service:
"(B) In verification of a non-face-to-face customer [...]
Where a smart ID card is used as identification evidence, information shall be examined by using smart ID card reader through the electronic examination system of a government agency or any other procedures having equivalent reliability.
Where a passport is used as identification evidence, data from the passport such as data retrieved from near field communication technology shall be compared with the information on the passport or other documents issued by
government of the Kingdom of Thailand or government agency of citizenship or any other procedures having equivalent reliability.
In implementation under 1) and 2), a photograph of customer shall be taken and recorded and advanced technology under international standard or acceptable standard shall be used for comparing photograph of customer with biometric data
retrieved from the smart ID card or electronic data retrieved from the passport to ensure that such person is genuinely the customer in place of their physical presence or any other method having equivalent reliability";
- in other cases:
"(B) In verification of a non-face-to-face customer [...].
For using smart identity card as identification information, one of the following procedures may be conducted:
Verifying such information using a smart ID card reader and comparing it against the information that appears on the ID card of such a customer.
Verifying the information that appears on the ID card and the ID card status through the electronic examination system of a government agency.
Where a passport is used as identification evidence, data from the passport such as data retrieved from near field communication technology shall be compared with information on the passport. In a case where information could not be
retrieved from near field communication reading, comparison may be made against other documents issued by the government of the Kingdom of Thailand or government agency of citizenship.
For implementation under 1) and 2), a photograph of customer shall be taken and recorded and advanced technology under international standard or acceptable standard shall be used for comparing the photograph of the customer with the
biometric data retrieved from the smart ID card or electronic data retrieved from the passport to ensure that such person is genuinely the customer in place of their physical presence
or any other method having equivalent reliability".
The Bank of Thailand ("BOT")
Notification No. SorNorChor. 1/2563 Re: Regulations on Know Your Customer (KYC) for e-Money Service Activation ("BOT Regulations") largely
stipulates the same non-face-to-face KYC methods (see, e.g., Clause 4.2 (2.2)). It is also reiterated that a reference to a "digital ID platform" may serve "as a replacement of customer verification or to be used for supporting the
customer verification" (Clause 4.2.4).59 However, Clause 4.5 of the BOT Regulations further states that, where alternative verification means not otherwise explicitly mentioned by the regulator are used, they need to be pre-approved by
the BOT.
"Financial institutions can verify the accuracy, reality and up-to-date nature of identification data and documents, as well as verify that it truly is this customer or a person with final authorization from a juristic person (if any)
through the digital verification and identification system such as National Digital ID Platform (NDID Platform) to substitute or support the documentary verification approach".
From the above, it is clear that non-documentary identity verification is permissible to substitute or support the documentary verification approach in the non-face-to-face scenario, as long as the method in use is accepted under the
BOT Regulations. Currently, such methods include the NDID Platform. At the same time, alternative verification means that are not explicitly mentioned by the regulator should be pre-approved on a case-by-case basis.
57 — This would imply that, where the customer's address is verified via electronic sources, the obliged entity would have to confirm that the same address is indeed featured in the customer's personal identification card or house
registration. At the same time, no specific procedures are prescribed for validating a residential address that is different from the one indicated in the personal identification card or house registration. Additional documentation such
as utility bills may normally only be required as a possible EDD measure, as per Art. 5 of the AMLO Notification.
58 — In the case of standard CDD, the list would also include "information on occupation including name and address of work place" as per Article 5(2) of the Customer Identification Methodology. The same set of data is typically required
under industry-specific AMLO Guidelines (see, e.g., page 9 of the AMLO Guideline on Customer Due Diligence For Banks).
59 — A similar approach is adopted in Clause 5.3.2 (2) of the Notification of the Bank of Thailand No. FPG. 19/2562 Re: Regulations on Know Your Customer (KYC) for deposit-account opening at financial institutions, explicitly providing the possibility of digital identification and verification systems usage:
"Financial institutions can verify the accuracy, reality and up-to-date nature of identification data and documents, as well as verify that it truly is this customer or a person with final authorization from a juristic person (if any)
through the digital verification and identification system such as National Digital ID Platform (NDID Platform) to substitute or support the documentary verification approach".
The principal AML/CFT legislation within the UAE includes: (i)
Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations
(the "AML-CFT Law" or "Law") and implementing regulations, such as (ii)
Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations
(the "AML-CFT Decision" or "Cabinet Decision").
In addition, the UAE Central Bank (CBUAE) maintains
Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Financial Institutions (the
"AML Guidelines") as well as both general and sector-specific guidance in order to ensure better understanding and effective performance of AML obligations.
The AML-CFT Decision provides the general identification and identity verification requirement in Article 8:
"Financial Institutions and [Designated Non-Financial Business or Professions] DNFBPs should identify the Customer's identity, whether the Customer is permanent or walk-in, and whether the Customer is a natural or legal person or legal
arrangement, and verify the Customer's identity and the identity of the Beneficial Owner. This should be done using documents, data or information from a reliable and independent source or any other source to verify the identity as
follows:
For Natural Persons: The name, as in the identification card or travel document, nationality, address, place of birth, name and address of employer, attaching a copy of the original and valid identification card or travel document,
and obtain approval from the senior management, if the Customer or the Beneficial Owner is a PEP".
In general, under Article 8.1 of the AML-CFT Decision and section 6.3.1 of the AML Guidelines, required identity attributes for CDD under UAE regulations and guidance include, for a natural person, the name (as in the passport or
identity card, number, country of issuance, date of issuance and expiration date of the identity card or passport), the nationality, the address (i.e., the permanent residential address), the date and place of birth, and the name and
address of employer (if applicable).
Reinforcing this, Section 6.3.1 of the AML Guidelines further elaborates on the necessity to collect copies of identity documents:
"The verification of a customer's identity, including their address, should be based on original, official (i.e. government-issued) documents whenever possible.22 When that is not possible, FIs should augment the number of verifying
documents or the amount of information they obtain from different independent sources. In particular, when verifying the UAE ID card, FIs licensed by the Central Bank must use the online validation gateway of the Federal Authority for
Identity & Citizenship and keep a copy of the UAE ID and its digital verification.23 They should also identify the lack of official documents and the use of alternative means of verification as risk factors when assessing the customer's
ML/FT risk classification".
At the same time, both Section 6.3.1 of the AML Guidelines and Section 3.1 of the
Guidance for Licensed Financial Institutions ('LFI's) on Digital Identification for Customer Due Diligence
(the "Digital Identification Guidance") seem to suggest that verification via electronic sources is an acceptable alternative to the documentary method:
"An example of alternative verification means is verification by way of digital identification systems. Such digital identification systems should rely upon technology, adequate governance, processes and procedures that provide
appropriate levels of confidence that the system produces accurate results";
"Under Article 8 of the AML-CFT Decision, LFIs are required to identify each customer and verify the customer's identity using documents, data, or any other identification information from a reliable and independent source. This
requirement is technology neutral and expressly permits LFIs to use documentary as well as non-documentary sources (i.e., information or data) when performing identification and verification; it does not impose any restrictions on the
form - physical or digital - that identity evidence must take, nor does it impose limitations as to the use of digital ID systems for the purpose of linking a customer's verified identity to a unique, real-life individual, provided this is
done using a "reliable" and "independent" source. As such, LFIs are permitted to utilize digital ID systems as well as physical forms to perform customer identification and verification, consistent with the expectations set forth in
this Guidance".
Section 5 of the Guidance further prescribes the mandatory assessments the FIs should conduct before choosing a digital identification system:
"An assurance level assessment, through which the LFI can understand the assurance levels that the digital ID system provides based on its technology, architecture, and governance and determine its reliability and independence; and
An appropriateness assessment, through which the LFI can make a risk-based determination - given the digital ID system's assurance levels - of whether the digital ID system is appropriately reliable and independent for CDD in light of
potential ML, TF, fraud, and other illicit financing risks".
Section 2.1 of the Guidance describes several national identification systems approved for use by AML-regulated entities, including UAE Pass, Emirates ID and Emirates Facial Recognition. UAE Pass, in particular, is the UAE's primary
digital identity and signature solution with a high level of security.
The interpretation of the above-mentioned provisions, taken cumulatively, appears to be that, while usage of digital identification systems is in principle permitted for KYC purposes, it does not negate the overall document-based
approach adopted by the UAE financial regulators and, in particular, the requirement to obtain a copy of the customer's identity document under the AML-CFT Decision. Accordingly, digital ID systems may be relied on as a standalone
solution when they allow access to all of the required customer data, including that related to the identity document and a copy of the identity document itself. Alternatively, they may be used for supplementary checks (which are
sometimes mandatory, as in the case of Emirates ID).
22 — For address verification, this could imply that geolocation detection alone would not be adequate; this is supported by the Digital Identification Guidance, referring to geolocation / IP address data mostly as supporting identity attributes to leverage for ongoing due diligence and transaction monitoring (see, e.g., Section 3.2). However, since there is no exhaustive list of documentation that can serve as proof of address, arguably records obtained from a reliable external database could suffice.
23 — Section 2.2 of the Digital Identification Guidance also states that, “when verifying the Emirates ID card, either physically or by way of digital or electronic “Know Your Customer (“e-KYC”) solutions, LFIs should use the online validation gateway of the Federal Authority for Identity, Citizenship, Customs & Port Security, the UAE Pass Application, or other UAE Government-supported solutions, and keep a copy of the Emirates ID and its digital verification record”.
The core legal sources of AML-related obligations in the UK, the Proceeds of Crime Act 2002 and the
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLR"), do not specify the exact KYC
procedures that may or should be implemented by regulated entities, granting them a broad margin of discretion. The MLR mostly set out the general criteria that identity verification processes must conform to; for example, paras. 18-19
of Art. 27 provide the following guidance:
"(18) For the purposes of this regulation -
(a) <...> "verify" means verify on the basis of documents or information in either case obtained from a reliable source which is independent of the person whose identity is being verified;
(b) documents issued or made available by an official body are to be regarded as being independent of a person even if they are provided or made available to the relevant person by or on behalf of that person.
(19) For the purposes of this regulation, information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where-
(a) it is obtained by means of an electronic identification process <...>; and
(b) that process is secure from fraud and misuse and capable of providing assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary
for effectively managing and mitigating any risks of money laundering and terrorist financing".
The Financial Conduct Authority also makes reference to electronic verification in its Rulebook, FCG 3.2.4, reiterating that "an electronic identification
process may be regarded as a reliable source for the purposes of CDD verification where that process is independent of the person whose identity is being verified, secure from fraud and misuse and capable of providing an appropriate
level of assurance that the person claiming a particular identity is in fact that person with that identity".
Furthermore, the Guidance by the Joint Money Laundering Steering Group (JMLSG), Part I ("Guidance"), which is widely regarded as establishing the industry
standards for compliance with AML/CFT requirements, confirms that non-documentary checks (in particular, those involving external databases) are permissible as the primary KYC measure, provided that at least the following identifying
data is collected in respect of individual customers:
full name;
residential address;
date of birth (para. 5.3.71).
When opting for electronic verification, however, obliged entities are instructed to:
choose multiple data sources (or one single source where it "has been issued by a government authority and contains cryptographic security features") or to "incorporate qualitative checks that assess the strength of the information
supplied" (para. 5.3.50);
"demonstrate that they have both verified that the customer exists, and satisfied themselves that the individual seeking the business relationship is, in fact, that customer" (paras. 5.3.44, 5.3.79). To fulfill this requirement, the
Guidance recommends various methods, such as the use of biometric information or private codes that "incontrovertibly link the potential customer <...> to the electronic/digital identity information" (para. 5.3.44);
"if suspicions are raised in relation to the integrity of any electronic information obtained, [...] take whatever practical and proportionate steps are available to establish whether these suspicions are substantiated, and if so,
whether the relevant source should be used" (para. 5.3.45);
when choosing the data providers, assess whether they are sufficiently robust, reliable, and accurate (e.g., if they are accredited for KYC purposes through a governmental or industry process; use both positive and negative
information sources; maintain appropriate data retention procedures; etc.) (paras. 5.3.52-5.3.53).
In relation to proof of address specifically, para. 5.3.29 of the Guidance emphasizes that "knowledge of an individual's residential address is central to being reasonably satisfied that the customer is who they say they are". However,
no particular method of verifying address is explicitly promoted. Furthermore, para. 5.3.112 states that address does not even necessarily have to be verified in all cases (e.g., it may be omitted when the customer lacks a permanent
place of residence); this is a matter within obliged entities' discretion. At the same time, as per para. 5.3.80, address - like any other identity attributes - may be confirmed via electronic checks. This may include, e.g., external
databases maintained by private or government entities and, arguably, geolocation data (where the identity in general is verified via more robust sources and/or the customer's risk profile is low).
It follows that, under the UK AML regulations, non-doc identity and address verification solutions may be relied upon as long as (i) the solution is able to link the user to a claimed identity whose existence has been confirmed by
an independent external data source and (ii) additional security measures that link the user to the claimed identity are in place.
The Bank Secrecy Act (BSA), imposing AML obligations on financial institutions and other reporting entities, only broadly outlines the customer due diligence obligation. For instance,
31 CFR 1020.220 (section on "Customer Identification Program: minimum requirements") lists the data to be collected in respect
of every individual client but not the specific means of its verification. At the same time, para. 1020.220(a)(2) states that both documentary and non-documentary verification methods (as well as their combinations) are acceptable so
long as the chosen procedures "enable the [obliged entity] to form a reasonable belief that it knows the true identity of each customer". Several examples of non-documentary KYC processes are also given for reference, such as
"contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a
consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement".
In particular (but without limitation), based on para. 1020.220(a)(2)(ii)(B), non-documentary procedures may be used, subject to the financial institution implementing additional safeguards to mitigate the ensuing risks, where:
an individual is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard;
the institution is not familiar with the documents presented;
the account is opened without obtaining documents;
the customer opens the account without appearing in person at the institution; and
where the institution is otherwise presented with circumstances that increase the risk that the institution will be unable to verify the true identity of a customer through documents.
This approach is further confirmed in various explanatory or interpretative materials by the Financial Crimes Enforcement Network (FinCEN), e.g.,
Guidance FIN-2018-G001 of April 3, 2018:
"A financial institution's CIP must contain procedures for verifying customer identification, including describing when the institution will use documentary, non-documentary, or a combination of both methods for identity verification";
"Non-documentary methods of verification may include contacting a beneficial owner; independently verifying the beneficial owner's identity through the comparison of information provided by the legal entity customer (or
the beneficial owner, as appropriate) with information obtained from other sources; checking references with other financial institutions; and obtaining a financial statement";
"<...> covered financial institutions may verify the identity of a beneficial owner who does not appear in person, through a photocopy or other reproduction of a valid identity document, or
by non-documentary means <...>".
No specific procedures are prescribed for address verification; since information sources that could potentially be used for non-documentary checks are not restricted, both external databases and geolocation data (as well as other
sources) could be suitable for this purpose. Notably, FinCEN has repeatedly encouraged IP address detection as an additional security measure to be
incorporated into the KYC process.
Accordingly, the US AML regulations allow, in principle, non-documentary KYC methods within the risk-based approach. However, the obliged entity must be assured it knows the true identity of its customer, for which purpose additional
KYC mechanisms aimed at connecting the user and the identity in question must be implemented.
3 —
Name;
Date of birth, for an individual;
Address, which shall be:
(i) For an individual, a residential or business street address;
(ii) For an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another
contact individual [...]; and
Identification number, which shall be:
(i) For a U.S. person, a taxpayer identification number; or
(ii) For a non-U.S. person, one or more of the following: A taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other
government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.
The 2017 Resolution of the Board of the Central Bank of the Republic of Uzbekistan (as amended) (the "CBU Resolution") outlines a comprehensive approach to customer identity
verification, emphasizing both document-based and electronic methods:
"Identification of an individual client by a commercial bank is carried out on the basis of an identity document (passport or ID card or a document replacing them) or biometric data. In
this case, a commercial bank, when identifying an individual client:
on the basis of an identity document (passport or ID card or a document replacing them) - must familiarize itself with the original of such document;
on the basis of biometric data - must verify such data via the information system of the Ministry of Internal Affairs of the Republic of Uzbekistan" (clause 26).
Regarding the scope of data by which an individual customer must be identified, clause 25 of the CBU Resolution refers to Appendix 1 thereto, which, in turn, contains the following list:
Surname, first name and patronymic
Date and place of birth
Citizenship
Place of permanent and (or) temporary residence
Details of the passport or ID card or the document replacing them: series and number of the document, date of issue of the document, name of the authority that issued the document
Personal identification number
Home telephone number (if available).
In parallel, the 2021 Central Bank Decision "About the Approval of the Regulation on the Procedure for Digital Identification of Customers" authorizes (i) digital identification with human
interaction and (ii) digital authentication without human interaction via information systems for banks, microfinance organizations, pawn shops and payment organizations in relation to citizens of Uzbekistan, foreign citizens and
stateless persons residing permanently or temporarily in Uzbekistan:
(i) the procedure for digital identification is as follows (section 6):
"the obliged entity receives from the customer photos of the parts of their identity document (biometric passport or ID card or driver's license of a new model) containing the relevant information;
the obliged entity receives the customer's photo and (or) video65;
the information obtained, including the photo and (or) video of the customer, is compared with that stored in the "Electronic Government" system ("central database");
the obliged entity verifies the customer's mobile phone number (e.g., by sending an SMS message);
the obliged entity checks whether the customer's risk profile is high (which would make them ineligible for the procedure);
the obliged entity establishes an online video conference with the customer and checks that the submitted documents belong to them."
(ii) the procedure for digital authentication is as follows (section 7):
"the obliged entity receives from the customer the series and number of their identity document (biometric passport or ID card or driver's license of a new model), or personal identification number and date of birth, or all of these
data, together with a photo or video of the customer taken in real time;
the obliged entity sends a request to the central database and receives the following personal data of the customer:
digital photograph (if available);
personal identification number ("ЖШШИР");
date of issue of biometric passport or ID card, its validity period and place of issue;
surname, first name, patronymic in the state language (in Latin script);
information about gender, country of birth, place of birth, nationality, citizenship and place of permanent or temporary residence;
the obliged entity compares the customer's photo or a snapshot from the video taken in real time with the image extracted from the central database (if available) in an automated manner (without human involvement);
the obliged entity verifies the customer's mobile phone number (e.g., by sending an SMS message);
the obliged entity compares the received data with the List [the list of persons participating or suspected of participating in organized terrorist activities or proliferation of weapons of mass destruction, prepared by the
Department for Combating Economic Crimes under the General Prosecutor's Office of the Republic of Uzbekistan] automatically (without human involvement)".
Therefore, the AML/CFT regulations of Uzbekistan currently provide for two options for fully non-documentary identity verification: (i) via the Ministry of Internal Affairs databases (the customer's biometric data being the input); and
(ii) via the Electronic Government database (the customer's real-time photo / video, as well as certain non-biometric personal data (ID details or personal identification number and date of birth), being the input), subject to several
procedural requirements, such as impersonation risk mitigation, obligatory consultation of specific AML screening sources, mobile phone verification, collection of all necessary attributes, etc.
65 — As per section 10, in case of both digital identification and digital authentication, the photo / video: needs to be in color; the video must have sound; it is not allowed to have persons other than the customer in the photo and (or) video; the matching mechanism must allow for impersonation risk mitigation; etc.