Sumsub offers its state-of-the-art Non-Doc Address Verification solution to address the growing demand for automation, speed, and reduced manual intervention in KYC onboarding processes for both obligated financial institutions and their customers.

While Non-Doc Address Verification is a relatively new user residency verification method, it has already been widely recognized by regulatory authorities on a global basis and made a significant operational impact for clients who have decided to implement it.

The following analyses elaborate on the compliance of Non-Doc Address Verification with national AML/CTF regulations of multiple jurisdictions by examining in detail the requirements for customer risk assessment, data collection, and verification.

Regulatory recognition

The table below provides a regulatory compliance scoring framework designed by the Sumsub's Legal team. Each in-scope jurisdiction is given an overall rating based on the degree to which it permits document-free methods for customer Address Verification under the national AML/CTF laws.

Each individual country assessment offers detailed information on the nature of the findings, the rationale for the compliance score, the regulatory basis for the assessment, and a summary outlining Sumsub's interpretation and position.

For convenience purposes, the jurisdictions have also been segmented into tabs based on the overall score they were given.

Score	Description
1	The use of document-free address verification as a standalone method is explicitly allowed either generally, or in specific cases.
2	The use of document-free address verification as a standalone method is not explicitly prohibited.
3	The use of document-free address verification as a standalone method is explicitly ruled out.

📘
Note
In Brazil, both the Score 2A and the Score 3 are applied:

Score 2 — for Betting Operators and Central Bank-regulated Entities.

Score 3 — for CVM-regulated entities.

In Saudi Arabia, both the score 2 and the Score 3 are applied:

Score 2 — for SAMA-regulated Financial Institutions.

Score 3 — for CMA-regulated Entities and Certain DNFPBs.

In Kyrgyzstan, both the score 1 and the Score 3 are applied:

Score 1 — for temporary address.

Score 3 — for permanent address.

In Kazakhstan, both the score 1 and the Score 3 are applied:

Score 1 — for banks, insurance companies, professional participants in the securities market.

Score 3 — for VASPs.

Score 1

Country:

Cited Sources:

The Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) ("AML/CFT Rules")

Is it required to collect user address information?

Yes; Part 4.2.3 of the AML/CFT Rules sets out the minimum KYC information to be collected about an individual customer, which includes their residential address.

Is it required to verify user address information?

As per Part 4.2.6 of the AML/CFT Rules, at least the customer's (i) full name and either (ii)(a) date of birth or (ii)(b) residential address have to be verified.

Is it permissible to use document-free methods for address verification?

Part 4.2.7 of the AML/CFT Rules lists the acceptable methods of verifying the above-mentioned customer data: "(1) reliable and independent documentation; (2) reliable and independent electronic data; or (3) a combination of (1) and (2) above".

Furthermore, the AML/CTF Rules offer different "safe harbour" verification approaches (documentation-based and electronic-based) depending on the risk profile of the customer. Where the risk is medium or lower and the electronic method is chosen, "use of reliable and independent electronic data from at least two separate data sources is required. The entity must also verify that the customer has a transaction history for at least the past 3 years" (AML/CTF Rules, Parts 4.2.12 - 4.2.14).Thus, it is permissible to verify addresses electronically, provided that the customer's full name is validated against a different source.

Cited Sources:

Law on the prevention of money laundering and terrorist financing and on the restriction of the use of cash ("AML Law")
National Bank of Belgium Object of the identification and identity verification guidance ("NBB Guidance")

Is it required to collect user address information?

As per Article 26(2) of the AML Law, an individual customer' identification data shall include "last name, first name, date and place of birth and, to the extent possible, address".

Is it required to verify user address information?

In accordance with Article 27(2) of the AML Law, unless simplified due diligence measures are warranted, it is required to verify all information collected pursuant to Article 26(2) (where this is the case) against "one or more supporting documents or reliable and independent sources of information enabling them to confirm this data".

In relation to address validation specifically, section 2.3.2(a) of the NBB Guidance further explains that "financial institutions' internal procedures should determine the measures to be taken to fulfil this legal obligation in a sufficiently precise manner. When the supporting document used to verify the customer's identity provides relevant information on the customer's address, this document should logically also be considered as the source of relevant information on their address. When this is not possible (in particular if the supporting document does not mention the customer's address), the internal procedures should determine how this information can be obtained. In these cases, a simple declaration signed by the customer, agent or beneficial owner concerning their address generally suffices if the customer, business relationship or transaction does not present a high ML/FT risk".

Is it permissible to use document-free methods for address verification?

Based on the above-cited position of the NBB, address needs to be corroborated by evidence stronger than a self-declaration only if the customer's risk profile is high. However, even in that case regulated entities retain a broad margin of discretion and apparently may choose whatever means of address verification they deem appropriate, so long as such means allow them to confirm the data in question with sufficient precision.

Cited Sources:

2019 Guidelines on Electronic Know Your Customer (e-KYC) ("2019 Guidelines")
Guidance Notes on Prevention of Money Laundering and Terrorist Financing for Financial Institutions ("Guidance Notes")

Is it required to collect user address information?

As per both the Guidance Notes (see, e.g., section 7.3.5) and the 2019 Guidelines (see, e.g., section 3.3), both the current and permanent addresses of an individual customer (if different) need to be collected.

Is it required to verify user address information?

As per section 7.3.5 of the Guidance Notes, it is recommended to verify address via one of the following methods:

provision of a recent utility bill, tax assessment or bank statement containing details of the address (to guard against forged copies it is strongly recommended that original documents are examined);
checking the voter lists;
checking the telephone directory;
visiting home/office;
sending thanks letter.

Is it permissible to use document-free methods for address verification?

While the above-cited provision of the Guidance Notes is phrased as a recommendation rather than an obligation, address verification methods not listed therein might require additional justification from the regulated entity. If the regulated entity chooses to rely on electronic sources for this check, it may therefore be advisable to consult either the "voter lists" or the "telephone directory".

Cited Sources:

Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (the "AML/CFT Regulations")
FINTRAC Guidance on the methods to verify the identity of persons and entities (the "FINTRAC Guidance")

Is it required to collect user address information?

Yes; as per Sections 12-14 of the AML/CFT Regulations, address is among the data attributes to be collected from individual customers for identification purposes.

Is it required to verify user address information?

It depends on the method used to verify the customer’s information.

It is not required to verify the address when the government-issued photo verification method is used (as per paragraph 105(1)(a) of the AML/CFT Regulations and section 2.1 of the FINTRAC Guidance).

If the credit file method is used, the financial entity shall verify that the individual’s address matches with the credit file data (as per paragraph 105(1)(c) of the AML/CFT Regulations and section 2.2 of the FINTRAC Guidance).

For the dual-process method, it is not mandatory to verify the address each and every case, rather the address verification forms part of one of the verification options available. For example, if it is possible to verify (i) the person’s name and date of birth along with (ii) person’s name and account with a financial entity, there will be no need to verify the address. Otherwise, if it is not possible to verify either (i) or (ii), it will be required to verify (iii) the person’s name and address (as per paragraph 105(1)(d) of the AML/CFT Regulations and section 2.3 of the FINTRAC Guidance).

Is it permissible to use document-free methods for address verification?

where the identity verification is conducted on the basis of government-issued documents, it is not required to verify the address;
where the identity verification is conducted via the credit file method, which does not require the customer to present an ID, the obliged entity is expected to retrieve the information about the customer’s address from the credit file issued by a Canadian credit bureau;
where the identity verification is conducted under the dual-process method and it is possible to get a Canadian credit file on the person with the information from at least two independent original sources (where each source will confirm one of the two types of information that shall be confirmed under the dual-process method), it will not be required to get any documents from the customer. Otherwise, some documents will be required (e.g., a utility bill).

Cited Sources:

External Circular 100-000005
Prudential standards regarding Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) risk management and other related provisions ("Prudential Standards")

Is it required to collect user address information?

Yes; for example, Part I, Title IV, section 4.2.2.2.1.1.3.2 of the Prudential Standards lists address among other identity attributes to always be "obtained and kept updated" as part of the KYC procedure.

Likewise, Art. 5.2(a) of the External Circular 100-000005 states: "To strengthen the security of the process of KYC, and when the transaction allows it, it is recommended, as an example, the following: get to know by any legal means the origin of resources, verify the customer's identity, their address [...]".

Is it required to verify user address information?

Based on the following provision of the Prudential Standards, only the identity document presented by the customer is subject to mandatory verification (while a separate procedure for address validation is recommended as shown above but not obligatory):

"4.2.2.2.1.1.1.1. Client identification. The supervised institutions must have policies and procedures that allow them to identify and verify the identity of the potential client, whether it is a natural person, legal entity or structure without legal status, at the time of their linking in face-to-face environments or not.

In the case of natural persons, such policies and procedures must consist in verifying the identity document issued by the competent authority[...]".

Is it permissible to use document-free methods for address verification?

Should the regulated entity choose to verify the customer's address separately, they have broad discretion in choosing the exact method. For instance, section 4.2.2.2.1 of the Prudential Standards allows the use, among other KYC solutions, "public databases, digital citizen services providers, their own databases and/or external databases", as long as the engaged source undergoes prior risk assessment.

Cited Sources:

Is it required to collect user address information?

Yes; both the CBC AML/CFT Directive (section 4.13.1, para. 122) and the CySEC AML/CFT Directive (Fifth Appendix, para. 1) mention the customer's residential address as a necessary element of the identification procedure,therefore,its collection is mandatory.

Is it required to verify user address information?

Yes; this is emphasized in both the CBC AML/CFT Directive and the CySEC AML/CFT Directive:

"it is pointed out that a person's residential address is considered an integral part of the identity of the person and, thus, there needs to be a separate procedure for the verification of the customer's address" (the CBC AML/CFT Directive, section 4.11, para. 104);
"the address of residence and work is considered a basic element of identity of a person and, therefore, a separate procedure is followed for its verification [...] Under no circumstances shall the same evidence be accepted for the verification of the customer's identity and residential address" (the CySEC AML/CFT Directive, section 21).

Is it permissible to use document-free methods for address verification?

Both the CBC AML/CFT Directive and the CySEC AML/CFT Directive set out an exhaustive list of address verification methods that do not include electronic sources as a standalone alternative:

"further to the verification of name, the customer's permanent residence address is verified by one of the following ways: (i) visit to the place of residence [...], (ii) the presentation of a recent (up to 6 months) utility bill (e.g. electricity, water), or housing insurance document, or municipal taxes and/or bank account statement" (the CBC AML/CFT Directive, section 4.13.1 , para. 126);

An identical provision is contained in the Fifth Appendix to the CySEC AML/CFT Directive; additionally, it is required to obtain "a recent (up to 6 months) telephone bill, electricity bill, municipal taxes or bank account statement, or other similar document" as part of the identification data.

Nevertheless, the Directive DI144-2007-08 permits electronic verification as long as information can be retrieved from electronic databases which provide access to information referred to both present and past situations showing that the person really exists and also provide both positive information (at least the customer's full name, address and date of birth), they provide real-time updates, have transparent procedures and are approved by the Data Protection Commissioner.

Also,CySEC's amendment of theAnti-Money Laundering (AML) Directive, formalized through Directive 282/2024was designed to strengthen the existing AML/CFT framework for obliged entities regulated by CySEC, by improving measures for the prevention of money laundering and terrorist financing, particularly clarifying identification document requirements and the use of electronic verification methods.

The Cyprus regulations also aligns with the EU5AMLD and 6AMLD which emphasize a risk-based approach.There are also explicit references to the use of electronic verification methods which are not only permitted and supported by both directives.

In general, there is no explicit allowance to address verification through electronic means and on standalone basis, however, the adoption of the EU directives and the references to electronic verification methods-which are permitted as long as they are sucre and reliable-allow us to conclude that electronic address verification is also permitted as long as this is based on a risk-based approach. The Cyprus AML Law referring to the requirement of submission of documentation seems to not align with the current industry practice or the adoption of EU AML Directives.

Cited Sources:

Act No. 253/2008 Coll. on selected measures against legitimisation of proceeds of crime and financing of terrorism ("AML Act")

Is it required to collect user address information?

Yes; in accordance with Section 5(1) of the AML Act, an individual customer's "address of permanent or other residence" must be obtained as part of their "identification data".

Is it required to verify user address information?

Based on Sections 8 and 8a of the AML Act, there are two self-sufficient ways of verifying an individual customer's identity:

where the customer is physically present, "an obliged entity records identification data [including address] and verifies them from an identity card should they be included thereon, and subsequently records the type and serial number of the identity card, the issuing country or issuing authority and the card's validity; at the same time, the obliged entity verifies the holder's appearance and the holder's facial image as pictured on the identity card". It can therefore be inferred that, where the submitted identity document does not contain the holder's address, the latter needs to be verified separately. However, there is no prescribed procedure in case of a mismatch between the address featured in the ID and that of the customer's actual residence ("document-based KYC option"); and
where the onboarding is conducted remotely either (i) in accordance with the eIDAS Regulation and the Act on Electronic Identification or (ii) as otherwise explicitly permitted under the Bank Act, in which case the address information is retrieved alongside the rest of the identity information ("e-KYC option").

Is it permissible to use document-free methods for address verification?

Yes; in accordance with the Sections 8a of the AML Act, non-documentary methods for address verification are permitted as long as they correspond to the approved tools used for customer onboarding.

Cited Sources:

Is it required to collect user address information?

Appendix B to the Guideline requires different sets of identity data and supporting evidence, depending on whether the individual in question is a citizen or resident of Ghana, as well as on their special status, if any (applicable to minors, students, refugees and asylum seekers, foreign diplomats and their dependents). By way of illustration, a Ghanian citizen and a foreign citizen permanently residing in Ghana would need to provide, respectively, in relation to their address:

Ghanian citizen:

Proof of residential address:

GPS Address, or
Tenancy Agreement, or
Any other relevant document issued by an authorized government agency or institution;

Foreign citizen permanently residing in Ghana:

Proof of Residential Address (local)

GPS Address, or
Tenancy Agreement, or
Any other relevant document;

Proof of Residential address (foreign)

Utility Bill, or
Tenancy Agreement, or
Any other relevant document issued by an authorized government agency or institution.

Is it required to verify user address information?

Based on the provisions cited above, user address information needs to be corroborated with evidence, specifically certain types of documentation and/or (where the customer resides in Ghana) GPS data.

Is it permissible to use document-free methods for address verification?

As demonstrated above, non-documentary confirmation of the customer's address is only possible via a GPS check and only if the place of residence is in Ghana. A non-Ghanian address (including one belonging to a foreign citizen permanently residing in Ghana) would need to be verified based on additional documentation such as a utility bill or a tenancy agreement.

Cited Sources:

Legislative Decree 21 November 2007, n. 231 ("Legislative Decree")
Disposizioni in materia di adeguata verifica della clientela per il contrasto del riciclaggio e del finanziamento del terrorismo ("CDD Provisions")

Is it required to collect user address information?

Yes; Art. 1(2)(n) of the Legislative Decree defines "identification data" as "name and surname, place and date of birth, registered residence and domicile (where different from registered residence) and, where assigned, the tax code or, in the case of subjects other than a natural person, the name, registered office and, where assigned, the tax code".

Is it required to verify user address information?

Part 2, Section VIII of the CDD Provisions states that an individual's "identification data" (which, as shown above, includes address) needs to be "verified via a copy - obtained by fax, post, in electronic format or with similar methods - of a valid identity document", unless the customer's identity is being confirmed via an eIDAS-compliant solution (the two electronic identification schemes notified by Italy with a "high" level of assurance are Italian eID based on National ID card (CIE) and SPID (Public System of Digital Identity) identities with the Level of Assurance (LoA) 3), in which scenario, as follows from Part 2, Section III, such a copy is not necessary. However, no mandatory verification procedure is prescribed where the submitted ID does not contain address-related information (or if the regulated entity becomes aware that the address indicated in the ID is different from the customer's actual place of residence).

Is it permissible to use document-free methods for address verification?

Yes; as per Part 2, Section III of the CDD Provisions, if the person’s identity is verified using an eIDAS-notified electronic identification scheme, the address information can be verified relying on the same source. However, if the ID lacks the customer’s current address, the regulator prescribes to collect it separately but does not explicitly specify how it should be verified. Therefore, supplementary procedures adopted by regulated entities in this case could involve, e.g., requesting additional documents or consulting external data sources. The specific requirements for proof of address might vary depending on the customer's risk profile.

Cited Sources:

ANNEXE A LA DECISION N° 26 du 02/07/2015/CM/UMOA ("Uniform AML/CFT Regulation")

Is it required to collect user address information?

Yes; as per Article 27 of the Uniform AML/CFT Regulation, obtaining the address of the customer's main residence is one of the essential identification procedure elements.

Is it required to verify user address information?

Yes; in accordance with the same Article 27, "verification of [an individual customer's] address is carried out by the presentation of a document capable of providing proof [thereof] or by any other means. [...] The financial institution verifies the authenticity of the document presented".

Is it permissible to use document-free methods for address verification?

Based on the above-cited provision, there are no restrictions regarding possible address verification methods; therefore, regulated entities may choose such solutions as they consider appropriate.

Cited Sources:

Act on the Prevention of the Transfer of Proceeds from Crime (the “AML Act”)
Enforcement Order of the Act on the Prevention of the Transfer of Proceeds from Crime (the “AML Enforcement Order”)
Enforcement Rules of the Act on the Prevention of the Transfer of Proceeds from Crime (the “AML Rules”)
Overview of the Act on Prevention of Transfer of Criminal Proceeds revised in June 2020 by Japan Financial Intelligence Center National Police Agency (the “2020 JAFIC Guidelines”)

Is it required to collect user address information?

Yes, address is among the items that shall be obtained as part of the process of verification of identity for individual customers as per Article 4 of the AML Law.

Is it required to verify user address information?

Yes, according to Article 4 of the AML Act and Article 7 of the AML Enforcement Order, the obliged entities shall verify the identity of a customer when certain types of transactions are performed, e.g.:

When concluding a contract to accept deposits or savings;
When concluding an insurance contract;
When concluding a contract for securities provision;
When concluding a contract to lend money (e.g., a credit card contract);
When concluding a contract for opening a prepaid payment instrument account.

Is it permissible to use document-free methods for address verification?

Yes, in certain cases. As per Article 6 of the AML Rules, the only non-documentary method for verification of information (including address) is the use of an electronic certificate issued by an authorized Japanese state body.

However, as per the clarifications provided in section 5-2 of the 2020 JAFIC Guidelines,

“When the current residence of the customer or the representative is different from the one stated or recorded in the identification documents or when the residence is not stated, other identification documents or supplementary documents (such as tax certificates, receipts of social insurance premiums, receipts of public utility bills, documents issued by government offices, etc.) shall be presented.”.

Therefore, if there is any discrepancy between the address in the identification documents or if the address is not indicated there at all, it will be necessary to apply the documentary method for the address verification.

Cited Sources:

Is it required to collect user address information?

Yes; as per para. 26 of the AML Rules for Banks and para. 27 of the AML Rules for Securities Market, respectively, the legal address is among the data attributes to be collected from individual customers for identification purposes. While the AML Rules for VASPs do not provide a specific list of data that shall be collected from individual customers for identification purposes, we assume that the same scope of information as established for the banks and professional participants of the securities market will be applicable to them (i.e., it should include address).

Is it required to verify user address information?

As a general rule, CDD measures shall include “verification of the accuracy of information required to identify the client” as per Article 5(3)(6) of the AML Law.

Is it permissible to use document-free methods for address verification?

Banks, insurance companies, professional participants in the securities market, and some other entities as per para. 1 of the Remote CDD Rules are allowed to apply non-documentary identity verification in certain cases, while VASPs shall always use documentary identity verification pursuant to para. 23 of the AML Rules for VASPs.

Cited sources:

Kyrgyz Republic Government Resolution “On measures to implement the Law of the Kyrgyz Republic “On Counteracting the Financing of Terrorist Activities and Legalization (Laundering) of Criminal Proceeds” (the “AML Regulation”).

Is it required to collect user address information?

Yes; as per para. 16 of Appendix 12 “Position on the procedure for conducting a proper customer check” (the “CDD Rules”) to the AML Regulation, which, in turn, refers to Annex 1 thereto, permanent (registration) and/or temporary (residence) addresses are among the data attributes to be collected from individual customers for identification purposes.

Is it required to verify user address information?

In our view, it depends on the type of address. Thus, the permanent (registration) address is to be collected, if specified in the identification documents of the client (as per line 13 of the questionnaire as per Annex 1 to the AML Regulation) and the temporary (residence) address is to be collected from the client’s words (as per line 14 of the questionnaire as per Annex 1 to the AML Regulation).

Therefore, we believe that when it comes to the permanent (registration) address its verification will be required, while the temporary (residence) address does not require verification as it will be based on the client’s statement.

Is it permissible to use document-free methods for address verification?

It depends on the type of address: verification of the permanent (registration) address shall be done on the basis of a document, while verification of temporary (residence) address is not required at all.

Cited Sources:

Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 ("AMLA")
Bank Negara Malaysia Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions Policy ("AML/CFT Policy for FIs")
Bank Negara Malaysia Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions (DNFBPs) & Non-Bank Financial Institutions (NBFIs) Policy ("AML/CFT Policy for DNFBPs / NBFIs")
Guidance on Verification of Individual Customers for Customer Due Diligence ("CDD Guidance")

Is it required to collect user address information?

Yes; section 16(3)(a) of the AMLA requires reporting institutions to ascertain the domicile of any person as part of customer due diligence measures. Likewise, AML/CFT Policies for both FIs and DNFBPs / NBFIs (sections 14A.9 and 14.10.1 respectively), as well as section 3.3 of the CDD Guidance, name "residential and mailing address" among the minimum identification data.

Is it required to verify user address information?

Yes; as per section 16(3)(b) of the AMLA, domicile, among certain other identification data, needs to be "verified, by reliable means or from an independent source, or from any document, data or information [...] through the use of documents which include identity card, passport, birth certificate, driver's licence, constituent document or any other official or private document as well as other identifying information relating to that person".

Is it permissible to use document-free methods for address verification?

Malaysian AML/CFT regulations explicitly permit reliance on electronic sources (including databases) for CDD purposes; e.g., section 14C.16.11(c) of the AML/CFT Policy for FIs allows, in the context of non-face-to-face onboarding, to use "a database maintained by relevant authorities including the National Registration Department or Immigration Department of Malaysia; telecommunication companies, sanctions lists issued by credible domestic or international sources in addition to the mandatory sanctions lists or social media platforms with a broad outreach". This is mentioned as an equivalent alternative to requesting additional documentation such as "recent utility bills, bank statements, student identification or confirmation of employment".

Similarly, section 5.1 of the CDD Guidance emphasizes that "there is no restriction on the form of evidence to be taken by reporting institutions in verifying the identity. Reporting institutions may accept either physical documents, electronic or digital information and data, or a combination of both". The only instance where it is recommended to obtain documentary proof of address (specifically, a utility bill) is when "residential and NRIC address are different" (section 6.1).

Cited sources:

Anti-Money Laundering and Countering Financing of Terrorism Act 2009(the “AML/CFT Act”)
Amended Identity Verification Code of Practice 2013(the “Code”)

Is it required to collect user address information?

Yes; as per section 15 of the AML/CFT Act, the person’s address is among the data attributes to be collected from individual customers for identification purposes.

Is it required to verify user address information?

Yes, under section 16 of the AML/CFT Act a reporting entity must take reasonable steps to satisfy itself that the information obtained under section 15 (i.e. including the address) is correct.

Is it permissible to use document-free methods for address verification?

Section 13 of the AML/CFT Act foresees that the verification of identity (which scope includes the address) must be done either on the basis of documents, data, or information issued by a reliable and independent source; or any other basis applying to a specified situation, customer, product, service, business relationship, or transaction prescribed by regulations. Neither the Code, nor other explanatory documents prescribe the way in which reporting entities can fulfil their obligation to conduct verification of a customer’s address. Thus, the address verification method is determined by the obliged entity within its discretion.

In our view, document-free verification of address is permitted as a standalone method as long as it uses a reliable and independent source. For instance, RealMe® (a government-backed digital identity and authentication service) may be used to verify a residential address. This involves a process where the user’s selected residential address is checked against trusted online data sources, such as New Zealand Post’s records. If a match is found, the address is marked as “NZ Post verified”, and no further action is required. This verified address can then be shared with organizations that use RealMe® to prove where the user lives. However, a RealMe® verified identity does not automatically include address information unless the user opts to verify it.

Given that RealMe® is deemed to provide a high level of confidence for the purpose of the name and date of birth verification (as it contains biometric information), in our view, it could also be used as a means of verification for a customer’s address.

In addition, we believe that VASPs and other reporting institutions may use supplementary checks such as, for example, geolocation or IP address tracking, though such checks are not sufficient as a standalone verification method.

In conclusion, non-documentary address verification via the use of electronic sources is explicitly permitted for customer identification processes in New Zealand if RealMe® is used.

Cited Sources:

Central Bank of Nigeria Customers Due Diligence Regulations 2023 ("CDD Regulations")
2022 Central Bank of Nigeria (Anti-Money Laundering, Combating the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions) Regulations ("AML Regulations")
2023 CBN Circular PSM/DIR/PUB/CIR/001/053 ("2023 Circular")

Is it required to collect user address information?

Yes; Art. 6(a) of the CDD Regulations lists both "permanent address (full physical address)" and "residential address (where the customer can be located)" among data items to be collected as part of the KYC procedure.

Is it required to verify user address information?

Yes; Art. 7(2) of the CDD Regulations elaborates on the possible means of address verification:"FIs shall verify the identity of individuals by confirming the - [...]

(b) residential address through physical visitation and use of other sources, including utility bill, tax assessment, bank statement, or letter from a public authority".

In addition, as per Art. 27(2) of the CDD Regulations, "where a foreign national has recently arrived in Nigeria, the residential address in [their] home country shall be notarized". For resident non-Nigerians, a valid residence permit is obligatory.

Is it permissible to use document-free methods for address verification?

It appears that the word "including" in Art. 7(2)(b) of the CDD Regulations should not be understood as imposing a limitation, since "other sources" could in general be interpreted broadly so as to encompass, e.g., external databases. This is supported by Art. 26(1) of the CDD Regulations, applicable to non-residents and stating that "FIs shall obtain and verify applicant's name, date of birth and permanent residential address (in host country) directly through a reputable Credit Institution or FI in the applicant's country of residence or a correspondent bank, provided that particular care shall be taken when relying on identification evidence obtained from other countries".

Additionally, Nigerian AML/CFT regulations are generally favourable towards non-documentary KYC solutions. For instance, Arts. 14, 16 and 35 of the CDD Regulations, as well as Art. 26 of the AML Regulations, specify that both "physical" and "electronic" methods of customer onboarding may be adopted by financial institutions, so long as the "tiered" approach and other e-KYC standards endorsed by the CBN are complied with. In turn, the CBN 2023 Circular not only permits, but prescribes to validate customer identity data via governmental NIBSS' BVN or NIMC's NIN databases.

Therefore, it may be assumed that, where technically possible, addresses may be verified electronically at least through official national databases such as NIBSS or NIMC.

Cited Sources:

2018 Act relating to Measures to Combat Money Laundering and Terrorist Financing ("AML Act")
2018 Regulations relating to Measures to Combat Money Laundering and Terrorist Financing ("AML Regulations")
2019 Circular "Guide to the Anti-Money Laundering Act" ("2019 Circular")

Is it required to collect user address information?

Yes; Section 12(1) of the AML Act stipulates that, in the case of a natural person, address needs to be collected among other identity data.

Is it required to verify user address information?

Based on Section 12(2) of the AML Act, "information on the customer's identity shall be verified by personal appearance with a valid proof of identity. If verification of the identity shall take place without personal appearance, additional documentation shall be presented or additional measures shall be applied". Beyond that, no obligatory address verification measures are prescribed under the AML Act, AML Regulations, or the 2019 Circular so long as the customer's identity in general is confirmed via acceptable evidence as described below.

Is it permissible to use document-free methods for address verification?

As per Section 4-3(4) of AML Regulations, where the customer is not physically present, the only acceptable onboarding solution is an eIDAS-compliant electronic signature, which is self-sufficient for KYC purposes insofar as all the required identity data (including address) had been previously obtained. However, regulated entities may choose to further validate their customers' residential addresses as part of risk mitigation or enhanced due diligence procedures. In this case, they are not limited in the choice of methods; for example, Section 4.3.1.3 of the 2019 Circular mentions "other reassuring electronic solutions" on par with "communication with the customer via postal address or digital address" or "video communication".

Cited Sources:

Is it required to collect user address information?

As per Rule 18, Section 3.4 of the 2018 RIRR, address is indeed among other identity attributes that should be collected from an individual customer before or during account opening or onboarding.

Is it required to verify user address information?

Overall, documentary evidence of identity-related information (including address) appears mandatory. See, e.g., the BSP Manual of Regulations for Banks (MORB) / Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) on Customer Due Diligence, Section 921/921Q:

"the covered person obtains from individual customers, at the time of account opening / establishing the relationship, the following minimum information [including address] and confirms this information with the official or valid identification documents";

as one of possible additional safeguards for enhanced due diligence, it is suggested to verify the address "through evaluation of utility bills, bank or credit card statement, sending thank you letters, or other documents showing address or through on-site visitation".

The above-specified provisions, however, may be overridden by Rule 18, Section 3.7 of the 2018 RIRR, stating that "covered persons shall deem the provision and submission of the PSN or PhilID as official and sufficient proof of identity, subject to the authentication requirements under the PhilSys Act [Republic Act No. 11055, or the Philippines Identification System Act] and its IRR [Implementing Rules and Regulations of Republic Act No. 11055]". This is further detailed in Circular No. 1170. Specifically, the Circular states that, "where the PCNor PSN derivative, or the Philippine ldentification (PhillD) card, in physical or digital form, is presented by the customer, it shall be accepted as official and sufficient proof of identity, subject to proper authentication, and the covered person shall no longer require additional documents to verify the customer's identity". Therefore, accessing an individual's record in the Philippine Identification System ("PhilSys") is considered a reliable way to verify their identity.

From the above it may be inferred that, so long as a customer's identity is verified via PhilSys (and their address is also extracted in this manner), no further address confirmation is needed. Conversely, where the obliged entity does not rely on PhilSys, it may be expected that address, like other identity data, will be verified based on documentary evidence.

Is it permissible to use document-free methods for address verification?

Based on the reasoning above, non-documentary address verification is possible via solutions accessing PhilSys; in other cases, the document-based approach remains prevalent.

Cited Sources:

Act of 1 March 2018 on combating money laundering and terrorist financing (the “AML Act”)
The position of the Polish Financial Supervision Authority regarding customer identification and verification of their identity in banks and branches of credit institutions based on the video verification method of 2019 (the “2019 KNF Comments”)
The position of the Polish Financial Supervision Authority solutions in the financial sector for establishing business relations without the physical presence of the client of 2023 (the “2023 KNF Comments”)
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (the “eIDAS EU Regulation”)

Is it required to collect user address information?

No; as per Article 34(1)(1) of the AML Act the address of residence is only required when “this information is possessed by the obliged institution”. That is, the address seems to be not a mandatory piece of data to be collected by the reporting institutions from individual customers for identification purposes.

Is it required to verify user address information?

If collected, the address needs to be verified as per Article 37(1) of the AML Act.

Is it permissible to use document-free methods for address verification?

Yes. As to the verification of the address, a qualified electronic signature (QES) issued under the eIDAS EU Regulation is an acceptable method for its verification.

This is also confirmed by the 2019 KNF Comments addressed to the banks, where the regulator states that the most reliable instrument in terms of verifying the customer’s identity without their physical presence is electronic identification referred to in the eIDAS EU Regulation, including a QES. Otherwise, the 2019 KNF Comments instruct the following:

“Utility bills, for example, can be considered as supplementary documents confirming the client's identity and address of residence.”

In the 2023 KNF Comments, the regulator maintains its position that the electronic identification under the eIDAS EU Regulation shall suffice for the verification purposes:

“Supervised entities may consider the above requirements [about verification] as met if one of the following criteria is applied within a given solution:

the electronic identification schemes have been notified in accordance with Article 9 of Regulation (EU) No 910/2014 and meet the requirements of the assurance level “substantial” or “high” in accordance with Article 8 of that Regulation;
the relevant qualified trust services meet the requirements of Regulation (EU) No. 910/2014, in particular Chapter III, Section 3 of that Regulation.”

Therefore, the AML/CFT regulations of Poland currently provide that the non-documentary approach can be used if the customer’s address is verified via eIDAS-compliant QES. Otherwise, it is required to obtain the documents (e.g., utility bills) and apply other verification measures.

Cited Sources:

Guidelines to MAS Notice 626-Banks
MAS Circular No. AMLD 01/2018 on "Use of MyInfo and CDD Measures for Non-Face-To-Face Business Relations" ("2018 MAS Circular")

Is it required to collect user address information?

While the Monetary Authority of Singapore (MAS) maintains separate Notices and Guidelines addressing each type of AML-regulated business (e.g., banks, merchant banks, finance companies, specified payment services, digital payment token services), the requirement to collect an individual customer's residential address is universal. See, for instance: "where a customer is a natural person, a bank must obtain residential address based on national identity card, recent utility or telephone bill, bank statement or correspondence from a government agency" (Guidelines to MAS Notice 626 - Banks, para. 6-6-2).

Is it required to verify user address information?

Based on the same para. 6-6-2 of the Guidelines to MAS Notice 626 - Banks (and identical provisions contained in the Guidelines related to other industries), user address information needs to be corroborated with evidence, specifically certain types of documentation.

Is it permissible to use document-free methods for address verification?

An exception to the document-based approach to address verification is MyInfo, a government service that enables citizens and residents to manage the use of their personal data for simpler online transactions. The 2018 MAS Circular, para. 3, describes MyInfo as a "reliable and independent source for the purposes of verifying the customer's name, unique identification number, date of birth, nationality and residential address", as well as other personal attributes. It is simultaneously confirmed that, "where MyInfo is used, MAS will not require FIs to obtain additional identification documents to verify a customer's identity".

Cited sources:

2017 Guidance Note 7 on the Implementation of Various Aspects of the Financial Intelligence Centre Act, 2001 ("Guidance Note")

Is it required to collect address information?

The Guidance Note, while stating that full name, date of birth and unique identifying number issued by a government source are "basic attributes" that should be collected from an individual customer in any event (para. 85), also describes data such as residential address as supplementary (para. 86) and therefore, presumably, not mandatory to establish as part of the KYC procedure.

Is it required to verify user address information?

Since it is not necessary for obliged entities to collect address information in the first place, whether to do so and whether to subsequently verify such data remains within their discretion.

Is it permissible to use document-free methods for address verification?

Para. 74 of the Guidance Note emphasizes that regulated entities "have the flexibility to choose the type of information by means of which they will establish clients' identities and also the means of verification of clients' identities". More specifically, both "documents" and "electronic data issued or created by reliable and independent third-party sources" are permitted for confirming a customer's identity (para. 83) and, consequently, isolated identity attributes such as address.

Cited sources:

Swiss Financial Market Supervisory Authority ("FINMA") Circular 2016/7 on "Video and online identification"

Is it required to collect user address information?

Yes, it is required to collect user address information based on the FINMA Circular 2016/7 on "Video and online identification", Section IV(B)(a), margin 34, stating that "the financial intermediary must also [in addition to other identity data] confirm the contracting party's residential address".

Is it required to verify user address information?

Yes, it is required to verify user address information. As per the FINMA Circular 2016/7 on "Video and online identification", Section IV(B)(a), margin 34, such information must be not simply obtained, but also further "confirmed".

Is it permissible to use document-free methods for address verification?

The FINMA Circular 2016/7 on "Video and online identification", Section IV(B)(a), margins 35-37.1, provides an exhaustive list of means by which a contracting party's residential address can be confirmed, namely: "tax invoice or any other official invoice or power, water or telephone invoices (utility bill); postal delivery; a public register, or a trustworthy, privately managed database/directory; or geolocation".

Cited Sources:

Is it required to collect user address information?

Yes; in accordance with Article 8(1) of the AML-CFT Decision, an individual customer's address needs to be obtained along with their "name, as in the identification card or travel document, nationality, [...] place of birth, name and address of employer, attaching a copy of the original and valid identification card or travel document", cumulatively referred to as "identity".

Is it required to verify user address information?

The same Article 8(1) of the AML-CFT Decision states that the customer's "identity" (consisting of the elements as cited above) needs to be verified, which therefore applies to address in particular. This is further corroborated by section 6.3.1 of the AML Guidelines:

"The verification of a customer's identity, including their address, should be based on original, official (i.e. government-issued) documents whenever possible. When that is not possible, FIs should augment the number of verifying documents or the amount of information they obtain from different independent sources".

Is it permissible to use a non-document method to verify an address?

Despite the overall preference for documentary evidence, section 6.3.1 of the AML Guidelines and section 3.1 of the CDD Guidance seem to suggest that verification via electronic sources is an acceptable alternative:

"An example of alternative verification means is verification by way of digital identification systems. Such digital identification systems should rely upon technology, adequate governance, processes and procedures that provide appropriate levels of confidence that the system produces accurate results";

"Under Article 8 of the AML-CFT Decision, LFIs are required to identify each customer and verify the customer's identity using documents, data, or any other identification information from a reliable and independent source. This requirement is technology neutral and expressly permits LFIs to use documentary as well as non-documentary sources (i.e., information or data) when performing identification and verification; it does not impose any restrictions on the form-physical or digital-that identity evidence must take, nor does it impose limitations as to the use of digital ID systems for the purpose of linking a customer's verified identity to a unique, real-life individual, provided this is done using a "reliable" and "independent" source. As such, LFIs are permitted to utilise digital ID systems as well as physical forms to perform customer identification and verification, consistent with the expectations set forth in this Guidance".

Therefore, according to the Article 8(1) of the AML-CFT Decision, the address as well as personal identifiable information may be verified via any sufficiently reliable means, whether documentary or electronic.

Cited Sources:

Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("ML Regulations")
Guidance by the Joint Money Laundering Steering Group, Part I ("Guidance")

Is it required to collect user address information?

Yes, it is necessary to collect an individual customer's residential address, according to the Joint Money Laundering Steering Group (JMLSG) Guidance. Para. 5.3.29 thereof specifically states that "knowledge of an individual's residential address is central to being reasonably satisfied that the customer is who they say they are".

Is it required to verify user address information?

No particular method of verifying address is explicitly promoted. Furthermore, para. 5.3.112 of the Guidance emphasizes that address data does not even necessarily have to be validated in all cases (e.g., it may be omitted when the customer lacks a permanent place of residence); this is a matter within obliged entities' discretion.

Is it permissible to use document-free methods for address verification?

As a general rule, Art. 27(19) of the ML Regulations explains that "information may be regarded as obtained from a reliable source [...] where - (a) it is obtained by means of an electronic identification process [...]; and (b) that process is secure from fraud and misuse and capable of providing assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing". Therefore, obliged entities are granted a broad margin of discretion in their choice of CDD procedures, and electronic solutions are within the scope of permissible remote onboarding methods.

Furthermore, as per paras. 5.3.72 and 5.3.80 of the Guidance, address - like any other identity attributes - may be confirmed via electronic checks, including by relying on external databases so long as they are sufficiently robust.

Cited sources:

The Bank Secrecy Act (BSA) 31 CFR 1020.220 ("BSA")

Is it required to collect user address information?

Yes, as per the BSA ("Customer Identification Program: minimum requirements", section 1020.220(a)(2)(i)(A)), identity data to be collected from each individual customer includes: "address, which shall be: (i) for an individual, a residential or business street address; (ii) for an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual".

Is it required to verify user address information?

As a general rule, the BSA (section 1020.220(a)(2)(ii)) dictates that financial institutions must have in place "procedures for verifying the identity of the customer, using information obtained in accordance with paragraph (a)(2)(i) of this section" [identity data, including address]. Therefore, it would likely be expected for a financial institution to validate the previously collected user address information unless it can reasonably demonstrate that, even without this check, it knows the customer's identity.

Is it permissible to use document-free methods for address verification?

Yes, the BSA (section 1020.220(a)(2)(ii)) states that both documentary and non-documentary verification methods (as well as their combinations) are acceptable so long as the chosen procedures "enable the [obliged entity] to form a reasonable belief that it knows the true identity of each customer". Several examples of non-documentary KYC processes are also given for reference, such as "contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement".

Cited sources:

2017 Resolution of Board of Central Bank of the Republic of Uzbekistan (as amended) ("2017CBU Resolution").

2021 Central Bank Decision "About the Approval of the Regulation on the Procedure for Digital Identification of Customers" ("2021 CBU Decision").

Is it required to collect user address information?

Yes; as per Appendix 1 to the 2017 CBU Resolution, permanent and/or temporary address is among the data attributes to be collected from individual customers for identification purposes.

Is it required to verify user address information?

There is no explicit requirement to verify address in the cited sources, arguably because every national ID acceptable for KYC purposes as per the 2017 CBU Resolution (passport, ID card, new-model driving license) already contains this data.

Is it permissible to use document-free methods for address verification?

where the identity verification is conducted on the basis of identity documents, address is considered confirmed as a result of being featured in such documents;
where the identity verification is conducted via "digital authentication" (as per the 2021 CBU Decision), which does not require the customer to present an ID, the obliged entity is expected to retrieve the information about the customer's place of residence from the "Electronic Government" database;
otherwise, the address verification method is determined by the obliged entity within its discretion.

Cited sources:

2022 Law on Anti-Money Laundering ("AML Law")

Is it required to collect user address information?

Yes; based on Article 10(1) of the AML Law, an individual customer's address in Vietnam and/or abroad (whichever is applicable depending on the person's citizenship and residence) needs to be collected.

Is it required to verify user address information?

Yes; while Article 10(1) of the AML Law lists residential address as part of "customer identification data", Article 12(1) stipulates the obligation to verify this dataset via documents and information which, in the case of individual customers, must include "identity card, citizen identification card or passport with valid term of use; other documents issued by competent authorities".

Is it permissible to use document-free methods for address verification?

According to Article 12(2) of the AML Law, "reporting subjects can exploit information in national databases according to the provisions of law, through competent state agencies and other organizations specified in Article 13 [a third-party provider engaged by the reporting subject] or regulated third parties specified in Article 14 [a financial institution or a legal entity in a related non-financial industry that has established relationships with customers (excluding agency and outsourcing relationships); conducts CDD according to the AML Act of, for foreign entities, the FATF recommendations; is subject to the management and supervision of a competent authority] of this Law to compare and verify information provided by customers". This grants regulated entities an option to validate address via official electronic sources where it is not already featured in the identity document presented by the customer.

Score 2

Country:

Cited Sources:

UIF Resolution 14/2023 (RESOL-2023-14-APN-UIF#MEC, "UIFResolution")

Is it required to collect user address information?

Yes; as per Article 22 of the UIF Resolution, all individual customers of a regulated entity must be identified by, inter alia, their "actual address (street, number, town, province, country and postal code)".

Is it required to verify user address information?

The UIF Resolution is mostly silent on address validation. Notably, Article 22 does specify how the customer's full name and surname, type and number of identity document should be verified (namely, by a copy of an identity document), but no similar guidance is provided for other identity attributes such as address. Therefore, presumably, it is the obliged entities' choice whether and via which means to perform address verification.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification are prescribed, nor is it evident from the UIF Resolution that it is necessary in the first place, regulated entities may choose any methods of validating their customers' addresses they consider reasonable.

Cited Sources:

CVM RESOLUTION NO. 50, OF AUGUST 31, 2021 ("CVM Resolution")
BACEN/DC Circular No. 3978 OF 01/23/2020 ("CBCircular")
Portaria SPA/MF Nº 1231 DE 31/07/2024 ("Portaria N 1231")

Is it required to collect user address information?

The Securities and Exchange Commission (CVM) and the Central Bank of Brazil do require at least address collection; respectively:

in accordance with Annex B, Article 1 of the CVM Resolution, complete address (street, complement, district, city, state and zip code) along with other data such as name and date of birth should be obtained;
as per Article 18 of the CB Circular, obliged entities "must adopt procedures that allow them to qualify their clients through the collection, verification and validation of information [...]" including, in the case of natural persons, their place of residence.

Additionally to address of residence, obligated betting operators must collect bettors' IP addresses at the registration stage and during each change in registration, as stipulated in Articles 31-32 of Portaria 1231.

Is it required to verify user address information?

As shown above, Art. 18 of the CB Circular indeed prescribes to not only collect, but also verify address information. Similarly, Annex B, Article 1 of the CVM Resolution specifies that an individual customer's records must include "proof of residence or domicile" as a document copy (although there is no exhaustive list of acceptable documents).

Is it permissible to use a non-document method to verify PoA?

In the case of banks and financial institutions, Article 16(1) of the CB Circular states: "The institutions shall adopt identification procedures that allow verifying and validating the identity of the client. The procedures shall include obtaining, verifying and validating the authenticity of customer identification information, including, if necessary, by comparing this information with those available in public and private databases". This is applicable to verification of both identity and its isolated components such as residential address.

However, as per the above-cited provisions of the CVM Resolution, only documentary proof of address may be accepted by CVM-regulated entities; electronic sources may only be relied on for supplementary evidence.

As for the betting operators specifically, the requirements regarding residential address verification are not described; however, they must collect bettors' IP addresses at the registration stage and during each change in registration.

Cited Sources:

Consolidation Act on Measures to Prevent Money Laundering and Terrorism Financing (the Anti-Money Laundering Act) ("AML Act")

2020 Guide to the AML Act by the Finanstilsynet ("FSA Guide")

Is it required to collect user address information?

Section 11(1) of the AML Act prescribes to collect the following identification data of natural persons: "name and civil registration number or similar if the person in question does not have a civil registration number. Should the applicant not have a civil registration number or similar, the identity information shall include date of birth". Therefore, address is not explicitly required.

Is it required to verify user address information?

Danish AML/CFT regulations stipulate no separate obligation to verify the customer's address. However, it is mentioned in Section 14 of the FSA Guide as one of possible enhanced due diligence measures.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider reasonable.

Cited Sources:

2017 Money Laundering and Terrorist Financing Prevention Act ("AML Act")

Is it required to collect user address information?

Yes; as per §21, subsection 1, clauses 1-2 of the AML Act, a customer who is a natural person has to be identified by, inter alia, their "place of residence or location".

Is it required to verify user address information?

As a general rule, §21, subsection 2 of the AML Act prescribes to verify customer identification data (including address) "using information originating from a credible and independent source". However, no further detailed guidance is offered in relation to the validation of address specifically.

Is it permissible to use document-free methods for address verification?

In the absence of instructions to the contrary, it may be assumed that, while regulated entities are indeed expected to verify address-related information, they are not restricted in their options of doing so and, provided that the customer's address is not already reliably confirmed in the course of general identity verification, both documentary and non-documentary supplemental checks can be used.

Cited Sources:

Act on Preventing Money Laundering and Terrorist Financing (444/2017; amendments up to 599/2023 included) ("AML Act")
Regulations and Guidelines issued by FIN-FSA in 2/2023 Journal Number FIVA/2023/1289 ("FIN-FSA Guidelines")

Is it required to collect user address information?

Yes; Chapter 3, Section 3(2) of the AML Act, outlining the minimum data required for customer due diligence, encompasses address among other identity attributes. Para. 104 of the FIN-FSA Guidelines further elaborates that this requirement refers "as a rule to the address of the customer's permanent place of residence. Where necessary, a temporary address may be saved instead of, or in addition to, a permanent address".

Is it required to verify user address information?

In relation to address verification, para. 105 of the FIN-FSA Guidelines suggests that "it is enough as a rule that the supervised entity records the customer's contact address through which the customer can be reached by letter mail if the customer does not have a permanent or temporary address, or the customer does not want to disclose the address due to a valid non-disclosure for personal safety. The supervised entity shall assess on a risk-sensitive basis the importance of the lack of the customer's permanent or temporary home address on the overall risk involved in the customer relationship and whether the supervised entity is able to manage these risks". Beyond that, no detailed instructions are provided, implying a broad margin of discretion reserved for regulated entities.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider appropriate.

Cited Sources:

Monetary and Financial Code of France

ACPR Guide for identification, identity verification and customer due diligence ("ACPR Guide")

Is it required to collect user address information?

Whereas Art. R561-5 of the Monetary and Financial Code of France requires regulated entities to identify their individual customers by collecting their "first and last name, as well as their date and place of birth", this obligation does not encompass residential address.

Is it required to verify user address information?

Whereas regulated entities may choose to verify a customer's residential address as part of risk mitigation or enhanced due diligence, para. 131 of the ACPR Guide appears to suggest that it is not a necessity:"The collection of [proof of address] is therefore not essential for knowledge of the business relationship. Financial institutions determine, in their internal procedure, using a risk-based approach, whether proof of the home address is an element to be collected and, in this case, the type of proof to be collected".

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider appropriate.

Cited Sources:

Guideline on Anti-Money Laundering and Counter-Financing of Terrorism For Authorised Institutions (Revised in May, 2023) ("HKMA Guideline")
Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers) ("SFC Guideline")

Is it required to collect user address information?

Yes; as per sections 4.3.2-4.3.5 and 4.3.13-4.3.17 of the HKMA Guideline, the following identification and verification requirements are applicable to financial institutions:

"for customers who are natural persons, the full name, date of birth, nationality, unique identification number and document type, as well as residential address".

Section 4.2.4 of the SFC Guideline contains an identical requirement to collect an individual customer's residential address.

Is it required to verify user address information?

No; based on the HKMA Guideline, authorized entities are required to collect the address, but not necessarily verify it. However, pursuant to the footnote of section 4.3.5 of the HKMA Guideline, an authorized entity may, under certain circumstances, require such verification for other purposes (e.g. group requirements, other local or overseas legal and regulatory requirements). In this case, it should communicate clearly to the customers the reasons why it requires proof of residential address. The SFC Guideline (see the footnote to section 4.2.4) adopts the same approach.

The SFC Guideline (see the footnote to section 4.2.4) adopts the same approach.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider reasonable.

Cited Sources:

Is it required to collect user address information?

Out of all acceptable methods of identity verification listed in Chapter VI, Part I, section 16 of the KYC Direction, only one explicitly mentions address specifically:

"For undertaking CDD, REs shall obtain the following from an individual [...]:

(a) the Aadhaar number [...]; or

(aa) the proof of possession of Aadhaar number where offline verification can be carried out; or

(ab) the proof of possession of Aadhaar number where offline verification cannot be carried out or any OVD[officially valid document] or the equivalent e-document thereof containing the details of their identity and address; or

(ac) the KYC Identifier with an explicit consent to download records from CKYCR; and

(b) the Permanent Account Number or the equivalent e-document thereof or Form No. 60 as defined in Income-tax Rules, 1962; and

(c) such other documents including in respect of the nature of business and financial status of the customer, or the equivalent e-documents thereof as may be required by the RE".

It can be inferred that, where the customer does not present an OVD featuring their address (or its substitute), address collection is still necessary but already implied under the other permitted procedures. See, for instance, regarding the Aadhaar number validation: “if a customer wants to provide a current address, different from the address as per the identity information available in the Central Identities Data Repository, they may give a self-declaration to that effect to the RE”.

Is it required to verify user address information?

Chapter 1, section 3(xiv) of the KYC Direction states that, "where the OVD furnished by the customer does not have updated address, the following documents or the equivalent e-documents thereof shall be deemed to be OVDs for the limited purpose of proof of address:-

utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);

property or Municipal tax receipt;

pension or family pension payment orders (PPOs) issued to retired employees by Government Departments or Public Sector Undertakings, if they contain the address;

letter of allotment of accommodation from employer issued by State Government or Central Government Departments, statutory or regulatory bodies, public sector undertakings, scheduled commercial banks, financial institutions and listed companies and leave and licence agreements with such employers allotting official accommodation".

No separate verification procedure is prescribed in case the customer's identity is verified via means other than their OVD. This is subject to a restriction set out in section 40(c):"Following EDD measures shall be undertaken by REs for non-face-to-face customer onboarding (other than customer onboarding [using Aadhaar OTP based e-KYC]): [...]

c) Apart from obtaining the current address proof, RE shall verify the current address through positive confirmation before allowing operations in the account. Positive confirmation may be carried out by means such as address verification letter, contact point verification, deliverables, etc."

Is it permissible to use document-free methods for address verification?

With the exception of the case where the customer presents an OVD not featuring their current address and provided they are being onboarded via Aadhaar OTP-based e-KYC, no additional address verification procedures appear to be required. However, if the regulated entity prefers to further confirm the customer's address, they may choose any means of doing so.

Cited Sources:

Regulation (POJK) No. 8 of 2023 ("OJK Regulation")

Is it required to collect user address information?

Yes; Art. 25(1) of the OJK Regulation specifies it is necessary to collect an individual customer's "residential address according to the ID and other residential addresses, if any".

Is it required to verify user address information?

It appears that the fact a person's identity document contains an address serves as sufficient evidence of the latter's validity. The OJK Regulation further states that, where the actual residential address of the customer differs from the one indicated in the ID, the alternative address needs to be recorded as well; however, no particular verification procedures are prescribed.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist (besides extracting the address information out of the customer's ID), regulated entities may choose any methods they consider reasonable.

Cited Sources:

2013 Prudential Guidelines issued by the Central Bank of Kenya ("Prudential Guidelines")

Is it required to collect user address information?

Yes; section 5.6.7.2 of the Prudential Guidelines, addressing non-face-to-face onboarding specifically, emphasizes an obliged entity must "ensure that there is sufficient communication to confirm address and personal identity" of an individual customer.

Is it required to verify user address information?

Yes; as per section 5.6.7.4 of the Prudential Guidelines, "the procedures to check identity must serve two purposes: (i) they must ensure that a person bearing the name of the applicant exists and lives at the address provided; and (ii) that the applicant is that person". From this, it can be inferred that user address information needs to be supported with evidence.

Is it permissible to use document-free methods for address verification?

In terms of address verification specifically, obtaining a utility bill or other forms of documentation is recommended under paras. 5.6.5.1 and 5.6.7.7 of the Prudential Guidelines as the best practice and there are no explicit references to the possibility of relying on electronic sources instead. However, para. 5.6.7.5 suggests this method is not the only permissible one and ultimately "it is for each institution to decide upon which checks to employ".

Cited Sources:

Is it required to collect user address information?

Neither the AML Law nor the Order stipulates a necessity to collect user address information. However, as per Art. 10(1)(6) of the AML Law, it is required to understand an individual customer's "citizenship (except for the cases where it is optional in the identification document) and in the case of a stateless person - the state which issued their identification document". While obliged entities may still be expected to collect data related to the customer's location (e.g., to determine whether enhanced due diligence should be applied to the customer or to fulfill the requirement to obtain the customer's IP data as set out in para. 26 of the Order), the format in which this information should be gathered and confirmed is determined by the obliged entity itself.

Is it required to verify user address information?

The AML/CFT regulations of Lithuania do not specify any particular means for verifying the customer's residential address.

Is it permissible to use document-free methods for address verification?

Yes, insofar as this matter is not explicitly regulated under the AML Law or the Order and obliged entities have the freedom of discretion in it.

Cited Sources:

2012 Federal Law of the Prevention and Identification of Operations with Resources of Illicit Origin ("AML Law"), including the 2013 General Rules referred to therein ("General Rules")

Is it required to collect user address information?

Pursuant to Art. 12 of the General Rules and Annexes thereto, the scope of identification data to be collected from individual customers depends on whether the person is a local citizen or permanent resident and whether they have their current place of residence abroad. In the latter case, both the foreign residential address and the address in Mexico where the customer "can receive correspondence" must be submitted. See, e.g., Annex 3 (relating to natural persons who are citizens of Mexico or foreign citizens with a temporary or permanent residence permit):"vi) Home address at your place of residence, consisting of the following information: name of the street, avenue or road in question, duly specified; exterior number and, where applicable, interior number; neighborhood or urbanization; territorial demarcation, municipality or similar political demarcation that corresponds, where applicable; city or town, federal entity, state, province, department or similar political demarcation that corresponds, where applicable; postal code and country";"[...] Additionally, in the case of persons who have their place of residence abroad and at the same time have an address in national territory where they can receive correspondence addressed to them, the data relating to said address must be entered in the file, with the same elements as those contemplated in section vi) above".

Additionally, in 2021, it was prescribed that financial institutions track the real-time geolocation of their customers with an otherwise unknown location when they perform remote operations via their devices.

Is it required to verify user address information?

Regarding address verification, the approach also varies depending on the customer's citizenship and place of residence:

for Mexican citizens permanently residing in Mexico, no specific requirements are prescribed;
for Mexican citizens or foreign citizens with a temporary or permanent Mexican residence permit who reside abroad, proof of address is necessary when "the address stated by the [person] does not match the one on the identity document or the latter does not contain it" (General Rules, Annex 3);
for foreign citizens permanently residing abroad and without a Mexican residence permit, proof of address is necessary in relation to "the address in the national territory where the [person] may receive correspondence addressed to them" and when "the address stated by the [person] does not match the one on the identity document or the latter does not contain it" (General Rules, Annex 5).

Is it permissible to use document-free methods for address verification?

Insofar as no address verification methods are prescribed as mandatory in relation to Mexican citizens permanently residing in Mexico, it can be assumed that document-free solutions are permissible. Otherwise, where proof of address is explicitly required, both Annex 3 and Annex 5 to the General Rules specify it needs to be in the form of "a copy of a document that proves the [customer's] address, which may be a receipt for payment for home services or bank statements, all of them [...] not older than three months from the date of issue, or the contract of lease in force on the date of submission by the [customer] and registered with the competent tax authority, the Certificate of registration in the Federal Registry of Taxpayers, as well as any other documents that, where applicable, are approved by the UIF".

Cited Sources:

Anti-Money Laundering Law and theImplementing Regulations thereto
Law on Combating the Financing of Terrorism and the Implementing Regulations thereto
CMA AML/CFT Rules
MOCI Manual on AML-CFT
2019 Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Guide by the Saudi Central Bank (“AML Guide”)

Is it required to collect user address information?

Yes; the Implementing Regulations to both the Anti-Money Laundering Law and the Law on Combating the Financing of Terrorism specify that, for individual customers, “the financial institution or designated non-financial business and profession shall obtain and verify the full legal name, residential or the national address, date and place of birth, and nationality” (sections 7/2(a) and 17(3)(a) respectively).

Is it required to verify user address information?

Yes; as follows from the provisions cited above, address information must be both collected and verified.

Is it permissible to use document-free methods for address verification?

The approach to address verification differs depending on the regulatory body:

the CMA AML/CFT Rules (Article 8), as well as the MOCI Manual on AML-CFT (Section 3(1)), require to verify the customer’s residential address via “original documents”;
in contrast, the SAMA AML Guide does not prescribe any specific procedure for address validation that would be separate from or additional to identity verification itself.

Cited Sources:

Prevention of Money Laundering and Terrorist Financing Law 10/2010 of 28 April ("AML Law")
Regulation on the Prevention of Money Laundering and Terrorist Financing approved by Royal Decree 304/2014 of 5 May ("Royal Decree")

Is it required to collect user address information?

As per Article 4bis of the AML Law, in relation to natural persons that are ultimate beneficial owners for the purposes of the business relationship in question, only the "country of residence" is required to ascertain their address. There are no further indications in the AML Law or the Royal Decree that the information on the customer's place of residence needs to be collected with higher precision.

Is it required to verify user address information?

In terms of the overall identity verification duty, Articles 3 and 12 of the AML Law generally require a copy of the customer's "reliable document" (unless the KYC procedure is being conducted via an eIDAS-compliant qualified electronic signature, which exemption is provided under Article 12(1)(a) of the AML Law). In turn, a "reliable document", pursuant to Article 6(1)(a) of the Royal Decree, means:

for individuals who are Spanish nationals, the national identity card;
for foreign individuals, the residence card, foreign identity card, passport or, in the case of citizens of the European Union or the European Economic Area, the official personal identity document, letter or card issued by the home authorities;
exceptionally, obliged subjects may accept other personal identification documents issued by a government authority provided they enjoy adequate guarantees of authenticity and show a photograph of the holder.

However, no mandatory verification procedures are prescribed where the presented identity document does not feature the customer's address.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification (besides collecting a copy of the customer's identity document) exist, regulated entities may choose any methods they consider appropriate.

Cited Sources:

Finansinspektionen's regulations regarding measures against money laundering and terrorist financing ("FI Regulations")

Is it required to collect user address information?

Chapter 3, Section 5 of the FI Regulations, governing non-face-to-face onboarding, sets out two alternative methods for performing KYC remotely:

"using electronic identification to produce an advanced electronic signature as set forth in the Act (2016:561) laying down additional requirements to the EU Regulation on electronic identification or by using any other technology for electronic identification which provides equivalent certainty" ("e-KYC option"), or

"verifying the natural person's identity in an appropriate manner by:
- obtaining information regarding the person's name, address, personal identity number or equivalent;
- verifying the information against external registers, certificates, or other equivalent documentation, and
- contacting the natural person by sending a confirmation to the person's address in the population register or other reliable address, or ensuring that the person sends a certified copy of an identity document, or other equivalent measure" ("document-based KYC option").

Accordingly, only the "document-based KYC option" requires a separate procedure for address collection.

Is it required to verify user address information?

As demonstrated above, only the "document-based KYC option" necessitates address verification; furthermore, it needs to be conducted specifically via physical correspondence with the customer.

Is it permissible to use document-free methods for address verification?

Consequently, only the "e-KYC option" (which does not prescribe address verification specifically in the first place) permits reliance on non-documentary sources as a standalone solution.

Cited Sources:

AMLA Regulations, June 2022 (GN 397) ("2022 AML Regulations")

Is it required to collect user address information?

Part I(2) of the 2022 AML Regulations does list the “residential address” among other items to be obtained as part of “basic personal information” for individual customers; however, it is specified that such information “may be expressed in terms of physical address or in the absence of a physical address, such details as neighborhood or locality or village, town or city, district or region and country”. Accordingly, the degree of precision in collecting address-related data is to be determined by the obliged entity.

Is it required to verify user address information?

“Basic verification” measures as set out in Part I(2) and Part III(8) of the 2022 AML Regulations are silent on the necessity to validate residential address specifically, so long as it is not featured in the identity document submitted by the customer (in which case the obliged entity must “ensure that the personal information provided is accurate, through comparison of such information with information on the identification documents”). Address verification is not prescribed as part of “detailed verification” or “enhanced due diligence” either. It therefore appears to be a matter left to the obliged entity’s discretion.

Is it permissible to use document-free methods for address verification?

Since there is no explicit requirement to verify the address via any specifically prescribed procedure, regulated entities may, if they nevertheless consider this check necessary, choose any methods they deem appropriate.

Cited Sources:

Prime Minister Office Notification on Customer Identification Methodology for Financial Institutions and Businesses and Profession ("Prime Minister Notification")
Anti-Money Laundering Office Notification Concerning Guideline for Identification and Verification of Customers and Ultimate Beneficial Owners ("AMLO Notification")
AMLO Guideline on Customer Due Diligence For Banks ("AMLO Guideline", as an example of industry-specific AMLO Guidelines)

Is it required to collect user address information?

Yes; Article 4 of the Prime Minister Notification, providing the minimum identification information to be obtained in respect of an individual customer for CDD purposes, specifically mentions "address as appears in personal identification card or in the house registration and current address. In case of a foreigner, the country of citizenship and current address in Thailand shall be provided, except for the case of a foreigner with no address in Thailand, whose current address shall be used instead". The ALMO Guideline further confirms this requirement refers to:

in case of Thai national, meaning address in the house registration book and in case of not living therein, stating also the present address;

in case of alien, meaning address in the country of nationality and address in Thailand.

Is it required to verify user address information?

There appears to be no obligatory procedure for address verification prescribed under the AML/CFT regulations of Thailand. Whereas Article 5 of the AMLO Notification suggests requesting additional documentation (such as utility bills) as an enhanced due diligence measure where the customer's risk profile is high, nothing indicates that this is the only acceptable way of validating address in principle.

Is it permissible to use document-free methods for address verification?

Since no mandatory procedures for address verification exist, regulated entities may choose any methods they consider appropriate.

Score 3

Country:

Cited Sources:

Financial Intelligence Regulations 2022 ("FI Regulations")

Is it required to collect user address information?

Yes; pursuant to Part 2, Section 6(1) of the FI Regulations, the data subject to ascertainment in relation to a natural person includes, inter alia:

where the person is a citizen or resident of Botswana, the person's residential address in Botswana;

where the person is not a citizen or resident of Botswana, the residential address in his or her country of domicile and physical address in Botswana.

Is it required to verify user address information?

Yes; Part 2, Section 6(1) of the FI Regulations requires to collect, among other identification data, "an original of the recent council rate or utility bill receipt". The same is expressed in Section 15, stating that at least one of the following measures has to be adopted in relation to non-face-to-face onboarding: "(a) obtaining a reference from a well known professional, an employer of the customer of the specified party, or a known customer of the specified party who knows the natural person; or (b) requesting original recent council rates or utility bill receipt".

Is it permissible to use document-free methods for address verification?

Based on the above-cited provisions, while regulated entities are not prohibited from relying on electronic sources to conduct a supplementary address check, this does not negate the general obligation to collect documentary proof of address either.

Cited Sources:

CVM RESOLUTION NO. 50, OF AUGUST 31, 2021 ("CVM Resolution")
BACEN/DC Circular No. 3978 OF 01/23/2020 ("CBCircular")
Portaria SPA/MF Nº 1231 DE 31/07/2024 ("Portaria N 1231")

Is it required to collect user address information?

The Securities and Exchange Commission (CVM) and the Central Bank of Brazil do require at least address collection; respectively:

in accordance with Annex B, Article 1 of the CVM Resolution, complete address (street, complement, district, city, state and zip code) along with other data such as name and date of birth should be obtained;
as per Article 18 of the CB Circular, obliged entities "must adopt procedures that allow them to qualify their clients through the collection, verification and validation of information [...]" including, in the case of natural persons, their place of residence.

Is it required to verify user address information?

Is it permissible to use a non-document method to verify PoA?

Cited Sources:

Is it required to collect user address information?

Is it required to verify user address information?

As a general rule, CDD measures shall include “verification of the accuracy of information required to identify the client” as per Article 5(3)(6) of the AML Law.

Is it permissible to use document-free methods for address verification?

Cited sources:

Kyrgyz Republic Government Resolution “On measures to implement the Law of the Kyrgyz Republic “On Counteracting the Financing of Terrorist Activities and Legalization (Laundering) of Criminal Proceeds” (the “AML Regulation”).

Is it required to collect user address information?

Is it required to verify user address information?

Is it permissible to use document-free methods for address verification?

Cited Sources:

FIAML Regulations 2018 ("FIAML Regulations")
AML/CFT Handbook by the Mauritius Financial Services Commission (FSC) ("AML/CFT Handbook")

Is it required to collect user address information?

Yes; in accordance with Article 4(1) of the FIAML Regulations, the "current and permanent address" of each individual customer has to be both obtained and verified, on par with other identification data, as part of the KYC procedure.

Is it required to verify user address information?

Yes; this follows from Article 4(1) of the FIAML Regulations as referred to above. Furthermore, Section 5.11 of the AML/CFT Handbook states that, where a financial institution is unsatisfied with its verification of a customer's identity or address, the respective business relationship must be terminated immediately.

Is it permissible to use document-free methods for address verification?

As per Article 4(2) of the FIAML Regulations, identification data needs to be supported with "documentary evidence as may be specified by a relevant regulatory body or supervisory authority". This is further reiterated in section 5.3 of the AML/CFT Handbook, setting out an exhaustive list of documents via which address can be validated (identity documents, utility bills, bank statements, etc.). Notwithstanding this, Section 5.11 of the AML/CFT Handbook permits reliance on electronic data sources as a supplementary safeguard, emphasizing that "the use of more than one confirmatory source to match data enhances the assurance of authenticity".

Cited Sources:

Anti-Money Laundering Law and theImplementing Regulations thereto
Law on Combating the Financing of Terrorism and the Implementing Regulations thereto
CMA AML/CFT Rules
MOCI Manual on AML-CFT
2019 Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Guide by the Saudi Central Bank (“AML Guide”)

Is it required to collect user address information?

Is it required to verify user address information?

Yes; as follows from the provisions cited above, address information must be both collected and verified.

Is it permissible to use document-free methods for address verification?

The approach to address verification differs depending on the regulatory body:

the CMA AML/CFT Rules (Article 8), as well as the MOCI Manual on AML-CFT (Section 3(1)), require to verify the customer’s residential address via “original documents”;
in contrast, the SAMA AML Guide does not prescribe any specific procedure for address validation that would be separate from or additional to identity verification itself.

Cited sources:

Enforcement Decree of the Financial Transactions Report Act
TheBusiness Regulations on Anti-Money Laundering and Anti-Terrorism Financing (the “AML/CFT Regulations”).
TheEnforcement Decree of the Act on Real Name Financial Transactions and Confidentiality
Anti-Money Laundering Authoritative Interpretation Casebook 2.0 (the “Casebook”)

Is it required to collect user address information?

Yes; according to Article 10-4 of the Enforcement Decree of the Financial Transactions Report Act, Articles 38(1) of the AML/CFT Regulations, as well as Article 3 of the Enforcement Decree of the Act on Real Name Financial Transactions and Confidentiality, the address is among the data attributes to be collected from individual customers for identification purposes.

Is it required to verify user address information?

Yes; as per Article 39(1) of the AML/CFT Regulations, it is necessary to verify the address.

Is it permissible to use document-free methods for address verification?

No. Even though Article 35 of the AML/CFT Regulations seem to allow non-face-to-face verification of the customer, the Financial Services Commission’s position issued in the Casebook (pp. 159-160) is that the address shall be verified by checking the documents.

Cited sources:

Regulations Governing Identity Verification Mechanism and Transaction Limits for Users of Electronic Payment Processing Institutions (the ‘e-payment account Regulations’) (the “E-payment Account Regulations”)
Regulations Governing Anti-Money Laundering and Countering the Financing of Terrorism for Enterprises or Persons Providing Virtual Asset Services (the “VASP Regulations”)
Model Guidelines for Banks’ Anti-Money Laundering and Counter Terrorism Financing Policies and Procedures (the “Model Guidelines for Banks”)

Is it required to collect user address information?

It depends on the industry:

VASPs shall collect the household registration or residence address from individual customers for identification purposes under Article 3(4) of the VASP Regulations.
Pursuant to Article 4(IV) of the Model Guidelines for Banks, banks shall also identify the permanent or residence address of an individual customer.
Unlike VASPs and banks, e-payment institutions are not obliged to collect the addresses of their customers as per Article 8 of the E-payment Account Regulations.

Is it required to verify user address information?

Yes; both VASPs and banks that are obliged to collect the addresses among the data attributes for individual customers’ identification purposes are required also to verify the addresses (as per Article 3(4) of the VASP Regulations and Article 4(VIII)(I)(1)(2) of the Model Guidelines for Banks, respectively).

Is it permissible to use document-free methods for address verification?

In our view, no.

Although Article 3(3)(A) of the VASP Regulations does not explicitly mention the documents, it does require verifying the customer’s address “using reliable, independent source documents, data or information”. At the moment, we are not aware of such non-documentary sources that may verify the address to be available in Taiwan.
As to the banks, Article 4(VIII)(I)(1)(2) of the Model Guidelines for Banks establishes the documentary verification method of the address (e.g., via bills, account statements, or official documents) as principal one, while non-documentary methods could be applied in addition to (but not instead of) the former.

Solution compliance assessment

Regulatory recognition

📘
Note

Regulatory recognition

📘Note

📘
Note