ECSH33357 - Evidence of verification: electronic verification
Regulation 28(19) of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) sets out that information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where:
- It is obtained by means of an electronic identification process, including by using a “trust service”, and,
- That process is secure from fraud and misuse and capable of providing assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing.
What is a “trust service”?
A trust service enables a person to create a digital identity proving who they are, which can be used during interactions and transactions. A UK trust service is supervised by the Information Commissioner, and you can find out more on the ICO website.
Digital identity products and services developed under the trust framework are not the same as centralised identity databases or digital identity cards. Using electronic verification (EV) is also not a reliance arrangement, as the business is still conducting its own due diligence checks; it is simply using a digital system to verify the unique information provided by the customer. Either way, the business remains liable for any customer due diligence (CDD) failures.
A business may use digital identity checks, either on their own or in conjunction with documentary evidence. If you establish that the business has carried out electronic verification checks, you need to understand the type of service used. For example, it may have used an identity service provider that maintains a database of identities (widely used by art market participants (AMPs) and estate agency businesses (EABs)) or it may have simply gathered documentary evidence digitally (by way of email or web-based messaging apps), rather than using a trust service.
The Joint Money Laundering Steering Group (JMLSG) also provides guidance on this, from paragraph 5.3.39.
Identity providers (IDPs)
IDPs are businesses that carry out digital identification and verification checks on a customer. The IDP will conduct various checks on the customer’s identity depending on the service offered and the pricing structure. For example, there may be a basic verification fee, with additional fees for a Land Registry check or checks on politically exposed persons (PEPs) and targets of financial sanctions.
Some IDPs require a photo of the customer to be taken. Most will produce a report detailing a copy of the ID, the checks done and whether each check has been passed or failed. This could be a tick or a cross or a coloured Red-Amber-Green (RAG) status. This is stored digitally within the IDP’s system. You can see example IDP reports in the AMP SharePoint site.
If the customer is not met face-to-face, the business can send their customer a link to upload their ID documents to the identity provider’s system. This provides a level of assurance that the customer is who they say they are.
If the customer is seen in person, and ID documents are checked by the business to verify identity, an IDP may be used to carry out additional screening, such as adverse media, PEP and sanctions checks.
It is important for the business to understand what products and services they are paying for, and the types of information verified. It is therefore good practice to ask to see a copy of the contract.
The key thing is to establish how the verification supports the business’s customer due diligence (CDD) measures and what, if any, risks it mitigates.
What checks have been done?
Discuss the system used:
- How much does it cost, is it a monthly fee or a fee for each check? (Fees can be up to several hundred pounds per month).
- What information is input? (For example, name, address and date of birth, or other personal information such as passport number and bank account details).
- Which datasets or databases are used?
- What is the business’s understanding of the searches and parameters used?
- What constitutes a pass, fail or refer?
Who has the business conducted EV checks on?
Confirm whether the business has checked all individuals relevant to the transaction, or only the legal person/entity. For guidance on whose identity must be verified, see ECSH 33320.
Where are results stored?
You should discuss where records are stored and how you can view them. If they are held within the EV product, what happens if the business switches providers?
- Will the business still be able to access reports for record keeping requirements?
- Are paper copies printed and retained?
- How long are they stored for?
- How and when are the reports updated, for ongoing monitoring?
What does the business do with the results?
The policies, controls and procedures (PCPs) should detail what procedure to follow if a customer fails verification or if there are red flags shown, for example, if a name matches that of a PEP. You will need to confirm what additional checks the business would carry out to confirm that its customer was or wasn’t the PEP shown on the report. If you see a report with red flags while carrying out records testing, ask the business to explain its procedures and see evidence of the checks carried out. If a PEP is confirmed, review results of the enhanced due diligence checks.
The business needs to view the CDD report and then decide what, if anything, needs to be done next based on the risks. These actions need to be documented. The business must also assess, and possibly obtain information on, the purpose and nature of the transaction, something that only some IDPs are able to do.
You should establish who in the business reviews the reports, and the procedures for escalating red flags.
Timing of verification
The date the check was conducted is usually displayed on the report. For more information on when verification is required to be conducted refer to the guidance on timing of verification in this chapter.
How to view the report
If a business uses an IDP, it will be able to log in to the system to show you the relevant CDD documents. You will need to check that the report refers to the relevant period you are testing and the procedures in place at the time of the transaction.
If carrying out a desk-based intervention, the business may offer you a link to securely log in to view the customer’s CDD information. This should be declined and alternative arrangements made (for example, downloaded copies sent via Dropbox).
For guidance on the information that you should record when you are conducting records testing and the business has undertaken EV checks, see ECSH33715.
Finally, you must not endorse any external companies offering EV or IDP services. It is the business’s decision as to whether it chooses to use the services of an external company.