Flexible CDD measures at onboarding after Covid-19

In order to meet the unique position in which Covid-19 has placed financial institutions around the globe, firms have been given greater flexibility in Customer Due Diligence (CDD) measures, such as client identity verification at onboarding. 

Standard Required CDD measures at onboarding

CDD requirements underpin the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017. The FATF Recommendations dictate that financial institutions undertake CDD measures when establishing business relations (i.e., at on-boarding). Generally, CDD measures at onboarding a client include the following components: 

1. Verifying the customer’s identity using an independent and reliable source of data;

2. In the case of customers who are legal persons or trusts, identifying the customer’s beneficial owner(s) and verifying his/her (their) identity and, taking reasonable measures to understand their ownership and control structure; 

3. Assessing the purpose and intended nature of business relationships.

Additionally, CDD measures include screening customers against the sanctions list, PEP status, and adverse media hits. 

COVID-19 outbreak brought a number of challenges in the financial world. As it was pointed out by the FATF “the increase in COVID-19-related crimes, such as fraud, cybercrime, misdirection or exploitation of government funds or international financial assistance, is creating new sources of proceeds for illicit actors.” 

One of the potential ML/TF risks emerging from the aforementioned threats and vulnerabilities could be criminals finding ways to bypass CDD measures by exploiting temporary challenges in internal controls caused by remote working. Swift and effective implementation of AML/CFT measures can help to manage new COVID-19 risks and vulnerabilities. On the contrary, such measures could be considered as an opportunity COVID-19 has presented for industry, for instance, supporting electronic and digital payment options and electronic identity verification (EIV).

EIV was generally achieved by an identity proofing operator being physically present at the same place as the applicant, when extracting information and verifying an ID card of the applicant. However, during the COVID-19 pandemic, the possibility of identification a customer without physical presence became even more crucial given that physical presence is not only cumbersome, but even not possible. 

In this regard the industry is exploring the opportunities and challenges of new technologies for AML/CFT. For example, they published guidance on digital identity technology in March 2020 to clarify how digital identity systems work, and how they can be used to conduct certain elements of customer due diligence as part of a risk-based approach to AML/CFT. The FATF published two further reports in July 2021 on the opportunities and challenges of new technologies, and a stocktake of technologies facilitating advanced analytics.

One of the FATF Recommendations encourages the fullest use of responsible digital customer onboarding and delivery of digital financial services in light of social distancing measures, and notes that non-face-to-face onboarding and transactions conducted using trustworthy digital ID are not necessarily high-risk and can be standard or even lower-risk. 

In 2012, the FATF added the “verification of identity” requirement to the Recommendation 12 of the original FATF Forty Recommendations (July 1990), that requires the regulated entities to identify their clients “on the basis of an official or other reliable identifying document”. And the requirement is that identity evidence must be “independent” in addition to being “reliable”. At the same time, the 2012 revision took a more flexible, expansive approach to the types of identity evidence: not only source documents, but also digital data or information could be used for customer identification/verification. It also dropped the previous Recommendations’ explicit reference to “official identifying documents.” 

More flexibility after COVID-19

Taking into account the FATF Recommendations related to COVID 19, the FCA requires to continue to comply with applicable legal obligations related to CDD measures and onboarding process which include the customer’s verification. The amended Regulations add to the previous guidance, recognising the growing use of EIV and adding a further option to conduct EIV with a trusted service that is secure from fraud and misuse. The only eIDAS approved scheme currently available in the UK is GOV.UK Verify. 

The FCA expects that firms adopt the following measures which are described as flexibility rather than relaxation of requirements:

• accept scanned documentation sent by email, preferably as a PDF; 
• seek third-party verification of identity to corroborate that provided by the client, e.g. from their lawyer or accountant; 
• ask clients to submit digital photos or videos for comparison with other forms of identification gathered as part of the onboarding process; 
• place reliance on due diligence carried out by others, such as the client’s primary bank account provider, where appropriate agreements are in place to provide access to data; 
• use commercial providers who triangulate data sources to verify documentation provided; 
• use digital identity solutions to identify customers where a firm considers that the solution provides an appropriate level of assurance as to a person’s identity;
• gather and analyse additional data to triangulate the evidence provided by the client, such as geolocation, IP addresses, verifiable phone numbers; 
• verify phone numbers, emails and/or physical addresses by sending codes to the client’s address to validate access to accounts; and
• seek additional verification once restrictions on movement are lifted for the relevant client group.

While the FATF and the 5MLD stipulate that the electronic identification should be used wherever possible, it was believed that from 2020, EIV would become mandatory, at this moment this remains an evolving area.

The MLRs 2017 are not prescriptive over how businesses should adopt or use particular technologies, the HM Treasury started the review to consider the extent to which the MLRs 2017 allow for the adoption of new technologies by businesses in a responsible and appropriate way while meeting their obligations under the MLRs 2017.

Thus, the UK is on the way to identify whether there is a greater flexibility referred to above and is on the way to develop the ‘UK Digital Identity and Attributes Trust Framework’, which outlines the rules organisations should follow to use digital identity, including how to protect against fraud and misuse, and a framework for abiding by regulations like the MLRs 2017. 

In addition, the MLRs 2017 confirm that the explicit requirement, reflecting the FATF Recommendations, for firms taking reasonable measures to understand the ownership and control structure of their clients is not applicable to listed companies. 

Another standard CDD measures relied upon include requirements to report discrepancies in CDD data obtained from the third parties. Regulation 30A in the MLRs 2017 requires relevant persons to report to the registrar of companies any discrepancies between the information they hold about the beneficial owners of companies, as a result of CDD measures, and the information recorded by Companies House on the public companies register. This requirement applies at the onboarding stage, “before establishing a business relationship”, as stated in Regulation 30A(1). From 10 March 2022 proof of registration and discrepancy reporting requirements are extended to cover express trusts.