Anti-money laundering compliance World-Tour: Key identity verification regulations 

Introduction

Money laundering and the financing of terrorism for a long time have posed substantial dangers to the financial systems of countries around the world. The picture becomes clear even if we look at the European Union, which is sometimes perceived as having one of the toughest legal regimes in the field of prevention of money laundering and terrorist financing. The EU Commission in the Impact Assessment Accompanying Anti-Money Laundering Package refers to Europol data indicating that around 1% of the EU’s annual Gross Domestic Product may be involved in suspicious financial activities and transactions. However, the scale of money laundering is even more terrifying when looking at the issue at large. The United Nations Office on Drugs and Crime estimates that around 2% to 5% of the worldwide annual Gross Domestic Product is involved in money laundering. 

Therefore, it does not come as a surprise that preventing money laundering activity is a serious and complex issue, being a priority for regulators, law enforcement agencies, and supervisory authorities worldwide. For credit and financial institutions, as well as other persons subject to the anti-money laundering regulations, this means including appropriate risk-based procedures is crucial. Implementation of appropriate customer due diligence allows timely detection and reporting of suspicious transactions and ensures regulatory compliance of the obliged entities. The price for ignorance can be devastating, not only for financial institutions but also for the economy as a whole.

Guardians of finance: role of financial institutions

In the quest for anti-money laundering compliance and safeguarding of the financial system against money laundering, the most important role has justifiably been afforded to financial institutions. This stems from the simple idea that the financial institutions’ compliance with anti-money laundering and terrorism financing legislation is a determining factor in preventing illicit money flows.

This role however carries a substantial weight as financial institutions must always stay on top of regulatory developments. Besides that, it also mandates financial institutions to ensure implementation of the effective KYC process. We have explored in the previous blog the meanings and importance of concepts such as AML compliance, CDD measures, and KYC processes. The points discussed in the previous blog bundled with the rapid digitalization of financial services make it clear - that anti-money laundering compliance must start from smooth and compliant remote identity verification.

Intent

In this overview, we aim to address how countries approach regulating the identity verification requirements, and equip you with bits of knowledge on how it may affect you. This can help if you are trying to understand the Bank Secrecy Act, have doubts about finding appropriate KYC measures for a specific country, or often question how to approach compliance where your business operates.

While this overview may come in handy when assessing your internal controls or conducting compliance risk assessment, it is important to acknowledge the plurality and complexity of anti-money laundering frameworks of different countries. Therefore, this overview should not be assumed to holistically draw the applicable requirements onto your business. Just as requirements differ from country to country, there are differences in applicable requirements depending on the scope of the financial service provided.

United States

The challenge of understanding the Bank Secrecy Act is common for many operators who want to provide their services in the US. However, to understand what the Bank Secrecy Act means to your business, we first need to acknowledge the purpose of the Bank Secrecy Act. The Bank Secrecy Act was issued to enable the Department of the Treasury, its bureaus, and other authorities regulating the financial service sector to impose a range of requirements on financial institutions and other businesses to help detect and prevent money laundering. Therefore, if you are a financial institution operating in the US, you should look at the implementing regulations of your supervisory authority, rather than the Bank Secrecy Act.

While there are separate regulations published by the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the National Credit Union Administration, in this overview, we focus on the regulations published by the Financial Crimes Enforcement Network (also known as “FinCEN”), as they hold relevance for a wide range of financial service businesses doing business in the US. They are well-positioned to explain the common approach the US regulators have towards financial institutions' due diligence requirements.

Identity verification requirements overview 

FinCEN regulations are codified in the Code of Federal Regulations in Title 31, Chapter X. Although rules for each type of financial institution are separate and vary, there are quite a few common steps that financial institutions can take before deep-diving into their specific applicable requirements. 

Firstly, different financial institutions must develop, test, and implement the anti-money laundering program, based on policies, internal controls, and procedures, all designed to prevent the facilitation of money laundering and terrorist financing the the use of financial institutions’ services. 

The anti-money laundering programs must, among other things, include appropriate risk-based procedures for conducting customer due diligence, particularly identity verification. For example, financial institutions are mandated to collect the identifying information of their customers, which is typically composed of (i.) full name, (ii.) date of birth, (iii.) address, and (iv) identification number, and reasonably verify the accuracy of these pieces of information. 

United Kingdom

Regulatory framework overview

In the UK, the primary legislation dealing with financial institutions anti-money laundering obligations is The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“UK AML Regulation”). Within the UK AML Regulation, the financial institutions should pay particular attention to Part 3, which brings together requirements for the customer due diligence process. To enable financial institutions to understand the expectations that regulators’ have for the appropriate risk-based procedures to address the dangers of money laundering and terrorism financing, there are additional materials, such as the FCA Handbook and the JMLSG Guidance for the UK Financial Sector, which can be of great help. The JMLSG Guidance are great practical tool to verify your firm's compliance, as even though it is not the law as such, it is often taken into account by the courts and FCA when evaluating whether the financial institution properly implemented and complied with their anti-money laundering requirements

Identity verification requirements overview

While the UK AML Regulation establishes the requirement to perform the identity verification requirements, financial institutions are welcome to dive into the JMLSG Guidance to understand.  The Guidance provides an extensive insight into the minimum requirements that financial institutions need to comply with when it comes to identity verification. For example, it specifies the minimum information required to collect when identifying customers, such as (i.) name, (ii.) address, and (iii.) date of birth. The obtained information needs to be verified either against government-issued documents or suitable electronic means that allows achieving the same level of certainty and security as if it was verified face-to-face.

Australia

Regulatory framework overview

In Australia, the regulation of money laundering and terrorism financing prevention for financial institutions comes from the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and accompanying Rules Instrument 2007 (No. 1). The financial institutions may find useful the resources provided by the Australian financial supervisory authority, AUSTRAC, who issued comprehensive explanatory guidance on the obligations and application of requirements for the financial institutions. This resource succinctly outlines the main regulatory duties that financial institutions need to consider to stay compliant, and can be consulted on the demand before diving into the legislation.

Identity verification requirements overview

A notable part of AUSTRAC’s guidance is that it includes explanations on how businesses should approach the identity verification process. Financial institutions at a minimum must collect their customers (i.) full name and either their (ii.) address or (iii.) date of birth and verify the information using reliable sources, which can be documentary (for example government-issued identity documents), electronic (for example Document Verification Service) or a mix of the two.

Brazil

Regulatory framework overview

The Brazilian anti-money laundering and terrorism financing regulatory framework is governed by Law No. 9,613 of 3 March 1998, often referred to as the cornerstone of the Brazilian regime. This law criminalized money laundering and outlined specific duties and obligations for financial institutions and other industries. These include requirements to implement appropriate internal controls, conduct customer identification, and report suspicious transactions to authorities. Whilst different regulatory authorities are supervising various segments of the financial service industry, we would like to take a glimpse into one of such instruments that we consider impactful for most of financial institutions.

Identity verification requirements overview 

The specifics of identity verification in Brazil stem from segment-specific regulations, such as Circular No. 3,978 of 23 January 2020 which is relevant to any financial institution supervised by the Central Bank of Brazil. The Circular requires financial institutions to conduct identity verification in a three-step procedure. Firstly, businesses need to identify the customer by obtaining (i.) full name, and (ii.) registration number in the Individual Taxpayers’ Registry (known as “CPF”). For customers who reside abroad or are not required to register and obtain CPF, additional data is required instead of CPF. After that, companies must verify the identity using reliable sources and “qualify” the customer, which is the process of classification of customer’s risk profile. During the qualification process, businesses need to obtain and verify the information about the customer's address, as well as understand the nature and scope of economic activity that customer will perform using the financial service offered by the business.

Canada

Regulatory framework overview

In Canada, the ultimate source of truth regarding businesses’ money laundering and terrorism financing prevention practices is the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. The Canadian financial supervisory authority, FINTRAC, has also developed a more important and perhaps practical source to help financial institutions meet their regulatory obligations. The FINTRAC Guidance to PCMLTFA and its implementation therefore stands out as invaluable resources for businesses providing financial services in Canada, and should address the concerns that financial institutions have when trying to achieve compliance.

Identity verification requirements overview 

The FINTRAC Guidance here yet again comes very handy by explaining distinct methods through which financial institutions may identify and verify the information about the customers in the way that satisfies the requirements of the Canadian law. The most commonly used method revolves around verifying the customer on the basis of the government issued identity document. If the financial institution chooses this method they need to obtain customer’s (i.) full name, (ii.) date when identity was verified, (iii.) the document type, (iv.) unique document identifier (for example, document number), (v.) the place where document was issued, and (vi.) the expiry date of the document. It is important to acknowledge that FINTRAC allows financial institutions to use this method both in face-to-face setting or remote by using technological solutions, such as Veriff.

Germany

Regulatory framework overview

The German financial institutions should be quite familiar with the Money Laundering Act (Geldwäschegesetz – GwG). Section 3 of the Money Laundering Act stands out with its importance for financial institutions looking to understand the applicable customer due diligence requirements. The German financial regulatory authority, BaFin, also publishes a range of supporting materials to assist financial institutions. These materials shed light on many aspects of financial institutions’ compliance from suspicious transaction reporting to mapping the appropriate risk based procedures for conducting customer due diligence.

Identity verification requirements overview 

When it comes to identity verification requirements, many financial institutions perceive the German regulatory framework as quite strict. The businesses are mandated to inquire extensively about their customers by collecting their (i.) full name, (ii.) place and date of birth, (iii.) nationality, (iv.) address, (v.) type, number, and issuing authority of identification document. Importantly, the BaFin has authorized financial institutions to perform remote identity verification through the live video interview process regulated by the Circular 3/2017 (GW). Currently, Germany is in the process of reviewing the Circular to allow financial institutions to use more technological tools to meet their regulatory requirements.

Spain

Regulatory framework overview

The Spanish regulatory framework laying down rules for customer due diligence is predominantly based on the Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing and accompanying Real Decreto 304/2014. These laws lay the foundation for comprehensive anti-money laundering and financing of terrorism prevention measures. They apply to a wide range of sectors, including financial institutions, lawyers, and dealers in high-value goods. 

Identity verification requirements overview 

Spain is exemplary in identity verification regulation, offering a comprehensive approach. For the beginning, financial institutions need at minimum to collect the information, such as (i.) full name, (ii.) date of birth, (iii.) type, number, and country of issue of the identification document, and finally (vi.) country of residence and nationality. Then to properly verify the identity, financial institutions should use the methods specified in Article 12 of the Law 10/2010 which enables Spanish supervisory authority, SEPBLAC, to issue regulations on proper remote identity verification methods. One example of such methods is the Autorización de procedimientos de vídeo-identificación which authorizes financial institutions to use technological solutions, such as Veriff.

How Veriff can help?

Veriff assists customers in navigating the complex terrain of regulatory and compliance obligations with cutting-edge identity verification technology. In industries where knowing your customer (KYC) and anti-money laundering (AML) regulations are stringent, Veriff's solutions streamline the verification process, ensuring that businesses can remain compliant with local and international laws. By employing advanced AI and machine learning algorithms, Veriff automatically verifies the authenticity of documents and the identity of users, reducing the risk of fraud. This not only fortifies trust and safety online, but also significantly diminishes the legal and financial repercussions associated with non-compliance.

Frequently Asked Questions

1. Why is proper identity verification important for compliance with anti-money laundering laws?

As we explained in our previous blog, there is an inherent interdependency between AML compliance, CDD process and KYC measures. Identity verification is fundamental to compliance, as without it, businesses cannot satisfy the CDD process, negating AML compliance.

2. What are the challenges businesses face in mapping their AML obligations?

The main challenges stem from the fact that different countries have variable approaches, and compliance in one country often does not equal to compliance in another. This means businesses need put significant efforts in mapping out their compliance needs per each country, taking into account the applicable laws and services provided. 

3. What are different regulatory approaches countries take to regulate AML?

We are aware of two broad approaches that countries can take when deciding on how the regime will be set up. The first approach is to have a uniform authority who supervises AML compliance of all financial institutions established in the country. 

The second approach involves different authorities supervising specific parts of financial institutions. In such countries, banks and insurance providers, for example, may be supervised by different regulators for their AML compliance. While the overarching AML law is the same for both, AML regulations and regulatory approaches may differ.

3. How can technology improve AML compliance?

Technology such as AI and machine learning can be a very useful assistant to financial institutions’ compliance needs by relieving many painpoints. With the help of our AML and KYC compliance solution, you can ensure that your customers are who they say they are. Our AI-powered tool makes identity verification fast and simple, without compromising compliance and identity fraud prevention. With our tool, you can show regulators that you take financial crime and compliance seriously.

To learn more about how we can help make sure that your business stays compliant, schedule a consultation with our experts today.

Please note that Veriff does not provide legal advice. This article is provided for informational purposes only. You should always discuss your anti-money laundering controls and compliance framework with a qualified legal counsel or AML specialists.