New EBA Guidelines on AML Risk Factors and How It Can Impact Customer Verification

Published by Yana on

Two new regulatory documents came about in early 2020 with respect to AML and KYC requirements, and they generated a number of speculations, second-guessing and urban legends: the EBA Guidelines Draft and the updated JMLSG "Prevention of Money Laundering" regulation.
 
Let’s first talk about the EBA Draft Guidelines JC 2019 87 on “Money Laundering Risk Factors”.
 
First of all – it is clear that collecting a copy of the ID document from natural persons, or corporate documents from legal entities, is technically not required as long as the identity (or legal identity) can be verified using a source that is reliable and independent from the customer (for example, a population register or another credible electronic database).


Here are some quotes:
 
4.26. Firms must verify their customer’s identity and, where applicable, beneficial owners’ identity, on the basis of reliable and independent information and data, whether this is obtained remotely, electronically or in documentary form.

4.27. Firms should set out in their policies and procedures which information and data they will treat as reliable and independent for CDD purposes. As part of this, firms should consider what makes data or information reliable.

In most cases, firms should be able to treat government-issued information or data as providing the highest level of independence and reliability.

 
Non-face to face situations
 
4.32. …  firms may choose to use electronic or documentary means, or a combination thereof, to evidence their customers’ identity; but firms must make sure that this evidence is based on data or information from reliable and independent sources.

4.34. Firms that use an external provider, rather than develop their own innovative solution in-house, remain ultimately responsible for meeting their CDD obligations....
...
[What is important when an external vendor is used]:
  • sufficient range of data from different sources and across time, having regard to the following elements in particular
  • electronic evidence based on a customer’s passport is unlikely to be sufficient in a non-face to face context without accompanying checks to ensure that the customer is who they say they are, and that the document has not been tampered with; and a single data source or a single point in time is unlikely to be enough to meet verification standards in most situations
  • is contractually bound to comply with duties required by their agreement and binding norms of Union Law and national law, and to inform the firm immediately should anything change; and
  • operates transparently, so that the firm knows at all times which checks were carried out, which sources were used, what the results were and how robust these results were.  

My tentative conclusions from the EBA Draft Guidelines:
  • It is not required to collect ID copies as long as the source used for ID verification is “reliable and independent”, and whenever the vendor uses a governmental source, that source is considered “reliable”.
  • Whenever a vendor is not using a government source (e.g. they use data of a banking or a telecom partner), there is a need to do a separate assessment of whether or not their data are reliable.
  • There is no specific explicit requirement to use more than one source to verify each data point (especially if you rely on governmental official data); however, in addition to verifying the customer's identity it’s necessary to verify that the person being verified is actually your customer (impersonation risk) – e.g. by using 2FA with a one-time code, fraud management tools, liveness tests, address verification, etc.
  • The EBA Guidelines (similar to AMLD5, actually) do not specifically focus on address verification or proof of address collection, which hopefully confirms my long-standing conviction that utility bills have never prevented any financial crimes and that in our day and age address verification becomes more and more redundant. Practically speaking, I do expect that regulators will focus less and less on the accuracy of address verification and more and more on the nature of customer activities and technical transactional data.
 
P.S. If you don't have the time to keep up with ever-changing regulations to make sure your internal policies are kept up to date, consider using my Compliance Policies Templates designed specifically for the FinTech industry.