Customer due diligence and remote identification

What is customer due diligence?

Identification is the main element of the customer due diligence process that all financial institutions must perform at the onboarding stage and beyond. According to the FATF Recommendations this process includes the following elements:

Identifying the customer and verifying that customer’s identity using reliable, independent source documents, data or information;
Identifying the beneficial owner, and taking reasonable measures to verify the identity of the beneficial owner, such that the financial institution is satisfied that it knows who the beneficial owner is. For legal persons and arrangements this should include financial institutions understanding the ownership and control structure of the customer;
Understanding and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
Conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, their business and risk profile, including, where necessary, the source of funds.

In 2012, FATF issued Recommendations that require a risk-based approach to CDD, i.e. lower the ML/FT risks may allow for the less stringent CDD rules. This triggered the implementation of risk-based approaches to CDD. For example, in Germany, video identification is considered a face-to-face identification.

What is the identification process?

In the most common sense, identification determines that the client is the person he/she claims to be. The identification/verification process is the element of customer due diligence that requires the involvement of the customer (as opposed to, for example, monitoring operations and analyzing a pattern of customer-specific behavior), which may present a barrier for financial inclusion. In most cases around the world, the client still needs to physically come to the office of the financial institution and present an ID. The introduction of simplified or remote identification in such cases can significantly improve financial inclusion. However, when implementing such procedures, the regulator faces issues of the compliance with ML/FT risks, FATF Recommendations, security, and other practical issues. To address these issues, we developed the IVCid model (identification-verification-confirmation of identity).

What is the IVCid model?

Leading analysts of the REMA, Viktor Dostov and Pavel Shust, developed the IVCid model (identification-verification-confirmation of identity), that can be used to retroactively analyze the existing customer identification programs and devise new ones that can be used in face-to-face or non-face-to-face environment. The model is based on the FATF Recommendations and can be easily integrated in the FATF guidance. It includes three elements: identification-verification – proof of identity.

What is each element about?

1. Identification. At this stage, the financial institution collects information (name, date of birth, residential address, etc.). For example, it might look like this:

2. Verification. Verification within the IVCid model means verification of the information using a reliable independent source. The goal of verification is to make sure that the person with the said characteristics (name, date of birth, etc.) actually exists. For example, by verifying the authenticity of the original passport, or by checking data through government databases, credit bureaus, etc. There are also “exotic” options where the referee statements or even letters from a village representative are used.

3. Confirmation of identity. Although this step is often considered as a“supplementary step” to mitigate risks of impersonation, confirmation of identity is important in the IVCid model in the context of identity theft risks (espesially in non face-to-face environment). The verification procedure only confirms that the person exists. But it does not affirm that these particular data belong to the person.

There can be multiple ways to verify the identity of an individual. But they all seem to be based on the two-factor authentication. According to the EU’s Second Payments Directive, the two-factor authentication is defined as “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.

What to expect?

The increasing global attention to non face-to-face identification, including identification using digital ID systems, reflects the development of non-cash payments, fintech and digitalization. This year, the FATF issued a Guidance on Digital Identity, which “clarifies that non-face-to-face customer-identification and transactions that rely on reliable, independent digital ID systems with appropriate risk mitigation measures in place, may present a standard level of risk, and may even be lower-risk”.

Non face-to-face identification in Russia?

The Bank of Russia is currently implementing a Digital biometric identification. It is a solution that allows individuals to receive financial services remotely from different banks after they confirm their identity using biometric personal data (face and voice recognition).

Quarantine has showed the importance of non face-to-face identification systems. The Association is actively involved in the process of non face-to-face identification systems development. In particular, we work closely with the Bank of Russia on video identification issues, and we have developed and agreed on recommendation standards for video identification procedures for credit institutions within the Association.