My money laundering news alerts have been very, very quiet in the past fortnight – not for one moment do I think this means that money laundering has stopped, or even decreased markedly, but understandably businesses and law enforcement agencies need time to adjust to new ways of working, and AML is just not top of the agenda at the moment. (Not that it often is, except during rare spikes of interest when we’ve had a ginormous laundering case in the news.) But one AML-ish topic that is generating a fair amount of discussion is the acceptability or otherwise of verification of client identity at a remove.
Of course, there have always been clients who are identified remotely – online casinos never meet their players, and even more traditional businesses like banks now offer online services to clients who never set foot in a branch. But it has been generally accepted, using the risk-based approach to AML, that “non-face-to-face client” will be a trigger for a higher risk rating and suitably enhanced due diligence. Businesses are now having to recalibrate to a situation where – ironically – meeting a client face-to-face is far too risky, and therefore the remote client is the new standard risk proposal. As I posited in my previous post (don’t say that too quickly), how will we undo staff and client expectations when life goes back to normal – will clients who have become used to remote verification be even more ticked off than usual when we ask them to call in with their passports? “You believed me when I was sitting at home in my pyjamas and Zooming you – why won’t you believe me now?”
Talking of Zoom, yesterday the Guernsey Financial Services Commission addressed this very issue, issuing detailed guidance on when video calling can be used to verify the identity of individuals. Crucially, the point is made at the end that “a firm is required to periodically review the identification data it holds on a business relationship to ensure that it is accurate and remains relevant [and] the Commission would expect these reviews to include a determination that verification of an individual via video remains appropriate and relevant in light of the activity over the business relationship and the risks associated with that relationship”. In other words, when it’s back to business as normal, a video chat with someone may well no longer cut the AML mustard.
Of course, video ID – as it is sometimes called – was around pre-pandemic. I have found a terrific article on it by two German lawyers, who make the frightening point that you might not be talking to the client in real-time but have been duped into conversing with a clever recording. In order to check the client’s “liveness”, you should “request specific actions of the person to be identified (e.g. blink the left eye twice)”. I reckon we could have some fun with this, perhaps drawing on “Candid Camera” for inspiration.
Susan, Hope you are keeping well and the garden must be close to immaculate by now!! Interesting! At least GFSC have tried to say something constructive, the other island regulatory has simply advised that as face to face is not available there are other methods of verifying ID! Of course no one in the industry will have ever realised that before.
It’s an interesting contrast: the garden is indeed immaculate, but the house is a tip. And yes: it is (nearly) always good when a regulator gives detailed guidance rather than a general statement (of the bleeding obvious).
My guess is that our current “enforced remote working” will be an accelerator for all kinds of digitalisation. (I suggested over on LinkedIn that everyone is getting used to online services, and disruptors are gaining a load of experience in delivery and scaling. https://www.linkedin.com/pulse/piecing-business-together-again-mark-cardwell).
Regulators may of course choose to be conservative, but we’ve already got online identification and address verification for UK bank accounts. The slightly stricter German version which requires a video interview is interesting – but already that can be done by API – solarisBank offers KYC-as-a-service.
Travel was already going out of fashion; now face-to-face contact has become problematic. Look out for much more “remote presence” tech. Watch too for ever-increasing use of additional data sources, and a fight for who collects and analyses that data.
“Remote presence” – that may be our new compliance buzzword! That said, it’s something my male relatives have been practising for years – body in the room but mind elsewhere…
Slightly off the subject Susan, you’d have had a heart attack watching ‘The Gambler’, 2014 version set in Los Angeles. Rich mother goes into bank and withdraws $250,000 in cash – the clerk is a bit concerned but hands it over upon production of passport. Rich mother’s son walks into a casino, unchallenged, with the $250,000 and blows it all on blackjack.
The latest warnings: https://www.ft.com/content/a12f4c23-d485-436b-9690-41b117c95ac0
New guidance for UK accountants on CDD during the pandemic (thanks to John in Ireland for spotting these for us): https://www.icaew.com/-/media/corporate/files/technical/legal-and-regulatory/money-laundering/coronavirus-guide-aml-responsibilities.ashx?la=en
And their guidance on other matters COVID-ish: https://www.icaew.com/-/media/corporate/files/regulations/aml-supervision/covid-19-outbreak-aml-responsibilities-of-accountancy-practices.ashx?la=en