The problem of confirming identity without face-to-face meetings during the COVID-19 pandemic has brought digital systems for the verification of identity into focus, and may well accelerate the transition from paper based to digital systems as the default means of verifying identity.
This piece explores the recent steps undertaken by the JFSC and the GFSC, the framework established by the FATF, and how the industry has responded.
Click to view article
The problem of confirming identity without face-to-face meetings during the COVID-19 pandemic has brought digital systems for the verification of identity (“Digital ID”) into focus, and may well accelerate the transition from paper based to digital systems as the default means of verifying identity.
The Guernsey Financial Services Commission (“GFSC”) and Jersey Financial Services Commission (“JFSC”) have for several years officially recognised that regulated firms may, subject to appropriate safeguards, use digital means to meet their anti-money laundering / countering the financing of terrorism (“AML/CFT”) obligations to verify the identities of their customers. In doing so, they have taken their lead from the Financial Action Task Force (“FATF”) – the intergovernmental body whose 2012 recommendations are the accepted international standard on AML/CFT – and followed by many other regulators around the world.
Helpfully, both regulators updated their AML/CFT Handbooks for financial services businesses in recent years (in line with FATF recommendations) to expressly provide for Digital ID. The GFSC Handbook, for example, states that “electronic verification [of identity] can be used to verify all or any combination of the mandatory [identification] data points” (that is, name, date or birth, address, place of birth and nationality), and goes on to provide some useful guidance on the kinds of controls that might be incorporated into a Digital ID system to verify these details, which firms should take into account in assessing the extent to which they are able to rely on a given system.
Similarly, in 2019 the JFSC updated its Handbook to say “Evidence of identity can take a number of forms. In respect of individuals, much weight is placed on identity documents and these are often the easiest way of providing evidence as to someone’s identity. It is, however, possible to be satisfied as to a customer’s identity by obtaining other forms of confirmation, including independent data sources, E-ID and, in appropriate circumstances, written assurances from obliged persons.”
Following these changes and, at the height of the first wave of the pandemic in July 2020, the JFSC issued the JFSC Shared KYC Utility Report. In the debate as to whether this should be a government sponsored utility or a private sector this comment is interesting to note: “One of the downsides of developing a shared utility is that it would be likely to undermine the diversity of supplier and approach which creates a significant element of resilience in Jersey’s financial system. The global competition and compliance standards advantages of a utility would need to be substantial to outweigh the potential harm to a burgeoning market of providers of digitised on-boarding services in order to justify the interference in the market involved in building a Government-sponsored utility.”
However, later in the report the outcome of the Working Group set up to consider this (consisting of administrators, law firms and international banking groups) concluded that a “Shared KYC Utility” is to be preferred to reduce friction for customers and enable data sharing between regulated firms. Unfortunately, the Working Group was unable to agree on either a government-led or industry-led model to go forwards.
The recommendation of the report was really to kick the can down the road and that “Jersey should not be a “leader” in this space” but reconvene an industry group in a years’ time, albeit that the Government of Jersey should continue to scan the horizon to consider “whether the jurisdictional landscape has evolved and if not, whether the thoughts and aspirations of Industry have changed since this review. Such meetings should focus on identifying any evidence of developments in technology and legal frameworks for holding and sharing data as are likely to provide a good model for Jersey in developing a utility”.
Such a model may be on the horizon. On December 29, 2020 the Hong Kong Monetary Authority launched the iAM Smart which provides all Hong Kong residents with a single digital identity and authentication to conduct government and commercial transactions on-line. iAm also supports digital signing for statutory documents and commercial contracts. Jersey’s government has used Yoti - a digital ID service used by the UK government and other institutions - for accessing some government services.
Back in Jersey neither the revisions to the Handbook, nor the report helps business solve the tricky choice of which is the right technology to rely on.
In Guernsey, current indications are that the GFSC would prefer to leave the development of any such utilities to industry. There are, however, proposals under consideration to bring CDD platforms (which are currently largely unregulated) within the scope of Guernsey’s regulatory framework, and in so doing ensure that they are subject to certain minimum standards.
In addition to the guidance in the GFSC and JFSC Handbooks, local firms looking to adopt Digital ID would do well to consider the guidance of the FATF, published in March 2020, which offers a “technology neutral” position, but which sets out a framework for an approach to issues around Digital ID:
- Understand the basic components of Digital ID systems.
- Take an informed, risk-based approach to relying on Digital ID for CDD, including understanding a chosen system’s “assurance levels” (i.e. the degree of assurance that a given Digital ID system provides in identifying and verifying the identity of a subject) and ensuring that those levels are appropriate to the money laundering / terrorist financing risks of the cases in relation to which such system is to be used.
- Consider whether Digital ID systems with lower assurance levels may be sufficient for simplified due diligence in lower risk cases.
- Consider reviewing and revising policies that automatically classify non-face-to-face business as high risk to the extent that Digital ID may be used to reliably identify and verify the identities of customers.
- Where appropriate, leverage anti-fraud and cyber-security processes to support Digital ID (for example, anti-fraud authentication systems might feed into ongoing monitoring for CDD purposes).
- Ensure access to, or a process for authorities to obtain, the underlying identification data and supporting evidence.
Before adopting a given system, firms in both Islands will need to ensure that they have undertaken (and documented) a risk assessment of the system in question and updated their policies and procedures accordingly.
It will be interesting to see how the approaches of the GFSC and the JFSC continue to evolve in the years to come. In the meantime, it is likely that regulators will be watching the progress of the iAM Smart system in Hong Kong with interest.