This is the third installment in a five-part blog series featuring high-risk countries and their regulatory efforts to combat Anti-Money Laundering (AML)/Counter-Terrorist Financing (CTF) crime.
Future installments will cover more details on the impact of new AML/CTF laws, regulations, and crime trends in the MENA, APAC, and EU regions specifically:
- United Arab Emirates (UAE)
- Russian Federation
- European Union
- Hong Kong, China
The United Nations Office on Drugs & Crime reports that “the estimated amount of money laundered globally in one year is 2-5% of global GDP, or $800 billion – $2 trillion in current US dollars.” Following the Anti-Money Laundering Act of 2020 (AMLA2020) being signed into law in the United States, the EU and its Member States are enacting similar legislation to combat money laundering and terrorist financing. This installment will discuss the requirements for banks and financial institutions to conduct identity checks for money laundering (ML) and terrorist financing (TF) and the Know Your Customer process.
Identity Checks For Money Laundering & Fraud Prevention in the EU
Identity checks are particularly important for banks and financial institutions to screen for money laundering, fraud, and past illicit financial activities. KYC, or Know Your Customer, is the process of verifying a customer’s identity to ensure they are providing accurate personally identifiable information (PII) as well as in order to understand their past financial behavior with previous institutions or money service providers.
The Know Your Customer (KYC) process helps to ensure that the financial institution’s services are not misused for identity theft, money laundering, and the funding of criminal organizations. kYC ensures that organizations are both compliant and that customers with a suspicious financial background are not approved for an account at the bank or financial institution.
Know Your Customer (KYC) Obligations in the European Union
There is a major push to develop interoperable identity documents across the EU because most Member States have their own independent regulations or procedures relating to KYC and identity verification specifically relating to video and remote identification.
Customer Due Diligence For Banks & Financial Institutions
DIRECTIVE (EU) 2015/849 or “4th AML Directive” set the stage and clarified important aspects of the EU’s stance on money laundering and counter-terrorist financing efforts including the obligations required for banks to make reasonable efforts to collect identity documents from new clients that meet specific criteria.
Article 13 of Chapter II set the basis for requirements of financial institutions (which since has been amended by the adoption of the 5th and 6th AML Directives which we will discuss later in this article):
“1. Customer due diligence measures shall comprise.. (a) .identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source.”(European Parliament)
The essential documentation required for a successful Know Your Customer process is as follows:
Proof Of Identity (POI):
- A UID/passport, driver’s license, or voter’s ID card
- A PAN (Permanent Account Number) card with a picture matching the customer
- A current ID card issued by the State
- Any valid Debit or Credit card issued by a bank
Proof Of Address (POA):
- A copy of utility bills such as electric bills with a verifiable address
- Visa/Driver’s License with a digital picture
- A copy of a registered sale agreement or lease for residence
- Any identification document in the name of one’s spouse
Proof of Income/Past Financial Activities
- Income Tax Returns
- Credit Report
- Paycheck Stubs or Bank Statements
A new client may attempt to use one or more of the above documents for identity verification and the key for a bank/financial institution to understand is the vulnerable nature of current identification documents in the EU and worldwide. Despite security innovations, fraudsters are sto;; engaging in many legacy techniques to fraudulently obtain access to a bank’s offerings.
ID Tampering & Fraud: Security Features & Common Criminal Typologies
One major challenge with identity document verification is forgery and tampering. EU passports, national IDs, and other identity documents are targets for savvy identity thieves and criminals. A strong aml compliance program includes ID tampering and fraud prevention strategies.
Regulators and law enforcement authorities continuously face threats (tampering, fraud, and identity spoofing) including:
- falsification by overprint
- adding a laser-engraved personalization
- simulating optical variable devices (OVD)
- grinding to access the core of a document
- Facial spoofing during remote eKYC activities
- high quality “intaglio printing” look-alike in fake passports
Methods typically used in tampering are:
- opening using heat, solvents, and tools
- adding a foil on top of the card with the impostor’s da
It is important for banks and financial institutions to be aware of these threats and illicit activities during kyc verification processes and attempt to discover and stop fraudsters whether the verification process is in-person or remote.
Remote Identity Proofing: eKYC, Liveness Detection, and EU-wide Identity Schemes
Advancements in technology and the COVID-19 pandemic have caused banks to pivot towards virtual banking and implement remote identity proofing/eKYC.
What is eKYC?
While kyc verification can be challenging, remote know your customer verification processes aren’t as detailed (especially in the case of eKYC). Electronic Know Your Customer (eKYC) has the same basic premise as traditional, in-person, KYC but it takes place remotely and usually has some restrictions. There are differences between in-person and remote kyc in that remote kyc, or eKYC in terms of opening a mutual fund account in the EU, has specific limitations such as:
- Limitation on deposit of funds (INR50,000 in some countries)
- Limited fund transfers without further submission of documents
- In some cases, limited functionality or access to platforms exist
The European Union is moving towards the idea of an interoperable digital ID where you can even manage your citizenship, open bank accounts, file your tax returns/ These eID’s will even allow you to launch a business from anywhere in the world.
BNM Issues Draft Rules on Financial Sector Use of Electronic KYC
A recent Exposure Draft of rules covering eKYC’s implementation in Malaysia was released by Bank Negara Malaysia (Central Bank of Malaysia).This draft applies to the following professional industries:
- Licensed banks
- Licensed life insurers
- Licensed Islamic banks
- Licensed investment banks
- Licensed family takaful operators
- Licensed money-changing operators
- Licensed remittance service providers
- Prescribed development financial institutions
- Approved non-bank issuers of designated payment instruments and designated Islamic payment instruments
Section 7.3 of the draft reads, “A financial institution shall ensure and be able to demonstrate on a continuing basis that appropriate measures for the identification and verification of a customer’s identity through e-KYC are secure and effective.” The two key elements to this section that jump out are: secure and effective. We will begin to discuss some of the threats with remote identity verification and attempts to eliminate fraudulent identification or ‘identity spoofing’ using liveness detection in the following section of this article.
Section 7.4 discusses balancing document requirements or eligibility with potential customer risk: “Afinancial institution shall adopt an appropriate combination of authentication factors when establishing measures to verify the identity of a customer being on-boarded through e-KYC. The strength and combination of the authentication factors shall be commensurate to the risks associated with inaccurate identification for a particular product or service.”
This highlights Malaysia’s commitment to undertaking stronger risk profiling and the use of innovative techniques to overcome the challenges relating to electronic KYC verification.
eKYC Challenges, Liveness Detection, & Facial Spoofing
eKYC brings with it unique challenges not just in the sense of applying varying requirements and obligations from regulators or deterring tampering of ID cards. Banks need to be able to use anti-spoofing technology such as liveness detection to thwart bad actors before they gain access to a bank’s precious resources.
Since the COVID-19 pandemic began, banks have had to adapt to the idea of a digital-first economy. Banks are now facing the challenges associated with stronger demand for access to funds from individuals, small businesses, and large corporations on the brink of disaster.
IDMerit Leverages Liveness Detection To Deter Biometric Spoofing Attacks
Bad actors are keen to take advantage of the banking system’s resource issue. Banks are turning to a tool known as Liveness Detection to counteract fraud during remote KYC verification. According to security firm Thales liveness detection is, “the ability of a system to detect if a fingerprint or face (or other biometrics) is real (from a live person present at the point of capture) or fake (from a spoof artifact or lifeless body part).” During remote kyc verification, liveness detection deters biometric spoofing attacks such as fingerprint molds or 3D masks made of silicone. This powerful anti-spoofing tool allows identity verification and document validation to run much smoother and take less time.
Anti-Money Laundering/Counter-Terrorist Financing Laws & Regulations in the EU
The European Union has placed into force a number of regulations and laws in the past two years including:
- Sixth Anti-Money Laundering Directive (AMLD6)
- Markets in Crypto Assets Regulation (MICA)
- Second Payment Services Directive (PSD2)
- General Data Protection Regulation (GDPR)
EU Directive 2018/1673 – Sixth Anti-Money Laundering Directive (6AMLD) Comes Into Force To Combat ML/TF Crime
On the 3rd of December 2020, Directive (EU) 2018/1673 of the European Parliament and of the Council of 23 October 2018 on combating money laundering by criminal law (also known as the “6AMLD”) came into force. Peter Mizzi, Compliance & AML Advisor at Camilleri Preziosi Advocates, commented on the Directive stating that it, “aims to enable financial institutions and authorities to do even more in their fight against money laundering (ML) and terrorism financing (TF), by closing gaps and loopholes in existing legislation, clarifying regulatory details and toughening criminal penalties across the EU.”
This directive brought about much more clarification and transparency in regards to the following areas:
- List of offenses: environmental crime and cybercrime added as offenses
- Money laundering: definitions of what constitutes money laundering were clarified
- Scope expanded: increased liability to allow prosecution of both individuals and businesses
- Stricter persecution & punishment: possible sentences expanded to four years as opposed to previous one-year terms
EU Commission Proposes Markets in Crypto-Assets (MICA) Regulation
Patrick Hansen, Head of Blockchain at Bitkom, and a Stanford Law School’s “RegTrax” blog Contributor for the European Union. Patrick states, “ The proposal is part of a comprehensive “Digital Finance Package,” which also includes other documents such as a “Digital Finance Strategy,” a “Retail Payment Strategy,” and legislative proposals for a “DLT Pilot Regime” and for more “digital resilience” in the financial sector. Once adopted and in force, the MiCA will be directly applicable law in all EU member states and regulate all issuers and service providers dealing with crypto-assets.”
The MICA Regulation’s objective is to accomplish the following:
- Establish specific rules for ‘stablecoins’
- Uniform rules for crypto-asset service providers
- Replace existing national frameworks applicable to crypto-assets not currently covered by existing EU laws
Despite the major changes, many crypto exchanges and banks do not have stringent identity verification or Know Your Customer procedures in place.
Directive 2015/2366/EU (Payment Services Directive 2 or PSD2) Brings Open Banking & AML Risks To EU Banks
Directive 2015/2366/EU (or PSD2) is an EU Directive that applies to payment services and is an attempt to reduce fraud and increase customer choice while not impacting the overall customer experience.
According to JPMorgan, “The European Union’s Second Payment Services Directive (PSD2) is driving change and innovation in the payments industry. The directive contains two key elements of particular importance for e-commerce merchants – Strong Customer Authentication (SCA) and the emergence of two types of new regulated payment providers designed to promote increased competition and innovation in banking and finance.” Privacy and customer experience are among the most critical aspects that drive new bank customers to complete the onboarding and signup process.
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) is a set of directives for the European Union (EU) which enhances the protection of personal data of EU citizens. It requires companies to comply with new rules that strengthen the data privacy and security of every individual within the EU. These rules are strict and include many provisions which increase the rights of data subjects. It also contains harsher penalties for violations.
Three concepts are important under the GDPR:
- Legitimate Interest
You can learn more about GDPR compliance on the IDMerit blog.
Future AML/CFT Trends in the European Union
- The European Commission’s new action plan
- European Banking Authority (EBA) initiatives
Headquartered in San Diego, California, IDMERIT provides an ecosystem of identity verification solutions designed to help its customers prevent fraud, meet regulatory compliance and deliver frictionless user experiences. The company is committed to the ongoing development and delivery of offerings that are more cost-effective and comprehensive than other solution providers. IDMERIT was funded by experts who have been sourcing data on personal and business identities across the globe for over a decade. This access to official and trusted data throughout the world has become increasingly important as companies find themselves completing transactions across borders as a standard course of business. www.idmerit.com