To cite a few examples, the actual sighting of original
passports or identity cards, or seeking to get them certified by a
lawyer, notary, accountant or bank official, or even legalising a
certified copy by apostille are close to impossible these days.
These are, of course, just some examples, as CDD, in essence,
relies on the authenticity of documents. One could say that
traditionally, Malta, as a jurisdiction, tends to rely heavily on
documents in paper format, such as documents signed in original, or
original certified true copies thereof. However, this is not
suitable nowadays, especially in these current circumstances, and
particularly considering that medical practitioners are suggesting
that even paper should be ‘quarantined’ for between
seventy-two hours and five (5) days. Face-to-face business is also
no longer possible in the current circumstances.
However, as an alternative to the above, and not least to
facilitate matters in these challenging times, other possible
options in our law do exist, which, unfortunately, many subject
persons may not be fully aware of. The Implementing Procedures
Part I (the “Implementing Procedures”) issued by the Financial
Intelligence Analysis Unit (“FIAU”) specifically
provide for alternative measures subject persons may use in order
to perform CDD on their customers in the course of a business
relationship or when undertaking an occasional transaction, when
the customer is not present for verification purposes
(non-face-to-face). Although especially useful in the current
circumstances, these measures were actually introduced by the FIAU
way back in 2017 (27 January, 2017), and therefore well in advance
of the present pandemic. It is pertinent to briefly go through the
main measures put forward by the FIAU in section 4.3.1.2 of the
Implementing Procedures (previously section 3.1.1.2 (ii)(b) of the
2017 version of the Implementing Procedures).
Not having the applicant for business, or relevant person for
CDD purposes, physically present for verification purposes, whilst
not automatically presenting a higher risk of money laundering
(“ML”) and/or the funding of terrorism
(“FT”),1 does require the subject person to
implement such technological means within its systems to enable it
to address the risk of impersonation or identity fraud and thereby
significantly reduce the inherent risk arising from this form of
interaction with customers.2 Subject persons must, therefore,
bear in mind what verification of identity entails and assess
whether the electronic identification and verification measure/s to
be applied provide sufficient comfort that the customer exists and
that he/she is truly who he/she says he/she is. If the subject
person still has doubts about the customer’s identity, the
subject person should assess whether, in view of the other risk
elements of the relationship or transaction, additional or
different identification and verification measures or checks should
be carried out.
A. Verification on the basis of Documents
When the customer is not present for verification purposes,
subject persons would understandably only be in a position to
obtain copies of identification documents. With respect to other
documents that may be used to verify residential address, subject
persons are permitted by the Implementing Procedures to obtain
copies. The Implementing Procedures allow subject persons to verify
the residential address through the mailing of correspondence or
codes, i.e. by the mailing of correspondence via registered mail or
other mail courier service, or the mailing of codes generated by
automated systems to the residential address provided by the
customer.3 When subject persons avail
themselves of this measure to verify the residential address, they
are required to keep documentary evidence.
When receiving documentation in copy or scanned format, there
are a number of factors to determine the reliability and
suitability of that document for verification purposes. Subject
persons should therefore avoid accepting documents provided in
formats that are more susceptible to being tampered with (e.g.,
Microsoft Word or other word processor documents – e.g., .doc, .txt
or .rtf format) and should instead request copies in other more
tamper-resistant formats (such as .pdf format).
In low-risk business relationships or occasional transactions,
the provision of an identification document in copy would be
sufficient so long as no issues arise as to its authenticity or
reliability. However, where the risk of ML/FT is not low, subject
persons should consider applying additional measures to verify the
customer’s identity. The following are some examples, and each
must be seen in conjunction with the respective conditions laid
down in the Implementing Procedures:
i. requesting additional identification documentation -
through this measure, the identity details would be verified at
least twice based on multiple documents not issued from the same
source;4
ii. ensuring that the first payment or transaction into the
account is carried out through another account held by the
same customer in his/her name with a credit institution authorised
under the Banking Act or a financial institution authorised under
the Financial Institutions Act or otherwise authorised in another
EU Member State or a reputable jurisdiction.5 In this way, the
subject person would have a degree of comfort that the
customer’s identity would already have been verified by another
entity. E-money payments are not admissible in terms of this
option;
iii. requesting the customer to confirm automatically
generated codes or PINs before accessing the
service/account;6
iv. holding a ‘welcome call’ with the customer
through a verified home or mobile phone number and confirming
certain personal information or the details of the transaction to
be undertaken;7
v. using information that can be retrieved from a
customer’s device to corroborate certain personal details
provided by the customer (e.g., customer’s IP address or the
geo-location of a mobile phone to confirm residence);8
vi. sending a transfer of a small amount of funds to a
bank account held by the customer asking him/her to return the
funds or to indicate the value of that transaction;9
vii. requiring the customer to send a photograph
clearly showing his/her face and the image on the identity document
being held in the same picture to demonstrate that this actually
belongs to the customer – the subject person would be able to
compare the face, and the features of the customer’s face, with
that included on the identification document and therefore verify
that the identification document truly belongs to that
individual;10
viii. through video conference facilities – a video
call may be carried out after the customer would have submitted
copies of the identification or other verification documents to the
subject person (e.g., by e-mail) or by making this documentation
visible during the same video conference call. Checks to verify the
authenticity of verification documents presented through the video
call may either be carried out manually by the subject person or
automatically through the use of software, where this has embedded
within it the capability of carrying out these authentication
checks in an automated manner. Records of the video call are to be
kept as indicated in the Implementing Procedures;
ix. using specialised identity verification software,
which allows customers to upload facial images, video clips, and
scans of the identification documents and which carries out
authentication checks on these documents, as well as visual checks,
to compare the uploaded customer’s facial image with the image
appearing on the uploaded document.
When it comes to video conference calls, it is important for
subject persons to note that it is not just any software
that can be used for this purpose. Indeed, the Implementing
Procedures lay down a number of requirements that need to be
satisfied by the relevant software, including, for instance,
that:
a. the video call must allow the subject person and the customer
to make both visual and verbal
contact simultaneously;11
b. it should be of a sufficiently good quality to enable clear
verbal communication and to allow the subject person to clearly
visualise the customer’s face, as well as view the contents and
security features of identification documents produced by the
customer (where identification documents are being presented
through the video call);12
c. it should be capable of retaining at least an audio recording
of the video call or the entire video call itself, which includes
the entire conversation between the official of the subject person
and the customer;13
d. it should be capable of allowing the official of the subject
person to take screenshots during the video call, which must
include an image of the customer as well as the date and time
displayed by the video conference tool;14
e. when the identification document is produced by the customer
throughout the video call, screenshots of the identification
document (all relevant pages or sides) will need to be recorded.
The photographic evidence of identity as well as all the
information on the identification document must be clearly visible
and legible from the screenshots.15
To carry out some of the listed checks (e.g., to visualise the
security features of the identification document being
presented):
A. the customer should be asked to tilt the document during the
video call;16
B. the official carrying out this procedure must also examine
the image on the identification document (presented during the
video call or submitted to the subject person prior to the video
call) to ensure that it matches the customer’s visual
appearance as displayed during the video call, as well as the
details of the person produced on the identification document (such
as age and gender).17
B. Electronic Verification of Identity
The FIAU’s Implementing Procedures also permit subject
persons, should they wish, to verify the identity of the customer
remotely through electronic means. The following are modes through
which this can be done, all in conjunction with the respective
conditions set out in the Implementing Procedures:
i. Verification through the use of a commercial electronic
data provider – these commercial data providers may have
access to multiple data sources, such as electoral registers,
driving licence databases and passport identity registers. The
Implementing Procedures stipulate various criteria to be taken into
consideration; for instance, in choosing the commercial electronic
database, the subject person is to have regard to data protection
requirements and ensure that the provider is abiding by any
applicable data protection obligations;18
ii. Use of e-IDs – a number of jurisdictions have
developed electronic identification systems (i.e., systems that
allow an individual to provide evidence of his/her identity
remotely). Personal identification data is encrypted and is either
stored on electronic devices (e.g., electronic chips embedded in
identification documents, mobile phones, etc.) or is otherwise
accessed through the use of a set of credentials associated with
the given individual;19
iii. Verification of Identity Platforms – this is
carried out by engaging the services of a third party, i.e. through
an outsourcing arrangement that meets the conditions set out in
Chapter 6 (on outsourcing) of the Implementing Procedures. The
subject person can engage a third party to carry out the
verification process with respect to its customers. However, it
could also include the use of software solutions or platforms
through which individuals can have their identity verified and
which enables them to hold identification information, data, and
documentation through that solution or platform. Individuals may
then allow subject persons to access this identification
information, data and documentation to verify their identity, when
requesting the carrying out of an occasional transaction or the
establishment of a business relationship.20
While the electronic verification of identity procedures
contemplated by the FIAU in their Implementing Procedures require
the use of specialised commercial electronic databases that
satisfy the requirements of the Implementing Procedures, the other
verification of identity options are more readily available,
especially nowadays where more and more firms that may, prior to
the pandemic, not have been geared up for remote working are
increasingly becoming more ‘online’ in their presence as a
result of the current novel coronavirus pandemic.
The FIAU has recognised the challenges being faced by subject
persons in the current climate and, on 7th May 2020, it
published a guidance note, titled ‘COVID-19: Remaining
Vigilant against a Changing Criminal Landscape’, which
it made available on its website.
This document essentially provides guidance to all subject
persons on various obligations they must adhere to during the
current challenging circumstances brought about by the novel
COVID-19 pandemic. This guidance note is divided into three
parts:
A. an outline of some examples of the criminal impact of
COVID-19, i.e. a non-exhaustive list of different types of
illicit behaviour and new criminal activities and trends that are
being noted across Europe;
B. guidance on how subject persons may mitigate money
laundering and terrorist financing risks; and
C. a reminder to subject persons that the FIAU Implementing
Procedures Part I provide for remote onboarding
procedures, which, they suggest, can easily be resorted to
in the current circumstances.
According to the FIAU, since COVID-19 has drastically changed
the mode of doing business throughout the world, with most subject
persons, authorities, agencies, and businesses now working remotely
from home, and imposed social distancing measures restricting the
meeting of people, with a resultant surge in virtual meetings, the
traditionally used methods of identification and verification
procedures have become increasingly difficult, if not impossible,
to adopt. In its guidance note the FIAU reminds subject persons
that, utilised to their fullest, the FIAU Implementing
Procedures provide the flexibility needed for subject persons
to adapt to such changes while at the same time remaining effective
against ML/FT.
In fact, many subject persons may be unaware of the various
paperless options, provided in the FIAU Implementing
Procedures, that can be used to conduct a CDD exercise. Now is
indeed the time, more than ever, for subject persons to resort to
these alternative CDD measures, even to safeguard the health of all
those involved. The above options should increasingly be resorted
to, not only now due to the ever-changing COVID-19 measures and
restrictions, but even going forward as a new means of conducting
one’s CDD in the 21st century, where technological
developments are overtaking the more traditional methods, and where
everything is moving towards a paperless society. The advantages to
this are many: besides being more environmentally friendly, it is
less costly, more efficient, less bureaucratic, and a more
expeditious service.
Footnotes
1. Page 39 of FIAU Implementing Procedures, section 3.2.4.
2. Page 39 of FIAU Implementing Procedures, section 3.2.4.
3. Page 101 of FIAU Implementing Procedures, section 4.3.1.2(i), which cross-refers to section 4.3.1.1(i).
4. Pages 102-103 of FIAU Implementing Procedures, section 4.3.1.2(i).
5. Page 104 of FIAU Implementing Procedures, section 4.3.1.2(i).
6. Page 104 of FIAU Implementing Procedures, section 4.3.1.2(i).
7. Page 104 of FIAU Implementing Procedures, section 4.3.1.2(i).
8. Page 104 of FIAU Implementing Procedures, section 4.3.1.2(i).
9. Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i).
10. Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i).
11. Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i).
12. Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i).
13. Page 106 of FIAU Implementing Procedures, section 4.3.1.2(i).
14. Page 106 of FIAU Implementing Procedures, section 4.3.1.2(i).
15. Page 106 of FIAU Implementing Procedures, section 4.3.1.2(i).
16. Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i). Subject persons are invited by the FIAU to refer to Section 4.3.1.1(iv) of the Implementing Procedures for guidance on authenticity checks that may be carried out manually by the subject person.
17. Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i).
18. Page 108 of FIAU Implementing Procedures, section 4.3.1.2(i).
19. Page 109 of FIAU Implementing Procedures, section 4.3.1.2(i).
20. Page 109 of FIAU Implementing Procedures, section 4.3.1.2(i).
Originally published 12 May 2020