Risk-Based Approach
Before adopting e-KYC or remote onboarding, regulated entities are expected to take a risk-based approach to these technologies and put in place the following:
- Updated policies and procedures in line with the new e-KYC method and remote on-boarding technology. The updated policies and procedures must cover instances when the new technology fails or is not available.
- A formal risk assessment of the new technology, ensuring the accuracy and reliability levels are adequate for the jurisdiction, product, customer and any other relevant risk factors.
- An updated customer risk assessment, to ensure that the firm is comfortable that such methods (based on its risk assessment of the customer) are appropriate and, where applicable, consider the application of tiered customer due diligence.
- Adequate record retention systems that will allow CIMA to obtain from the new technology the underlying identity information and evidence needed for identification and verification of individuals.
- Appropriate anti-fraud and cybersecurity measures to support e-KYC and digital ID systems, such as authentication systems for CDD.
- Procedures for the regular, ongoing and independent review of the new systems and their effectiveness.
Ongoing Obligations
When the decision has been made to utilise e-KYC or remote onboarding, regulated entities will also be expected to:
- Apply and document a risk-based approach. When establishing a new business relationship and the new or potential customers is not physically present at the place where the relationship is being established, the FSP is expected to determine and document that e-KYC being used is appropriate in the circumstances;
- Put in place appropriate controls during the e-KYC process to verify the identity and authenticity of the ID documents presented;
- Where appropriate, have eligible introducers or suitable certifiers who have met the customer provide that confirmation; and
- Where a regulated entity has assessed a customer, product, service or originating jurisdiction as higher risk for AML compliance, the entity should conduct additional verification measures to ensure the accuracy of the e-KYC methods.
Video Conferencing and Selfies
Video-conferencing is expressly listed in the revised guidance as a way to identify natural persons (such as directors, ultimate beneficial owners and settlors) during on-boarding and confirm their identify where the customer is a corporate legal persons or legal arrangements (trusts and foundations). As video conferencing is not a ‘face-to-face’ meeting, additional checks are required.
In circumstances where the FSP is unable to verify official formation or constitutional documents during video-conferencing or via other electronic means, they must seek alternative measures to verify the documentation presented.
CIMA will be satisfied with the use of a selfie photographs as long as the photographs are in colour and clearly show the person’s face, holding the identity document in the same photograph to demonstrate it actually belongs to that person. A clear, scanned colour copy or photograph of the identity document itself should also be provided.
How CAN APPLEBY help?
The latest AML guidance imposes increased compliance requirements. Appleby can help regulated entities utilising these new technologies to:
- conduct and document a revised business risk assessment and a revised customer risk assessment covering remote onboarding and ongoing monitoring;
- refresh existing AML policies and procedures to reflect the new requirements on e-KYC and digital ID technologies; and
- update internal AML training manuals and materials.
Please do not hesitate to contact a member of Appleby’s regulatory team to discuss.