Company Name: iSignthis
Announcement Date: 28/06/2016
Announcement Category: Other
Announcement Content:
CySEC released earlier this week a new directive on customer due diligence, covering the remote verification of customers.
I've written this article based upon our internal analysis of the directive (guidance); the below is an outline and is not intended as legal advice.
I'm pleased to report, however, that iSignthis provides solutions that meet or exceed the requirements in the guidance, and that we utilise a number of the approaches outlined by CySEC in the iSignthis verification approach.
The "Directive DI144-2007-08(A) of 2016 regarding the prevention of money laundering and terrorist financing" provides excellent guidance regarding remote verification, and offers some new alternatives consistent with UK, Swiss and German practice. It also seriously raises the bar with regards to CDD requirements for CIFs.
Whilst the directive introduces electronic verification, it is NOT of the type that UK operators would be familiar with, because of its requirements on real-time updates, alerting and the quality of the data.
Documents
CySEC has confirmed that documents must be either originals or certified true copies in their physical form, directly addressing the bad practice of some CIFs who have been using uncertified copies uploaded by end customers as the sole basis for identity verification.
CySEC does, however, require uncertified copies of documents to be uploaded in support of any of the following enhanced due diligence methods.
Remote Verification Elements
The following methods can be used to verify a customer's identity, with CIFs needing to assess each on a risk-based approach, together with the quality and reliability of the source data or information.
1. An authenticated transaction from an EU or equivalent-jurisdiction financial institution, drawn from an account in the customer's name. The iSignthis process confirms the source account and name, as well as proving "control" of the account.
2. Confirmatory evidence from a financial institution of the customer's name, address and passport (or presumably other identification) details. The iSignthis process captures, screens and validates bank statements that are linked to item 1 above.
3. Confirmation of a home or office telephone. (We have asked CySEC to confirm whether mobile is considered either or both.) iSignthis verifies mobile (and optionally landline) numbers via automated means.
4. Video conference with the customer, provided that the conference is recorded with high-quality static frames of the identity documentation. This is consistent with the BaFin and Swiss regulator approaches. We question how practical, scalable or economic this approach is for a standard process, given that it will require a trained officer to conduct each interview. We do see the benefits of this approach for exceptions handling and audit.
5. Physical mail-out of a postcard to the customer's address, requesting the customer to confirm a one-time code printed on the mail-out. This is something iSignthis has explored in the past, but the 7-10 day minimum turnaround generally makes this awkward, except as a genuine fallback.
6. Electronic verification, but not the UK way! The directive requires that ALL of the conditions are met, as summarised below.
- Electronic databases must conform with EU privacy/data laws in how they are sourced, and be registered with an EU data protection agency. Not particularly difficult, you might think, but consider that PayPal fell foul of this for its Turkey operation (Turkish law requires data to be stored in Turkey) last month, and lost its financial licence there. iSignthis is registered with the Cypriot, Netherlands and UK data protection agencies.
- Electronic databases need to show current and historic evidence that the person exists. They must contain both positive information (at least full name, address and the client's date of birth) and negative information (e.g. commission of crimes such as identity theft, deceased persons files, and inclusion on sanctions lists and restrictive measures of the European Union and the UN Security Council). Whilst on the face of it this appears to be fine, and there are a number of providers that should be able to offer this, the negative checks are worth querying.
- Electronic databases must contain a wide range of sources with information from various time intervals, which are updated in real time (real-time update) and send notifications (trigger alerts) when important data change. Databases with a "wide" range of sources from "various time intervals" that trigger alerts on changes will prove challenging for most vendors.
- The CIF has made suitable enquiries or investigated the accuracy of the data and their results, and assessed their significance in relation to the degree of certainty with respect to the control of the customer.
- Establishment of procedures that allow the CIF to record and store the information used, and the results must be authenticated.
The above (which are set out in paras 1 (b) (1) (iv) and (v) of the directive) will be interesting in practice, as they start to require quality and consistency of data that is not addressed by the UK regime. The directive has incorporated and drawn from global best practice elements from regulators outside the EU.
Data Integrity
The directive requires that CIFs establish procedures to satisfy themselves as to the quality, completeness, validity and reliability of the information to which they have access. The directive also requires that the review process includes both positive and negative information.
For example, at iSignthis we use data and metadata derived directly from payment transactions as our source, and we have adopted the following practice for evaluating payment data against the quality, completeness, validity and reliability requirements:
- Security: Data sourced via the payment network is secure. The integrity of the payment message is considered secure, through application of PCI DSS requirements or interbank transfer protocols.
- Accuracy: The origin of the issuer is known via either the Issuer Identification Number (IIN) on the card, or via the interbank transfer protocols.
- Recency: The source is considered reliable because the account is active at the time the iSignthis process is initiated, and the check is not based on historic data that may no longer be accurate or may have been compromised.
- Comprehensiveness: The data source is considered to have implemented its own initial and ongoing PEP and sanctions screens, and to revoke lost, compromised or stolen accounts immediately upon notification by the account-holding customer.
- Reliance basis: The data is maintained by the issuer pursuant to legislation, and we ensure that the issuer is not located in a sanctioned jurisdiction, does not itself appear on any sanctions list, and meets any 'equivalency' requirements set out in the regulation under which our client operates (e.g. the Banking Act); and
- Authentication: Knowledge-based authentication is used to verify that the person presenting the transaction is the person to whom the presented account was issued.
2+2 ID&V
Finally, the information must be derived from two or more sources, which is accepted practice globally for electronic verification. At a minimum, the electronic means must meet the following correlation model:
1. Locating the full name and present address of the client from one source, and
2. Locating the full name of the client and either that address or the client's date of birth from a second source.
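As an added illustration of the correlation model above (example code, not iSignthis code and not text from the directive), the following Python encodes the two-source rule over constructed sample records. The source names, the exact-match normalisation of names and addresses, and the applicant record are assumptions; the one point the rule itself implies, and which the code enforces, is that the two matches must come from distinct sources, so a single source that happens to hold name, address and date of birth does not satisfy the check on its own.

```python
"""Minimal 2+2 correlation check (added example; not iSignthis code).

Rule, as summarised in the article:
  1. one source yields the full name AND the present address;
  2. a second, distinct source yields the full name AND (the same address OR the date of birth).
All records below are constructed sample data, not real persons.
"""
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Applicant:
    full_name: str
    address: str
    date_of_birth: str          # ISO 8601, YYYY-MM-DD


@dataclass(frozen=True)
class SourceRecord:
    source: str                 # hypothetical source identifier, e.g. "credit_bureau"
    full_name: str
    address: Optional[str] = None
    date_of_birth: Optional[str] = None


@dataclass
class Correlation:
    passed: bool
    primary_source: Optional[str] = None
    secondary_source: Optional[str] = None
    reason: str = ""


def _norm(text: str) -> str:
    """Strip accents, lowercase, and collapse punctuation/whitespace so that
    'JANE Q. PUBLIC' and 'Jane Q Public' compare equal. Exact match after
    normalisation is an assumption; production systems usually add fuzzy matching."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def names_match(a: str, b: str) -> bool:
    return _norm(a) == _norm(b)


def addresses_match(a: Optional[str], b: Optional[str]) -> bool:
    return a is not None and b is not None and _norm(a) == _norm(b)


def correlate_2plus2(applicant: Applicant, records: List[SourceRecord]) -> Correlation:
    """Return a passing Correlation only when a primary source confirms name+address
    and a *different* source confirms name plus address or date of birth."""
    primaries = [r for r in records
                 if names_match(r.full_name, applicant.full_name)
                 and addresses_match(r.address, applicant.address)]
    if not primaries:
        return Correlation(False, reason="no source confirms full name and present address")
    for p in primaries:
        for r in records:
            if r.source == p.source:        # second leg must be an independent source
                continue
            if not names_match(r.full_name, applicant.full_name):
                continue
            dob_ok = r.date_of_birth is not None and r.date_of_birth == applicant.date_of_birth
            if addresses_match(r.address, applicant.address) or dob_ok:
                return Correlation(True, p.source, r.source,
                                   "name+address from primary; name plus address/DOB from secondary")
    return Correlation(False, primaries[0].source, None,
                       "no independent second source corroborates the name with address or date of birth")


# Constructed sample data (hypothetical applicant and sources).
APPLICANT = Applicant("Jane Q. Public", "12 High St, Limassol 3025", "1980-05-17")
RECORDS = [
    SourceRecord("credit_bureau", "JANE Q PUBLIC", address="12 High St., Limassol 3025"),
    SourceRecord("electoral_roll", "Jane Q Public", date_of_birth="1980-05-17"),
    SourceRecord("telco", "Jane Public", address="12 High St, Limassol 3025"),  # name differs: not usable
]

if __name__ == "__main__":
    result = correlate_2plus2(APPLICANT, RECORDS)
    print(result)
    # A single source holding everything is not enough on its own:
    print(correlate_2plus2(APPLICANT, [RECORDS[0]]))
```

In the sample data the credit bureau record supplies the name-plus-address leg and the electoral roll record supplies the name-plus-date-of-birth leg, so the check passes; restricting the input to the credit bureau record alone, or adding a second record from the same source, fails it, which is the property the directive's "two or more sources" wording is there to guarantee.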
The CySEC requirements appear to go beyond those of the UK's JMLSG, which in turn means that UK 2+2 vendors are unlikely to be able to offer an "out of the box" solution. That's probably not a bad thing: the UK model was designed on the premise that "PII data is private", and identity theft, hacks, breaches, social engineering and self-disclosure (e.g. social media) have long since nullified that premise. Authentication means, real-time updates and comparative analysis are therefore now a necessary requirement.
Compliance via iSignthis
We welcome enquiries from CIFs or entities in other jurisdictions with regards to how we can assist with your customer due diligence requirements. CIFs, please contact Andrew Karantzis to discuss how iSignthis can assist you with customer due diligence.
Announcement URL: https://www.linkedin.com/pulse/cysecs-2016-customer-due-diligence-directive-bar-john-karantzis?trk=hb_ntf_MEGAPHONE_ARTICLE_POST
About iSignthis:
Australian Securities and Frankfurt Stock Exchange listed iSignthis Ltd (ASX : ISX / FRA : TA8) is the only neobank focussed on making business banking simpler. We are the global leader in remote identity verification, payment authentication and payment processing to meet AML/CFT requirements. iSignthis provides an end-to-end on-boarding service for merchants, with unified deposit taking, IBAN accounts, payments, card acquiring and identity service via our Paydentity and ISXPay® solutions.
By converging payments and identity, iSignthis delivers regulatory compliance to an enhanced customer due diligence standard. We offer global reach to any of the world’s 4.2Bn ‘bank verified’ card or account holders, that can be remotely on-boarded to regulated merchants in as little as 3 to 5 minutes.
iSignthis is the trusted back office solution for regulated entities, allowing our customers to stay ahead of the regulatory curve and focus on growing their core business.
We are a principal of Visa, Mastercard, JCB, ChinaUnionPay and AMEX.
Announcement Contact: [email protected]