Three things the new FATF digital ID guidelines confirmed for me

Thoughts from advisory board member, David Birch

In the midst of the global pandemic, in which identity, money, and risk management have found their way to center stage, the Financial Action Task Force (FATF) provides welcome direction by publishing new guidelines around digital ID to encourage governments and financial institutions to use a risk-based approach and to “encourage the use of a simplified digital customer onboarding”. The new guidelines provide direction on how to tackle the challenges of operating a business in the COVID-19 era whilst remaining alert to “new and emerging” risks.

Don’t let the 100+ pages and the bureaucratic language put you off: this is actually pretty interesting stuff!

The FATF is the global inter-governmental money laundering and terrorist financing (ML/TF) watchdog that develops recommendations and standards that more than 200 countries and jurisdictions are committed to implementing for a coordinated global response to prevent organized crime, corruption, and terrorism.

Emerging trends realized

The President of the FATF, Xiangmin Liu (who is the Director-General of the Legal Department at the People’s Bank of China), writes in the new guidelines’ introduction that the recommendations highlight the benefits of trustworthy digital identity for improving the “security, privacy and convenience” of identifying people remotely for both onboarding and conducting transactions while managing the ML/TF risks.

FATF’s position supports key trends that were already in place before the virus upended daily operations.

  • The new guidelines have a lot in common with the EU’s Fifth Anti-Money Laundering Directive (AMLV), as they recognize that there is a role for digital onboarding beyond convenience or necessity.
  • They highlight that automated digital onboarding can reduce human error and improve outcomes for all.
  • They reinforce that tiered due diligence in an appropriate risk framework can accelerate financial inclusion.

Local practices can strengthen global standards

Since the FATF made their new recommendations, regulators around the world have responded with strong support.

United Kingdom

In the UK, for example, the Financial Conduct Authority (FCA) issued a letter noting that while organizations have to meet their obligations under the relevant regulations (in this case, the UK’s Money Laundering Regulations 2017), they can be flexible. Now, some of this flexibility is a little old school (allowing people to send scanned documents as PDFs by e-mail instead of producing original documents, for example, is what I label “digitized identity”) but some of it is, I think, a considered and sound response to the new environment. The FCA will accept “third-party verification” (where a lawyer or accountant corroborates data) and, in a step towards the federated digital identity of the future (the “financial services passport” that I have been going on about for years), organizations can rely on CDD performed by other organizations (the example given is the obvious one of the customer’s primary bank account provider) and on commercial providers who “triangulate” data sources to verify documentation.

Hong Kong

Similarly, the Hong Kong Monetary Authority (HKMA) issued a letter that noted that “the provision of remote account opening and the use of financial technology will provide significant opportunities to manage some of the challenges presented by the current situation, especially the community efforts on social distancing.” This reminds us that digital onboarding has a role to play in keeping society safe beyond its traditional context in ML/TF prevention.

Canada

It is also interesting to see how these new guidelines fit with the approach already adopted by some regulators. In Canada, for example, the Financial Transactions and Reports Analysis Center (FINTRAC) recently published its own guidelines on digital onboarding that specify (in Section 2A) that when an individual is not physically present, the authenticity of a government-issued photo identification document must be determined by using a “technology capable of assessing the document’s authenticity” and that financial institutions must determine if the individual presenting the identity is indeed the person identified. Royal Bank of Canada has just launched its new digital onboarding mobile app that complies with these new guidelines.

Identity is integral to an inclusive world

Implementation of these new guidelines includes recommendations for digital ID service providers who offer services to regulated entities that are the subject of actual FATF rules. The guidelines are:

  • Understand the ML/TF requirements for Customer Due Diligence
  • Seek assurance testing and certification by governments or their approved expert bodies
  • Provide transparent information about assurance levels to the regulated entities that they serve

As a passionate believer that digital identity, done right, can create a more inclusive world, I think that point about assurance levels answers criticism around financial exclusion.  The report says that a flexible approach around risk can “facilitate the implementation of tiered CDD and delayed identity verification”. In other words, marginalized people with limited identification possibilities can obtain access to some basic financial services. Of course, high-risk behavior, such as online gambling, will continue to require instant identity verification to a much higher standard.  Both approaches are important in the context of our current situation, given the increase in digital consumption and the delivery of governmental stimulus packages in response to the pandemic.

The recommendations themselves contain some other interesting provisions. If a business is provided with a government-approved digital identity (e.g., eIDAS in Europe) then verification is accepted. However, if you are provided with a non-government approved digital identity then your business must either undertake an “assurance test” or have a third party do it for you. The level of assurance can be varied so that in areas where there are lower risks, lower assurance digital identity verification is acceptable (I’m a tech guy, so I suspect that only a lawyer can interpret this). Furthermore, where there are risks of financial exclusion, organizations can be more flexible (by, for example, using third-party verification as per the FCA letter). This could be critical in many jurisdictions where government stimulus payments to both individuals and businesses can be held up, subverted, or even diverted because of the lack of digital identities.

The silver lining

None of us who champion digital identity as an integral factor in the new economy would have wanted to reach this pinnacle through a pandemic. But the fact of the matter is that the response to the current crisis, and the preparation for the next one, will bring digital identity to the top of the strategic agenda for individuals, businesses and governments alike. We (the identity industry) have the opportunity to respond with cost-effective and efficient solutions that deliver both privacy and security as well as access to the benefit of all stakeholders.
