By Alice Tregunna, CEO, The TIC Company.
Ever Changing Electronic Identity Verification (EIV)
The regulators have issued another explanatory note to support reporting entities in understanding the expectations surrounding the use of electronic identity verification.
EIV refers to the practice of verifying a customer’s identity either remotely or non face-to-face.
It appears that for some there has been a misunderstanding around the use of EIV when trying to comply with their obligations under the AML/CFT Act. There are two components to EIV - with the second having at times been overlooked by reporting entities.
1. Confirmation of identity information via electronic source(s); and
2. Matching the person you are dealing with remotely to the identity that they are claiming.
What Electronic Source Can be Used to Identify Information?
When the supervisors are telling you that you have to use an electronic source they are referring to the underlying database where authenticated core identity information is held and against which an individual’s identity can be verified. As a general rule of thumb this will be a database that is maintained by a government body or pursuant to legislation.
The supervisors have felt the need to state in the most recent guidance that “an electronic source is not any of the following:
The person that the reporting entity is dealing with online who provides their biographical information.
A selfie photo or video received from the person being dealt with online, including audio-visual link or video conferencing technology.
An uploaded image of the person’s identity document(s).
An email, app or internet platform through which the reporting entity receives information or copies of identity documents.
The third-party provider (EIV Provider) that a reporting entity uses to conduct its EIV”.
Highlighting the misunderstandings across reporting entities as well as the dangers of irresponsible marketing, ‘fake news’ and ill-informed advice which is being peddled by some entities providing AML/CFT services.
Reporting entities are able to satisfy EIV requirements from a single independent source only when they can do so to a high level of confidence. Unsurprisingly, RealMe has been hailed as the only EIV source which verifies a person’s identity with a high level of confidence - as it biometrically matches a person’s photo and identity against New Zealand government records. If this ‘high level’ of confidence is met then you do not need to separately link the individual to their claimed identity.
As it stands at the moment - where RealMe is not being used the code does allow you to verify an individual’s identity from at least two electronic sources (that are reliable, independent and match each other):
The name and date of birth must be verified from one source; and
Only the name is verified on the second source.
Then you also need to match the person to the claimed identity they have presented whether biometrically or otherwise.
If you are using an EIV provider - make sure that they are confirming that the identity document is authentic and that it has not been tampered with in any way.
The supervisors have again flagged that video conferencing cannot be used as a method to link a customer to an identity. Remember that EIV is not CDD - it is not sufficient to only undergo an electronic identity verification process and onboard your clients you must ensure that you are completing all the requirements associated with customer due diligence.