Identification solutions that allow customer identification by taking pictures of ID documents and selfies of the user’s face do not comply with regulations about money laundering and terrorist financing (AML, Anti-Money Laundering), especially in the financial sector.

In this article, we will detail the reasons why these identity verification solutions do not comply with KYC procedures and AML law related to customer onboarding and authentication.

If you are interested in the new European Digital Single Market, download this free whitepaper.

Why selfie ID solutions are not KYC/AML compliant

Their low technical-security level, the weakness of the electronic proves provided at the KYC (Know Your Customer) process and the low reliability they perform in relation to the lack of integrity of them cause that this type of solutions does not fit to the requirements demanded by legislation and the various regulations.

Security level provided is poor, far from the required standards for formal customer identification according to the most demanding regulations in this area. A higher level of technical requirements in KYC/AML processes is required than the one shown at selfie-based solutions.

KYC/AML process security in the US

Given the multiple cases of fraud in KYC/AML processes, the US Department of Commerce, through the National Institute of Standards and Technology (NIST) defined a baseline on digital identity verification (NIST SP 800- 63A), which establish three security levels for registration and proof of identity verification, which are classified as low (IAL1), medium (IAL2) and high (IAL3).

High level (IAL3) is equivalent to face-to-face identification and is suitable for online/remote account creation. This level requires human intervention and needs a high-resolution continuous video transmission.

Solutions that take images/selfies are included in the medium level of security (IAL2) as long as they are combined with other high-level evidence on the identity of the person, beyond the images taken from the identity document and the recording of the user’s face. These cases are usually invoices, address, or background checks of information about the identity of the person.

Second level is insecure, inefficient and unreliable. In the European Union, for reasons of privacy and security, as opposed to what happens in the Anglo-Saxon world, these methods are not allowed for many reasons at any risk level. In addition, the difficulty in the processing of personal data is a problem to be processed with the express consent.

KYC in Europe: AML & eIDAS

As we have stated previously, there are no non-face identification procedures in Europe that allow the use of identity verification solutions based on simple images or selfies.

AML5 Directive, together with the eIDAS Regulation of trust services, establish the regulatory framework for KYC/AML processes in Europe.

This creates the regulatory framework that allows the adoption of Video IDentification for processes of new contracting of services and opening accounts completely online and secure, thus homogenizing the European Digital Single Market.

eIDAS establishes different levels of security (from low to substantial and high) in electronic identification, also in electronic signature.

AML5, or 5AMLD, relies on eIDAS security framework for remote customer identification.

The European Commission has worked more than twelve years in the qualification to validate the solutions that comply with eIDAS and in the levels of security in electronic identification and esignature. Similarly, it relies on local standardization bodies and Conformity Assessment Body (CAB).

To ensure that a Video IDentification solution is valid, the CABs perform an audit and issue a Conformity Assessment (CAR) report. If you wish to adopt a KYC/AML solution, you must request a CAR from the software provider to confirm that your solution is audited, certified and eIDAS/AML regulations compliant.

Countries such as Germany have developed additional guidelines. Where appropriate, the first Technical Guideline, called TR-03147. This Technical Guide establishes security measures for remote identification of clients exclusively by video and through identity documents.

Even so, even before the entry into force of AML5 and eIDAS, many European Union member states already had regulators about non-face-to-face identification authorizations that allowed to use video-streaming technology.

KYC/AML regulatory entities

Both in Europe and the rest of continents, certain regulatory entities that set the standards in KYC/AML procedures and remote customer identification stand out.

Europe:

  • BAFIN (Bundesanstalt für Finanzdienstleistungsaufsicht) – German regulator.
  • FMA (Financial Market Authority) – Austrian Regulator.
  • FINMA (Swiss Financial Market Supervisory Authority) – Swiss regulator.
  • CSSF (Commission of Surveillance du Secteur Financier) – Luxembourg Regulator.
  • BdP (Bank of Portugal) – Portuguese regulator.
  • FCIS (Financial Crime Investigation Service under the Ministry of Interior) – Lithuanian Regulator.
  • SEPBLAC (Executive Service for Money Laundering Prevention) – Spanish Regulator.

Latin America:

  • CNBV (National Banking and Securities Commission) – Mexico Regulator.

Asia:

  • MAS (Monetary Authority of Singapore) – Singapore Regulator.
  • FSC (Financial Services Commission) – Korea Regulator.
  • FSA or JFSA (Japan Financial Services Agency) – Japan Regulator.
  • HKMA (Hong Kong Monetary Authority) – Hong Kong Regulator.

All procedures/authorizations developed by these entities can be found publicly online.

Secure Video IDentification Solutions for KYC/AML

Video-streaming is becoming the standard for online customer identification. There are two types of solutions:

  • Synchronous solutions: video-conference by an agent who conducts the online client interview, identity verification and documentation
  • Asynchronous solutions where a video-recording is made in streaming, guaranteeing the control and integrity of the video recording process by the obligated subject and subsequent offline verification by a qualified agent.

Both solutions can be combined depending on the need for its use. Usually, video-conferencing (synchronous) is used for a consultative sale in which a new customer is acquired and asynchronous video (Video IDentification) is more common in customer acquisition processes that require agility in the process and in which a fast and fluid experience is offered (online bank account opening process, for example) but just as safe as face-to-face identification. An example of a safe and simple solution is VideoID.

If you want to know which solutions are KYC/AML compliant, do not hesitate to download this guide.