The Covid-19 pandemic has raised money laundering and terrorist financing (AML/CFT) risks. National regulators (see Communication of the National Bank of Belgium), the European Banking Authority (« EBA ») and the Financial Action Task Force (« FATF ») have issued official statements (link – link) encouraging financial institutions to remain vigilant in order to detect and report transactions, funds and facts suspected of being related to money laundering or terrorist financing.
Confinement or strict social distancing measures made more complicated to apply customer due diligence and risk assessment. With this in mind, FATF has proposed a range of measures to enable financial institutions to use a risk-based approach to their customer due diligence. Such measures include the use of financial technology (please also see the FATF Guidance on Digital ID) or applying simplified due diligence measures where lower risks are identified.
This article provides a broad outline of the Belgian legal aspects of one of the technologies mentioned by FATF: distance identification and video transmission allowing for remote identification.
1. Legal framework
The legal framework regarding AML in Belgium consists primarily of: (i) the Act of 18 September 2017 on the prevention of money laundering and terrorism financing and the restriction of the use of cash (the « AML Act« ), which implements the Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing (the « Fourth AML Directive« ), and (ii) the Regulation of the National Bank of Belgium (the « NBB« ) of 21 November 2017 on the prevention of money laundering and terrorism financing and the restriction of the use of cash(the « AML Regulation« ).
2. Identification and verification requirement
The entities subject to the AML Act (the « Obliged Entities« ) must identify and verify the identity of their customers, their customers’ representatives and their customers’ beneficial owners:
- when establishing a business relationship;
- when carrying out an occasional transaction, whether that transaction is carried out in a single operation or in several operations which appear to be linked, that:
- amounts to 10,000 EUR or more; or
- constitutes a transfer of funds as defined in the EU Funds Transfer Regulation No 2015/847 or money remittance, exceeding 1,000 EUR or regardless the amount, when the Obliged Entity receives the funds concerned in cash or by means of anonymous electronic money;
- when there is a suspicion of money laundering or terrorist financing;
- when there are doubts about the veracity or adequacy of previously obtained customer identification data.
3. Identification requirements
The Obliged Entities must obtain relevant information from their customers, their representatives and the beneficial owners in order to distinguish them from any other person with reasonable certainty, taking into account the identified risk profile.
For natural persons, the relevant information that must be obtained is:
- the name;
- the first name;
- the date and place of birth;
- to the extent possible, the address. It should also be noted that the EU Funds Transfer Regulation No 2015/847 requires the customer’s address to be verified by the payment service provider of the payer before being sent together with the funds to the payment service provider of the payee.
Where the risk identified on the basis of the individual risk assessment is low, the Obliged Entity can limit the information to be obtained. The information obtained must however remain sufficient in order to distinguish the person from any other person with reasonable certainty.
Where the risk identified is high, the Obliged Entity must apply enhanced due diligence measures. In particular, the Obliged Entity must make sure that the information obtained, and the supporting documents, will enable it to distinguish the person from any other person in an indisputable manner. Where necessary, further information must be obtained.
4. Distance identification
The Obliged Entities must check the ID information obtained against one or more supporting documents or reliable and independent sources which can confirm this information in order to have a reasonable degree of certainty regarding the identity of the persons involved, taking into account the identified risk profile.
Neither the AML Act nor the AML Regulation lists the supporting documents or the reliable and independent sources of information that can or should be used to fulfil the verification requirement. In this regard, the NBB requires the Obliged Entities to include a correlation table of the supporting documents accepted for each risk class in their internal procedures relating to the customer and transaction due diligence measures, as well as a list of the circumstances in which certain supporting documents need not be submitted. This table/list should be based on an assessment of the level of reliability of each supporting document or source of information. Where appropriate, the level of reliability required may be the result of the combined use of two or more supporting documents.
In case of non-face-to-face verification of natural persons, the NBB provides, in its Explanatory Memorandum to the AML Act, further guidance regarding the supporting documents or the reliable and independent sources of information that can or should be used when the identification and verification of natural persons is done remotely.
In standard risk-situations:
- It is recommended that the identity of natural persons is verified using his valid official identity documents such as his identity card or, where appropriate, his passport.
The NBB considers that the identity can be verified remotely through the information registered on the microprocessor of the Belgian electronic identity card. The NBB notes, however, that this means of verification may be less reliable than a face-to-face verification as it does not allow for a visual check using the photograph included in the supporting document to ensure that the person using it is indeed its legitimate holder. It could therefore be necessary to systematically verify the legitimacy of the document presented by consulting https://www.checkdoc.be. Furthermore, an Obliged Entity using this method of verifying the identity should implement measures that enable it to ensure that the objective of the AML Act (i.e. to have a reasonable degree of certainty regarding the identity of the persons involved) will be met notwithstanding the lack of a visual check, where appropriate by implementing an additional verification measure.
- Taking into account the provisions of the EU Regulation n° 910/2014 on electronic identification and trust services for electronic transactions in the internal market and of Commission Implementing Regulation n° 2015/1502, the identity of the persons involved can be verified using the electronic identification means referred to in these European regulations.
- The Obliged Entities are also allowed to make use of innovative technology to verify the identity of the persons involved. The AML Regulation requires that the acceptance of new technologies as instruments for verifying the identity must be based on a prior analysis conducted by the Obliged Entity itself of the reliability of such instruments with regard to the objective set out in the AML Act, i.e. checking all or part of the identification data collected against one or more supporting documents or reliable and independent sources of information which enable this data to be confirmed, in order to have a sufficient degree of certainty regarding the identity of the persons involved. The NBB expects this analysis to be correctly documented and retained so that it can be transmitted to it at its request.
- The NBB considers that a photocopy or electronic image of a supporting document (particularly the identity card or passport) of the person concerned is not as reliable as the original supporting document itself and therefore cannot be accepted as such as a sufficiently reliable supporting document in standard-risk situations. However, by producing both a simple copy or electronic image of the identity card or passport of the person concerned and another supporting document, the reliability of the verification could be increased. In that case, the Obliged Entity providing for such a dual method for verifying the identity of the persons concerned should be able to demonstrate that it has obtained an adequate overall level of reliability of the verification in this manner.
Furthermore, Article 28 of the AML Act grants the Obliged Entities the right to indirectly access the National Register to corroborate a copy of a supporting document and to verify the identity of the persons concerned (i.e. customers, their agents and their beneficial owners) where these persons are not physically present during their identification.
In high-risk situations:
The internal procedures should only authorize the use of the supporting documents accepted in standard-risk situations that are deemed the most reliable or, where appropriate, require the use of a combination of these supporting documents. When verifying the identity of natural persons, the NBB recommends to only use supporting documents including a photograph of the person to be identified, and to require a visual check in order to ensure that the person presenting the supporting document is its legitimate holder.
When the financial institution authorises the use of “electronic identification means” issued in accordance with European legislation on the subject (see above) in high-risk situations, the NBB expects it to tighten the terms and conditions for the application of this authorisation.
In any case, the financial institution should establish its list of supporting documents or sources of information that are accepted to verify the identity of the persons involved in high-risk situations based on a thorough analysis of the reliability of these verification tools that enables it to demonstrate that their high level of reliability is appropriate in view of the high level and the nature of the ML/FT risk incurred.
In low-risk situations:
Financial institutions’ internal procedures may reduce the amount of identification data that should be collected for the identification of persons involved in low-risk situations compared to the data required by the Law in standard-risk situations. However, the information collected should remain sufficient to enable the person concerned to be distinguished from any other person with reasonable certainty. For instance, the last and first name of a legal person or the corporate name of a legal person cannot reasonably be considered information that need not be collected. As this identification data alone does not suffice to eliminate an increased risk of homonymy, the NBB considers that, even in situations with low ML/FT risk, financial institutions should collect at least one additional item of identification data in order to reduce this risk of homonymy.
5. Video identification
On 23 January 2018, the European Supervisory Authorities’ (ESA)’s issued an Opinion on the use of innovative solutions by credit and financial institutions in the customer due diligence process, which sets out a number of factors that should be considered when the Obliged Entities are using or intending to use innovative technology for the purpose of the identification and verification requirement. These factors relate to oversight and controls; quality and adequacy; reliability; delivery channel risks; and geographical risks.
With regards to video identification, the Opinion provides that the Obliged Entities should at least consider the following factors:
- Is there a risk that the customer’s image visible on the screen is being tampered with during the transmission? The Obliged Entities must have sufficiently robust controls in place to prevent or reduce such risk. These controls may include the following:
- a feature whereby a customer is required to have a live chat with an administrator who has received specialized training in how to identify possible suspicious or unusual behavior or image inconsistencies;
- a built-in computer application that automatically identifies and verifies a person from a digital image or a video source (e.g. biometric facial recognition);
- a requirement for a screen to be adequately illuminated when taking a person’s photograph or recording a video during the identity verification process;
- a built-in security feature that can detect images that are or have been tampered with (e.g. facial morphing) whereby such images appear pixelated or blurred.
- Is there a risk that an ID document displayed on the screen by a customer during the transmission belongs to another but similar-looking person? The Obliged Entities should ensure that the innovative solution contains built-in features that enable it to identify any discrepancies, or that staff responsible for the identify verification during the transmission have been trained to spot situations where the person on the screen looks different from the person on the ID document.
- Are controls in place to ensure that identity documents produced during the transmission have not been altered (i.e. changes made to data in a genuine document), counterfeited (i.e. reproduction of an identity document) or recycled (i.e. creation of a fraudulent identity document using materials from legitimate documents)? The Obliged Entities should have sufficient controls in place to prevent or reduce the risk of these breaches, which may include one or more of the following:
- built-in features which enable them to detect fraudulent documents on the basis of the documents’ security features (i.e. watermarks, biographical data, photographs, lamination, UV-sensitive ink lines) and the location of various elements in the document (i.e. optical character recognition);
- features that compare the security features ingrained in the identity document presented during the transmission with a template of the same document held in the Obliged Entity’s internal identity document database;
- limiting the type of acceptable identity documents to those that contain:
- high security features or biometric data including finger prints and a facial image (e.g. e-passports and e-ID);
- a qualified electronic signature created in line with standards set in EU Regulation No 910/2014 (especially relevant where a customer is a legal person);
- a feature that links the innovative solution with trade registers or other reliable data sources such as the company registration office database; or
- a feature that adjoins the innovative solution with the government-established customer due diligence data repository or the notified e-ID scheme as defined in the EU Regulation No 910/2014, if the scheme’s assurance level is classified as substantial;
- where the verification is not based on a government-issued identity document, to the extent permitted by national law and commensurate with the AML risk, features that allow Obliged Entities to verify the information received from their customers against a combination of multiple reliable and independent sources (including, but not limited to, government registers and databases), which can be supplemented with data mining and social network analysis, IP address analysis, and location or device analysis.
The Obliged Entities must keep, using any type of record-keeping system, the identification data and a copy of the records or the result of checking an information source which are necessary to comply with the identification and verification requirement. These records must be kept for a period of 10 years after the end of the business relationship with the customer or after the date of an occasional transaction.