Digital payments are growing at an annual rate of 12.7% and are projected to reach 726 billion transactions in 2020. As payment technology goes digital, money laundering methodologies are also changing. To manage those new threats, many financial institutions are considering digital identification measures as part of their AML/CFT solutions. Digital ID systems enable firms to identify their customers more accurately and efficiently but also entail new compliance considerations.
Responding to the growing potential of digital identity AML, the Financial Action Task Force (FATF) recently released guidance to help governments and financial institutions integrate digital identification into their compliance frameworks and ensure that their customer due diligence (CDD) and know your customer (KYC) measures remain effective.
The FATF’s guidance on digital identity verification serves as an introduction to its application in risk-based AML/CFT frameworks, including its role in CDD and KYC. The guidance covers terminology associated with digital ID AML, what constitutes “proof of official identity” in a digital context and how digital identities can be satisfactorily authenticated to FATF standards. The guidance also covers the record-keeping requirements associated with digital ID AML and how digital ID systems can play a role in financial inclusion efforts.
The FATF guidance includes examples of technology used to establish digital ID:
- Electronic databases, such as distributed ledgers
- Digital credentials
- Biometrics, such as fingerprint, face and voice recognition
- Digital application program interfaces (APIs), platforms and protocols that facilitate the identification and verification process
Utilizing that technology, the digital identity verification process comprises the following steps:
- Collection: Customers present their digital identity attributes, either in person or online, by filling out an online form, taking a selfie photo or uploading scans of official documents (passports, driving licenses, etc.).
- Validation: Firms inspect the digital or physical materials to establish their authenticity and accuracy.
- De-duplication: Firms establish that the new identity attributes can be assigned to a unique account in the digital ID system by conducting duplicate record searches.
- Verification: Firms link the identity attributes to a unique account using verification measures, such as biometrics and liveness detection.
- Enrollment and binding: Firms create the new account and bind the customer identity to it with a digital authenticator, such as a password or one-time code generator.
The FATF’s guidance identifies a range of advantages and disadvantages of digital ID systems.
Advantages: The FATF concludes that digital ID systems have significant potential within AML/CFT frameworks. If integrated correctly by government authorities and financial institutions, digital ID can improve the reliability, security and convenience of CDD and KYC processes, both during onboarding and as part of ongoing monitoring, by helping firms scrutinize the behavior of their customers more accurately and efficiently. Automated digital ID processes also minimize the potential for human error and speed up the proofing and verification process.
Disadvantages: The FATF guidance sets out a range of potential weaknesses in digital ID systems, acknowledging that many also apply to conventional CDD/KYC measures. These include the risk of identity theft or misuse of technology to introduce fraudulent identities into a system and the risk of cyberattacks or phishing attempts by criminals seeking to steal data or hijack identities. Connectivity to the internet and phone networks may also be an issue in certain contexts.
The FATF also points out that, because digital ID is a relatively new technology, digital ID systems could be vulnerable to a range of still-emerging technological threats.
The FATF guidance sets out a series of recommendations on the implementation of digital ID systems for every participant in the AML/CFT compliance process. The recommendations apply to financial institutions, service providers and authorities but also focus more generally on the risk-based approach to AML/CFT.
The FATF’s digital identity recommendations can be characterized as follows:
- The risk-based approach: The FATF recommends that authorities and firms take a risk-based approach to digital ID and evaluate the assurance levels that each digital ID system provides. After establishing the digital ID system’s assurance level, firms should determine its CDD/KYC reliability given the criminal risks they face.
- Record-keeping: The FATF recommends that firms ensure that financial authorities can obtain the information underlying their customers’ digital identities in order to facilitate money laundering investigations.
- Digital ID diligence: Firms should ensure that their digital ID KYC and CDD processes are robust enough to manage the AML/CFT risks that they face. Firms may be able to implement digital ID systems selected from a government-authorized list.
- Tiered ID systems: The FATF suggests that firms consider tiered digital ID systems that are sensitive to the level of risk that each customer presents. Digital ID systems with lower assurance levels may be used for simplified CDD, while a system with higher levels of assurance could be used for high-risk customers that require enhanced due diligence.
- Regulatory clarity: The FATF recommends that government authorities put clear digital ID regulations in place so that firms with AML/CFT obligations are able to integrate their digital ID systems within existing risk-based compliance programs effectively.
- Industry collaboration: Authorities should consider implementing digital ID mechanisms that facilitate cross-industry collaboration and information sharing between firms.
- Financial inclusion: Authorities should consider the ways in which digital ID can promote financial inclusion by removing obstacles to customer identity verification. Tiered digital IDs, for example, could make AML/CFT compliance easier and allow more firms to enter the financial sector.
The FATF recommends that digital ID service providers take steps to understand the AML/CFT requirements that apply to the regulated entities and jurisdictions that they serve. This means that service providers should perform assurance testing, seek government certification and provide authorities and financial institutions with transparent information about the services they offer.