Businesses must understand the various money laundering and terrorist financing risks to which they are exposed to and apply anti-money laundering (AML) and counter financing of terrorism (CFT) measures. This allows businesses to apply measures proportionate to the level of risk, such as ensuring the use of reliable and independent identity verification resources to an extent that would ensure mitigation of these risks.
It is an AML/CTF obligation to collect and verify customer KYC information to ensure customers are whom they claim to be. You must use reliable and independent documentation or electronic data (or a combination of both) to verify information about the customer and beneficial owner(s). An AML/CTF program must include appropriate risk-based systems and controls for the reporting entity to determine the accuracy, reliability, and independence of data.
What are reliable and independent data sources?
Reliability is a new concept that made it into the legislation only in late 2005 when technology was starting to appear. Initially, data verification was based on a ‘100 points’ system. A bank officer had to collect and record details from a number of specified documents listed by points value to a total of 100 points to comply with the regulations of that time. A bank officer could also collect points by manually checking through electronic data, such as looking up a phone book, and/or calling the person to confirm their identity. But with digitalisation, this process has become seamless through the use of electronic data resources.
It is imperative to determine whether electronic data is reliable and independent – businesses must consider the accuracy and security of the data. Ideally, the data should be maintained under government legislation so it can be additionally authenticated with up-to-date sources. For example, the Australian Death Check service helps identify whether a person still exists (is alive) and is used by other government agencies to cross-check their data. The Australian Document Verification Service (DVS) is probably the best example of a data source that was created and maintained under strict government legislation.
Checklist for determining the reliability and independence of the data sources:
The data should be accurate, secure, up-to-date, comprehensive, and can be additionally authenticated.
Matches the risk tolerance of the business
Can confirm KYC information collected about a customer by independently initiating contact with the person that the customer claims to be
Can pre-define tolerance levels for matches and errors
Can verify the source of the data
It should be noted that government originated data sources are not the only source of reliability and independence. Commercially compiled and maintained data sources such as credit files, homeownership, and marketing databases may also be used if they meet the above checklist criteria though ultimately, the original source of the data must always be identified and how the data was handled since its original collection.
However, reliable and independent data is only the first step a reporting entity needs to take based on their risk assessment and AML/CTF program. They need to consider other factors when they apply their choices of data, including but not limited to:
Whether all the data sources may be applied equally
The conditions of use of each data source such as whether ‘consent’ is required
Rules for a ‘Pass’, including how many sources and/or which type of source is mandatory
Tolerance levels for matches and errors (mis-spellings, truncations, alternative name such as ‘Liz’ vs ‘Elizabeth’, etc).
Offering an alternative method of identity verification so that some prospective customers are not disadvantaged.