Since 1 January 2016 the revised Anti-Money Laundering Ordinance has been in force. This has enabled FINMA to take account of new technologies designed to assure the requisite level of security in meeting the relevant due diligence requirements. FINMA also has to make this practice public, and accordingly published FINMA circular 2016/7 on video and online identification on 17 March 2016. The circular describes the due diligence requirements for intermediaries onboarding clients via digital channels without gaps in the information process. This is an opportunity for the Swiss financial industry to put the digitisation of business processes into practice. Our aim is to show where the risks lie and advise on how to deal with them.
Under the circular 2016/7, financial intermediaries will have to define measures and controls that ensure that the whole identification procedure and the relevant data are secure and confidential. There are other risk-related components within this process that the intermediary also has to take account of. Below we describe some of the specific challenges that have to be borne in mind when defining and designing the relevant organisations, processes and systems.
Once clients have been given a detailed picture of what video and online identification involves and the information gathered, they must give their explicit consent to the process. Despite this safeguard, the procedure still entails certain compliance risks above and beyond the requirements of the Money Laundering Act (FINMA Anti-Money Laundering Ordinance) and the banks’ due diligence code of conduct (VSB/CDB). Data privacy laws both in Switzerland and the client’s country of domicile have to be complied with.1
Not only this, but all information and outcomes of the video and online identification process have to be managed and stored in accordance with the principles for commercial accounting and electronic data processing set down in the Swiss Code of Obligations and the ordinance on the maintenance and preservation of business records. A failure to comply can have very serious financial and reputational consequences.2
Our recommendation: Before implementing a video and online identification procedure, financial intermediaries should think about what countries they intend to offer video identification in. They should then look into the legal and regulatory requirements in these countries and take account of them when defining and implementing the process. At the same time they must be fit and prepared for digitisation; in other words they have to have a basic organisational framework in place. This includes an information management system and an electronic archiving system to be able to furnish the requisite documentary proof of identification throughout the entire period stipulated in the law.
Video and online identification adds new potential avenues of attack to the scenarios already familiar in areas such as e-banking. For example, hackers could potentially use a manipulated computer at a new client’s to record the video identification process and recycle it for identification at other financial institutions – in other words, use a false identity to initiate a business relationship. In this context it’s interesting to note that the first video kits and toolkits have already emerged on the dark web for ‘sextortion’3, allowing a specific video sequence to be fed directly in response to a question or action by a counterpart. ‘Man-in-the-middle’ attacks are also conceivable, where the victim is led to believe they’re taking part in a competition or online survey when in fact they’re registering as a new client with a bank. The applicant’s independence in terms of the choice of mobile device also entails risks. Unlike written correspondence, the address can’t be clearly identified and shared; the device being used might be stolen.
Our recommendation: The list of questions you ask in the identification interview should not be static. It must be possible to change the order of questions. General control questions should also be built in for additional security. This can help minimise the organisational risk of recorded video sequences. Interviewers can make psychological and behavioural observations to recognise the person’s reactions and even detect tell-tale signs that different video sequences are being used (for example jerky transitions). You have to keep a careful eye out for risks during the entire process, from identification through to the delivery of access data (for example for e-banking). You should also look into the possibility of additional verification with the help of other independent databases or sources of information.
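One way to generate the non-static question list recommended above, as an added example that is not part of the original article: identity questions are shuffled per session with the operating system's CSPRNG, control questions with fresh parameters are inserted at random positions, and a digest of the plan is kept for the archive. The question texts, the function names and the digest step are assumptions made for illustration.

```python
import hashlib
import json
import secrets

# Constructed sample pools (assumptions); an intermediary maintains its own.
IDENTITY_QUESTIONS = [
    "Please state your full name.",
    "What is your date of birth?",
    "What is your residential address?",
    "Which document are you presenting today?",
    "What is the purpose of the account?",
]
CONTROL_QUESTIONS = [
    "Please hold up {n} fingers next to your face.",
    "Please read this code aloud: {code}.",
    "Please turn your head slowly to the {side}.",
]

_rng = secrets.SystemRandom()  # OS CSPRNG, so the order cannot be predicted


def build_interview_plan(session_id, n_controls=2):
    """Return a per-session question list: shuffled identity questions
    with freshly parameterised control questions at random positions."""
    plan = [{"kind": "identity", "text": q} for q in IDENTITY_QUESTIONS]
    _rng.shuffle(plan)
    for template in _rng.sample(CONTROL_QUESTIONS, n_controls):
        text = template.format(
            n=_rng.randint(1, 5),
            code=f"{secrets.randbelow(10**6):06d}",
            side=_rng.choice(["left", "right"]),
        )
        # Insert at index >= 1 so a control question never opens the call.
        pos = _rng.randint(1, len(plan))
        plan.insert(pos, {"kind": "control", "text": text})
    return {"session_id": session_id, "questions": plan}


def plan_digest(plan):
    """SHA-256 over the canonical plan, stored with the recording so the
    archive shows which questions were asked, and in what order."""
    blob = json.dumps(plan, sort_keys=True, ensure_ascii=False).encode()
    return hashlib.sha256(blob).hexdigest()
```

A pre-recorded sequence cannot anticipate the control parameters or their position, and the stored digest ties the archived recording to the exact plan used in that session.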
Falsification of documents
Checking the authenticity of identification documents requires a well-trained eye and detailed specialist knowledge of the various security features. When you do in-person identification you can check ID both visually and haptically (the look and feel of the document). When you do video and online identification you can only run a visual check, and via the online channel there’s a risk of missing obvious clues.
Our recommendation: The interviewer should use technical aids that enhance visual verification by automatically checking the most common security features. For example, in addition to verifying security features, these tools should have technology for comparing the person being identified with the photo. Staff running ID checks should be familiar with the official ID documents from the countries in question and the peculiarities of these documents. In other words, before implementation, intermediaries should have a strategy defining the countries in which they want to offer video and online identification.
Video and online identification entails risks of deliberate deception. There are various tricks applicants can use to deceive the financial intermediary: reducing the channels to online only, poor lighting, inadequate data transfer rates (for example with mobile devices), loud background noise, limited sight (showing only the face) or insufficient camera resolution. Interviewers should also keep an eye out for deliberate attempts to conceal information or special ways of handling ID documents (for example tilting and panning too quickly), which can also be indicators of attempted deception.
Our recommendation: Before the identification process starts the intermediary should make the applicant aware of the requirements: adequate lighting, quiet surroundings and minimum technical requirements for the front camera. Interviewers should also be able to recognise both obvious and subtle attempts at deception and abort the identification procedure if necessary. Financial intermediaries must find out what incidents have to be reported (the money laundering legislation stipulates the corresponding notifications) and document aborted identification procedures. This experience will enable them to recognise future attempts at deception early on.
External service providers
Since video and online identification often entails the use of special technology (software for verifying holograms or signatures), external software providers are involved. Video identification is done by external providers with trained personnel and call centre structures for conducting interviews with clients. When financial intermediaries outsource knowledge, competences and subprocesses in this way they run the risk of losing control and not being able to take or assert responsibility. There is also the risk that external providers won’t have the same level of protection or the same awareness when it comes to safeguarding client data, or that they won’t apply the standards of due diligence expected by the financial intermediary.
Our recommendation: When completely outsourcing processes, technologies and systems, financial intermediaries should take particular care to ensure appropriate structures are in place for defining, monitoring and reporting on controls, quality standards and process statistics at external service providers. This can be done by way of control assurance systems (ISAE 3402 and ISAE 3000), certification for external service providers or software solutions, and service level agreements laying down the need for protection, the level of protection, and additional policies. Regular dialogue between the partners is also important; it’s the only way of periodically assessing the risks and dangers and defining suitable measures and controls. Banks should also be aware that delegating the process may constitute outsourcing under the terms of FINMA Circular 08/7, ‘Outsourcing banks’, in which case additional contractual arrangements will be required.
There may be more key risks, depending on the focus (e.g. the countries covered) and design of the process and the relevant technical systems. Questions of economic feasibility should be addressed when the opportunities and risks are assessed. Some of the risks are already familiar from traditional identification procedures, but they may be accentuated by the reduction in channels. But the online approach also entails new risks. A risk management framework can help you recognise technological changes and risks in good time. For this reason financial intermediaries should ensure they have such a system in place and make sure that processes, procedures, controls and the level of protection can all be adapted within a reasonable period of time. To avoid risks or reduce them to acceptable levels requires a combination of organisational, process- and IT-related security controls.