COVID-19 and alternative customer due diligence measures

Authors: Anthony Cremona, Stephanie J. Coppini

Published on May 12, 2020

With the unfortunate circumstances the world, including Malta, is currently facing as a result of the novel COVID-19 virus pandemic, it is regretfully not ‘business-as-usual’, not least where Anti-Money Laundering and Combating the Funding of Terrorism (“AML-CFT”) is concerned. In fact, while most subject persons have adapted themselves to COVID-19 by striving to continue to provide their services to their customers remotely due to social distancing measures, public health-related precautions, the physical closure of government departments/agencies and lockdown for particular persons who are considered vulnerable, it is becoming increasingly difficult, if not impossible, to carry out Customer Due Diligence (“CDD”) in the way we were accustomed to just a few weeks ago.

Procuring original documents, or certified true copies thereof, in particular has become increasingly challenging. To cite a few examples, the actual sighting of original passports or identity cards, or seeking to get them certified by a lawyer, notary, accountant or bank official, or even legalising a certified copy by apostille are close to impossible these days. These are, of course, just some examples, as CDD, in essence, relies on the authenticity of documents.

One could say that traditionally, Malta, as a jurisdiction, tends to rely heavily on documents in paper format, such as documents signed in original, or original certified true copies thereof. However, this is not suitable nowadays, especially in these current circumstances, and particularly considering that medical practitioners are suggesting that even paper should be ‘quarantined’ for between seventy-two hours and five (5) days. Face-to-face business is also no longer possible in the current circumstances.

However, as an alternative to the above, and not least to facilitate matters in these challenging times, other possible options in our law do exist, which, unfortunately, many subject persons may not be fully aware of. The Implementing Procedures Part I (the “Implementing Procedures”) issued by the Financial Intelligence Analysis Unit (“FIAU”) specifically provide for alternative measures subject persons may use in order to perform CDD on their customers in the course of a business relationship or when undertaking an occasional transaction, when the customer is not present for verification purposes (non-face-to-face). Although especially useful in the current circumstances, these measures were actually introduced by the FIAU way back in 2017 (27 January, 2017), and therefore well in advance of the present pandemic.

It is pertinent to briefly go through the main measures put forward by the FIAU in section 4.3.1.2 of the Implementing Procedures (previously section 3.1.1.2 (ii)(b) of the 2017 version of the Implementing Procedures).

Not having the applicant for business, or relevant person for CDD purposes, physically present for verification purposes, whilst not automatically presenting a higher risk of money laundering (“ML”) and/or the funding of terrorism (“FT”),[1] does require the subject person to implement such technological means within its systems to enable it to address the risk of impersonation or identity fraud and thereby significantly reduce the inherent risk arising from this form of interaction with customers.[2] Subject persons must, therefore, bear in mind what verification of identity entails and assess whether the electronic identification and verification measure/s to be applied provide sufficient comfort that the customer exists and that he/she is truly who he/she says he/she is.
If the subject person still has doubts about the customer’s identity, the subject person should assess whether, in view of the other risk elements of the relationship or transaction, additional or different identification and verification measures or checks should be carried out.

A. Verification on the basis of Documents

When the customer is not present for verification purposes, subject persons would understandably only be in a position to obtain copies of identification documents. With respect to other documents that may be used to verify residential address, subject persons are permitted by the Implementing Procedures to obtain copies. The Implementing Procedures allow subject persons to verify the residential address through the mailing of correspondence or codes, i.e. by the mailing of correspondence via registered mail or other mail courier service, or the mailing of codes generated by automated systems to the residential address provided by the customer.[3] When subject persons avail themselves of this measure to verify the residential address, they are required to keep documentary evidence.

When receiving documentation in copy or scanned format, there are a number of factors to determine the reliability and suitability of that document for verification purposes. Subject persons should therefore avoid accepting documents provided in formats that are more susceptible to being tampered with (e.g., Microsoft Word or other word processor documents – e.g., .doc, .txt or .rtf format) and should instead request copies in other more tamper-resistant formats (such as .pdf format).

In low-risk business relationships or occasional transactions, the provision of an identification document in copy would be sufficient so long as no issues arise as to its authenticity or reliability. However, where the risk of ML/FT is not low, subject persons should consider applying additional measures to verify the customer’s identity.
The following are some examples, and each must be seen in conjunction with the respective conditions laid down in the Implementing Procedures:

i. requesting additional identification documentation – through this measure, the identity details would be verified at least twice based on multiple documents not issued from the same source;[4]
ii. ensuring that the first payment or transaction into the account is carried out through another account held by the same customer in his/her name with a credit institution authorised under the Banking Act or a financial institution authorised under the Financial Institutions Act or otherwise authorised in another EU Member State or a reputable jurisdiction.[5] In this way, the subject person would have a degree of comfort that the customer’s identity would already have been verified by another entity. E-money payments are not admissible in terms of this option;
iii. requesting the customer to confirm automatically generated codes or PINs before accessing the service/account;[6]
iv. holding a ‘welcome call’ with the customer through a verified home or mobile phone number and confirming certain personal information or the details of the transaction to be undertaken;[7]
v. using information that can be retrieved from a customer’s device to corroborate certain personal details provided by the customer (e.g., customer’s IP address or the geo-location of a mobile phone to confirm residence);[8]
vi. sending a transfer of a small amount of funds to a bank account held by the customer asking him/her to return the funds or to indicate the value of that transaction;[9]
vii. requiring the customer to send a photograph clearly showing his/her face and the image on the identity document being held in the same picture to demonstrate that this actually belongs to the customer – the subject person would be able to compare the face, and the features of the customer’s face, with that included on the identification document and therefore verify that the identification document truly belongs to that individual;[10]
viii. through video conference facilities – a video call may be carried out after the customer would have submitted copies of the identification or other verification documents to the subject person (e.g., by e-mail) or by making this documentation visible during the same video conference call. Checks to verify the authenticity of verification documents presented through the video call may either be carried out manually by the subject person or automatically through the use of software, where this has embedded within it the capability of carrying out these authentication checks in an automated manner. Records of the video call are to be kept as indicated in the Implementing Procedures;
ix. using specialised identity verification software, which allows customers to upload facial images, video clips, and scans of the identification documents and which carries out authentication checks on these documents, as well as visual checks, to compare the uploaded customer’s facial image with the image appearing on the uploaded document.

When it comes to video conference calls, it is important for subject persons to note that it is not just any software that can be used for this purpose. Indeed, the Implementing Procedures lay down a number of requirements that need to be satisfied by the relevant software, including, for instance, that:

a. the video call must allow the subject person and the customer to make both visual and verbal contact simultaneously;[11]
b. it should be of a sufficiently good quality to enable clear verbal communication and to allow the subject person to clearly visualise the customer’s face, as well as view the contents and security features of identification documents produced by the customer (where identification documents are being presented through the video call);[12]
c. it should be capable of retaining at least an audio recording of the video call or the entire video call itself, which includes the entire conversation between the official of the subject person and the customer;[13]
d. it should be capable of allowing the official of the subject person to take screenshots during the video call, which must include an image of the customer as well as the date and time displayed by the video conference tool;[14]
e. when the identification document is produced by the customer throughout the video call, screenshots of the identification document (all relevant pages or sides) will need to be recorded. The photographic evidence of identity as well as all the information on the identification document must be clearly visible and legible from the screenshots.[15]

To carry out some of the listed checks (e.g., to visualise the security features of the identification document being presented):

A. the customer should be asked to tilt the document during the video call;[16]
B. the official carrying out this procedure must also examine the image on the identification document (presented during the video call or submitted to the subject person prior to the video call) to ensure that it matches the customer’s visual appearance as displayed during the video call, as well as the details of the person produced on the identification document (such as age and gender).[17]

B. Electronic Verification of Identity

The FIAU’s Implementing Procedures also permit subject persons, should they wish, to verify the identity of the customer remotely through electronic means.
The following are modes through which this can be done, all in conjunction with the respective conditions set out in the Implementing Procedures:

i. Verification through the use of a commercial electronic data provider – these commercial data providers may have access to multiple data sources, such as electoral registers, driving licence databases and passport identity registers. The Implementing Procedures stipulate various criteria to be taken into consideration, such as in choosing the commercial electronic database, the subject person is to regard data protection requirements and ensure that the provider is abiding by any applicable data protection obligations;[18]
ii. Use of e-IDs – a number of jurisdictions have developed electronic identification systems (i.e., systems that allow an individual to provide evidence of his/her identity remotely). Personal identification data is encrypted and is either stored on electronic devices (e.g., electronic chips embedded in identification documents, mobile phones, etc.) or is otherwise accessed through the use of a set of credentials associated with the given individual;[19]
iii. Verification of Identity Platforms – this is carried out by engaging the services of a third party, i.e. through an outsourcing arrangement that meets the conditions set out in Chapter 6 (on outsourcing) of the Implementing Procedures. The subject person can engage a third party to carry out the verification process with respect to its customers. However, it could also include the use of software solutions or platforms through which individuals can have their identity verified and which enables them to hold identification information, data, and documentation through that solution or platform.
Individuals may then allow subject persons to access this identification information, data and documentation to verify their identity, when requesting the carrying out of an occasional transaction or the establishment of a business relationship.[20]

While the electronic verification of identity procedures contemplated by the FIAU in their Implementing Procedures require the use of specialised commercial electronic databases that satisfy the requirements of the Implementing Procedures, the other verification of identity options are more readily available, especially nowadays where more and more firms that may, prior to the pandemic, not have been geared up for remote working are increasingly becoming more ‘online’ in their presence as a result of the current novel coronavirus pandemic.

The FIAU has recognised the challenges being faced by subject persons in the current climate and on 7th May 2020, it published a guidance note, titled ‘COVID-19: Remaining Vigilant against a Changing Criminal Landscape’, which is published on its website on this link. This document essentially provides guidance to all subject persons on various obligations they must adhere to during the current challenging circumstances brought about by the novel COVID-19 pandemic. This guidance note is divided into three parts:

A. an outline of some examples of the criminal impact of COVID-19, i.e. a non-exhaustive list of different types of illicit behaviour and new criminal activities and trends that are being noted across Europe;
B. guidance on how subject persons may mitigate money laundering and terrorist financing risks; and
C. a reminder to subject persons that the FIAU Implementing Procedures Part I provide for remote onboarding procedures, which, they suggest, can easily be resorted to in the current circumstances.

According to the FIAU, since COVID-19 has drastically changed the mode of doing business throughout the world, with most subject persons, authorities, agencies, and businesses now working remotely from home, and imposed social distancing measures restricting the meeting of people, with a resultant surge in virtual meetings, the traditionally used methods of identification and verification procedures have become increasingly difficult, if not impossible, to adopt. In its guidance note the FIAU reminds subject persons that, utilised to their fullest, the FIAU Implementing Procedures provide the flexibility needed for subject persons to adapt to such changes while at the same time remaining effective against ML/FT. In fact, many subject persons may be unaware of the various paperless options, provided in the FIAU Implementing Procedures, that can be used to conduct a CDD exercise.

Now is indeed the time, more than ever, for subject persons to resort to these alternative CDD measures, even to safeguard the health of all those involved. The above options should increasingly be resorted to, not only now due to the ever-changing COVID-19 measures and restrictions, but even going forward as a new means of conducting one’s CDD in the 21st century, where technological developments are overtaking the more traditional methods, and where everything is moving towards a paperless society. The advantages to this are many: besides being more environmentally friendly, it is less costly, more efficient, less bureaucratic, and a more expeditious service.

____________________________________________________________________

[1] Page 39 of FIAU Implementing Procedures, section 3.2.4.
[2] Page 39 of FIAU Implementing Procedures, section 3.2.4.
[3] Page 101 of FIAU Implementing Procedures, section 4.3.1.2(i), which cross-refers to section 4.3.1.1(i).
[4] Pages 102-103 of FIAU Implementing Procedures, section 4.3.1.2(i).
[5] Page 104 of FIAU Implementing Procedures, section 4.3.1.2(i).
[6] Page 104 of FIAU Implementing Procedures, section 4.3.1.2(i).
[7] Page 104 of FIAU Implementing Procedures, section 4.3.1.2(i).
[8] Page 104 of FIAU Implementing Procedures, section 4.3.1.2(i).
[9] Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i).
[10] Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i).
[11] Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i).
[12] Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i).
[13] Page 106 of FIAU Implementing Procedures, section 4.3.1.2(i).
[14] Page 106 of FIAU Implementing Procedures, section 4.3.1.2(i).
[15] Page 106 of FIAU Implementing Procedures, section 4.3.1.2(i).
[16] Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i). Subject persons are invited by the FIAU to refer to Section 4.3.1.1(iv) of the Implementing Procedures for guidance on authenticity checks that may be carried out manually by the subject person.
[17] Page 105 of FIAU Implementing Procedures, section 4.3.1.2(i).
[18] Page 108 of FIAU Implementing Procedures, section 4.3.1.2(i).
[19] Page 109 of FIAU Implementing Procedures, section 4.3.1.2(i).
[20] Page 109 of FIAU Implementing Procedures, section 4.3.1.2(i).