Verification of Identity
As a core aspect of your anti-money laundering and counter financing of terrorism (AML/CFT) compliance, you must conduct customer due diligence (CDD) when establishing a business relationship with a new customer or on an existing customer, if there has been a material change in the nature or purpose of the business relationship and if you do not have sufficient information about the existing customer. We discuss in a previous post how to identify the beneficial owners of the customer, and in this post, we focus on how verify an individual’s identity.
You must verify the identity of the customer, of any beneficial owners of the customer and any person acting on behalf of the customer. The AML/CFT Supervisors have not provided any relevant guidance on how to verify someone’s address and we consider that a utility bill, or a bank statement issued within 12 months from when this was resented to you, can be considered a sufficient proof of address. This post focuses on the verification of identity, i.e., name and date of birth.
Identity Requirements
In practice, you need to collect any relevant person’s name, date of birth and address. Such information must be verified on the basis of documents, data, or information issued by a reliable and independent source. For example, your customer will tell you that their name is Jane Smith, and their date of birth is 1 January 2000. You will need to verify such information with an identity document, like her passport.
There are two types of identity verification, documentary (either in person or via a trusted referee) and electronic. Moreover, you may also opt for using the services of a specialised CDD outsourcing provider or to rely on another reporting entity for CDD. We describe these options below.
Documentary Identity Verification in Person
For documentary identity verification you must verify the person’s name and date of birth against a valid identity document (ID). A New Zealand passport is considered a primary form of identification, and therefore it is sufficient to verify someone’s identity.
However, a New Zealand driver licence is not considered a primary ID and therefore you will need to accompany such ID with another piece of identification. Examples of other documents that can be used in addition to the driver licence are a New Zealand full Birth Certificate, an eftpos card, and a bank statement issued in the 12 months preceding the date of when the statement is present to you.
If the person holds foreign IDs, their passport would be considered as a primary ID and therefore acceptable on its own. In addition to that, a foreign person can also present a national identity card issued for the purpose of identification, that contains the name, date of birth and a photograph of the person in whose name the document is issued and their signature. An Australian driver licence would fall under this category and therefore acceptable on itself as a primary ID.
The full list of acceptable ID combinations is included in the Amended Identity Verification Code of Practice (the Code) in paragraphs 1, 2 and 3.
When verifying a person during a face-to-face meeting, you can collect the person’s ID and take a copy of such ID for your record. It is useful to add a note or a stamp to the copy to say:
in what date the ID was collected;
by whom was the ID collected (name of the employee, role and signature); and
that the person in the ID represents the identity of the named individual.
Documentary Identity Verification via Trusted Referee
If you are unable to meet the person during a face-to-face meeting, you can obtain a certified copy of their ID. This means that you would need to instruct the person to meet a trusted referee. For example, a trusted referee can be a justice of peace or a lawyer. The Code of Practice provides a full list of acceptable trusted referees in paragraph 8 of the Code. If the certification occurs overseas, copies of international identification provided by a person resident overseas must be certified by a person authorised by the law in that country to take statutory declarations in that country.
Moreover, a trusted referee must not be below 16 years old, related to the person (for example, a trusted referee cannot be their parent, child, brother, sister, aunt, uncle or cousin), the spouse or partner of the person, living at the same address as the person, or involved in the transaction or business requiring the certification.
Certification must:
contain a statement to the effect that the documents provided are a true copy and represent the identity of the named individual (link to the presenter).
include the name, signature, the date of certification, and the trusted referee’s capacity to act as a trusted referee.
have been carried out in the three months preceding the presentation of the copied documents.
You are not strictly required to obtain the ‘wet ink’ copy of the certified ID, and, generally, it is sufficient that a scanned copy of the certification is sent to you via email. Receiving a ‘wet ink’ copy is considered best practice and you may elect to request a ‘wet ink’ copy in specific circumstances, for example if the certification occurs overseas.
Electronic Identity Verification
If you are unable to meet a person face-to-face, another option is to verify their identity electronically. An electronic identity is a record kept in electronic form that contains authenticated core identity information about an individual. An electronic identity verification (EIV) must confirm the identity information via electronic sources and must connect the person you are dealing with remotely to the identity that they are claiming. Importantly, an electronic source is not a selfie photo or video received from the person being dealt with online, including audio-visual link or video conferencing technology.
Several providers offer EIV tools. If you opt to use any of these tools, you need to consider and assess in your Compliance Programme the following:
The form of EIV methods that are considered reliable and independent and when these are used. On this point, the AML/CFT Supervisors have clarified you need to verify someone’s name against at least two electronic sources, and their date of birth from at least one source. The two sources for the verification of the name need to be reliable, independent and match each other.
How the EIV tool has regards to the following matters: accuracy, security, privacy, method of information collected, how the information collected is linked to the claimed identity, and whether the information collected is maintained by a government body.
Whether you will use any supplementary method to verify identities, should the EIV tool fails. For example, you may decide that if the EIV fails, the person will need to provide a certified copy of their ID.
Refer to Part 3 of the Code and the Explanatory Note: Electronic Identity Verification Guideline for further reading.
Relying on Another Reporting Entity for CDD
Under Section 33 of the Act, you may rely on another reporting entity for CDD. This is useful if you are working in tandem with another reporting entity (for example a lawyer and a real estate agent working for the same customer in relation to a settlement), as it can streamline the CDD process for the customer and improve their customer experience.
You can rely on another reporting entity under the conditions that you both have a business relationship with the customer and that the other reporting entity will provide:
relevant identity information before you establish a business relationship with the customer; and
relevant verification information as soon as practicable on request, but within five working days of the request.
It is important to remember that you remain responsible for ensuring that the CDD is carried out in accordance with the AML/CFT Act. And therefore, we suggest that you make sure to obtain all relevant information before the business relationship is established or as soon as practical and double check that the information is correct and accurately verified.
Outsourcing CDD
Finally, under Section 34 of the AML/CFT Act you may wish to outsource CDD to another entity, which is not a reporting entity. A CDD outsourcer can be useful for time and customer management, as you are outsourcing potentially complex CDD matters to a team of CDD experts.
However, when deciding whether to use a CDD outsourcing provider, we suggest that you consider the following:
you remain responsible for ensuring that the CDD conducted by the third-party provider is undertaken to the level required by the AML/CFT Act. To this end, you should ensure that the CDD outsourcer is a reputable business with proven experience and expertise in the field.
CDD procedures outsourced do not exist in isolation from your wider CDD and other obligations under the AML/CFT Act (i.e., nature and purpose, transaction/activity provided to the customer, assessment whether enhanced CDD should apply, ongoing CDD and account monitoring).
you must ensure that CDD information outsourced from a third-party provider is readily accessible.
you must assess any EIV tool used by the third-party provider (see comments on EIV just above).
What’s Next
If you have any doubt on how to verify a person’s identity, do not hesitate to get in touch with your questions. If you have started using (or are planning to use) an EIV tool, or a CDD outsourcer provider, flick us a message and we will help you figuring out how your policies, procedures and controls should be updated.