Social distancing has put KYC into sharp focus, with regulators reiterating their support for digital onboarding to ensure financial transactions are possible.
Perhaps it is unsurprising, but it certainly is saddening, to see the huge volume of phishing scams related to the COVID-19 pandemic. Playing on both fear and the level of attention the virus is attracting, bad actors are finding ways to compromise accounts and grab personal data.
In one week in early April alone, an average of 18 million COVID-19 phishing emails were sent per day via Gmail accounts, according to Google. Barracuda Networks observed that of the COVID-19 phishing attacks it has seen, 54% were classified as scams, 34% as brand impersonation attacks, 11% as blackmail, and 1% as business email compromise.
However, the overall risk was considered serious enough to warrant a recent warning from the FATF (Financial Action Task Force) for financial institutions to stay alert to emerging financial crime risks that may arise during this crisis. Europol has issued similar warnings about the proliferation of COVID-19 related crimes.
Risk-based approach
The surge in criminal activity underlines the huge burden COVID-19 is having on both the economy at large and on corporate operations. For financial institutions across most jurisdictions, existing KYC and AML policies typically require face-to-face identity verification for customer onboarding. However, under remote work arrangements and social distancing directives, this has proven problematic for financial services.
The 1 April FATF statement said it: “encourages governments to work with financial institutions and other businesses to use the flexibility built into the FATF’s risk-based approach to address the challenges posed by COVID-19.”
In line with this (and in what may prove to be a taste of how KYC will be performed in a post-COVID-19 world), regulators across Asia and globally have reiterated their support for more flexible approaches to KYC compliance, taking a risk-based approach, with many opting to allow reporting entities to confirm identities digitally.
In early April, the HKMA (Hong Kong Monetary Authority) encouraged authorised institutions and stored value facility (SVF) licensees to seek out technology as a means to combat social distancing and enable remote onboarding and account opening services, caveating that CDD (customer due diligence) measures should be commensurate with the assessed risks.
In New Zealand, regulators have likewise encouraged a risk-based approach to conducting CDD, allowing reporting entities the discretion to “not necessarily sight certain documents in certain circumstances, depending on the reporting entity’s assessment of ML/FT risk.”
In a similar vein, India’s securities regulator on 27 April endorsed the use of technology to comply with AML requirements in the investor KYC process, including video-based ID verification, liveness checks, and electronic signatures and documents. This followed a 30 March relaxation of KYC requirements for foreign portfolio investors, allowing them to send scanned copies of documents required for renewing registrations.
A permanent shift?
As with India, many of the regulatory relaxations across the globe are temporary in nature and subject to government handling of the COVID-19 crisis and social distancing policies. However, the practices to conduct digital CDD now may inform future regulatory initiatives and, if done well, may actually reduce risk.
As FATF has said: “Reliable, independent digital ID systems, with appropriate risk-mitigation measures in place, may be standard risk, and may even be lower-risk”.
“It’s an often debated point with seasoned compliance professionals, but technology used in identity verification is arguably more robust than comparable processes used in-branch today,” says James Mirfin, Global Head of Digital Identity and Financial Crime at Refinitiv.
“Take an example of document verification, using a camera on a high-end smartphone, it is possible to easily identify compromised, altered or fake documents, as compared to an eyeball test in branch. Combine that with some of the anti-impersonation and anti-fraud tools which can be deployed and you can have a very robust identity verification done remotely, along with real-time screening for regulatory risk against a database like World-Check.”
The pandemic has placed digital KYC into sharp focus, but the tides of digitalisation were in force well before the virus put the world on lockdown. By 2022, approximately 60% of world GDP is expected to be digitalised, according to International Data Corporation 2019 estimates. Whether we like it or not, rigorous methods of protecting and confirming digital identification is an essential part of future proofing businesses.
Fortunately, Asian financial institutions have been quick to the mark in adapting to these behavioural changes. Banks like OCBC and Maybank, for example, have invested in biometric technology to streamlining account opening and safeguarding digital IDs. As biometrics usage in onboarding process increases, the customer effort involved in providing identity documents and authenticating themselves comes down.
The development of systems and technology that can mitigate money laundering and fraud risks in line with accepted practice hold “great promise for strengthening CDD and AML/CFT control, increasing financial inclusion, improving customer experience, and reducing costs for regulated entities”, in the words of FATF, in a guidance paper on digital ID systems in March.
In the 1 April statement, the FATF went further, calling on countries to explore the use of digital ID systems to improve the security, privacy and convenience of identifying people remotely for both onboarding and conducting transactions, while managing ML/TF risks during the COVID-19 crisis.
Not all change is bad
Such services already exist in some capacity. As noted in previous articles, Refinitiv’s Qual-ID solution offers digital ID verification, document proofing and risk screening by leveraging the World-Check Risk Intelligence database. World-Check covers 100 percent of sanctioned entities globally, contains millions of additional records not found on official lists, and features negative media screening functionality to identify further potential risks.
Whichever digital ID system or service a financial institution may decide to use, it’s important to understand the fundamentals that drive its behaviour. This will help drive more informed business decisions, which will ultimately reduce the potential for regulatory, legal and reputational risk.
Financial institutions should ensure they understand the digital ID system’s assurance levels, particularly for identity proofing and authentication. The FATF’s recommended risk-based approach relies on a set of assurance frameworks and technical standards, which are presently being updated by the International Organization for Standardization and the International Electrotechnical Commission with a view to developing a comprehensive global standard for digital ID systems.
At a business level, FATF says assurance levels must be calibrated to the ML/TF risk connected to the customer, the jurisdiction, and geographic reach, for example. “Systems with lower assurance levels may be sufficient for simplified due diligence in cases of low ML/TF risk. For example, where permitted, adopting a tiered CDD approach that leverages digital ID systems with various assurance levels to support financial inclusion,” it says.
As with many elements of problem solving, financial institutions should not operate in a bubble; they should seek assurance testing and certification by the government or an appropriate expert body, or otherwise seek expert opinion. Also, it does no harm to be proactive: financial institutions should consider getting involved in public sector regulatory “sandboxes” and help inform policymakers of what works and what does not.
As with many aspects of our life under a pandemic, patterns of behaviour are required to change. However, not all change is bad.
To learn more digital identification in a post-COVID world, join this webinar.
This article was jointly produced by Regulation Asia and Refinitiv.
