The Government published new guidance (and a blog) in February on the use of digital ID verification for money laundering checks to help organisations understand what it is and which providers to trust. ‘Digital ID verification’ refers to the ability to prove who someone is without them presenting physical documents or being seen in person.
DVS Register
The government’s ‘trust framework’ includes an independent certification system and DVS register which (according to the guidance) means that, if your digital verification services (DVS) provider is so certified, they can be treated as a reliable and independent source of information, with appropriate anti-impersonation assurance, enabling firms to comply with their Regulation 28 Money Laundering Regulations (MLRs) obligations. The opposite also appears to be true, with the guidance stating, “Digital verification services which are not certified and therefore not on the DVS register cannot reliably be deemed suitable for identity verification in compliance with the MLRs.” This seems like quite a dramatic statement given the very limited fanfare that has accompanied this guidance, in particular from the SRA in its March statement on the subject.
Action
In light of the above, our current understanding is that if you are relying solely on your e-verification provider to verify the identity of your clients without seeing physical documents or the client in person, you should check the DVS Register and/ or speak to your provider about the level of assurance they can provide and document your thought process and findings (either in your Firm Wide Risk Assessment or at least referenced there) – firms have always had to show that they understand exactly what their technology providers can and can’t do for them. If they are not on the Register, it would seem wise to document why you are satisfied that the checks they provide are Regulation 28 compliant, or start looking for another provider. This process would probably be wise even if you don’t solely rely on digital ID verification/ your e-verification provider.
What digital verification doesn’t do
No matter how good your digital identity verification is, DVS is only one part of your CDD journey for which you remain ultimately liable, even when using third-party services. You remain responsible for assessing client risk, applying enhanced due diligence where appropriate, understanding the purpose and nature of the matter and the funds involved (where relevant), and keeping records of the steps you take. Regulation 40 also requires you to keep the CDD you collect for a minimum period of 5 years. Don’t rely on your e-verification provider to do this. Download all final reports to your own system.
Technology risk assessments
The SRA has reminded firms thinking of adopting such technologies of the obligation to carry out a risk assessment before doing so (see Regulation 19(4)(c) Money Laundering Regulations (MLRs)).