1 April 2020
On 31st March, the UK Financial Conduct Authority (FCA) issued a letter to the CEOs of UK regulated financial institutions providing guidance on how to navigate the challenges of coronavirus.
This has been interpreted by some national newspapers to mean that identity checks can be done with selfies (“Send your bank a selfie to check your identity, watchdog says”, The Daily Telegraph).
This is not true. Identity checks completed via selfie are an open invitation to money-launderers and other criminals.
The only way to remotely check the identity of an individual is through Genuine Presence Assurance:
Without Genuine Presence Assurance, criminals and terrorists can, and will, fully exploit identity check processes for the purposes of money-laundering and other fraudulent activity.
What is the FCA letter actually saying?
The letter has been misinterpreted in some quarters. It is actually reminding organizations that flexibility already exists within the current guidelines. Financial institutions already have the right to remotely identify and authenticate individuals, thus eliminating the need for customers to come into branches for identity checks.
Financial institutions that have not yet taken advantage of remote identification technology must do so immediately, in order to:
Banks such as ING, Standard Bank, and Rabobank are already using Genuine Presence Assurance technology to effortlessly and safely onboard customers remotely, protecting themselves against criminals and ensuring compliance with regulations.
The letter makes reference to Joint Money Laundering Steering Group (JMLSG) guidance, which clearly states that any risk must be mitigated when completing identity checks on customers.
(19) For the purposes of this regulation, information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where— (a) it is obtained by means of an electronic identification process, including by using electronic identification means or by using a trust service (within the meanings of those terms in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23rd July 2014 on electronic identification and trust services for electronic transactions in the internal market(2)); and (b) that process is secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity.”
A selfie submitted by email or text is clearly neither secure from fraud and misuse, nor capable of proving an appropriate level of assurance that the person is who they claim to be.
Andrew Bud, Founder and CEO of iProov, said; “The FCA is not relaxing its rules on identity verification. The financial services industry was already permitted a level of flexibility that is now desperately needed in the current situation.
“Thanks to online identity verification, customers can still set up bank accounts and transactions can still be authorized and completed even when branches are closed and people cannot leave their homes.
“We welcome Chris Woolard’s reminder to the industry that remote identity verification is possible and encourage organizations that have not yet made the transition to do so.”
Any organization that would like advice about implementing the ID verification measures referred to in the recent guidance from the FCA, or about offering online identity verification, should contact firstname.lastname@example.org