On 31st March, the UK Financial Conduct Authority (FCA) issued a letter to the CEOs of UK regulated financial institutions providing guidance on how to navigate the challenges of coronavirus.
This has been interpreted by some national newspapers to mean that identity checks can be done with selfies (“Send your bank a selfie to check your identity, watchdog says”, The Daily Telegraph).
This is not true. Identity checks completed via selfie are an open invitation to money-launderers and other criminals.
The only way to remotely check the identity of an individual is through Genuine Presence Assurance, which answers three questions:
- Are they the right person? Are they able to prove, online, that they are the rightful holder of a passport, driver’s license or other identity document?
- Are they a real person? Is the individual that is presenting themselves for identification a real person and not a photograph or video?
- And are they authenticating themselves right now? Criminals can use replay attacks, where videos of previous identifications are used to dupe the system. Genuine Presence Assurance protects against spoof attacks by confirming that the individual is a live human being and is completing the identification at this very moment.
Without Genuine Presence Assurance, criminals and terrorists can, and will, fully exploit identity check processes for the purposes of money-laundering and other fraudulent activity.
What is the FCA letter actually saying?
The letter has been misinterpreted in some quarters. It is actually reminding organizations that flexibility already exists within the current guidelines. Financial institutions already have the right to remotely identify and authenticate individuals, thus eliminating the need for customers to come into branches for identity checks.
Financial institutions that have not yet taken advantage of remote identification technology must do so immediately, in order to:
- Continue onboarding customers, who can no longer come into branches
- Provide remote step-up authentication on high value or high risk transactions that previously needed to be completed in-branch
- Authenticate customers accessing secure online services
- Protect against increased criminal activity during the coronavirus pandemic
Banks such as ING, Standard Bank, and Rabobank are already using Genuine Presence Assurance technology to effortlessly and safely onboard customers remotely, protecting themselves against criminals and ensuring compliance with regulations.
The letter makes reference to Joint Money Laundering Steering Group (JMLSG) guidance, which clearly states that any risk must be mitigated when completing identity checks on customers.
“(19) For the purposes of this regulation, information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where— (a) it is obtained by means of an electronic identification process, including by using electronic identification means or by using a trust service (within the meanings of those terms in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23rd July 2014 on electronic identification and trust services for electronic transactions in the internal market); and (b) that process is secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity.”
A selfie submitted by email or text is clearly neither secure from fraud and misuse, nor capable of providing an appropriate level of assurance that the person is who they claim to be.
Andrew Bud, Founder and CEO of iProov, said: “The FCA is not relaxing its rules on identity verification. The financial services industry was already permitted a level of flexibility that is now desperately needed in the current situation.
“Thanks to online identity verification, customers can still set up bank accounts and transactions can still be authorized and completed even when branches are closed and people cannot leave their homes.
“We welcome Chris Woolard’s reminder to the industry that remote identity verification is possible and encourage organizations that have not yet made the transition to do so.”