Updated HMRC Guidelines for Electronic Verification – How to Meet the Requirements
Businesses using identity document validation technologies (IDVT) are likely aware that the HM Revenue and Customs (HMRC) has recently released a new set of Money Laundering, Terrorist Financing and Transfer of Funds Regulations. But what do they mean for companies, and how can your electronic ID verification provider help with compliance?
We break down some of the key points below:
Customer Due Diligence
The minimum due diligence requirements of the new set of regulations highlight the responsibility companies have to ‘complete customer due diligence on all customers and beneficial owners before entering into a business relationship or occasional transaction.’ These include implementing enhanced due diligence procedures for high-risk areas where the risk of money laundering is higher and having the means to identify politically exposed persons.
The regulations also introduce several changes in the way businesses can use technology designed to assist them in establishing whether identity verification documents are authentic.
Clause 4.101
Merely carrying out electronic records checks on limited information, such as the name and address of a person you have not seen, does not mean that you have verified that the person you are dealing with is who they say they are. You must ensure that the checks you use show that you have identified the customer, verified the identity and that they are, in fact, the same person that is using your services (to protect against impersonation).
How we help:
Fortunately, IDVT such as the Credas portal and mobile app take users through a specific process which requires them to prove they are ‘real and present’ by performing a ‘liveness’ test. These include a series of real-time instructions users need to follow while completing the verification process. Combined with the other ID checks outlined below, this ‘liveness’ test provides concrete proof of thorough verification.
Clause 4.103
Viewing a photo document over the internet or a “selfie” of a person holding identification documents or the use of Skype or similar, is not an appropriate form of customer due diligence as you will not be able to identify fakes or forgeries. The use of facial recognition software does not address this issue.
How we help:
The next-generation facial recognition technology used by Credas compares the person in the photographic ID document with the selfie taken to ensure a complete match. What’s more, the innovative document authentication tool on our portal and app uses Optical Character Recognition (OCR) to confirm that the document hasn’t been tampered with, while the revolutionary NFC chip reading makes the authentication 100% complete. Our ID verification software performs a series of broader data checks, including PEPs, Sanctions, address, DOB, mortality and more.
Clause 4.104
If using a service provider, you should ensure that it is reliable and accurate using extensive source data. You should consider the following criteria in your selection:
- it is registered with the Information Commissioner’s Office to store personal data
- it is accredited to give identity verification services through a government, industry or trade association process that involves meeting minimum standards
- the standards it works too, or accreditation, require its information to be kept up to date
- its compliance with the standards are assessed
- it uses a range of positive information sources, and links a person, through other sources, to both current and previous circumstances
- it uses harmful information sources, such as databases relating to identity fraud and deceased persons
- it uses a wide range of alert sources, such as up to date financial sanctions information
- it has transparent processes that enable the firm to know what checks were carried out, what the results of these checks were it can set the level of certainty as to the identity of the subject suitable for your risk assessment
- should be able to keep records of the information used to verify identity information or allow a download to be stored on your server
- if your customer due diligence records are retained on the outsourcing service provider’s server ensure that in the event of the service provider going out of business that you will continue to have access to the data for 5 years from the end of your business relationship with the customer.
How we help?
At Credas, we are proud to shout about all the things that make us a preferred IDVT provider. We are registered with the Information Commissioner’s Office (Reg. number: ZA220768) and covered by Lexis Nexis’ accreditation to provide identity verification services as part of our partnership.
As we already mentioned above, the Credas software also performs a series of further checks such as Known as Deceased, Beneficial Owner, Politically Exposed Person (PEP) – domestically or internationally, up to date financial sanctions information and more. We employ best practice solutions and use our access to multiple data sources to provide companies with the most extensive results on the market.
Our clients can access a detailed overview of all the checks that the
Credas software is carrying out through the client portal, alongside with the results of each check.
In addition to a comprehensive dashboard, we give companies the option to download a PDF copy of all the identity verification information we’ve collected, which they can include in their records.
What’s more, we use Azure to store all the information we collect on behalf of our customers, and we keep all the data safe for a minimum of five years.