New cross border e-identity rules

The new cross-border digital identification for EU countries is the right step forward for AML compliance.

What is eIDAS and how does it impact AML compliance?

The new EU-wide legislation on electronic identification (the eIDAS Regulation) has finally come into force. The old regime was problematic: it relied on hard copies of country-specific identity documents, which were difficult to verify.

So what is eIDAS, and what does it mean to you? Well, eIDAS is short for ‘electronic identification and trust services’. It refers to a range of services that help verify the identity of individuals and businesses online or the authenticity of electronic documents. Essentially, it means that each government is responsible for providing the means to have an identity verified online when using a government service. This is great news for those required to comply with AML legislation around the verification of natural persons, whether the account holder or the UBO.

In the past, it's been difficult to ensure that you are actually maintaining compliance. Country-by-country legislation usually provides generalities and guidelines, but it is not until you are actually audited that you discover whether you are truly compliant. Combine this with financial pressures such as the general cost of compliance and the time to onboard your customer (time to revenue), and it has been a grey area for a long time. Many an organisation has fallen foul of simply taking a photocopy of an ID and storing it on file. This does little to ensure the identity is real, or that the person claiming the identity as their own actually has the right to do so.

Now that the governments of the EU member states, as well as many other areas such as Asia-Pacific, have embraced the concept of eIDAS, organisations that are required to comply with KYC have an avenue to verify their customers or UBOs by electronic authentication against government-sanctioned electronic processes. That is, if it's lawful for a government agency, it's lawful for a private agency.

The catch

Unfortunately, as always, it is not as simple as it should be or could be. As with most EU directives, each member state will pass it into law within their own country. This means that from country to country, the implementation, compliance and enforcement will be slightly different. For those offering cross-border services, this is something to be mindful of. Some countries are satisfied with an ID that has been electronically verified as real and accurate, in isolation. Others require a companion snapshot of the person for either human or electronic verification. There can be a stipulation that the image of the person must be taken at the time of application. Still others need proof of liveness, which can be anything from holding up a newspaper showing a date to an actual video recording taken via a webcam or smartphone.

Now, most providers of financial services are well aware of this, and of the fact that they must comply with the laws of the country they are registered in, regardless of where the services are provided. However, this is not always possible. We were recently assisting a client with its compliance, and their local law specified that acceptable forms of ID were a national ID card or a passport, both of which were part of their registered eIDAS program. This particular company offers service in the UK; however, they must comply with the laws of the home member state. The UK does not have a national ID card (at least not at the time of writing), and not everyone has a passport, so following the letter of the law would mean excluding a large portion of their target market. The alternative was to accept a driver's licence or firearms licence, both of which are accepted under the UK eIDAS scheme. But that would mean a potential breach of their local AML compliance law.

The situation is further exacerbated by the exasperation of customers, or potential customers. Those who have been through the process before have an expectation of it and are usually prepared, only to find themselves unable to complete the application for the product or service in question, because the identity verification process follows the laws of a different jurisdiction or state. Usually this ends up with the customer somewhat upset, making strong claims that the process in question is wrong, with demands to change it or to allow the process to be as they have experienced previously with another organisation. We all know customers can be like that!

This kind of conflict resulting from the drafting of legislation is not uncommon. We see it all the time, even within countries, and it makes it difficult to determine a pragmatic approach to compliance. Much of the interpretation of compliance law is yet to be tested in the courts, so there are few precedents to rely on. Thankfully, as we wrote in another article, most regulators understand the complexity of compliance given the myriad of products and services, their unique nuances, and the multitude of regulations that may or may not apply. There have been very few penalties for organisations that have shown a willingness to comply, and a sense of urgency when change or remedial action is recommended.

However, putting the ambiguities aside for one moment, the passing of the eIDAS legislation is a great step forward in reducing the costs of AML and KYC compliance, and will generally make the onboarding process infinitely smoother.




