The three AML/CFT Act Supervisors (the FMA, RBNZ and DIA) recently issued new guidance regarding two aspects of identity verification.
1. Explanatory note – electronic identity verification guideline
The first is an updated explanatory note to the Amended Identity Verification Code of Practice 2013 (Code), which replaces the previous version published in 2017. The updated explanatory note can be found here, and provides examples of potential electronic identity verification (EIV) solutions, including specific examples as to acceptable electronic sources (which had not been specified in the previous version).
What does the explanatory note cover?
The explanatory note explains how reporting entities can use EIV to verify customers' identities. It also provides guidance as to what the Supervisors expect from reporting entities' EIV policies, procedures and controls, and includes helpful examples of different potential EIV scenarios, and the level of verification acceptable to the Supervisors in each case.
Do reporting entities need to comply with the note?
The note is to be read in conjunction with the Code, which provides best practice guidelines for reporting entities conducting name and date of birth identity verification on low to medium risk (natural persons) customers.
Compliance with the Code is not mandatory, but provides a safe harbour for reporting entities ie you will be deemed to have complied with the Act if you comply with the Code. However, if you choose not to adopt the Code when performing your obligations under the Act, you must notify your AML/CFT Supervisor in writing of your intention to opt out of compliance with the Code, and state that you will satisfy your obligations by some other, equally effective, means.
What does the note tell us about performing EIV?
There are two key components of EIV:
(1) Confirmation of identity information via electronic source(s); and
(2) Matching the person you are dealing with remotely to the identity that they are claiming.
The explanatory note and Code provide comprehensive guidance on how to complete the two above steps, and we recommend thoroughly reading both.
The documents explain that verification of identity can be carried out either by using one independent source (where it is possible to verify an individual's identity to a high level of confidence, for instance, with biometric information), or with two reliable and independent matching sources. The explanatory note sets out what will not qualify as an electronic source, as well as the typically expected sources, such as a Government source (ie passport, NZTA driving licence) or other electronic source (ie credit bureaus, the Companies Office, or LINZ).
Additional methods for linking a person to their claimed identity are also provided, for example, requiring the first credit into the customer's account to be received from an account held at a New Zealand registered bank in the customer's name that cannot be altered.
Documenting EIV procedures
If a reporting entity is using EIV, it must clearly document how the Code is being complied with. The explanatory note expands on all the information that must be documented, such as when EIV will be used, what EIV products are used, how cross checks are done, and exception and escalation processes.
Reporting entities must also mitigate against new and emerging risks and threats to their EIV processes.
2. Factsheet – birth certificates with redacted information
In this second piece of guidance, the AML/CFT Act supervisors confirm that customers can redact certain details from their birth certificate, if it is being used for identity verification purposes in customer due diligence. The factsheet can be found here.
The Code provides suggested best practice for conducting name and date of birth identification of medium-low risk natural persons. Under the Code, a New Zealand birth certificate is an available non-photographic identification for this purpose.
Given that only the customer's name and date of birth need to be verified, customers can redact any other information on their birth certificate, such as place of birth or sex assigned at birth. A reporting entity collecting information other than name and date of birth could be acting contrary to privacy principles in the Privacy Act 2020.
This is a welcome clarification, particularly for members of the transgender, non-binary, takatāpui and intersex communities, whose gender identity may not reflect their assigned sex at birth.
Changes were also recently made to the Exemption Regulations, Requirements and Compliance Regulations, and the Definitions Regulations, effective from 9 July 2021. A table setting out all of the changes can be found here and we summarise the key changes below:
Wire transactions of $1,000 or more that occur outside of a business relationship with a customer will be captured by regulation 13A of the Definitions Regulations, meaning they are an occasional transaction (and CDD will be required).
AML/CFT audits have had their default timeline extended to every three years, with some businesses potentially being eligible to be audited every four years.
Enhanced due diligence will need to be conducted on companies that have nominee director or shareholder relationships, to prevent companies misusing nominee relationships to obscure beneficial ownership.
More businesses will be treated as related entities, meaning that the AML/CFT Act will not apply when they provide relevant services to each other.