AML, KYC, IDV...no, these are not fashion brands or rare diseases but the most common finance acronyms used in modern identification. And because it can be difficult to remember what is what and who is who (pun intended), we created this short-but-sweet guide to help you navigate the industry.
We live in a world of acronyms. In this article, we will try to decipher some of them in an attempt to help the reader understand what’s what. And we promise, we’ll try to keep you awake while reading...
Anti-money laundering is typically referred to as AML. Although each country makes its own legislation and regulations in this area, the EU money laundering directives (e.g. MLD3) are the main harmonization tools used. These form the foundation of requirements and common methods. An example of this is the evolution of “risk-based” approaches to subjects based on behavior and activity.
A sibling to AML is CFT, Combating the Financing of Terrorism. It involves investigating, analyzing, deterring, and preventing sources of funding for activities intended to achieve terrorism.
A fundamental requirement of both AML and CFT is to understand who you are dealing with in a situation that involves financial activities (transactions, payments, loans, deposits, etc.). There are always natural persons involved (even when representing a company), so identifying natural persons is at the very heart of AML and CFT.
Unveiling who the natural persons behind a company are, the so-called “beneficial owners”, is another very important activity in AML and CFT. The financing of terrorism can best be combated by checking published so-called sanction lists (e.g. the UN’s) for the presence of a natural person’s name. Furthermore, a relatively novel requirement is that of spotting the increased risks of money laundering arising from political assignments. The latter risk concerns so-called politically exposed persons (PEPs).
In the digital world, where financial service providers engage in remote relationships, establishing identity at the start of a relationship requires so-called customer due diligence (CDD). Most financial supervisory authorities, however, view remote relationships as a source of higher risks. Therefore, establishing identity in remote relationships is often referred to as enhanced due diligence (EDD). In some industries, such as gambling, EDD refers to looking further into the credit history of a client.
The acronyms CDD and EDD will typically be mixed with know-your-customer (KYC) or, in the case of companies, sometimes with know-your-business (KYB) added. It’s unclear what the difference is - but in our opinion, KYC typically involves more than just identity verification.
The fundamental capability in all instances of a new relationship is identity proofing, also known as identity validation or identity verification (IDV). Typically, each EU member state will define how IDV, for the purpose of EDD, shall be carried out. The rules will be found on two levels in EU member states:
- The national AML legislation can include the exact IDV measures accepted, but more often:
- The specific regulations and guidelines for IDV are issued by the financial supervisory authority (e.g. BaFin in Germany, or SEPBLAC in Spain).
As with many areas of harmonization in the EU, AML is affected by developments in other regulatory areas. One development, in which Identiway is a pioneer, is the fusion of AML and eIDAS.
eIDAS (Electronic Identification, Authentication and Trust Services) is an EU regulation on a set of standards for electronic identification and trust services for electronic transactions in the European Single Market. It was established in EU Regulation 910/2014 of 23 July 2014 and came into force in 2016.
There are two main tracks in eIDAS - one of electronic signatures and trust service providers (TSP), which is in our view the most important, and one of electronic identities (eIDs). The latter is anchored more in national adoption and legislative bodies. The former is anchored with so-called common criteria bodies (CAB) that assess trust services for national regulators such as the Swedish Post and Telecoms Authority (PTS).
eIDAS has proved to be challenging for member states because there is a general lack of penetration among EU citizens of both eIDs (e.g. smartphone apps) and e-signature devices. There is a deficit of actors that provide electronic identification and signature services abiding by the rules in eIDAS and the designated ETSI (European Telecommunications Standards Institute) standards. And few member states have made any meaningful progress in distributing eIDs or electronic signatures.
There is a major problem, but also massive opportunity, in the fact that less than 4% of the EU population have access to an eIDAS electronic signature on their smartphone. Meaningful penetration in the EU is restricted to Northern Europe.
Given the nature of regulations as secondary legislation in the member states, eIDAS has direct effect in every member state at the same time and is immediately binding. As a result, eIDAS e-signatures can be found in all member state AML legislation as a means of compliant IDV. The higher e-signatures constitute by definition, with few exceptions, compliant IDV.
In this lies a tremendous opportunity for financial service providers to leap into the future, provided, of course, that the technologies used for issuing e-signatures are user-friendly. And that’s exactly what we do at Identiway: user-friendly remote identity verification. Care to learn more? Contact us and we’ll get back to you within a day.