• Licensee’s digital ID applications

    • FC-1.4.9

      Investment firm licensees may use their digital ID applications that use secure audio-visual real time (live video conferencing/live photo selfies) communication means to identify the natural person.

      Added: January 2022

    • FC-1.4.10

      Investment firm licensees must maintain a document, available upon request, for the use of their digital ID applications that includes all the following information:

      (a) A description of the nature of products and services for which the proprietary digital ID application is planned to be used with specific references to the rules in this Module for which it will be used;
      (b) A description of the systems and IT infrastructure that are planned to be used;
      (c) A description of the technology and applications that have the features for facial recognition or biometric recognition to authenticate independently and match the face and the customer identification information available with the licensee. The process and the features used in conjunction with video conferencing include, among others, face recognition, three-dimensional face matching techniques, etc.;
      (d) “Liveness” checks created in the course of the identification process;
      (e) A description of the governance arrangements related to this activity including the availability of specially trained personnel with sufficient level of seniority; and
      (f) Record keeping arrangements for electronic records to be maintained and the relative audit.
      Added: January 2022

    • FC-1.4.11

      Investment firm licensees that intend to use their digital ID application to identify the customer and verify identity information must meet the following additional requirements:

      (a) The digital ID application must make use of secure audio-visual real time (live video conferencing/live photo selfies) technology to (i) identify the customer, (ii) verify his/her identity, and also (iii) ensure the data and documents provided are authentic;
      (b) The picture/sound quality must be adequate to facilitate unambiguous identification;
      (c) The digital ID application must include or be combined with capability to read and decrypt the information stored in the identification document’s machine readable zone (MRZ) for authenticity checks from independent and reliable sources;
      (d) Where the MRZ reader is with an outsourced provider, the licensee must ensure that such party is authorized to carry out such services and the information is current and up to date and readily available such that the licensee can check that the decrypted information matches the other information in the identification document;
      (e) The digital ID application has the features for allowing facial recognition or biometric recognition that can authenticate and match the face and the customer identification documents independently;
      (f) The digital ID solution has been tested by an independent expert covering the governance and control processes to ensure the integrity of the solution and underlying methodologies, technology and processes and risk mitigation. The report of the expert’s findings must be retained and available upon request;
      (g) The digital ID application must enable an ongoing process of retrieving and updating the digital files, identity attributes, or data fields which are subject to documented access rights and authorities for updating and changes; and
      (h) The digital ID application must have the geo-location features which must be used by the licensee to ensure that it is able to identify any suspicious locations and to make additional inquiries if the location from which a customer is completing the onboarding process does not match the location of the customer based on the information and documentation submitted.
      Added: January 2022

    • FC-1.4.12

      Investment firm licensees using their digital ID application must establish and implement an approved policy which lays down the governance, control mechanisms, systems and procedures for the CDD which include:

      (a) A description of the nature of products and services for which customer due diligence may be conducted through video conferencing or equivalent electronic means;
      (b) A description of the systems, controls and IT infrastructure planned to be used;
      (c) Governance mechanism related to this activity;
      (d) Specially trained personnel with sufficient level of seniority; and
      (e) Record keeping arrangements for electronic records to be maintained and the relative audit trail.
      Added: January 2022

    • FC-1.4.13

      Investment firm licensees must ensure that the information referred to in Paragraph FC-1.2.1 is collected in adherence to privacy laws and other applicable laws of the country of residence of the customer.

      Added: January 2022

    • FC-1.4.14

      Investment firm licensees must ensure that the information referred to in Subparagraphs FC-1.2.1 (a) to (f) is obtained prior to commencing the digital verification such that:

      (a) The licensee can perform its due diligence prior to the digital interaction/communication and can raise targeted questions at such interaction/communication session; and
      (b) The licensee can verify the authenticity, validity and accuracy of such information through digital means (see Paragraph FC-1.4.16 below) or by use of the methods mentioned in Paragraph FC-1.2.3 and/or FC-1.4.3 as appropriate.
      Added: January 2022

    • FC-1.4.15

      The licensee must also obtain the customer’s explicit consent to record the session and capture images as may be needed.

      Added: January 2022

    • FC-1.4.16

      Investment firm licensees must verify the information in Paragraph FC-1.2.1 (a) to (f) by the following methods:

      (a) Confirmation of the date of birth and legal name by digital reading and authenticating a current valid passport or other official original identification using machine readable zone (MRZ) or other technology which has been approved under Paragraph FC-1.4.9, unless the information was verified using the national E-KYC application;
      (b) Performing real time video calls with the applicant to identify the person and match the person’s face and/or other features through facial recognition or biometric means with the official documentation (e.g. passport, CPR);
      (c) Matching the official identification document, (e.g. passport, CPR) and related information provided with the document captured/displayed on the live video call; and
      (d) Confirmation of the permanent residential address, unless the information was verified using the national E-KYC application, by capturing live the recent utility bill, bank statement or similar statement from another licensee or financial institution, or some form of official correspondence or official documentation card, such as national identity card or CPR, from a public/governmental authority, or a tenancy agreement or record of home visit by an official of the investment firm licensee.
      Added: January 2022

    • FC-1.4.17

      For the purposes of Paragraph FC-1.4.16, actions taken for obtaining and verifying customer identity could include:

      (a) Collection: Present and collect identity attributes and evidence, either in person and/or online (e.g., by filling out an online form, sending a selfie photo, uploading photos of documents such as passport or driver’s license, etc.);
      (b) Certification: Digital or physical inspection to ensure the document is authentic and its data or information is accurate (for example, checking physical security features, expiration dates, and verifying attributes via other services);
      (c) De-duplication: Establish that the identity attributes and evidence relate to a unique person in the ID system (e.g., via duplicate record searches, biometric recognition and/or deduplication algorithms);
      (d) Verification: Link the individual to the identity evidence provided (e.g., using biometric solutions like facial recognition and liveness detection); and
      (e) Enrolment in identity account and binding: Create the identity account and issue and link one or more authenticators with the identity account (e.g., passwords, one-time code (OTC) generator on a smartphone, etc.). This process enables authentication.
      Added: January 2022

    • FC-1.4.18

      Not all elements of a digital ID system are necessarily digital. Some elements of identity proofing and enrolment can be either digital or physical (documentary), or a combination, but binding and authentication must be digital.

      Added: January 2022

    • FC-1.4.19

      Sufficient controls must be put in place to safeguard the data relating to customer information collected through the video conference, and due regard must be paid to the requirements of the Personal Data Protection Law (PDPL). Additionally, controls must be put in place to minimize the increased impersonation fraud risk in such non-face-to-face relationships, where there is a chance that the customer may not be who he claims to be.

      Added: January 2022