• FC-1.4 FC-1.4 Enhanced Customer Due Diligence: Non face-to-face Business and New Technologies

    • FC-1.4.1

      Licensees must establish specific procedures for verifying customer identity where no face-to-face contact takes place.

      October 2010

    • FC-1.4.2

      Where no face-to-face contact takes place, licensees must take additional measures (to those specified in Section FC-1.2), in order to mitigate the potentially higher risk associated with such business. In particular, licensees must take measures:

      (a) To ensure that the customer is the person they claim to be; and
      (b) To ensure that the address provided is genuinely the customer's.
      October 2010

    • FC-1.4.3

      There are a number of checks that can provide a licensee with a reasonable degree of assurance as to the authenticity of the applicant. They include:

      (a) Telephone contact with the applicant on an independently verified home or business number;
      (b) With the customer's consent, contacting an employer to confirm employment, via phone through a listed number or in writing;
      (c) Salary details appearing on recent bank statements;
      (d) Independent verification of employment (e.g.: through the use of a national E-KYC application, or public position held;
      (e) Carrying out additional searches (e.g. internet searches using independent and open sources) to better inform the customer risk profile;
      (f) Carrying out additional searches focused on financial crime risk indicator (i.e. negative news);
      (g) Evaluating the information provided with regard to the destination of fund and the reasons for the transaction;
      (h) Seeking and verifying additional information from the customer about the purpose and intended nature of the transaction or the business relationship; and
      (i) Increasing the frequency and intensity of transaction monitoring.
      Amended: January 2022
      October 2010

    • FC-1.4.4

      Financial services provided using digital channels or internet pose greater challenges for customer identification and AML/CFT purposes. Licensees must identify and assess the money laundering or terrorist financing risks relevant to any new technology or channel and establish procedures to prevent the misuse of technological developments in money laundering or terrorist financing schemes. The risk assessments must be consistent with the requirements in Section FC-C.2.

      Amended: January 2022
      October 2010

    • Enhanced Monitoring

      • FC-1.4.5

        Customers onboarded digitally must be subject to enhanced on-going account monitoring measures.

        Added: January 2022

      • FC-1.4.6

        The CBB may require a licensee to share the details of the enhanced monitoring and the on-going monitoring process for non face-to-face customer relationships.

        Added: January 2022

    • Licensee’s digital ID applications

      • FC-1.4.7

        Licensees may use its digital ID applications that use secure audio-visual real time (live video conferencing/live photo selfies) communication means to identify the natural person.

        Added: January 2022

      • FC-1.4.8

        Licensees must maintain a document available upon request for the use of its digital ID applications that includes all the following information:

        (a) A description of the nature of products and services for which the proprietary digital ID application is planned to be used with specific references to the rules in this Module for which it will be used;
        (b) A description of the systems and IT infrastructure that are planned to be used;
        (c) A description of the technology and applications that have the features for facial recognition or biometric recognition to authenticate independently and match the face and the customer identification information available with the licensee. The process and the features used in conjunction with video conferencing include, among others, face recognition, three-dimensional face matching techniques etc;
        (d) “Liveness” checks created in the course of the identification process;
        (e) A description of the governance arrangements related to this activity including the availability of specially trained personnel with sufficient level of seniority; and
        (f) Record keeping arrangements for electronic records to be maintained and the relative audit.
        Added: January 2022

      • FC-1.4.9

        Licensees that intend to use its digital ID application to identify the customer and verify identity information must meet the following additional requirements:

        (a) The digital ID application must make use of secure audio visual real time (live video conferencing/live photo selfies) technology to (i) identify the customer, (ii) verify his/her identity, and also (iii) ensure the data and documents provided are authentic;
        (b) The picture/sound quality must be adequate to facilitate unambiguous identification;
        (c) The digital ID application must include or be combined with capability to read and decrypt the information stored in the identification document’s machine readable zone (MRZ) for authenticity checks from independent and reliable sources;
        (d) Where the MRZ reader is with an outsourced provider, the licensee must ensure that such party is authorized to carry out such services and the information is current and up to date and readily available such that the licensee can check that the decrypted information matches the other information in the identification document;
        (e) The digital ID application has the features for allowing facial recognition or biometric recognition that can authenticate and match the face and the customer identification documents independently;
        (f) The digital ID solution has been tested by an independent expert covering the governance and control processes to ensure the integrity of the solution and underlying methodologies, technology and processes and risk mitigation. The report of the expert’s findings must be retained and available upon request;
        (g) The digital ID application must enable an ongoing process of retrieving and updating the digital files, identity attributes, or data fields which are subject to documented access rights and authorities for updating and changes; and
        (h) The digital ID application must have the geo-location features which must be used by the licensee to ensure that it is able to identify any suspicious locations and to make additional inquiries if the location from which a customer is completing the onboarding process does not match the location of the customer based on the information and documentation submitted.
        Added: January 2022

      • FC-1.4.10

        A Licensee using its digital ID application must establish and implement an approved policy which lays down the governance, control mechanisms, systems and procedures for the CDD which include:

        (a) A description of the nature of products and services for which customer due diligence may be conducted through video conferencing or equivalent electronic means;
        (b) A description of the systems, controls and IT infrastructure planned to be used;
        (c) Governance mechanism related to this activity;
        (d) Specially trained personnel with sufficient level of seniority; and
        (e) Record keeping arrangements for electronic records to be maintained and the relative audit trail.
        Added: January 2022

      • FC-1.4.11

        Licensees must ensure that the information referred to in Paragraph FC-1.2.1 is collected in adherence to privacy laws and other applicable laws of the country of residence of the customer.

        Added: January 2022

      • FC-1.4.12

        Licensees must ensure that the information referred to in Subparagraphs FC-1.2.1 (a) to (f) is obtained prior to commencing the digital verification such that:

        (a) The licensee can perform its due diligence prior to the digital interaction/communication and can raise targeted questions at such interaction/communication session; and
        (b) The licensee can verify the authenticity, validity and accuracy of such information through digital means (See Paragraph FC.1.4.14 below) or by use of the methods mentioned in Paragraph FC-1.2.3 and /or FC-1.4.3 as appropriate.
        Added: January 2022

      • FC-1.4.13

        The licensee must also obtain the customer’s explicit consent to record the session and capture images as may be needed.

        Added: January 2022

      • FC-1.4.14

        Licensees must verify the information in Paragraph FC-1.2.1 (a) to (f) by the following methods below:

        (a) Confirmation of the date of birth and legal name by digital reading and authenticating current valid passport or other official original identification using machine readable zone (MRZ) or other technology which has been approved under paragraph FC-1.4.9, unless the information was verified using national E-KYC application;
        (b) Performing real time video calls with the applicant to identify the person and match the person’s face and /other features through facial recognition or bio-metric means with the office documentation, (e.g. passport, CPR);
        (c) Matching the official identification document, (e.g. passport, CPR) and related information provided with the document captured/displayed on the live video call; and
        (d) Confirmation of the permanent residential address by, unless the information was verified using national E-KYC application capturing live, the recent utility bill, bank statement or similar statement from another licensee or financial institution, or some form of official correspondence or official documentation card, such as national identity card or CPR, from a public/governmental authority, or a tenancy agreement or record of home visit by an official of the licensee.
        Added: January 2022

      • FC-1.4.15

        For the purposes of Paragraph FC-1.4.14, actions taken for obtaining and verifying customer identity could include:

        (a) Collection: Present and collect identity attributes and evidence, either in person and/or online (e.g., by filling out an online form, sending a selfie photo, uploading photos of documents such as passport or driver’s license, etc.);
        (b) Certification: Digital or physical inspection to ensure the document is authentic and its data or information is accurate (for example, checking physical security features, expiration dates, and verifying attributes via other services);
        (c) De-duplication: Establish that the identity attributes and evidence relate to a unique person in the ID system (e.g., via duplicate record searches, biometric recognition and/or deduplication algorithms);
        (d) Verification: Link the individual to the identity evidence provided (e.g., using biometric solutions like facial recognition and liveness detection); and
        (e) Enrolment in identity account and binding: Create the identity account and issue and link one or more authenticators with the identity account (e.g., passwords, one-time code (OTC) generator on a smartphone, etc.). This process enables authentication.
        Added: January 2022

      • FC-1.4.16

        Not all elements of a digital ID system are necessarily digital. Some elements of identity proofing and enrolment can be either digital or physical (documentary), or a combination, but binding and authentication must be digital.

        Added: January 2022

      • FC-1.4.17

        Sufficient controls must be put in place to safeguard the data relating to customer information collected through the video conference and due regard must be paid to the requirements of the Personal Data Protection Law (PDPL). Additionally, controls must be put in place to minimize the increased impersonation fraud risk in such non face-to-face relationship where there is a chance that customer may not be who he claims he is.

        Added: January 2022

    • Overseas branches

      • FC-1.4.18

        Where licensees intend to use a digital ID application in a foreign jurisdiction in which it operates, it must ensure that the digital ID application meets with the requirements under Paragraph FC-B.2.1.

        Added: January 2022