On July 16, 2021, the Financial Markets Authority, the Department of Internal Affairs and the Reserve Bank of New Zealand (Supervisors) released the update Explanatory Note: Guideline on Electronic Identity Verification (Guideline) on the Amended Code of Practice for Identity Verification 2013 (AIVCOP). The guideline replaces the previous one Code of Practice for Identity Verification – Explanatory Note published in December 2017 (previous explanatory note).
A link to AIVCOP is available here and a link to the new directive is available here.
Who needs to read it? Why?
The changes will be relevant to all AML / CFT reporting entities, especially those that use Electronic Identity Verification (EIV) as a means of verifying the identity of a customer. Overall, the guideline is more specific and restrictive in terms of what controllers think is appropriate for EIV compared to the previous explanatory note. Significant changes to the guideline are described below.
What does it cover?
Documentation of EIV procedures
The guideline provides much more detail than the previous explanatory note on how reporting entities should document their use of EIV as part of their AML / CFT program. Specifically, the following information should be included:
- when the reporting entity will use the EIV;
- the supplier and the EIV product (if the reporting entity relies on a third party to perform the EIV);
- the electronic source (s) used to verify the person’s name and date of birth;
- record keeping process;
- how the reporting entity verifies in its records that the details of a potential client have not been used before; and
- exception and escalation process.
Supervisors state that the AML / CFT program should also make it clear whether the reporting entity using the EIV uses a single independent source with a high confidence level, or two (or more) reliable and independent matching sources. . If a reporting entity uses a single independent source, then the AML / CFT program should document how the assurance of a “high level of confidence” in an individual’s identity is met. If two (or more) reliable and independent matching sources are used, the AML / CFT program should document the measures taken to ensure compliance with AIVCOP clauses 17 and 18.
The guideline builds on the previous explanatory note and includes additional content identifying electronic sources commonly used in New Zealand. It also sets out the expectations of controllers when reviewing or inspecting the EIV procedures, policies and controls of a reporting entity. Various examples of EIV practices are also included in the guideline.
Use of two reliable and independent pairing sources
Regarding the use of two reliable and independent matching sources for verifying a client’s identity, supervisors indicated in the guideline that in their opinion, the name and date of birth of the person should be verified from one source, while only the name should be verified from the other.
Further, they said that in their view the confirmation service offered by the Department of Home Affairs and the New Zealand Driver’s License database offered by the New Zealand Transport Agency are the main ones. electronic sources that they would expect a reporting entity to use to verify a customer’s name and date of birth.
Regarding the second electronic source that would be used to verify the client’s name, supervisors suggested that credit bureaus, companies office, Land Information New Zealand land registry and vehicle registration details from the New Zealand Transport Agency are acceptable. .
Use of a single independent source
Regarding the use of a single independent electronic source for verifying a customer’s identity, supervisors have stated that in their view, only a verified RealMe identity  can meet the requirement for a single independent source to verify a person’s identity with “a high level of trust” as it biometrically compares the person’s photo and identity details to neo government records -Zeeland.
Link a customer to their claimed identity
In the guideline, the supervisors pointed out, in stronger language, that if an electronic source does not have a mechanism in place to determine whether a customer can be linked to their identity, or if the mechanism in place is not not robust enough, then a reporting entity has to adopt additional methods that will be used to complement it or otherwise mitigate the shortcomings of the process.
The guideline indicates that one way for a reporting entity to achieve this is to require that the first credit to the customer’s account or facility be received from an account / facility held at a bank registered in New Zealand. – Zealand on behalf of the customer which cannot be tampered with or changed. To complete these guidelines, the supervisory authorities have specified in a new annex to the directive a list of registered banks with which the first credits can be invoked for this purpose, because they do not allow the customer to modify or change the name of the payer.
Our point of view
Despite its title and status as “guidance”, the guideline uses prescriptive language suggesting that supervisors expect it to be followed.
The AIVCOP itself remains unchanged since its amendment in 2013. Codes of good practice, like AIVCOP, are intended to provide a statement of practice to help reporting entities comply with their AML / CFT obligations. and are governed by Subpart 5A of AML / CFT. Act. Compliance with a code of conduct is not compulsory. However, if fully adhered to, codes of practice function as a “safe haven” for reporting entities. If the controllers wish to change a code of conduct, including AIVCOP, this will require the approval of the Minister of Justice. In turn, the Minister could only approve the changes if the supervisors consulted with the people and organizations he deems appropriate. This provides an additional layer of control before a modified code of practice can be promulgated.
However, the controllers did not obtain here the modification of the AIVCOP itself, which leaves an ambiguity as to the position of the reporting entities which consider that they comply with the AIVCOP, but whose interpretation differs. that of the controllers as defined in the directive. However, many reporting entities will prefer the more conservative approach of complying with the Guideline even though, as the Guideline itself indicates in an introductory paragraph, the Guideline cannot be relied on as evidence of compliance. to the AML / CFT Law and does not constitute advice.
A good example of the difference is the question of what is a single acceptable independent source that can be trusted to verify the identity of an individual with a high level of trust. The Guide indicates that Supervisors consider RealMe to be the only example available. However, if a private sector entity were able to develop a mechanism that offered the same level of trust, or even a better level of trust in a person’s identity, reporting entities would have to decide whether to trust the person’s identity. this new technology on the basis that it meets the requirements imposed by AIVCOP, even if this was not foreseen by the guideline.
After that ?
Reporting entities may need to modify their AML / CFT programs to ensure that they take into account the expectations of supervisors regarding their use of the EIV. If you have questions regarding the changes to the Directive or would like help updating your AML / CFT programs to reflect the new requirements.