AML guidance on engaging digital ID providers issued

The draft guidance was published earlier this week by the Joint Money Laundering Steering Group (JMLSG), an influential body that brings together a number of trade associations active in the UK financial services sector. Previous guidance developed by the JMLSG has been endorsed by UK government ministers.

While existing guidance developed by the JMLSG already recognises the potential role for digital identity checks in AML compliance, the proposed amendments that have been opened up to consultation elaborate further. In particular, they set out criteria firms should refer to when engaging digital identity verification providers.

Angus McFadyen of Pinsent Masons, the law firm behind Out-Law, said: "This is very positive that we are seeing digital identity recognised through the guidance, which reduces the barriers to adoption of digital identity in the UK – the regulated market has been slow to adopt this in part due to lack of regulatory recognition."

"The guidelines are out for consultation and, whilst generally positive, we suggest more thinking is put into helping regulated firms identify suitable digital identity schemes. The positioning of a number of references in the proposed new guidelines to eIDAS recognised schemes could imply that these are the only or main option – that’s not intentional but could be an effect of the positioning – if it were read in that way then there’s only one UK scheme that could be used and the regulations themselves are much wider. We’ll be feeding back to the consultation on this point," he said.

The term 'eIDAS' refers to electronic identification (e-ID) or trust service schemes that have been certified and developed in line with an EU regulation that provides for electronic identification and trust services.

The JMLSG said that before engaging e-ID verification providers, firms "should be satisfied that information supplied by the provider is considered to be sufficiently extensive, reliable, accurate, independent of the customer, and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact that person". It listed criteria that it said firms should consider when making that assessment.

According to the JMLSG, the fact an identify provider is either a notified identity scheme under the eIDAS Regulation, or is provided by means of a trust service covered by the eIDAS Regulation, could be relevant to the firm's judgement on that provider.

Other relevant considerations might include whether the provider is registered to store personal data with the UK's data protection authority, the breadth of information and sources the provider uses and accesses, and whether the provider's processes are sufficiently transparent to enable firms to "know how much certainty they give as to the identity of the subject", the JMLSG.

Whether the published standards to which the provider confirms requires "verified data or information to be kept up to date, or maintained within defined periods of reverification", and whether the provider is subject to assessment of its compliance with the standards, are other factors firms might wish to consider, it said.

The JMLSG said its proposed revisions to its guidance primarily reflect the fact that new AML legislation took effect in the UK earlier this year. The Money Laundering and Terrorist Financing (Amendment) Regulations 2019 extend existing customer due diligence (CDD) obligations, increase reporting requirements for many businesses, and also introduce new duties to carry out risk assessments. There is also a regulatory imperative that individual senior managers ensure their firms comply with the regulations, specialists in corporate crime and financial services regulation at Pinsent Masons have previously pointed out.