Verifi was founded in 2012 in Auckland, New Zealand by legal and financial services professionals Tyler McNamee and Vincent McCartney, and interactive pioneers Karl von Randow and Matthew Buchanan of Cactuslab. Together they provide over 30 years of global financial services experience and 30 years of modern, functional and accessible web solutions.
Vincent is a financial services professional with more than 15 years’ experience in retail and wholesale financial markets across the United Kingdom, Australia and New Zealand. He has significant expertise in developing opportunities in the financial services market and implementing large-scale wholesale partners across Australia and New Zealand. Vincent has developed, launched and managed several successful financial trading products and project managed the roll-out of business-critical online trading platforms, including client migration and integration of equity trading into large banks.
Tyler is a lawyer with 17 years’ corporate and commercial legal experience in Canada, New Zealand and Australia. In addition to his role with Verifi, he is head of legal (Australia and New Zealand) for global online financial services company CMC Markets, where he’s responsible for all legal matters in Australasia and and Asia, along with strategy, project management, commercial and marketing matters. Tyler also co-founded and serves as a director for Wired Dog, a cross-platform IT consulting company.
Karl is a highly successful developer and co-owner of Cactuslab, a web and app development studio in Auckland. He is the creator of Charles Proxy, a popular debugging tool used by thousands of companies around the globe, and a co-founder of Camera+, one of the most popular apps in Apple’s iOS App Store. Karl runs Auckland’s monthly iOS development gatherings, and was previously involved as an organiser of the Auckland Web Meetup group. He is also a co-founder of Letterboxd, a social network for film lovers that launched in late 2011.
Matthew is a creative director, interface designer and typographer, and a co-founder of both Cactuslab and Letterboxd. He has a background in publication design, and has been designing and building for the web since 1994. Matthew is a Fellow of the Designer’s Institute of New Zealand, and has spent six of the past eight years on the judging panel (the last three as convenor) for our national design awards, the Best Awards.
With the enactment of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, the New Zealand government made it clear it was serious about meeting the obligations developed by the Financial Actions Task Force. FATF is a global, inter-governmental body whose purpose is to develop and promote national and international policies to combat money laundering and terrorist financing.
The result is that businesses now have much greater obligations to verify the identity of their customers. The New Zealand government has recognised the potential for the new regime to impact an organisation’s ability to do business efficiently and, as a result, has made genuine concessions to help organisations manage compliance costs. In fact, electronic verification (EV) has the ability to not only reduce inefficiencies in current identity verification processes, but also to improve the customer experience.
EV has a number of advantages that make it a workable and efficient solution for organisations:
The Identity Verification Code of Practice 2011, together with the Identity Information Confirmation Bill and the Electronic Identity Verification Bill, set out ‘Safe Harbour’ procedures for meeting the requirements of the AML/CFT Act.
The Safe Harbour provisions for EV require an organisation to:
However, it is important to note that it is still up to the organisation to determine which types of electronic data it considers reliable. In assessing reliability, the Code requires an organisation to have regard to:
Accordingly it is vital that when an organisation selects an EV provider, it does so on the basis of being able to choose from a variety of sources in accordance with this requirement. Different organisations will typically have different risk thresholds depending on their business, and whilst a particular data source might be acceptable to one organisation it may not be suitable to others.
Potential data sources include data related to:
With a large number of potential sources, the likelihood of new sources becoming available in future and the necessity of maintaining sources that may change (as data providers modernise and improve offerings), it is clear that the sensible option for organisations who wish to implement EV is to select a third-party provider. The Code specifically contemplates this via a statement allowing organisations to obtain multi-source verifications from a single provider.
When selecting an EV provider and platform, an organisation should carefully consider factors such as:
The last point is crucial to organisations, as both regulators and the private sector evolve and approve additional data sources for access. For instance, the electoral roll is not currently available but would be an excellent data source. It is critical that when a new data source becomes available, organisations are able to ‘turn on’ the new source without having to perform further internal development to their IT systems. A flexible and scalable platform provides organisations with the highest possible success rates for EV at any particular time.
Verifi’s Cloudcheck platform was developed specifically with these factors in mind. Most importantly, Cloudcheck allows an organisation to select from a ‘menu’ of data sources that are then presented to a potential customer when performing EV.
Cloudcheck can be integrated into an organisation’s application process with minimal development, either via a web-based app operated by your staff; via a branded EV page emailed to your customers; or directly via the platform’s API. In addition, the platform is continually being improved, with new data sources added as they become available, without the need for our customers to perform additional development work. A single integration exercise to add Cloudcheck allows an organisation to remain at the forefront of EV into the future.
The recently passed Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Amendment Bill will usher in “Phase 2” of New Zealand’s AML/CFT laws.
Phase 2 will bring a number of industries into the AML/CFT regime during a phased implementation period:
Cloudcheck can be customised to suit each industry’s specific needs in a cost-effective manner, in order to make the transition to the AML/CFT regime as simple and painless as possible for businesses.
Guidance notes for Phase 2 entities developed by the Department of Internal Affairs can found here.
In December 2017 New Zealand’s three AML/CFT regulators released an Explanatory Note (‘note’) in relation to the Amended Identification Code of Practice 2013. These two documents should be read in conjunction with one another.
Important: this opinion should not be taken as legal advice and we STRONGLY urge you to seek your own independent advice from an experienced AML adviser or legal professional.
In our opinion, the note has conflated fraud issues and AML issues by focusing on ‘biometrics’ and the achieving of a link between the customer and the identity document presented. Whilst fraud is a very important issue facing all businesses (especially those that have processes in place that allow for non-face-to-face onboarding of customers), the risk of fraud should not be a barrier to using electronic identity verification services — a view shared by the FMA in its AML/CFT Annual Report 2016, which states:
“…some are concerned about the risk of someone’s identity being stolen and used to open an account. Fraud risk should not be a barrier for REs to use electronic identity verification, as their overall controls should include details about how they plan to reduce the risk of fraud.”
There are many ways to reduce fraud risk and each business should have controls in place to do so. The note even suggests some in paragraph 15.
We provide more detail below around single-source and two sources, but in summary — we believe that with the right controls and tools in place there is no reason why Cloudcheck cannot continue to be used by entities captured under the AML/CFT Act.
Paragraphs 8 and 9 of the note deal with the concept of using a single independent source for identity verification. Effectively, the note suggests that in order to use a single electronic source, the source, not the document, must incorporate biometric information. As the available ways of meeting this requirement are extremely limited, we believe that Verifi’s services, including a biometric option, best fit under the two reliable sources provision.
Paragraphs 10 and 11 of the note discuss being able to verify the customer’s identity from two “reliable and independent” sources. Referring back to paragraph 15 of the Amended Identification Code of Practice 2013, what needs to be identified is the customer’s name, twice (15.a.b), and their date of birth, once (15.b).
The majority of Cloudcheck users use the service to verify a customer's name, date of birth and address, so this is the scenario we will focus on. To achieve a pass, Cloudcheck users typically conduct the following checks:
1. Name & Date of Birth using an ID document checked against the source database for that identity document, e.g. DIA Passport Database; and
2. Name & Address using a third-party address database, e.g. LINZ
If the above is followed, the customer’s name has arguably been verified twice and their date of birth once (as well as their address) in accordance with the Amended Identification Code of Practice 2013 and note.
Important: Verifi does not promote or recommend which databases should be verified against or should be seen as reliable and independent. The Reporting Entity must make this decision themselves, and Verifi supports this approach by allowing Reporting Entities to determine which databases to verify against, and in which order (no database is mandatory for our users).
Paragraph 12 of the note states that a Reporting Entity must have regard to whether the identity can be linked back to the customer. If you choose to proactively make this link, one easy solution would be to look at using our biometrics solution (Cloudcheck Live), which captures images of the customer’s face and identity document and enables a comparison between the two, in order to achieve this link.
As at the date of this opinion, the comparison between the two captured images is a manual one that you must undertake. A forthcoming update to Cloudcheck Live is expected to be released in Q1 2018 that will support automated image matching.
Paragraph 13 notes that if you do not have the mechanics (e.g. via Cloudcheck Live) in place to perform this link, you must have additional measures in place to satisfy yourself that the customer is the genuine holder of the identity. Paragraph 15 suggests some likely approaches.
As noted in paragraph 16, whatever you decide to do you must ensure that you have documented it in your AML/CFT Programme.
Paragraph 17 allows for the use of electronic identity verification when verifying your pre-AML/CFT Act (30 June 2013) customers. One way you may wish to consider doing this is via Cloudcheck Go, our tool that enables the sending of a secure, single-use link (via our email system or yours) to your customer to get them to self-verify—including capturing images of their face and identity document (when used together with Cloudcheck Live).
Whilst we are disappointed with the ambiguity of certain elements of the note, as it has raised more questions than answers, we appreciate the difficult job the regulators have in balancing the evolving nature of the AML/CFT landscape and new technological advances.
We welcome any opportunity to work with the regulators in the future around guidance on electronic identity verification and the practical implications of it in New Zealand businesses.
This opinion is dated 13th February 2018, is for information purposes only and should not be taken as legal advice, we STRONGLY urge you to seek your own independent advice from an experienced AML adviser or legal professional.