Verifi Identity Services

Verifi Identity Services Limited (“Verifi”) is a leading provider of online electronic identity verification (“EV”) solutions and PEP screening to companies requiring name, date of birth and address verification of their customers.

Verifi was founded in 2012 in Auckland, New Zealand by legal and financial services professionals Tyler McNamee and Vincent McCartney, and interactive pioneers Karl von Randow and Matthew Buchanan of Cactuslab. Together they provide over 30 years of global financial services experience and 30 years of modern, functional and accessible web solutions.

About AML

The push for electronic verification

With the enactment of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, the New Zealand government made it clear it was serious about meeting the obligations developed by the Financial Actions Task Force. FATF is a global, inter-governmental body whose purpose is to develop and promote national and international policies to combat money laundering and terrorist financing.

The result is that businesses now have much greater obligations to verify the identity of their customers. The New Zealand government has recognised the potential for the new regime to impact an organisation’s ability to do business efficiently and, as a result, has made genuine concessions to help organisations manage compliance costs. In fact, electronic verification (EV) has the ability to not only reduce inefficiencies in current identity verification processes, but also to improve the customer experience.

EV has a number of advantages that make it a workable and efficient solution for organisations:

• it is a highly cost-effective way of complying with the identity verification requirements;
• it is a reliable method of identifying irregular details and suspicious customers;
• it removes human error;
• it separates customer-facing staff from the due diligence process; and
• it minimises the inconvenience to customers, particularly versus producing paper identification documents.

The Identity Verification Code of Practice 2011, together with the Identity Information Confirmation Bill and the Electronic Identity Verification Bill, set out ‘Safe Harbour’ procedures for meeting the requirements of the AML/CFT Act.

The Safe Harbour provisions for EV require an organisation to:

• verify a customer’s name from at least two reliable and independent electronic sources;
• verify the customer’s date of birth from at least one reliable and independent electronic source; and
• verify the customer’s address from at least one reliable and independent source.

However, it is important to note that it is still up to the organisation to determine which types of electronic data it considers reliable. In assessing reliability, the Code requires an organisation to have regard to:

• accuracy;
• security;
• privacy;
• the method of collection;
• whether the source has the ability to link a customer to the claimed identity;
• whether the source is maintained by a government body; and
• whether the information has been additionally verified.

Accordingly it is vital that when an organisation selects an EV provider, it does so on the basis of being able to choose from a variety of sources in accordance with this requirement. Different organisations will typically have different risk thresholds depending on their business, and whilst a particular data source might be acceptable to one organisation it may not be suitable to others.

Potential data sources include data related to:

• Passports
• Births, Deaths & Marriages
• Driver’s licence
• Vehicle registration
• Electoral roll
• Citizenship
• National identity cards such as the 18+ card
• Property ownership
• Utilities (e.g. water, electricity)
• Companies Office records

With a large number of potential sources, the likelihood of new sources becoming available in future and the necessity of maintaining sources that may change (as data providers modernise and improve offerings), it is clear that the sensible option for organisations who wish to implement EV is to select a third-party provider. The Code specifically contemplates this via a statement allowing organisations to obtain multi-source verifications from a single provider.

When selecting an EV provider and platform, an organisation should carefully consider factors such as:

• the platform’s range of data sources;
• the platform’s ease of integration;
• the ability to select which data sources a customer can verify against;
• transparency into the methodologies used by a platform giving the organisation complete comfort with the process and a verifiable approach for the organisation’s own reporting obligations;
• the platform’s level of security and accessibility;
• the ability to brand the platform to the organisation’s brand;
• the ability to perform verification directly via API as well as via a hosted service; and
• whether the platform will scale to support the inclusion of new data sources as they become available.

The last point is crucial to organisations, as both regulators and the private sector evolve and approve additional data sources for access. For instance, the electoral roll is not currently available but would be an excellent data source. It is critical that when a new data source becomes available, organisations are able to ‘turn on’ the new source without having to perform further internal development to their IT systems. A flexible and scalable platform provides organisations with the highest possible success rates for EV at any particular time.

Verifi’s Cloudcheck platform was developed specifically with these factors in mind. Most importantly, Cloudcheck allows an organisation to select from a ‘menu’ of data sources that are then presented to a potential customer when performing EV.

Cloudcheck can be integrated into an organisation’s application process with minimal development, either via a web-based app operated by your staff; via a branded EV page emailed to your customers; or directly via the platform’s API. In addition, the platform is continually being improved, with new data sources added as they become available, without the need for our customers to perform additional development work. A single integration exercise to add Cloudcheck allows an organisation to remain at the forefront of EV into the future.

Phase 2 of the AML/CFT regime

The recently passed Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Amendment Bill will usher in “Phase 2” of New Zealand’s AML/CFT laws.

Phase 2 will bring a number of industries into the AML/CFT regime during a phased implementation period:

• Lawyers and Conveyancers — 1 July 2018
• Accountants — 1 October 2018
• Real estate agents — 1 January 2019
• High-value goods dealers — 1 August 2019
• NZ Racing Board — 1 August 2019

Cloudcheck can be customised to suit each industry’s specific needs in a cost-effective manner, in order to make the transition to the AML/CFT regime as simple and painless as possible for businesses.

Guidance notes for Phase 2 entities developed by the Department of Internal Affairs can found here. 

Amended Identity Verification Code of Practice — Explanatory Note

Verifi’s opinion on the regulators’ note

In December 2017 New Zealand’s three AML/CFT regulators released an Explanatory Note (‘note’) in relation to the Amended Identification Code of Practice 2013. These two documents should be read in conjunction with one another.

Important: this opinion should not be taken as legal advice and we STRONGLY urge you to seek your own independent advice from an experienced AML adviser or legal professional.

Overview

In our opinion, the note has conflated fraud issues and AML issues by focusing on ‘biometrics’ and the achieving of a link between the customer and the identity document presented. Whilst fraud is a very important issue facing all businesses (especially those that have processes in place that allow for non-face-to-face onboarding of customers), the risk of fraud should not be a barrier to using electronic identity verification services — a view shared by the FMA in its AML/CFT Annual Report 2016, which states:

“…some are concerned about the risk of someone’s identity being stolen and used to open an account. Fraud risk should not be a barrier for REs to use electronic identity verification, as their overall controls should include details about how they plan to reduce the risk of fraud.”

There are many ways to reduce fraud risk and each business should have controls in place to do so. The note even suggests some in paragraph 15.

We provide more detail below around single-source and two sources, but in summary — we believe that with the right controls and tools in place there is no reason why Cloudcheck cannot continue to be used by entities captured under the AML/CFT Act.

Using a single independent source

Paragraphs 8 and 9 of the note deal with the concept of using a single independent source for identity verification. Effectively, the note suggests that in order to use a single electronic source, the source, not the document, must incorporate biometric information. As the available ways of meeting this requirement are extremely limited, we believe that Verifi’s services, including a biometric option, best fit under the two reliable sources provision.  

Using two reliable and independent matching sources

Paragraphs 10 and 11 of the note discuss being able to verify the customer’s identity from two “reliable and independent” sources. Referring back to paragraph 15 of the Amended Identification Code of Practice 2013, what needs to be identified is the customer’s name, twice (15.a.b), and their date of birth, once (15.b).

The majority of Cloudcheck users use the service to verify a customer's name, date of birth and address, so this is the scenario we will focus on. To achieve a pass, Cloudcheck users typically conduct the following checks:

1. Name & Date of Birth using an ID document checked against the source database for that identity document, e.g. DIA Passport Database; and

2. Name & Address using a third-party address database, e.g. LINZ

If the above is followed, the customer’s name has arguably been verified twice and their date of birth once (as well as their address) in accordance with the Amended Identification Code of Practice 2013 and note.

Important: Verifi does not promote or recommend which databases should be verified against or should be seen as reliable and independent. The Reporting Entity must make this decision themselves, and Verifi supports this approach by allowing Reporting Entities to determine which databases to verify against, and in which order (no database is mandatory for our users).

Paragraph 12 of the note states that a Reporting Entity must have regard to whether the identity can be linked back to the customer. If you choose to proactively make this link, one easy solution would be to look at using our biometrics solution (Cloudcheck Live), which captures images of the customer’s face and identity document and enables a comparison between the two, in order to achieve this link.

As at the date of this opinion, the comparison between the two captured images is a manual one that you must undertake. A forthcoming update to Cloudcheck Live is expected to be released in Q1 2018 that will support automated image matching.

Paragraph 13 notes that if you do not have the mechanics (e.g. via Cloudcheck Live) in place to perform this link, you must have additional measures in place to satisfy yourself that the customer is the genuine holder of the identity. Paragraph 15 suggests some likely approaches.

Inclusion with AML/CFT Programme

As noted in paragraph 16, whatever you decide to do you must ensure that you have documented it in your AML/CFT Programme.

Pre-AML/CFT Act customers

Paragraph 17 allows for the use of electronic identity verification when verifying your pre-AML/CFT Act (30 June 2013) customers. One way you may wish to consider doing this is via Cloudcheck Go, our tool that enables the sending of a secure, single-use link (via our email system or yours) to your customer to get them to self-verify—including capturing images of their face and identity document (when used together with Cloudcheck Live).

Final word

Whilst we are disappointed with the ambiguity of certain elements of the note, as it has raised more questions than answers, we appreciate the difficult job the regulators have in balancing the evolving nature of the AML/CFT landscape and new technological advances.

We welcome any opportunity to work with the regulators in the future around guidance on electronic identity verification and the practical implications of it in New Zealand businesses.

This opinion is dated 13th February 2018, is for information purposes only and should not be taken as legal advice, we STRONGLY urge you to seek your own independent advice from an experienced AML adviser or legal professional.