NEWS RELEASE 20 March 2015
Customer Due Diligence – use of smart phone and tablet applications
Technology now offers the possibility of collecting information and obtaining evidence of an individual’s identity in new and different ways. Accordingly, the Jersey Financial Services Commission (JFSC) has started to consider what additional guidance may be needed in its AML/CFT Handbooks in cases where wholly new concepts are used, such as the use of smart phone and tablet applications to capture images of customers and documents.
Requirement to find out identity and obtain evidence
Article 3(4) of the Money Laundering (Jersey) Order 2008 (Money Laundering Order) explains that identification of a person means:
• Finding out the identity of that person, including that person’s name and legal status
• Obtaining evidence on the basis of documents, data or information from a reliable and independent source, that is reasonable capable of verifying that the person to be identified is who the person is said to be, and satisfies the person responsible for the identification of a person that the evidence does establish that fact.
Section 4.3.2 of the AML/CFT Handbooks explains how a relevant person1 may demonstrate that it has obtained evidence that is reasonably capable of verifying that an individual to be identified is who the individual is said to be. Inter alia, it states that use of the following documentary evidence will be reasonably capable of verifying an individual’s identity:
• A current passport, or copy of such a passport certified by a suitable certifier
• A current national identity card, or copy of such a national identity card certified by a suitable certifier
• A current driving licence, or copy of such a driving licence certified by a suitable certifier.
As an alternative to using documentary evidence, Section 4.3.4 of the AML/CFT Handbooks allows the use of independent data sources to verify that the person to be identified is who the person is said to be. In practice, it may be possible to demonstrate compliance with Article 3(4) of the Money Laundering Order through a combination of documentary evidence and independent data sources.
Whereas there is currently no reference made to the use of smart phone and tablet applications in the AML/CFT Handbook, there is nothing to preclude their use in customer due diligence (CDD) measures so long as senior management of a relevant person is satisfied that it achieves compliance with Article 3(4) of the Money Laundering Order.
1 A relevant person is a person that carries on a financial services business listed in Schedule 2 to the Proceeds of Crime (Jersey) Law 1999 and which carries on that business in, or from within, Jersey or through a Jersey company or other legal person.
Other requirements are relevant.
Article 11 of the Money Laundering Order requires a relevant person to have policies and procedures for the identification and assessment of risks that arise in relation to the use of new or developing technologies for new or existing products or services.
An AML/CFT Code requires a relevant person to assess, record and monitor risk when any element of the CDD process is outsourced to another party.
Senior management responsibility
The decision to use smart phone and tablet applications rests solely with the senior management of a relevant person. Before taking such a decision, senior management must have:
• Identified and addressed technological and outsourcing risks in line with Article 11 of the Money Laundering Order and Section 2.4.4 of the AML/CFT Handbooks
• Satisfied itself that compliance with Article 3(4) of the Money Laundering Order is achieved and be able to demonstrate to the JFSC why this is so.
In order to properly consider outsourcing and technological risk, it will be necessary for senior management to be very clear what the smart phone and tablet application does and what it does not do. For example:
• Is it to be used only to collect information about an individual from that individual?
• Is it to be used to verify that individual’s identity?
• Is it to be used to collect more general relationship information about an individual from that individual, e.g. source of funds?
• Is it also to be used to collect information about an individual from reliable and independent data sources?
To the extent that a smart phone and tablet application does not cover elements of identification measures (or more general CDD measures), then, in line with Article 13 of the Money Laundering Order, these should continue to be applied using existing systems, controls, policies and procedures.
The JFSC will not endorse the use of particular smart phone and tablet applications.
Guidance on use of smart phone and tablet applications
The introduction to each of the AML/CFT Handbooks explains that guidance identifies ways of complying with the Money Laundering Order and AML/CFT Codes.
Where smart phone and tablet applications are used to capture images and documents, additional guidance will be published in the AML/CFT Handbooks to recognise the legitimate use of such applications in CDD measures. It is expected that guidance will cover the particular risks that arise when documents are not physically presented to a relevant person or a suitable certifier, and consider some of the measures that might be taken by a relevant person to mitigate such risks.
• There is a risk that documents have been tampered with or forged
• There is a risk that images of the customer or of documents are tampered with before or during transmission to the relevant person
• There is a risk that documents or images captured are stolen or their use unauthorised.
In order to assist with the development of such guidance, relevant persons that are already using, or considering the use of, smart phone and tablet applications are invited to contact the JFSC’s Financial Crime Policy Division (FCP Division) as soon as possible. In particular, it will be helpful to provide outsourcing and technological risk assessments to the FCP Division.
Andrew Le Brun – Director, FCP
Tel: + 44 (0) 1534 822065