Under the UK's anti-money laundering regime, information from electronic databases is an acceptable form of verification of clients' identities. Electronic identification can be used either as part of a wider process or, where appropriate, as the only source of identification. The regime is not prescriptive; the onus is on businesses to adequately satisfy themselves of clients' identities on a case by case basis. But before using these tools, businesses should assess for themselves whether the information mined from these databases is sufficiently reliable, comprehensive and accurate. The following points should be considered:
Does the system draw on multiple sources?
A single source, for example, the Electoral Roll, is usually not sufficient. Also, a system should ideally use both positive and negative data. Positive data are those that verify details such as name, permanent address, date of birth and so on. Negative data refer to known incidents of fraud, including identity fraud. A database that draws together both positive and negative data will provide a more complete picture of the client.
Are the sources checked across a period of time?
Systems that do not regularly update their data are generally prone to more inaccuracies than those that do. Some data must, by their nature, be regularly updated, eg permanent addresses or credit histories.
Are there regular tests to ensure the integrity of data?
Database systems should have built-in, qualitative tests that ensure the integrity of data. The system should be transparent enough to allow user to understand what checks are performed, what their outcomes are, and what bearing they have on the integrity of the data.
Note that it is up to businesses to build their identification processes for themselves with due diligence, using as many or as few sources of verification as they see fit. The anti-money laundering regime doesn't demand the use of any particular form of identity check. So long as businesses are satisfied the information they are using is robust, electronic data are as valid as paper documents.
Businesses should take a risk-based approach, considering the depth of scrutiny needed on a case by case basis. Some clients may be considered higher risk and therefore warrant more extensive checks. Some indicators as to risk might include:
- Lack of transparent ownership/complex business structures
- Business is based overseas in a less transparent jurisdiction
- The client's work is outside the usual client base (and thus experience) of the firm
- Involvement of an individual in a public position or location with higher risk of corruption (politically exposed persons)
- Significant cash business
On the other hand, if clients can reasonably be considered lower risk, identification procedures do not need to be unduly onerous.
Members are encouraged to consider their own client identification needs and not to conclude that any 'off the peg' product will be appropriate in all cases. If subscribing to such a service be prepared to supplement information obtained if it is appropriate to address the risk and give the appropriate level of satisfaction to you. Remember it is you who will have to demonstrate that you took all reasonable steps to satisfy yourself the client is who they purport to be.