• Add

CySEC's 2016 Customer Due Diligence Directive- 144-2007-08(Α) - seriously raising the bar.

iSignthis Ltd (ASX:ISX/FRA:TA8)

CySEC released earlier this week a new directive for customer due diligence, for remote verification of customers.

I've written the below based upon our internal analysis of the directive (guidance), with the below being an outline and not intended as legal advice.

Im pleased to say however that iSignthis does provide solutions that meet or exceed the requirements below, and we utilise a number of the approaches outlined by CySEC in the iSignthis verification approach.

The "Directive DI144-2007-08(A) of 2016 regarding the prevention of money laundering and terrorist financing" provides excellent guidance regarding remote verification, and offers some alternatives consistent with UK, Swiss and German practice. It also seriously raises the bar with regards to CDD requirements by CIF's.

Whilst the directive introduces electronic verification, it is NOT of the type that UK operators would be familiar with, due to the requirements with respect to real time, alerting, quality and updates of the data.


CySEC has confirmed that documents must be either original or certified as true copies in their physical form - dispelling the bad practice by some CIF's whereby uncertified copies are uploaded by end Customers.

CySEC does however require uncertified copies of documents to be uploaded in support of any of the following enhanced due diligence methods.

Remote Verification Elements

The following methods can be used to verify a customer's identity, with CIF's needing to assess each on a risk based approach, together with the quality and reliability of the source data or information.

1. An authenticated transaction from an EU or equivalency financial institution drawn from an account in the customer's name. iSignthis confirm source account and name, as well as prove "control" of the account.
2. Confirmatory evidence from a financial institution of the customer''s name, address and passport (or presumably other identification) details. iSignthis process captures, screens and validates bank statements that are linked to Item 1 above.
3. Confirmation of home or office telephone. (We have asked CySEC to confirm if mobile is considered either or both). iSignthis verifies mobile (and optionally landline) via automated means.
4. Video Conference with the customer, provided that conference is recorded with high quality static frames of identity documentation. This is consistent with BaFIN and Swiss regulator approaches. We question how practical, scaleable or economic this is, given that it will require a trained officer to set up an interview. We do see the benefits of this approach however for exceptions handling and audit.
5. Physical mailout of a post card to a customers address, and requesting customer to confirm a one time code printed on mailout. This is something iSignthis have explored in the past, but the 7-10 days minimum generally makes this awkward, except as a real fallback.
6. Electronic Verification, but not the UK way! The directive requires that ALL of the conditions are met, as summarised below.
- Database must conform with EU privacy/data laws and be registered with an EU data protection agency. Not particularly difficult you might think, but, consider that PayPal fell foul of this for their Turkey operation (store data to Turkish law in Turkey) last month, and lost their financial license. iSignthis is registered with Cypriot, Netherlands and UK data protection agencies.
- Electronic databases need to show current and historic evidence that the person exists. They must contain both positive information (at least full name, address and the client's date of birth) and negative information (eg committing crimes like identity theft, including a deceased person files, including on sanctions lists and restrictive measures by the European Union and the UN Security Council). Whilst on the face of it, this appears to be ok, and that there are a number of providers that should be able to offer this - the negative checks are worth querying.
- Electronic databases must contain a wide range of sources with information from various time intervals, which are updated in real time (real-time update) and send notifications (trigger alerts) when important data differentiate. Databases with a "wide" range of sources from "various time intervals" and trigger alerts on changes will prove challenging for most vendors.
- The CIF has made suitable enquiries or investigated with regards to the accuracy of the data and their results, and assessed the significance in relation to the degree of certainty with respect to the control of the customer.
- Establishment of procedures that allow the CIF to record and store information used and the results must be authenticated.
The above (which are are actually Paras 1 (b) (1) (iv) and (v) of the directive) will be interesting in practice, as they start to require quality and consistency of data that is not addressed by the UK regime. The directive has incorporated and drawn from global best practice elements from regulators outside the EU.

Data Integrity

The directive then also requires that CIF's establish procedures to satisfy the quality, completeness, validity and reliability of the information to which it has access. Provided that the review process includes both positive and negative information.

For example, at iSignthis, we use data and metadata derived directly from payment transactions as our source, and we have adopted this as our practice in terms of evaluating payment data with regards to quality, completeness, validity and reliability requirements :

- Security :Data sourced via the payment network is secure. The integrity of the payment message is considered secure, through application of PCI DSS requirements or interbank transfer protocols.
- Accuracy :The origin of the issuer is known via either the Issuer Identification Number (IIN) on the card, or via the interbank transfer protocols.
- Recency : The source is considered reliable as the account is active at the time of initiating the iSignthis process, and is not based on historic data that may no longer be accurate or have been compromised.
- Comprehensive :The data source is considered to have implemented its own initial and ongoing PEP and Sanction screens, and ensure that lost, compromised or stolen accounts are revoked immediately upon notification by the account holding customer.
- Reliance Basis : the data is maintained by the issuer pursuant to legislation, and we ensure that the issuer is not located in a sanction jurisdiction, does not appear on any sanctions list themselves, and meets any ‘equivalency’ requirements set out in the regulation under which our client operates (e.g. Bank Act) ; and
- Authentication: Knowledge Based Authentication is used to verify that the person presenting the transaction is the person who was issued the account presented.

2+2 ID&V

Finally, the information must be derived from two or more sources, which is accepted practice globally for electronic verification. At a minimum, the electronic means must meet the following correlation model:

1. Locating the full name and present address of the client from a source,
2. Locating the full name of the client and either this address or date of birth of a second source.

The CySEC requirements appear to go beyond the requirements of the UK’s JMLSG, which in turn means that UK 2+2 vendors will not be able to offer an “out of the box’ solution. That's probably not a bad thing, as the premise under which the UK model was designed has long gone, with identity theft, hacks, breaches, social engineering, and self disclosure (e.g. social media) effective;y nullifying the core premise of "PII data is private". Unfortunately, that is no longer the case, and use of authentication means, real time updates and comparative analysis is now a necessary requirement.

Compliance via iSignthis

We welcome enquiries from CIF’s or entities in other jurisdictions with regards to how we can assist with your customer due diligence requirements. CIF’s, please contact Andrew Karantzis to discuss how iSignthis can assist you with customer due diligence.

Source: https://www.linkedin.com/pulse/cysecs-2016-customer-due-diligence-directive-bar-john-karantzis?trk=hb_ntf_MEGAPHONE_ARTICLE_POST
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}