Dear Sirs, Response to the Review of the AML/CTF Regime Issues Paper

Transcription

1 28 th February 2014 AML/CTF Review Team Financial Crime 4 National Circuit BARTON ACT 2600 By amlreview@ag.gov.au Dear Sirs, Response to the Review of the AML/CTF Regime Issues Paper We thank you for the opportunity to provide our response to the stakeholder consultation as outlined in the Review of the AML/CTF Regime Issues Paper dated December We have only responded to the section entitled Harnessing technology to improve regulatory effectiveness on page 19 of the issues paper. Background provides online Evidence of Identity (EOI) by confirming via authentication that the originator of a transaction on a specified financial instrument is the account holder of the financial instrument. In Australia, such service would be provided on an agency basis under s37 of the Anti Money Laundering and Counter Terrorism Act 2006 (Cth) ( the Act ). The isignthis EOI service is not directed at the opening of accounts per s6, Table 1 of the Act, but rather for any other designated service per Tables 1 to 4. That is, any financial instrument issued by a financial institution in Australia (or any other FATF jurisdiction that is equivalent to Australia), should be regarded as a reliable source of identification with regards to the customer due diligence requirements required for other designated services (excluding accounts). The isignthis process relies upon the customer having first been identified by a regulated financial institution at the account opening stage, as a mandatory requirement in FATF legislative model jurisdictions. Bank accounts, credit and debit cards may only be issued following appropriate customer due diligence (CDD) and the financial institution meeting its Know Your Customer (KYC) requirements. Our process does not require direct involvement by the issuing financial institution, nor the provision of any facilities additional to those already provided by the financial institution to their customer base. It is our contention that the licensed financial institutions that offer accounts under s6 of the Act should assist businesses and those without specific expertise in conducting customer due diligence. The assistance required from financial institutions places no additional burden on them over those already imposed by the Act, and is that of indirect reliance upon their CDD. Page 1 of 7

2 Our understanding is that the operation of s38 and s114 of the Act in their current form provide a basis for reliance based services as proposed by isignthis. isignthis would act under s37 as an agent for Reporting Entities. We believe that our process is also consistent with, for example, the provisions of the US Bank Secrecy Act and Patriot Act, the Monetary Authority of Singapore Guidance Note 626, the Hong Kong AML regulations CAP, and the 4 th Directive on AML/CTF, which has been proposed by the European Commission and is due for vote by the EU parliament in April As of the date of this submission, isignthis is finalising agreements with a government agency of a FATF legislative model jurisdiction to provide EOI services for the remote identification of online customers. We would be pleased to provide further details in confidence if this is of interest to the department. The isignthis process is subject to Australian and international patents, with further information available from our website, and the (not for publication) White Paper attached to this submission. The White Paper may provide some useful comparison between various jurisdictions. Harnessing technology to improve regulatory effectiveness How might the development of online identity verification systems be harnessed to streamline and strengthen compliance with customer due diligence obligations under the AML/CTF Act? Online identity systems may be categorised by their use of one or more of the following approaches that may be augmented by uploading of supporting documentation: 1. reliance upon physical documentation that is uploaded via digital scanning of the identity documents for comparison with both identity document templates and comparison of photo features on the identity document and facial recognition of features captured at point of transaction (e.g. Jumio or Facebanx) 2. reliance upon static, localised, point in time databases, as reported by financial institutions and other businesses (e.g. Veda or Experian) 3. reliance upon government maintained databases (e.g. the DVS or electoral roll) 4. reliance upon financial instrument authentication (e.g. isignthis or PayPal) 5. reliance upon account access information via the use of account aggregation services (e.g. Yodlee or miicard) Our view is that the first category is presently a high technological risk, as the recognition software needs to not only identify if a document is valid, but it also needs to compare the images on the document with facial recognition. Page 2 of 7

3 A further approach that appears to us to be of high risk is the account aggregation approach, whereby customers are requested to provide their account login and passwords to multiple accounts across multiple institutions. The advantage posited to customers is that all accounts can be accessed and viewed by the customer from a single online portal. Whilst this approach confirms to the operator that the customer has in fact got access to the nominated accounts, it also creates a (permanent or transitory) store of information that could lead to breaches with the most severe consequences. The European Parliament is currently debating third party access to accounts, and, whilst it appears likely they will permit access, the requirements will be stringent, with severe penalties currently being proposed for companies and their directors against any breach. There is well-- established use of the static database approach within Australia. Unfortunately, the use of static databases has the obvious shortcoming that there is no dynamic element associated with the identification procedure. The addition of knowledge-- based challenge/response to the process will alleviate the issue slightly, however, the challenge and response data is also static and also subject to breach. It is an unavoidable flaw of centralised, aggregated databases that they are susceptible to breach, and that the static information contained therein may be compromised beyond recovery or re-- use. In what other ways can technology be used to support the objectives of the AML/CTF regime or reduce the compliance burden on business? By way of example, isignthis has developed technology that leverages the existing financial network end-- to-- end, between the online point of payment at the business/emerchant through to the customer portals that display the statement of account for the instrument used to make payment. The re-- use of the existing financial processing network infrastructure and back office KYC processes by regulated financial institutions, provides a basis upon which all banked customers may be identified online. If a business is a reporting entity under the Act, and it is in a position where it accepts payments via online means, then it is in our view desirable for the business to have a process that combines payment and identification. The isignthis process establishes that a financial instrument is reliable. The isignthis process to determine if an account is reliable includes confirming that the financial instrument is a) active and, b) from a reputable Obligated/ Reporting Entity and, c) that the account holder has initiated the transaction by authenticating a specific transaction and, d) that the process has been logged through an evidentiary trail, including details of financial institution, account, transaction identification and technical data. Page 3 of 7

4 isignthis uses the credit/debit card or direct debit request, and its associated data, to create a traceable link and authentication 1 through insertion of additional payment data during the payment process. The account holder is the only person that would reasonably be able to access the account and provide details as to the additional data inserted by isignthis, and thus complete the authentication process. This in turn creates a loop back to the account holder, with traceability as to the initiation of the transaction and authentication. The traceability process captures network and device data including IP address, geo-- location, device identifiers, operating system, language, and may be coupled to third party device fingerprinting technology or biometrics. The re-- use of the account issuing financial institution s banks KYC/CDD, via the existing global financial payment network substantially lowers the compliance burden on business. What are the advantages and disadvantages of online identity verification, and how might the disadvantages and risks of this approach be addressed? isignthis contends that use of at least one active financial instrument as part of the identification process provides a superior means of electronic verification. This use of authentication provides a dynamic means of ascertaining if the financial instrument is being operated by the account holder. A safeguard of financial instruments is that they are most likely immediately cancelled if compromised by the account holder. Consequently, any identity created using them may be revoked or suspended. The inclusion of a dynamic verification process would enhance the ability of Reporting Entities to comply with ongoing Customer Due Diligence (CDD) requirements, since customers may be requested to re-- authenticate at future points in time, using their future-- valid authentication information, rather than relying on static databases, which may not be as up to date. In the event of account takeover, the breach is generally reported promptly, either limiting the ability of third persons to use the account to spawn ghost accounts, or, for any accounts created from date of account breach to be revoked. That is, any breach of a financial instrument is active and discernable by multiple parties. This is in contrast to a passive and potentially non-- discernable breach of static databases, where data may be read for later on use, without visible compromise of the database. 1 authentication means a procedure which allows the payment service provider to verify the identity of a user of a specific payment instrument, including the use of its personalised security features or the checking of personalised identity documents; (From EU Payment Services Directive 2013 draft legislation) Page 4 of 7

5 Financial instruments and their associated transaction activity are monitored on a continuous basis by the issuing financial institution and their account holders. EOI based upon dynamic inputs from live financial instruments then allows sanction and PEP lists to be screened during the identity process using the name and the details associated with the financial instrument presented, further extending the probability that a sanctioned person will be detected. Further, continuing due diligence requirements can be met by either authenticating a subsequent transaction on the original financial instrument, based upon periodic or risk criteria, or, the level of assurance may be augmented by a separate financial instrument being authenticated and linked to the persons online identity or EOI profile. A further advantage is that all banked Australians can be identified online, whereas use of static databases relies upon enrolment of the person to either of a (reported) credit facility, and/or a driver s license, and/or a passport and/or the electoral roll. It is our contention that any person that seeks to transact online will of necessity likely be already in possession of a suitable financial instrument and thus identified by their bank. There is already an expectation that the customer will need to provide the details of their financial instrument in order to effect payment for whatever online service they are intending to procure. That is, the level of personal information to be provided is no higher a burden that what a customer would provide today in regular ecommerce. The level of additional personal data to be uploaded to the internet is thus minimised, and consistent with emerging privacy principles and privacy by design. This process can then be extended to persons residing overseas, who may seek to transact with an Australian reporting entity. For persons residing in FATF legislative model jurisdictions that are deemed equivalent to Australia, the process can provide significant benefit to Australian businesses. The benefit is not only in cost and time savings, but also in competitive advantages for Australian business that may have access to a remote and automated means of identifying international customers. Some risk mitigation and general advantages to this approach are: reach 100% of banked persons in suitable jurisdictions, corresponding to 100% of online users that would be required to identify themselves under the Act (ie a user will not seek to transact/make payment online unless they have a means to do so). the approach can be layered, such that a second financial instrument may be requested as a further source in order to mitigate risk under certain circumstances. continuing due diligence can be met by re--- authenticating any routine transaction between the reporting entity and the customer. Page 5 of 7

6 screening and due diligence is active, based upon operating accounts that have not been suspended or revoked, providing a further layer to the process. Active comparison against new and existing EOI profiles with regards to PEP/sanction lists and financial institution revocation lists (such as TC40 and SAFE reports for dishonoured credit cards), provides yet another layer to the process. sources of information are disaggregated, whereby a breach at one issuing institution does not lead to a systemic failure of the EOI process (e.g. consider if a database relating to historical credit of persons were to be breached) customer data is maintained by the issuing financial institution, and not of necessity replicated at multiple (and possibly less secure) locations. the database maintained by isignthis provides traceability back to a financial institution source, but does not per se comprise data that can lead to new EOI profiles being generated. EOI profiles can be depersonalised to the extent that only the primary account number, transaction identifier and authentication response, together with network and device data, is necessary to be maintained. Compliance with Ss of the Act would still be possible. In the event of account takeover, a person may use their new/replacement financial instrument credentials to revalidate their online EOI profile. New or replacement instruments would have differing account numbers and access details, in addition to KYC having been revalidated at time of issue. lowering the cost burden on business providing a near universal publicly accessible service for online identification, which re-- uses existing financial network infrastructure, incorporating facilities from sources familiar and trusted to the individual. (e.g. online banking portals) As the process relies upon KYC by the issuing entity in whatever jurisdiction it operates in, the assessment of documentation and face-- to-- face KYC process is by persons who are familiar with local identification documents in that particular jurisdiction. In turn, this reduces complexity for Australian business in determining if a customer s documentation is valid or invalid for KYC purposes. By way of counter example, the loss of a first person s wallet would allow a third person to access services such as the DVS, and create ghost accounts with designated service providers, unbeknownst to the first person. The inclusion of dynamic authentication of a live financial instrument as part of an EOI process would mitigate any fraudulent creation of ghost accounts, as it would require both static and dynamic data to be ascertained in order to complete the EOI process. Whilst the isignthis EOI process relies upon the issuing financial institution to maintain continuing due diligence, these institutions already bear that burden in any case. isignthis contends that the Electronic Verification safe harbour provisions should be less prescriptive, as the codification of methodology itself introduces risks, due to the public transparency of the codified approach. Page 6 of 7

7 isignthis further contends that the use of nominated, centralised, near static, point in time databases leads to risks that can be avoided or mitigated. In particular, databases whose contents may be (in whole or part) improperly ascertained by third parties using unauthorised means increases overall risk. Other Applications for Evidence of Identity The Act provides a framework for the identification of individuals or business, which may be applicable to other areas and services other than those designated by the Act. For example, the Australian Communications and Media Authority has recently issued guidelines on the requirements of identification of prepaid mobile customers. The use of a credit card as part of the in store process meets the revised requirements, presumably as the credit card is authenticated by Chip and PIN authentication. Authenticating the credit card online using the isignthis service, provides a remote and equivalent analogue to in-- store authentication, which would allow mobile operators the ability to accept payment online, and use the authentication of the payment as a means of meeting their compliance requirements. The additional advantage to individuals, business and the financial industry itself is that in such a case where a financial instrument is authenticated online, the opportunity for card not present fraud against that financial instrument is significantly mitigated. Provision of online services by Centrelink, the Department of Human Services or Medicare, where there is a link between the person, the service and payment to a financial instrument, means that a similar process can be adopted for remote identification of the person. Whilst the EOI profiles can be re-- used and shared between services, it is preferable under a risk based approach to maintain dynamic revalidation of the EOI profile, at least periodically, and in accordance with risk based criteria. We thank you for your consideration of to the matters raised above, and would welcome a discussion or correspondence with the review team if there are any queries. Yours faithfully N J Karantzis Managing Director Page 7 of 7