In 2019, amendments to Canada’s primary AML regulation (PCMLTFA) came into force, permitting remote photo ID verification in Canada. In June 2021, Canada’s financial regulator FINTRAC approved two more verification methods, bringing the total to five. Now, businesses are faced with a choice of customer verification methods. We cover them all in this article.
The new requirements concern all Canadian and foreign businesses that report to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
- Financial institutions (banks, credit unions, etc.);
- Money service businesses;
- Insurance companies;
- Real estate;
- Security dealers;
- Accountants and and accounting firms;
- Agents of the crown;
- British Columbia notaries;
- Dealers in precious metals and stones.
Businesses that deal in virtual currencies (crypto exchanges, platforms that transfer cryptocurrencies, etc.) will fall under FINTRAC’s supervision, and must comply with all KYC & AML requirements as of July 1, 2020. Such companies will be considered as “money service businesses.”
At the end of 2019, FINTRAC, for the first time, permitted remote photo ID verification. Before, only on-the-spot ID verification was available to companies. The new amendments have allowed businesses to offer their services all around the world.
Other methods (credit file and dual-process) haven’t changed much. The only notable update to the credit file method is that companies no longer need to contact credit bureaus directly to obtain client information. Instead, they can delegate this to service providers. As for the dual-process method, companies can now accept electronic documents, having previously been limited to original copies.
Update: In June 2021, FINTRAC approved two more verification options: affiliate and reliance methods. However, these methods aren’t new. Each of them has already been permitted by the law. So the difference here is more about the structuring and inclusion of these methods in FINTRAC’s guidance.
Let’s take a look at all the possible verification methods, one by one.
What are the available verification methods
FINTRAC permits businesses to choose from five methods of identity verification:
- Photo ID;
- Credit file;
- Affiliate or member;
The regulator has no preference over which method the business chooses.
Method #1: photo ID
The main requirement for digital verification is to ensure that the ID is authentic (i.e., issued by a qualified organization), valid (not forged), and current (not expired).
Remote verification takes two steps: identification and verification.
- Identification. A client scans their ID using a phone or another device. Then, the company or the employed service provider checks the document using a special technology. This technology must examine specific characteristics (design, size, letter spacing, etc.) and security features (watermarks and holograms, etc.) of the ID.
- Verification. There are two ways to ensure that the ID matches the person pictured on the document: video chat or selfie. The selfie must be examined using facial recognition technology.
Doing only one step isn’t enough. Businesses cannot just check an ID or do a video call. However, the second step doesn’t have to follow the first one immediately. It’s for the company to decide when to conduct the second step.
Method #2: credit file
For this method, businesses must obtain a client’s credit file directly from the Canadian credit bureau or a service provider. The check must be conducted right when the client is verified. The verification process includes checking that the data presented by the client matches the data written in the credit file (slight typos are allowed).
The information required for this method includes: 1) name; 2) credit file number; 3) name of the bureau or service provider that has the file; 4) date when the business’s employee consulted the file.
Only those credit files that have existed for at least three years can be used for verification.
With this method, businesses can only use credit files obtained from Canadian credit bureaus, not foreign ones. Therefore, companies can only offer verification for local customers.
Method #3: dual-process
Dual-process means that businesses access client data from two separate sources. For instance, a business can contact the credit bureau to get a credit file while contacting the bank to receive financial account information. The information required for collection is the same as in the previous method.
Although businesses obtain client data from such reliable institutions as banks and credit bureaus, in reality, these entities don’t have the means to thoroughly examine ID documents. Bank employees, for instance, have to rely solely on their eyes and a watermarks scanner to decide whether a submitted ID is authentic. Hence, if a person presents counterfeit documents, there is a strong possibility they won’t be detected, and forged documents will get into databases. On top of that, the dual-process method can simply be costly and time consuming.
Method #4: affiliate or member
An affiliate is a company that is owned by, has the same parent entity or has consolidated financial statements with another company.
This option allows businesses to rely on verification conducted by their domestic or foreign affiliates or members of financial cooperatives and credit unions. The initial check must be carried out by the photo ID, credit file, or dual-process methods.
To use the option, businesses must request that their member or affiliate submits the client’s name, address, and date of birth and compares this data with the data received from the client.
Method #5: reliance method
The reliance method permits businesses to use verification performed by other Canadian companies and their foreign affiliates.
To use this option, businesses must have a written agreement with its partners that requires them to provide all information related to a client’s verification process.
As with the affiliate method, the initial verification must be done through the photo ID, the credit file, or the dual-process methods. Businesses must also check that the information they received is valid and current.