At the end of 2019, amendments to the primary AML regulation (PCMLTFA), supervised by the Financial Transactions and Reports Analysis Centre of Canada (FinTRAC), came into force. As a result, Canadian companies finally received the opportunity to employ remote verification through a photo ID document to broaden their client base. Here we discuss these new updates to KYC verification procedures.
Who is affected
The new requirements concern all companies that report to FinTRAC. These include:
- Financial institutions (banks, credit unions, etc.);
- Money service businesses;
- Insurance companies;
- Real estate;
- Security dealers;
- Agents of the crown;
- British Columbia notaries;
- Dealers in precious metals and stones.
Businesses that deal in virtual currencies (crypto exchanges, platforms that transfer cryptocurrencies, etc.) will fall under FinTRAC’s supervision, and must comply with all KYC & AML requirements as of July 1, 2020. Such companies will be considered as money service businesses.
What has changed
In these updates, FinTRAC, for the first time, permits remote photo ID verification. Before, only on-the-spot ID verification was available to companies. The new amendments have allowed businesses to offer their services all around the world.
Other methods (credit file and dual-process) have not changed much. The only notable change in the credit file method is that it is now acceptable to use service providers to obtain the client’s information contained in their credit file, making direct contact with credit bureaus unnecessary. As for the dual-process method, while previously companies could use only original documents, they can now accept documents in electronic format as well.
What are the proposed verification methods
FinTRAC permits businesses to choose between three methods of identity verification: 1) government-issued photo ID; 2) credit file, and 3) dual-process. There is no difference to the regulator which method the company chooses.
First verification option: photo ID method
The main requirement for digital verification is to ensure that the ID is authentic (i.e., issued by a qualified organization), valid (not forged), and current (not expired).
Remote verification takes two steps: identification and verification.
- Identification. A client scans their ID using a phone or another device. Then, the company or the employed service provider checks the document using a special technology. This technology must examine specific characteristics (design, size, letter spacing, etc.) and security features (watermarks and holograms, etc.) of the ID.
- Verification. There are two ways to ensure that the ID matches the person on the document’s photo: video chat or selfie. The selfie must be examined using facial recognition technology.
Doing only one of these steps is not sufficient; businesses cannot only check an ID or just have a video call. However, one step does not have to follow the other immediately. It is for the company to decide when to conduct the second step.
Second verification option: credit file method
For this method, businesses must obtain the credit file directly from the Canadian credit bureau or the service provider. The check must be conducted at the same time as client verification. This verification includes checking that the data presented by the client matches the data written in the credit file (slight typos are allowed). However, FinTRAC’s guidance does not specify a format for either remote or non-remote verification.
The information to be collected for this method include: 1) name; 2) credit file number; 3) name of the bureau or service provider that has the file; 4) date when the company’s employee consulted the file. Only those credit files that have existed for at least three years can be used for verification.
In this method, businesses can use only credit files obtained from Canadian credit bureaus, not foreign ones. Therefore, a company can offer verification only for local customers.
Now, let’s move on to the final verification method.
Third verification option: dual-process method
Dual-process means that a business accesses the client’s data from two separate sources. For instance, the company can contact the credit bureau to get the credit file and contact the client’s bank to receive the financial account information. The list of information to collect is the same as the previous one for the dual-process method.
Dual-process is a remote verification method, so the physical presence of the individual is not needed.
Although companies obtain clients’ data from such reliable institutions as banks and credit bureaus, in reality these entities do not have secure enough means to examine identity documents. Bank employees, for instance, have to rely solely on their eyes and a watermark scanner to decide whether the submitted ID is authentic. Hence, if a person presents counterfeit documents, there is a strong possibility that the fraud will not be detected, and forged documents will be stored into databases. In addition, the dual-process method can simply be costly and time-consuming.