
Focus Note: Global Trends in Anti Money Laundering

Leon Perlman1 and Andrew Araujo2

Abstract3

A successful innovation in providing basic financial services at relatively low cost, in service of financial inclusion goals, is known as Digital Financial Services (DFS).4 It mimics the basic transactional – and mostly non-credit – capabilities of bank accounts, but is provided by banks as well as non-banks such as mobile network operators (MNOs) and third parties known as Digital Financial Services Providers (DFSPs). Access to DFS is (primarily) via low-cost mobile phones,5 and DFS is sometimes also termed ‘mobile money’ and ‘mobile financial services’ (MFS).

Sign-up for a DFS account usually requires provision of an acceptable form of identity to an ‘agent’ of the DFSP. These agents are sometimes called ‘human ATMs’ to recognize their critical role in providing (and accepting) digital ‘mobile money’ to and from customers by exchanging cash. This facility is often known as ‘cash in/cash out’ (CICO).6

1 Leon Perlman Ph.D.; Head: Digital Financial Services Observatory, Columbia Institute for Tele-information, Columbia University (CITI), New York.

2 Andrew Araujo, Research Assistant, Digital Financial Services Observatory, Columbia Institute for Tele-information, Columbia University (CITI), New York.

3 This paper was supported by a grant by the Bill and Melinda Gates Foundation. I am grateful to Professor Eli Noam, Director of CITI, for his supportive role and comments on early drafts; and to my colleagues at the Digital Financial Services Observatory.

4 For an introduction to and overview of DFS, see Perlman, L (2018) Digital Financial Services Primer 2018, available at dfsobservatory.com

5 For an overview of the mobile phones and technologies used in DFS, see Perlman, L (2017) Technology Inequality: Opportunities and Challenges for Mobile Financial Services, available at https://bit.ly/2pAHOBw

6 Cash-in is a process of exchanging cash for electronic value, what is often known as ‘e-money’, and cash out is the process of exchanging electronic value/e-money to cash. AFI (2016) Digital Financial Services Basic Terminology, available at https://bit.ly/2fipB9g

AML/CFT requirements for DFS to detect and counter money laundering (ML) and terrorist financing (TF)7 may be part of what has historically been referred to as Know Your Customer (KYC)8 but which is now known as procedures for customer identification and verification (CIV).9 These CIV procedures are in turn usually part of what is known as customer due diligence (CDD)10 requirements. CIV and CDD are procedures, principles and processes that stem from efforts by national regulators and supranational Standard Setting Bodies (SSBs) such as the Financial Action Task Force (FATF)11 to prevent and identify ML and TF.

Local regulators set the AML/CFT policies and principles that what are generally known as ‘reporting institutions’ – such as banks and DFSPs – must follow when dealing with customers; these institutions risk fines and other limitations on their activities if they do not.

This focus note traces the evolution of AML approaches and of the ability of companies to comply with AML rules, using a comparative approach between developed and developing world economies.

It also addresses emerging AML-related issues surrounding the evolution of crypto-currencies as mainstream financial and monetary instruments and products.

7 ML refers to the conversion or transfer of property or any association, knowing it is derived from criminal activity, for the purpose of hiding its origins, nature, location, disposition, movement or ownership. Similarly, TF is the provision or collection of funds to contribute to the commission of specific offences while in complete knowledge that they are being used or will be used for such purposes. Summarized from EIB (2018) Anti-Money Laundering and Combating Financing of Terrorism Framework, available at https://bit.ly/2HX4QMH. See also CGAP (2005) AML/CFT Regulation, available at http://www.cgap.org/publications/amlcft-regulation; and IMF (2018) Anti-Money Laundering/ Combating the Financing of Terrorism (AML/CFT), available at https://www.imf.org/external/np/leg/amlcft/eng/

8 ACAMS defines KYC as: ‘AML policies and procedures used to determine the true identity of a customer and the type of activity that is “normal and expected,” and to detect activity that is “unusual” for a particular customer.’ ACAMS (2018) AML Glossary of Terms, available at https://www.acams.org/aml-glossary/

9 CIV is also known as ‘Customer and beneficial owner identification and verification’ in some jurisdictions. CIV may involve identification data such as a person’s full name; date of birth; ID number; nationality; and residential address. Some countries may also require additional information such as contact details, profession or occupation, source of funds, or tax number (depending on country context). See Finmark Trust (2015) AML/CFT due diligence and related matters, available at https://bit.ly/2S8NP47

10 ACAMS defines CDD in terms of ML controls, as requiring ‘policies, practices and procedures that enable a financial institution to predict with relative certainty the types of transactions in which the customer is likely to engage. CDD includes not only establishing the identity of customers, but also establishing a baseline of account activity to identify those transactions that do not conform to normal or expected transactions.’ As part of CDD, it says, providers should identify and verify the customer’s identity using reliable and independent sources; identify and verify the beneficial owner so as to know whether they are the actual parties of interest; obtain information on the purpose and intended nature of the business relationship; assess the risks associated with the business relationship; monitor transactions to check that they are consistent with the knowledge of the customer, their business and risk profile; and conduct ongoing due diligence. FATF (2012) The FATF Recommendations, available at https://bit.ly/1e7w0Gl. Similarly, but in the context of financial inclusion, CGAP says CDD ‘involves identifying a client and verifying the client’s identity by checking his or her identity documentation or data and, where appropriate, conducting background and beneficial ownership checks. Clients are then profiled and their transactions are monitored to identify discrepancies that may trigger a suspicious transaction report to be filed with the country’s FIU.’ See Lyman, T & de Koker, L (2018) KYC Utilities & Beyond: Solutions for AML/CFT Paradox?, available at https://bit.ly/2OqOgso. See also Exhibit 1 outlining the FinCEN view of the differences and interconnectedness between KYC, CDD, and CIV and their relationship to an AML program.

11 FATF is an inter-governmental body that sets standards and promotes effective implementation of legal, regulatory and operational measures for combating ML, TF and other related threats to the integrity of the international financial system. Its ‘Recommendations’ relate to financial and non-financial institutions. FATF (2018) About, available at http://www.fatf-gafi.org/about/. FIUs will usually create principles for AML and CIV based on principles from FATF and within a country context.

Table of Contents

Abstract
ABBREVIATIONS
1. Introduction
2 Compliance Related Aspects of AML/KYC
2.1 Overview
2.2 Identification, and CDD on Downstream Entities
2.3 Suspicious Transactions and Customers
2.4 Compliance and Enforcement Uncertainty Through Regulatory Ambiguity
2.5 Compliance Costs
2.6 Institutional Capacity
3 Supra National Approaches to AML/KYC
3.1 The Role and Impact Of The Financial Action Task Force (FATF)
3.2 FATF’s Recommendations
4. Trends in Approaches to AML/KYC and Compliance
4.1 The Risk-Based, Proportional Approach to AML
4.2 Balancing Financial Inclusion and Financial Integrity
4.3 Central Database For CIV and Ongoing CDD
4.4 Compliance Management Capacity
4.5 Crypto-currencies and AML
4.6 Innovation and Capacity
4.8 Remote Onboarding
4.9. The Rise of Transaction Laundering
4.10 AML Policy in the U.S
4.10.1 CDD and Beneficial Ownership Rule
4.10.2 Implications of the Paycheck Protection Program
4.11 Regtech
5 Country eKYC Implementations
5.1 Overview
5.2 Benefits and Risks Associated with E-ID
5.3 Country Customer Due Diligence Approaches
5.3.1 Developing World Approaches
5.3.2 Developed World Approaches
5.3.2.1 European Union AML Directives
5.3.2.2 Canadian AML Policy Amendments
6 Conclusions

Abbreviations

AML/CFT Anti-Money Laundering and Combating the Financing of Terrorism

AMLU Anti Money Laundering Unit

AMLD Anti-Money Laundering Directive

API Application Program Interface

ATM Automatic Teller Machine

Biodata Biometric Data

BSA Bank Secrecy Act

BTCA Better than Cash Alliance

CA Certification Authority

CDD Customer Due Diligence

CFT Counter Terrorist Financing

CIV Customer Identification and Verification

CICO Cash In/Cash Out

CRS Congressional Research Service

CSPD Civil Status and Passports Department

DFS Digital Financial Services

DFSP Digital Financial Service Provider

DISP Digital ID Service Provider

ECOWAS Economic Community of West African States

EDD Enhanced Due Diligence

eKYC Electronic KYC

eID Electronic ID

E-signature Electronic Signature

FATF Financial Action Task Force

FinCEN Financial Crimes Enforcement Network

FI Financial Institutions

FIGI Financial Instrument Global Identifier

G2P Government to Person

GFIN Global Financial Innovation Network

ID Identity

IP Internet Protocol

KYC Know Your Customer

ML Money Laundering

MNO Mobile Network Operator

MOU Memorandum of Understanding

MPSP Mobile Payments Services Provider

OCC Office of Comptroller of the Currency

OCDD Ongoing Customer Due Diligence

P2P Person To Person

PEP Politically Exposed Persons

PIN Personal Identification Number

PKI Public Key Infrastructure

POS Point of Sale

PPP Payroll Protection Program

SIC Smart ID Card

SDD Simplified Due Diligence

SIM Subscriber Identity Module

T&C Terms and Conditions

TF Terrorist Financing

UNHCR United Nations High Commissioner for Refugees

1. Introduction

Financial inclusion12 has increased globally with 69% of adults having access to formal financial services.13 This increase is mainly driven by the uptake of mobile phones and access to the internet.14 Yet, 1.7 billion people still remain financially excluded.15

A successful innovation in providing basic financial services at relatively low cost, in service of financial inclusion goals, is known as Digital Financial Services (DFS).16 It mimics the basic transactional – and mostly non-credit – capabilities of bank accounts, but is provided by banks as well as non-banks such as mobile network operators (MNOs) and third parties known as Digital Financial Services Providers (DFSPs). Access to DFS is (primarily) via low-cost mobile phones,17 and DFS is sometimes also termed ‘mobile money’ and ‘mobile financial services’ (MFS). There are now 270 live DFS implementations in over 90 countries.18

Sign-up for a DFS account usually requires provision of an acceptable form of identity to an ‘agent’ of the DFSP. These agents are sometimes called ‘human ATMs’ to recognize their critical role in providing (and accepting) digital ‘mobile money’ to and from customers by exchanging cash. This facility is often known as ‘cash in/cash out’ (CICO).19

However, the sign-up for DFS and acquisition of necessary MNO SIM cards for mobile access is often handicapped by a lack of acceptable forms of identity that may be required by national regulations relating to Anti-Money Laundering and Counter Terrorist Financing (AML/CFT)20 policies often issued by a central bank, telecommunications regulator or financial intelligence unit (FIU) as the case may be.21

AML/CFT requirements to detect and counter money laundering (ML) and terrorist financing (TF)22 may be part of what has historically been referred to as Know Your Customer (KYC)23 but which is now known as procedures for customer identification and verification (CIV).24 These CIV procedures are in turn usually part of what is known as customer due diligence (CDD)25 requirements. CIV and CDD are procedures, principles and processes that stem from efforts by national regulators and supranational Standard Setting Bodies (SSBs) such as the Financial Action Task Force (FATF)26 to prevent and identify ML and TF. Local regulators set the AML/CFT policies and principles that what are generally known as ‘reporting institutions’ – such as banks and DFSPs – must follow when dealing with customers; these institutions risk fines and other limitations on their activities if they do not.

Customer Identification and Verification (CIV) is the ‘modern’ catch-all description for identifying, verifying and undertaking due diligence on customers. Although FATF largely discarded the term ‘KYC’ in its documents onwards from 2003,27 KYC as the overall descriptor for CIV and related processes is still firmly embedded in the minds of national regulators, compliance officers, industry associations,28 academic works,29 and customers.30

12 For an overview of financial inclusion, see Perlman, L (2018) Digital Financial Services Primer 2018, available at dfsobservatory.com

13 World Bank (2018) The Global Findex Database 2017, available at https://globalfindex.worldbank.org/

14 ibid.

15 ibid.

16 For an introduction to and overview of DFS, see Perlman, L (2018) Digital Financial Services Primer 2018, available at dfsobservatory.com

17 For an overview of the mobile phones and technologies used in DFS, see Perlman, L (2017) Technology Inequality: Opportunities and Challenges for Mobile Financial Services, available at https://bit.ly/2pAHOBw

18 Naghavi, N & Scharwat, C (2018) Mobile money competing with informal channels to accelerate the digitisation of remittances, available at http://bit.ly/2KcHqAH

19 Cash-in is a process of exchanging cash for electronic value, what is often known as ‘e-money’, and cash out is the process of exchanging electronic value/e-money to cash. AFI (2016) Digital Financial Services Basic Terminology, available at https://bit.ly/2fipB9g

20 The Association of Certified Anti-Money Laundering Specialists (ACAMS) defines AML as: ‘The system designed to assist institutions in their fight against money laundering and terrorist financing. At a minimum, the AML program should include (a) written internal policies, procedures and controls; (b) a designated AML compliance officer; (c) on-going employee training; and (d) independent review to test the program.’ See ACAMS (2018) AML Glossary of Terms, available at https://www.acams.org/aml-glossary/

21 Financial Intelligence Units are often also known as the ‘AML Unit’ (AMLU) or the Financial Intelligence Agency (FIA), and are usually independent state bodies with their own powers of investigation, but which in some cases may be a division within the central bank.

22 ML refers to the conversion or transfer of property or any association, knowing it is derived from criminal activity, for the purpose of hiding its origins, nature, location, disposition, movement or ownership. Similarly, TF is the provision or collection of funds to contribute to the commission of specific offences while in complete knowledge that they are being used or will be used for such purposes. Summarized from EIB (2018) Anti-Money Laundering and Combating Financing of Terrorism Framework, available at https://bit.ly/2HX4QMH. See also CGAP (2005) AML/CFT Regulation, available at http://www.cgap.org/publications/amlcft-regulation; and IMF (2018) Anti-Money Laundering/ Combating the Financing of Terrorism (AML/CFT), available at https://www.imf.org/external/np/leg/amlcft/eng/

23 ACAMS defines KYC as: ‘AML policies and procedures used to determine the true identity of a customer and the type of activity that is “normal and expected,” and to detect activity that is “unusual” for a particular customer.’ ACAMS (2018) AML Glossary of Terms, available at https://www.acams.org/aml-glossary/

24 CIV is also known as ‘Customer and beneficial owner identification and verification’ in some jurisdictions. CIV may involve identification data such as a person’s full name; date of birth; ID number; nationality; and residential address. Some countries may also require additional information such as contact details, profession or occupation, source of funds, or tax number (depending on country context). See Finmark Trust (2015) AML/CFT due diligence and related matters, available at https://bit.ly/2S8NP47

25 ACAMS defines CDD in terms of ML controls, as requiring ‘policies, practices and procedures that enable a financial institution to predict with relative certainty the types of transactions in which the customer is likely to engage. CDD includes not only establishing the identity of customers, but also establishing a baseline of account activity to identify those transactions that do not conform to normal or expected transactions.’ As part of CDD, it says, providers should identify and verify the customer’s identity using reliable and independent sources; identify and verify the beneficial owner so as to know whether they are the actual parties of interest; obtain information on the purpose and intended nature of the business relationship; assess the risks associated with the business relationship; monitor transactions to check that they are consistent with the knowledge of the customer, their business and risk profile; and conduct ongoing due diligence. FATF (2012) The FATF Recommendations, available at https://bit.ly/1e7w0Gl. Similarly, but in the context of financial inclusion, CGAP says CDD ‘involves identifying a client and verifying the client’s identity by checking his or her identity documentation or data and, where appropriate, conducting background and beneficial ownership checks. Clients are then profiled and their transactions are monitored to identify discrepancies that may trigger a suspicious transaction report to be filed with the country’s FIU.’ See Lyman, T & de Koker, L (2018) KYC Utilities & Beyond: Solutions for AML/CFT Paradox?, available at https://bit.ly/2OqOgso. See also Exhibit 1 outlining the FinCEN view of the differences and interconnectedness between KYC, CDD, and CIV and their relationship to an AML program.

26 FATF is an inter-governmental body that sets standards and promotes effective implementation of legal, regulatory and operational measures for combating ML, TF and other related threats to the integrity of the international financial system. Its ‘Recommendations’ relate to financial and non-financial institutions. FATF (2018) About, available at http://www.fatf-gafi.org/about/. FIUs will usually create principles for AML and CIV based on principles from FATF and within a country context.

27 Lyman, T & de Koker, L (2018) KYC Utilities & Beyond: Solutions for AML/CFT Paradox?, available at https://bit.ly/2OqOgso

28 See also AFI (2013) Risk-based Approaches to AML/CFT: Balancing financial integrity and inclusion, available at https://bit.ly/2S6yHnX

29 For example, de Koker, L (2014) The FATF’s customer identification framework: fit for purpose?, available at https://bit.ly/2S8QZF2; and Arner, D; Zetzsche, Buckley, R et al. (2018) The Identity Challenge in Finance: From Analogue Identity to Digitized Identification to Digital KYC Utilities, available at https://ssrn.com/abstract=3224115. See also FATF (2012) The FATF Recommendations, available at https://bit.ly/1e7w0Gl

30 The terminology communicated by banks, MNOs and other financial providers such as DFSPs to their customers when they sign up for services mostly refers to ‘KYC’ as the identity-verification descriptor.

Distinguishing between, and outlining the relationships between, AML, CDD, CIV, and KYC is best shown through the final rule31 issued by the US FIU, FinCEN. The rule describes its ideal AML program as including four core elements of CDD: (a) CIV; (b) beneficial ownership identification and verification; (c) understanding the nature and purpose of customer relationships to develop a customer risk profile; and (d) ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information.

In many cases CIV or CDD are conflated with ‘KYC’ to mean the same thing, whereas KYC is now considered to be only one component – the identity input – of a CIV procedure32 that, in turn, is part of the ongoing33 CDD process.34 All of these components together form part of an AML/CTF program for all covered financial institutions.35 Similarly, the capture and use of biometric data of citizens, residents or scheme participants for general identification purposes and specifically for AML purposes has assumed the moniker eKYC.

31 FinCEN (2016) Customer Due Diligence Requirements for Financial Institutions, available at https://bit.ly/2ySJMQS

32 For Southern African Development Community (SADC) countries, the verification of customer identity data may involve use of independent (external) sources such as an address validation and verification service; bank statement; cellular or telephone account; credit reference agency; insurance policy; lease or tenancy agreement; national database or register; personal visit to the home of the applicant; rates or utility bill; reference from a bank; reference from customary authority; reference from known customer of bank; reference from well-known professional/government official; reference or affidavit from an employer; revenue service; telephone book; and television license. See Finmark Trust (2015) AML/CFT due diligence and related matters, available at https://bit.ly/2S8NP47

33 Authorities, the financial sector and other designated entities – such as lawyers and real estate agents – must provide what are known as ‘suspicious transaction reports’ (STRs) to the FIU if activity that could indicate ML or TF is suspected by that entity. Suspicious activity may be irregular or questionable customer behavior or activity that may be related to ML or other criminal offense, or to the financing of a terrorist activity. It may also refer to a transaction that is inconsistent with a customer’s known legitimate business, personal activities, or the normal level of activity for that kind of business or account. See ACAMS (2018) AML Glossary of Terms, available at https://www.acams.org/aml-glossary

34 Where contextually required, the distinction between the terms KYC, CIV, CDD will be highlighted. For further discussion of terminology used in the context of financial transactions and ML, see de Koker, L (2014) The FATF’s customer identification framework: fit for purpose?, available at https://bit.ly/2S8QZF2; and Watts, D, Medine, D & De Koker, L (2018) Customer Due Diligence and Data Protection: Striking a Balance, available at https://bit.ly/2KKJAHk; Lyman, T & De Koker, L (2018) KYC Utilities & Beyond: Solutions for AML/CFT Paradox?, available at https://bit.ly/2OqOgso

35 An effective AML program, FinCEN says, should include (i) a system of internal controls; (ii) designation of an AML-focused compliance officer; (iii) training; (iv) testing and auditing; and that CDD-covered institutions understand the nature and purpose of relationships so as to develop a customer risk profile, conduct ongoing monitoring for reporting suspicious transactions, and, using a risk-based approach, maintain and update customer information. FinCEN (2016) ibid.

eKYC refers to the electronic means to conduct customer identification and allow online and/or digital verification of the customer’s identity. When biometric-based, eKYC may require capture of the customer’s biodata, which may include fingerprints, facial, voice and iris scans. Similarly, an identity with electronic and/or biometric components to it is known as an electronic ID (eID).36

There is often a distinction made between eID and digital IDs, or the terms are used interchangeably as essentially a distinction without a difference. To be consistent and, importantly, to maintain the link to the eKYC focus of this Note, this Note uses the term eID to represent the electronically (digitally) captured and stored – and not solely physical37 – representation of an ID and the biographical data therein, unless noted otherwise. In the use cases described in this Note, the eID will always have a biometric component to it.

Exhibit 1: A Word on Identity and AML-related Terminology

There is however a significant ‘identification gap’ in the developing world, with some 1.5 billion people lacking proof of legal identity.38 The proof could be a birth certificate, or a document or ID issued by a sectoral authority that indicates that the holder is that same person. With fake IDs though, attestation – a higher form of verification – is unlikely. eKYC and eIDs are usually able to provide that required attestation of the veracity of the holder’s ID by an issuing authority.

36 Electronic ID (eID) is a form of identification used for online or offline identification process often in the form of a photo-card with an embedded chip that contains information. Some eIDs can contain biometric information and are often referred to as Smart Identity Cards (SIC) described in Exhibit 4. MicroSave (2017) Progress and Challenges with KYC and Digital ID, available at https://bit.ly/2teQXAN; and World Bank (2018) Principles On Identification For Sustainable Development: Toward The Digital Age, available at https://bit.ly/2mgZktJ

37 The physical representation of the electronically captured and stored data may also be in the form of a SIC.

38 Identity is a set of attributes that uniquely describes an individual or entity. World Bank (2018) Principles On Identification For Sustainable Development: Toward The Digital Age, available at https://bit.ly/2pZWkBY. The UN’s Sustainable Development Goals (SDGs) aim to achieve ‘legal identity for all, including birth registration’ by 2030. See ‘Target 16.9’ of the UN SDGs, available at https://sustainabledevelopment.un.org/sdg16. As the World Bank notes, identification is also a key enabler of Target 1.3 (implementing social protection systems), 1.4 (ensuring that the poor and vulnerable have control over land, property, and financial assets), 5a (giving poor women equal access to economic resources, including finance), 5b (enhancing the use of technology, including ICT to promote women’s empowerment), 10.7 (safe and responsible migration and mobility), 10c (reducing the cost of remittance transfer), 12c (phasing out harmful fuel subsidies), 16a (strengthening the capacity to fight terrorism and crime), 16.5 (reducing corruption). The World Bank also notes that there are national and international efforts involving donors and private-sector partners to strengthen legal identification systems, including civil registries, national IDs, population databases, voter registries, social transfer databases, and travel documents. World Bank (2018) Principles Of Identification For Sustainable Development: Toward The Digital Age, available at https://bit.ly/2pZWkBY.

Without legal and acceptable means to identify themselves, some 20% of the financially excluded are unable to access DFS facilities because they lack the necessary proof of identity documentation mandated by regulators for opening financial services accounts39 and for obtaining mobile SIM cards.40

As noted by WEF41 and others,42 there is the need to disentangle the terms ‘legal identity,’ ‘citizenship,’ ‘identification,’ ‘registration’ and ‘ID documentation.’ We agree, but such an exercise is beyond the scope of this paper, which will simply refer to these concepts per their colloquial use, and within the framework of CIV processes and the need to address AML/CFT concerns.

Data from the World Bank’s ID4D program43 shows that, of the over 1 billion people without an official proof of identity, 81% live in Sub-Saharan Africa and South Asia; that 47% are below the national ID age of their country, highlighting the importance of strengthening birth registration efforts and creating a unique, lifetime identity; and that 63% live in lower-middle income economies, while 28% live in low-income economies, which the World Bank says reinforces the fact that lack of identification is a critical concern for the global poor.44 Also, over 45% of women lack a foundational ID compared to 30% of men.45

39 World Bank (2018) The Global Findex Database 2017, available at https://globalfindex.worldbank.org/

40 Where an MNO also acts as a DFSP, a ‘basic’ – that is, limited in transaction balances, transfer and frequency – transactional DFS account is often provided automatically to a customer on their sign-up for a mobile SIM card. Additional documentation provided later by the customer may remove these initial DFS-related limitations. See also World Bank (2018) ibid.

41 WEF (2015) What is the future of legal identity?, available at https://bit.ly/2J9Bg4t

42 Dahan, M & Gelb, A (2015) Role of Identification in the Post-2015 Agenda, Center for Global Development, available at https://bit.ly/2ytboMP

43 The ID4D program operates across the World Bank Group with global practices and units working on digital development, social protection, health, financial inclusion, governance, gender, and legal issues. It brings global knowledge and expertise across sectors to help countries realize the transformational potential of digital identification systems. See World Bank (2018) About Us, available at http://id4d.worldbank.org/abouts-us

44 See World Bank (2018) ID4D Data: Global Identification Challenge by the Numbers, available at http://id4d.worldbank.org/global-dataset.

45 World Bank data from 2015 showed the vast majority of 198 countries it surveyed have fragmented, single-purpose ID systems. In particular, 8% have no eID; 12% have an eID used for identification only; 72% have an eID used for one or more services; and 7% have fully integrated, multi-purpose ID systems. See World Bank (2015) Identification for Development (ID4D) Integration Approach, available at https://bit.ly/2xPv51Z. A similar study in 2018 showed that 42% of 198 countries surveyed collected some biometric data such as fingerprint or iris. The World Bank’s ID4D data also indicates that countries with the greatest gender gaps in ‘foundational’ ID coverage also tend to be those with legal barriers for women’s access to ID. In

The forms of identity that are available and which may be acceptable for CIV purposes for SIM card and/or DFS registration

range from ‘analogue’ physical paper or laminated cards, and documents or booklets that contain the CIV-required information,

to electronic versions of these documents in the form of a card, or more advanced versions with the customer’s biometric data

– usually their fingerprints – stored on a smart chip embedded on the card.46 Other multi-modal biometric parameters such as

iris scans or palm prints may be stored on a remote server controlled by a central authority that enrolled the citizen, resident or

customer as the case may be. The capture – as an eID - and use of biometric data of citizens, residents or scheme participants for

CIV purposes and specifically for AML/CFT purposes is commonly referred to as eKYC.

In many country cases, the means – analogue and/or electronic - to identify and verify the person is issued by a national

authority or agent, but this may not include a centralized, single identifier. That is, there is no national ID number that

permanently identifies that person to the state and others in perpetuity. Often there is no such authority to issue that national

ID number or physical representation thereof, either because of public-policy considerations47 or due to a lack of infrastructure

and/or capacity to capture citizen/resident data, and then issue national ID numbers and associated ID documents. The former

situation is characteristic of some developed countries48 where citizens believe such centralization will violate their privacy

and the latter of many developing countries.49

Frustration with central government initiating issue of a unified, single national ID has however given rise to various authorities

and agencies issuing their own eIDs, initiating their own CIV/eKYC programs. For example, telecommunications regulators

and MNOs50 for SIM card registration; the national electoral authorities for voting; transport authorities for driver’s licenses;

and a central bank for access to financial services. The disparate and non-interconnected systems – although critical for each of

their own ecosystems - complicate AML/CFT efforts as often only some of these are acceptable forms of ID for financial

transaction-related CIV. As they each become entrenched into their own system with their own procedures and technical

standards, harmonization of the individual ecosystem biometric databases becomes ever more difficult and costly.51 The World

Afghanistan, Benin, and Pakistan, for example, a married woman cannot apply for a national ID in the same way as a married man. See Desai, V (2018) The global identification challenge: Who are the 1 billion people without proof of identity?, available at http://tinyurl.com/ydfps6zq

46 Cards with biometric information stored on them are often known as Smart ID Cards (SICs). See Exhibit 4.

47

48 For example in the UK and Australia where there are no national ID systems mostly due to resistance from the public.

49 See legal issues surrounding national IDs and eKYC.

50 As occurs in Tanzania where the MNOs share a common eKYC enrollment platform for mandatory SIM card registration using smartphones and biometric capture devices.

51 See below in the case of Ghana where harmonization of nine separate databases has complicated efforts toward a single NIDB system. In Nigeria, the government announced in September 2018 that of the various biometric databases, only the central bank controlled biometric database would be acceptable for its new national ID database.

Bank estimates that there is USD 50 billion in potential annual savings by 2020 for governments that adopt nationwide, single

eID systems.52

In many cases, eKYC systems that use an eID could be the critical input mechanism for centralized but shared facilities that

improve customer sign-up times and quickly detect incidents of ML and fraud. The eKYC53 programs and systems that have

been launched and described here have overarching goals to advance a person’s access to services, reduce identity fraud, and

increase financial inclusion. Country examples and challenges – inter alia, policy, legal, security, design, financial and

infrastructural - in the rollout are discussed below.

It is to be noted that there are also attempts by private sector actors to develop so-called self-sovereign IDs54 where a person

will self-enroll to obtain a digital token or representation of their identity using recently-developed blockchain-type55

Distributed Ledger Technologies (DLTs) protocols. It is however trite that in most cases acceptance by financial institutions –

and regulators - of these IDs for account opening and CIV purposes is largely still lacking and is likely to remain so for a number

of years as the technology matures. Many of the newest private-sector innovations in ID using DLTs are gaining better traction

and acceptance though, when a person is required to provide ID credentials connected to an official, trusted, state-issued

identity.56

2 Compliance Related Aspects of AML/KYC

2.1 Overview

52 Dahan, M & Sudan, R (2015) Digital IDs for Development: Access to Identity and Services for All, available at http://hdl.handle.net/10986/22297.

53 The ID4D program indicates that there are 161 countries with ID systems ‘using digital technologies.’ This is not the same as eKYC, and only refers to the digital technology used for capture and storage of data. In this context, eKYC is deemed to include a process of biometric capture and storage of individual user data. See World Bank (2018) ID4D Data: Global Identification Challenge by the Numbers, available at http://id4d.worldbank.org/global-dataset

54 Self-sovereign digital identities are created and managed by individuals, and enable them to maintain their digital identities independent from residence, national eID infrastructure and market-dominating service providers. See Der, U; Jähnichen, S & Sürmeli, J (2017) Self-sovereign Identity – Opportunities and Challenges for the Digital Revolution, available at https://arxiv.org/pdf/1712.01767

55 For an overview of blockchain and DLTs, see Perlman, L (2017) Distributed Ledger Technologies and Financial Inclusion, available at https://bit.ly/2nyxpBG

56 See www.civic.com, described below and the GSMA’s M4D Digital Identity program. The latter program works with the mobile industry, governments and the development community to explore the role and potential of the mobile industry in both state-led and private-sector led digital ID offerings. See Wilson, M (2016) Digital Identity: a prerequisite for Financial Inclusion?, available at https://bit.ly/2PMHjhX

Many financial institutions believe that rather than simply undertake financial transactions, norms and rules inspired by FATF

and codified into actionable regulations by local FIUs over the past decades have effectively deputized them with being the

frontline of AML/CFT-related financial integrity and acting on behalf of these FIUs. The net effect is that they are required to

undertake regular assessments of their customers – and even their customers’ customers - who raise risk flags.

This could, as noted before, include filing STRs to their financial institution, undertaking enhanced due diligence on their own

customers, and if needed, terminating all business relationships with an account holder. They further argue that not undertaking

these proactive measures raises the distinct possibility of opprobrium from the FIU, which could not only include service

sanctions, but also suspension or even termination of licenses to operate.

2.2 Identification, and CDD on Downstream Entities

Reliable IDs combined with effective CIV tools for detection of fraud and malfeasance can act to lower the risk of servicing a

customer base with a relatively higher risk classification, such as politically exposed persons (PEPs) and non-profit

organizations servicing high-risk jurisdictions.57

Efficient and accurate CIV procedures in customer identification and onboarding processes in developing countries

can present lower risks of providing financial services to MTOs who service these jurisdictions.

2.3 Suspicious Transactions and Customers

As noted above, monitoring programs at financial institutions are geared to identify suspicious transactions, individuals and

entities. They may use some or all of the available tools such as regtech-type big data software to find suspicious patterns of

activity, as well as KYC Utilities (KYCUs) to detect fake identities or those on sanctions or PEP lists.

In many cases, closures/refusals have been justified due to obvious ML or fraud activities.58

57 Frasher, M and Agnew, B (2016) Multinational Banking and Conflicts among US-EU AML/CFT Compliance & Privacy Law: Operational & Political Views in Context, available at https://ssrn.com/abstract=2803944

58 See for example the cases relating to South African PEPs, the eponymous ‘Gupta Brothers’ - Marrian, N (2017) How Bank of Baroda was overwhelmed by suspicious Gupta-linked accounts, available at http://bit.ly/30s2evC

Where there is some suspicion found that triggers a compliance concern, that entity or person may be flagged, alongside their

transactions. Usually the transactions are sent to the domestic financial institution – or shared in a centralized KYC Utility

where local laws allow for this, but avoiding ‘tipping off’ – as a STR.59

The STR - or suspicious activity report (SAR) as the US calls them - may be ex post though: the entity or person may already

be terminated or refused service. Notwithstanding a prohibition against tipping off, this ex post termination/refusal could occur

where there is evidence of ongoing fraud that could cause contemporaneous harm to the financial institution or its clients.

Money laundering-related risks were likely to have been relatively more important drivers of branch closures in the Southwest

border region. Counties in the Southwest border region have been losing bank branches since 2012. 60 A US Government

Accountability Office (GAO) report found that in 2016, bank branches in the Southwest US border region61 adjacent to Mexico

filed 2.5 times as many reports identifying potential ML or other suspicious activity on average, as bank branches in other high-

risk counties outside the region. Many of the issues relate to drug trafficking. An estimated 80% of these banks terminated

59 The GAO indicates that banks are required to electronically file a SAR when a transaction involves or aggregates at least USD 5,000 in funds or other assets, and the institution knows, suspects, or has reason to suspect that the transaction meets certain criteria qualifying as suspicious. Banks are also required to file a SAR for known or suspected criminal violations involving insider abuse of any amount, as well as violations aggregating USD 5,000 or more when a suspect can be identified and USD 25,000 or more even without a potential suspect. See 12 C.F.R. §§ 21.11(c)(1)-(3), 163.180(d)(3)(i)-(iii) (OCC); 12 C.F.R. § 208.62(c)(1)-(3) (Federal Reserve); 12 C.F.R. § 353.3(a)(1)-(3) (FDIC). GAO (2018) Bank Secrecy Act: Derisking Along The Southwest Border Highlights Need For Regulators To Enhance Retrospective Reviews, available at https://bit.ly/2XIK1gA

60 In the US, federal banking regulators do not direct banks to open, close, or maintain individual accounts. Federal banking regulators also cannot prohibit banks from closing branches. However, FDIC-insured banks are required to submit a notice of any proposed branch closing to their primary banking regulator. GAO (2018) Bank Secrecy Act: Derisking Along The Southwest Border Highlights Need For Regulators To Enhance Retrospective Reviews, available at https://bit.ly/2XIK1gA

61 The Southwest border region is defined as all counties that have at least 25% of their landmass within 50 miles of the US-Mexico border.

accounts for BSA/AML risk reasons and an estimated 80% limited or did not offer accounts to customers62 that are considered

high risk for ML63 because the customers drew heightened regulatory oversight64 - behavior that could indicate de-risking.

2.4 Compliance and Enforcement Uncertainty Through Regulatory Ambiguity

While the Financial Action Task Force’s (FATF) initial rules-based approach was relaxed somewhat following the introduction

by FATF of its principles-based RBA to AML – and FinCEN adopting the RBA – the RBA did not trickle down to the banking

sector operating in the US. In particular, with very few normative rules baked into a RBA, and with bank examiners looking

for instances where institutions have not undertaken internal risk assessments of their policies and client profiles as part of a

general institutional risk assessment, institutions have, to a large degree, overcompensated by terminating whole swathes of

client classes. This over-cautiousness is but one of the main causes of such terminations and refusals.

A CPMI survey of correspondent banks showed that they are often uncertain as to what exactly constitutes compliance with

the requirements that would avoid penalties and related reputational damage.65 Enforcement decisions against them, they

believe, seem less than predictable with a perception - and fear - that regulations are amorphous and uncertain.

In particular, while FATF has harmonized AML/CFT policies - in particular application of an RBA – the belief is that this has

not manifested as regulatory certainty. In some cases, instead of having the effect of assisting in expanding financial inclusion,

an RBA may have the opposite effect. That is, some financial institutions feel that regulators are often not helpful to supervised

entities in assisting in complying with RBA-based AML/CFT regulations, with no granularity – that is, specific guidance - on

how to implement CDD procedures as a ‘safe harbor.’ They thus feel that they have to be extra risk averse, which can have the

62 The GAO's econometric analysis generally found that counties that were urban, younger, had higher income or had higher money laundering-related risk were more likely to lose branches. GAO (2018) Bank Secrecy Act: Derisking Along The Southwest Border Highlights Need For Regulators To Enhance Retrospective Reviews, available at https://bit.ly/2XIK1gA

63 All counties within the Southwest border region have been identified by the US government as either a High Intensity Financial Crime Area (HIFCA) or a High Intensity Drug Trafficking Area (HIDTA) with the vast majority being identified as both. HIFCAs were conceived in the Money Laundering and Financial Crimes Strategy Act of 1998, Pub. L. No. 105-310, 112 Stat. 2941 (1998), and first announced in the 1999 National Money Laundering Strategy. GAO (2018) Bank Secrecy Act: Derisking Along The Southwest Border Highlights Need For Regulators To Enhance Retrospective Reviews, available at https://bit.ly/2XIK1gA

64 The GAO says that several characteristics of the Southwest border region that make the region a high-risk area for money laundering activity include high volumes of cash transactions, cross-border transactions, and foreign account holders.

65 This is particularly so for entities who operate internationally and would need to comply with differing legal and regulatory frameworks across national borders.

effect of creating hardship for clients who were now captured by EDD. This effect can impact economic growth and financial

inclusion.66

In the US for example, banks have reported an apparent disconnect between certain types of banking examiners – both state

and federal - and policies they are meant to implement. In particular, while FATF have indicated that there is not always a need

to do so,67 there seems to be a degree of uncertainty as to when it is necessary to do CCDD and how detailed this exercise

should be.68

Other regulators have provided ‘mixed signals’ to banks regarding termination of relationships, which led to wholesale culling

of account relationships with end customers. For example, the UK financial regulator, the Financial Conduct Authority

(FCA), noted in an annual report into AML that it had required and obtained voluntary undertakings from four banks that they

would not take on any new high-risk and/or PEPs as customers until AML control weaknesses69 had been corrected.70

The FCA, though, has later indicated to its regulated entities that an RBA does not mean that banks should deal generically

with whole categories of customers or potential customers in so far as deeming entire classes to be ‘risky,’ and that assessment

of AML compliance should include whether termination/refusal strategies could lead to consumer protection and/or

competition issues.71

2.5 Compliance Costs

Increased regulatory scrutiny on transactions has led to increased compliance costs for all entities in transnational and national

financial transactions. Higher compliance costs may also be reducing incentives for larger banks to maintain many CBRs,

66 Similarly, an ability to ‘swap data’ between institutions on risky clients or transactions so as to avoid ‘tipping off’ handicaps the RBA. FATF at its June 2019 plenary reportedly considered modifying this approach to allow some data sharing for AML purposes.

67 FATF (2015) FATF Takes Action to Tackle De-risking, available at http://bit.ly/2XBRCbF

68 The CPMI survey showed that there is routine second-guessing of a financial institution’s decisions and treatment of certain clients as categorically high risk by bank examiners, who require financial institutions to undertake extensive and expensive steps to mitigate those risks.

69 FCA (2014) Annual Report 2013/14, available at http://bit.ly/2XELH5C

70 The FCA appeared to change its view though when the effect of their policy became apparent when charities operating in high-risk countries as well as some fintech companies involved with alternative payments were terminated by banks. A small bank had decided to exit over 200 relationships where it could not satisfy itself that it could manage the risks these customers posed.

71 FCA (2016) De-risking: Managing Money-laundering Risk, available at http://bit.ly/2xFhIjs

which previously were seen as providing extra cover or transactional options for example in relation to trade finance-type

transactions.72

For larger banks, these compliance costs may relate to financial integrity and financial stability. 73 That is, on AML and CDD

matters or requirements from financial regulators for provision of increased liquidity to ensure financial stability. For a financial

institution, these may require hiring additional staff and doing ongoing due diligence of their

customers. In some cases these compliance costs may be passed on to the corporate customer in the form of an onboarding

cost, plus an additional ‘cost to serve’ monthly compliance cost if their risk profiles are assessed higher, or a premium on per

transaction fees. The UK’s FCA indicates that total on-boarding costs74 per client by the dedicated teams is around USD 3,000

for lower risk to USD 4,300 for higher risk clients.75

Substantial increases in regulatory activity and scrutiny may also increase required compliance efforts, human

expertise and capacity.76 Civil sanctions for non-compliance can be substantial77 and the potential for organizational and

personal criminal sanctions is manifest.

2.6 Institutional Capacity

An underestimated and underreported reason is the limited capacity of an institution to do proper initial and ongoing risk assessment

of its clients because of a changing regulatory environment, regulatory complexity and budgetary issues. These issues

72 ibid

73 Over 22% of respondents in a KPMG study experienced an over 50% increase in AML-related expenditure, and the Asia and Pacific region reported the highest, where 39% reported a more than 50% increase in AML costs since 2011. KPMG (2014) Global Anti-Money Laundering Survey 2014, available at http://bit.ly/2G6jNtk

74 A further USD 520-650 per client is allocated for a dedicated financial crime team. The FCA report further says that, similarly, the annual ‘cost to serve’ correspondent banking clients is USD 1700 - USD 2,600, depending on risk level. This covers compliance-related monitoring costs (transaction checks, triggers, etc.) but also other non-compliance maintenance costs. For enhanced due diligence, other than the rough figures for in-house checks for the large bank mentioned above, we have also been given a range of costs of USD 9300 – USD 26,000 for external reports from a compliance/investigation consultant.

75 FCA (2016) Drivers & Impacts of Derisking, available at http://bit.ly/2Jz2cLF

76 Additionally, our research found that inordinate pressure is placed by state bank examiners on state-chartered US banks they supervise for these banks to discontinue supply of financial services to MSBs engaged in remittance provision to Caribbean countries, under threat of withdrawal of their state licenses and increased scrutiny. In most cases, the state banks have complied, even if there was no identifiable ‘risk’ of AML non-compliance by the MSBs and their corresponding foreign customers.

77 Center for Financial Inclusion (2016) Does Global De-Risking Create ‘Financial Abandonment’? The Background You Need to Know, available at http://bit.ly/2xGt8DH

affect primarily the smaller institutions and banks, who may be faced with clients who begin to nest or are PEPs. This is also a

matter of risk assessment and monitoring systems that are diluted due to repeated mergers.

In a noted South African case, a bank cut off ties with PEPs - three brothers tightly connected to then President Jacob Zuma -

and their companies because it was unable to cope with the work required to review every transaction with a small staff, and

could face legal liabilities from the central bank and the FIU if it failed to monitor the accounts properly.78 The PEPs

successfully sued the bank for restoration of their accounts, a temporary victory though as they eventually fled the country leaving

their companies to fend for themselves.79 The bank however eventually closed its doors in South Africa given the reputational

damage it had suffered, criminal investigations, and loss of CBRs.80

The DFS ecosystem – and particularly through injection of digital liquidity through incoming remittances – requires a robust

regulatory basis and enforcement of rules. These need to incorporate international standards set by SSBs, in particular those

by FATF for CIV and AML/CFT purposes.81

Where the ecosystem lacks proper identity and/or identity verification, this can have a systemic effect on the general financial

system because of the trend towards derisking of DFSPs, remittance providers, banks, and even CBs by global correspondent

banks aiming to avoid or mitigate the risks of (unintended) flows of illicit funds to unknown beneficial owners of accounts.

Often the greatest and most immediate impact is sudden closure of remittance corridors, especially those denominated in

US Dollars.

Exhibit 2: The Impact of Regulatory Environment On De-risking

78 Marrian, N (2017) How Bank of Baroda was overwhelmed by suspicious Gupta-linked accounts, available at http://bit.ly/30s2evC

79 Almost 20 South African companies linked to the brothers lost a court bid which sought to have Bank of Baroda, the last lender doing business with the firms, maintain operations in the country. Livemint (2018) Gupta Firms Lose Bid to Have Bank of Baroda Remain in South Africa, available at https://bit.ly/2GclYvw

80 Fin24 (2018) Gupta-linked Bank of Baroda Gives Formal Notice of SA Exit, available at https://bit.ly/2GclYvw

81 See FATF (2017) FATF Guidance On AML/CFT Measures And Financial Inclusion, With A Supplement On Customer Due Diligence, available at https://bit.ly/2kF4wog

3 Supra National Approaches to AML/KYC

3.1 The Role and Impact Of The Financial Action Task Force (FATF) 82

The Financial Action Task Force (FATF) is an inter-governmental body that develops recommendations for combating money

laundering, financing of terrorism and other related threats to the international financial system.83 FATF developed The

International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation: The FATF

Recommendations to set global standards for national AML/CFT regulation. 84 It actively promotes and monitors

implementation of these recommendations globally and revises them to ensure they are up to date and relevant.85

FATF issued a guidance paper in 2011,86 Anti-Money Laundering and Terrorist Financing Measures and Financial Inclusion,

which recognized the impact of financial exclusion in money laundering and terrorist financing. 87 In order to manage financial

exclusion risks, FATF Recommendations in 2012 were revised to focus on their risk-based approach (RBA) to AML/CFT

systems.88 The RBA aims to encourage and provide access to financial services for unserved and underserved groups by using

customer due diligence (CDD) measures that are appropriate to the risk customers pose.89

These shifts are due to an amalgam of internal and external factors, which include guidance from SSBs90 and peer groups,91

regional interactions and agreements between sector regulators.92

82 See http://www.fatf-gafi.org/

83 FATF (2018) Who We Are, available at http://www.fatf-gafi.org/about/

84 FATF (2012) The International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation: The FATF Recommendations, available at https://bit.ly/2GHXKr9

85 FATF (2018) What Do We Do, available at http://www.fatf-gafi.org/about/whatwedo/

86 Revised in 2013

87 FATF (2013) Anti-Money Laundering and Terrorist Financing Measures and Financial Inclusion, available at https://bit.ly/2IQXDKY

88 FATF (2017) Anti-money Laundering and Terrorist Financing Measures and Financial Inclusion- With a Supplement on Customer Due Diligence, available at https://bit.ly/2wLMObN

89 FATF (2017) Anti-money Laundering and Terrorist Financing Measures and Financial Inclusion- With a Supplement on Customer Due Diligence, available at https://bit.ly/2wLMObN

90 See for example CPMI, FATF, World Bank, BIS, ITU, and IMF.

91 For example AFI and the Better than Cash Alliance (BTCA), as well as the Financial Instrument Global Identifier (FIGI)

92 Through for example Economic Community of West African States (ECOWAS) and the East African Community (EAC).

Particularly effective has been the impact of donor funds and groups93 that facilitate groups of external consultants to assist

regulators in developing new policy frameworks, in paying for and testing new technology94 and undertaking capacity-building

workshops and missions.

3.2 FATF’s Recommendations

FATF’s Recommendations provide, in relation to cross border electronic transactions, that a beneficiary financial institution

should verify the identity of the beneficiary, if the identity has not been previously verified. FIUs need to consider whether that

verification data should be sent back to the originating institution and, if so, how the reliability of the data will be ensured. They

also need to consider what the recipient bank would be required to do in relation to the data received.

In general, it is more likely that only banks – of all the possible receiving entities - in the foreign country are best placed to

comply if such a mandatory requirement is ultimately imposed in the final AML instructions. The quality of the processes may

also differ from jurisdiction to jurisdiction with high capacity institutions in FATF-member countries more likely to provide

higher quality data. It is also appropriate to consider the ML/FT risk controls in relation to those transactions and each country

corridor and the need for the imposition of transactional limits.

As noted above, FATF is the global SSB underpinning and driving all supranational AML/CFT efforts. Over time it has issued

standards on measures countries should implement to combat ML, TF and financing of proliferation of weapons of mass

destruction (PF).95 Core to the FATF scheme is the need to identify those engaged in financial transactions and if needed,

monitor their activities if any ML or TF activities are suspected.

93 For example through the German Corporation for International Cooperation GmbH, IFC, World Bank, IDB, ADB, Bill and Melinda Gates Foundation, UNCDF, Mastercard Foundation, Metlife Foundation, Omidyar Network, Rockefeller Foundation; Department for International Development (DFID); and U.S. Agency for International Development (USAID).

94 See for example the Central Bank of Jordan’s JoMoPay initiative for DFS interoperability. The Reserve Bank of Malawi, with World Bank funding, also developed a national switch for DFS and financial sector interoperability.

95 The FATF framework is composed of the 1) FATF Recommendations; (AML/CFT) standards, and methodologies to assess the effectiveness of AML/CFT systems. See Arner, D; Zetzsche, Buckley, R et al (2018) The Identity Challenge in Finance: From Analogue Identity to Digitized Identification to Digital KYC Utilities, available at https://ssrn.com/abstract=3224115. See also FATF (2012) The FATF Recommendations, available at https://bit.ly/1e7w0Gl.

Initial standards issued by FATF relating to what is now known as DFS were however often seen as too restrictive96 given the

low values often involved as well as the systemic lack of identity infrastructure in countries attempting to increase financial

inclusion.97 In an attempt to ensure that AML/CFT provisions it promoted do not unduly hinder access to formal financial

services to the underserved and unbanked, it issued a ‘guidance’ in 2013 98 to balance, it hoped, both financial inclusion and

AML/CFT objectives. It introduced what is now known as FATF’s risk-based approach (RBA).99 RBA affects several different

aspects of CIV and CDD processes in AML/CFT for financial inclusion environments by having as its grundnorm the premise

that risk management and mitigation measures should be proportionate to the identified and assessed risks. Another FATF

guidance relating to financial inclusion was also issued in 2017 100 as a supplement to its 2013 Guidance.

As part of an RBA, the country’s FIU must conduct a national risk assessment based on surveys and assessments of its financial

sector and other ecosystems which may pose a ML risk. Appropriate RBA rules and regulations must follow, or existing rules

and regulations updated if needed. The report must be submitted to FATF. Peer groups will also visit the country as part of

FATF’s mutual evaluation program101 to assess levels of implementation of the FATF Recommendations, and to provide an

in-depth description and analysis of that country’s approach to and system for detecting and preventing criminal abuse of the

financial system, which includes CIV processes.

The peer review group will follow FATF’s ‘Methodology for assessing technical compliance with the FATF Recommendations and the Effectiveness of AML/CFT systems,’ which sets out how the FATF will determine whether a country is sufficiently compliant with the 2012 FATF Standards and whether its AML/CFT system is working effectively. If any deficiencies are found – in the visit and in the national risk assessment – the country could be labelled as one of FATF’s categories of ‘risk’[102] and be monitored by FATF, but is usually given a period to correct any deficiencies.[103] If these are not fixed, sanctions or restrictions on integration into the world’s financial system may follow.

96 Non-risk based approach to AML/CFT safeguards both in the onboarding stage and ongoing relationships when providing financial services. FATF (2017) Anti-Money Laundering and Terrorist Financing Measures and Financial Inclusion with a Supplement on Customer Due Diligence, available at https://bit.ly/2taubZM

97 See for example Financial Action Task Force (2012) International Standards On Combating Of Money Laundering And The Financing Of Terrorism And Proliferation: the FATF Recommendations available at https://bit.ly/1e7w0Gl; FATF’s Recommendation 10 read with its Interpretative Note sets out the requirements regarding customer identification and verification. For detailed commentary on these 2012 Recommendations, see de Koker, L (2014) The FATF’s customer identification framework: fit for purpose? Available at https://bit.ly/2S8QZF2

98 FATF (2013) Guidance For A Risk-Based Approach Prepaid Cards, Mobile Payments And Internet-Based Payment Services, available at https://bit.ly/2jEAiAl

99 FATF (2017) Anti-Money Laundering and Terrorist Financing Measures and Financial Inclusion with a Supplement on Customer Due Diligence, available at https://bit.ly/2taubZM

100 ibid.

101 As of June 2018, FATF says it has reviewed over 80 countries and publicly identified 65 of them as being high-risk. Of these 65, 55 have since made the necessary reforms to address their AML/CFT weaknesses and have been removed from the process. See FATF (2018) High-risk and other monitored jurisdictions, available at https://bit.ly/1RA355J

4. Trends in Approaches to AML/KYC and Compliance

4.1 The Risk-Based, Proportional Approach to AML

The first-generation AML/KYC regimes have however in many cases fastened a prescriptive ‘fact-based’ financial integrity regime on the DFS sector that caters to actors at the extremities of the DFS ecosystem, but which does not necessarily recognize the strata embodied therein as represented by the SMEs and traders.

The latest iteration of the FATF principles[104] has followed the significant progress, success and risk profiles of DFS systems and now recognizes the need for a more heuristic approach. This involves a degree of proportionality in developing AML/KYC policies and limits so as to strike the right balance between risks and benefits, tailoring regulation to mitigate AML risk without imposing undue regulatory burden that stifles innovation.

This approach increases the use of legitimate channels and lowers the risks of ML/TF caused by Financial Exclusion, and posits that AML/CFT controls should not inhibit access to formal financial services for financially excluded and underserved groups, including low-income, rural sector, and undocumented groups. A similar conclusion was reached by the Group of 20 nations in 2010,[105] which believes that Financial Inclusion engenders a higher national GDP.

102 The Methodology is available at https://bit.ly/1MoYVaY. The level of compliance with each FATF Recommendation will be indicated with one of the following ratings: compliant, largely compliant, partially compliant or non-compliant. The effectiveness assessment will assess the extent to which a country achieves a defined set of outcomes that are central to a robust AML/CFT system and will analyze the extent to which a country’s legal and institutional framework is producing the expected results.

103 A FATF Eastern and Southern Africa Anti-Money Laundering Group mutual evaluation report of Uganda in February 2014 found deficiencies in its AML/CFT programs. These included deficiencies in its FIU, the DFS/Mobile Money operations and lack of AML-related regulations. It then placed Uganda in the ‘high risk’ category. Uganda addressed the concerns by inter alia amending its Financial Institutions Act to make its FIU the central agency for receiving STRs, issuing and implementing regulations for the freezing of terrorist assets, issuing AML regulations for implementation of AML requirements, and issuing AML/CFT inspection manuals for financial sector supervisors. It was removed from monitoring by FATF in 2017.

104 FATF (2012) Standards on AML & CTF, available at

105 G20 (2010) Principles for Innovative Financial Inclusion, available at https://www.gpfi.org/publications/g20-principles-innovative-financial-inclusion-executive-brief

A similar FATF Guidance on DFS[106] recognizes that AML/CTF regimes require flexibility, including the need for tiered levels of KYC and limits that include a trade-based AML approach. A very cautious approach to AML/CFT, it says, may have the unintended consequence of excluding legitimate businesses and consumers from the financial system, which then also excludes the ability to monitor transactions. The subsequent specific FATF Guidance on Financial Inclusion[107] recognizes that Financial Exclusion is a ML/TF risk. That is, overbearing AML negates Financial Inclusion initiatives, and mitigating the risks of Financial Exclusion is vital to achieving an effective AML/CFT system. This may be done by using a RBA instead.

In a trader/merchant context, this would be preferred as it recognizes that while traders may exchange payments at high velocity, the ML risks are relatively low, especially in markets and co-operatives where members are known. It thus becomes acceptable via the use of a RBA to infer the purpose and intended nature of the business relationship from the type of transaction or business relationship established.

The RBA is ostensibly how the financial regulators in Zambia and Bangladesh have approached the need to cater for those in the midpoint of the commercial stratum – the informal traders. India currently has a strict AML regime, but has announced plans to liberalize its DFS regime, including its AML rules.

4.2 Balancing Financial Inclusion and Financial Integrity

In the years following the first AML/CTF principles developed by the Standard Setting Body, the FATF, the world has seen the emergence of successful rollouts of over 238 deployments of Digital Financial Services (DFS). These provide immediate and reliable access to financial systems using prefunded mobile wallets as a source of payment, replacing cash in many areas.

This has been a boon for financial inclusion, but at the same time the non-bank actors and the relatively high velocity of financial transactions embodied in DFS have challenged regulators’ views on how to maintain financial integrity. The prescriptive approach in the first iterations of the FATF 40+9 AML/CTF recommendations has been embraced by many regulators, who have put in strict limits on transaction volumes, values, and wallet balances, although some KYC and CDD criteria have been relaxed to recognize the relatively low-risk nature of the DFS ecosystem compared to bank-style products with a higher risk profile.

106 FATF (2013) AML Guidance for a Risk-Based Approach to Prepaid Cards, Mobile Payments and Internet-Based Payment Services, available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/rba-npps-2013.html

107 FATF (2013) Guidance on Financial Inclusion, available at https://www.fatf-gafi.org/publications/financialinclusion/documents/revisedguidanceonamlcftandfinancialinclusion.html

The DFS deployments are of course in relatively early stages of development as system operators build and field test their technologies, establish their agent networks, acquire new customers, and seek new ways of ensuring customers utilise their systems often. Interoperability between systems is an important point in this evolution.

Another part of this evolution too is the recognition that the potential for DFS usage reaches far beyond just allowing financial interactions between individuals, and between individuals and large companies and government, and that DFS has the potential to provide a reliable interface for payments between smaller commercial enterprises and traders in a typical informal trading scenario.

4.3 Central Database For CIV and Ongoing CDD

As noted by FATF in its 2017 Guidance,[108] CDD requirements can often act as barriers to financial access; some countries have supported simplified CDD (SDD) practices in lower-risk cases that align financial integrity and financial inclusion policy objectives successfully.

Effective CDD is however dependent on access to reliable and timely customer data, especially for CIV purposes. This includes an ability to verify identity documents, awareness of any red flags for certain customers or classes of customers, and checking for incidences of smurfing and other suspicious behaviors.[109]

An important element of CDD is checking whether current or prospective customers are subject to United Nations Security Council resolution sanctions and any other relevant international sanctions scheme and whether they are foreign Politically Exposed Persons (PEPs) or related to or associated with a foreign PEP.

Integrated commercial databases support such checks, but access to such data can be costly. Currently each regulated institution has to negotiate its own access to the data required to support its sanctions and PEP checks.

For industry, there is a critical need for coordination across the financial ecosystem and linking with requisite government systems to share data and facilitate real-time queries. Specifically, the CPSD should provide the option for banks and non-banks to read in real-time biodata on the SIC.[110] Access to information should be improved to support initial as well as ongoing CDD.

108 FATF (2017) ibid

109 For example ‘smurfing’.

110 Technical standards for data on the SIC’s chip are set by the MoICT and implemented by the CSPD.

4.4 Compliance Management Capacity

While banks have well-developed compliance functions, DFSPs are still developing their functions. They generally have limited compliance resources and expertise, and staff are under pressure to develop policies and processes that will effectively mitigate ML/TF risks in new products accessed by new users.

Given that the DFS industry is young, smaller entities do not necessarily have the required expertise and resources to design effective risk mitigation measures or to design and conduct unique, institution-focused training. Nor, it appears, is there sufficient budget in many of the DFSPs for a larger complement of experienced compliance personnel.[111]

More training, and more uniformity in guidance from regulators, was seen as critical.

In all, the lack of a centralized database to share and query compliance-related information, expanding compliance requirements within the banking sector, as well as a general lack of experience amongst compliance officers in the midst of the growth of DFS, indicate the need for a compliance forum to bring together current and new compliance officers in a collegial setting.

A ‘Compliance Officer’s Forum’ could:

● Allow for a collegial interchange of information on trends in the banking and payments sector

● Allow compliance officers to better understand existing regulations

● Provide insight into practical compliance challenges

● Set compliance risk management standards

● Organize and be a conduit for any compliance-related training

● Act as an informal conduit for any urgent compliance-related issues between forum members

This could not only prevent or ameliorate compliance-related lapses, but also ensure that any potential ‘weakest compliance links’ in the financial ecosystem do not compromise the entire financial and payments ecosystem and potentially lead to derisking of the financial sector by international bodies and financial institutions.

4.5 Crypto-currencies and AML

Despite equivocation and potential arbitrage in application of legacy-type rules to the emerging crypto asset ecosystem, the risks of money laundering appear to be addressed by regulators and standard setting bodies. For example, following the adoption of the fifth Anti Money Laundering Directive (AMLD5)[112] in the EU, AML rules will extend to providers engaged in exchange services between crypto currencies and fiat currencies and custodian wallet providers.

111 Many salesmen and agents reportedly do not fill all the required KYC fields. Author site visits.

Similarly, new rules for FATF require exchanges and other custodial entities that take custody of their customers’ crypto-currency to obtain identifying information about both parties before allowing a transaction over their platforms. This will function much like the FATF’s ‘travel rule’ for correspondent banks and may impose additional compliance obligations on custodial exchanges.[113] This may precipitate industry consolidation if smaller participants cannot do necessary compliance.

Some believe that the new rules are over-reach and may drive the crypto-industry underground awaiting the mainstreaming of atomic swap technologies which ostensibly do not require any exchange intermediaries.

The recently issued guidance acts as policy recommendations for nations to institute to further regulate crypto currency and virtual asset service providers. Singapore provides an example of how countries have adopted FATF’s guidance and transcribed it into national law. In 2019, Singapore regulators developed a policy noting that organizations must verify customer identities relating to parties engaging in digital currency transactions exceeding S$1,500.

There is also a global move towards total identification of any participants in crypto-related holdings as well as the use of so-called stablecoins.

FATF launched enquiries during the course of 2020 on the characteristics of so-called stablecoins; the money laundering and terrorist financing risks of so-called stablecoins; how the FATF Standards apply to so-called stablecoins and the different businesses involved in the so-called stablecoin; and how the FATF plans to enhance the global anti-money laundering and counter-terrorism financing framework for virtual assets and so-called stablecoins. FATF emphasized that the first step to ensuring an effective global response to so-called stablecoins, and virtual assets more broadly, is ensuring that the FATF’s pre-existing Standards published in June 2019 are transposed into domestic law and operationalized.

On a US domestic level, FinCEN also announced its intention to propose to amend the regulations implementing the Bank Secrecy Act (BSA) regarding reports of foreign financial accounts (FBAR) to include virtual currency as a type of reportable account.[114] All customers in a crypto-asset transfer, even those not customers of an exchange, would need to provide KYC details. The crypto industry in the US sees this proposed rule – or even a variation of it – as an unworkable static requirement that would have them collect names and physical addresses of (recipient) non-customers of whom they have no knowledge.

It also issued a notice of proposed rulemaking to require banks and money service businesses (“MSBs”) to submit reports, keep records, and verify the identity of customers in relation to transactions involving convertible virtual currency or digital assets with legal tender status held in unhosted wallets, or held in wallets hosted in a jurisdiction identified by FinCEN.[115]

112 Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing and amending Directives 2009/138/EC and 2013/36/EU. Available at https://bit.ly/2JUeq4w

113 The Block (2019) FATF retains 'travel rule' in new guidance, compelling exchanges to share customer data, available at https://bit.ly/2GAsAnP; Casey, M (2019) The Cat-and-Mouse Game of Crypto Regulation Enters a New Phase, available at bit.ly/31dnXZG

114 For that reason, a foreign account holding virtual currency is not reportable on the FBAR (unless it is a reportable account under 31 C.F.R. 1010.350 because it holds reportable assets besides virtual currency). However, FinCEN intends to propose to amend the regulations implementing the Bank Secrecy Act (BSA) regarding reports of foreign financial accounts (FBAR) to include virtual currency as a type of reportable account under 31 CFR 1010.350. See Report of Foreign Bank and Financial Accounts (FBAR) Filing Requirement for Virtual Currency, FinCEN (2020) FinCEN Notice 2020-2, available at https://gbbcouncil.us18.list-manage.com/track/click?u=f8eb19ec9d20ccaa2912ac75d&id=d9efd200d9&e=fe39b3e04f

115 FinCEN says it proposed these requirements pursuant to the Bank Secrecy Act (“BSA”). To effectuate certain of these proposed requirements, FinCEN proposes to prescribe by regulation that CVC and LTDA are “monetary instruments” for purposes of the BSA. However, FinCEN is not proposing to modify the regulatory definition of “monetary instruments” or otherwise alter existing BSA regulatory requirements applicable to “monetary instruments” in FinCEN's regulations, including the existing currency transaction reporting (“CTR”) requirement and the existing transportation of currency or monetary instruments reporting requirement. See FinCEN (2020) Notice of proposed rulemaking, available at https://beta.regulations.gov/document/FINCEN-2020-a0020-0001

Exhibit 3: Trends in Crypto-related AML Initiatives

4.6 Innovation and Capacity

As financial institutions consider augmenting or replacing existing compliance procedures, it is important that they also consider relevant risk factors that could arise from implementing new controls and processes. Institutions should implement or adhere to their existing change management policies and procedures before widespread adoption of new innovative processes to meet BSA/AML compliance program requirements. Additionally, institutions should also consider other potential risk areas prior to implementing new approaches including information protection security, third-party risk management, and data privacy concerns.

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Financial Crimes Enforcement Network (FinCEN), the National Credit Union Administration, and the Office of the Comptroller of the Currency issued[116] recent guidance to encourage banks to consider and evaluate implementing innovative approaches to meeting their Bank Secrecy Act (BSA) and AML compliance requirements.

The guidance indicated that regulators will not penalize or criticize banks that decide not to seek out new approaches or financial institutions implementing pilot programs that ultimately fail, or that expose activity that would not otherwise have been identified, if the existing BSA/AML program has otherwise been deemed effective. Further, regulators also noted that no additional regulatory expectations would be required of financial institutions that choose to incorporate innovative processes into their institutions’ BSA/AML compliance programs.

At the federal level, FinCEN has also created a new Innovation Hours Program for banking institutions and financial technology firms to showcase their products and service offerings. Financial institutions are allowed to present how their innovations work and can demonstrate how their solutions may help improve their AML programs. Innovation Hours can even be utilized by organizations to assist in piloting emerging technological solutions to help address AML obligations. The House Financial Services Committee also recently formed an artificial intelligence task force[117] that will explore applications of machine learning in regulations, fraud related to the use of artificial intelligence, and digital identification technologies among other areas of interest.

At the local level, states have begun to create internal divisions within their respective Departments of Financial Services to handle innovation. For example, the New York Department of Financial Services has created an Office of Innovation to promote innovation in the financial industry. These local government initiatives are not specifically dedicated to promoting innovation in AML compliance. However, they lay the foundation for regulators to develop expertise with various emerging technologies which can translate into new approaches by regulators seeking to supervise regulated entities’ compliance with AML laws and different innovations by institutions in meeting their AML obligations. The Wyoming and New York Department of Financial Services and Arizona’s Attorney General’s Office are also members of the Global Financial Innovation Network (GFIN).

The Global Financial Innovation Network (GFIN)[118] represents a broad network of financial regulators (primarily from developed countries) and related organizations exploring the potential for a global sandbox. Goals enumerated in the GFIN consultation document include accomplishing the following on a global level: (i) a network of regulators (information and knowledge sharing about innovation); (ii) joint policy work and regulatory trials (regulator collaboration such as approaches on key policy questions, exploring RegTech synergies); and (iii) conducting cross-border innovations testing worldwide (both business to business and to consumers).[119] Pertinent to developing countries, GFIN calls for a channel of cooperation between financial regulators, assisting them with addressing common challenges and developing the capacity and knowledge of their staff.[120] It also provides a platform for firms to interact with regulators, opportunities to scale ideas across borders and to reduce time to deploy products and services to the international market – an incentive which may attract more innovators into the sandbox.[121] It is crucial, however, that the sandbox is transparent, fair and available for all potential applicants. Inclusion of EMDE jurisdictions as members at an earlier stage could prove mutually beneficial, recognizing and welcoming the value of the growth of ‘inclusive FinTech’ innovation[122] occurring in the global south.

116 OCC (2018) Joint Interagency Statement on Innovation, available at https://bit.ly/3hWybpr

117 Waters Announces Committee Task Forces on Financial Technology and Artificial Intelligence (2019), available at https://bit.ly/3dzZdj4

118 FCA (2018) Global Financial Innovation Network, available at https://bit.ly/2Maebm8

These programs and initiatives should help supervisory personnel and lawmakers attain knowledge about new technologies. Authorities can then use their experience and knowledge to design controls to regulate these emerging financial products and services. Through collaboration and sharing information, these programs provide a mechanism to foster growth in financial innovations and provide valuable feedback to institutions to help safeguard the economy.

4.7 Trends Identified from Recent Enforcement Actions

Recent regulatory enforcement actions emphasize that controls around transaction monitoring and reporting need to be comprehensive and robust. Within the past two years reports indicate that several financial institutions have received regulatory fines, including Capital One[123], Charles Schwab, Morgan Stanley, and Mashreqbank[124], for weaknesses in monitoring controls and lack of adequate suspicious activity reporting. For example, in one instance the SEC[125] alleged that at least 47 independent investment advisors of a financial institution engaged in transactions on which SARs should have been filed, including behaviors such as undisclosed self-dealing, conflicts of interest, excessive advisory fees charged to clients, fraudulent transactions in client accounts, posing as a client, and transacting without proper registration as an advisor. Another organization[126] was fined by FINRA for AML transaction monitoring surveillance lapses. The regulator noted coverage gaps within their transaction monitoring surveillance system; insufficient personnel resources to perform reviews of transaction monitoring alerts including potentially suspicious wires; and inadequate monitoring of low-priced security transactions.

119 The GFIN consultation document was published in August with a request for comments by October 14, 2018. GFIN (2018) Global Financial Innovation Network (GFIN) Consultation Document, available at https://bit.ly/2np2p9N; It is important to recognize that GFIN represents a long-term vision with a significant setup time. Mueller, J & Murphy, D & Piwowar, M (2018) Response to the Global Financial Innovation Network (GFIN) Consultation Document, available at https://bit.ly/2RZnZQj

120 FCA (2018) Global Financial Innovation Network, available at https://bit.ly/2Maebm8

121 ibid

122 Ahmed, W (2017) How fintech is changing lives in the global south, available at https://bit.ly/2AN8uRI

123 Office of the Comptroller of the Currency (2018) OCC Assesses $100 Million Civil Money Penalty Against Capital One, available at https://www.occ.treas.gov/news-issuances/news-releases/2018/nr-occ-2018-112.html

124 Department of Financial Services (2018) DFS Fines Mashreqbank and Its New York Branch $40 million for violations of New York Anti-Money Laundering and Recordkeeping Laws, available at https://www.dfs.ny.gov/reports_and_publications/press_releases/pr1810101

Institutions must have sufficient personnel dedicated to transaction monitoring, resources to perform model validations, effective rules that adequately monitor ML risks, and processes in place to monitor new products and services as businesses evolve. The recent penalties levied highlight the need for stronger transaction monitoring from the financial community. The actions taken by authorities also demonstrate that regulators are still reluctant to hold individual Compliance Officers personally responsible for AML program deficiencies at various financial institutions. Lastly, the regulatory fines underscore the importance of investigating unusual activity, examining transactions containing elements of red flag indicators, and having mechanisms to report any activity that appears to be potentially suspicious.

4.8 Remote Onboarding

Throughout the world, banks and merchants are increasingly turning to remote customer onboarding to reduce costs, increase efficiency, and gain broader adoption of banking services. Per Notification SorNorSor 7/2559[127], the Bank of Thailand has set out to impose regulatory guidelines for financial institutions that conduct banking services through electronic channels. The regulations permit financial institutions to onboard customers electronically; however, identification and verification methods must be equivalent to the KYC due diligence standards that institutions perform on customers that are onboarded in person. The guidelines note that only natural persons are permitted to be onboarded remotely and that they must undertake further enhanced due diligence procedures for these customers such as augmented transaction monitoring and frequently updating customer data. Organizations must also have electronic devices available to perform video conference inquiries of prospective customers. The Bank of Thailand also permits onboarding through the financial institution’s technological equipment such as virtual teller machines. Financial institutions can verify the identification information using a smart card reader and they can also use Thailand’s government identification and fingerprint systems as an additional resource to support their identity verification processes.

125 Securities and Exchange Commission (2018) SEC Charges Charles Schwab with Failing to Report Suspicious Transactions, available at https://www.sec.gov/litigation/litreleases/2018/lr24189.htm

126 FINRA (2018) FINRA Fines Morgan Stanley $10 Million for AML Program and Supervisory Failures, available at https://www.finra.org/media-center/news-releases/2018/finra-fines-morgan-stanley-10-million-aml-program-and-supervisory

127 Bank of Thailand (2016) Regulations on Acceptance of Deposits or Money from Customers, available at https://bit.ly/3i2KTmK

In Japan, new amendments to the Act on Prevention of Transfer of Criminal Proceeds made in November of 2018 permit methods for regulated entities to verify the identity of customers remotely. The amendments expand online verification methods to include: the collection of facial photos and images from verified documents such as a driver’s license; facial images and integrated circuit chip storage information; and facial images or integrated circuit chip storage coupled with bank enquiry into the customer’s accounts at other banks.[128] Japan is just one of many nations where non-face-to-face customer onboarding has emerged. In Mexico, level 1 and level 2 restricted bank accounts can be opened by customers remotely by mobile phone or on the web.[129]

In the United Kingdom, the Financial Conduct Authority (FCA) recently provided a reminder to CEOs of UK’s financial institutions that remote onboarding is permissible especially given the nature of the growing COVID-19 pandemic health crisis. Importantly, the FCA message[130] notes various methods that organizations can employ for purposes of onboarding bank customers including:

• Accept scanned documentation sent by e-mail, preferably as a PDF;

• Seek third party verification of identity to corroborate that provided by the client, such as from its lawyer or accountant;

• Ask clients to submit ‘selfies’ or videos;

• Place reliance on due diligence carried out by others, such as the client’s primary bank account provider, where appropriate agreements are in place to provide access to data;

• Use commercial providers who triangulate data sources to verify documentation provided;

• Gather and analyze additional data to triangulate the evidence provided by the client, such as geo-location, IP addresses, verifiable phone numbers;

• Verify phone numbers, e-mails and/or physical addresses by sending codes to the client’s address to validate access to accounts; and seek additional verification once restrictions on movement are lifted for the relevant client group.

128 Japan FSA (2018) Announcement of "Order to Amend Part of the Law Enforcement Regulations Regarding Prevention of Transfer of Revenue from Crimes", available at https://bit.ly/3fXwCpy

129 FATF (2017) Anti-Money Laundering and Terrorist Financing Measures and Financial Inclusion, available at https://bit.ly/31jdAFW

130 Financial Conduct Authority (2020) Dear CEO Letter to firms providing services to retail investors about coronavirus COVID-19, available at https://bit.ly/3g2af22

In Malaysia,131 Bank Negara Malaysia (the central bank of Malaysia) is embracing e-KYC in the money service business industry. Businesses132 that are licensed online and mobile remittance service providers are permitted to perform customer identity verification over the web through facial recognition, video calls, or ‘selfie’ photos, as long as organizations match facial images against the customer’s ID and take measures to detect alterations and other forms of deception such as pre-recorded videos. Institutions such as Amazon are also moving toward onboarding merchants remotely. Amazon133 now performs video conferencing with selling merchants on their digital marketplace platform.

In Luxembourg,134 the Commission de Surveillance du Secteur Financier has advocated for organizations to use digital ID systems, especially as a solution to the customer due diligence challenges in the wake of the COVID-19 crisis. Recently, the Commission even noted that live video-chats could be considered adequate to verify a customer’s identity.

The current health pandemic should further accelerate the trend of remote banking services for customers and consumers alike. Ultimately, broader adoption of remote onboarding can offer more convenience and can lead to greater financial inclusion for customers that are located in areas that do not have access to traditional brick and mortar bank branches for financial services.

4.9. The Rise of Transaction Laundering

According to the Electronic Transactions Association, 50%-70% of online sales for illicit goods involve a form of transaction laundering. The OECD’s report on Trends in Trade in Counterfeit and Pirated Goods,135 based on 2016 data, estimates that the volume of international trade in counterfeit and pirated products could amount to as much as USD 509 billion, which represents up to 3.3% of world trade. As discussed above, Amazon and other companies are moving toward electronic identity verification. The video conferencing interviews of merchants may make it more difficult for sellers to register as official Amazon merchants, which could help reduce instances of transaction laundering.

131 Bank Negara Malaysia (2017) Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) - Money Services Business, available at https://bit.ly/31hXeNL

132 Bank Negara Malaysia (2018) Implementation Guidance on e-KYC by MSB Industry Frequently Asked Questions and Answers, available at https://bit.ly/2B2233l

133 NY Post (2020) New Amazon Sellers Now Have To Verify Their Identities Over Video Chat, available at https://nypost.com/2020/04/27/amazon-making-new-sellers-verify-identity-over-video-chat/

134 FSI Briefs (2020) Financial crime in times of Covid-19- AML and cyber resilience measures, available at https://bit.ly/3fX42EL

135 OECD (2019) Trends in Trade in Counterfeit and Pirated Goods, available at https://bit.ly/2Vl7BN9

Transaction laundering is a process in which organizations that are not known to the acquirer financial firm process transactions for goods and services from a merchant’s account in order to make the payments appear as normal business transactions. The rise of this form of ML can primarily be attributed to several factors, including:

• The increase in growth of e-commerce businesses;
• E-commerce transactions still have cross border capabilities with less stringent KYC due diligence standards for onboarding new merchants;
• Formal banking channels and capital markets have more advanced monitoring controls to scrutinize ML;
• The ease of setting up online marketplaces as criminals no longer have to set up a physical store;
• The emergence of new payment methods (such as e-wallets, payment gateways, etc.), with less sophisticated monitoring solutions; and
• The card industry focuses compliance efforts on fraud rather than ML.

One common type of transaction laundering is through funnel accounts. Funnel account transaction laundering can occur when a legitimate merchant account processes card transaction charges for other organizations that do not have processing capabilities. The merchant then funnels the payments through their merchant account as regular business transactions, as the merchant does not know that the other organizations are involved in illegitimate business activity. Affiliate transaction laundering is when an affiliate of a merchant collects customer payment credentials such as credit card details, and then carries out fraudulent transactions by purchasing goods or creating fake sales to gain affiliate commissions.

There are other instances where merchants knowingly commit transaction laundering. One example is when a merchant acts as a Pass-Through-Company. A Pass-Through-Company scheme involves a company that runs a legitimate business but allows a fraudulent company to use their payment processing account, often in exchange for a share of the proceeds. An example is a shoe company that partners with an organization that sells counterfeit products and uses the shoe company to process the sales from its illegitimate website. Ghost laundering can also sometimes be associated with transaction laundering. Ghost laundering occurs when companies create fictitious sales but no actual exchange of goods or services takes place.

Finally, a front company appears as an organization but obfuscates the true nature of its business, such as a legitimate animal goods store concealing its activity of selling endangered wildlife products.

The consequences for merchants that fall victim to transaction laundering can be devastating. Merchants can face a plethora of issues as a result, including:

• Having their merchant accounts suspended;
• Loss of brand value;
• Reputational damage;
• Chargeback fees or other costs; and
• Legal risks.

There are steps that merchants can take to limit exposure to transaction laundering. Merchants should utilize strong antivirus software and avoid registering the merchant account over public internet networks. Other actions merchants can take include guarding password information, examining the business transaction volumes and researching any unexplained spikes in sales or income.

Merchant service providers, such as third party payment processors, sponsor banks, and acquirers, can also help mitigate transaction laundering risks. Additional measures to assist in ML prevention are noted below.

• Banks can perform robust monitoring of cash deposits in conjunction with transaction monitoring of credit card activity from the merchant acquirer.
• The credit card industry can design stronger controls with further development around AML rules and typologies rather than fraud.
• Acquirers can enhance their due diligence procedures during the underwriting process to identify higher AML risk merchants. For example, acquirers can perform site-visits on the merchants they service periodically.
• Merchant acquirers can review their merchants to discern the merchants’ nature of business and organization type in addition to examining merchants’ average credit card processing volumes for a given period. Then merchant acquirers can investigate prepaid card volumes that appear to be unusual and higher than other merchants in the same business category.
• Third party payment processors and merchant acquirers are not subject to AML laws; however, if they implemented AML compliance programs, it could assist in the prevention of ML.
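The volume review described in the list above (a merchant's latest card volume against its own history, and its prepaid card share against merchants in the same business category) can be sketched as follows. This is an added example, not from the original paper; the merchant IDs, categories, figures, the 3.5 cut-off, the minimum peer-group size and the finding codes are all constructed assumptions.

```python
import math
from collections import defaultdict
from statistics import median

Z_CUTOFF = 3.5   # assumed cut-off for a robust (median/MAD) z-score
MIN_PEERS = 4    # assumed minimum category size for a peer comparison

# Constructed sample book: business category, six months of card volume (USD),
# and prepaid-card volume in the latest month. None of this is real data.
MERCHANTS = {
    "M-001": {"category": "footwear", "prepaid": 2100,
              "monthly": [41000, 39500, 42300, 40800, 43100, 41900]},
    "M-002": {"category": "footwear", "prepaid": 1500,
              "monthly": [35200, 36100, 34800, 37000, 35900, 36400]},
    "M-003": {"category": "footwear", "prepaid": 6000,
              "monthly": [44000, 45500, 43200, 46100, 44700, 131000]},
    "M-004": {"category": "footwear", "prepaid": 17500,
              "monthly": [38000, 37200, 39100, 38400, 37900, 38800]},
    "M-005": {"category": "footwear", "prepaid": 1400,
              "monthly": [29500, 30200, 28900, 30800, 29900, 30100]},
    "M-006": {"category": "pet supplies", "prepaid": 500,
              "monthly": [12000, 12500, 11800, 12900, 12200, 12600]},
}


def robust_z(value, sample):
    """Distance of value from the sample median, in scaled MAD units.

    Median and MAD are used instead of mean and standard deviation so that
    one extreme merchant cannot hide itself by inflating the spread.
    """
    sample = list(sample)
    centre = median(sample)
    mad = median(abs(x - centre) for x in sample)
    if mad == 0:  # flat sample: any departure from it counts as an outlier
        return 0.0 if value == centre else math.copysign(math.inf, value - centre)
    return (value - centre) / (1.4826 * mad)


def peer_groups(book):
    """Map each business category to the merchant ids in it."""
    groups = defaultdict(list)
    for merchant_id, rec in book.items():
        groups[rec["category"]].append(merchant_id)
    return groups


def prepaid_share(rec):
    """Prepaid-card volume as a fraction of the latest month's card volume."""
    latest = rec["monthly"][-1]
    return rec["prepaid"] / latest if latest else 0.0


def review(book):
    """Return {merchant_id: [finding codes]} for merchants needing follow-up."""
    findings = defaultdict(list)
    # Check 1: latest month against the merchant's own earlier months.
    for merchant_id, rec in book.items():
        *history, latest = rec["monthly"]
        if len(history) >= 3 and robust_z(latest, history) > Z_CUTOFF:
            findings[merchant_id].append("self_spike")
    # Check 2: prepaid share against the same business category (high side only).
    for members in peer_groups(book).values():
        if len(members) < MIN_PEERS:
            continue  # too few peers for a meaningful benchmark
        shares = {m: prepaid_share(book[m]) for m in members}
        for m, share in shares.items():
            if robust_z(share, shares.values()) > Z_CUTOFF:
                findings[m].append("prepaid_share_above_peers")
    return dict(findings)


def unbenchmarked(book):
    """Merchants whose category is too small to compare; route to manual review."""
    return sorted(m for members in peer_groups(book).values()
                  if len(members) < MIN_PEERS for m in members)


if __name__ == "__main__":
    for merchant_id, reasons in sorted(review(MERCHANTS).items()):
        print(merchant_id, ", ".join(reasons))
    print("no peer group:", unbenchmarked(MERCHANTS))
```

A flag here is a prompt for the due diligence steps in the list (site visit, review of the merchant's nature of business), not a determination of laundering.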

4.10 AML Policy in the U.S.

4.10.1 CDD and Beneficial Ownership Rule

In 2018, FinCEN’s final new rule on customer due diligence and beneficial ownership requirements took effect. Covered financial institutions were required to implement these changes and write them into their firm-wide policies, procedures, and systems. Specifically, the CDD Final Rule denotes the covered financial institutions as: (i) banks; (ii) brokers or dealers in securities; (iii) mutual funds; and (iv) futures commission merchants and introducing brokers in commodities. The rule notes that financial institutions perform due diligence measures including obtaining a comprehensive understanding of the customer’s business nature, monitoring customer transactions to detect suspicious activity, and identification and verification of customers and their beneficial owners.

Technically, a beneficial owner is defined as any individual who owns or controls a twenty five percent (25%) or higher ownership stake in a legal entity customer. Additionally, the rule requires that financial institutions also identify one individual with senior managerial responsibilities. While the new beneficial ownership measures were not required by U.S. law previously, in practice many of these elements of CDD were already being carried out by financial institutions.

Several groups have noted issues with the final CDD and beneficial ownership rules. The Library of Congress Congressional Research Service (CRS), a research group dedicated to assisting Congress, detailed potential issues that could arise from the new requirements. One issue identified was when more than five individuals share ownership of a legal entity, which could lead to none of them being identified as a beneficial owner due to their ownership stakes representing less than the 25% threshold. Interestingly, firms will have to determine what the beneficial ownership threshold will be for legal entity customers that are considered high-risk customers subject to EDD measures.

FinCEN does not specifically require that financial firms lower the beneficial ownership threshold as part of their EDD processes; in fact, it noted that it is possible that collecting ownership information at a lower equity interest may not aid in mitigating or analyzing high risk customers. Instead, it appears that regulators are providing a level of flexibility to financial firms in assessing the risk posed by their customers, as FinCEN explained that mitigation of a customer’s AML risk could potentially be carried out through additional due diligence including enhancing transaction monitoring or collecting other information such as expected account activity. In practice, many institutions have lowered their threshold for collection of beneficial ownership to 10% equity interest or more as part of their EDD processes for their high-risk clients while only collecting beneficial ownership information at the 25% or higher level for low risk customers as part of their risk-based CDD processes. Additionally, many institutions will also collect additional information on their higher risk customers such as the source of wealth and source of funds.

The new CDD and beneficial ownership rules have helped enhance AML risk management. However, CRS noted its concerns over aspects of the new requirements, including that they lack coverage in certain sectors of the U.S. economy, and this point has also drawn similar criticism from FATF. Specifically, CRS expressed concerns that real estate transactions and corporate formation agents are excluded from U.S. beneficial ownership requirements. These coverage gaps could leave the U.S. exposed to ML risks. Importantly, the beneficial ownership rule also does not require that a beneficial ownership registry be formed in the U.S., while their European Union counterparts have made it a mandatory requirement for member states to bolster AML enforcement. Further, the lack of a federal registry of beneficial owners in the U.S. could pose challenges to regulatory authorities’ ability to respond to foreign legal requests for beneficial ownership information.

4.10.2 Implications of the Paycheck Protection Program

As part of initiatives to spur economic growth during the ongoing health crisis, the U.S. rolled out a Paycheck Protection Program (PPP). PPP constitutes a short-term loan solution for small businesses that may have financial challenges due to COVID-19 and the subsequent stay at home orders issued. While some have noted that the loan terms are too burdensome, others have expressed how the loans have been able to help some small business owners keep their businesses afloat. The program has also illustrated how difficult it is for some small businesses to access credit markets.136 The Small Business Administration (SBA) guidance to non-bank lending entities noted that they will be subject to BSA regulations and need to establish AML compliance programs, if they want to engage in PPP lending facilities.

As noted above, part of the AML requirements for financial institutions include verifying the legal existence of the organization and the identities within their beneficial ownership structure. The verification process can consist of checking the business information submitted by an organization against information from a business credit bureau database. Considering that it can take several years for a business to appear in these databases, younger businesses can be challenging to verify.

Additionally, businesses located in low income areas frequently have less access to banks. Mature large businesses with better credit scores often already have established relationships with lenders and typically do not have to re-verify the identity of the business and the beneficial owners. In contrast, many of the small businesses that need financial assistance did not have pre-existing relationships with lenders and therefore need to go through the verification process.

136 FinRegLab (2020) Technology Solutions for PPP and Beyond, available at https://bit.ly/3ew4ucX

4.11 Regtech

Regtech – or regulatory technology – is emerging as a means to deploy current and emerging technology solutions to reduce the increasing costs of compliance for companies and to improve internal reporting and supervisory capacity for regulators. Many of the regtech solutions are derived and adapted from existing financial technology (fintech)137 solutions, but emerging solutions are being developed de novo with new technologies to cater for specific regulator or compliance-related needs.

Regtech needs and solutions can be divided into two discrete, but clearly interlinked segments:138 supervisory functions for regulators, and compliance for supervised entities. For regulators and supervisors, regtech adoption involves automation of largely manual processes and/or use of new technologies to improve their ability to supervise their regulated industries and to efficiently implement regulations.139 When regtech is used by supervisors of the financial system for oversight and monitoring, it is often also referred to as ‘suptech,’ or supervision technology.140 Suptech solutions allow regulators to automate and simplify routine administrative procedures, as well as improve complex decision-making processes.141 We use regtech to describe all regtech solutions, including suptech, and differentiate where necessary.

137 Financial Technology. Fintech companies use emerging technology and innovative business models to disrupt the financial industry. We focus on small, technology-enabled, new entrants to financial services rather than large technology firms that are entering the financial services or financial institutions that are increasingly using technology. AFI (2016) Digital Financial Services Basic Terminology, available at https://bit.ly/2fipB9g; PwC (2016) Blurred Lines: How Fintech Is Shaping Financial Services, available at https://pwc.to/2HM7WDN; WEF (2017) Beyond Fintech: A Pragmatic Assessment of Disruptive Potential in Financial Services, available at https://bit.ly/2inenB5

138 Toronto Center (2017) FinTech, Regtech and SupTech: What They Mean for Financial Supervision, available at https://goo.gl/R3vWxH

139

While regtech is a relatively new term, technologies seen in the early iterations of what is now known as regtech were simply innovative adaptations of existing technologies for regulatory-related purposes. Nowadays, regtech is driven by the emergence of new technologies such as machine learning, artificial intelligence, pervasive cloud computing, KYC Utilities, and distributed ledger technologies, and from the rapid development in data and analysis-orientated ‘big data’ solutions. Together, these make up the ‘secret sauce’ in regtech solutions. These all emanate to a large degree from fintech innovations focused on compliance and supervision activities.

RegTech solutions, where implemented in the developing world, have been used by financial institutions and other market participants to enhance internal controls, and by financial regulators to improve supervisory capabilities and internal processes for data collection and analysis. Where RegTech is used for supervisory purposes to gather and analyze data from supervised entities and to monitor their activities, it is also known as supervisory technology (SupTech).

140 Dias, D & Staschen, S (2017) Regtech and Digital Finance Supervision: A Leap into the Future, available at http://www.cgap.org/blog/regtech-and-digital-finance-supervision-leap-future

141 See for example the Bank of Russia’s suptech solution to undertake daily, automated collection of bank transaction data. FX Finance Feed (2018) Russia's c-bank invites comments on RegTech and SupTech consultation paper, available at https://financefeeds.com/russias-c-bank-invites-comments-regtech-suptech-consultation-paper/

Many national regulators are implementing regtech solutions in isolation primarily due to the lack of uniformity in regulatory standards, legacy systems and IT capabilities between the national regulators.146

Clearly regulators with common concerns and remits – for example on security or KYC – need to collaborate. Facilitation of cooperation and, as needed, standardization should be through, at a minimum, a Memorandum of Understanding (MoU)147,148 where predefined roles, responsibilities and expectations outline the degree of collaboration and cooperation and what is expected of each regulator.

146 Accenture (2017) How FinTech is Changing the Regulatory Environment: Compliance Keynote at Next, available at https://goo.gl/RmV1Ze

147 A formal agreement between two or more parties that outline the details of the understanding, which includes requirements and responsibilities of each of the involved parties. Summarized from The Law Dictionary (2018) What is Memorandum of Understanding (MOU)?, available at https://thelawdictionary.org/memorandum-of-understanding-mou/; Collins (2018) Memorandum Of Understanding, available at https://bit.ly/2qvg4NI

148 For example, The Securities Commission Malaysia (SC) signed a MoU with MIMOS, the national research and development center in information and communications technology (ICT) to establish groundwork for the development of regtech for capital market analytics. SC greatly benefits from the technological capabilities of MIMOS in processing high volumes of structured and unstructured data to generate better insights on the capital market. It also allows MIMOS to further its objectives in pushing technology solutions to improve government services. Summarized from SC (2016) Collaboration Between SC and MIMOS On Big Data Capability In Capital Market, available at https://www.sc.com.my/post_archive/collaboration-between-sc-and-mimos/; MIMOS (2016) Boosting Regulatory Preformation With Regtech, available at https://bit.ly/2Hv85Ij

For example, in designing regtech solutions for DFS, the telecommunications regulator, central bank, Anti-money laundering unit (AMLU), and those with remit over issuance of national IDs need collaboration, lest it lead to an ecosystem breakdown as occurred recently in Uganda.149

A regtech solution – which could also be part of a KYC utility150 – that effortlessly integrates required CIV and associated reporting data is a useful pivot for impacted regulators to embark on a regtech solution journey.

For compliance-related solutions – again an example on KYC-related issues – impacted regulators could liaise with their supervised or impacted entities to undertake a needs and solution analysis, possibly in a collegial set of workshops followed by ongoing workgroups that set the standards for any regtech solutions based on market capabilities and regulator resources.

5 Country eKYC Implementations

5.1 Overview

As noted above, various eKYC implementations around the world have a nexus between SIM card registration and DFS account provision. These types of eKYC systems are in place or planned in, inter alia, Bangladesh, Ghana,151 India, Nigeria, Pakistan, Uganda, and Jordan, with varying degrees of success. Some eKYC implementations revolve around the use of a single national eID, while other eIDs may be specific to a sector.

There is no one-size-fits-all approach to KYC and AML. The growth in digital payments in emerging market economies is approximately 21.6% annually.152 The innovation and growth in electronic payments has helped transform the ways in which customer due diligence is performed in the developing world. Recent research has focused on the benefits and risks associated with E-ID as the digital financial services landscape has evolved. For example, E-ID systems have helped organizations to carry out KYC due diligence and transaction monitoring processes. E-ID has also provided access to banking services for an increasing number of individuals and businesses. There are a number of benefits and risks associated with E-ID which are discussed below.

5.2 Benefits and Risks Associated with E-ID

149 Daily Monitor (2017) UCC Releases Guidelines for Sim Card Switch Off, available at https://bit.ly/2GX4uSb; africanews (2017) Authorities in Uganda to Switch Off Two Million Unregistered Sim Cards, available at http://www.africanews.com/2017/08/27/authorities-in-uganda-to-switch-off-two-million-unregistered-sim-cards//

150 See Section 7.2: Shared Utilities as Regtech

151 Biometric IDs are issued by the National Identification Authority. Ghana began re-registration of SIM cards in November 2017. Modern Ghana (2017) Ghana to Witness Massive Re-registration of SIM Cards from November, available at https://bit.ly/2rx7NKs

152 Capgemini and BNP Paribas (2018) World Payments Report, available at https://bit.ly/2Z6Zvsv

E-ID systems can assist with enhancing the reliability of customer identification and verification during onboarding. Robust E-ID systems also have the potential to aid existing customer authentication for account access. Traditional documentary methods of conducting customer identification and verification utilize a variety of human control elements. However, the personnel responsible for conducting the KYC due diligence may not have robust investigative tools and the experience to reliably identify counterfeit, altered or stolen documents. E-ID systems also are typically more efficient and provide better user experiences than paper-based applications. Increases in efficiency can also potentially lead to lower overall costs associated with on-boarding customers. A report by McKinsey153 notes that organizations that utilize E-ID systems can realize an approximate ninety percent (90%) reduction in costs related to customer identification processes and experience a reduction in payroll fraud saving up to $1.6 trillion globally. For example, Nigeria began a biometric verification trial period in 2015 for all civil servants in order to obtain accurate records for personnel and to examine whether ‘ghost’ salaries were being paid out. The Central Bank of Nigeria also had customers enroll with their banks to get unique Bank Verification Numbers, which are run by the Nigeria Inter-Bank Settlement System.154 After assessing the civil servants against existing records, Nigeria announced the removal of thousands of (ghost) workers, and saved the taxpayer the equivalent of USD 74 million.

Additional benefits from enactment of digital ID systems include more effective ongoing due diligence, and better transaction monitoring typologies. E-ID systems can help to capture additional data points such as geolocation, IP address, or what devices are being used to perform the transactions. E-ID systems and the additional data points captured can be used to inform transaction monitoring strategies.

The additional customer information can also assist in developing better transaction activity profiles which can help to identify which transactions appear to be unusual or deviate from the customer’s typical transaction profile. E-ID systems will still require robust quality assurance protocols to ensure that vulnerabilities are addressed. E-ID can also assist financially excluded people that do not have official identity documentation, by granting them the ability to obtain digital IDs, and use them to secure banking services. E-ID can also assist people in areas without formal banking channels and in remote geographical regions by gaining access to customer identification and verification through online interaction rather than meeting face-to-face.

E-ID systems are dependent upon reliable documents, processes, and security. Without proper risk management measures, numerous challenges can occur with E-ID systems. Identity management and authentication of identity can pose risks over web communication networks. Effective governance and accountability safeguards can assist in preventing misuse of these systems. However, if effective measures are not implemented, the threat exists that criminals may be able to take over an individual’s legitimate identity or create false identities. Specifically, identity proofing risks involve the creation of fabricated digital IDs to conduct criminal activities, whereas authentication risks involve legitimate digital IDs being compromised. There are other cyber risks such as development of synthetic identities by joining authentic identity data and false identity information to create a new synthetic identity to carry out criminal conduct. Multi-factor authentication is also a risk that arises with E-ID implementation, as passwords can be subject to phishing attacks and data breaches.

153 McKinsey Global Institute (2019) Digital Identification, available at https://mck.co/3i0PhT6

154 The World Bank Group (2018) G20 Digital Identity Onboarding, available at https://bit.ly/2BCljnX

| Country | First Operational | DFS Use | Notable Features & Challenges |
|---|---|---|---|
| Bangladesh | 2015 | In progress | eID is mandated by the Bangladesh Telecommunication Regulatory Commission for SIM card registration and re-registration. The Bangladesh Bank is also developing an eKYC system for financial services. |
| Ghana | 2017 | Yes | Ghana Card is the national eID which has been recently updated to a 128kb SIC with tactile elements for the blind, iris-capture capabilities and all 10 fingerprints of an applicant. The new SIC will provide organizations with data sharing, personal information verification, online identity validation and biometric verification services. |
| India | 2010 | Yes | Aadhaar system collects biometric and demographic data of residents, which is stored in a centralized database. Using the eKYC service, residents can authorize service providers to access their demographic data and photograph from the database using biometrics or password. There have however also been multiple security breaches of the Aadhaar system, raising questions of data privacy and protection. |
| Jordan | 2016 | Yes | Department of Civil Status and Ministry of Information and Telecommunication Technology introduced national eID along with a SIC containing biographical data, fingerprints and iris scans (except in the SIC). In 2018, the Telecommunication Regulatory Commission also mandated the collection of biometric data for SIM registration. |
| Malawi | 2017 | Yes | Within 180 days, around 9.1 million citizens out of 16 million were registered for the national eID, while 3.6 million children were registered alongside their parents. The total cost of the project was around USD 52 million. |
| Pakistan | 2015 | Yes | The Telecommunication Authority mandated the verification of all SIM card owners using biometric information linked to their NIC number. SIM registration was later allowed to satisfy KYC requirements for mobile money account set up, making it easier for people to access mobile money services. |
| South Africa | 2016 | Yes | SIC with a person's photograph, full name, date and place of birth, fingerprint and unique ID number replaced bar-coded identity books. The government in 2018 launched its Automated Biometric Identification System project that integrates all systems and offers a single source for biometric authentication for citizens. |
| Uganda | 2017 | Yes | UCC has made multiple attempts to require verification of all SIM cards using proper identification documents but it has been affected by conflicts between MNOs, the UCC and the government over deadlines for registration and availability of required ID documents. UCC, on different occasions, banned the sale of new and replacement SIM cards until the national ID and database was fully integrated into the CIV processes for SIM registration and also switched off unregistered SIM cards. While both actions were lifted, they prevented users from accessing their DFS accounts for that period. |
| UNHCR | 2015 | Yes | UNHCR, as its own eKYC system, uses a combination of iris scans,155 document (passport, national ID, military cards or family books) authentication and interviews. The documents are checked for authenticity and interviews are conducted to capture biographical info of family members on the database. The iris data of adults in a family is also captured and stored. If there are any doubts or suspicions regarding the identity of the individuals/family, further investigation is conducted. Otherwise, they are given refugee/asylum status and they can use UNHCR financial services using their biometrics. |
| Philippines | 2018 | In progress | The Philippines is in the initial stages of developing a new biometric-based foundational national ID system, the Philippine Identification System. Further, the Central Bank of the Philippines (CBP) has established regulations on E-KYC rules. The CBP notes that the shift to a national ID System will be critical for financial inclusion, as the system will assist in addressing potential onboarding issues due to lack of a verifiable ID. The establishment of a national ID system can also assist in the elimination of inefficient paper-based KYC processes which have made serving impoverished customers less desirable. |

Singapore 2003 Yes SingPass, Singapore’s eGov system, can be utilized to carry out payments

without account numbers. Additionally, SingPass has a feature known as MyInfo

that contains basic user identity data attributes such as names and addresses. The

Monetary Authority of Singapore is currently establishing a KYC system that

will permit financial institutions to access customers’ MyInfo data, which will

assist organizations in meeting basic customer due diligence requirements.

Exhibit 4: Selected eID and EKYC implementations used for CIV for financial services

5.3 Country Customer Due Diligence Approaches

5.3.1 Developing World Approaches156

155 This uses the UNHCR’s IrisGuard iris capture system

156 GSMA (2019) Overcoming the Know Your Customer hurdle: Innovative solutions for the mobile money sector, available at https://bit.ly/3exKDKn

Various organizations across the globe have instituted risk-based customer due diligence processes for their customers. The level of diligence performed on each customer is typically based on a customer risk assessment that weights several data attributes (such as customer type, product type, delivery platform, geography, source of wealth, etc.).

Countries such as Nigeria and Ghana have tiered customer due diligence to differentiate customers that pose different levels of risk. Table 1 below demonstrates the application of tiered due diligence requirements and the associated account restrictions.

| Country | Level of Due Diligence | Daily Transaction Limits | Account Balance Limits | KYC Requirements157 |
| --- | --- | --- | --- | --- |
| Ghana | Minimum Due Diligence Requirements | GH300 | GH1000 | Any photo ID, name, date of birth, residential address, and phone number. |
| Ghana | Due Diligence Requirements for Medium Risk Customers | GH2000 | GH10,000 | Official ID document, name, date of birth, address, and telephone number. Official ID documents that are acceptable include National ID; Voter ID; National Health Insurance Scheme ID; Social Security and National Insurance Trust ID; Passport; and Driver’s License. |
| Ghana | Enhanced Due Diligence Requirements for High risk Customers | GH5000 | GH20,000 | Same requirements as Medium Risk Customers plus at least one of the following: tenant agreement; utility bill; income tax certificate; other banks’ statements; reference letter; employer’s reference letter. |
| Nigeria | Minimum Due Diligence Requirements | N50,000 | N300,000 | Passport photograph, name, place of birth, date of birth, residential address, gender, and phone number. |
| Nigeria | Due Diligence Requirements for Medium Risk Customers | N200,000 | N500,000 | Passport photograph, name, place of birth, date of birth, gender, and Bank Verification Number (BVN). Additionally, ID verification is required. |
| Nigeria | Enhanced Due Diligence Requirements for High risk Customers | N5,000,000 | Unlimited | Customers must comply with all KYC requirements contained within the Central Bank of Nigeria’s AML/CFT Regulations and BVN is required. |

Exhibit 5: Selected KYC limits for financial services in developing countries

157 CGAP (2019) Risk-Based Customer Due Diligence, available at https://bit.ly/2CEXpbV

5.3.2 Developed World Approaches

5.3.2.1 European Union AML Directives

On June 19th 2018, the 5th Anti-Money Laundering Directive (AMLD) was published in the Official Journal of the European Union. Member states had until January 10, 2020 to codify the requirements into their respective national laws. The AMLD broadens the scope of entities subject to AML regulations. Entities that are now subject to the 5th AMLD158 requirements include:

• Providers engaged in exchange services between virtual currencies and fiat currencies;

• Custodian wallet providers;

• Dealers in artwork (where the value of the transactions or series of associated transactions amounts to EUR 10,000 or more).

Tax advisors and estate agents had to adhere to AML regulations under the 4th AML Directive; however, the 5th AMLD provides further clarity on which providers need to meet the AML requirements. Specifically, the scope of the law includes:

• Tax advice service providers that advise on tax matters as principal business or professional activity; and

• Estate agents including when acting as intermediaries in the letting of immovable property, but only in relation to transactions for which the monthly rent amounts to EUR 10,000 or more.

Expanding the scope of industries and entities that must abide by the EU’s AML requirements should make it more challenging for bad actors, who will have fewer channels in which to operate anonymously. As part of the 5th AMLD, each EU member state also has to develop a prominent public function list that outlines the title and role of the function rather than naming the officials holding the public function, as the individuals holding office change frequently. The European Commission has oversight on assembling the list and making it publicly available.

158 European Parliament (2018) Directive (EU) 2018/843 of the European Parliament and of the Council, available at https://bit.ly/3hSjl3g

Significantly, having a uniform standardized list of prominent public functions will help financial organizations to alleviate the ambiguity involved in determining whether a public official holds a position that would qualify as a prominent public role. A centralized list of public functions will also benefit financial institutions with diverse customer bases across the EU in identifying which customers are PEPs (politically exposed persons) or accounts associated with PEPs. Financial institutions typically screen their customer information for PEPs and adverse media when assessing ML, bribery, and corruption risks. The formation of these lists will also be advantageous to regtech vendors that service financial organizations because these institutions typically outsource their PEP, sanctions, and adverse media screening process to vendors that offer screening and due diligence technology solutions.

Under the 5th AMLD, member states have to develop and maintain national beneficial ownership databases. The amendments to the Directive also broaden the methods by which customer due diligence processes can be performed by permitting electronic or any other secure, remote, electronic identification practices that are regulated, recognized, and approved by national authorities.

Further changes include how entities of EU members deal with countries that the European Commission identifies as having deficiencies in their AML and CTF regimes. Entities across the EU are now required to apply EDD protocols on transactions to and from these designated high-risk jurisdictions such as Uganda, Yemen, Trinidad and Tobago. Previously, EU member states could individually determine their own set of EDD practices on transactions with high-risk countries. The EDD measures on transactions with high-risk countries primarily impact individuals and entities from developing nations. EDD measures such as documentation and information on source of wealth could be difficult to procure for persons in the developing world but are necessary to provide adequate safeguards against ML violations.

Another amendment in the 5th AMLD lowers the maximum monthly transaction limit for prepaid cards from EUR 250 to EUR 150; any transactions above the limit of EUR 150 are subject to customer due diligence controls. The derogation of customer identification requirements does not apply in instances of redemption in cash, cash withdrawal, or remote payment transactions where the amount exceeds EUR 50 per transaction. Institutions that offer prepaid cards need to consider updating their policies and procedures as they relate to the new thresholds and enhancing monitoring controls to account for the new requirements.

Cards issued in countries outside of the EU will not be accepted across EU member states unless the country of issuance has AML legislation that is equivalent to the EU’s AML/CFT mandates. Placing further restrictions on individuals using prepaid cards could decrease access to financial services for those without robust identification documentation to meet the customer due diligence standards. However, it should be noted that implementation of these controls can assist in maintaining the integrity of the financial system as customer identification and verification are a critical component of thwarting financial crime.

The European Parliament enacted the EU’s 6th AMLD and member states are required to codify the Directive’s requirements into their national law by December 3, 2020. The 6th AMLD expands the types of actions that are indicative of possible criminal activity and provides clarity on ML offenses. Entities that conduct business in the region have until June 2021 to implement the measures to comply with the regulations.

The 6th AMLD widens the scope of liability with respect to legal persons. Legal persons can be defined as “any entity having legal personality under the applicable law, except for states or public bodies in the exercise of state authority and for public international organisations.” 159 Legal persons can now be held responsible in circumstances where a person with a leading position within an organization carries out a ML offense for the benefit of the organization. Legal persons can also be held accountable for persons with oversight duties in instances where a ML act was made possible by other individuals (i.e., an employee, company representative, etc.) due to limited supervision or control of the individuals. The extension of liability to legal persons demonstrates the significant challenges the EU has faced in recent times in preventing ML and TF. Since the Directive can hold companies responsible for offenses committed by individuals within the business, it is important that organizations provide adequate employee training on preventing financial crimes. Organizations should also assess whether affiliate parties operating within their business have authorizations that would enable them to carry out an offense and have policies in place to assist in the risk management and monitoring of those associated parties.

The requirements note that aiding or encouraging ML should be considered a potential ML offense. Another example of conduct that is now considered a ML offense is the transfer of property, with knowledge that such property is derived from criminal activity, for the purpose of masking the property's origins. Differences between the EU’s prior AMLDs and the 6th AMLD exist. Specifically, the 6th AMLD attempts to develop uniform minimum standards that define criminal offences among EU member states. The list includes 22 offenses including environmental crimes, cyber crimes, tax crimes, and counterfeiting of products. Other distinctions between the EU’s AMLDs include amendments to individual sanctions for offenses. Previously, the mandated minimum prison sentence was one year; however, the 6th AMLD increases the minimum sentence for ML offenses to four years. The development of a uniform list of offenses underscores the difficulties authorities have with regulatory policy gaps across member states with differing national laws. The provision of a minimum set of definitions and standards to combat ML should benefit organizations across the EU in monitoring AML risks, developing standardized comprehensive controls, and penalizing bad actors.

Under the 6th AMLD member states also have several other requirements and items for consideration including:

• Aggravating circumstances that warrant sanctions for ML offences;

• Granting authorities the ability to confiscate or freeze proceeds derived from ML;

• Considerations of further sanctions for legal persons such as exclusion from public benefits, exclusion from public funding, disqualification from practicing business activities, a judicial winding up order, and temporary or permanent closure of establishments used in committing the crime.

159 European Parliament (2018) Directive (EU) 2018/1673 of the European Parliament and of the Council of 23 October 2018 on combating money laundering by criminal law, available at https://bit.ly/37ZcwIF

The 6th AMLD also increases cooperation between EU members when the predicate offenses occur in multiple member states; specifically, EU members must collaborate to centralize the prosecution of the offender.

Both Directives share a common theme of attempting to develop a universal framework to enforce ML violations across EU member states. The Directives should help to further eliminate gaps in existing ML regulations and aid in streamlining member state laws. Additionally, the new regulations expand the number of industries that implement AML controls and enhance how existing industries already subject to AML laws monitor these financial risks.

5.3.2.2 Canadian AML Policy Amendments

Canada has adopted amendments to the Proceeds of Crime ML and TF Act, which were published in 2019. As part of the Budget Implementation Act of 2019, Canadian law mandates that entities transacting in virtual currencies are now expected to register as a money servicing business. Additionally, the legislation’s new requirements are noted below.

Virtual currency dealers are now required to register with FINTRAC and must comply with all AML regulations. However, two exclusions apply to the new rules. If the virtual currency is in a closed loop environment where the currency is non-exchangeable, then the business would not be considered a reporting entity. If the business accepts digital currency for purposes of redeeming goods and services, then the business would not be required to register as a reporting entity.

Previously, financial institutions had to file a STR with FINTRAC within 30 days of first detecting a fact that constitutes reasonable grounds to suspect. The amendments change the reporting requirements to as soon as practicable. Regulated entities also need to submit additional data attributes when filing the report including beneficial ownership information.

International electronic funds transfers must include the beneficiary’s name, address, and account numbers. Intermediaries of electronic funds transfers also now have mandates to keep records and include customer information in the transactions. Financial organizations that act as the beneficiary in receiving an electronic funds transfer are required to establish risk-based processes to discern whether they should reject the transaction if the transfer does not include the required information and determine if escalation procedures are warranted.

Under previous Canadian laws, regulated entities had rigid criteria for satisfying customer due diligence requirements. The customer documentation had to be “original, valid, and current” in order to be considered permissible to verify a customer’s identity. The new regulations note that organizations can use “valid, authentic, and current” documentation to verify identity. By stating that authentic documentation is now permissible rather than only the “original” identity documentation, regulators are opening additional flexibility to financial entities regarding acceptable methods of verification and granting institutions the ability to verify customer identities through electronic channels. Essentially, the new requirements permit institutions to accept copies of customer documentation rather than originals in order to verify customer identities.

Foreign MSBs that provide services in Canada but don’t have a physical footprint in the country were not required to meet Canadian AML regulations; however, with the amendments, foreign MSBs will have to meet all Canadian regulations for MSBs if they actively direct services to Canadians. For example, if a foreign MSB initiates a marketing campaign in Canada to provide banking services, the foreign MSB would be subject to Canadian laws.

Beneficial ownership rules have also changed. Specifically, institutions have to take measures to verify the validity of new beneficial ownership information and monitor the ownership records on an ongoing basis to ensure that the information is up to date.

Under prior regulations, organizations were required to determine whether an individual was a PEP when initiating or receiving an international EFT of $100,000 or more. The criteria for identifying PEPs included individuals that were within one of the categories below:

• Foreign PEPs;

• Domestic PEPs;

• Family or close associates of a PEP; and

• Leaders of international organizations.

The new amendments now require that organizations expand the determination of PEP status for prepaid product and virtual currency transactions of $100,000 or more. Financial institutions are also now required to take reasonable measures to determine a PEP’s source of wealth.

Multiple transactions that occur within 24 hours are considered one transaction when they total $10,000 or more in virtual currency or cash. The regulations provide further clarity that only one report needs to be submitted to FINTRAC for the transactions rather than submitting a report for each transaction over the $10,000 limit.
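The aggregation rule described above, as an added example that is not part of the original paper: a monitoring routine that treats a customer's cash or virtual currency transactions within 24 hours as one transaction and emits a single report once they total $10,000 or more. The record layout, customer identifiers, the rolling window anchored at the earliest unreported transaction, and the grouping per customer and per value type are assumptions made for the illustration; the sample transactions are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

THRESHOLD = Decimal("10000")   # amount stated in the text
WINDOW = timedelta(hours=24)   # period stated in the text


def aggregate_reports(transactions):
    """Return one report per qualifying 24-hour window.

    transactions: iterable of (customer_id, kind, timestamp, amount), where
    kind is "cash" or "virtual_currency" (assumed record layout).
    """
    groups = defaultdict(list)
    for customer, kind, when, amount in transactions:
        groups[(customer, kind)].append((when, Decimal(amount)))

    reports = []
    for (customer, kind), txs in sorted(groups.items()):
        txs.sort()
        i = 0
        while i < len(txs):
            start = txs[i][0]
            j, total = i, Decimal("0")
            # Collect every transaction less than 24 hours after the anchor.
            while j < len(txs) and txs[j][0] - start < WINDOW:
                total += txs[j][1]
                j += 1
            if total >= THRESHOLD:
                # One report covers the whole window, not one per transaction.
                reports.append({"customer": customer, "kind": kind,
                                "window_start": start, "count": j - i,
                                "total": total})
                i = j          # reported transactions are not counted again
            else:
                i += 1         # slide the anchor to the next transaction
    return reports


# Constructed sample data (not real customers or transactions).
T0 = datetime(2020, 3, 2, 9, 0)
SAMPLE = [
    # Three deposits inside 24 hours: 12,000 in total, one report.
    ("cust-A", "cash", T0, "4000"),
    ("cust-A", "cash", T0 + timedelta(hours=10), "4000"),
    ("cust-A", "cash", T0 + timedelta(hours=20), "4000"),
    # No 24-hour window reaches 10,000: no report.
    ("cust-B", "cash", T0, "6000"),
    ("cust-B", "cash", T0 + timedelta(hours=23), "3000"),
    ("cust-B", "cash", T0 + timedelta(hours=30), "5000"),
    # Only the window anchored at the second transfer qualifies.
    ("cust-C", "virtual_currency", T0, "2500"),
    ("cust-C", "virtual_currency", T0 + timedelta(hours=26), "7000"),
    ("cust-C", "virtual_currency", T0 + timedelta(hours=40), "3500"),
]

if __name__ == "__main__":
    for report in aggregate_reports(SAMPLE):
        print(report)
```

The cust-C case shows why the anchor has to slide: a window fixed at the first transfer would never see the two later transfers together.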

The new policy amendments demonstrate that institutions will have to consider updating their policies and procedures to reflect the changes. The regulations place AML controls on the virtual currency industry bringing Canada in line with other developed nations. The additional flexibility allotted to verification methods helps to further advance remote onboarding initiatives amongst financial entities. Overall, the amendments are likely to increase compliance burdens for organizations across Canada but especially for virtual currency dealers. The additional oversight measures should also benefit regulators in meeting their stated objectives.

6 Conclusions

The paper addresses a broad range of topics to identify current patterns in the AML regulatory landscape. The results demonstrate that regulators are constantly refining AML rules around the globe. Additionally, regulatory authorities are increasingly willing to be adaptive regarding the supervisory measures taken in times of crisis.

Regulatory guidelines have recently encouraged financial institutions to utilize e-KYC and various electronic methods to verify customer identities. The regulatory guidance and the use of digital technology for AML compliance do not mark a departure from the high standards set by regulators but rather establish additional flexibility around existing requirements. Demand from bank end-users for electronic methods to perform banking transactions is increasing.

Emerging patterns suggest the health pandemic should accelerate transitions from banking-focused services and cash into digital financial services with broader adoption by consumers fearful of contracting illnesses. As innovation in the financial industry continues, regulators are consistently developing new methods to ensure safeguards are put in place to protect the economy.

Governments have developed innovation offices and have taken an open approach to learning about new technologies such as blockchain and digital currencies in an effort to develop sound risk management and AML rules to supervise new financial products and financial technology organizations.

Increased regulations can sometimes serve as an impediment to financial inclusion. Policy makers have a difficult task in balancing their goals and objectives. As the regulatory landscape evolves, consideration has to be given to ensuring that the populations that historically have had challenges accessing banking services are still able to utilize them. Ultimately, the path for AML policy continues to advance as financial markets have become increasingly complex. The economy’s financial integrity remains intact and regulators will continue to develop policy solutions to mitigate AML risks.