Canadian financial institutions must revamp their identity verification procedures by June 1 of this year to comply with new anti-money laundering regulations.
The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) was updated last year to permit regulated businesses to rely on digital identification from customers when they conduct financial transactions. Now, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has spelled out how those institutions must verify digital IDs.
The goal is to modernize the rules to adjust to today’s digital world and to reduce the regulatory burden for business. “We consulted businesses extensively on proposed new regulations,” said Tammy Maheral, a Senior Compliance Officer with FINTRAC, at a recent ITWC webinar sponsored by OneSpan.
Webinar On-Demand: FINTRAC Regulatory Update
It’s up to businesses to make sure that a person’s digital ID is “authentic, valid and current” according to the new regulations, Maheral said.
How to verify digital ID
There are three ways for regulated businesses to verify individuals’ identities:
- Authenticate government-issued photo ID. Businesses can still use the traditional method of examining an original document in-person, or may do so remotely, explained Maheral. If the customer is not physically present, technology can be used to verify the ID. After scanning the ID by phone, an application would be used to compare the document’s appearance and security features to known characteristics of that type of ID, such as a passport. The business also has to be sure that the name and photo on the ID match the customer. They can confirm this in a live video chat session, or by using ID verification software to review the customer’s name and a selfie. Maheral cautioned that not all technologies will compare the customer’s name with the name on the photo ID.
- The credit file method. The business can check an ID against a valid and current credit file from a Canadian credit bureau. The file must have been in existence for three years and be reviewed at the time they’re verifying the customer’s identity. The information on the credit file has to match the name, address and date-of-birth that the customer provided.
- The dual-process method. This allows the business to check a customer’s identity by referring to two different and reliable sources which may be digital. For example, statements or letters can be used in this case to verify several combinations of information such as name and address or name and date-of- birth.
To verify the identity of a corporation, partnership or association, businesses can check the information on a paper or electronic record obtained from a public source.
The new rules also make a number of changes to the process for reporting suspicious transactions, which should be carefully reviewed by all regulated entities.
Guidelines to manage COVID-19 challenges
FINTRAC has issued specific guidelines to assist businesses experiencing compliance challenges brought on by the COVID-19 crisis, said Maheral. For example, if a company can’t report a suspicious transaction for reasons beyond its control, it should submit a notice of non-compliance and this will be taken into consideration when assessing their overall compliance, she said. As well, some of the detailed requirements to verify ID authenticity have been relaxed during for the time being. FINTRAC is open to working constructively with regulated businesses to manage compliance during this difficult period, Maheral said.