Canadian financial institutions must revamp their identity verification procedures by June 1 of this year to comply with new anti-money laundering regulations.

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) was updated last year to allow regulated businesses to rely on digital identification from customers when they conduct financial transactions. Now, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has spelled out how those institutions must verify digital IDs.

The goal is to modernize the rules to adjust to today’s digital world and to reduce the regulatory burden for business. “We consulted businesses extensively on proposed new regulations,” said Tammy Maheral, a Senior Compliance Officer with FINTRAC, at a recent ITWC webinar sponsored by OneSpan.

It’s up to businesses to make sure that a person’s digital ID is “authentic, valid and current” according to the new regulations, Maheral said.

How to verify digital ID

There are three ways for regulated businesses to verify the identity of individuals:

  1. Authenticate government-issued photo ID. Businesses can still use the traditional method of examining an original document in-person, or may do so remotely, explained Maheral. If the customer is not physically present, technology can be used to verify the ID. After scanning the ID by phone, an application would be used to compare the document’s appearance and security features to known characteristics of that type of ID, such as a passport. The business also has to be sure that the name and photo on the ID match the customer. They can confirm this in a live video chat session, or by using ID verification software to review the customer’s name and a selfie. Maheral cautioned that not all technologies will compare the customer’s name with the name on the photo ID.
  1. The credit file method. The business can check an ID against a valid and current credit file from a Canadian credit bureau. The file must have been in existence for three years and be reviewed at the time they’re verifying the customer’s identity. The information on the credit file has to match the name, address and date-of-birth that the customer provided.
  1. The dual process method. This allows the business to check a customer’s identity by referring to two different and reliable sources which may be digital. For example, statements or letters can be used in this case to verify several combinations of information such as name and address or name and date-of- birth.

To verify the identity of a corporation, partnership or association, businesses can check the information on a paper or electronic record obtained from a public source.

The new rules also make a number of changes to the process for reporting suspicious transactions, which should be carefully reviewed by all regulated entities.

Guidelines to manage COVID-19 challenges

FINTRAC has issued special guidelines to help businesses facing compliance challenges brought on by the COVID-19 crisis, said Maheral. For example, if a business can’t report a suspicious transaction for reasons beyond its control, it should submit a declaration of non-compliance and this will be taken into consideration when assessing their overall compliance, she said. As well, some of the detailed requirements to verify ID authenticity have been relaxed during for the time being. FINTRAC is open to working constructively with regulated businesses to manage compliance during this difficult period, Maheral said.