UK guidance on digital ID for AML compliance answers and raises questions

Money laundering is one of the social ills digital identity can potentially help with, and new guidance from the UK’s HM Treasury and the Office for Digital Identities and Attributes (OfDIA) explores how.

Both describe how the digital identity system the UK is setting up around its Digital Identity and Attributes Trust Framework (DIATF) can help organizations meet their anti-money laundering (AML) compliance requirements. They address how regulated businesses can meet their obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) in terms of customer onboarding and identity verification for customer due diligence (CDD).

Identity verification for these processes, including verification of company directors, can meet the requirements of MLR Regulation 28, as long as it is provided by a digital verification service (DVS) certified under the DIATF, HM Treasury’s guidance states.

“Digital verification services which are not certified and therefore not on the DVS register cannot reliably be deemed suitable for identity verification in compliance with the MLRs,” according to the guidance.

Regulated entities should ensure their DVS complies with the record-retention requirements in MLR Regulation 40.

Businesses can have confidence that certified and registered DVS providers are reliable and independent sources of information, and in the anti-impersonation assurance they deliver, according to OfDIA’s guidance. OfDIA also emphasizes the role of DIATF-certified digital identity providers in meeting CDD and Regulation 28 obligations.

Regardless of how they carry out identity verification, OfDIA cautions that organizations still need to continually assess customer risk and apply enhanced due diligence as needed, and should remember that the liability for appropriate CDD is still theirs, even if a third-party service is used. They should also not assume that digital identity satisfies all elements of CDD; OfDIA offers the example of “understanding the purpose and intended nature of a business relationship or transaction.”

OfDIA notes the use of digital identity could benefit the UK economy with an estimated 701 million pounds (roughly US$944 million) in efficiencies.

Confidence, certification consistency challenged

Richard Oliphant spots two fundamental flaws in the guidance.

First is the lack of guidance on the level of confidence (as defined in the Good Practice Guide 45) required for compliance with Regulation 28.

“This is a major oversight and dilutes the usefulness of the guidance. Moreover, it diverges from the approach under the new EU AML regime which prescribes the level of identity assurance for remote customer onboarding (see Article 22(6) of the EU AML Regulation),” Oliphant says in a LinkedIn post.

Second, the statement quoted above about the need for DVSs to be certified and registered clashes with the stipulation in Regulation 28(19) that qualified trust service providers (QTSPs) established in the EU under eIDAS can be considered reliable.

OfDIA is surely well aware of this, as only 14 of the 39 DVS providers from which it collected survey responses on international interoperability are DIATF-certified.

Oliphant notes Docusign, Signicat and Namirial among examples of EU-qualified providers operating in the UK. He calls for that point of guidance to be reconsidered.

