On 16 July 2021, the Financial Markets Authority, the Department of Internal Affairs, and the Reserve Bank of New Zealand (Supervisors), released the updated Explanatory Note: Electronic Identity Verification Guideline (Guideline) on the Amended Identity Verification Code of Practice 2013 (AIVCOP). The Guideline replaces the previous Identity Verification Code of Practice – Explanatory Note issued in December 2017 (Previous Explanatory Note).
A link to the AIVCOP is available here and a link to the new Guideline is available here.
Who needs to read it? Why?
The changes will be relevant to all reporting entities under the AML/CFT Act, especially those who use Electronic Identity Verification (EIV) as a way of verifying a customer’s identity. Overall, the Guideline is more precise, and restrictive, in terms of what the Supervisors think is appropriate for EIV compared to the Previous Explanatory Note. The significant changes in the Guideline are outlined below.
What does it cover?
Documenting EIV procedures
The Guideline provides much greater detail than the Previous Explanatory Note as to how reporting entities should document their use of EIV as part of their AML/CFT Programme. Specifically, the following information should be included:
- when the reporting entity will use EIV;
- the EIV provider and product (if the reporting entity is relying on a third party to conduct EIV);
- the electronic source(s) used to verify the person’s name and date of birth;
- record keeping processes;
- how the reporting entity checks their records that a prospective customer’s details has not previously been used; and
- exception and escalation processes.
The Supervisors state that the AML/CFT Programme should also make clear whether the reporting entity using EIV is using a single independent source to a high level of confidence, or two (or more) reliable and independent matching sources. If a reporting entity is using a single independent source, then the AML/CFT Programme should document how assurance of a “high level of confidence” of an individual’s identity is being met. If two (or more) reliable and independent matching sources are being used, the AML/CFT Programme should document the steps being taken to ensure compliance with clauses 17 and 18 of the AIVCOP.
EIV sources
The Guideline builds on the Previous Explanatory Note and includes additional content identifying commonly used electronic sources in New Zealand. It also sets out the Supervisors’ expectations for when they review or inspect a reporting entity’s EIV procedures, policies and controls. Various examples of EIV practices are also included in the Guideline.
Using two reliable and independent matching sources
In relation to the use of two reliable and independent matching sources for verification of a customer’s identity, the Supervisors have stated in the Guideline that in their view the individual’s name and date of birth must be verified from one source, whereas only the name must be verified from the other.
Furthermore, they have stated that in their view the Confirmation Service offered by the Department of Internal Affairs and the New Zealand Driver Licence database offered by the New Zealand Transport Agency are the primary electronic sources that they would expect a reporting entity to use for verification of a customer’s name and date of birth.
In relation to the second electronic source that would be used to verify the customer’s name, the Supervisors have suggested that credit bureaus, the Companies Office, the land registry from Land Information New Zealand, and vehicle registration details from the New Zealand Transport Agency are acceptable.
Using a single independent source
In relation to the use of a single independent electronic source for verification of a customer’s identity, the Supervisors have stated that in their view, only a verified RealMe identity [1] can meet the requirement for the single independent source to verify an individual’s identity to “a high level of confidence”, as it biometrically matches the person’s photo and identity details against New Zealand government records.
Linking a customer to their claimed identity
In the Guideline, the Supervisors have emphasised, through stronger language, that if an electronic source has no mechanism in place to determine whether a customer can be linked to their identity, or if the mechanism in place is not robust enough, then a reporting entity must adopt additional methods that will be used to supplement it, or to otherwise mitigate any deficiencies in the process.
The Guideline states that one way a reporting entity can achieve this is by requiring the first credit into the customer’s account or facility to be received from an account/facility held at a New Zealand registered bank in the customer’s name that cannot be altered or changed. To supplement this guidance, the Supervisors have specified in a new appendix to the Guideline a list of registered banks from which first credits can be relied upon for this purpose, as they do not allow the customer to alter or change the payer name.
Our view
Despite its title and status as “guidance”, the Guideline uses prescriptive language suggesting that the Supervisors expect it to be followed.
The AIVCOP itself remains unchanged since it was amended in 2013. Codes of practice, like AIVCOP, are intended to provide a statement of practice to assist reporting entities to comply with their AML/CFT obligations and are governed by subpart 5A of the AML/CFT Act. Complying with a code of practice is not mandatory. However, if fully complied with, codes of practice operate as a ‘safe harbour’ for reporting entities. If the Supervisors wish to amend a code of practice, including AIVCOP, it will require signoff from the Minister of Justice. In turn, the Minister would only be able to approve the amendments if the Supervisors have consulted with the persons and organisations that the Minister thinks appropriate. This provides an additional layer of screening before an amended code of practice can be promulgated.
However, the Supervisors here have not procured the amendment of the AIVCOP itself which leaves ambiguity as to the position of reporting entities who consider they are complying with the AIVCOP, but whose interpretation of it differs from the Supervisors as set out in the Guideline. However, many reporting entities will prefer the more conservative approach of complying with the Guideline even though as the Guideline itself states in an introductory paragraph, the Guideline cannot be relied on as evidence of compliance with the AML/CFT Act, and does not constitute legal advice.
A good example of the difference is the issue of what is an acceptable single independent source that can be relied upon to verify an individual’s identity to a high level of confidence. The Guidance indicates that the Supervisors regard RealMe as the sole example available. However, if an entity in the private sector were able to develop a mechanism that provided the same or even better level of confidence as to an individual’s identity, reporting entities would need to decide whether to rely on this new technology on the basis that it satisfied the requirements imposed by AIVCOP, even though that was not envisaged by the Guideline.
What next?
Reporting entities may need to amend their AML/CFT Programmes to ensure that these take into account the expectations of the Supervisors in relation to their use of EIV. If you have any questions in relation to the changes in the Guideline or would like assistance in updating your AML/CFT Programmes to reflect the new requirements, please contact one of our experts.
Footnote
[1] RealMe is a digital identity service to prove who you are online and is used by many New Zealand government agencies and other organisations. It is managed by the Department of Internal Affairs.