Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

CHAPTER 15
RETAIL CUSTOMER IDENTIFICATION

15.1 WHO ARE RETAIL CUSTOMERS?

Retail customers are essentially private individuals who act in their own capacity. Customer identification procedures that are suitable for personal customers will inevitably be different from those that are applied to corporate customers. This is due to the nature of the relationship and also the nature of the documentation that is available to retail customers to provide to the financial institution.

Of course, in corporate relationships it may still be appropriate to identify some of the owners, controllers or stakeholders depending on the nature of the relationship. In such cases, the process that is undertaken is similar to that addressed in this chapter and will be in addition to the procedures to be adopted in respect of corporate customers, which are discussed in Chapter 16.

The procedures that will be adopted within a firm will need to meet the requirements of both their host (i.e. the jurisdiction where they are based) and home regulatory regime (i.e. the jurisdiction where their head office is based). The host requirement is obvious: since the firm is conducting business in that country it will need to comply with the rules of that country. In this chapter we discuss general requirements and provide UK-based rules as an example. In the country profiles included within Chapter 27, you will find summary specific requirements for specific countries.

We have also suggested that it would be wise to meet the higher requirements set by complying with both host and home regulations. Your home regulator is unlikely to be willing to accept that a lower level of identification is acceptable to a firm's overseas units. Accordingly, achieving the higher of home and host regulation would appear a prudent approach to be adopted by any firm.

While the distinction between a retail and a corporate customer might appear, on first consideration, to be straightforward, in practice this is not always clear cut. Consider the case of an individual that forms themselves into a company. Should the corporate customer rules be applied for identification, or should the firm continue to use the retail customer rules? What if the customer has one assistant? Would that make such a difference to the risk profile of the customer that a change in identification approach should be made?

In practice, you will find that firms do operate different approaches. What is most important for the firm to achieve is that, regardless of the approach adopted, sufficient information is obtained to enable the firm to really understand the nature of the customer's activity. The firm should have a clear policy which sets out the identification requirements in all such cases, with the objective always being to obtain sufficient reliable evidence to provide the firm with the protection it requires to demonstrate that appropriate procedures have been complied with. In making such an assessment, the firm should consider the nature of the financial crime risk that the relationship introduces, and conduct such analysis as appears appropriate in the circumstances.

15.2 BASIC RETAIL IDENTIFICATION EVIDENCE

Firms must generally initially identify private individuals by obtaining three key pieces of information:

Full name
Residential address
Date of birth.

However, this information must be obtained from reliable and independent sources. It is not sensible just to ask the customer to provide the data to the firm, since that will not provide any evidence of independent review. Instead, reference should be made to reliable documents that are prepared by a third party (agency or government, for example). In particular, photocopies should not be accepted unless they have clearly been authorised by an appropriate legal resource.

Typical documents required include a passport, driving licence or identity card, together with some form of utility or other bill that will prove address. The key element is having at least one piece of evidence that includes the face of the customer, such that it can be confirmed by the financial institution by seeing the person actually being met. Of course, any of these documents could be forged, with a utility bill being capable of being forged on a photocopier.

In terms of specific requirements, reference will still need to be made to local rules, since these do vary. Clearly, firms should take particular care when dealing with customers that they do not meet face to face. The objective is always, where possible, to see originals of documents when verifying identity, but non-face-to-face customers are likely to be reluctant to send valuable original documentation through the post. This leads to the problems of dealing with non-face-to-face customers, as discussed in Chapter 18.

15.3 DOCUMENTARY VERIFICATION

Once retail customer documents have been produced by the customer on request, the firm is still generally under an obligation to conduct validation procedures to ensure that they are reliable. We would recommend that such validation should be conducted particularly in cases where the relationship has been identified as being of enhanced risk, requiring additional or enhanced due diligence procedures to be adopted.

The highest quality documentation which firms can place reliance on will be documentary evidence issued by a government department or agency. The logic for this is that government agencies can, in theory, be relied upon to have undertaken procedures to verify their own evidence, checking the existence and characteristics of the person concerned. However, relevant staff still need to be aware of the possibility that such documents might be forged and to know any specific signs that might alert them to such a fact.

The evidence obtained must give the firm reasonable confidence in the customer's identity, which the firm should weigh against the risks involved in relying on this evidence. Non-government-issued documentary evidence may be accepted if it originates from a public sector body or a firm regulated by the financial services. In other cases, this may be used to provide supporting evidence in addition to a primary government-issued document. Of course, the bodies that produce such documents and the specific documents available will vary between countries.

Government-issued documents which incorporate a full name, address, date of birth and photograph typically include the following:

Valid passport;
Valid driving licence including a photograph of the customer;
National identity card, ideally also including a photograph of the customer.

There may be other documents acceptable to a firm for identification specified by the regulations, but these are normally only acceptable when two pieces of identification documentation are required, which is the position in some countries.

One of the concerns, as mentioned above, is forgery. A passport which has almost no stamps in it with a photograph that looks exactly like the customer is likely to carry a higher risk of forgery than a passport that looks like the customer on a bad day with a load of individual country stamps. Would you use your best photograph for your passport? What are you not allowed to do on a passport photo? The forger will not generally forge more than two country visa stamps and rarely on more than one page. It is just too much like hard work for them. So, a photograph that looks like the customer on a new-looking, fairly empty passport warrants a higher level of scepticism than one which is full of visas with a picture that is clearly pretty awful!

Government-issued documents without a photograph may also be used for customer identification, as long as they incorporate the customer's full name and are supported by a second document which is government-issued, or issued by judicial or public sector authority or a regulated firm which incorporates full name, address and date of birth. In the UK, statements or invoices from utility companies can be used to meet this requirement, but we would recommend caution. Any piece of evidence that can be forged on a photocopier must, by its very nature, be considered to provide limited evidence. Such documents are normally only used to verify address data, although this may be independently available in some form of electoral role documentation, in the telephone book or through the use of social media records of the individual.

Generally speaking, face-to-face verification can be achieved by the customer producing a valid passport or photocard licence and the firm confirming that the picture shown is a reasonable likeness of the customer. Remember that if the picture is a perfect likeness, this may provide cause for concern, since the money launderer always has perfect documents.

The objective of the provision of such documents is to enable the firm to show that the individual has met all of the required and procedurally driven identification requirements for money-laundering and terrorist-financing-deterrence purposes. However, they may not be sufficient in themselves, and consequently firms will need to apply a risk-based approach when determining the level of additional identification checks to be conducted, which is generally referred to as enhanced due diligence. Firms may wish to pay particular attention to managing fraud or credit risk, and so may restrict the use of certain identification documents. This will depend on the current status of forgery in their country. Indeed, it is the falling cost of forged documents which is such a concern at present.

In the UK, the obligations have moved towards really understanding your customer and away from simple, narrow requirements, which is clearly appropriate. It does, of course, raise additional problems for banks that are not dealing directly with their customers in person, for example internet banks and credit card vendors. Accordingly, a higher level of additional verification is required in such cases.

15.4 CUSTOMER EXCLUSION

In most countries there are specific rules on financial exclusion, and this can lead to some unusual cases. How would you identify the street vendor who does not have a permanent address and is perhaps illiterate? In practice, firms may be willing to accept a symbol made by the customer who is unable to sign their name and will also undertake and record additional procedures that need to be conducted in such cases.

If the firm has rules requiring a retail customer to possess a passport or driving licence and another form of identification, there will be some customers that will not have such documents. If you consider the case of a teenage child, they may have a passport, but no other documentation. Clearly, a letter of reference from the parent should be acceptable as additional identification, but this historically was not allowed in the UK. In one case, a teenage customer of a bank, who we will refer to as Robert, wanted to open another account at the same bank. He had a passport, but since he lived with his parents did not have either a utility bill or a driving licence. The bank rejected its own documents as evidence and told Robert to take £1 to another bank up the road. Using the first bank's bank statement and the passport, he would be able to open an account at the second bank. With the information from the second bank, he could return to the first bank and use this additional information to open an account. This is regulation that clearly is ineffective and has fortunately, in the case of the UK, been repealed.

15.5 ELECTRONIC VERIFICATION

Electronic verification of identity should be carried out by a firm using the customer's name, address and date of birth to carry out an electronic check directly or through a supplier (for example, a commercial agency such as Experian). Electronic verification provides additional independent assurance that the customer is who they say they are. Even electronic verification needs to meet a standard level of confirmation before it can be relied upon by a financial institution. To be acceptable there needs to be a match for the individual's name or current address, and a second match on an individual's name with their current address or date of birth. When firms use commercial agencies for electronic verification, they must ensure that they fully understand the systems and scoring mechanisms used by the firm when interpreting the results. There should always be a manual review of any such documents in case of manifest error by the agency.

Firms should remember that although outsourcing of a role to a commercial agency is permitted, they can delegate the work but not abrogate responsibility. Accordingly, a measure of oversight would still need to be maintained. There is a specific Bank for International Settlements paper entitled Outsourcing in Financial Services issued in February 2005 (http://www.bis.org/publ/joint12.pdf), to which reference should be made for specific guidance to be adopted in such cases, including the documentation to be maintained and the maintenance of suitable service level agreements (SLAs) which must be monitored effectively.

15.6 IMPERSONATION FRAUD

Impersonation fraud (or phishing) has become an increasing problem in recent years and is probably the fastest-growing area of fraud in the modern world. There are many reasons why a firm should manage the risk of impersonation fraud, only one of which relates to money-laundering deterrence. The greatest risk is, of course, fraud, and the disappearance of the customer with the funds of the firm, together with the reputational impact when this is discovered. There are greater risks in this respect when a firm is using electronic data to carry out additional anti-fraud checks as part of its routine procedures. In such cases, the firm should implement additional due diligence procedures which incorporate the following:

Requiring the first payment to be carried out in an account in the customer's name with a locally regulated credit institution, or one from an equivalent jurisdiction.
Verifying additional aspects of a customer's identity using independent third party sources.
Making telephone contact with the customer prior to opening the account on a home or business number which has been verified electronically, or making what is referred to as a “welcome call” to the customer before transactions are permitted. This is used to verify additional aspects of personal identity information that have previously been provided by the customer during the process leading to the setting up of the account.
Communicating with the customer at an address that has been independently verified, e.g. direct mailing. Firms should not rely solely on addresses provided by the customer, since this would increase the risk of fraud.
Other card or account activation procedures, all of which should be clearly documented and understood by all staff. Firms need to make sure that all procedures are rigorously applied and that there is no ability for an employee to override the requirement to undertake a procedure. Such inappropriate activity would enable staff to assist in fraudulent activity being conducted.

As an individual there are things that you can do to reduce the chance that your identity will be stolen. The Metropolitan Police in the UK have issued the following guidance in this respect which includes the actions to be taken:

HOW IS YOUR IDENTITY USED?

Once a key piece of information, such as card details, has been obtained, other information may be gathered from other sources, depending on the intention of the fraudster. Put together, they can obtain sufficient information to impersonate somebody and make a payment using their financial information.

Information that was given for another purpose may be used as a basis for ID fraud.
Internet sites such as Facebook, other social networking sites and publicly available information such as the Voters' register are used to gather identifying personal information.
The most common types of identity fraud involve the use of compromised credit and debit card details.
Account takeover is a growing trend. Information is obtained to take over bank, card and loan accounts in order to make high-value purchases and take out loans.
Genuine documents may be obtained such as passports and driving licences.

Be vigilant in providing and using your personal information. In particular:

Your address:

If you start to receive post for someone you don't know at your address, find out why.
Register to vote at your current address. Lenders use the electoral roll to check where you live.
When registering to vote, tick the box to opt out of the “Edited” register to prevent unsolicited marketing mail. (This does not affect credit checks.)
Sign up with the Mail Preference Service to prevent marketing letters.
Protect mail left in communal areas of residential properties.
Re-direct your mail when moving home.

Your accounts:

Regularly check statements and chase up any that are not delivered when expected.
Shred, using a cross-cut (confetti) shredder, anything containing personal information.
Sign up with a credit reference agency for alerts.
Regularly check your credit reports from a credit reference agency.
Sign up to Mastercard secure code or Verified by Visa when you receive your cards, even if you do not intend to use your cards online – this protects you if your card or details are lost or stolen.

Your phones:

Beware of unsolicited phone calls, letters and emails pretending to be your bank or other financial institution and asking you to confirm your personal details, passwords and security numbers.
Sign up with the Telephone Preference Service to prevent marketing phone calls.
If using a smartphone, install anti-virus software on it.

Your computer:

Keep your computer security programs (anti-virus, anti-spam) up to date.
Restrict the amount of personal information that you disclose on the web.
Don't fall for online scams, phishing emails, advance fee or other internet-related frauds.
Know how to verify secure websites if making financial transactions.
When forwarding emails, delete other people's email addresses, and if sending an email to several people, “blind copy” their email addresses to guard against email scammers.

You should:

Opt out where you can – companies may send you marketing mail or share your details in mailing lists with other companies.
Don't divulge more information than you need to – why do they want so much personal information?
Think very carefully before giving information to researchers or charity collectors.
Have a secure place to store confidential documents at home. In a safe, for example.
Don't carry what you don't need in your wallet, purse or bag, such as passports or credit cards.

If you think that you are a victim of identity fraud – act quickly:

Do not ignore the problem – it might not be you that has ordered some goods or opened an account, but the debt falls to your name and address.
Inform the card issuer or other financial institution concerned as soon as possible.
Do not destroy the card if it is still in your possession – keep it as evidence.
Identify fraudulent transactions as soon as possible. Inform the companies involved if possible.
Inform the police if you have lost money directly or can identify a suspect. Card companies pass information relating to transactions on compromised cards directly to the police.
Obtain a copy of your credit report from a credit reference agency.
Credit reference agencies offer free advice services to victims of ID fraud.
Sign up with the CIFAS Protective Registration Service: 0330 1000 180 (local rate) or email: [email protected].

Source: http://content.met.police.uk/Article/Identity-fraud--is-someone-using-your-identity/1400010760805/1400010760805

There is much good advice here. We are continually surprised that people provide so much detail on social media sites, which has the effect of making them more vulnerable to identity theft. Once your identity has been stolen, this is likely to haunt your financial reputation for many years to come.

15.7 FAMILY MEMBERS

In most jurisdictions there is generally no requirement to verify the identity of any other family members of the customer, or any requirement to obtain information on them. The rules tend to follow a simple legal view, in that it is the customer that is opening the account, not the family. Accordingly, information on family members is generally not recorded. In some countries, it would be illegal to even make such enquiries.

Of course, this does increase the risk that your firm will be used by the unscrupulous. If the spouse of the customer seeking a facility has been found guilty of money laundering, terrorist financing or fraud, this would clearly be relevant to a firm's assessment of the customer. In the notices published by the UN, EU and others you will note references being made to the stated person being an associate of a known terrorist financer.

That such enquiries cannot officially be made has the effect of increasing the opportunity for abuse of the system. Clearly, if a firm does undertake any such review then it must not be documented if such documentation would breach local rules. There can always be another reason to reject a customer.

If it is legal to conduct such additional investigation then the economic linkage test should be applied. Could the customer that the firm is seeking to identify actually have such a close relationship with another party that it would impact on the financial crime risk associated with this relationship? If such a relationship does exist then enhanced due diligence would suggest that the additional individual should be identified in addition to the primary customer. Again, this can only be undertaken if this is allowed within the regulations of your jurisdiction.

15.8 TRANSACTION MONITORING

In terms of accounts that are maintained with customers, the level of updating that is required to take place subsequent to the original account opening varies considerably between jurisdictions. In some countries, if a retail customer had taken out a property loan they would need to provide details of their current employer such that a deduction could be made from their salary. Changes in employer likewise must be reported immediately.

In other cases, all such loans are recorded on a central government database. The alternative is the situation in countries such as the UK where the customer is under no obligation whatsoever to provide up-to-date information to the firm. Accordingly, the firm will not even know who the customer is employed by, only who they were employed by when they took out the facility. Clearly, this severely impacts the ability of the firm to identify what might be considered inappropriate transactions.

What a firm should do is to consider the nature of the information available to it and undertake such monitoring as it considers appropriate in the circumstances to provide the assurance it believes it requires. This is often in addition to the requirements of local regulations.

There is also a requirement for the firm to conduct ongoing monitoring of the customer, and this is addressed in Chapter 22.

15.9 SOURCE OF FUNDS

Firms are generally required to record the source of funds for a deposit or repayment by a customer. However, the regulatory rules rarely specify that this has to be verified, which is perhaps rather unusual and could render the process pointless. If we take a case where a customer deposits $35,000, then they might say that the money was a gift from a friend, a legacy from a deceased relative or the proceeds from the sale of a car. The firm will record this, but it is not under any obligation to see if the customer actually had a friend, relative or car.

It is difficult to imagine that the money launderer will be caught out by this test. They are hardly likely to say either that they cannot remember or that they were drug trafficking, for example. The only thing that a firm can do is to remain vigilant and see if things appear to be inconsistent with their understanding of the customer. It is through investigation of an unusual pattern of behaviour that the firm should be able to identify, and therefore detect, inappropriate conduct.

Generally, this is an area where the rules are really only requiring a firm to conduct a process, rather than seeking to ensure that reliable evidence is obtained. The firm should still consider whether there is any evidence that might suggest that the funds may not be from the suggested source. The suspicion could result from the way that the funds are received, or from the illogicality of the information provided. If there are repeated legacies, for example, from the same parent, then this could be a cause for concern. You generally only die once.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for CHAPTER 15: RETAIL CUSTOMER IDENTIFICATION

Create new playlist

Sign In

Sign Up