The first Code of Practice under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 applies to name and date of birth verification for low to medium risk customers.
This Brief Counsel summarises the detail.
Much of the content of the Code was signalled in the August AML/CFT Consultation Document. The increased certainty it brings will be welcomed by entities in compliance planning following the recent implementation of the regulations, with the “go-live” date of 30 June 2013 looming large.
The code provides two “safe harbours” for those reporting entities required to verify a natural person’s name and date of birth. One safe harbour is for documentary verification (whether face to face or through certified copies of documents), the other for electronic verification.
The small print
The Code is restricted to low to medium risk customers (customers in this context includes natural persons who are beneficial owners of customers and natural persons acting on behalf of customers). More demanding or sophisticated measures will be needed for higher risk customers. Interestingly, the Code acknowledges that some enhanced customer due diligence customers (e.g. politically exposed persons) may nevertheless be low to medium risk.
Reporting entities must have regard to privacy when applying the Code, including whether the management and provision of information is consistent with the principles of the Privacy Act 1993.
The Code does not provide a safe harbour for address verification. Reporting entities will have to develop their own method for verifying this. (Although one aspect of electronic verification does include an address element.)
Reporting entities do not have to comply with the Code. They may instead choose to meet their relevant AML/CFT obligations by implementing “equally effective” means of verification. But any reporting entity wishing to rely on such means as a defence to a related act or omission on their part must give written notice to their AML/CFT supervisor, prior to the relevant act or omission.
Safe harbour #1 – documentary verification for name/date of birth
Reporting entities may verify a customer’s identity either:
face to face (i.e. match the relevant photograph to the person presenting it), or
against copies of documents certified by a trusted referee (see below).
Four options are available, as described below.
One form of the following primary photographic identification:
- NZ passport
- NZ certificate of identity issued under the Passports Act 1992 or the Immigration New Zealand Operation Manual
- NZ refugee travel document issued under the Passports Act 1992
- NZ firearms licence
- overseas passport or similar document issued for the purposes of overseas travel, or a national identity card issued for the purpose of identification, which:
- contains the name, DOB, photograph and signature of the person in whose name the document is issued; and
- is issued by a foreign government, the UN, or an agency of the UN.
One form of the following primary non-photographic identification:
- NZ full birth certificate
- certificate of NZ citizenship issued under the Citizenship Act 1977
- citizenship certificate issued by a foreign government
- a birth certificate issued by a foreign government, the UN, or an agency of the UN.
One form of secondary photographic identification, which includes:
- NZ driver licence
- 18+ Card
- valid and current international driving permit as defined in clause 88(1)(b) of the Land Transport (Driver Licensing) Rule 1999.
Note: if using a different form of secondary photographic identification to the above, reporting entities must ensure that the issuer is reliable and independent.
One form of secondary photographic identification, which includes (as above):
- NZ driver licence
- 18+ Card
- Valid and current international driving permit as defined in clause 88(1)(b) of the Land Transport (Driver Licensing) Rule 1999
Confirmation that the secondary photographic identification presented is consistent with the information that is recorded for the purposes of the Births, Deaths, Marriages, and Relationships Registration Act 1995 or the Citizenship Act 1977 by the DIA – e.g. through the DIA’s existing “igovt identity verification service”, proposed to be made more generally available through the Electronic Identity Verification Bill
, which has recently been introduced to the House. Note – where the secondary photographic identification is a NZ driver licence, reporting entities may also use Option Four.
NZ driver licence
One of the following:
- confirmation that the information presented on the driver licence is consistent with records held in the National Register of driver licences
- confirmation that the identity information presented on the NZ driver licence is consistent with the records held by a reliable and independent source (e.g. Option Three)
- a document issued by a registered bank that contains the person’s name and signature, for example a credit card, debit card or eftpos card
- a bank statement issued by a registered bank to the person in the 12 months immediately preceding the date of the application
- a document issued by a government agency that contains the person’s name and signature, for example a SuperGold Card as defined in the Social Security (SuperGold Card) Regulations 2007
- a statement issued by a government agency to the person in the 12 months immediately preceding the date of the application, for example a statement from the Inland Revenue.
Reporting entities must also:
- have appropriate exception handling procedures in place, for circumstances where a person cannot satisfy one of the above options
- check the person’s details against their own customer records to ensure there are no identity “double-ups”, and
- obtain an English translation of an identity document (if the person conducting the verification does not understand the original language of the document).
Certification by trusted referees
“Trusted referees” are the usual suspects, being one of the following (and at least 16 years of age):
- Commonwealth representative (as defined in the Oaths and Declarations Act 1957)
- an employee of the Police who holds the office of constable (as defined in section 4 of the Policing Act 2008)
- Justice of the Peace
- registered medical doctor
- registered teacher
- minister of religion
- lawyer (as defined in the Lawyers and Conveyancers Act 2006)
- notary public
- New Zealand Honorary Consul
- Member of Parliament, or
- chartered accountant (within the meaning of section 19 of the New Zealand Institute of Chartered Accountants Act 1996).
But the trusted referee cannot be related to, a spouse or partner of, or live at the same address as, the person being identified.
- the trusted referee must sight the original documentary identification, and make a statement to the effect that the documents provided are a true copy and represent the identity of the named individual
- certification must be dated, and include the name, occupation and signature of the trusted referee, and
- certification must have been carried out in the three months preceding presentation of the copied documents.
Safe harbour #2 – electronic verification of name/date of birth
To come within this safe harbour, reporting entities must:
- verify the person’s name from at least two reliable and independent electronic sources
- verify the person’s date of birth from at least one reliable and independent electronic source, and
- verify the person’s address from at least one reliable and independent electronic source.
In addition (as with documentary identification), reporting entities must check the person’s details against their own customer records, to ensure there are no identity “double-ups”.
What is a “reliable and independent source”?
This will ultimately be for the reporting entity to decide (in accordance with its risk assessment and AML/CFT programme). But when making their assessment, reporting entities must have regard to:
- accuracy (how up-to-date is the information and what are the error rates and matching parameters)
- privacy (including whether the management and provision of the information is consistent with the principles of the Privacy Act 1993)
- method of information collection
- whether the electronic source has incorporated a mechanism to determine the customer can be linked to the claimed identity (whether biometrically or otherwise)
- whether the information is maintained by a government body or pursuant to legislation, and
- whether the information has been additionally verified from another reliable and independent source.
AML/CFT compliance programme
Reporting entities that use electronic identity verification must say so in their AML/CFT compliance programme, and describe:
- the forms of electronic identity verification methods that are considered reliable and independent and the circumstances in which they will be used
- how the methods have regard to the assessment matters described above, and
- any additional methods that will be used to supplement electronic identity verification or otherwise mitigate any deficiencies in the verification process.
The Code expressly contemplates outsourcing electronic identity verification, including to a single provider with access to multiple databases. But reporting entities will need to be satisfied that the verification service meets the requirements of the safe harbour. It will be important to conduct appropriate “vendor due diligence”, and take care when contracting with any such verification providers, to ensure that the provider can (and does) meet the relevant reporting entity’s compliance requirements.