Following the publication of the 5th Money Laundering Directive (5MLD), the UK has transposed the changes into national law: The Money Laundering and Terrorist Financing (Amendment) Regulations 2019. 5MLD described a significant new option for electronic identification by using a trust scheme, in accordance with the EU 910/2014, the Regulation on electronic identification and trust services for electronic transactions, otherwise known as eIDAS.
Firms may now choose to use an identity service, which is aligned with eIDAS. The firm is ultimately responsible for the use of a scheme and determining whether the scheme is acceptable, according to the stated requirements of eIDAS.
The 5th amendment to the anti-money laundering directive contains the following change, highlighted in red.
Identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council (*) or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities;
EU 910/2014, the Regulation on electronic identification and trust services for electronic transactions – eIDAS
The change was recommended by UK Government, with a view to allowing schemes such as the Gov.UK Verify system as a suitable means to satisfy the electronic identity requirements of the AML regulations. It has been written in such a way as to allow any trust service that meets the requirements of eIDAS. The part of Article 13(1)a that has caused a lot of debate is “recognised, approved or accepted by the relevant national authorities”. This causes a particular problem in the UK because there isn’t a suitable competent authority that can make this determination.
The Money Laundering and Terrorist Financing (Amendment) Regulations 2019
UK national law has been updated, effective from 10th January 2020, with The Money Laundering and Terrorist Financing (Amendment) Regulations 2019.
The specific point relating to electronic identity is as follows:
“(19) For the purposes of this regulation, information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where:
- (a) it is obtained by means of an electronic identification process, including by using electronic identification means or by using a trust service (within the meanings of those terms in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23rd July 2014 on electronic identification and trust services for electronic transactions in the internal market(11)); and
- (b) that process is secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity.”
What does the updated legislation mean?
The updated legislation permits an additional method for electronic identification, through the use of a trust service. Trust services are more commonly referred to as “digital identity”, whereby an individual is able to identify themselves electronically using an online service, rather than needing to manually prove who they are via mail or in person each and every time they apply for a new service. An example of this type of service is Gov.UK Verify, which can be used with a number of government services. Logging in using your Facebook profile is a similar approach, but in this context a Facebook credential carries no trust about the individual, whereas a trust service that falls within the definitions stated by eIDAS must meet strict identity proofing requirements.
eIDAS has three levels of assurance (LoA), Low, Significant and High. The updated legislation does not go as far as to state, which LoA is suitable for an electronic identification process, meaning the relying party must themselves determine the eIDAS level against the risk of the activity.
It’s common practice for firms to follow guidance from the Joint Money Laundering Steering Group (JMLSG), however updated guidelines in relation to electronic identification process have not yet been published, but are expected soon. It’s not clear whether the updated JMLSG guidelines will sight a particular LoA that must be met in order to prevent financial crime, or leave it to the relying party to determine.
The updated legislation also requires the process to be secure from fraud and misuse, perhaps an obvious detail, but also an important one. A trust service will perform identity proofing on behalf of a relying party and manage the identity from that point onwards. It’s crucial that measures are put in place to ensure that the digital identity remains secure from fraud, as the relying party will trust the assertions made by the trust service. Identity providers and relying parties may therefore be required to demonstrate how their systems are secure from fraud, going forward. Adopting industry best practices for user authentication, as well as deploying specific technologies such as ThreatMetrix to prevent and detect fraud are possible ways to meet this requirement.
5MLD offers firms an additional option to meet electronic identity requirements. Suitability of the services used by firms remains the responsibility of the firms themselves. Electronic identity systems that were in place to meet the requirements of 4MLD are still suitable to meet the requirements of 5MLD. The only scheme available in the UK, which currently meets the requirements of eIDAS is Gov.UK Verify. This is expected to change and this change in legislation is likely to drive the creation of more schemes.