AMLD 01/2022: Circular on Non-Face-to-Face Customer Due Diligence Measures
This Circular sets out industry good practices observed by MAS and supervisory guidance on the measures to mitigate risks associated with the use of non-face-to-face technologies for customer due diligence.
FIs should read this Circular in conjunction with the relevant AML/CFT Notices and Guidelines in relation to CDD Measures for Non-Face-to-Face Business Relations, as well as MAS’ Circular of 8 January 2018 (AMLD 01/2018) on the use of Myinfo and CDD measures for NFTF business relations.
The circular itself is a total of 8 pages long – sections on non-face-to-face (NFTF) CDD measures, use of new technology solutions (and their risks), and enhancing internal controls; followed by 3 pages of FAQs. The FAQs, as usual, are among the most interesting parts:
Annex: FAQs on the Adoption of NFTF CDD Measures
A. Use of Video-Conferencing (VC) to establish NFTF business relations
A1. Where VC is used to establish NFTF business relations, would the FI need to conduct additional checks or would the sole use of VC suffice?
As outlined in MAS’ Circular No. AMLD 01/2018 dated 8 January 2018, FIs may hold real-time VC that is comparable to face-to-face communication, in establishing NFTF business relations. In using this approach, FIs should put in place appropriate controls during the VC process, to verify the identity of the customer and the authenticity of the ID documents sighted via VC. Some examples of such controls that are put in place during the VC process are set out in paragraph 3 of this Circular.
To mitigate the risks of impersonation and fraud, FIs should also perform additional checks, as appropriate, to complement the VC process. The Guidelines to MAS’ Notices on prevention of ML and countering the financing of terrorism provide some examples of these additional checks. Other examples are also set out in paragraph 4 of this Circular.
FIs are encouraged to adopt new technology solutions (e.g. biometrics technologies, liveness checks, document authenticity verification tools, etc.) that complement the use of VC, to more effectively ID&V customers remotely.
A2. Would the use of VC to sight the original CDD documents suffice, or would the FI still be required to obtain a Certified True Copy (CTC) of the documents from the customer?
Where the FI has sighted an original ID document via VC and is satisfied that the ID document sighted is consistent with the soft copy furnished by the customer, the FI would not need to obtain a CTC of the ID document. Please note that the supervisory expectations on the use of VC (as set out in A1 above) would continue to apply.
For the avoidance of doubt, CDD documents that cannot be verified against a registry or lack the requisite authenticity markers (e.g. a foreign certificate of incorporation that cannot be verified against a company registry) should not be verified via VC alone. FIs should conduct additional checks to verify that the soft copy is genuine, such as obtaining an original CTC, or requiring suitably qualified persons to use digital signatures or watermarks to certify the authenticity of the soft copy.
B. CTC documents
B1. Can soft copies of CTC documents be accepted, or would the FI need to obtain the original hard copy CTC documents?
Scanned copies of CTC documents may be accepted, provided the FI puts in place measures to detect possible fraudulent or tampered documents. This could include, but is not limited to, (i) sighting the original document via VC with the appropriate controls in place (see A1 and A2 above), in addition to obtaining a scanned copy of the CTC document, or (ii) performing an independent call-back to the certifier, to verify the authenticity of the certification provided.
In the longer term, FIs are encouraged to adopt new technology solutions and digital signatures or watermarks to verify the authenticity of soft copy documents.
C. Assessment of New Technology Solutions
C1. How should the assessment of the new technology solution be conducted, and what should be included in the scope of such assessments?
(i) Prior to implementing the technology solution, the FI should conduct an internal assessment of the effectiveness of the technology solution in mitigating impersonation and fraud risks. The FI’s assessment should be approved by Board and Senior Management.
Some non-exhaustive areas that FIs may cover in this assessment include:
• Understand functionalities of the technology solution;
• Evaluate effectiveness in risk mitigation – including testing functionalities and assessing reliability of underlying databases used;
• Evaluate residual risks and put in place appropriate risk mitigation measures.
(ii) At the first-year mark after implementation, a once-off independent assessment by a suitably qualified professional should be performed to certify the effectiveness of the new technology solution in managing impersonation and fraud risks. This has been conveyed in MAS’ Circular No. AMLD 01/2018 dated 8 January 2018.
Some non-exhaustive areas that FIs may cover in this assessment include:
• Review the policies and procedures, including guidance and training provided to staff, on the use of the new technology solution to perform NFTF CDD;
• Test the effectiveness of the new technology solution in detecting red flags e.g. potential fraudulent or tampered document;
• Assess the adequacy and effectiveness of controls that have been put in place to mitigate impersonation and fraud risks;
• Ensure the proper oversight and governance of the adoption of the new technology solution;
• Propose recommendations for enhancements and remediate any gaps on a timely basis.
FIs should continue to monitor the robustness of their technology solutions on an ongoing basis to ensure that the solutions remain effective in mitigating impersonation and fraud risks.
C2. Would it suffice for the FI to rely on an external quality assurance standard to ascertain the robustness of the technology solution?
FIs cannot solely rely on external quality assurance standards of the technology service providers to arrive at their conclusion but should perform their own assessment (as set out in C1 above). For avoidance of doubt, FIs are not expected to assess the algorithms underpinning the new technology solution, but rather to understand the functionalities offered by the solution, to assess its suitability for the FI’s NFTF CDD process.
FIs should also ensure that the implementation of the technology solution is in line with the MAS Technology Risk Management guidelines.
Links:
MAS Notice