The launderer always blinks twice


My money laundering news alerts have been very, very quiet in the past fortnight – not for one moment do I think this means that money laundering has stopped, or even decreased markedly, but understandably businesses and law enforcement agencies need time to adjust to new ways of working, and AML is just not top of the agenda at the moment.  (Not that it often is, except during rare spikes of interest when we’ve had a ginormous laundering case in the news.)  But one AML-ish topic that is generating a fair amount of discussion is the acceptability or otherwise of verification of client identity at a remove.

Of course, there have always been clients who are identified remotely – online casinos never meet their players, and even more traditional businesses like banks now offer online services to clients who never set foot in a branch.  But it has been generally accepted, using the risk-based approach to AML, that “non-face-to-face client” will be a trigger for a higher risk rating and suitably enhanced due diligence.  Businesses are now having to recalibrate to a situation where – ironically – meeting a client face-to-face is far too risky, and therefore the remote client is the new standard risk proposal.  As I posited in my previous post (don’t say that too quickly), how will we undo staff and client expectations when life goes back to normal – will clients who have become used to remote verification be even more ticked off than usual when we ask them to call in with their passports?  “You believed me when I was sitting at home in my pyjamas and Zooming you – why won’t you believe me now?”

Talking of Zoom, yesterday the Guernsey Financial Services Commission addressed this very issue, issuing detailed guidance on when video calling can be used to verify the identity of individuals.  Crucially, the point is made at the end that “a firm is required to periodically review the identification data it holds on a business relationship to ensure that it is accurate and remains relevant [and] the Commission would expect these reviews to include a determination that verification of an individual via video remains appropriate and relevant in light of the activity over the business relationship and the risks associated with that relationship”.  In other words, when it’s back to business as normal, a video chat with someone may well no longer cut the AML mustard.

Of course, video ID – as it is sometimes called – was around pre-pandemic.  I have found a terrific article on it by two German lawyers, who make the frightening point that you might not be talking to the client in real-time but have been duped into conversing with a clever recording.  In order to check the client’s “liveness”, you should “request  specific actions of the person to be identified (e.g. blink the left eye twice)”.  I reckon we could have some fun with this, perhaps drawing on “Candid Camera” for inspiration.