In the Circular CSSF 20/742 – AML/FT the CSSF aims to draw the attention of professionals of the financial sector to the major changes that the two laws of March 25, 2020 bring to the system of
fight against money laundering and terrorist financing (“AML/CFT”) applicable to the Luxembourg financial sector as provided for by the law of 12 November 2004 on the fight against money laundering and the financing of terrorism. The coordinated version of the law of 12 November 2004 on the fight against money laundering and terrorist financing is available in French and English at: https://www.cssf.lu/fr/document/loi-du-12-November-2004/.
Digital Identity Guidelines
(Guidance on Digital Identity)
Through its digital identity guidelines published in March 2020, the Financial Action Task Force (“FATF”) aims to help the financial sector and relevant stakeholders to understand how the systems of digital identification can be used in order to apply certain elements specific customer due diligence in accordance with, among other things, the FATF Recommendation 10 and a risk-based approach. the professionals who refer to digital identification systems use electronic means to ensure and prove the official identity of a person online (digitally) and/or in-person environments to several levels of assurance, according to the FATF. While taking a neutral stance on the technological level, the FATF underlines the advantages of the new technologies in order to support strong implementation of AML/CFT standards by combining with in-depth technological assurance checks, respecting, in particular, international standards (as set by the National Institute of Standards and Technology of the United States, the European e-IDAS regulation, or the ISO standard under development).
On the one hand, the document emphasizes the identification of natural persons by professionals, also in the context of the use of third parties by the professional.
On the other hand, the document provides details of the service providers of digital identification who must demonstrate a thorough understanding of the AML/CFT standards applicable in the legal and regulatory frameworks of the countries respective parties, request the related certification and assurance tests from the government or authorized expert bodies and cooperate in a manner adequate with regulated entities, while ensuring appropriate levels of identity verification and authentication.
Despite the positive impact that digital identity technology can have in customer due diligence, such as a better customer experience, savings in time and costs, improvement in the process of
control of transactions and profits for financial integration, it can also be associated with particular risks which, if not addressed adequately, may prevent the application of Recommendation 10 and the related requirements under the FATF standards, according to which professionals must identify, assess and mitigate the risks of money laundering capital and terrorist financing that may result from the use of new technologies or technologies under development both for new products and existing products.
Finally, the guidelines establish a detailed description of the systems of basic digital identification and actors and analyze various scenarios of technological process that can be applied, as well as case studies which refer to the use of digital identification technology in various country.
In this context, the CSSF wishes to draw the attention of professionals to the CSSF circular 20/740 relating to the consequences of the COVID-19 pandemic in matters of financial crime and AML/CFT published on April 10, 2020 in which the CSSF has already discussed the guidelines for digital identity of the FATF. Indeed, due to the COVID-19 pandemic, the rules on
social distancing prevent the professional from meeting their clients in person. Even if the situations may differ, the justification for the use of systems digital identification remains valid also in the context of COVID-19. In particular, point 3.3. concerning the due diligence with regard to the customers of this circular provides useful guidelines on how to implement these measures by professionals, for example, when the client is not physically present for the purposes of identification and verification of identity.
Similarly, the CSSF wishes to draw attention to the Questions/Answers of the CSSF with regard to AML/CFT and IT requirements applicable to entries in business relationships/special due diligence measures, published on April 8, 2016 and amended March 8, 2018, which provide additional guidance professionals who intend to implement the measures identification/verification by video chat. The CSSF recalls that the identification by video is authorized in order to take into account technological developments but does not circumvent obligations in the fight against money laundering and the financing of terrorism. Professionals of the financial sector can, in effect, under certain conditions, identify their customers, including the beneficiaries staff, or verify their identity through videoconferencing. Each professional must carry out its own analysis according to its procedures and take into account its AML/CFT framework and the use of videoconferencing should be considered in isolation. Before identification or verification by video, additional procedures should be put in place, including the development a guide for carrying out videoconferencing, vigilance in terms of security information technology and the fight against money laundering and the financing of terrorism, the requirement of appropriate training for the person in charge of this task, the use of adequate facilities for carrying out the process, as well as the existence of appropriate internal procedures. It should be emphasized that the professional who makes use of this process video identification is fully responsible for compliance with its customer due diligence obligations under the Luxembourg framework in the fight against money laundering and the financing of terrorism and, therefore, the professional retains full responsibility for compliance with these professional obligations, even in the event of outsourcing of identification by video to an external service provider.