Procedures by which the Subject of the Law on the Prevention of Money Laundering and Terrorism and Proliferation Financing Performs the Remote Identification of a Customer

[7 June 2022]

Issued pursuant to Section 22, Paragraph three
of the Law on the Prevention of Money Laundering
and Terrorism and Proliferation Financing

[7 June 2022]

I. General Provisions

1. The Regulation prescribes the procedures by which the subject of the Law on the Prevention of Money Laundering and Terrorism and Proliferation Financing (hereinafter - the Law) identifies such customer who has not participated in the onsite identification procedure in person by means of technological solutions including video identification or secure electronic signature, or other technological solutions (hereinafter - the remote identification of a customer) and also the extent of identification.

[7 June 2022]

2. The remote identification of a customer shall be applied on the basis of a risk assessment if prior to identification the subject of the Law has ensured the fulfilment of all of the following conditions:

2.1. money laundering and terrorism and proliferation financing risk assessment has been carried out and documented;

2.2. an internal control system corresponding to the inherent money laundering and terrorism and proliferation financing risk has been set up;

2.3. training of employees has been provided based on their duties and authorisations so that employees could perform the remote identification of a customer in compliance with requirements;

2.4. information regarding the process of remote identification and rights and obligations of a customer within this process has been provided to the customer;

2.5. security requirements for technological solutions have been defined based on the requirements of this Regulation and the inherent money laundering and terrorism and proliferation financing risk.

[7 June 2022]

II. Restrictions on the Application of the Remote Identification of a Customer

3. The remote identification of a customer shall not be performed if the Law provides for mandatory participation of the customer in the onsite identification in person or the application of remote identification does not conform to the money laundering and terrorism and proliferation financing risk inherent to the customer. This Regulation shall be applied insofar as other laws and regulations do not provide for different requirements for the remote identification of a customer.

[7 June 2022]

4. The subject of the Law shall not perform the remote identification of a customer, shall suspend it or apply other actions provided for in laws and regulations to the remote identification of a customer, if:

4.1. such circumstances are found which indicate that the remote identification does not conform to the money laundering and terrorism and proliferation financing risk inherent to the customer;

4.2. such circumstances are found which indicate that the security or suitability of the process of remote identification, or veracity of the obtained information is insufficient;

4.3. inconsistency with the information obtained in customer due diligence is found.

[7 June 2022]

III. Rights and Obligations of the Subject of the Law regarding the Remote Identification of a Customer

5. At any moment, the subject of the Law is entitled to apply the following to a customer who has been subject to remote identification without any further explanations:

5.1. identification with the participation of the customer in the identification procedure in person;

5.2. another type of the remote identification of a customer in accordance with Paragraph 7 of this Regulation, or to repeat an already performed remote identification, using the same type of remote identification by eliminating the identified deficiencies.

6. The subject of the Law shall perform the remote identification of a customer by itself within the scope of a single group of commercial companies or shall use an outsourcing service provider. The subject of the Law may delegate the remote identification of a customer to an outsourcing service provider, if at least the following measures are implemented:

6.1. the outsourcing service provider complies with the requirements deriving from the laws and regulations of the European Union regarding the prevention of money laundering and terrorism financing;

6.2. before using the service of the outsourcing service provider, the subject of the Law shall determine its ability to perform the remote identification of a customer and also monitor the conformity of the service supplied by the outsourcing service provider with the requirements laid down in laws and regulations;

6.3. requirements laid down in other laws and regulations for outsourcing service providers are complied with.

7. The subject of the Law shall use one or several of the following technological solutions according to the money laundering and terrorism and proliferation financing risk assessment performed by it:

7.1. secure electronic signature in accordance with the Electronic Documents Law or qualified electronic identification with enhanced security in accordance with the Law on Electronic Identification of Natural Persons, or solutions that are to be used in Latvia in accordance with Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;

7.2. video identification in accordance with Paragraph 10 of this Regulation;

7.3. acquisition of data accrediting the identity of a natural person from a credit institution or payment institution by using an identification payment or another method which enables the receipt of the data referred to in Sub-paragraph 13.2 of this Regulation from a credit institution or payment institution;

7.4. comparison of the photograph in a personal identity document and electronic self-portrait photograph.

[7 June 2022]

8. Within the scope of risk management, the subject of the Law shall ensure continuous security management of the used technological solution by taking into account the current vulnerabilities of solutions and fraud schemes. To minimise the risk level, not only the direct, but also the compensating controls (including simultaneous use of multiple solutions referred to in Paragraph 7 of this Regulation, analysis of the digital behaviour of a person with self-learning algorithms, verification of invoices issued to a person, acquisition of information from other databases, social networks, keeping of an audio recording, acquisition of data accrediting the identity of a natural person from State-maintained registers for the verification of results) may be used in conformity with the requirements of the laws and regulations governing the field of personal data processing.

9. In the case referred to in Sub-paragraphs 7.2 and 7.4 of this Regulation, the subject of the Law, by using solutions (including technological), shall ensure verification of such security features of an identification document that can be and are needed to be technically verified remotely, and shall also carry out the recognition and comparison of the biometric data of a person obtained from the person during remote identification. When applying Sub-paragraph 7.2 or 7.4 of this Regulation, a photograph or video recording of a personal identification document shall be regarded as being equivalent to the copy of a personal identification document within the meaning of the Law.

[7 June 2022]

IV. Performance of Video Identification

10. Video identification shall be performed by ensuring the fulfilment of at least the following requirements:

10.1. it is performed in real time by interviewing the customer in a synchronised video streaming and audio streaming process and by using an encrypted connection;

10.2. the facial image of a natural person is compared with the image of the natural person visible in the personal identification document of the natural person acquired during the video stream;

10.3. the head, shoulders, facial image without shading of a natural person is clearly visible during video identification, the image can be clearly distinguished from the background and other objects;

10.4. the face of a natural person may not be covered;

10.5. the presented document images must be clearly visible;

10.6. during the video identification questions must be asked order to clarify or verify information regarding a customer;

10.7. the audit trail of audio and image information shall be recorded with a fixed time stamp, given name and surname of the natural person subject to remote identification and also the IP address of the Internet connection of the customer;

10.8. the continuity of the streaming process is ensured. If the process is discontinued, video identification shall be repeated.

[7 June 2022]

10.¹ The subject of the Law may use any of the solutions referred to in Sub-paragraph 7.1, 7.3, or 7.4 of this Regulation together with a solution that also includes video streaming and audio streaming which is performed differently from that specified in Paragraphs 10, 11, and 16 of this Regulation, however, such remote identification of a customer shall not be considered video identification within the meaning of Paragraph 10 of this Regulation, but may serve as a risk-mitigating technological solution for other methods referred to in Sub-paragraph 7.1, 7.3, or 7.4 of this Regulation, including for obtaining additional information from the customer.

[7 June 2022]

V. Use of Technological Solutions in the Remote Identification of a Customer

11. The technological solutions referred to in Sub-paragraph 7.2 or 7.4 of this Regulation can be used, if the type of the personal identification document of the customer, including also a representative of the customer, corresponds to any of the types of personal identification documents provided for in laws and regulations, and the following conditions have been fulfilled:

11.1. the document has an area which is particularly intended for optical text recognition, and its reading is ensured during remote identification;

11.2. the document contains optical security features (e.g., holographic cinematographic signs or printed elements with latent image effects);

11.3. solutions or methods for the recognition of forged personal identification documents are being used.

12. Sub-paragraph 7.3 or 7.4 of this Regulation shall not be applicable if the customer or the beneficial owner is associated with a high-risk third country or a low-tax or tax-free country or territory, and also in other cases, on the basis of the risk assessment performed by the subject of the Law.

[7 June 2022]

13. If in accordance with Paragraph 12 of this Regulation the type of remote identification provided for in Sub-paragraph 7.3 of this Regulation may be applied, then, upon applying Sub-paragraph 7.3 of this Regulation, all of the following conditions shall be additionally taken into account:

13.1. the requirements deriving from the legal acts of the European Union regarding the prevention of money laundering and terrorism and proliferation financing shall be applied to a credit institution or a payment institution the data whereof are used for remote identification;

13.2. the subject of the Law shall obtain sufficient data specified in the Law and corresponding to the requirements of the internal control system of the subject of the Law, using the identification payment or another method which enables the receipt of data accrediting the identity of a natural person from a credit institution or a payment institution to ascertain the identity of a natural person and compare with the data provided by the customer to the subject of the Law;

13.3. it is prohibited to identify a customer for opening any such account, providing a payment card or another payment instrument maintained by the payment service provider whereby it is further possible to perform the identification referred to in Sub-paragraph 7.3 of this Regulation.

[7 June 2022]

14. If the type of remote identification provided for in Sub-paragraph 7.4 of this Regulation may be applied in accordance with the requirements of this Regulation, the subject of the Law shall provide the recording of image audit trail with a fixed time stamp, given name and surname, and also the IP address of the Internet connection of the remotely identified natural person.

15. Within its internal policies and procedures, the subject of the Law shall determine specify the manner and procedures for the establishment of a business relationship with a customer who has been identified remotely.

16. The subject of the Law shall ensure the documentation and storage of the information acquired in the process of the remote identification of a customer, including video streaming and audio streaming materials, for the period of time laid down in the Law and also shall ensure that the identification and technical data obtained in electronic form during identification cannot be altered. Based on a risk assessment, video streaming and audio streaming material need not be stored if, in addition to the solution referred to in Sub-paragraph 7.1 of this Regulation, video identification is used in accordance with Sub-paragraph 7.2 of this Regulation or the solution referred to in Paragraph 10.¹ of this Regulation and only the image of the person and the personal identity document presented by the person are kept.

[7 June 2022]

17. The subject of the Law shall ensure the possibility to select information on customers who have been identified with the remote procedure for employees of the legal persons referred to in Paragraph 6 of this Regulation involved in this process and the technical solutions to be used.

[7 June 2022]

Prime Minister Māris Kučinskis

Minister for Finance Dana Reizniece-Ozola

Translation © 2022 Valsts valodas centrs (State Language Centre)