Procedures by which the Subject of the Law on the Prevention of Money Laundering and Terrorism Financing Performs the Remote Identification of a Customer
Issued pursuant to
I. General Provisions
1. This Regulation prescribes the procedures by which the subject of the Law on the Prevention of Money Laundering and Terrorism Financing (hereinafter - the Law) (hereinafter - the subject of the Law) identifies such customer who has not participated in the onsite identification procedure in person by means of technological solutions including video identification or secure electronic signature, or other technological solutions (hereinafter - the remote identification of a customer) and also the extent of identification.
2. The remote identification of a customer shall be applied on the basis of a risk-based approach, if prior to identification the subject of the Law has ensured the fulfilment of all the conditions listed below:
2.1. money laundering and terrorism financing risk assessment has been carried out and documented;
2.2. an internal control system corresponding to the inherent money laundering and terrorism financing risk has been set up;
2.3. training of employees has been provided based on their duties and authorisations so that employees could perform the remote identification of a customer in compliance with requirements;
2.4. information regarding the process of remote identification and rights and obligations of a customer within this process has been provided to the customer;
2.5. security requirements for technological solutions have been defined based on the requirements of this Regulation and the inherent money laundering and terrorism financing risk.
II. Restrictions on the Application of the Remote Identification of a Customer
3. The remote identification of a customer shall not be performed, if the Law provides for mandatory participation of the customer in the onsite identification in person, or the application of remote identification does not conform to the money laundering and terrorism financing risk inherent to the customer. This Regulation shall be applied insofar as other laws and regulations do not provide for different requirements for the remote identification of a customer.
4. The subject of the Law shall not perform the remote identification of a customer, shall suspend it or apply other actions provided for in laws and regulations to the remote identification of a customer, if:
4.1. such circumstances are found which indicate that the remote identification does not conform to the money laundering and terrorism financing risk inherent to the customer;
4.2. such circumstances are found which indicate that the security or suitability of the process of remote identification, or veracity of the obtained information is insufficient;
4.3. inconsistency with the information obtained in customer due diligence is found.
III. Rights and Obligations of the Subject of the Law regarding the Remote Identification of a Customer
5. At any moment, the subject of the Law is entitled to apply the following to a customer who has been subject to remote identification without any further explanations:
5.1. identification with the participation of the customer in the identification procedure in person;
5.2. another type of the remote identification of a customer in accordance with Paragraph 7 of this Regulation, or to repeat an already performed remote identification, using the same type of remote identification by eliminating the identified deficiencies.
6. The subject of the Law shall perform the remote identification of a customer by itself within the scope of a single group of commercial companies or shall use an outsourcing service provider. The subject of the Law may delegate the remote identification of a customer to an outsourcing service provider, if at least the following measures are implemented:
6.1. the outsourcing service provider complies with the requirements deriving from the laws and regulations of the European Union regarding the prevention of money laundering and terrorism financing;
6.2. before using the service of the outsourcing service provider, the subject of the Law shall determine its ability to perform the remote identification of a customer and also monitor the conformity of the service supplied by the outsourcing service provider with the requirements laid down in laws and regulations;
6.3. requirements laid down in other laws and regulations for outsourcing service providers are complied with.
7. Based on the money laundering and terrorism financing risk, the subject of the Law shall use one or several of the following technological solutions:
7.1. secure electronic signature which provides qualified electronic identification with enhanced security that corresponds to the level determined in accordance with laws and regulations or Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;
7.2. video identification in accordance with Paragraph 10 of this Regulation;
7.3. acquisition of data accrediting the identity of a natural person from a credit institution or payment institution by using an identification payment or another method which enables the receipt of the data referred to in Sub-paragraph 13.2 of this Regulation from a credit institution or payment institution;
7.4. comparison of the photograph in a personal identity document and electronic self-portrait photograph.
8. Within the scope of risk management, the subject of the Law shall ensure continuous security management of the used technological solution by taking into account the current vulnerabilities of solutions and fraud schemes. To minimise the risk level, not only the direct, but also the compensating controls (including simultaneous use of multiple solutions referred to in Paragraph 7 of this Regulation, analysis of the digital behaviour of a person with self-learning algorithms, verification of invoices issued to a person, acquisition of information from other databases, social networks, keeping of an audio recording, acquisition of data accrediting the identity of a natural person from State-maintained registers for the verification of results) may be used in conformity with the requirements of the laws and regulations governing the field of personal data processing.
9. In the case referred to in Sub-paragraphs 7.2 and 7.4 of this Regulation, the subject of the Law, by using solutions (including technological), shall ensure verification of such security features of an identification document that can be and are needed to be technically verified remotely, and shall also carry out the recognition and comparison of the biometric data of a person obtained from the person during remote identification. When applying Sub-paragraphs 7.2 and 7.4 of this Regulation, a screenshot of a personal identity document shall be regarded as being equivalent to the copy of a personal identification document within the meaning of the Law.
IV. Performance of Video Identification
10. Video identification shall be performed by ensuring the fulfilment of at least the following requirements:
10.1. it is performed in real time by interviewing the customer in a synchronised video streaming and audio streaming process and by using an encrypted connection;
10.2. the facial image of a natural person is compared with the image of the natural person visible in the personal identification document of the natural person acquired during the video stream;
10.3. the head, shoulders, and facial image without shading of a natural person are clearly visible during video identification, and the image can be clearly distinguished from the background and other objects;
10.4. the face of a natural person may not be covered;
10.5. the presented document images must be clearly visible;
10.6. during the video identification questions must be asked in order to clarify or verify information regarding a customer;
10.7. the audit trail of audio and image information shall be recorded with a fixed time stamp, given name and surname of the natural person subject to remote identification and also the IP address of the Internet connection of the customer;
10.8. the continuity of the streaming process is ensured. If the process is discontinued, video identification shall be repeated.
V. Use of Technological Solutions in the Remote Identification of a Customer
11. The technological solutions referred to in Sub-paragraph 7.2 or 7.4 of this Regulation can be used, if the type of the personal identification document of the customer, including also a representative of the customer, corresponds to any of the types of personal identification documents provided for in laws and regulations, and the following conditions have been fulfilled:
11.1. the document has an area which is particularly intended for optical text recognition, and its reading is ensured during remote identification;
11.2. the document contains optical security features (e.g., holographic cinematographic signs or printed elements with latent image effects);
11.3. solutions or methods for the recognition of forged personal identification documents are being used.
12. Sub-paragraph 7.3 or 7.4 of this Regulation shall not be applicable, if the customer or the beneficial owner is affiliated with a higher risk jurisdiction based on the factors increasing risk provided for in the Law. If in accordance with Sub-paragraph 7.3 or 7.4 of this Regulation the sum of monthly transactions of a customer who has been identified remotely and is subject to enhanced due diligence due to reasons unrelated to the facts of remote identification exceeds EUR 3000, this person shall be identified by the customer himself or herself participating in the identification in person or in accordance with Sub-paragraph 7.1 or 7.2 of this Regulation.
13. If in accordance with Paragraph 12 of this Regulation the type of remote identification provided for in Sub-paragraph 7.3 of this Regulation may be applied, then, upon applying Sub-paragraph 7.3 of this Regulation, all of the following conditions shall be additionally taken into account:
13.1. the requirements deriving from the laws and regulations of the European Union regarding the prevention of money laundering and terrorism financing shall be applied to a credit institution or a payment institution the data whereof are used for remote identification;
13.2. the subject of the Law shall obtain sufficient data specified in the Law by using the identification payment or another method which enables the receipt of data accrediting the identity of a natural person from a credit institution or a payment institution to ascertain the identity of a natural person and compare with data provided by the customer to the subject of the Law;
13.3. it is prohibited to identify a customer for opening any such account, providing a payment card or another payment instrument maintained by the payment service provider whereby it is further possible to perform the identification referred to in Sub-paragraph 7.3 of this Regulation.
14. If the type of remote identification provided for in Sub-paragraph 7.4 of this Regulation may be applied in accordance with the requirements of this Regulation, the subject of the Law shall provide the recording of image audit trail with a fixed time stamp, given name and surname, and also the IP address of the Internet connection of the remotely identified natural person.
15. Within its internal policies and procedures, the subject of the Law shall determine the manner and procedures for the establishment of a business relationship with a customer who has been identified remotely.
16. The subject of the Law shall ensure the documentation and storage of the information acquired in the process of the remote identification of a customer, including video streaming and audio streaming materials, for the period of time laid down in the Law and also shall ensure that the identification and technical data obtained in electronic form during identification cannot be altered.
17. The subject of the Law shall document information on customers who have been identified with the remote procedure and also shall ensure the possibility to select information on customers who have been identified with the remote procedure, employees of legal persons referred to in Paragraph 6 of this Regulation involved in this process and the used technical solutions.
Prime Minister Māris Kučinskis
Minister for Finance Dana Reizniece-Ozola
Translation © 2018 Valsts valodas centrs (State Language Centre)