FCA flexibility is welcome, but misplaced
At the end of March, the Financial Conduct Authority (FCA) wrote a letter to firms outlining its response to Covid-19. Part of its outreach involved highlighting the flexibility already contained in its rules and guidelines to help organisations deal with an unprecedented demand on client identity verification.
While the FCA said it expects firms to continue to comply with their obligations when it comes to identity verification, it accepts that traditional methods – such as face-to-face meetings – are all but impossible under the current circumstances with social distancing being observed and the vast majority of the population staying at home.
The good news is that remote identity verification is an option. In fact, many firms have been successfully using remote services for some time. Money Laundering Regulations and indeed guidance from the Joint Money Laundering Steering Group already provide for remote verification to take place.
However, some of the advice on how to carry out these remote checks leaves a lot to be desired.
As its first example of an appropriate check to carry out verification remotely, the FCA writes that firms can “accept scanned documentation sent by e-mail, preferably as a PDF”. It’s at this point that anyone working in the field of identity will begin pulling at their hair. Emailed identity documents alone do not verify someone’s identity. After all, such documents can be pulled from the dark web with ease. Even email itself is susceptible to being intercepted, meaning even more documents could be headed for the dark web to create more false claims.
The FCA has since attempted to clarify that its suggested measures should be viewed as additional steps rather than processes to be taken in isolation. But when other suggestions include “reviewing data to triangulate the evidence provided by the client” and analysing geolocation data and IP addresses, one has to wonder how many firms will be able to handle such complexity, and how many will instead depend on simple and potentially insecure methods.
But it’s not all doom and gloom. Rather than falling back on vulnerable communication channels, organisations can take a better approach to securing their remote identity verification processes.
Firms should consider fully end-to-end secure cloud systems that are encrypted and have been conceived with security and privacy ‘by design’. These systems are easy to use for both the organisation and the end user, and the power of cloud computing often means you can implement remote identity verification from the cloud within 24 hours (as our client Hitachi Capital has shown, having done so to administer the Government’s CBILS scheme).
These systems simply and securely check the authenticity of ID documents and tie them to an individual via a selfie photo with a liveness check. The beauty of a cloud service also means there is zero implementation – the service is delivered purely from the cloud.
It’s easy for the customer too. They don’t need to jump through hoops to upload multiple images and download different apps. They don’t need to risk their data being intercepted. They are simply sent a link on their smartphone that directs them to a web browser with no additional downloads required.
While we believe that the FCA guidance is coming from the right place, we must ensure that we are taking identity verification just as seriously when it is performed remotely as when it is completed face-to-face.
Furthermore, a remote service should not be seen as a relaxed version of a standard procedure. In fact, a well-implemented and secure remote identity verification service could replace the need for physical meetings entirely. At such an uncertain time, it’s worthwhile for any firm that requires identity verification to consider how secure their processes are. Chances are, remote verification will not only be their best option today but in the future as well.