Exceeding regulatory standards for AML compliance

CCAB AML Guidance.

Taking a look at the guidance provided by the CCAB and the UK's network of qualified accountants, we have set a new industry benchmark for digital AML compliance at a time when remote onboarding is more relevant than ever. This write-up analyses and outlines how your organisation can align with CCAB guidance when using the Identitech platform.

The Consultative Committee of Accountancy Bodies (CCAB) is an organisation that serves as an umbrella group for British qualified accountants, consisting of five public bodies: ICAEW, ACCA, CIPFA, ICAS and Chartered Accountants Ireland.

In its role as the organisation responsible for promoting sustainable growth in the UK economy through the UK accountancy profession, the CCAB has produced helpful guidance on AML (anti-money laundering) for the accounting industry. This guidance is also adopted by non-CCAB bodies such as the CIOT (Chartered Institute of Taxation).

At Identitech we take anti-money laundering requirements seriously. In fact, our whole business is based around ensuring that individuals are who they say they are and protecting the organisations who are legally required to carry out AML and KYC due diligence as part of their customer onboarding process.

Therefore it is vitally important to us, as a leading technology provider in the AML space, that our methods and technologies help our customers to meet the guidance laid out by the CCAB.

Here we aim to outline the key anti-money laundering requirements of the CCAB and how at Identitech we meet these requirements through innovative, time-saving, risk-reducing technology for accounting professionals and their businesses.

Note: this advice is relevant as of 12th January 2022.

CCAB AML Requirements for Client Verification via an Official Photo ID

According to CCAB, regarding photo ID documents:

A document issued by an official (e.g., government) body is deemed to be independent and reliable source even if provided by the client. The original, or an acceptably certified copy of a document should be seen, and a copy retained. The document should be valid and recent. Documents, including documents sourced online, should not be accepted if there is any suspicion regarding their provenance.

For information obtained from an electronic identification process to be regarded as reliable, the process must be secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity, is in fact the person with that identity.

The following is a suggested non-exhaustive list of sources of evidence for individuals:

  • valid passport
  • valid photo card driving licence
  • national Identity card (non-UK nationals)
  • identity card issued by the Electoral Office for Northern Ireland
  • a check provided via an electronic identification process that meets the criteria to be relied upon.

Using the Document Validation and Biometric Verification features built within our platform, we have harnessed the power of technology to help our customers to verify many different forms of official identity document, namely those listed and recommended above by CCAB.

Our solution helps you to meet the regulatory guidance provided by the CCAB by not only collecting a copy of an identity document remotely, but virtually validating and verifying that the person submitting the information is the owner of the photo ID document being provided.

During our setup process, an Identitech customer can specify their own AML requirements and decide upon the types of official documents they will accept when onboarding your customers.

CCAB AML Requirements for Client Verification via Address Documents

According to the CCAB, regarding address documents:

Where there is an increased risk specifically relating to the identity of the individual, it may be appropriate to request additional, supplementary documents, for example:

  • recent evidence of entitlement to a state- or local authority-funded benefit (including housing benefit, council tax benefit, tax credits, state pension, educational or other grant)
  • instrument of a court appointment (such as a grant of probate)
  • current council tax demand letter or statement
  • HMRC-issued tax notification (NB: employer-issued documents such as P60s are not acceptable)
  • end of year tax deduction certificates/ tax year overview issued by HMRC
  • current bank statements or credit/debit card statements
  • current utility bills
  • a check provided via an electronic identification process that meets the criteria to be relied upon.”

As part of the Document Validation features within the Identitech platform, professional service firms can request copies of address documents from their customers in order to help deepen the AML process. The experience of a customer submitting this information has been designed to be so easy that it provides a simple and effective way for our customers to significantly reduce the risk to their businesses and maintain a high standard of compliance compared with the CCAB guidance.

Our document request process currently accepts the following forms of address document:

  • driving licence
  • council tax letter
  • current bank statement or credit/debit card statement
  • current utility bill.

Subsequently, by the very nature and purpose of our technology, Identitech can help you to meet the requirement at the end of the CCAB list of requirements for increased risk: “a check provided via an electronic identification process that meets the criteria to be relied upon.”

CCAB AML Requirements for Use of Electronic Data

The CCAB specifically lists guidance on using electronic data and digital services such as ours in order to carry out the anti-money laundering process. Their guidance on this is:

Businesses may choose to use electronic identification processes either on their own or in conjunction with other paper-based evidence, on a risk-based approach. A number of subscription services, many of them online, give access to identity-related information. A broad variety of electronic verification systems exist, including those drawing on multiple sources, those relying on the self-capture of documentation using an interactive application, and those that provide credentials which confirm a third party has validated the ID. Companies House registers of persons of significant control may be used but may not be relied upon in the absence of other supporting evidence.

Before using any electronic service, firms should ensure they understand the basis of the systems they use and question whether the information is reliable, comprehensive and accurate. The process should be secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing. Consider the following:

  • Does the system draw on multiple sources? A single source (e.g., the electoral register) is not usually sufficient unless there are additional controls to validate the information. A system that combines negative and positive data sources is generally more robust.
  • Are the sources checked and reviewed regularly? Systems that do not update their data regularly are generally more prone to inaccuracy.
  • Are there control mechanisms to ensure data quality and reliability? Systems should have built-in data integrity checks which, ideally, are sufficiently transparent to prove their effectiveness.
  • Is the information accessible? It should be possible to either download and store search results in electronic form or print a hardcopy that contains all the details required (name of provider, original source, date, etc.). It is sufficient to have a record of the issuer of a document and its unique identifier, it is not necessary to have a reproduction of the original document.
  • Does the system provide adequate evidence that the client is who they claim to be? Consideration should be given as to whether the evidence provided by the system has been obtained from an official source, e.g., certificate of incorporation from the official company registry, or passport.”

The Identitech platform has been carefully designed and engineered to help reduce risk to organisations. We take careful consideration towards the requirements of the CCAB and other industry regulatory bodies in order to help achieve a high degree of industry compliance.

Addressing each of the above requirements listed by the CCAB, here is how the Identitech platform helps accounting professionals to meet the guidance provided by the industry body:

Does the system draw on multiple sources?

Absolutely. We recognise that a single source of information would be useful, but that validating customers based on multiple sources of information is both powerful and carries far less risk. Our extensive KYC and AML risk management draws on up to 23 sources of data and provides insight across different areas including: government, credit, commercial and consumer.

Are the sources checked and reviewed regularly?

Unlike many other data providers in the AML and KYC space, our data sources are updated either in realtime or on a monthly basis. The frequency of updates, whether in realtime or monthly, depends upon the source and the velocity with which our data providers update their information.

Are there control mechanisms to ensure data quality and reliability?

Yes. Alongside our own Crest certification to ensure the ongoing safety and reliability of our platform, alongside both software and human measures to ensure ongoing quality assurance, we have also taken measures to ensure that our data providers maintain a high standard. This includes ensuring that third parties have ISMS control measures in place and maintain ISO 27001 status to protect the confidentiality, integrity, and availability of customer held information resources and assets.

Is the information accessible?

When a check within the Identitech platform has been completed, the information provided by a customer is immediately available for download in PDF format by the professional carrying out/requesting the check. The available information includes photographic evidence of the person submitting the check, a copy of their photo ID and other critical information. This is available for up to 30 days before the data is then deleted to maintain privacy and security. However, each PDF can be downloaded, transferred and stored in line with each organisation’s own information security policies.

Does the system provide adequate evidence that the client is who they claim to be?

We have journeyed to the Nth degree to ensure that we are not only providing useful data, but ensuring that the person filling out the information is the exact same person as the person providing the documents and evidence. Our Biometric Verification, with a high degree of accuracy, ensures that the person is real, present and has not tampered with any of the forms of identification being used through the photo ID verification process.

Next-level technology for remote onboarding

Achieve greater AML compliance with Identitech.

Align your business with CCAB's anti-money laundering guidance. Take advantage of Identitech's powerful solution and help your organisation to remotely onboard customers more quickly, securely and with less risk. Find out more today and explore the benefits of Identitech for yourself.

Discover Identitech