Evaluation of measures taken by FATF members dealing with customer identification

21 July 1997
Source: http://www.oecd.org/fatf/evaluati2.htm

EVALUATION OF MEASURES TAKEN BY FATF MEMBERS DEALING WITH CUSTOMER IDENTIFICATION

Introduction

1. This paper presents a synthesis of measures taken by FATF members in relation to customer identification requirements and record-keeping rules. It deals with both the identification regime set up by members and the practical problems which may have arisen.

2. The "know your customer" policy is probably the cornerstone of the forty FATF Recommendations. While all members have generally implemented the Recommendations dealing with customer identification and record-keeping, there is a need to examine the effectiveness of the identification regimes in place and to see whether some refinements are necessary in order to solve the problems encountered in the most difficult situations by financial institutions.

3. The paper first describes the customer identification and record-keeping systems in FATF members. It then addresses specific issues such as anonymous accounts, identification of the beneficial owner, identification in cases where there is no face-to-face contact between the customer and the financial institution, and future challenges linked to the development of new technologies in electronic payments such as stored value cards. Finally, the conclusion will endeavour to provide an overall assessment of the effectiveness of identification regimes and their impact on money laundering activities.

I. DESCRIPTION OF CUSTOMER IDENTIFICATION AND RECORD-KEEPING

REQUIREMENTS IN FATF MEMBERS

A. Identification requirements

(i) Legal framework and guidance provided to institutions

4. In a vast majority of members, customer identification has been introduced by legislative provisions. However, two members have implemented identification requirements by decree (Turkey) or regulations (Japan). Two other members (Hong Kong, Singapore) have covered the matter with guidelines which have the force of law. In other members, the requirements for customer identification for the bulk of the institutions are provided in the law while some sectors are covered by regulations. The Netherlands is equipped with a law -- the Identification (Financial Services) Act -- which deals only with identification matters. Finally, in Switzerland, customer identification is dealt with both by law (the penal code punishes a lack of vigilance by financial institutions when they identify the beneficial owner) and by other norms (Due Diligence Convention of the banks, Directives of the Federal Banking Commission).

5. While most of the regimes in place were brought into effect recently (between 1990 and 1996), following the adoption of the forty FATF Recommendations, provisions in several previous laws already contained identification requirements. It is also interesting to note that, prior to the passage of legislation, self-regulatory guidelines were issued by the industry to provide standards for customer identification in the absence of legal requirements (e.g. Italy, Luxembourg, New Zealand, United Kingdom). In addition to the enactment of laws and regulations and the adoption of guidelines, further guidance has been provided either by the supervisory bodies or the trade associations, in all members except two for non-bank financial institutions. The nature of these further guidelines varies considerably and they do not all constitute a legal interpretation of the law.

6. All the identification regimes apply to both banks and non-bank financial institutions. However, in one member identification requirements only apply to banks. In a limited number of countries, identification requirements also apply to all or part of non-financial businesses, when they undertake financial activities (Australia, Belgium, Denmark, France, Germany, Netherlands, United Kingdom) or even when this is not the case (Portugal). In the very near future, two members (Belgium, Italy) will extend identification requirements to apply to non financial businesses.

(ii) Contents of the legal frameworks and guidance

(a) Opening of accounts and passbooks

7. The types of documents which are necessary for identifying natural persons opening an account are generally, but not always, set out in circulars or guidelines (e.g. Germany or Portugal). In France, the documents necessary for identifying persons, either individuals or legal entities, are specified in statutory provisions. In Canada, the documents necessary for identifying persons are specified in the Proceeds of Crime (money laundering) Regulations. The guidelines may also contain details for establishing the identity of different types of customers.

8. The definition of the documents which should be obtained differs between countries. However, in a majority of members, it is required to present an official document or any document from a reputable source, which bears a photograph and a signature. The documents which are the most commonly acknowledged and accepted are: identity card, passport, driving licence, social security card and special card of foreigner or refugee. In some members, other documents such as a certificate of marriage, municipal identity card, military card, police card or identification card issued by banks. Moreover, the personal identification number is generally requested in Nordic countries and, for deposit accounts in the United States, a taxpayer identification or social security number must be provided.

9. It should be noted that Norway, in addition to issuing a list of documents which are deemed to have a satisfactory level of security, has issued a list of documents which are deemed not to have a satisfactory level of security. The latter list, which is not exhaustive, includes birth certificates, credit cards, travelling cards for buses and trains, membership cards of unions or school certificates. In Denmark, only documents which are difficult to falsify are accepted. In Australia, the regulations specifically provide types of documents and points to be allocated to those documents, if the "100 point" system is used. However, the decision as to whether it is necessary to undertake further verification on the authenticity of the documents is left to each "cash dealer" (financial intermediary). In fact, the system requires that at least two documents, and often three or more, are required to be sighted by the cash dealer. In almost all cases, the documents must be full and valid.

10. Even though customers should produce an original document, a number of formal checks should be conducted, e.g. verification of the signature, examination of a possible anomaly in the photograph, the physical appearance of the prospective customer. On the whole, financial institutions must verify that the documents presented do not show any sign of alteration. While there are various means of verifying the address, none of them are really satisfactory. Sending and receiving mail does not provide unquestionable results. Of course, further checks can be conducted on the voters roll, telephone directory or recent utility or rates bills. In Japan, the client contact officer of the financial institutions visits the clients to confirm their address. In fact, financial institutions should be vigilant when the customer is domiciled at a third party or post box.

11. Finally, further checks are also carried out in several members. In Belgium, the institutions covered by the law should obtain other information related to their customers (profession, composition of the family, research of address changes, etc.). In Singapore and the United Kingdom, whenever possible, the prospective customer should be interviewed personally. In France, a bank which opens an account to a customer who shows a suspicious haste may engage its liability. The French Banking Association recommends not to accept vague indications on professional activities. For large accounts and/or transactions to be opened and/or carried out in the United States, it is required that the customer provide identification and even prior bank references and, if appropriate, write to that bank and request a customer reference. Also it is suggested that, in this case, banks should consider obtaining a credit bureau report. In Spain, financial institutions are especially cautious in particular cases, such as the verification of an operation through an intermediary, opening of accounts to unknown or non-usual customers, accounts assigned to receive funds from abroad and to be re-transmitted to other places in relation to financial, mercantile or investment operations. In general, several members use phone calls and cross-check information which is available from other files and registers.

(b) Other operations covered by identification requirements

12. In addition to the opening of accounts and passbooks, proof of identity is generally required where a customer conducts an occasional large transaction and where a transaction is suspected of being connected to money laundering. Furthermore, identification of the customer is required in any cases of starting a permanent business relationship and for a number of operations/transactions which include: renting of safe deposit boxes; taking custody of securities, precious metals and other assets; cashing share coupons, bank certificates and similar negotiable instruments; issuing credit cards; and carrying out large currency transactions and wire transfers.

13. In universal banking systems, most financial transactions are considered as banking business and are therefore covered by identification requirements. While some members (e.g. Germany, Greece, Singapore, Sweden) have provided a list of financial transactions for which proof of identity is obligatory, others (e.g. Norway, Spain, United Kingdom) have a general requirement for all financial activities. In France, customer identification is required for the opening of any type of account (notion of usual customers) for all operations with unusual customers above a certain threshold and the renting of safes. Also, as securities are dematerialised, they are kept on accounts. In Italy, proof of identity is required for persons who undertake operations involving means of payment or transfers of bearer securities for amounts exceeding 20 million lira. It is interesting to note that in Luxembourg, the word "account" should be interpreted as broadly as possible to include all financial operations. In New Zealand, the concept of "financial facility" which is broadly defined to include any account or arrangement provided by a financial institution through which two or more financial transactions can be conducted, and the broad definition of a "transaction", which refers to any deposit, withdrawal, exchange or transfer of funds, have effected a very wide range of financial operations. Finally, it should be noted that under Australian legislation, all international funds transfers instructions over A$ 10 000 are covered by identification requirements. In addition, in the United States, a new regulation requires all financial institutions transmitting or receiving domestic or international funds over a fixed threshold, to identify the originator or the beneficiary of the transfer.

14. In almost all members, only official names are accepted but assumed names can be tolerated in a few countries. However, it is important to distinguish between the name used for the opening of the account and the name which will be used for the reference of the account.

15. Non-resident natural persons are identified on the same basis as resident customers. In addition, the verification of the identity of the customer can be obtained from a resident overseas who is the foreign verifying officer of the financial institution, a corresponding financial institution, a consulate or an Embassy.

16. Children are usually expected to be introduced by a relative known to the bank. Documentary evidence of the identity of the child and/or his legal representative (birth certificate, passport of one of the parents or other travel document or statements from an educational institutions) is otherwise required. In many countries, accounts opened in the names of children may only be credited or debited by their legal representatives.

17. In almost all members, the establishment of identity is normally needed in the case of occasional transactions when the amount involved is above a fixed threshold. This applies whether the transaction is carried out in one or several operations which appear to have been linked. When the total amount is not known initially, the financial institution should proceed with identification as soon as it is clear that the threshold has been reached. All FATF members but two have a threshold in place. In addition, irrespective of the sums involved, identification is carried out if the transaction is suspicious. However, identification of occasional customers may also be required in the case of dealings in gold and precious metals (Luxembourg). It is also true that some financial institutions do not even entertain occasional customers. In Spain, the law does not make any distinction between the usual and the occasional customer and therefore the same rules apply to both. In the United States, all banks can refuse to conduct a transaction if warranted.

18. The efficacy of the controls aimed at detecting smurfing practices is largely dependent on the structure and size of financial institutions, as well as on information technology and the information management methods put in place. Smurfing transactions are, of course, difficult to detect if they are carried out in several financial institutions. Some members (e.g. Sweden, United Kingdom) have included an interval of time (e.g. within three months) between transactions for smurfing control. In Germany, the Federal Banking Supervisory Office has introduced regulations on the use of automatic cash in-payment machines to combat smurfing. In the case of cash reporting systems, specific penalties can apply for structuring transactions (Australia). Finally, in the United States automated curency retrieval systems are available to detect structuring.

(d) Exceptions

19. All members but five (Finland, Japan, New Zealand, Singapore) have various provisions in the relevant laws, regulations or guidance notes which exempt from the requirement to verify identity. Some of these provisions may specify categories of people who, in specific circumstances, may become signatories of accounts where they would not otherwise have adequate identifying documentation. For instance, in one member, these categories include recent arrivals in the country, certain recipients of social welfare benefits and some signatories to accounts with public companies and public authorities. Some members have no obligation to identify State organisations, State owned or public companies. Other categories of exemptions may include persons who are known to the financial institution or were already customers at the time identification requirements came into force. While there are no special exemptions provided by regulators, it is recognised that banks have sufficient discretion to make adjustments in their policies based upon their particular knowledge of certain customers. However, non bank financial institutions are not authorised to exempt certain customer transactions from identification requirements. Finally, it should also be noted that in several members (e.g. Denmark, Spain, United Kingdom) the exemptions do not apply where there is any knowledge or suspicion of money laundering.

20. In practice, most of the exemptions apply in the following cases:

other financial institutions subject to the same identification requirements;
life insurance policies where the annual premium, or the single premium, is the equivalent or less than specified thresholds;
pension insurance schemes where the policy is taken out by virtue of contract of employment or the insured person's occupation and provided that the policies do not contain a surrender clause and may not be used as a collateral for a loan;
insurance policies, and other operations pertaining to life insurance or pension schemes, provided that the payment of the premium or of the contribution is to be debited or drawn by cheque from an account opened in the customer's name, with a bank which is subject to anti-money laundering requirements.

(iii) Legal entities

(a) General rules

21. Legal entities are usually entitled to open accounts in their names. In some countries, however, this includes both companies and trusts, foundations, associations, etc. In most respects, relevant information regarding the formation of the entity is requested (certificate of incorporation or similar document, memorandum and articles of association). This information often also includes the number of registration, the name and postal address of the company, the names of the board's members as well as the management, the legal form of the entity. Most members request the production of the original document or certified excerpts from official registers.

22. For legal entities registered overseas, most members made it clear that comparable documents should be obtained as far as is practicable. However, since the standards of control vary among different countries, it is generally recognised that attention should be paid to the place of origin of the documents and the background against which they are produced. It is interesting to note that in Finland, non-resident legal persons are obliged to produce a letter of recommendation.

23. As a general principle, the identity of relevant individuals behind the entity (trustees, directors) is established in line with requirements for personal customers. For instance, in Canada, the identity of at least three persons who are authorised to give instructions with respect to the account must be verified. Furthermore, the resolution of the board of directors to open an account and to give authority to signatories on the account is generally requested.

(b) Further checks to be conducted

24. In addition to the above-mentioned requirements, several members have requested the relevant institutions to conduct further checks when identifying legal entities, since the establishment of identity of customers, who are not natural persons, gives rise to special problems. For instance, in Belgium, financial institutions are required to obtain information on the effective activity, size of the business and its financial situation. Finland, France and the United States have similar requirements. In Greece, further checks are only conducted for accounts which provide overdraft facilities. In the same way, if a legal entity requests a loan from a domestic institution in Iceland, further checks are only made with respect to the company and its legal registration in its home country. In Hong Kong and Singapore, there is an obligation to cross-check the information on legal entities with the company registry or the registry of companies and businesses. Financial institutions in the United Kingdom are encouraged to enquire at the start of the relationship about the size and nature of expected activities to be conducted through the account.

25. However, in several members the opportunity of conducting further checks is left to each relevant institution. In almost all members, there are no specific measures to be taken when accounts are opened in branches in the district of which the legal entity has neither its registered office nor significant business activity. In fact, this situation would often prompt a report of suspicious transaction (e.g. Australia, Belgium, Denmark, Germany, Italy, United States) or would provoke a thorough review (United States).

26. With regard to particular measures to be taken when the legal entity uses the services of a letter-box company, again, this situation could prompt special attention to the transaction or a disclosure of suspicions. Moreover, several members have required the identification of the legal entity itself (Belgium, Luxembourg). In Canada, all corporate accounts must be opened on a face-to-face basis. Some members have prohibited letter-box companies (France, Greece) and others (Singapore) have discouraged their use. However, there is no formal requirement in this respect in two members.

(iv) Compliance

(a) Measures in case of failure of identification

27. When the customer has not been adequately identified, various measures can be taken by the relevant institutions:

sever the relationship with the customer (including refusal to open the account or refuse the transaction;
block the account from withdrawals;
make a suspicious transaction report;
possible forfeiture of the account after a certain period of time;
keep the record of the data concerning the identification.

28. The above-mentioned measures can apply either separately or together. For instance, after an account has been opened, a financial institution may block the funds and simultaneously make a suspicious transaction report. However, this position has been subject to criticism as incompatible with the principle of good faith in business relations.

29. For most members, in no circumstances should transactions be permitted on a account before the customer's identity has been established. However, financial institutions may discover later that the identification checks were not satisfactorily completed. In this case, the institutions should, as a minimum, be required to disclose information to the relevant authorities. This issue of severing business relations at this stage is nevertheless questionable. In fact, it is important to keep an audit trail in all cases and not to authorise withdrawals in cash.

(b) Sanctions for non compliance with identification requirements

30. The sanctions applicable to the institutions in cases of non compliance with respect to customer identification are as follows:

fines for individuals, companies and financial institutions;

the possibility of imprisonment for individuals (members of the board, directors, managers, employees, representatives or other persons who permanently or occasionally render services to them);

disciplinary sanctions (warning, suspension of activity, or withdrawal of agreement in most serious cases);

rectification of any weaknesses in customer identification as identified in the banking supervisory process;

cease and desist, removal and prohibition and other such actions.

31. Again, the above-mentioned sanctions can be applied either in conjunction or separately. In many members, it is a criminal offence for an institution to fail to take reasonable measures to establish the identity of a prospective customer. Sometimes, not only the institutions but also their employees can be punished by fines and imprisonment according to their involvement in the offence and their position in the bank.

32. On the whole, there has been no evidence of any major deficiencies in complying with the general customer identification requirements. FATF members are satisfied with the way identification checks are applied. No prosecutions, or very few, have been brought against any financial institutions in this respect. In the few cases of inadequacy, action has been agreed with the institution concerned.

b. RECORD-KEEPING RULES

(i) Nature and contents

33. The banking sectors of all members have implemented the following requirements:

transaction records should be maintained for at least five years; and
records on customer identification must be kept for at least five years after the account is closed.

34. In fact, for many members, the documents must be kept for a period of time of more than five years (Australia: 7 years; Germany: 6 years; Hong Kong: 6 years for banks; Italy: 10 years; Portugal: 10 years for records of transactions; Spain: 6 years). In addition, other provisions, particularly in commercial laws, may require a longer period of time for record-keeping.

35. While the application of standards record-keeping is satisfactory, the situation could still be improved in certain categories of non-bank financial institutions, such as bureaux de change, and for certain non financial businesses undertaking financial activities. In one member, record-keeping requirements only apply to banks. However, some members have implemented record-keeping rules for their casinos (e.g. Denmark, Spain, the United States).

36. In addition, the legislation on the coverage of documents related to the identification of the beneficial owners could be clarified. Finally, some members specified that failure to maintain adequate record-keeping systems is an offence (Ireland, Singapore)

(ii) Storage of documents

37. The way the documents used in the process of identification and the records of transactions are retained and stored is essential for a reasonably speedy and practical retrieval. Very often the laws and regulations do not contain any provisions concerning the way the documents should be stored. However, in some members (e.g. Finland), financial institutions are required to organise their record-keeping in a centralised manner so that the information may be examined later without unreasonable delay, for example, by using a register or reference number. With regard to the contents of the information, it is interesting to note that in Norway the name of the officer within the financial institution who receives the information, must be furnished along with the identification information.

38. The storage of documents in a "paper format", sometimes in various locations, makes ready access very difficult, especially after the termination of business relations (documents stored in central warehouses of the financial institution and not at branches. The various forms of electronic storage (microfilm, optic disks, computerised forms, etc.) can ease this situation. However, for legal reasons and evidentiary purposes, it seems that usually the originals of certain documents (certified copies of the originals) are still required, and therefore must be retained in their original form. In this respect, it is necessary to find the right balance between the need to keep either the original document or copies admissible in court proceedings, and the standard procedures of financial institutions which seek to reduce the volume of records which need to be stored.

39. The retrieval of documents pertaining to occasional customers may be more problematic. In order to solve this difficulty, one member (Belgium) has established a "modus vivendi" to specify the requests for documents (identity, region and time of the transaction, etc.). In most members the documents are accessible within a reasonable time, in particular if the handling branch and the account number are known.

(iii) Access to stored data

40. In general, documents relating to transactions and the account identification process are accessible by all law enforcement agencies, financial regulators and judicial authorities. The means by which they can be accessed varies with the type of powers available to the afore-mentioned authorities and the context of the investigations. In general, the police need a search warrant or a subpoena to access customer identification data.

41. The financial regulatory authorities have access to the identification documents of the financial institutions without limitations although in some cases only for supervisory purposes. In some members, the disclosure receiving agencies have also unlimited access provided that a suspicious transaction report has been made. Sometimes, all the above authorities, including the police, have access to customer identification records without a search warrant (Iceland). In another extreme situation, the supervisory bodies, law enforcement and judicial authorities, may be required to justify access to the archives by means of a formal request.

II. specific issues

a. ANONYMOUS ACCOUNTS

(i) Description of the requirements

42. Financial institutions in FATF members are not permitted to open anonymous accounts or accounts in fictitious names. This requirement can be based on either specific legislative or regulatory provisions (Australia, Germany, Greece, Japan, Luxembourg, Singapore). However, in most cases, the objective of the FATF Recommendation to prevent anonymous accounts and accounts in fictitious names is a direct consequence of the general customer identification requirements. In other words, the prohibition applies to all types of accounts, safe deposit boxes and passbooks, with the exception of one member for the latter. There are various administrative, civil and penal sanctions in cases of non compliance.

43. In almost all members, the scope of the prohibition includes anonymous accounts which may be offered via new electronic systems such as Internet. However, the requirement does not apply to service providers established overseas. This situation gives rise to problems when a foreign country does not apply the FATF Recommendations, and in particular those relating to customer identification. In one actual case, an offshore bank based in the Caribbean proposes the opening of anonymous, coded and numbered accounts through Internet.

44. Due to the potential risks involved in technological innovations such as Internet banking, several members have indicated that they are considering an appropriate policy response (Australia, Hong Kong, Portugal). The latter considers that if its home country regulations prove ineffective, and if the number or size of the balance of those accounts so justifies, it will consider enacting legislation to prevent residents in Portugal (natural or legal persons) from opening anonymous accounts offered by foreign institutions via Internet.

(ii) Exceptions

45. The most important and serious exception to identification requirements relates to the passbooks which can be opened anonymously by Austrian residents. It should be noted that Austria recently decided that no new anonymous securities accounts could be opened after 1 August 1996. However, the possibility of opening anonymous passbooks still exists and continues to be a matter of serious concern. Seven years after joining the FATF, Austria is still not in full compliance with Recommendation 10. Failure to take action in this area could undermine the Austrian system for fighting money laundering.

46. There are also several other specific situations which, nevertheless, do not affect the implementation of "know your customer" principles. In Italy, although only bearer securities deposits can be attributed to fictitious names, the financial institutions are, in any case, required to ascertain the identity of the persons opening, closing or conducting transactions on these accounts. In France, cash purchases of capitalisation bonds from insurance companies or (bank-issued) short-term notes are unrestricted and anonymous for tax purposes. However, financial institutions are required to identify clients who purchase or redeem such bonds or notes and the preservation of client anonymity cannot be evoked as grounds for non disclosure to TRACFIN (Traitement du renseignement et action contre les circuits financiers clandestins).

47. In Belgium, in exceptional and specific cases which require discretion (key public figures, managers of the bank, etc.), the bank employees do not know the identity of the customer. It is therefore permitted to open numbered accounts or accounts in assumed names but only for these categories of clients. However, the identification of the customer is always verified at the management level of the bank and the latter is, of course, obliged to communicate the true identity of these account holders in cases of investigation or suspicious transactions reporting.

48. No anonymous accounts or safe deposits are permitted in Switzerland. However, as a further internal security measure, banks can open accounts or safe deposit boxes under a number or a pseudonym. This allows a limited number of bank staff to have access to the true identity of the holders of numbered or coded accounts. In any case, the banks are required to identify the actual account holder and the beneficial owner, if any.

B. identification of beneficial customers

(i) General requirements and cases where customers are represented by non-financial businesses, particularly lawyers

(a) General

49. In almost all members, financial institutions are required to take reasonable measures to obtain information about the true identity of the person on whose behalf an account is opened or a transaction is conducted (beneficial owner), if there are any doubts as to whether the client or customer is acting on his own behalf. However, there is one exception for non-bank financial institutions in one member.

50. In general, with regard to life insurance products, several members (e.g. Finland, France, Italy, Netherlands) have implemented various measures to identify, not only the policy holder but also the beneficiary of the contract. Due to the nature of life insurance contracts, the beneficiary may not be known at the time the policy is taken out and the identity of the beneficiary may therefore only be verified at the time payment is made.

51. Non-financial businesses are not always required to identify beneficial customers, especially when financial business is not their main activity. In most cases, there are no specific identification rules when customers are represented by non-financial professions. Some members have included certain categories of non-financial professions in the scope of the measures concerning customer identification (e.g. lawyers in Denmark; casinos, businessmen when carrying on their trade or business, and persons who administer another person's assets against payment in Germany; lawyers in New Zealand). In Norway, in cases where a customer is represented by a lawyer or other non-financial profession, the institution shall seek to obtain complete identity information about the person on whose behalf action is being taken.

(b) Non-financial businesses and lawyers

52. The general obligation to identify both the customer and his representatives (FATF Recommendation 11), irrespective of their professional capacity could probably address these specific cases. However, several non-financial businesses are characterised by a duty of professional secrecy (lawyers, accountants, bailiffs) which may prevent them from revealing the identity of their clients.

53. To solve this difficulty, various measures have been implemented. In Belgium, the non-financial intermediaries acting on behalf of their clients, should sign an attestation stating that no money laundering is involved. In the case of refusal, financial institutions should not execute the operation and should report the case to the CTIF (Cellule de traitement des informations financières), if the circumstances of this refusal show any indication of an attempt to launder. Conversely, should an intermediary sign such an attestation knowing that the funds are derived from one of the money laundering underlying offences, its penal and disciplinary liability would be engaged.

54. A section in the Irish guidance notes deals specifically with non-financial intermediaries (e.g. solicitors, accountants, etc.). If the financial institution is satisfied with the bona fide of the intermediary, the identity of the third party can be established by receiving a name from the intermediary. This can only be relied upon where the intermediary has given a written undertaking that it will take reasonable measures to establish identity, will retain documentary evidence and will, upon request, furnish a copy of the information to the financial institution. In any case, where it appears that the intermediary is merely providing a "front", such an undertaking will be inadequate and identification of the third party must be established by the financial institution.

55. When customers are represented by lawyers or any other non-financial profession, the financial institutions in Singapore require the production of the identity card or passport of the beneficial owner and they also check that the lawyer or professional concerned is duly registered locally. In Spain, if the client acts through a lawyer or another person, the latter must be identified by proving the power of attorney which enables him to act on the client's behalf. In Turkey, when a natural or legal person conducts a transaction with a bank on behalf of another person, he/she is required to submit a proxy statement arranged by a public notary for that specific transaction, certifying the identification of the beneficial owner. This rule applies whoever the representative is (trust, lawyer or other non-financial profession).

56. In Switzerland, while the banks which are subject to the Convention of Due Diligence are required to identify the beneficial owners (obligation to fill in "form A"), there are some exceptions for accounts or deposits established in the names of lawyers or notaries. These exceptions only apply in cases of payment of professional or judicial fees or deposits of patrimonial values and their related investments regarding inheritance, divorce or in trial cases. These situations are certified by written statements by lawyers and notaries.

57. Several members have also adopted measures to deal with situations where there are doubts as to the accuracy of the information pertaining to identification provided by non-financial businesses. In the case of serious doubts or when identification cannot be established, financial institutions can always refuse to open the account or execute the transaction (e.g. Germany, Switzerland). In Luxembourg, in a case where there is doubt that a customer is acting on his own behalf (because the customer is a legal entity which can form a "front": holding, Anstalt, trust, etc.), the latter is asked to provide a written declaration stating that he/she is acting for himself or establish the identity of the beneficial owner.

58. While banks cannot always establish the identity of the person(s) for whom a solicitor or accountant is acting, two members have indicated that this does not preclude banks from making reasonable enquiries about transactions passing through clients or beneficial accounts which give cause for concern, or from reporting those transactions if any suspicions cannot be satisfied. In the United Kingdom, where a money laundering enquiry arises in respect of such a client account, the law enforcement agencies will seek information directly from the intermediary as to the identity of the underlying client and the nature of the relevant transaction. The United Kingdom Money Laundering Guidance Notes recognise that there can be even more complex money laundering situations where the intermediary is from a country without equivalent anti-money laundering legislation. Of course, reasonable measures should again be taken to verify the identity of the underlying client. However, if it becomes apparent that the intermediary is playing little or no role beyond providing a "front", full verification procedures become necessary if the account opening is to proceed.

59. Finally, and this is certainly the best way to deal with this problem, several member governments have proposed to include categories of non-financial businesses in the scope of their anti-money laundering legislation (Australia: lawyers; Belgium: notaries and bailiffs). The Italian government intends to extend identification requirements to parties undertaking activities "particularly susceptible to be used for money laundering purposes due to the fact that there is an accumulation or transfer of major economic or financial resources, or that there is a risk of infiltration by organised crime."

(ii) Beneficial customer of trusts or nominee account holders

60. The most complex situations are found when customers are represented by trusts or nominees, especially when the latter are domiciled overseas in poorly regulated countries. The responses to these situations vary among the membership. Firstly, in some members (France, Spain, Portugal) trusts do not legally exist. Several members have specifically included trusts or nominee account holders in the scope of their laws, regulations or guidance notes dealing with customer identification (Australia, Denmark, Ireland, Italy, Japan, Luxembourg, New Zealand, Norway, Sweden, Switzerland, United Kingdom, United States). This inclusion can be either direct, with the trust or nominee account holders being treated as a financial institution or business, or indirect with a specific requirement for financial institutions to identify the beneficial owners.

61. However, it seems that the nature of such requirements differs from the general customer identification regime. In almost all members, where applicable, it is not mandatory to identify the name of each beneficiary of a trust. In fact, verification by a financial institution of the identity of the person acting as trustee, nominee or fiduciary does not raise specific problems. However, it is of course more difficult to identify the parties for whom the trustee or nominee is acting and to seek confirmation that the source of funds or assets under the trustee's control can be vouched for. According to the United Kingdom Guidance Notes, if the applicant is unable to supply the information requested, enquiries should be made as to the identity of the person who has actual control and the results should be recorded in the account opening file.

62. It is generally recognised that the reasonable measures undertaken to obtain information concerning the underlying beneficiary need to take into account legal constraints and/or good market practices in the respective area of activity, the geographical location of the trustee and beneficiaries to which the trust account relates and, in particular, whether it is normal practice in those areas or markets, to operate on behalf of undisclosed principals. In New Zealand, in order to take into account the practical difficulties associated with the identification by financial institutions of the beneficial customers of domestic trusts or nominee shareholders, this requirement has been limited to cash transactions involving NZ $ 10 000 (approximately US$ 7 000) or over. In Hong Kong, it is proposed to strengthen the guideline of the Monetary Authority by including the requirement that banks should verify the identity of trustees, nominees or account signatories as well as the nature of their trustee or nominee capacity and duties, for example, by obtaining a copy of the trust deed. In a case where the beneficiaries cannot be identified, the proposed revised guideline would require banks to pay special attention to business relations and transactions with the customer, including monitoring activity of the account in question.

63. It is generally admitted that trusts created in poorly regulated countries or jurisdictions, or the use of offshore investment companies, deserve special attention. However, while several members recommend that financial institutions undertake additional enquiries as to the true identity of the beneficiaries and sometimes also on the source of the funds, there is probably no fully satisfactory solution in this respect.

C. IDENTIFICATION IN CASES OF NO FACE-TO-FACE CONTACT

(i) Requirements in place and identification methods

64. In most members' legislation or regulations, there are no provisions which deal specifically with cases where there is no face-to-face contact between the financial institution and the customer. Therefore, in many members, financial institutions are required to obtain copies of identification documents, irrespective of the way the financial products are distributed. However, recognising the difficulties posed for customer identification in cases of mechanisms which avoid face-to-face contact between financial institutions and their clients, several members have addressed this issue in their guidance notes, circulars or instructions.

65. In general, face-to-face contact would normally be required. In Canada, it is even required that there must be face-to-face contact (verification in person) in the case of direct banking and direct insurance writing. However, the following paragraphs describe measures which have been implemented in member countries and practical solutions in cases where business is conducted by post, telephone or electronically.

(a) Direct banking

66. Firstly, where the transactions are carried out by a distance selling institution, payments should be made via or to the customer's bank account opened in another institution. It is expected that identity checks have already been carried out by the latter. However, there is still no proof that the customer has been correctly identified. Moreover, it seems difficult to transfer the liability for identification from the distance selling institution to the institution which holds an existing account.

67. The Identification (Financial Services) Act in the Netherlands authorises the Minister of Finance to designate cases for which the identification requirements are fulfilled when it is established that the first payment from the client is to be debited from, or is to be credited to, an account opened in the customer's name with a bank in the Netherlands or in another country designated by the Minister of Finance. The Minister of Finance has used this authority to designate direct banking services. The financial institution is required to obtain confirmation from the customer's bank that the client has been properly identified and that the client's identity has been recorded by the said bank.

68. There are various procedures to check the personal identification and verify the address of the applicant. In many instances, the distance selling bank demands a copy of a relevant identification document. In Germany, notaries public and other banks are authorised to establish identity on behalf of the institution obliged to identify the customer. The data and the copies of identification documents must be certified as official by various authorities : police, consulate, notary, Embassy, etc. (Luxembourg); lawyer, auditor or public notary (Norway, Portugal). In Portugal, the information relating to a customer must also be certified, in writing, by a bank established in a European Union member State, in a FATF jurisdiction or by a bank of internationally recognised good reputation.

69. In several members, where the account is opened by post, various mechanisms for checking the address and sometimes the name of the customer, are applied: sending documents by registered mail (Norway, Portugal) with the acknowledgement signed personally by the account holder (Austria) or by simplified registered mail with the absence of return being deemed as a verification of the customer's identification (Japan), surveillance of the mail or exchange of correspondence (Belgium, France, Switzerland), applying the identification requirements for banks by counter staff at the premises of the post or in the course of mail delivery (Germany), prohibition of the use of Post Office boxes (Spain).

70. Further methods of verification include: checks on the Voters Roll or providing original gas or electricity bills (e.g. United Kingdom). In addition, it is recommended that banks cross-check the information with other available information from the national register office, the tax office and the Register of Enterprises (Norway) or any public register (Sweden). In the latter country, the prospective customer will often be requested to visit a branch office before entering into business relations with the financial institution in question. Other forms of verification can include a telephone call to the applicant (at home and at work), to establish that the details are correct (Belgium, Spain, Sweden, United Kingdom). In the United Kingdom, the applicant's employer is also contacted, for independent confirmation.

71. Other specific provisions applicable to the opening of bank accounts by correspondence which also minimise the risks which are linked to a non face-to-face identification, are as follows:

such accounts can only be credited with cheques or transfers from another pre-existing account (Belgium, Canada, France);

the prohibition of cash and cheque withdrawals from these accounts; only transfers to other accounts are permitted (Belgium);

cross-checking information on the copies of identification documents with the sources of the information;

paying particular attention where such accounts are opened by persons from abroad, and where the account is supplied by large wire transfers from another country (France);

direct selling banks do not carry out one-off transactions (United Kingdom);

in the case of the delegation of identification checks to a third party, the framework of the delegation should be precisely defined and the partners or correspondents should be adequately qualified.

(b) Direct issue of credit cards

72. With regard to issuers of credit cards, the situation is a little different. In this case, the credit card issuer often requires its clients to mandate the issuer to transfer payments from a pre-specified bank account of the client to the account of the credit card company. As an additional safeguard, credit card issuers usually ask a potential client to mail to them a recent bank account statement in his name regarding the account to be debited.

73. Consequently, this situation raises less difficulty. In addition, some of the checks conducted in the case of direct banking (see above), can also apply to the direct issue of credit cards (e.g. monitoring and checking the mail). In general, for the issuance of credit cards, identification checks are naturally strict because cardholders may be subject to income qualification and credit limitations on applications for credit cards.

74. Although traditional life insurance and other related investment products may not be commonly sold at distance, the recent development of standardised life-insurance, which can more easily be sold by correspondence, has been addressed by a few members, as follows:

the identification process is deemed to have been fulfilled when it has been established that the premiums can be settled through an existing account of the insured person at an authorised financial institution provided that the third party or beneficiary has been fully identified;

the documents related to the contract can be sent by registered mail with various additional checks on the addressee;

in addition to traditional identification information, applicants can be asked to produce other documents such as medical certificates, etc.

(d) Nominee securities accounts

75. In general, the applicable laws and regulations require reasonable measures to be taken to ascertain the identity of the agent or the intermediary's principal. The bio-data of the applicant must be verified by a public notary and the financial institution should rely on its overseas branches or correspondents to ensure that the applicant is in fact the said person (Singapore). In the United Kingdom, if the intermediary is himself subject to either the regulations or "equivalent provisions" regulated overseas, then a written assurance may be accepted that the intermediary has obtained and recorded the principal's identity under his own procedures. Laws and regulations can also require that any agreement, involving the receipt of funds for investment in securities or other valuables for the customer's own account, will be made in the name of the client, legal or physical person (Iceland). In Switzerland, the customers of nominee securities accounts can also be registered as beneficial owners. The nominee has a complete list of customers with their names and addresses.

(ii) Alternative or complementary methods in cases of no face-to-face identification

76. In general, there are no special mechanisms which require banks to monitor accounts opened by distance selling, perhaps because distance selling or the acquisition of accounts or deposits are not so common. Apart from the general obligation for financial institutions to pay special attention to accounts opened by distance selling (e.g. Denmark, France), no specific monitoring mechanisms have been implemented in such cases except in Australia and Belgium. In the former, transnational activity is monitored for some accounts, but only with respect to significant cash transactions reports, international funds transfer instruction reports and suspicious transactions reports. Some banks in Belgium have implemented internal control measures in this respect (i.e. automatic systems for the detection of large movements and the establishment of a daily list of all withdrawals, suspicious operations may trigger a visit to the client, and non residents' accounts must be closely monitored).

77. In some member countries, banks have set up computer programs relating to "unusual" behaviour of an account (Australia, Italy, Spain, United Kingdom). However, in most respects, these have only been developed by a few banks and an even more limited number of non bank financial institutions. In the United Kingdom, a number of plastic card issuers have used or developed expert systems to prevent and detect fraud. These systems could also be used for anti-money laundering purposes but the routine profiling of customer's accounts and the monitoring of exceptions reports are seen by the United Kingdom financial institutions as more useful and cost-effective in the detection of money laundering than expert systems.

(iii) Reliance on photographic identification

78. In cases where there is no face-to-face contact, because customers can only be asked to supply copies of identification documents, the security provided by photographic identification may be questionable. In this context, several members believe that the risk of forgery is too great due to the universal availability of sophisticated copying and desk-top publishing systems, which can render the use of copied documents wholly unreliable.

79. Many other members also recognised that it is not entirely safe nor helpful to rely exclusively on photographic identification in situations where there is no face-to-face contact. Therefore it is most important to implement the measures which are set out in the paragraphs dealing with direct banking, as well as provisions which clearly state that documents which show obvious signs of alteration should not be accepted.

80. Some members are equipped with centralised data systems, or identification documents (e.g. Hong Kong, the Netherlands) or regulations requiring a national registration number (e.g. Denmark). While these measures can help financial institutions to identify national customers in a case of no face-to-face contact, they do not address the situation of overseas clients. A possible solution, which has already been mentioned in paragraph 68, are certified copies (by an attorney, consulate or embassy) of identification documents, if the bank has no branch/subsidiary in the applicant's country of residence.

(d) Future challenges regarding smart cards

(i) Identification requirements applicable

81. The use of stored value cards as a means of payment has not yet become generalised in all FATF members. These cards do not yet exist in ten member countries (Iceland, Ireland, Greece, Japan, Luxembourg, New Zealand, Norway, Singapore, Turkey) and have only recently been introduced in others. In most of the former, relevant projects are being experimented. The regime of authorisation for the issuers of such cards is quite strict, as the latter must be issued either by banks or credit institutions which are subject to customer identification, or by credit card companies which are subject to special authorisation by financial regulators or central banks (e.g. Denmark, Portugal, Singapore). In addition, and in all instances, the amount which can be stored on the cards is limited and this may reduce their vulnerability for money laundering purposes.

82. In fact, in a majority of cases, stored value cards are, or will only be issued by banks or other institutions which are, themselves, already covered by customer identification requirements (e.g. Australia, Austria, France, Germany, Hong Kong, Italy, Portugal, Singapore, Sweden, Switzerland). In Belgium and the Netherlands, stored value cards should necessarily be linked to a bank account which would imply that identification procedures apply. Normal identification procedures would also apply to the issuance of the cards in several members (e.g. Luxembourg, Spain, United Kingdom, United States).

83. Denmark has recently introduced legislation dealing with the issuance of prepaid cash cards. The issuers of the cards are under the supervision of the Danish Financial Supervisory Authority except for cards with a value under DKK 500 (approximately US$ 80). The legislation does not prescribe any identification requirement to individuals or companies buying prepaid cards, but the issuers must keep a register of all cards in circulation. Such registers can contain useful information for security purposes (the balance outstanding on a cash card, counterfeit cards, card used for a total exceeding the value).

(ii) Record-keeping requirements

84. Some FATF members are confident that an adequate track of the transactions which are carried out by stored value cards, particularly for large transactions (Australia) or for any kind of transaction (France), would be maintained, because the general anti-money laundering requirements would apply. This is probably true where stored value cards are issued and managed by banks.

85. Although the re-loading of smart cards is ultimately made through the debit of a bank account, they can be used by anyone, anywhere, and for whatever reasons, in the same way as any other bearer means of payment, especially for the multi-purpose smart cards. There is therefore no effective means of keeping track of the relation between the bank account holder and the card holder.

86. It is in fact possible to keep track of the bank account which is debited if the card management company regularly reports to every issuing institution all the transactions which have been settled through each card. It would also be interesting if the amounts loaded in a card could be registered in a central database. Maintaining a central database of transactions, or data retrieval capacity, would allow the participating banks to monitor transactions. Furthermore, where cards are not linked to a bank account, both the loading operation and the subsequent payments are anonymous, so that no paper trail is generated. This problem could of course become more acute if purse-to-purse transactions are allowed.

(iii) Assessment

87. It is probably too soon to assess definitively the potential of money laundering vulnerabilities implied by the development of stored value cards. However, the situation should be kept under close review, especially if stored value card technology is used at some point in the future, to handle large commercial transactions.

88. The advent of stored value cards could create a convenient vehicle for money launderers to transport and transfer money without having to carry a huge bulk of cash. It is therefore important that there are regulations in place which require card issuers set up adequate anti-money laundering procedures, for example, by having an audit trail to keep track of the transactions; limiting the amount that can be transferred to and from the card, linking the card to specific bank accounts for the purpose of downloading and off-loading of value; monitoring the behaviour of card transactions; and reporting any suspicious activities related to the use of these cards.

Conclusion/Overall assessment

89. On the whole, identification regimes in FATF members are deemed satisfactory. There is no doubt that customer identification requirements have a substantial deterrent effect. In this respect, the strict application of identification checks by the banking sector has caused a shift in money laundering activities to other sectors such as bureaux de change. However, since identification regimes are only one aspect of anti-money laundering programmes, it is difficult to quantify the impact which they have on global money laundering activity. Beyond preventing money laundering, identification regimes also combat other types of crime as well as preventing the institutions from fraudulent transactions. Much has been done in the area of customer identification over the last six years, but the measures in place need to be kept under review and improved.

90. In addition to technical problems linked to the structuring of large cash transactions and the reliability and security of identification documents, the difficulty for financial institutions to verify the identification of certain types of customers or transactions is recognised in cases such as:

legal entities, especially overseas private companies;
shell companies, trusts and nominee accounts;
the structuring of large cash transactions;
customers represented by intermediaries which are non-financial businesses subject to professional secrecy; and
situations where there is no face-to-face contact between the customer and the financial institution.

91. Although there have been some complaints about the costs of identification and record-keeping requirements, the latter definitely contribute to the prevention and detection of money laundering. However, many of the identification procedures are merely extensions of procedures which had already been established by the financial institutions for their own purposes. In a majority of cases, there are no cost estimates on how customer identification requirements are being fulfilled. However, one may consider that the costs are reasonable taking into account the FATF's objectives and the necessity of customer identification to accomplish these objectives. On the whole, it is recognised that the costs should not be overestimated. However, the duplication of identity verification across the financial sector and the costs involved by record-keeping measures could be reviewed.

92. In fact, the issue of costs should be dealt with in the generalisation of identification regimes world-wide. FATF Recommendations dealing with customer identification and record-keeping should become global standards. Another issue for future consideration is the application of identification measures in the context of the rapid development of electronic transactions and financial services through new technologies. It is also obvious that this challenge should be addressed at the international level and could be subject to further in-depth review by FATF.