CDD Essentials: What Makes Customer Data Reliable and Independent

This infographic aims to decode the nexus between customer data reliability and its importance in fulfilling AML/CFT Obligations in the UAE, such as Customer Due Diligence (CDD). It highlights the importance of Data Reliability and Independence in the context of fulfilling essential CDD obligations during customer onboarding and monitoring, helping Regulated Entities in the UAE navigate remote customer onboarding requirements while ensuring alignment with the principles of Data Reliability and Data Independence.

Factors That Determine Data Reliability

Data reliability, in the CDD context, determines the level of reliance that can be placed by the personnel of a Regulated Entity when making use of customer data for the purposes of conducting CDD obligations. The factors that determine the degree or extent to which customer data can be relied upon for CDD are:

Customer Checks

The degree to which the customer has undergone verification processes to obtain the data, or the extent and depth to which CDD measures have been applied: this helps in understanding the data’s attributes, such as its originality, the level of scrutiny it underwent (Simplified Due Diligence, Enhanced Due Diligence, or Standard Due Diligence), its quality, and the number of times it has already been relied upon. These attributes indicate its dependability and help build the record lineage of the customer data.

Official Status

The credibility of the issuing person or institution: helps the KYC Analysts to determine the quality assurance factor, i.e., the level of trust that can be placed on the particular ID document and its contents, on the basis of the official status, reputation, and credibility of the issuing authority of such an ID.

For instance, when relying on an Emirati passport for verifying customer identity, which is issued by the Federal Authority for Identity and Citizenship, Customs and Port Security (ICP), then its official status is highly reliable and credible for the purposes of CDD, as the ICP issues passports only after stringent scrutiny, making them highly reliable. Contrastingly, if a customer presents a local gym or library membership card instead, as an ID, then such an ID cannot be relied upon for the purposes of CDD as gym or library membership can be granted to any individual without vetting and verifying their address proof, residency status, professional and educational background, etc., making such an ID completely unreliable for the purposes of CDD.

Additionally, the regulated entity must verify whether the digital ID system used to validate or authenticate customers is authorised by the UAE government for the purposes of fulfilling CDD obligations; if not, then such a digital ID system must not be used.

Digital ID Assurance

The level of assurance tied to the digital identity systems in use helps regulated entities’ staff determine the level of trust that can be placed in a digital identity on the basis of it being part of the national cybersecurity framework.

For instance, UAE Pass is the UAE’s national digital identity solution. It helps public as well as private entities (such as Currency Exchange Providers, Remittance Services Providers, and Payment Service Providers), which are heavily regulated under the UAE’s AML-CFT Law and AML-CFT Decision, to ensure compliance with the following laws on individual privacy and digital identity in the UAE:

  • Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data
  • Federal Decree Law No. 34 of 2021 on Combatting Rumors and Cybercrimes
  • Electronic Transactions and Trust Services Law.

Digital ID systems help fulfil CDD obligations by:

  • Identity Proofing: Obtaining Name, Date of Birth, ID number
  • Binding and Authentication: Confirming and Verifying digital ID through credentials and authenticators
  • Identity Lifecycle Management: Expiries, Renewals, or Re-Issue of ID documents triggering Re-KYC
  • Portability and Interoperability Mechanisms: Portable ID Verification across various regulated entities through cross-recognition of digital ID systems

This makes digital ID, and the assurance that comes with it, the go-to tool for remote customer onboarding, helping Regulated Entities conduct non-face-to-face business with relative ease.

RBA & Digital ID Systems

The FATF’s guidance on Digital Identity recommends that regulated entities adopt a tiered and risk-based approach when relying on digital ID systems for the purpose of CDD by ensuring that assurance levels are commensurate with the ML/FT or PF risks to which the regulated entities are exposed.

RBA simplifies the decision process for deploying adequate and appropriate CDD measures by enabling the RE to decide whether the digital ID system provides an adequate assurance level for the ML/FT or PF risk presented by the customer to the regulated entity. If the digital ID is found to be unreliable and not independent, according to the risk level, it should not be used for CDD purposes. However, if the digital ID is found to be adequately reliable and independent, based on the ML/FT and PF risk, then it can be used to fulfil CDD requirements.

Forgery Resistance

The difficulty involved in forging the provided identity information: Features such as holograms, microprinting, radio frequency identification (RFID) embedded chips, and stereo laser images (SLI) make ID documents such as Passports, Driver’s Licenses, and National ID Cards forgery resistant. When regulated entities are presented with such forgery-resistant ID documents for CDD, then the data reliability of such documents can be considered high.

Factors That Determine Data Independence

Data Independence needs to be assessed before relying on a digital ID system to ensure that the data contained and relied on through a digital ID system is free from falsification, manipulation, fabrication, cyber-enabled fraud, and insider complicity. Regulated Entities must check Digital ID frameworks and systems’ data independence so as to ensure:

Issuer’s Objectivity

Whether the person or institution providing the data has personal, professional, or familial ties to the customer: if such ties exist, measures must be taken to ensure that the issuer’s objectivity remains unquestionable and its dealings are at arm’s length, with no undue influence on the contents of the data and no manipulation of the data. The existence of familial, personal, or professional ties might put the data independence factor of customer information at risk, lowering the Digital ID system’s assurance level and making it unreliable for CDD purposes.

Influence Resistance

The likelihood of undue influence by the customer on the data issuer: this must be tested by Regulated Entities to ensure that the issuer does not succumb to influence and that the digital ID system and framework are safe from the influence of customers and affiliates in an advantageous position, such as politically exposed persons (PEPs), who may influence the digital ID system’s personnel to manipulate or forge any materially relevant information that can bear legal consequences for them.

High Standards of Data Reliability and Independence

Regulated Entities need to ensure that they conduct CDD through digital ID systems that adhere to high standards of Data Reliability and Independence.

Government-issued information or data is generally considered the most reliable and independent: a legal entity customer or natural person customer undergoes a high level of scrutiny in order to obtain a government-issued document that can be used for identification purposes, such as a passport, driver’s license, national ID card, certificate of incorporation, trade license, etc. Government-issued IDs and information are treated as the holy grail because they are issued after high standards of security checks, which grant increased data reliability and independence that is free from bias.

High Standards of Data Reliability and Independence

The compliance officer is responsible for reporting compliance reports indicating identified risks to the board to ensure the board is fully aware of the entity’s affairs, enabling them to make informed and appropriate decisions. These reports should include updates on changes to laws and regulations that require immediate action, ensuring the entity remains compliant and responsive to legal requirements.

In addition to compliance reports, audit reports should also be presented to board members, providing an independent assessment of the entity’s policies, procedures, and controls for comprehensive decision-making.

CDD With Reliable and Independent Customer Data: A Way Forward

Data reliability and independence play an important role in the CDD process, ensuring that compliance requirements in terms of AML/CFT laws, data privacy, and cybersecurity are adequately met.
