By Paul Weathersby, Senior Director Product Management, LexisNexis® Risk Solutions
The Fifth Anti-Money Laundering Directive (5AMLD) presents a significant opportunity for companies to change the way they verify customers’ identities online and meet their compliance obligations. The directive became European Union (EU) law last July, and following a consultation by the United Kingdom’s (UK’s) HM Treasury in April, it will be transposed into UK law in less than three months, on January 10, 2020. This will happen regardless of the Brexit outcome, and organisations need to be prepared to comply.
Along with numerous measures designed to combat the funding of terrorism, much of the directive is, unsurprisingly, concerned with further tightening controls designed to prevent money laundering, which, according to government estimates, costs the UK at least £37 billion every year. 5AMLD brings cryptocurrencies and virtual-asset service providers, such as digital exchange platforms and high-value art dealers, within the scope of the regulations. It also establishes a new interconnected network of national bank-account and transaction registers; bans anonymous safe-deposit boxes; and increases the due diligence required for business relationships or transactions involving high-risk third countries.
The provisions on digital identity verification are different, though. While they don’t relax the obligations on businesses to identify and verify their customers, the directive recognises that these requirements can be met through digital means. Many firms have been using electronic methods to confirm identity for some time, but it is the first EU money-laundering directive to specifically highlight the use of “electronic verification” for identity, providing clarity to those regulated industries. Rather than tightening controls, these provisions are, therefore, primarily focused on making life easier for customers in the Digital Age. However, it may take some time before this is achieved in the UK.
Digital pioneers
Beyond providing for its use, 5AMLD is fairly light on details as to the requirements of the electronic identification-and-verification method, other than asserting that it is “secure” and approved “by the national competent authority”. Instead, these requirements are mostly found in the EU’s eIDAS (Electronic Identification and Trust Services for electronic transactions) Regulation, which has been in effect since 2016.
It is this regulation that has provided for the establishment of the federated identity schemes used in various countries across the public and private sectors. Such initiatives see individuals establish and verify their identities (in accordance with the rules under the Fourth Directive) to create an account, and this can then be used to verify their identities with a range of other organisations. Effectively, it allows customers or those using government services to go through the process of identifying themselves (providing identity documents, proof of address, etc.) just once rather than repeating it each time they want to access a different service.
Across Europe, a number of schemes are up and running; these include Estonia’s e-Residency scheme, set up by the government, and the bank-led scheme—BankID—in Norway.
However, the progress toward greater use of digital identities in the UK has been much slower. We do have the government-backed Gov.UK Verify scheme, which provides a digital identity that can be used for some benefits, taxes and state-pensions services. Even on its own terms, though, this has significantly underperformed. A review by the National Audit Office (NAO) earlier this year revealed that the number of people and government services using it was less than a fifth of the early targets for the scheme.
Furthermore, while this could, in theory, be put to commercial use, to date its use is restricted to the public sector, and in fact, even there to just one government department: The Department for Work and Pensions.As of February 2019, there were just 3.6 million people verified under the service.
A late bloomer
There are a number of reasons why progress in the UK has been slower than elsewhere. Culturally, there may be some resistance, as we have seen when historical attempts to create a national identification scheme have failed. Also, in comparison to countries such as Norway, the UK is more heavily populated. The Nordic countries combined have fewer than half of the number of people in the UK. Estonia has a population of just 1.3 million. Therefore, establishing digital identity schemes to serve the UK’s population of 52 million adults is, naturally, a more challenging proposition, and it will take time.
It’s certainly very early days. At present, the legal structures that 5AMLD envisages aren’t even in place. As stated, the directive provides that electronic identification processes must be “regulated, recognised, approved or accepted at (the) national level by the national competent authority”. In the UK, at present, this “national competent authority” arguably does not exist. {The government’s consultation, noting that approval could be implicit, suggested that standards approved by the Treasury and set out by bodies such as the Joint Money Laundering Steering Group (JMLSG) could constitute implicit recognition.}
There also remain uncertainties as to how the law would operate in any dispute once the schemes are up and running. Should a federated electronic service fail to properly check identities, leading to a regulatory breach, who would be liable? The directive and the Treasury are silent on this point, but the suspicion must be that it will be the business relying on it (rather than the scheme provider)—both because of the general principle that organisations cannot outsource their regulatory responsibilities and because the losses that could result from a significant failure in a digital identification-and-verification scheme could potentially be too big for a scheme provider to bear.
These challenges perhaps explain why we have seen relatively little in the way of digital identity services offered by technology providers, and, more to the point, relatively little demand, as yet, from businesses for these.
Demand-led growth
That will change, however. For a start, for all of the challenges, there are benefits to businesses from moving to electronic identification and verification. First, it cuts costs. Saving consumers from entering, uploading and sending the same information repeatedly saves businesses from many of the jobs and costs associated with processing that information. An analysis of the Nordic’s federated electronic identities (e-ID) schemes points to savings of €10 million a year in Norway alone from the move to 100-percent paperless mortgage applications. And Norway is a country with a population of just 5.3 million people.
The second benefit is arguably more important, however, as it boosts sales. Applications are much more likely to be completed by those using such a scheme. According to one bank in the same analysis, eight out of ten consumer loan applicants using a federated service completed their applications against just five out of ten for those not using one. For car loans, the respective ratios were seven out of ten for scheme users against two out of ten for others.
But even this is really just a reflection of the key reason electronic verification is here to stay and will only grow in use. That key reason is its popularity with customers. It is much more convenient for them and provides a faster, simpler, better experience. Once even a few businesses offer it, customers will increasingly demand it—and if it’s not available, go elsewhere.
Businesses will, therefore, have to embrace these digital technologies if they want to survive and thrive—it’s just a question of when. It seems unlikely that there will be any competitive advantage from leaving it late.