When Must KYC Documents be Certified as True?

In the current environment of the COVID-19 pandemic, the vast majority of business is done on a non-face-to-face (“NFTF”) basis; we could say that the future of business has been accelerated in many ways. However, the Financial Action Task Force (the “FATF”) Recommendations still include NFTF business relationships or transactions as examples of potentially “higher risk scenarios” for money laundering and terrorism financing. As a result, financial institutions (“FIs”) continue to be expected to comply with applicable anti-money laundering (“AML”) and counter-terrorism financing (“CFT”) requirements that are increasingly difficult to follow.

One of the most onerous compliance issues in today’s environment is the requirement to sight original Know Your Customer (“KYC”) documents or have such documents certified as true (the “Certification Obligation”). In this article we discuss the background of this requirement and how financial institutions can comply with the applicable notices and guidelines.

NOTICES AND GUIDELINES ON AML AND CFT

The Monetary Authority of Singapore (the “MAS”) publishes distinct AML/CFT notices for FIs, which vary depending on the activity for which the entities are regulated. The MAS also provides guidelines to be read in conjunction with each notice. For the purpose of this article, we will refer to MAS Notice 626 (the “Notice”) and the applicable guidelines (the “Guidelines”), which apply to banks. Our analysis applies to all financial institutions, including capital markets intermediaries, fund management companies and companies licensed under the Payment Services Act, except for special considerations relevant to virtual asset service providers (“VASPs”), which we further discuss below.

THE EXPECTATION TO RECEIVE ORIGINALS OR CERTIFIED COPIES AS PART OF KYC

The Notice does not explicitly require FIs to obtain original or certified copies of documents in the course of onboarding a customer. Pursuant to paragraph 6.9 of the Notice, banks are required to verify the identity of a customer “using reliable, independent source data, documents or information” (emphasis added).
However, paragraph 6-6-6 of the Guidelines (the “MAS’ Reliability Guidance”), which addresses “reliability of information and documentation”, says:

“Where the customer is unable to produce an original document, a bank may consider accepting a copy of the document –
(a) that is certified to be a true copy by a suitably qualified person (e.g. a notary public, a lawyer or certified public or professional accountant); or
(b) if a bank staff independent of the customer relationship has confirmed that he has sighted the original document.”

Accordingly, the starting, academic position when developing a FI’s AML/CFT policies and procedures is for the FI to receive original or certified as true documents whenever possible, subject to the FI’s ability to utilize a risk-based approach.

TAKING A RISK-BASED APPROACH

The Notice groups customer due diligence processes into three categories: (1) simplified due diligence (where the FI believes the risks of money laundering and terrorism financing are low), (2) regular due diligence and (3) enhanced due diligence (where the money laundering and terrorism risks are identified to be higher). Utilizing a risk-based approach, FIs often do not require sighting original documents or having them certified as true in cases of simplified due diligence. Furthermore, in our ever-digitized world, numerous documents are already available online from government sources and thus can be generally treated as originals for KYC purposes.

Everyone involved in a customer onboarding (including the front office, the compliance function and the customer) is happier when a new customer is determined to be eligible for simplified due diligence. Nevertheless, there are various reasons that new customers (individuals and corporates) may not qualify for simplified due diligence, including their country of citizenship/incorporation, their country of residence/primary place of business, the amount of business they expect to transact with an FI, and other factors. Depending on the typical profile of an FI’s client base, it may be unusual for simplified due diligence to be applicable.

For cases of regular and enhanced due diligence, FIs often choose to strictly follow processes suggested in the Guidelines. Among other reasons for such strict compliance, the MAS has written: “The degree of observance with these guidelines by a bank may have an impact on the [MAS’] overall risk assessment of the bank, including the quality of its board and senior management oversight, governance, internal controls and risk management.”

Question: Who wants to be the compliance officer that relaxed measures for a case of regular due diligence which resulted in adversely impacting the MAS’ overall risk assessment of the FI?
Answer: Nobody, which is why the practicalities of regular due diligence and enhanced due diligence can be so painful for customers.

NON-FACE-TO-FACE (“NFTF”) KYC

NFTF KYC is the process undertaken to conduct due diligence on a customer without any face-to-face meeting. The main risk of NFTF KYC described by the MAS is impersonation risk. Because of the perceived risk in onboarding a customer that is not “known”, the MAS requires FIs conducting NFTF KYC to perform customer due diligence measures that are at least as stringent as those that would be required to be performed if there was face-to-face contact. Moreover, the MAS generally advises FIs to exercise greater caution when dealing with an unfamiliar or new customer. As a result, onboarding a new customer via NFTF KYC can never be presumed to be low risk. Still, we note that the FATF encourages the use of responsible innovative solutions for identifying customers at onboarding and while conducting transactions.

It should not be forgotten that the risks of NFTF KYC apply to onboarding of both individuals and corporates. For the onboarding of corporates, most FIs would classify that KYC as face-to-face if they have met with at least one authorized representative of the corporate. While we agree with this view, some NFTF risks remain with respect to the relevant individuals of the corporate that the FI does not meet in person.

MITIGATING THE RISK OF NFTF KYC AND THE CERTIFICATION OBLIGATION

In Paragraph 6-11-3 of the Guidelines, the MAS lists six measures that FIs could consider using to reduce the risk inherent in NFTF KYC. Among the mitigating measures listed (the “Measures”), which do not preclude the use of other measures not listed, is the provision of certified identification documents by lawyers or notaries public.

On this basis, we take the view that (1) Paragraph 6-11-3 of the Guidelines envisages that FIs will not always receive original or certified as true documents in their KYC practices and (2) adhering to the Certification Obligation is not categorically necessary for purposes of complying with the MAS’ guidance on NFTF KYC.

However, this does not preclude the FI having to comply with the Certification Obligation pursuant to the MAS’ Reliability Guidance.

THE CONTINUING EXPECTATION TO OBTAIN ORIGINAL OR CERTIFIED AS TRUE DOCUMENTS

The MAS’ Reliability Guidance does not include the Mitigating Measures as options to address ensuring the reliability of information. Therefore, we take the view that the MAS’ Reliability Guidance is unaffected by the ability of an FI to address the risks of NFTF KYC without obtaining original or certified as true documents. We also refer to the FATF’s Paper (the “Paper”) on COVID-19-related Money Laundering and Terrorist Financing – Risks and Policy Responses, published in May 2020. In Section 4 of the Paper, the FATF suggested that with respect to verification provisions for new business relationships, FIs can potentially accept digital copies of documents as an interim measure, “with the originals to be sighted in due course” (emphasis added).

CERTIFICATION LOGISTICS

If a document is certified as true (1) by a person who is not suitably qualified to offer such a certification or (2) without the certifier having seen the original, the certified document does not satisfy the MAS’ Reliability Guidance. However, in order to establish whether a certification was done correctly, an FI has to conduct due diligence on the certifier and his process. Absent such diligence, it would be relatively easy for a bad actor to impersonate a suitable certifier. An FI should also consider whether it can rely on a copy of the certification or requires the certifier to send an original to the FI in due course.

CONSIDERATIONS FOR VASPS

The MAS and the FATF have assessed virtual asset activities to present higher money-laundering and terrorism financing risks. Therefore, it is an open question whether VASPs have any customers or conduct any business that is suitable for simplified due diligence. While the applicable MAS notices and guidelines have been published, to date no VASP has received a license under the Payment Services Act. As a result, there is no established best practice for when a VASP can conduct simplified due diligence or consider waiving the Certification Obligation on a risk-based approach here in Singapore.

CONCLUSION

The Certification Obligation is a nuanced and nuisance issue, including the fact that one could argue that it is not strictly an “obligation”. For organizations that want to explore alternatives to the Certification Obligation on a risk-based approach, there are potential solutions that the FI can consider. To learn more, please reach out to us so we can buy you a coffee, virtual or otherwise.