Identity verification & KYC requirements in the UK

The United Kingdom (UK) has the world’s seventh largest economy, is the largest financial services provider in the world and, according to the independent intergovernmental Financial Action Task Force (FATF), is “a global leader in promoting corporate transparency.”

Therefore, it’s not surprising that the UK has robust Anti-Money Laundering (AML) and Know Your Customer (KYC) laws and regulations. These include identity verification requirements, covering both individuals and businesses, that apply to organizations such as:

  • Credit and financial institutions
  • Payment companies
  • Electronic money institutions
  • Money service businesses
  • Gaming and casinos
  • High value dealers
  • Estate agents
  • Independent legal professionals who offer financial or real property transaction services

Note that different industry sectors can have different thresholds, standards and regulators, so it’s imperative to understand the specific requirements of the applicable sector.

Identity for financial services

The Financial Conduct Authority (FCA) — the UK regulator for financial services firms and financial markets — is well known for its forward-thinking approach to innovation. Consider the rate of fintech adoption: the UK ranks second highest among developed countries. Many new developments in the field, from the concepts of the regulatory sandbox and Open Banking to the idea of RegTech itself, originate from or are driven by the collaboration and engagement between the FCA and fintech companies in the UK.

The FCA, in general, favors a risk-based approach, focusing on the outputs rather than specific AML laws and rules; “firms must have in place policies and procedures in relation to customer due diligence and monitoring, among others, but neither the law nor our rules prescribe in detail how firms have to do this.”

In terms of performing proper Customer Due Diligence (CDD), there are three requirements according to the updated 2017 AML regulations:

 (a) identify the customer unless the identity of that customer is known to, and has been verified by, the relevant person;

 (b) verify the customer’s identity unless the customer’s identity has already been verified by the relevant person; and

 (c) assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction

While the law itself does not offer specifics, GOV.UK does offer a Good Practice Guide: Identity proofing and verification of an individual. The guidance specifically mentions checking an individual’s identity digitally as an option.

According to the guide, there are five parts of identity checking:

  • Get evidence of the claimed identity (“strength”)
  • Check the evidence is genuine or valid (“validity”)
  • Check the claimed identity has existed over time (“activity”)
  • Check if the claimed identity is at high risk of identity fraud (“identity fraud”)
  • Check that the identity belongs to the person who’s claiming it (“verification”)

One interesting observation is that not all steps must be performed at once. This speaks to the risk-based approach: as the risk level increases, the need for confidence in the identity increases, and thus more identity checks are called for. This type of approach aligns with onboarding best practices: signing up visitors quickly and easily and deferring complex requirements until later in the process.

This identity checking process calls on firms to collect various pieces of identity evidence to build an identity profile. The number of pieces, the score for each piece, and which part of the process is being checked all factor into a confidence level for that identity profile.

A critical element of identity checking is having an authoritative source for the information. Protecting the integrity of the information and ensuring that the information is up to date are powerful contributors to improving the confidence level.

Identity of beneficial ownership

Just as obliged entities must perform identity checking on individuals, they also need to do so for businesses. The 2017 AML Regulations provide more specific requirements:

Where the customer is a body corporate—

(a) the relevant person must obtain and verify—

(i) the name of the body corporate;

(ii) its company number or other registration number;

(iii) the address of its registered office, and if different, its principal place of business;

(b) subject to paragraph (5), the relevant person must take reasonable measures to determine and verify—

(i) the law to which the body corporate is subject, and its constitution (whether set out in its articles of association or other governing documents);

(ii) the full names of the board of directors (or if there is no board, the members of the equivalent management body) and the senior persons responsible for the operations of the body corporate.

To comply with the UK’s obligations under 4AMLD and 5AMLD, not only must the corporate information be acquired in the course of doing business, so must the beneficial ownership — “the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement.”

In the UK, a beneficial owner is referred to as a Person of Significant Control (PSC). PSC information, including the following, must be reported to Companies House, the UK register, within 14 days of any change:

  • Name
  • Date of birth
  • Nationality
  • Service address
  • Usual residential address (not disclosed)
  • Date they became a PSC
  • Type of PSC conditions
  • If there’s an application for public disclosure protection

Identity for gaming

The UK Gambling Commission is the regulator in charge of overseeing people and businesses that provide gambling in the UK. New identity verification requirements for licensed online gaming operators were mandated to take effect on May 7, 2019.

The new rules expressly prohibit any gaming activity before age verification, obligating gaming operators to refrain from accepting any bets before the user’s age is verified. There are also CDD requirements for those who meet a threshold limit of €2000, for those on a self-exclusion scheme, and on a risk-sensitive basis.

The rules require remote licensees to:

  • Verify, as a minimum, the name, address and date of birth of a customer before allowing them to gamble
  • Ask for any additional verification information promptly
  • Inform customers, before they can deposit funds, of the types of identity documents or other information that might be required, the circumstances in which the information might be required, and how it should be supplied to the licensee
  • Take reasonable steps to ensure that information on their customers’ identities remains accurate.

The future of identity

At the time of writing, it’s unknown how Brexit will play out, but the forward-thinking approach to regulations and technology is a significant positive for the UK. The country takes a balanced approach, allowing new financial technologies to sprout up and develop without over-regulating, ensuring international standards are met while delivering corporate transparency, and enabling gaming operators to deliver new and exciting opportunities while still providing oversight. This balanced approach is creating vibrant, growing sectors. A balanced approach to identity — encouraging new online services while simultaneously fighting fraud and money laundering — is a smart strategy that serves consumers, businesses and governments.