interactive workshop: digital identity and ekyc how to look at...

1/22/2020

1

1

Interactive Workshop: Digital Identity and eKYCHow to Look at the Growing Technology Requirements and

Financial Crime-related Risks互動研討會：電子身分與電子化了解您的客戶 (eKYC)如何看待逐漸提升的技術需求及金融犯罪相關風險

Moderator 主持人：Dr. William Scott Grob, CAMS-FCI, AML Director – APAC, ACAMS公認反洗錢師協會亞太區反洗錢合規策略總監高威廉博士 (CAMS-FCI)

Speakers 講者：Brian Huang, Chief Compliance & AML officer, Cathay United Bank國泰世華銀行總機構法遵主管暨洗錢防制專責主管黃允暐YU Man Him, CAMS, Partner, Forensic & Integrity Services, Greater China., Ernst & Young Advisory Services Limited安永（中國）企業咨詢公司法政調查服務合伙人余文謙 (CAMS)

16 January 2020

2

1/22/2020

2

ACAMS 11th Annual Taiwan Conference – “Enhanced AML and Financial Crime Tools & Techniques”

3

Analyzing how digital identities and eKYC fields used in digital banking and compliance systems分析數位銀行及法規遵循制度如何應用電子身分與電子化了解您的客戶 (eKYC)

Reviewing examples for practical guidance on how to strengthen AML/CTF requirement in digital channels參閱實用指引的範例，瞭解如何加強數位通路的防制洗錢 / 打擊資助恐怖活動的必備條件

Detailing technology and project management best practices for understanding potential AML vulnerabilities詳細說明技術與專案管理最佳實務，以利理解防制洗錢的潛在漏洞

Agenda


92 04 39

4

1/22/2020

3


5

What do you want to learn from this workshop?您想從這次研討會中學到什麼？

a) Increased awareness 增強意識

b) Know the pros and cons 了解優點和缺點

c) The vulnerabilities 漏洞

d) The impact to my job 對我的工作的影響

e) The technology 技術

Question 1


FATF DRAFT GUIDANCE ON DIGITAL IDENTITY

6

Digital ID systems use electronic means to assert and prove a person’s official identity in online (digital) and/or in-person environments at various levels of assurance.

In NIST digital ID Guidelines, digital ID systems involve two essential components: Identity proofing and enrolment (with initial

binding/credentialing) Authentication and identity lifecycle managementAnd one optional componentPortability and interoperability mechanisms

1/22/2020

4



7

Digital ID relevant technologies include:

• a range of biometric technology

• the near-ubiquity of the Internet and mobile phones (including the rapid evolution and

uptake of “smart phones” with cameras, microphones and other “smart phone”

technology)

• digital device identifiers and related information (e.g., MAC and IP addresses; , mobile

phone numbers, SIM cards, global position system (GPS) geolocation);

• high-definition scanners (for scanning drivers licenses and other ID);

• high-resolution video transmission (allowing for remote identification and verification

and proof of “liveness”);

• artificial intelligence/machine learning (e.g., for determining validity of government-

issued ID);

• and distributed ledger technology (DLT)


DIGITAL IDENTITY in Taiwan

8

• Electronic Signature Act(2001 Nov.14)電子文件 Electronic record電子簽章 Electronic signature數位簽章 Digital signature加密 Encrypt憑證機構Certification service provider憑證Certificate

• Nature Person Certificate 自然人憑證

• National Health Insurance IC card 健保卡

• National Identification IC card國民身分證IC卡 ( planned to issue in 2020)

1/22/2020

5


DIGITAL IDENTITY relevant regulations

9

Bankers Association self-regulations:•金融機構辦理電子銀行業務安全控管作業基準Different risk level transaction requirements

•銀行受理客戶以網路方式開立數位存款帳戶作業範本Different Certification requirements for Digital Deposit account

Opening



10

Digital Identity on FATF standards on CUSTOMER DUE DILIGENCE

Recommendation 10 (a) permits financial institutions to use “documents” as well as “information or data,” when conducting customer identification and verification.

• “Reliable, independent” identity evidence • Risk-based approach to CDD • Non face-to-face business relationships and transactions

1/22/2020

6



11

Recommendation 10 (d), regulated entities must conduct “ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, their business and risk profile, including, where necessary, the source of funds.”

• Ongoing due diligence on the business relationship • Customer Profiling using digital track• Transaction Pattern• Behavior Analysis (Usage pattern, Locality, “source of funds”)• Relationship Analysis • Machine Identity (cookies, Cell phone version, Browser version…)• Common Identities (email, phone, address, password(?), common settings…)


BENEFITS OF DIGITAL ID SYSTEMS FOR AML/CFT COMPLIANCE

12

Potential Benefits• Strengthening CDD

• Minimise weaknesses in human control measures

• Improve customer experience and generate cost savings

• Transaction monitoring

• Financial inclusion

1/22/2020

7


Risks and Challenges OF DIGITAL ID SYSTEMS FOR AML/CFT COMPLIANCE

13

Risks and Challenges

• Identity proofing and enrolment risks

• Impersonation risks and synthetic IDs (involving cyberattacks, data protection and/or security breaches)

•Authentication and identity life cycle management risks


Best Practices

14

Key Steps by Team work

• Identifying the risk of new technologies adopted

•Analysis the necessary mechanism(s) to mitigate the risk , when enjoying the benefits from using new technologies

•Periodical Review of Effectiveness / Efficiencies

1/22/2020

8


Digital identity and eKYC: How to look at the advancing Reg/AML technology in mitigating financial crime risks?

• Manhim Yu

• Partner, Forensic & Integrity Services

• Ernst & Young Advisory Services Limited

• 16 January 2020

15


Contents

1. Digital identities and eKYC

2. Advanced technology for AML/CFT controls

16

1/22/2020

9


Digital identities and eKYC

17


Transition from traditional KYC to eKYC

Face-to-face customer onboarding

Manual verification of identification documents

Manual screening and adverse news search

Information extractionOptical character recognition (OCR) to extract information from ID Document

Remote customer onboardingUse of electronic channels such as mobile application for customer onboarding

Identity authenticationVerification of ID document to ensure validity

Automated screening and monitoringIntroduce technology such as RPA into screening and transaction monitoring system

Identity matchingSelfie capture and liveness detection to ensure facial recognition matches with ID document

Transition of traditional KYC to eKYC

18

1/22/2020

10


Underlying Risk of eKYC

Below diagram shows the underlying risk of eKYC:

19


Ways to mitigate the risks of eKYC

Impersonation fraud

Technology risk

Data privacy and cybersecurity

Evaluate the adequacy of cybersecurity regarding customer onboarding and develop respectivemaintenance plans

Ensure privacy of customers are well-protected through implementation of IT controls.

Establishment of robust transaction monitoring system tailored to the characteristics of various paymentchannels is essential to ensure that these payment channels will not be exploited to facilitate thelayering of transactions to obscure the source or destination of funds.

Expanded payment channels

Make use of data from multiple sources through the adoption of a comprehensive database andincorporate qualitative checks to ensure information supplied for KYC is true and genuine.

Ensure technology deployed is sufficient to authenticate the customer.

Ensure eKYC technology (e.g., liveness detection for facial recognition) has been tested thoroughly priorto launch;

Assess risk and equip skilled personnel;

Design a comprehensive back-up plan in case of technology failure.

While connectivity is enhanced by facilitating businesses through a digital platform, it also implies thatcustomer on-boarding could be completed non-face-to-face, anywhere, anytime. Enhanced due diligencemeasures should be implemented to ensure that customer’s identity is legitimate prior theestablishment of business relationship.

Geographical risk

Emerging risks How to mitigate the risk?

20

1/22/2020

11


Advanced technology for AML/CFT controls

21


Robotics Process Automation (“RPA”) consists of software that mimics human interaction with core systems, web, and desktop applications to executeprocesses in a repetitive, audited and controlled manner. Robots are a virtual workforce that sit alongside existing infrastructure.

Below are the common areas where RPA is used:

Financial crime robotics

22

1/22/2020

12


Benefits of using robotics automation in financial crime compliance

23


Robotics process in customer due diligence process

1. Identify the customers 2. Verify the identity of the customers 3. Name screening for sanctions / PEPs

4. Obtain information on source of funds /

source of wealth6. Negative news search7. Senior management approval 5. Obtain information on reasons for intended

or performed transactions

When EDD procedures are necessary

Defined RPA/ Bots

Below is an illustrative example of the use of robotics in the customer due diligence process:

Below is an illustrative example of the use of robotics in the customer due diligence process:

24

1/22/2020

13


Robotics process in transaction monitoring alert clearanceLevel 1 investigation

Below is an illustrative example of the use of robotics in the transaction monitoring alert clearance process:

Defined RPA/ Bots

Investigators

25


Defined RPA/ Bots

Investigators


26

1/22/2020

14


Defined RPA/ Bots

Investigators


27


28

What additional information would like to know?您想知道哪些其他信息？

a) More on the regulation有關法規的更多信息

b) Impact on my AML program 對我的反洗錢計劃的影響

c) Privacy concerns 隱私問題

d) Risk assessment concerns 風險評估關注

Question 2

1/22/2020

15


Digital Identity Risk Assessment 電子身分風險評估Customer 顧客

Biographical Data 傳記資料

Attached documents 附加文件

Photo /Video 照片/視頻Passport / National ID 護照/身份證

Time 時間Place 地點Device 儀器

Legal Name合法姓名Date of Birth / Age出生日期/年齡Legal address 地址Citizenship / Jurisdiction國籍/管轄權National ID number身份證號碼Telephone 電話號碼Email address 電郵地址

Disclosure 公開

Capture Attributes 採集屬性

User Consent 用戶同意

Identity Number身份證號碼

Application Password 申請密碼

Unique ID # / Acct # 獨特身份證號碼

Credential Testing 憑證測試

Security 安全性

Device儀器

Device of use 儀器用途

Device of residence儀器產地

Device of user 儀器用者

Device number儀器號碼

Device stable IP address儀器網際網路通訊協定地址

Location位置

Country of use 使用國家

Country of residence 居住國家

Current GPS 當前的GPS

Scope of use 使用範圍

Inclusion / Exclusion 包含/排除

Area of Use Authentication 使用認證範圍

Device Authentication 設備認證

Jurisdiction Authentication 司法管轄區認證

Facial 面部Voice Fingerprint Retina 視網膜

Cookies 網路跟蹤器

User Authentication 用戶認證

Trust Score 信任分數

Product / Service 產品/服務

Product attributes 產品屬性

SIM card registration SIM卡註冊

29

Facial 面部Voice 指紋Fingerprint 指紋Retina 視網膜

Step 1 – Assess the customer, product,

geography, channel, and device features

步驟1 –評估客戶，產品，地理位置，渠道和設備功能

Step 2 – Assess

the risk

步驟2 –評估風險

Step 3 – Assess the risk

mitigation and controls

步驟3 –評估風險緩解和控制

Step 4 – Evaluate the overall

impact to the organization

步驟4 –評估對組織的總體影響


Inherent Threats 固有威脅

ID spoofing 身份欺騙

Device spoofing 設備欺騙

Insiders 內部人士

Counterfeit ID 偽造身份證

Substitutes 替代品

3rd Party use 第三方使用

Non activity 非活動

Fraud / Elderly abuse 欺詐/虐待老人

Romance fraud 網上情騙

Cyber attack 網絡攻擊

Misuse of an account 濫用帳戶

Controls控制

Digital KYC Policy 電子 KYC政策

Customer scoring 客戶評分

3rd reference checks 第三次參考檢查

Terms & conditions 條款及細則

Media screening 媒體篩選

Sanctions screening 制裁篩選

Simplified / Standard / EDD triggers簡化/標準/ EDD觸發器

Periodic Reviews 定期審查

Trigger events 觸發事件

Analytics

Change of Behavior 行為改變

Change of use 用途變更

Transactional Monitoring 交易監控

Quality Checks

Risk Appetite

Governance 管治

Audit / Assurance Reviews 審核/保證審查

Assessment Reviews 評估評論

Velocity of transactions 交易速度

Use by time / day patterns 按時間/日期模式使用

Pattern of use 使用方式

In / Out patterns 輸入/輸出模式

Rate of increase 增長率

% of high risk activities 高風險活動的百分比

Jurisdictions restrictions 轄區限制

Enhancements 增強功能

Limitations 局限性

Customer & Products 客戶與產品

Step 1 – Assess the customer, product,

geography, channel, and device features

步驟1 –評估客戶，產品，地理位置，渠道和設備功能

Step 2 – Assess

the risk

步驟2 –評估風險

Step 3 – Assess the risk

mitigation and controls

步驟3 –評估風險緩解和控制

Step 4 – Evaluate the overall

impact to the organization

步驟4 –評估對組織的總體影響

30

Digital Identity Risk Assessment 電子身分風險評估 (Cont’d)

1/22/2020

16


Key Takeaway (Mr. Huang)

31

• Knowing the new technologies

• Benefits, Risk and Challenges of adopting digital identities

• Regulations for digital banking are all important for AML/CFT

• FATF draft guidance on Digital Identity

• Best practices by Team Work!


32

Thank you!

Questions?

interactive workshop: digital identity and ekyc how to look at...

Documents