Achieving Customer Due Diligence
“The AML/CTF Act covers the financial sector, gambling sector and bullion dealing and any other professionals or businesses that provide particular ‘designated services’. The AML/CTF Act imposes a number of obligations on businesses when they provide these designated services. These obligations include:
- customer due diligence (identification, verification of identity and ongoing monitoring of transactions)
- reporting (suspicious matters, threshold transactions and international funds transfer instructions)
- record keeping and
- establishing and maintaining AML/CTF program.”
Australian Government, Attorney General’s Department
The introduction of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) has required that the gaming industry know its customers extremely well. The new risk-based approach has put the onus on gaming operators to determine the probability of “whether providing a designated service to a customer may facilitate money laundering or terrorism financing.”
Conformance to the legislation demands the adoption of a formal program for verification of a customer’s identity. Name, date of birth and/or residential address are stipulated as the minimum proofs required for every customer.
AusRegistrations is a Canberra-based service that provides organisations with a simple, low-cost solution to the problem of online identity verification.
AusRegistrations creates a database of links to a person’s existing electronic associations (i.e. any instance where an individual has identified themselves to an organisation). These associations may include electronic relationships with government authorities, utilities, financial institutions, a local club or any other commercial interest. The common factor in all such associations is that, in each one, the person has had to prove their identity before the relationship could be acted upon.
Through AusRegistrations a person voluntarily allows specified organisations to access this already-verified identification data. The person may also choose to add biometric data to their records – such as registering their “face” by including an approved photo or recording their voice print. This image or print is then confirmed as belonging to that individual by someone in a position of authority, such as the person’s accountant, tax agent, lawyer, school teacher, lecturer, minister of religion etc.
At all times security measures ensure that the individual – and only the individual – controls access to their complete collection of associations.
The result is the individual’s ability to prove their identity over the telephone or while online.
The system is designed in such a way that a person can be represented in the database once and once only, removing the opportunity for identity fraud. Inbuilt security procedures make identity theft exceedingly difficult.
AusRegistrations conforms to all Australian privacy requirements. It is simple for people to use; it is inexpensive for organisations; and it provides a legally-accepted electronic proof of identity for an individual.
How the system operates
Most people already have some form of electronic identification. At present this identification is kept by the organisation with which the individual has a relationship – for example, the Australian Tax Office.
AusRegistrations provides a way for only the individual and the organisation involved to access the information. This then gives the person a means of accessing and sharing certain proven electronic data, such as identification information.
This is done by the person registering their relationship(s) with AusRegistrations, and requesting access to any information the organisation may hold about him or her. Using the ATO example, a person would prove to the ATO, via AusRegistrations, that they have the right of access by supplying information such as their name, address, how they can be contacted, their tax file number and a sequence number from their last tax assessment.
If this is the first time a person has used AusRegistrations to register an association with an organisation, then an “access” AusRegistrations electronic record is established which contains methods that the person can use to prove they have the right to access the information. Initially this might be a simple numeric PIN, the person’s voice print, or the possession of a mobile phone, or a combination of all these items.
The person may now register additional associations with other organisations or people as required. For example, if a person has an electronic identity with an organisation such as a bank, then the person identifies themselves in the normal way to the bank and can request that their association with the bank be registered. That is, they log on to the bank system, prove they have access to their other records and prove that the information held about them by other organisations matches the information held by the bank.
For greater versatility, the person may then add and have verified a photograph and/or voice print. This allows the individual to prove their identity regardless of whether transacting online, over the telephone or in person.
Ultimately all associations that a person has with all organisations can be recorded in AusRegistrations, creating a secure, private register. This register is controlled by the individual and holds none of the actual data about the person. Instead it is simply a central record of the right-of-access to a multitude of associations.
AusRegistrations for Organisations who need to conform to the AML/CTF legislation
AusRegistrations can be used to achieve any level of electronic identity verification required by any organisation. For illustration we use online gaming. For gaming organisers AusRegistrations can establish a customer’s identity to an agreed level of authenticity for each type of customer, giving added surety to telephone or online transactions. Every time a customer electronically “signed” to deposit or withdraw money from their account, for example, AusRegistrations would confirm their voice print or online identity.
New customers to online gaming agencies could be referred to AusRegistrations for initial identity verification and registration. Existing customers would also be invited to register, enabling easy electronic signing of all their ongoing transactions.
Using AusRegistrations, every customer’s identity would be confirmed via three separate verified sources:
- address data to be verified using two separate data sources, plus
- proof of date of birth and/or name and address to be provided by a third association.
The last verification can be made using AusRegistrations’ associations where the customer has had a transaction history with the data source for at least three years.
While three separate verifications exceed the legal requirement, they can be conducted quickly and simply without inconveniencing the customer and will provide additional assurance to the gaming operator.
There are numerous ways in which these verifications can be made once a customer registers with AusRegistrations. Examples include:
- Name, address and age verification through the Australian Electoral Commission. The customer claims they have a name, an address and are registered to vote. They put this up on AusRegistrations, attaching their voice print to the assertion. AusRegistrations checks the data against the electoral database. Given voting requires a person to be over 18, this process provides confirmation that the individual is of age to participate in gaming.
- Name, address and phone number verification through the phone book. The customer claims they have a name, an address and a phone number. They put this up on AusRegistrations, attaching their voice print to the assertion. AusRegistrations checks the data against the online white pages.
- Name, address and age verification through a credit card. The customer asserts their name and address, claiming they have a credit card in that name. They sign the claim with their voice print. With their permission, AusRegistrations takes a random amount of money from their claimed credit card and the customer reports how much money has been taken. Once again, proof of credit card ownership confirms the customer is over 18 years of age. The money taken can be later credited against another transaction.
- Name and address confirmation through a bank account. The customer claims to have a bank account. AusRegistrations deposits a small amount of money into the account along with a code that appears on the statement. The person reports the amount, the code and signs with their voice print.
- Passport verification. A customer asserts they have a passport, discloses certain details from it and signs the assertion with their voice print. They then ask a person who knows them to sign that the details are correct and they have seen the passport. The person who verifies must be known to AusRegistrations, already having been through the verification process.
- Employer confirmation. The customer asserts they are employed by an employer in a particular role. They ask the employer to sign that they are indeed employed. The person signing for the employer must be verified via AusRegistrations.
- Educational details. The customer asserts they are enrolled at a tertiary institution and asks the institution through AusRegistrations to verify that they are enrolled or that they have received an award.
- Other online betting account. The customer states that they have a verified betting account with an online betting agency. They sign the assertion and AusRegistrations checks with the betting agency.
Identity verification through LinkedIn
LinkedIn provides a method for an individual to identify themselves through their associations with others. The individual asserts they have associations registered with LinkedIn. They supply their LinkedIn URL and register it with their voice. AusRegistrations checks these associations and contacts one or more of the associates of the individual independently to verify the identity of the person.
A system to significantly reduce fraud
As stated earlier, a critical factor in reducing fraud is AusRegistrations’ ability to ensure that there are no duplicate registrations and that a person may only be represented in the database once.
This is achieved using biometrics such as voice prints and photographs when establishing a person’s identity. Whenever such data is included in an AusRegistrations record, it is cross-checked against all others in the system to ensure no duplication. Similarly, when a person registers with an organisation that requires photo identification, the photograph can be cross-matched against all other photos held by the organisation and an automatic alert raised if any two photos appear to be the same. Voice prints may be used in the same way as photographs, bringing even greater security to telephone gaming transactions.
Biometrics aside, the complexity of recording multiple associations means that it is extremely difficult for one person to hold more than one AusRegistrations record. If a person had two distinct sets of registration records then they would need to have the collaboration of many other people in multiple organisations.
Why is it difficult to steal an electronic registration?
For a person to steal an electronic registration, they must take over all the associations and alert all parties to an association change.
For example, if one person somehow managed to gain access to another’s registrations, gaining control would still require changing the photo image and all the different associations. If a photo image is changed, each person or organisation with whom an association has been established is asked to verify that the changed image is still of the same person. Such measures are necessary because as people get older, their images will change or their image may be altered through an accident.
When a person dies, an association is established with the Death Certificate Registry and it becomes impossible for the person to change the various associations or act on those associations within AusRegistrations.
With AusRegistrations we establish that the same person, as evidenced by their voice print, has verified relationships with three independent organisations. We also know that this person is highly unlikely to have another identity in AusRegistrations because we check all information and the voice prints to check that this person is unique.
If this person is suspected of laundering money then the surveillance authorities are alerted. Authorities will locate the person using the information established through AusRegistrations; through one or more of the relationships established through AusRegistrations; or through one or more of the transactions they perform.
The critical element is that it is one person with a number of relationships and that from those relationships they can be located. They cannot hide or establish other relationships under a different identity.
AusRegistrations conforms to all Australian privacy legislation. A full copy of our Privacy Impact Assessment can be obtained on request, or viewed at http://www.edentiti.com/privacy_policy