The recent approval of amendments to the Money Laundering (Jersey) Order 2008 by Deputy Miller will introduce a number of important changes to this cornerstone piece of local legislation from the 1st September 2023. In this article we seek to explore the impact it may have on the uptake of Regulatory Technology (RegTech), specifically the change in relation to Digital ID systems.
Article 3 (Meaning of Customer Due Diligence Measures), which sets out the purpose, method and standards for customer due diligence, is altered by amendment 3. This adds paragraph 4A to Article 3 of the Order so that it now states:
“For the purposes of paragraph (4)(b), a digital identification system that complies with the FATF Guidance on Digital Identity published on 6th March 2020 as amended or replaced from time to time constitutes a reliable and independent source.”
Digital ID systems (also known as eID systems) are not new, but uptake in Jersey appears to have been limited to those who were prepared to accept the risk that any system’s ability would be as good as, if not better than, the manual and documentary processes already in place. Early adopters of eID technology would also have to be convinced that system performance would satisfy regulatory scrutiny. As with many technological advances, there often needs to be a critical mass of adopters who begin to accelerate any tech trend toward standard practice. You only have to look at the divergence in success levels of innovations, such as the dominance of the iPhone versus the abject failure of the Google Glass headset. Availability and choice of systems can also be a factor in uptake, but in the case of eID there is already a range of solutions on offer. Covid-19 also undoubtedly accelerated interest in eID RegTech, but it still didn’t provide enough momentum to break through the barriers to implementation which would see the use of eID systems become commonplace.
In 2022 the JFSC commissioned a report from RegTech Associates which examined the use of RegTech in Jersey in significant depth. In that report, the barriers to RegTech adoption perceived by the businesses surveyed included:
- A lack of regulatory encouragement to adopt RegTech (37.3% of respondents)
- A need for clear guidance on regulatory technology standards (32% of respondents)
- Fear that RegTech projects will not meet their compliance needs (16% of respondents)
While the amendment to the Order might not go as far as some would like, it does begin to address these barriers. The FATF Guidance named in the amendment can be found here bit.ly/479Bx28 and clearly sets out FATF’s expectations for eID systems. It provides information that should offer sufficient assurance to businesses that an eID system could be suitable for use.
As a high-level summary, Appendix A of the report provides detail on the functionality of an eID system, stating that Digital ID processes should have the following two components as a minimum:
1) Identity proofing and enrolment – The ‘who are you?’ of the processes. Collecting, validating and verifying information to associate it to a single individual;
2) Authentication – The process where the ID claimant can confirm that they are the person to whom the ID credential was issued.
There is also an optional, but potentially powerful, third process which covers credential portability. This allows a business to use a credential for new, unrelated customer relationships. Examples of this portability can already be seen in Jersey (Yoti and JerseyMe among others). Not only does this keep matters simple for customers but also further supports moves toward more ambitious FinTech developments such as Open Banking.
Appendix E of the report goes into greater technical detail, covering assurance frameworks and technical standards which should allow gap analysis between standards and systems to take place. It is important for IT, cybersecurity and compliance staff to collaborate over any such analysis as the standards require careful thought across these disciplines.
The FATF Guidance should also be read, considered and acted upon as a whole. A digital ID system used to conduct CDD must rely upon appropriate technology and adequate governance, along with processes and procedures for operation, to provide confidence that the system will produce accurate results. Businesses must ensure the operation of any proposed system is within their risk tolerance, but it should be noted that the FATF Guidance is clear that introducing an eID system is not inherently risky. The Guidance clarifies that “non-face-to-face customer-identification and transactions that rely on reliable, independent digital ID systems with appropriate risk mitigation measures in place, may present a standard level of risk, and may even be lower-risk.”
It will be interesting to see if the changes to the Order present a tipping point for eID adoption in Jersey. While it may not generate immediate spikes in uptake, the changes do offer a framework on which businesses can start to take a more informed position.
If you’d like to discuss the changes to the Order and the implications for your business, please get in touch.