Object of the identification and identity verification: Comments and recommendations
Introduction: the risk-based approach in performing the obligations to identify and verify the identity of the persons involved in a business relationship or occasional transaction
The previous AML/CFT regulations detailed the manner in which the obligations to identify and verify the identity of customers, agents and beneficial owners should be performed, without requiring that the level of ML/FT risk associated with the business relationship or occasional transaction concerned be taken into account. By contrast, the Anti-Money Laundering Law extends the principles of the risk-based approach to all due diligence obligations, including the obligation to identify and verify the identity of the persons involved. Articles 26 and 27 of the Law (i) define the objectives to be achieved when performing these obligations, (ii) establish the level of requirements in cases of “standard risk”, (iii) require these requirements to be strengthened in high-risk situations and (iv) allow them to be relaxed in low-risk situations. However, the exemption from the identification and identity verification obligations in certain cases (when the customer or his beneficial owner is a Belgian or European financial institution, a public authority, etc.), which was previously set out in Article 11 of the Law of 11 January 1993, has been removed as this legal presumption of low risk is contrary to the risk-based approach. It should also be noted that neither the Anti-Money Laundering Law nor the Anti-Money Laundering Regulation of the NBB lists in a precise, uniform and prescriptive manner the supporting documents or the reliable and independent sources of information that can be used to fulfil the obligation to verify the identity of the persons involved; although the Anti-Money Laundering Law explicitly authorises the use of certain electronic identification means, the degree of certainty required as to the identity of the persons involved is to be determined according to the risk level identified in the case concerned.
Consequently, each obliged financial institution is required to incorporate in its ML/FT risk management policy an appropriate reference framework for the application of the risk-based approach implemented by it with regard to the identification and verification of the identity of the persons involved. This reference framework should be established taking full account of the financial institution’s overall risk analysis and risk classification. This framework should subsequently serve as the basis for the establishment of the financial institution’s internal procedures on the subject.
For this purpose, as noted on the page “Policies, procedures, processes and internal control measures”, the NBB recommends that the procedure relating to the customer and transaction due diligence measures (the part on “identification and verification of the identity of customers, agents and beneficial owners”) include a correlation table of the supporting documents accepted for each risk class, as well as a list of the circumstances in which certain supporting documents need not be submitted.
As regards the latter point, documents with low probative value could for instance be accepted if one of the following ML/FT risk reducing measures applies in the context of a business relationship posing a low ML/FT risk:
- excluding any transaction involving the handling of cash,
- excluding cross-border transfers of funds,
- only authorising flows of funds to or from a single account opened in the name of the same customer with a Belgian or European credit institution,
- capping the amount of the flows of funds authorised per period of time and/or per transaction,
- significantly limiting the offer of payment instruments linked to the account,
- etc.
Additionally, the legislation on basic banking services also provides for restrictive measures (Chapter 8 of Title 3 of Book VII of the Code of Economic Law).
It should also be recalled that, pursuant to Article 17, second subparagraph, of the Anti-Money Laundering Law, financial institutions should be able to demonstrate to the NBB that their reference framework and the procedures established on that basis are appropriate in view of the ML/FT risk identified through their overall risk assessments. In this respect, see the page “Policies, procedures, processes and internal control measures”. Moreover, in accordance with Article 19, § 2, third subparagraph, of the Anti-Money Laundering Law, financial institutions should be able to demonstrate to the NBB that the due diligence measures effectively implemented, by applying these procedures, in the context of each of their business relationships with customers or each of the occasional transactions they perform for them are appropriate in view of the ML/FT risk identified through the individual risk assessment.
The NBB considers that the internal procedures based on this reference framework should be binding for the entire staff of the financial institution, regardless of whether they are employees, agents or distributors. It follows in particular that, without prejudice to the consequences of a reclassification justified on the basis of the individual risk assessment, the obligations to identify and verify the identity of the persons involved may in no way be relaxed in individual cases because of low ML/FT risk if the extent and the terms of this relaxation are not authorised and specified in the internal procedures.
1. Objectives of the obligations to identify and verify the identity of the persons involved
In accordance with Articles 26, § 1, and 27, § 1, of the Anti-Money Laundering Law, fulfilling the obligations to identify and verify the identity of the persons involved requires (i) collecting relevant information on these persons that enables them to be distinguished from any other person with reasonable certainty, and (ii) in order to have a sufficient degree of certainty as to the identity of the persons involved, checking all or part of the identification data collected against one or more supporting documents or reliable and independent sources of information which enable this data to be confirmed, in particular against information collected, where appropriate, through certain electronic identification means.
These objectives should be pursued regardless of the level of ML/FT risk associated with the business relationship or transaction concerned, but the degree of certainty to be achieved is determined according to the risk level assigned on the basis of the individual risk assessment.
2. Cases of “standard risk”
2.1. Notion of “standard risk”
“Standard risk” here refers to all situations that are not recognised as presenting a high risk in the context of the individual risk assessment referred to in Article 19, § 2, of the Anti-Money Laundering Law.
Situations that only present a low ML/FT risk can only be excluded from the notion of “standard risk” if they have been specifically identified as low-risk situations by the overall risk assessment referred to in Article 16 of the Anti-Money Laundering Law and if the financial institution’s internal AML/CFTP procedures explicitly specify the relaxed due diligence measures that can be applied when the individual risk assessment leads to the conclusion that the risk level is low.
2.2. Identification data
For the list of the data to be collected on the person involved for the purposes of his identification, see Article 26, § 2, of the Anti-Money Laundering Law.
In respect of natural persons, whose place of birth – inter alia – must be collected by financial institutions, it is emphasised that the information thus collected may not be limited to the country of birth alone, except in specifically justified cases where a more precise place of birth is not available.
The identification data relating to the address of natural persons and to the place and date of birth of beneficial owners need only be collected “to the extent possible”. The NBB considers that each financial institution’s internal AML/CFT procedures should specify the measures to be taken by its staff when data cannot be collected using regular data collection measures, in order to be able to document, where appropriate, the inability to include the data in the identification of the person concerned.
It should also be stressed that the European Regulation on transfers of funds (Article 4(1)) requires transfers of funds to be accompanied by specific identification information, namely (i) the payer’s name, (ii) the payer’s payment account number, and (iii) one of the following additional information elements: the payer’s address, official personal document number, customer identification number or date and place of birth. For further information, see the page “Transfers of funds”.
2.3. Identity verification
2.3.1. Identification data to be verified
In accordance with Article 27, § 2, of the Anti-Money Laundering Law, all identification data collected on the person concerned should be checked against supporting documents or reliable and independent sources of information to confirm their accuracy.
It should also be noted that the European Regulation on transfers of funds requires the customer’s address or date and place of birth, if the payment service provider of the payer chooses this information to accompany a transfer of funds (see Article 4(1) of the aforementioned Regulation and point 2.2 above), to be verified by the payment service provider of the payer before being sent together with the funds to the payment service provider of the payee, in the same way as the payer’s last name, first name and account number (see Article 4(4) of the aforementioned Regulation). However, if this identification information has already been verified in the context of the due diligence obligations pursuant to Article 27, § 2, of the Anti-Money Laundering Law (e.g. at the start of the business relationship) and if the information obtained during this verification has been kept in accordance with legal requirements (see the page “Data and document retention”) and updated in accordance with the legal obligations (see point 5 below), it is not necessary to verify this information again for every transfer of funds (Article 4(5) of the aforementioned Regulation). On the other hand, if the customer’s last and first name, account number, address or date and place of birth have not been verified before the transfer of funds (e.g. if this information has not been verified at the start of the business relationship because it was considered to pose low ML/FT risk), it should, like all other identification information, be verified before being sent with the transfer of funds concerned. For further information, see the page “Transfers of funds”.
2.3.2. Supporting documents and reliable and independent sources of information
a) General comments
Neither the Anti-Money Laundering Law nor the Anti-Money Laundering Regulation of the NBB lists in a precise, uniform and prescriptive manner the supporting documents or the reliable sources of information that may be used to verify the identification data of the person involved.
The Anti-Money Laundering Law does, however, explicitly authorise checking these data against the information obtained, where appropriate:
- through electronic identification means such as those provided or recognised within the authentication service as referred to in Articles 9 and 10 of the Law of 18 July 2017 on electronic identification, confirming the identity of persons online; this may be, for example, an electronic identity card that will be read with a card reader, or a secure mobile means of identification; or
- through the relevant trust services referred to in the eIDAS Regulation; examples of such trust services are electronic signatures or advanced seals.
Therefore, each financial institution should include in its internal procedures precise rules concerning the supporting documents or the reliable and independent sources of information that it accepts for the purposes of identity verification and which must enable it to have, according to the risk level identified in the case concerned, a sufficient degree of certainty as to the identity of the persons involved.
These rules should be based on an assessment of the level of reliability of each supporting document or source of information, to ensure that this level is sufficient to achieve the objective set out in Article 27, § 1, of the Anti-Money Laundering Law. Even where use is made of one of the electronic identification means expressly referred to in the said Law, financial institutions are expected to apply the necessary measures to mitigate any relevant risks arising from the use of such solutions, in accordance with paragraph 54 of the EBA Guidelines of 22 November 2022 on the use of remote customer onboarding solutions.
Where appropriate, the required level of reliability may be achieved through the combined use of two or more supporting documents.
For example, the NBB does not consider the identification data accompanying an initial transfer of funds carried out from a bank account opened in the name of the same person with another credit institution to be a “supporting document or reliable source of information” as such that can be sufficient to fulfil the obligation to verify the customer’s identity. However, verifying identification data through the information accompanying such an initial transfer of funds can be useful to corroborate the result of the verification of this data through another supporting document or source of information and thus increase the level of reliability of the verification performed.
As regards address verification, the NBB considers that financial institutions’ internal procedures should determine the measures to be taken to fulfil this legal obligation in a sufficiently precise manner. When the supporting document used to verify the customer’s identity provides relevant information on the customer’s address, this document should logically also be considered as the source of relevant information on his address. When this is not possible (in particular if the supporting document does not mention the customer’s address), the internal procedures should determine how this information can be obtained. In these cases, a simple declaration signed by the customer, agent or beneficial owner concerning his address generally suffices if the customer, business relationship or transaction does not present a high ML/FT risk.
For further information on electronic identification means explicitly authorised in accordance with Article 27, § 1, of the Anti-Money Laundering Law, please refer to the explanatory memorandum of the amending Law of 20 July 2020 (see the page “Main reference documents”).
Additionally, the NBB recommends taking into account the remarks below.
b) Verification of the identity of natural persons
§ 1. Identity card and passport
If the person to be identified is a natural person subject to a face-to-face identification, the NBB recommends that his identity generally be verified using his valid official identity documents such as his identity card or, where appropriate, his passport. It should be noted that these supporting documents should include a photograph of their legitimate holder and thus enable a visual check to reduce the risk of identity theft.
This measure appears particularly relevant for persons domiciled in Belgium who are holders of an identity card issued by the Belgian authorities. In case of doubt regarding the legitimacy of an identity card presented, it is however recommended to verify that it has not been registered as stolen or lost in the ad hoc database of the FPS Home Affairs (see https://www.checkdoc.be).
When financial institutions verify the customer’s identity by electronically reading the data registered on the microprocessor of his identity card, there should also be a simultaneous electronic verification to ensure that the data included on the chip was signed electronically by the National Register. In this respect, it is recommended to design the IT procedures in such a way that this verification takes place systematically and automatically without requiring the employee or agent who performs the identification to intervene and without enabling him to deactivate this check. To detect potential falsifications, it could moreover be useful to check the compliance of the data registered on the chip with the data legible on the identity card. Finally, it should be ensured that the certificate has not been revoked by the National Register.
If the verification is carried out through the customer’s passport, appropriate measures should be prescribed to ensure that this document meets the specifications for passports issued by the foreign country concerned. There should also be a check that allows the financial institution to reasonably conclude that the passport presented has not been forged or falsified.
Identification data can also be verified remotely through the information registered on the microprocessor of the Belgian electronic identity card. However, it should be noted that this verification may be less reliable than a face-to-face verification as it does not allow for a visual check using the photograph included in the supporting document to ensure that the person using it is indeed its legitimate holder. It could therefore be necessary to systematically verify the legitimacy of the document presented by consulting https://www.checkdoc.be. Furthermore, a financial institution using this method of verifying the identity of the persons involved should implement measures that enable it to ensure that the objective set out in Article 27, § 1, of the Anti-Money Laundering Law will be met notwithstanding the lack of a visual check, where appropriate by implementing an additional verification measure.
§ 2. Other official documents
In specific cases listed in the internal procedures, for example when awaiting the issuance of the customer’s identity card or passport, other documents issued by Belgian or foreign authorities can be accepted as supporting documents until the verification can subsequently be performed using the customer’s identity card.
If the customer is a child below the age of 12 who is not yet required to hold an identity card (“Kids ID”), and until his identity can be verified upon his 12th birthday using his identity card, which he will receive at that time, the use of other official documents is recommended, such as his certificate of registration in the population register of his place of residence, a copy of his birth certificate or his parents’ marriage certificate.
The identity of foreign nationals residing in Belgium who do not hold an identity card or a passport may be verified in a valid manner using the document issued to them by Belgian authorities according to their status on Belgian territory, particularly their certificate of registration in the register of foreigners and the other documents included in the annexes to the Royal Decree of 8 October 1981 on access to the territory, residence, settlement and removal of foreign nationals. It should be noted in this regard that, although a residence permit issued by the Belgian State can be considered sufficient, the other documents referred to in the Annexes to the Royal Decree of 8 October 1981 on access to the territory, residence, settlement and removal of foreign nationals could be considered less reliable. Such documents cannot be accepted as supporting documents in standard-risk situations unless they are corroborated by other supporting documents, without prejudice to the measures governing the business relationship or transaction based on which they can be considered to pose a low risk (see below).
§ 3. Use of innovative technological instruments other than the electronic identification means referred to in the Anti-Money Laundering Law
If a financial institution intends to make use of innovative technology other than the electronic identification means referred to in Article 27, § 1, of the Anti-Money Laundering Law to verify the identity of the persons involved in business relationships or occasional transactions, it is required to comply with Article 12, 1°, second sentence, of the Anti-Money Laundering Regulation of the NBB, which stipulates that the acceptance of new technologies as instruments for verifying the identity of these persons must be based on a prior analysis conducted by the financial institution itself of the reliability of these new instruments with regard to the objective set out in Article 27, § 1, of the Anti-Money Laundering Law. The NBB expects this analysis to be correctly documented and retained so that it can be transmitted to it at its request.
The NBB moreover recommends taking full account of the Opinion of the ESAs dated 23 January 2018 on the use of innovative solutions and of the EBA’s ML/FT Risk Factor Guidelines dated 1 March 2021 (see in particular paragraphs 4.26 to 4.37 of these Guidelines).
In addition, the EBA Guidelines of 22 November 2022 on remote customer onboarding solutions specify the steps that financial institutions should take before adopting a new such solution.
These Guidelines also clarify the expected scope of the analysis required by Article 12, 1°, second sentence of the Anti-Money Laundering Regulation of the NBB. This analysis should include at least the following key elements:
(a) an assessment of the adequacy of the solution in terms of the completeness and accuracy of the identification data and documents to be collected, as well as of the reliability and independence of the information sources used by the solution;
(b) an assessment of the impact of the use of the solution on institution-wide risks, including ML/FTP, operational, reputational and legal risks;
(c) the identification of mitigating measures and remedial actions for each risk identified in the assessment referred to under (b);
(d) tests to assess fraud risks, including impersonation fraud risks and other ICT and security risks; and
(e) end-to-end testing of the functioning of the solution with regard to customers, products and services identified in the remote customer onboarding policies and procedures (see section 2.2.2.A. “Procedure for identifying and verifying the identity of customers, agents and beneficial owners” of the page “Policies, procedures, processes and internal control measures”).
Financial institutions should consider the criteria in points (a), (d) and (e) above to be met where the solution uses one of the following:
- electronic identification schemes notified in accordance with Article 9 of the eIDAS Regulation and meeting the requirements of “substantial” or “high” levels of assurance in accordance with Article 8 of that Regulation;
- relevant qualified trust services that meet the requirements of the eIDAS Regulation, in particular Chapter III, Section 3 and Article 24(1), subparagraph 2, point (b) of that Regulation.
Financial institutions should only start using a remote customer onboarding solution once they are satisfied that it can be integrated into their wider internal control system, thereby enabling them to adequately manage the ML/FTP risks that may arise from the use of the solution in question.
Article 19, § 2, third subparagraph, of the Anti-Money Laundering Law provides that entities must “ensure that they can demonstrate to the supervisory authorities competent pursuant to Article 85 that the due diligence measures applied by them are appropriate in view of the ML/FT risks they have identified”. This includes being able to demonstrate to the NBB which assessments they carried out prior to the implementation of the remote customer onboarding solution, the outcome of their assessment and how the use of the solution is appropriate with regard to the ML/FTP risks identified for the types of customers, services, geographical areas and products within the scope of the solution (see also the page “Supervisory powers, measures and policy of the NBB”).
For a more detailed overview of the expectations regarding the use of remote customer onboarding solutions, please refer to the text of the EBA Guidelines of 22 November 2022, in particular with regard to:
- the scope and methods of implementation of the assessment of the remote customer onboarding solution (§§ 20 and 21 of the Guidelines);
- the procedural and technical conditions to be met by the remote customer onboarding solution and process (§§ 24 to 26, 28, 30 to 32, 35, 36 and 38 of the Guidelines);
- expectations in terms of financial inclusion, taking into account the context in which the customer is onboarded remotely (§ 37 of the Guidelines);
- expectations relating to the use of certain specific identification data, processes and technologies (§§ 39 to 43 and 45 of the Guidelines);
- the additional control measures that financial institutions should implement to increase the reliability of the verification process, where this is warranted in light of the ML/FTP risks involved (§ 44 of the Guidelines);
- management of ICT and security risks (§§ 50 to 53 of the Guidelines).
§ 4. Copies of supporting documents and consultation of the National Register
A photocopy or electronic image of a supporting document (particularly the identity card or passport) of the person concerned is naturally not as reliable as the original supporting document.
Where financial institutions use such a reproduction, they should at least take appropriate steps to ensure that it is reliable and verify:
- that the reproduction includes the security features embedded in the original document and that the specifications of the original document that are being reproduced are valid and acceptable, in particular the font type and size and the structure of the document, by comparing them with official databases;
- that the personal data has not been altered or manipulated, or that the customer photo incorporated into the document has not been replaced;
- if the official document has been issued with a machine-readable zone (MRZ), that the integrity of the algorithm used to generate the unique identification number of the original document has been preserved. In addition, where financial institutions use tools to automatically read information from documents, such as Optical Character Recognition (OCR) algorithms or MRZ checks, they should take the necessary steps to ensure that these tools capture information accurately and consistently;
- that the reproduction provided is of sufficient quality and resolution so as to ensure that the relevant information is unambiguous;
- that the reproduction provided has not been displayed on a screen based on a photograph or scan of the original identity document.
The reliability of the copy may also be increased by providing both a simple copy or electronic image of the identity card or passport of the person concerned and another supporting document.
Pursuant to Article 19, § 2, third subparagraph, of the Anti-Money Laundering Law, financial institutions providing for such methods for verifying the identity of customers should in any event be able to demonstrate that the overall level of reliability of the verification thus obtained is adequate, taking into account the level of ML/FTP risk.
Furthermore, Article 28 of the Anti-Money Laundering Law grants financial institutions the right to indirectly access the National Register to corroborate a copy of a supporting document and to verify the identity of the persons concerned (i.e. customers, their agents and their beneficial owners) where these persons are not physically present during their identification. This is the case when establishing business relationships with or carrying out transactions for a customer remotely, when identifying and verifying the customer’s beneficial owners or when updating the identification data of customers or beneficial owners that are not present at the time of the update.
However, it should be noted in these situations that, if there is no visual contact with the person providing the copy of the supporting document, the financial institution cannot use the photograph included in the supporting document to ensure that the person using it is its legitimate holder. As is the case when an electronic identity card is used to remotely verify the identity of a person involved, a financial institution providing for the verification of the identity of persons involved through a copy of a supporting document that is corroborated by consulting the National Register, should ensure and be able to demonstrate that the objective set out in Article 27, § 1, of the Anti-Money Laundering Law is nevertheless met or should, where appropriate, require the application of an additional verification measure to reach the level of reliability required.
The access to data from the National Register granted by the Anti-Money Laundering Law to financial institutions is indirect and requires the involvement of the professional associations designated by the King or of the institutions created by them for that purpose. The aim of the parallelism with the legal provisions on dormant accounts, safe deposit boxes and insurance contracts is to provide financial institutions with the same tools and procedures as those implemented by the professional associations in order to allow them to fulfil their obligations regardless of the legislative context.
It should however be stressed that the data that can be consulted in the National Register can differ depending on the legislation. This procedure for consulting data in the National Register can only be used in the aforementioned circumstances for the verification of identification data required by or pursuant to the Anti-Money Laundering Law. Furthermore, the indirect access to the data of the National Register to verify the identity of customers or their agents or beneficial owners in accordance with the Anti-Money Laundering Law remains otherwise subject to the provisions of the Law of 8 August 1983 establishing a National Register of natural persons, to the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) and to the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. For the correct implementation of this legislation, please refer to the relevant decisions, opinions and recommendations from the Commission for the Protection of Privacy (CPP). It should be stressed, in particular, that the CPP deems it preferable, whenever possible, to perform the remote identity check by using the functions of the electronic identity card rather than by consulting the National Register.
§ 5. Consultation of the register of beneficial owners
Article 73 et seq. of the Anti-Money Laundering Law create a central register of beneficial owners (the “UBO register”) with the aim of providing useful assistance to the different AML/CFT stakeholders, including the obliged entities, for the identification and the verification of the identity of the beneficial owners of companies and legal arrangements.
Thus, Article 29 of the Anti-Money Laundering Law requires financial institutions, when entering into business relationships with companies incorporated in Belgium, trusts, foundations and (international) non-profit organisations or legal entities similar to fiducies or trusts, to collect proof of registration, in the register of beneficial owners, of information concerning the beneficial owners or to obtain an extract from such register.
However, it should be noted that Article 29 of the Anti-Money Laundering Law does not allow obliged entities to rely solely on the consultation of this register or on an extract thereof to identify and verify the identity of beneficial owners, but requires them to take additional measures to corroborate the data obtained by consulting the register. The nature of these measures must be determined according to a risk-based approach.
In low- and standard-risk situations, the NBB recommends that these additional measures at least include the reporting entity approaching the customer to obtain relevant information as to the identity of his beneficial owners, as well as supporting documents proving the identity of these persons or confirmation that the information in the UBO register is accurate, current and complete. These measures may also include consulting information published on the internet or any other available information, whether publicly available or, for example, available through external consultants for a fee.
c) Verification of the identity of companies and legal persons
In standard-risk situations, the NBB generally recommends verifying the identification data of companies and legal arrangements governed by Belgian law using documents that are generally accepted in Belgian law as proof of their existence, such as the latest coordinated statutes or the updated statutes of the company or legal person that have been lodged with the Commercial Court or published in the annexes of the Belgian Official Gazette.
As regards the list of directors of companies and legal persons governed by Belgian Law, financial institutions should make use of the publication of their appointment in the Belgian Official Gazette. Other documents can also be accepted, such as the publication in the Belgian Official Gazette of notarial deeds in which these persons are mentioned as directors, or the annual accounts filed with the NBB.
The provisions governing the power to make binding agreements on behalf of the company or legal person governed by Belgian law should be established using the latest publication of the representational powers of this company or legal person in the Belgian Official Gazette.
To verify the identity of companies and legal persons governed by Belgian law, financial institutions should use supporting documents equivalent to those listed above that are provided for in accordance with the national legislation applicable to these companies and legal persons. Where appropriate, these supporting documents should be supplemented by a reliable translation into one of the national languages or into English.
These supporting documents can be obtained from the customer himself, from official sources such as the Belgian Official Gazette or any other sources of information that can be considered reliable such as the Crossroads Bank for Enterprises established by the Law of 16 January 2003, or from other sources of the same nature created by the Member States governing the foreign companies and legal persons.
Financial institutions can also use, where appropriate, the electronic identification means referred to in Article 27, § 1, of the Anti-Money Laundering Law. Financial institutions that use a remote customer onboarding solution within the meaning of the EBA Guidelines of 22 November 2022 for customers that are companies or legal persons, should ensure that this solution meets the conditions set out in these Guidelines.
d) Verification of the identity of legal arrangements
Financial institutions should verify the identification data of legal arrangements such as trusts using documents that have probative value under the legislation applicable to the trust or legal arrangement concerned. The relevant rules should be specified in the financial institution’s internal procedures.
3. Cases of “high risk”
3.1. Notion of “high risk”
“High risk” here refers to all situations that are identified as such by the individual risk assessment required by Article 19, § 2, of the Anti-Money Laundering Law. These situations include those in which enhanced due diligence measures are required by Articles 37 to 41 of the Anti-Money Laundering Law.
3.2. Identification data
Pursuant to Article 26, § 4, of the Anti-Money Laundering Law, if the individual risk assessment performed in accordance with Article 19, § 2, first subparagraph, of the Law establishes that there is a high risk associated with the customer and with the business relationship or transaction, financial institutions should take particular care to ensure that the identification data required in standard-risk situations is sufficient to distinguish, in a manner that leaves no room for doubt, the person concerned from any other person. If this is insufficiently the case, financial institutions should collect additional information to achieve the desired result.
Where the persons concerned are natural persons, the additional information to be collected may for instance pertain to their professional activity, their nationality, their gender, etc. The internal procedure could also provide for an extension of the address verification obligation by stipulating that this information, which in a standard-risk situation need only legally be collected “to the extent possible”, must be collected in all high-risk cases. The additional identification data provided for by the internal procedures could also include the expiry date of the supporting document used to verify the identity of the person concerned. It should be noted that, if the financial institution includes this information in the list of identification data required, it should update the identification and verification of the identity of the person concerned when the validity of the supporting document expires.
For legal persons, the additional identification data could include their company number or, where appropriate, their Legal Entity Identifier if they have such a unique identification code, their line of business, the number of their places of business apart from their registered office and/or the countries in which these places are established, their trade names, if any, etc.
In cases of high risk, financial institutions should also ensure that they know the customer’s beneficial owners with a higher degree of certainty. Customers could thus be asked to fill in a beneficial owner identification form and attach the necessary supporting documents (see point 3.3 below).
3.3. Identity verification
3.3.1. Identification data to be verified
Pursuant to Article 27, § 4, of the Anti-Money Laundering Law, all identification data collected should be verified using particularly reliable means of verification.
3.3.2. Supporting documents and reliable and independent sources of information
In high-risk situations, the internal procedures should only authorise the use of the supporting documents accepted in standard-risk situations (see above) that are deemed the most reliable or, where appropriate, require the use of a combination of these supporting documents.
When verifying the identity of natural persons, it is recommended to only use supporting documents including a photograph of the person to be identified, and to require a visual check in order to ensure that the person presenting the supporting document is its legitimate holder.
When the financial institution authorises the use of innovative technologies other than electronic identification means as referred to in Article 27, § 1, of the Anti-Money Laundering Law (see above) in high-risk situations, the NBB expects it to tighten the terms and conditions for the application of this authorisation.
With the exception of cases involving the use of electronic identification means as referred to in the Anti-Money Laundering Law, the financial institution should moreover establish its list of supporting documents or sources of information that are accepted to verify the identity of the persons involved in high-risk situations based on a thorough analysis of the reliability of these verification tools that enables it to demonstrate that their high level of reliability is appropriate in view of the high level and the nature of the ML/FT risk incurred.
The NBB notes that it is even more important to know the customer’s address with a sufficient degree of certainty when there is a high ML/FT risk, particularly if this risk materialises. It therefore deems it necessary to implement enhanced due diligence measures to confirm the accuracy of the address provided by the customer. These measures could include sending a letter to the address specified by the customer stating that the relationship can only enter into force or the transaction can only be performed after the customer has sent back the acknowledgement of receipt attached to the letter.
When high ML/FT risks have been identified in the process of the individual risk assessment, the information and supporting documents provided by the customer regarding his beneficial owners (see point 3.2 above) should also be subject to enhanced scrutiny, including a comparison of the information thus obtained directly from the customer with that recorded in the UBO register and, to the extent possible, with information that can be obtained from other reliable and independent sources.
4. Cases of “low risk”
4.1. Notion of “low risk”
In order to benefit from the legally authorised relaxed identification and identity verification obligations with regard to persons involved in business relationships or occasional transactions posing a low ML/FT risk, the financial institution must choose, in its ML/FT risk management policy, to make use of and determine the terms of this possibility in its internal procedures. Moreover, the low risk level should be duly recognised in the overall risk assessment required by Article 16 of the Anti-Money Laundering Law and, in each specific case where relaxed obligations are being considered, in the individual risk assessment required by Article 19, § 2, of the Law. In this regard, please refer to the introduction of this page for existing measures to reduce the level of ML/FT risk, particularly in the legislation on basic banking services.
4.2. Identification data
In accordance with Article 26, § 3, of the Anti-Money Laundering Law, financial institutions’ internal procedures may reduce the amount of identification data that should be collected for the identification of persons involved in low-risk situations compared to the data required by the Law in standard-risk situations. However, the information collected should remain sufficient to enable the person concerned to be distinguished from any other person with reasonable certainty. For instance, the last and first name of a legal person or the corporate name of a legal person cannot reasonably be considered information that need not be collected. As this identification data alone does not suffice to eliminate an increased risk of homonymy, the NBB considers that, even in situations with low ML/FT risk, financial institutions should collect at least one additional item of identification data in order to reduce this risk of homonymy. Furthermore, the NBB expects financial institutions wishing to make use of the possibility to relax the identification obligation in low-risk situations to include in their internal procedures a detailed list of identification data that should in any case be collected.
4.3. Identity verification
4.3.1. Identification data to be verified
If the individual risk assessment required by Article 19, § 2, of the Anti-Money Laundering Law shows a case of low ML/FT risk, financial institutions are authorised to verify a smaller amount of the information collected. The amount of information verified should, however, remain sufficient to enable the obliged entity to have a sufficient degree of certainty as to its knowledge of the person concerned. The NBB therefore expects financial institutions making use of the possibility to relax the obligation to verify the identity of persons involved in the business relationship or transaction, to specify in their internal procedures the information for which verification remains obligatory.
4.3.2. Supporting documents and reliable and independent sources of information
Naturally, all supporting documents and reliable and independent sources of information which the financial institution has identified as eligible for verifying the identity of persons involved in a standard-risk business relationship or occasional transaction (see above) are also eligible in low-risk situations.
However, if the individual ML/FT risk assessment concludes that the level of ML/FT risk is low, financial institutions may choose to accept certain documents that they consider to have insufficient probative value to be accepted in standard-risk situations and even more so in high-risk situations.
When, for example, foreign nationals are established in Belgium without having an identity card or a certificate of registration in the register of foreigners, and taking into account the need to avoid excluding persons in precarious situations on the Belgian territory from access to financial services, the NBB considers that their identity may be verified using one of the documents referred to in the different annexes to the Royal Decree of 8 October 1981 on access to the territory, residence, settlement and removal of foreign nationals, which would be considered as having low reliability, if the level of associated ML/FT risk can be reduced using appropriate measures governing the intended business relationship or transaction. In this respect, see the Opinion of the European Banking Authority (EBA) on the application of customer due diligence measures to customers who are asylum seekers from higher-risk third countries or territories (EBA-Op-2016-07) as regards the situation of asylum seekers. Although a simple copy or electronic image of a supporting document is insufficiently reliable in itself to be accepted as a supporting document in standard-risk situations without being verified through the National Register as stipulated in Article 28 of the Anti-Money Laundering Law, it could be accepted in certain circumstances as the relationship is subject to strict limitations that can drastically reduce ML/FT risk. As regards the restrictive measures to reduce the level of ML/FT risk associated with these business relationships, please refer to the introduction of this page, which states, in particular, that financial institutions are expected to include, in their procedure relating to customer and transaction due diligence measures, a correlation table of the supporting documents required for each risk class, as well as a list of the circumstances in which certain supporting documents need not be submitted.
5. Update of the identification and verification of the identity of the persons involved
Article 35, § 1, 2°, of the Anti-Money Laundering Law requires the obliged entities to update the identification data they hold in the context of their business relationships, particularly in case of changes to items that are relevant to the individual risk assessment referred to in Article 19, § 2, of the Law. In this respect, see the page “Due diligence on business relationships and occasional transactions and detection of atypical facts and transactions”.
This update requirement also implies that, in case of a transfer of funds, any identification data received and verified beforehand over the course of a business relationship should be subject to another verification for the transfer of funds concerned if any information relevant to the individual risk assessment has been modified.
6. Inability to fulfil the obligations to identify and verify the identity of the persons involved
Article 33 of the Anti-Money Laundering Law provides that, if obliged entities cannot fulfil their obligations to identify and verify the identity of a customer, his agents or his beneficial owners within the time limits required, they may neither establish a business relationship with nor carry out a transaction for that customer. In this respect, see the page “Non-compliance with the identification and identity verification obligation”.
Disclaimer: This English text is an unofficial translation and may not be used as a basis for resolving any dispute.