Traditionally, account opening processes in a financial institution required face-to-face contact between the financial institution’s onboarding team and the prospective client. However, as demand from investors for non-face-to-face (NFTF) onboarding is rising, a prominent international standard-setting body, the Financial Action Task Force (FATF), has laid out a series of recommendations for financial institutions to consider when onboarding clients without interpersonal contact. Hong Kong’s financial services regulator, the Securities and Futures Commission (SFC), and Singapore’s Monetary Authority of Singapore (MAS) responded to the FATF recommendations by setting out requirements that financial institutions should follow to onboard clients using a NFTF approach. Many financial institutions operating in Hong Kong or Singapore must provide to the regulator at least one assessment – produced by an appropriate independent third party – of any new technology implemented to facilitate NFTF. In this article, GreySpark Partners and Holland & Marie (i) explore the implications for financial institutions of the permissibility of NFTF client onboarding in Hong Kong and Singapore, (ii) outline the regulators’ expectations for financial institutions to provide a third-party evaluation of NFTF technology and (iii) propose a multi-jurisdictional approach to this third-party evaluation to make the exercise more efficient for both financial institutions and vendors.
By: Rachel Lindstrom, GreySpark Senior Manager
And: Chris Holland, Holland & Marie Partner
Historically, face-to-face meetings between prospective clients and financial institutions have been necessary during client onboarding to authenticate documentation and verify identities. However, there are many advantages to these in-person meetings no longer being necessary, where suitable processes and technology are in place to replace them. Not only will the end-to-end process for account opening be completed more quickly, but it will facilitate additional cross-border business for firms in those regions that permit it. Until recently, in-person verification of client identities was thought to pose the least risk of impersonation. However, technology utilised within the confines of a well-defined process can now facilitate reliable identification of a person and authentication of the required documentation without the need to meet in person.
The requirement to obtain an independent assessment of the effectiveness of a financial institution’s NFTF technology and processes is aligned with the recommendations set out by the FATF – an independent inter-governmental body that develops and promotes policies to protect the global financial system against money laundering, terrorist financing and the financing of proliferation of weapons of mass destruction. Revised in October 2021, Recommendation 15 in FATF’s International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation states that:
“Financial institutions must identify and assess money laundering or terrorist financing risks that may arise from the use of new or developing technologies for both new and pre-existing products…and such a risk assessment should take place prior to the use of new or developing technologies.”
From the perspective of the financial institution, two workstreams are needed, as shown in Figure 1. The first is to identify a technology vendor with a solution for the NFTF client onboarding capabilities and to progress that relationship from feasibility study to implementation of a proof of concept (PoC). The second workstream is to identify an independent third party which can fully assess the new processes and technology that are being implemented. Once both the vendor and assessor have been engaged, then the assessment report can be developed and, ultimately, delivered to the relevant regulator.
Non-face-to-face Client Onboarding in Hong Kong & Singapore
The requirements for NFTF client onboarding in Hong Kong and Singapore for residents of those jurisdictions and overseas prospective clients are fairly well aligned, as both are based on the FATF standards, but there are nuances that should be noted both by financial institutions wishing to undertake NFTF client onboarding in those geographies and the vendors providing them with technology to facilitate it.
Securities and Futures Commission (SFC)
The SFC has issued a Circular that specifies the circumstances wherein NFTF account opening for Hong Kong residents is acceptable. The first of the four circumstances (Option 1, Figure 2) is when the signing of the client agreement is carried out by any acceptable individual who also has seen and certified the relevant identity documents. Individuals include:
- any other licensed or registered person or their affiliate (a regulated financial institution)
- a Justice of the Peace
- a branch manager of a financial institution
- a certified public accountant
- a notary public; or
- a chartered secretary.
The second circumstance (Option 2, Figure 2) is when the signing of the agreement and certification of identity documents is achieved via certification authorities. These services are recognised by the Electronic Transactions Ordinance (chapter 553) and include certification services outside Hong Kong whose electronic signature certificates have obtained ‘mutual recognition status’ accepted by the Hong Kong Special Administrative Region of the People’s Republic of China (HKSAR) government.
A third approach (Option 3, Figure 2) utilises traditional postal services, whereby the identity of the client can be verified by following several steps. The client sends to the financial institution a signed physical copy of the client agreement together with a copy of either their identity card or passport. The financial institution should receive a cheque from the client of an amount not less than HKD 10,000 bearing the client’s name, issued by the client and drawn on the client’s account with a licensed financial institution in Hong Kong. The signature on the cheque and the signature on the client agreement should visually match.
The final acceptable circumstance for NFTF client onboarding (Option 4, Figure 2) relies on a client’s use of a Designated Bank Account in Hong Kong. Here a client signs the documentation using an electronic signature and sends this electronically together with a copy of either their identity card or passport. The client must then transfer an initial deposit of not less than HKD 10,000 from a bank account in the client’s name maintained with a Designated Bank in Hong Kong to the financial institution onboarding the client.
Verification of the identity of an overseas individual client can also be undertaken via a NFTF approach, provided that the following steps (shown in Figure 3) are followed. Firstly, the identity documents must be authenticated either using embedded data in the client’s identification document, such as a biometric passport or an identity card, or using an electronic copy of the relevant sections of the documents, including a high-quality photograph of the client. The financial institution must check the security features of the identity documents or verify the data using a reliable and independent source. Biometric passports can be authenticated by scanning the data page, capturing data through optical character recognition and checking the captured data against the client’s personal information stored in a chip in the passport. If a third party has been engaged to help the client, prior consent and authorisation must be obtained from the client and the third party must have their personal information confirmed.
Figure 3: An Acceptable Method for NFTF Client Onboarding for Overseas Residents
Source: SFC, GreySpark analysis
Secondly, the client must have their identity checked against the authenticated documentation. This must be achieved by obtaining the client’s biometric data. Intermediaries may capture the client’s facial image in real time and match it with the photograph stored in the chip of the client’s biometric passport using facial recognition technology.
Finally, the client agreement can be signed by the client using an electronic signature, and an initial deposit of not less than HKD 10,000 is transferred to the intermediary’s financial institution account or from a Designated Overseas Bank Account (an account with a bank which is supervised by a banking regulator in an eligible jurisdiction listed in Figure 4).
Figure 4: A list of Eligible Jurisdictions According to the SFC
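The document-authentication step described above (OCR of the passport data page checked against the data stored in the chip) can be sketched as follows; this is an added example, not code from the SFC, the authors or any vendor. It assumes the OCR output is the ICAO 9303 TD3 machine-readable zone and that the chip fields have already been read and verified by a separate reader; the sample MRZ is the ICAO 9303 specimen, the misread and altered lines are constructed, and all function names are hypothetical.

```python
WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated along the field

def check_digit(field):
    total = 0
    for i, c in enumerate(field):
        if "0" <= c <= "9":
            value = int(c)
        elif c == "<":
            value = 0  # filler character
        elif "A" <= c <= "Z":
            value = ord(c) - 55  # A=10 ... Z=35
        else:
            raise ValueError(f"invalid MRZ character {c!r}")
        total += value * WEIGHTS[i % 3]
    return str(total % 10)

def parse_td3(line1, line2):
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be 44 characters each")
    surname, _, given = line1[5:].partition("<<")
    fields = {
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13],
        "date_of_birth": line2[13:19],
        "sex": line2[20],
        "date_of_expiry": line2[21:27],
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
    }
    checks = {  # name -> (protected data, check digit printed in the MRZ)
        "document_number": (line2[0:9], line2[9]),
        "date_of_birth": (line2[13:19], line2[19]),
        "date_of_expiry": (line2[21:27], line2[27]),
        "personal_number": (line2[28:42], line2[42]),
        "composite": (line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    failed = [name for name, (data, digit) in checks.items()
              if check_digit(data) != digit
              and not (digit == "<" and set(data) == {"<"})]  # unused optional field
    return {"fields": fields, "failed_checks": failed}

def authenticate_data_page(line1, line2, chip_fields):
    parsed = parse_td3(line1, line2)
    if parsed["failed_checks"]:  # OCR misread or malformed MRZ: recapture the page
        return "reject_ocr", parsed["failed_checks"]
    diff = sorted(k for k, v in chip_fields.items() if parsed["fields"].get(k) != v)
    return ("mismatch", diff) if diff else ("match", [])

# Sample data: ICAO 9303 specimen MRZ; CHIP stands in for fields a chip reader returned.
LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
CHIP = {"document_number": "L898902C3", "nationality": "UTO", "date_of_birth": "740812",
        "sex": "F", "date_of_expiry": "120415", "surname": "ERIKSSON",
        "given_names": "ANNA MARIA"}
MISREAD = LINE2.replace("7408122", "74O8122")  # constructed: OCR reads 0 as O
ALTERED = LINE2.replace("7408122", "7508125")  # constructed: birth date changed, digits recomputed
if __name__ == "__main__":
    for l2 in (LINE2, MISREAD, ALTERED):
        print(authenticate_data_page(LINE1, l2, CHIP))
```

The altered line passes every check digit and is caught only by the comparison with the chip fields, which is why the printed page alone is not treated as authenticated.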
Monetary Authority of Singapore (MAS)
In Singapore, the rules and guidance applying to NFTF client onboarding can be found in Notices, Guidelines to such Notices and Circulars to Financial Institutions. On 8 February 2022, the MAS published a new circular including frequently asked questions (FAQ).
Since 2017, the government-maintained digital service platform, MyInfo, which stores personal data on users collected from different public agencies, has been available for private sector use. Singapore financial institutions (SFIs) (8) can use MyInfo for customer identification and verification of Singapore citizens and residents (Figure 5). Specifically, it can be used to verify the customer’s name, unique identification number, date of birth, nationality and residential address.
Where MyInfo is used, SFIs do not need to obtain additional identification documents, such as the client’s National Registration Identity Card (NRIC), photograph or passport, to verify the client’s identity. However, SFIs should continue to subject customers who are not enrolled on MyInfo (e.g. non-Singapore residents) or who do not consent to the use of MyInfo for account opening/establishing business relations to the existing customer due diligence requirements. In addition, MyInfo does not cover sanctions screening.
Figure 5: Using the MyInfo System for NFTF Client Onboarding for Singapore Residents
(8) For simplicity, this article refers to financial institutions that are licensed under the PS Act. Other financial institutions are subject to similar rules and guidelines; however, they are not required to obtain an independent report to assess the effectiveness of their policies and procedures, and of any technology solutions used to help manage impersonation risks, unless the financial institution is relying on a ‘new technology solution’ that is not yet widely adopted by financial institutions in Singapore for the purposes of onboarding customers and the financial institution has determined that its internal audit function does not have the necessary expertise to conduct the assessment.
Where the client’s identity is obtained electronically through any means other than MyInfo, such as through the transmission of scanned or copied documents, SFIs should apply additional checks to mitigate the risk of impersonation. MAS Guidelines provide a number of illustrative examples of what such measures could be. The examples are non-exhaustive and financial institutions can apply any one of those measures, so long as they have assessed it to be appropriate to mitigate the risk. The client must present the SFI with the following documents:
- a passport or a national identity card that bears a photograph of the customer; and either
- a national identity card, recent utility or phone bill, financial institution statement or correspondence from a government agency.
For companies, including (but not limited to) proprietary companies, public non-listed and listed companies, incorporated and limited partnerships, incorporated associations and cooperatives – termed ‘Legal Persons or Legal Arrangements’ – the documentation required by the SFI is more extensive and is listed in Figure 6.
For both individuals and companies, MAS requires that the document is verified to the same standard as for face-to-face onboarding, and suggests that SFIs could apply the following measures:
- holding a real-time video conference that is comparable to face-to-face communication;
- verifying the identity of a customer through a document the customer has signed with a secure digital signature using a set of Public Key Infrastructure-based credentials issued by a certified Certificate Authority under the Electronic Transaction Act; and
- using new technology solutions.
A technology is considered ‘new’ if it is new to, or has yet to be widely adopted by, a financial institution in Singapore for the purposes of anti-money laundering (AML) / counter-terrorist financing (CFT). This currently includes biometric technologies (e.g. fingerprint or iris scans and facial recognition).
Figure 6: Two Acceptable Methods for NFTF Client Onboarding for Singapore Residents Not Using the MyInfo Platform and All Overseas Clients
Requirement for a NFTF Client Onboarding Assessment Report
NFTF customer due diligence processes undertaken by financial institutions are required by both the Hong Kong and Singapore regulators to be at least as robust as those performed with face-to-face contact. To ensure that they are, Hong Kong financial institutions and SFIs are required to engage a suitably qualified independent professional to undertake an assessment of the NFTF policies and procedures, including any technology used to manage impersonation risks.
Currently, MAS requires SFIs to:
- conduct an internal assessment of the effectiveness of any new technology solutions in mitigating impersonation and fraud risks prior to implementing them. (However, if the SFI does not have the relevant capabilities or expertise, the assessment should be done by an independent third party); and
- undertake and complete an independent assessment within one year after commencing NFTF Know Your Customer (KYC) or implementing a substantial change to the SFI’s NFTF policies or procedures. This report must be submitted to the MAS.
The SFC, on the other hand, requires the assessment to be undertaken prior to implementation of the technology and, at least, annually thereafter (Figure 7).
Figure 7: Comparison of the SFC and MAS Timeline for Assessments of Technology Utilised by Financial Institutions in the NFTF Client Onboarding Process
Source: SFC, MAS, GreySpark / Holland & Marie analysis
MAS has stated that in appointing the external auditor or independent qualified consultant to conduct the independent assessment, the SFI should consider the competency of the provider, including its track record and knowledge of technology solutions and regulatory requirements. MAS has listed some non-exhaustive areas that may be covered in the report, including:
- a review of the policies and procedures, including guidance and training provided to staff, on the use of any new technology solution;
- a test of the effectiveness of the new technology solution in detecting red flags;
- an assessment of the adequacy and effectiveness of controls that have been put in place to mitigate impersonation and fraud risks;
- the controls to ensure the proper oversight and governance of the adoption of the new technology solution; and
- the proposed recommendations for enhancements and timely remediation of any gaps.
In Hong Kong, financial institutions may also engage an external auditor or independent qualified consultant to conduct the assessment and certification of the effectiveness of the new technology in managing impersonation risk. The pre-implementation assessment and annual reviews should be performed by qualified independent assessors who are competent and possess the relevant knowledge, experience and resources to carry them out.
The SFC has laid out processes that should be assessed including:
- Identity document authentication
- Identity verification
- Execution of client agreements
- Designated overseas financial institution accounts
- Record keeping
Finally, the assessment should establish whether the processes and technologies have been properly implemented and tested, and that the organisation complies with the client onboarding and due diligence requirements. The assessment report should include:
- a detailed description of the processes and technologies adopted;
- details of the work performed, including an explanation of the scope and methodology of the assessment;
- a confirmation that the adopted processes and technologies are appropriate and effective for establishing the true identities of clients and the basis and justification for the confirmation; and
- an explanation of the potential limitations of the assessment as well as the processes and technologies adopted.
Some guidance is provided by the SFC as to what aspects of the proposed technology and process to cover in the assessment report (see Figure 8). Finally, the report should also include recommendations for improvement of the adopted processes and technologies, as well as the financial institution’s responses to the assessor’s recommendations and, where appropriate, the status and timeframe for implementing any recommended steps.
Figure 8: Aspects to Include in the Discussion of the Technologies Adopted in the Assessment Report
Preparation of a NFTF Client Onboarding Technology Assessment Report
The complexity of the operations that should be incorporated into a new technology platform means that any assessment of the technology’s effectiveness must be bi-focused. The legal aspect of the process, including how documents are validated, is an important aspect of the assessment, as is the review of the technology itself. The ideal third party to prepare an independent assessment report must have all the specialisations and expertise mentioned in Figure 9.
Figure 9: Specialisation and Expertise Required to Undertake an Evaluation of New Technologies used for NFTF Client Onboarding
Source: GreySpark / Holland & Marie analysis
Engaging an Independent NFTF Client Onboarding Technology Assessor
Typically, global financial institutions centralize their client onboarding processes and technology, so there is merit to approaching the creation of a NFTF client onboarding technology assessment report in a coordinated manner for use in both Hong Kong and Singapore jurisdictions. There are significant commonalities between the guidance given by the SFC and MAS for NFTF client onboarding, and so an assessment that covers both jurisdictions is a cost-effective and efficient approach. The knowledge and expertise to undertake this regulatory, operational and technology focused review could be difficult to find in one organisation. Accordingly, we believe that GreySpark, as a business and technology management consultancy, and Holland & Marie, a regulatory consulting firm specialising in the APAC region, provide those wishing to engage an assessor with a combination of organisations that could be considered the best of breed in both of those areas.