The COVID-19 pandemic is posing challenges for Australians and Australian businesses, particularly during this period of social distancing, self-isolation and other disruptions to everyday business.

We recognise this may create additional challenges for how you comply with your customer verification obligations under the anti-money laundering and counter-terrorism financing (AML/CTF) regime during this disruptive period.

As the AML/CTF regulator, AUSTRAC will work constructively with you as you manage your money laundering and terrorism financing risks during this disruptive period. This includes considering your circumstances when applying the AML/CTF laws.

Alternative processes to verify customer identity

While many reporting entities rely on electronic verification, others use face-to-face or documentation based procedures. As Australia responds to the COVID-19 pandemic, we recognise that some ‘know your customer’ (KYC) processes cannot be used.

The AML/CTF Rules support flexible KYC processes and procedures. Other ways that you can verify your customers’ identity and fulfil your KYC requirements include:

• using alternative proof of identity processes (Part 4.15)
• using electronic copies (scans or photographs) of reliable and independent documentation, in accordance with your AML/CTF program, to verify the identity of individual customers (Rule 4.9.3(3)) or companies (Rule 4.9.5(3))
• relying on disclosure certificates to verify certain types of information about customers who are not individuals, where measures put in place by industry as part of their response to the COVID-19 pandemic mean that such information is not otherwise reasonably available from other sources (Rules 4.3.12, 4.4.16, 4.5.8, 4.6.8 and 4.7.8)

In addition to these Rules, AUSTRAC has amended Part 4.15 to further enable flexible KYC processes during the COVID-19 pandemic. This is to ensure that you can rely on alternative proof of identity processes:

• where you can’t verify information based on the original, or a certified copy or certified extract, of a document usually relied on as part of your applicable customer identification procedures because of measures to prevent the spread of COVID‑19. In such cases you may rely on a copy of that document.
• where your customer can’t provide the identity documents you would usually rely on for applicable customer identification procedures because of measures to prevent the spread of COVID‑19. This may include where customers are in self‑isolation or where businesses have temporarily shut down.

AUSTRAC intends to repeal these amendments to Part 4.15 following the conclusion of the COVID-19 pandemic. When determining the timing, AUSTRAC will consider the extent to which the Commonwealth, State and Territory Governments are still mandating social distancing and quarantine measures to prevent the spread of COVID-19.

If you choose to verify a customer’s identity using the above options, you should still apply the risk-based systems and controls in your AML/CTF program.

After customers have provided copies of identification documents, you could consider additional verification through:

• using a video call, such as Skype, Zoom or FaceTime to compare the physical identity of a customer with scanned or photographed copies of identification documents;
• requiring a customer to provide a clear, front-view ‘selfie’ of themselves that can be compared with the scanned or photographed copies of identification documents; or
• telephoning the customer to ask questions about their identification, their reason for requesting a designated service or other questions that would assist in ascertaining whether the customer is who they claim to be.

You may wish to advise the customer of such additional systems and controls prior to the provision of scanned copies, to prevent attempts by criminals to use false names or identification

AUSTRAC recognises that a reporting entity may consider that it needs to amend its AML/CTF program to implement alternative processes to verify customers’ identity, but faces challenges in making formal amendments during this period.  In these circumstances, we expect that you keep a record of any changes in policies and procedures made due to the COVID-19 pandemic.

Importance of reporting during the COVID-19 pandemic

It’s important to exercise vigilance in the current environment in response to the changed risk environment for criminal activity, including fraud and identity theft. High-quality, accurate and timely suspicious matter reports give AUSTRAC and our partner agencies the best chance to detect, deter and disrupt criminal activity. Find out more about monitoring for new and emerging threats and submitting suspicious matter reports (SMRs) during the COVID-19 pandemic.

Following are four practical examples of how you might apply flexible KYC processes in your business.

Example 1: Opening a new account while a customer is in self-isolation

Business A receives a request from Jane to open an account. However, Jane advises that she is currently in self-isolation because of COVID-19.

Until recently, Business A required customers to verify their identity face-to-face and show their original documentation. However, Business A has recently updated their AML/CTF program and processes to allow a more flexible approach when managing situations arising from the COVID-19 pandemic.

Business A advises Jane that they have a new process to provide services to customers which may involve follow up telephone calls, use of ‘selfies’ and/or video calls to verify identity. Business A asks Jane to complete an account opening form and provide a photograph of two primary identification documents. Jane takes a photograph of her driver licence and passport and sends them in an email to Business A with the form.

Business A reviews Jane’s application and documents and a representative arranges a video call to complete identity checks. During the video call, the representative from Business A asks Jane about her identification, the reasons she is opening the account, and about her financial history. On the call, Jane shows Business A her driver licence and passport clearly on screen, so these can be checked against the copies submitted in her application.

Business A is satisfied of Jane’s identify and that she is person referred to in the original documents and the person on the video call. Business A decides to open an account for Jane. Business A makes a written record of the call made to Jane.

Example 2: Unable to verify a customer’s identity

Business B recently updated its KYC collection and verification processes to allow more flexibility in verifying a customer’s identity as a result of the COVID-19 pandemic.

John contacted Business B and asked to open a new account. As required by Business B, he submitted a scanned copy of his driver licence and Medicare card by email.

Business B started its verification process through a video call with John. At the start of the call, the representative noticed that the person on the call did not match the photo on the driver licence. The Business B representative asked to speak with John, and the person on the video call said that they were John. The Business B representative asked John to hold up their driver licence to display on the video call, however John advised that he couldn’t do that at this time.

The Business B representative offered to reschedule the call for a more convenient time which they arranged; however, when subsequent calls were made, Business B was not able to make contact with John.

Business B made a written record of the calls and attempted follow ups with John.

Business B did not proceed to open the account and lodged a suspicious matter report to AUSTRAC, as they suspected this was potentially related to fraud or identity theft.

Example 3: Unable to provide a certified copy of a trust deed

Business C is processing a request from Frank, the trustee of XYZ Trust, to open an account on behalf of the trust. In accordance with its AML/CTF Program and Rule 4.4.15, Business C would usually require a certified copy of a trust deed in order to complete its KYC collection and verification processes.

Frank advises Business C that he is unable to provide a certified copy of the trust deed because the local library where he usually has documents certified by a Justice of the Peace has closed due to COVID-19 measures.

As the library was closed at the direction of the State Government to help prevent the spread of COVID-19, Business C decides to rely on alternative proof of identity processes to verify information about the trust.

Business C asks Frank to email them a scanned copy of the uncertified trust deed which it proceeds to rely on. In addition, Business C calls Frank and asks certain questions about the trust, including the purpose of opening an account. Business C also applies a higher level of ongoing customer due diligence including transaction monitoring of the account.

As this process departs from existing procedures in Business C’s AML/CTF program, Business C makes a written record that the change is due to the exceptional circumstances created by COVID-19 measures.

Following the conclusion of the COVID-19 pandemic, Business C reviews all the customers that it on-boarded during the pandemic and requests certified copies of trust deeds from customers who could not provide them during the COVID-19 pandemic, including Frank.

Example 4: Customer with no access to technology

Gwen, who is aged 85 and has an existing medical condition, has been advised by her doctors to stay at home and avoid visitors to reduce her risk of contracting COVID-19.

Gwen makes contact with a stockbroker, Business D, to ask them to open an account so she can purchase shares to be held in trust for her 15-year-old grandson.

Business D’s AML/CTF Program usually requires Gwen’s government-issued proof of age card to establish her identity. However, Gwen doesn’t have access to technology to allow her to scan or photograph her proof of age card and provide it to Business D.

As Gwen is self‑isolating in her home, Business D decides to use alternative proof of identity processes to help establish Gwen’s identity.

A representative from Business D calls Gwen on her home phone and asks her a series of questions about the account she wants to open. They also ask if Gwen knows anyone who can provide a reliable and independent referee statement to confirm her identity. Gwen is a member of the local church, so provides the contact details of the priest there.

The representative from Business D calls the priest then requests a referee report via email confirming:

• their knowledge of the person’s name and any other names the person uses or has used
• their knowledge of the person’s address
• their knowledge of the person’s birth date (actual or approximate)
• how they know the person
• how long they have known them
• the date the reference was given.

The priest completes the statement, signs it and emails it back to Business D.

Business D is satisfied that Gwen is who she claims to be and proceeds to open the account. Following the conclusion of the COVID-19 pandemic, Business D considers whether additional ongoing due diligence is required for Gwen and decides on the basis of risk that it is not necessary at this time.

As this process departs from existing procedures in Business D’s AML/CTF program, Business D makes a written record that the change is due to the exceptional circumstances created by COVID-19 measures.