3.3. Third-Party Reliance and Provision of Digital ID Services
Effective from 31/10/2022Per Article 19 of the AML-CFT Decision, LFIs are permitted to rely on customer identification and verification undertaken by a third party at onboarding, provided the relying LFI:
| 1. | Immediately obtains the necessary information concerning customer identification and verification from the third party, including the assurance levels, where applicable; | |||
| ○ | For example, the digital ID system could enable the prospective customer to assert identity to the relying LFI and the third party to authenticate the person’s identity and provide additional needed information, such as the person’s name, date of birth, government-provided unique identity number, or other attributes required to prove official identity. | |||
| 2. | Takes adequate steps to satisfy itself that the third party will make available copies of or other appropriate forms of access to identification data and other relevant CDD information and documentation without delay; | |||
| ○ | For example, the relying LFI could take appropriate steps to satisfy itself: (a) that, as part of identity proofing and enrollment, the third party established a digital ID account for the identified person that contains adequate attribute evidence and other identity data and information; and (b) that the third party’s authentication processes enable it to provide that information to the relying party upon request without delay. | |||
| 3. | Satisfies itself that the third party adheres to the CDD and recordkeeping requirements set forth in the AML-CFT Decision and is regulated and supervised for compliance with these requirements. In practice, this means that the third party should either be another LFI, a designated non-financial business and profession (“DNFBP”), or another regulated entity, as defined in UAE regulation and guidance; and | |||
| 4. | Considers country risk information when determining in which countries a third party meeting the above conditions can be based. | |||
Unlike outsourcing relationships, in which an LFI engages a third-party provider to perform certain control functions on the LFI’s behalf and in conformity with the LFI’s AML/CFT policies and procedures,7 third-party reliance relationships typically involve an LFI relying the customer identification and verification measures already undertaken by another regulated entity on an existing customer of that entity in accordance with the entity’s own AML/CFT policies and procedures. In reliance relationships, that is, the third party will usually already have a business relationship with the customer that is independent of the relationship to be formed by the customer with the relying institution. The third party will therefore have onboarded the customer in accordance with its own AML/CFT policies and procedures. In a typical reliance scenario, a prospective customer will assert identity to the relying LFI using a digital ID system, at which point the third party will be prompted by the system to authenticate the person’s identity and (per condition 1 above) immediately provide relevant identification and verification information to the relying LFI. In all reliance relationships, the ultimate responsibility for CDD measures remains with the LFI that relies on the third party.
7 See also Guidance for Financial Institutions adopting Enabling Technologies, section 3.90 for additional detail related specifically to the outsourcing of biometric activities.