Changes to the British Virgin Islands' Anti-Money Laundering and Terrorist Financing Code of Practice, 2008 (the Code) will permit entities in the BVI to use digital verification of identities and receive electronic copies of documents instead of traditional "wet ink" paper-based processes. The amendments, which came into force on 1 August 2018, are further evidence of regulators in the BVI embracing the blockchain revolution and will set a new standard for Know-Your-Client ("KYC") verification in the region.
The changes are well-timed with an increase in digital KYC service providers, working to find solutions to the traditionally time-consuming and paper-heavy task of client due diligence. Such providers include those utilising cryptographic technologies, whereby customer information is uploaded and encrypted onto the blockchain. Such solutions allow customers to maintain control of their information, whilst giving businesses direct access to data, the ability to track any alterations therein and to rely on the immutable nature of the blockchain.
Overview of the existing legislation
The Code supplements a suite of anti-money laundering legislation in the British Virgin Islands, which includes the Proceeds of Criminal Conduct Act, 1997 (the Act) and the Anti-Money Laundering Regulations, 2008 (the Regulations). While the Act applies to all BVI persons (including BVI-incorporated entities) and sets out the principal money laundering offences, the Code and the Regulations apply only to certain 'relevant' businesses, which are at a higher risk of money laundering, and set out the identification, record keeping and internal control procedures that such businesses must establish in order to mitigate offences.
Overview of the changes to the Code
Where identity was verified electronically, or with only copies of documents, a business caught by the Code was generally required to treat the customer as high risk and apply additional, enhanced verification checks. Electronic checks were intended to be supplementary only and not a replacement for hard copy, wet ink verification. Whilst the explanation notes to the Code referred to using third parties to verify data, there were no direct authorisations in the Code itself.
The revised Code expressly allows businesses to use electronic or digital means to verify identity and to engage, and rely on the data of, a third party to carry out verification. In doing so, businesses must be satisfied that such third party:
- is independent from the business engaging it and from the customer to whom the verification relates;
- utilises a wide multiplicity of sources, including positive information sources (to confirm the existence of a customer), negative information sources (such as databases relating to fraud, criminal convictions and deceased persons) and alert data sources;
- has transparent processes which can be reviewed and assessed by the appointing business;
- has not been convicted of a criminal offence or sanctioned for breach of data or providing misleading data; and
- obtains and stores information which is sufficiently extensive, accurate and reliable.
Businesses must record the steps taken in engaging with third parties, their approval of the third party's procedures and the satisfaction of the above conditions. If a third party provider is used on a continuing basis, the business must review satisfaction of the above conditions at least once every three years. Where electronic or digital verification fails to make any significant discovery in relation to the customer which could have otherwise been discovered with care and diligence, full responsibility, lies with the business.
Where a business relied on a copy of a document provided by a customer, that document was required to be certified in a prescribed and lengthy manner by an independent certifier bound by professional or statutory rules of conduct. Repeated attempts to ensure the certification matched the Code's requirements often resulted in lengthy delays.
Where a business relies on a copy, a certified copy will no longer be required unless the business, having regard to appropriate risk assessment, considers that the uncertified copy may not be authentic, may be doubtful or generally has a concern with the uncertified copy. Where such concerns exist, the copy may be certified in any manner the business deems appropriate, provided that the certification includes the name, address and signature or seal of the certifier and the date of certification. The onus is on the business to determine whether the certifier is competent and has the authority to provide a reliable certification.
Non-face to face business relationships
A business was required, as far as possible, to meet customers face-to-face. Where face-to-face verification was not possible, businesses were generally required to regard such relationship as high risk and apply enhanced verification checks. This approach recognised a heightened risk of identity theft where only documentary evidence is relied upon.
Where identity is verified by electronic or digital means, rather than face-to-face, the business will not need to apply enhanced verification checks unless the business regards the customer to be, in actual fact, high risk or otherwise has doubts over authenticity of the documents provided.
Consequences and use cases
These changes present an opportunity for BVI entities to adopt forward-thinking and technologically supported anti-money laundering policies, with the comfort of regulatory backing.
A number of entities will turn to blockchain's distributed ledger technology, for its immutable and instantaneous qualities, and the ability to encrypt data. Such providers include SelfKey, who were advised by Appleby in connection with their initial token offering in January 2018. SelfKey's platform, KYC-Chain, can, among other checks, compare uploaded identity documents with selfies and live video, providing face-to-face style verification. Such digital checks, combined with the use of the blockchain, may have the ability to grant greater comfort in customer identification than traditional, wet ink requirements.
The amendments will also provide comfort to the increasing numbers of token issuers wishing to incorporate in the BVI. Whilst most utility token issues will not fall within the scope of the Regulations and the Code, we advise that issuers align their due diligence process with the Code as much as possible, in anticipation of changing legislation and to generally protect issuers from falling foul of the Act. With a large proportion of token issuers utilising the services of third parties to electronically verify the identity of participants, the amends to the Code validate this approach and provide a useful gauge of the BVI legislator's forward thinking in this area.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.