2Shakes Electronic Identity Verification:
Part 3 of the IDV Code of Practice
This page provides details of how electronic ID Verification in 2Shakes relates to each section of part 3 of the New Zealand Department of Internal Affairs Amended Identity Verification Code of Practice 2013.
The information below is for the benefit of New Zealand AML/CFT Reporting Entities to include or refer to it in their own AML Programmes.
A PDF version of the following information is also available for you to download.
The IDV Code of Practice Section 3 consists of Sections 14 to 18. Please find in the following information how 2Shakes meets each section.
· Section 14: Definition
· Section 15: Verification checks required
· Section 16: Duplicate ID check
· Section 17: Attributes of the sources of data
· Section 17a: Accuracy
· Section 17b: Security
· Section 17c: Privacy
· Section 17d: Method of information collection
· Section 17e: Link customer to claimed identity
· Section 17f: Source is a Government Body
· Section 17g: Source is additionally verified by another reliable source
· Section 18: Wording for your AML/CFT compliance programme
Section 14: Definition
2Shakes meets this definition of electronic identity verification described in section 14.
Section 15: Verification checks required
2Shakes uses the Centrix SmartID service. The table below shows the Centrix SmartID logic used to match name, date of birth and address against electronic data sources as outlined in section 15 of the Code of Practice.
This verification must match either a driver license or passport as a primary step in the electronic verification process.
Additionally, Centrix SmartID includes a Politically Exposed Person (PEP) check, required under
section 26 of the Act.
Section 16: Duplicate ID check
2Shakes automatically checks to ensure that you have not previously ID Verified a person with the same name. If name does match a previous record, you are able to interrogate this further to determine if it is the same identity or not.
- 2Shakes can automatically check for duplicate names because you store all your CDD (both electronic IDV and manual documentary ID records) in one place – 2Shakes’ cloud platform.
Section 17: Attributes of the sources of data
The Code of Practice asks that the data sources used for electronically verifying identity are accurate, secure, maintain privacy, are linked to the individual, come from government or from another reliable source.
Section 17a: Accuracy
Centrix SmartID matches information provided by individuals in real-time against trusted online databases. SmartID uses a method know as an Application Programme Interface (API) to allow the 2Shakes application to securely send client information that is verified directly against the source data systems. This means data is matched against the most up-to-date information available.
The SmartID service in 2Shakes has on average successfully verified an individual’s identity and address in over 85% of cases. In a further 10% of cases the identity was successfully verified with just the address needing to be verified manually. (Figures as at April 2020).
Section 17b: Security
All information in 2Shakes is securely protected on Microsoft’s world-class Azure cloud platform. 2Shakes have resilient geo-redundancy across two data centres in Australia, maintaining data sovereignty since the information is in a 5-eyes country but not subject to the Patriot Act in the USA.
2Shakes has completed NZ Department of Internal Affairs 105 questionnaire on secure cloud computing for government. The system has also undergone security assessments from MBIE and ACC, as well as an ACC Privacy Impact Assessment. This again provides an independent confirmation that we are storing client information safely and securely online.
Access to 2Shakes is restricted by users’ names and passwords with optional 2-Factor Authentication.
All information transmitted from 2Shakes to Centrix is securely encrypted using industry standard protocols.
Section 17c: Privacy
2Shakes adhere to the principal of Privacy by Design, privacy and protection of data were designed into our solution from the beginning. 2Shakes was developed to meet the New Zealand Governments strict requirements for Privacy and Security.
NZ Privacy Act requires that individuals only get asked for the information that is needed by the company they are dealing with. When you use 2Shakes the fields and selections you make only ask for required information. We have also designed our system in a way that prevents inadvertent sharing of private information.
For an electronic ID Verification, 2Shakes requests only the information required to meet the AML/CFT legislation, being an individual’s first, middle and last names, Date of Birth, Gender and address, and well as a primary identity document:
- Driver License: License number and version number
- Passport: Passport number and expiry date
Consent is required of the person whose identity you wish to verify. If you have selected to send an email link to this person then they are asked to give their consent when completing the online ID verification. If you are entering ID details on their behalf, then you are required to confirm that you have their consent.
Section 17d: Method of information collection
Electronic ID Verification can be completed by either the individual customer or the reporting entity entering the information into 2Shakes.
With the Send IDV Email option, ID information is collected remotely by sending the customer a unique URL link contained in an email. They click on the link, enter the required information, and consent to t being verified.
With the I’ll Do the IDV-Electronic option, the customer provides the reporting entity with the required information (through any means, including email, phone or in person). They also must provide consent for the information to be electronically verified. The reporting entity then enters the customer information for verification in 2Shakes, as well as confirming the verification has been consented.
Section 17e: Link customer to claimed identity
2Shakes always carries out either a Passport or Driver License verification via DIA or NZTA respectively. No electronic ID Verification can be completed successfully in 2Shakes without either of these two documents being electronically verified. Before the issuing of a Driver License or Passport, DIA and NZTA ensure they have linked the document to the actual individual, including a photograph that includes the biometric link.
2Shakes also includes additional measures that also link the person to their claimed identity. Depending on how 2Shakes has been configured, additional links to the individual can come from:
- Email sent to the individual
- Mobile phone texts sent to the individual
- The verification of other information provided by the individual (through Authority to Act linking at a government agency) including IRD number – IRD and ACC), and Companies Office details.
2Shakes reminds reporting entities that the responsibility to ensure the information provided relates to the individual they are dealing with, ultimately rests with the reporting entity. If needed, the reporting entity should consider additional steps such as (but not limited to) meeting in person, video and/or telephone calls, or any other steps they wish to take to satisfy their AML Programme.
Any additional steps taken can be recorded in 2Shakes under Notes & Files for future review and audit purposes.
Section 17f: Source is a Government Body
The following Government sources are used as the primary identification method:
- DIA Passports Database
- NZTA Driver License Database
The Passport or Driver License must be electronically verified for the ID Verification to succeed.
If the Passport or Driver License cannot be verified electronically, 2Shakes reverts the ID verification to Manual, and allows the reporting entity to record ID verification steps (including scanned files) in Notes & Files, and to mark the ID Verification as Done.
Section 17g: Source is additionally verified by another reliable source
Along with a verified Driver License or Passport, SmartID completes the ID and address verification rules (see s15 above) using a comprehensive set of databases (as allowed for by the Credit Reporting Privacy Code 2004). These verification steps use the following Government and private, reliable, independent sources:
- LINZ/NZ Property Owner Database
- Retail Energy accounts
- Finance companies
Section 18: Wording for your AML/CFT compliance programme
The IDV Code of Practice provides a safe harbor for AML reporting entities.
To comply with the code of practice while using 2Shakes, you can:
- Refer to the web page https:/2shakes.co.nz/IDVCOP in your AML Programme,
- Insert the contents of this document (or the webpage) in your AML Programme,
You can also insert similar text to the following, in your AML Programme:
As per the New Zealand Department of Internal Affairs Amended Identity Verification Code of Practice 2013. 2Shakes Limited is a reliable and independent method of carrying out Electronic Identity Verification. 2Shakes checks name, date of birth, address and PEP status from independent and reliable electronic sources. 2Shakes automatically matches on name to ensure that no person with this name has been identity checked before.
a. Depending on circumstances, 2Shakes can reliably and independently be used to:
- Electronically ID verify individuals in 2Shakes (via Centrix SmartID). The SmartID includes an electronic Politically Exposed Person (PEP) check.
- Manually record the steps and documentary evidence used in Manually ID Verifying an individual (when original or certified copies of identity documents are sighted in person and the results recorded in 2Shakes).
- With a manual ID Verification, 2Shakes can also be used to either:
i. Carry out an electronic Politically Exposed Person (PEP) check via Centrix, or
ii. Be used to record a PEP check result carried out in another system.
b. 2Shakes Limited electronic ID verification complies with Part 3 of New Zealand Department of Internal Affairs Amended Identity Verification Code of Practice 2013. Details of how 2Shakes Limited meets this code of standard, including the criteria outlined in section 17, are described here https:/2shakes.co.nz/IDVCOP
c. Details around the methods that can be used to supplement electronic identity verification are given here https://2shakes.co.nz/eidvreport/
NB: You should always obtain independent expert and/or legal advice in relation to your AML Programme and how you as a reporting entity comply with the legislation.