2Shakes and the IDV Code of Practice

Section 17a: Accuracy

Centrix SmartID matches information provided by individuals in real-time against trusted online databases. SmartID uses a method know as an Application Programme Interface (API) to allow the 2Shakes application to securely send client information that is verified directly against the source data systems. This means data is matched against the most up-to-date information available.
The SmartID service in 2Shakes has on average successfully verified an individual’s identity and address in over 85% of cases. In a further 10% of cases the identity was successfully verified with just the address needing to be verified manually. (Figures as at April 2020).

Section 17b: Security

All information in 2Shakes is securely protected on Microsoft’s world-class Azure cloud platform. 2Shakes have resilient geo-redundancy across two data centres in Australia, maintaining data sovereignty since the information is in a 5-eyes country but not subject to the Patriot Act in the USA.
2Shakes has completed NZ Department of Internal Affairs 105 questionnaire on secure cloud computing for government. The system has also undergone security assessments from MBIE and ACC, as well as an ACC Privacy Impact Assessment. This again provides an independent confirmation that we are storing client information safely and securely online.
Access to 2Shakes is restricted by users’ names and passwords with mandatory 2-Factor Authentication.
All information transmitted from 2Shakes to Centrix is securely encrypted using industry standard protocols.

Section 17c: Privacy

2Shakes adhere to the principal of Privacy by Design, privacy and protection of data were designed into our solution from the beginning. 2Shakes was developed to meet the New Zealand Governments strict requirements for Privacy and Security.
NZ Privacy Act requires that individuals only get asked for the information that is needed by the company they are dealing with. When you use 2Shakes the fields and selections you make only ask for required information. We have also designed our system in a way that prevents inadvertent sharing of private information.
2Shakes requests only the information required to meet the AML/CFT legislation, being an individual’s first, middle and last names, Date of Birth, Gender and address, and well as a primary identity document:

• Driver License:   License number and version number (plus card number if required for Australian ID verification)

• Passport:    Passport number and expiry date

Consent is required of the person whose identity you wish to verify. If you have selected to send an email link to this person then they are asked to give their consent when completing the online ID verification. If you are entering ID details on their behalf, then you are required to confirm that you have their consent.

Section 17d: Method of information collection

ID Verification can be completed by either the individual customer or the reporting entity entering the information into 2Shakes.

Biometric

When using the Biometric IDV option 2Shakes sends the client an email, and they enter their mobile number. We then send a text with a secure link for them to complete Biometric data collection and checks on their mobile phone. The data collected is then sent for verification, and the results presented to you to Accept/Decline.

Electronic (Data Only)

With the Electronic option, ID information is collected remotely by sending the customer a unique URL link contained in an email. They click on the link, enter the required information, and consent to it being verified.

With the I’ll Do the IDV-Electronic option, the customer provides the reporting entity with the required information (through any means, including email, phone or in person). They also must provide consent for the information to be electronically verified. The reporting entity then enters the customer information for verification in 2Shakes, as well as confirming the verification has been consented.

Remember: If you change the default from Biometric to Electronic IDV you must take Additional Measures to meet the requirements.

Section 17e: Link customer to claimed identity

2Shakes Biometric IDV uses a Biometric check to ensure:

• the ID Document is genuine and has not been altered

• the person is live

• the person biometrically matches the ID Document photo

• and then carries out the normal electronic data verification.

This is in line with Example 2 of the Updated Explanatory Note, and includes:

• robust methods to verify the document's authenticity.

• robust methods to link between the person and the identity document they were presenting.

After the Biometric part is complete, 2Shakes carries out the appropriate data verification. 2Shakes always carries out either a Passport or Driver License verification via DIA or NZTA respectively, or a DVS verification for Australian ID Documents.

No Biometric (or Electronic, if chosen) ID Verification can be completed successfully in 2Shakes without the primary ID Document’s data being electronically verified by the issuer.

For Electronic IDV you must take Additional Measures to link the person to the identity they are claiming.

2Shakes reminds reporting entities that the responsibility to ensure the information provided relates to the individual they are dealing with, ultimately rests with the reporting entity. Any additional measures taken can be recorded in 2Shakes under Notes & Files for future review and audit purposes.

Section 17f: Source is a Government Body

The following Government sources are used as the primary identification method:

• DIA Passports Database

• NZTA Driver License Database

• Australian DVS system for Australian Driver Licenses and Passports

The Passport or Driver License data must be electronically verified for the ID Verification to succeed (with final ID verification success subject to the other checks carried out).

If the Passport or Driver License cannot be verified electronically, 2Shakes reverts the ID verification to Manual, and allows the reporting entity to record ID verification steps (including scanned files) in Notes & Files, and to mark the ID Verification as Done.

Section 17g: Source is additionally verified by another reliable source

Along with a verified Driver License or Passport, the verification of data in SmartID completes the ID and address verification rules (see s15 above) using a comprehensive set of databases (as allowed for by the Credit Reporting Privacy Code 2004). These verification steps use the following Government and private, reliable, independent sources:

• LINZ/NZ Property Owner

• Database

• Banks

• Retail Energy accounts

• Finance companies

Section 18: Wording for your AML/CFT compliance programme

The IDV Code of Practice provides a safe harbuor for AML reporting entities.