Compliance
      Back to home
      1. Knowledge Base
      2. Product Documentation
      3. Compliance

      Customer Identification Procedures

      About iComply

      iComply Investor Services is a global compliance software provider that helps compliance teams
      enhance, improve, and transform their entire client lifecycle management for KYC and AML workflows while providing a seamless user experience to their KYC subjects.


      The iComplyKYC platform is a digital compliance administrator that leverages edge computing,
      machine learning/vision, and AI to provide companies with dynamic, guided KYC portals. Compliance teams can configure and monitor portal workflows to securely gather, validate, and encrypt client data and documentation before it leaves their device.

      Document Overview

      This document outlines how entities are identified and the steps involved in the compliance
      process(es) provided by iComply. The iComply platform is fully modular meaning that any of the
      following modules may be used independently or in a workflow configuration of multiple modules. Each workflow is deployed as an encrypted and secure portal to gather, authenticate, and verify entity information for KYC documentation, AML screening, and regulatory reporting purposes.


      Third-party services may be utilized in a streamlined workflow to perform each step. Depending on your configuration, these services can be provided by iComply, our partners, or you may integrate your preferred vendors (KYC Enterprise licenses only).


      Process Description for Natural Persons

      The following modules can be deployed via the iComplyKYC portal and used to verify,
      authenticate, and document the identity of a user in a non-face-to-face environment:
      - User Onboarding
      - Document Authentication
      - Identity Data Verification
      - Biometric Authentication
      - Liveness Detection
      - Live Face Matching
      - Supporting Documents
      - Enhanced Due Diligence

      User Onboarding

      The user onboarding module can be delivered as a web form within your portal (for scenarios such as user onboarding) or can be passed directly into the portal (using an API or similar technical solution). All data submitted via either method is prescreened and then encrypted within the portal before being sent to a server to begin third-party verification workflows.

      Via Web Form

      1. The user utilizes a web form embedded into your website and enter their personal information and address details. The data collected is as follows:

      1. The web form contains logic for data validation, bot detection, cyber-fraud monitoring, and preliminary user screening (i.e. jurisdiction, age, digital fingerprints).
      2. Additional hardware, software, behavioral, geolocation, and connectivity information (i.e.device IDs, IP Addresses, etc), may also be collected for fraud detection purposes.

      Via API

      1. User data is passed directly into the iComplyKYC portal and is encrypted before leaving the user’s device.
      2. You have the option to use the data to prepopulate the web form in the portal (i.e. to have the user confirm data accuracy), or bypass the web form entirely and move the user into the next step of the workflow.

      Via API + Web Form

      1. The user’s current data is passed into the web form via API to prepopulate fields for Personal Information and Address Details. 
      2. The user can review, edit, and submit the data populated into the web form(s). 
      3. This feature is best suited for applications where the user may need to correct or update their KYC data.

      Identity Document Authentication

      The document authentication process is designed to detect fraud, validate document authenticity, and verify user information such as name, address, date of birth, and jurisdiction of domicile, among others. The process is split into two stages; authentication which—in jurisdictions where possible—is largely performed on the user’s device, and verification which can involve third-party services and data sources including the applicable government for that user. 

      This comprehensive process includes a suite of high-performing technologies configured into a series of steps including:

      1. The user selects a supported document type and then uploads an identity document into the portal. Please see the Document Authentication Coverage list for details on supported documents by jurisdiction.
      2. Based on the user’s jurisdiction, a range/set of document files will be loaded into the portal and used to authenticate the User’s document.
      3. Depending on the type of document used for verification, either one or both sides of the document may be required (i.e. one side is required for a passport whereas a driver's license or government-issued ID card typically requires both sides).
      4. Machine Vision Technology is first used to determine if the document image is viable (blur, glare, fingers in front of text, barcodes, security features, etc).
      5. Machine Vision Technology is then used to analyze the document for the presence of security features, detect potentially fraudulent documents, read the MRZ or barcode, and confirm a match to the corresponding identity document validation file.
      6. Optical Character Recognition (OCR) technology is then used to read the data from the identity document and perform the following checks:
        a. MRZ or barcode data match;
        b. User onboarding data match.
      7. If any errors occur, the failure is logged and the user may be required to submit additional photos of their identity document, upload additional supporting documents, or enhanced screening during the identity verification process. 
      8. If the document undergoing authentication includes an image of the identified individual, the image is extracted from the document, encrypted, and held for analysis during the identity verification and facial matching processes.
      9. Once the document authentication process is complete the user data, test data, and data hashes are encrypted and securely stored* on the iComply platform by the client’s data retention requirements.
        *Clients may provide their servers to store their user data, speak to your account manager for more information.
      10. In some configurations, such as where document verification may be required, the document image may then be sent to a qualified third party for matching or verification against a government-issued identity document template, government agency database(s), or trusted and approved service provider.

      Identity Verification

      Digital identity verification is a process used by computer systems to represent a unique person, organization, application, or device. So for a natural person or legal entity, a “digital identity” is a trusted way of validating one or more attributes about the client, either online or offline, and then linking those validated attributes to a uniquely identifiable client. The identity verification process can change significantly by jurisdiction. 

      iComply’s primary sources for validating uniquely identifiable attributes are public data records. In our experience, identity verification services that rely solely on credit data have lower match rates and expose clients to significant privacy and technology risks such as the massive data breaches that frequently occur at these same credit agencies. However, in many jurisdictions, there may be legislated requirements to use data provided by credit headers, utilities, or mobile communications providers. In these cases, iComply uses qualified third parties with the appropriate licenses and current cyber-security certifications to validate attributes solely for digital identity verification. 

      Our data sources include more than 33 billion records and tens of thousands of resources and data is updated on monthly, daily, hourly, or near real-time maintenance cycles. We access a wide variety of data sources to meet the varying requirements across jurisdictions on a real-time basis including:

      Corporate Registries

      Reverse Lookup

      Professional Licenses

      DEA CS License

      Bankruptcy

      Mobile Providers

      Property Assessment

      FAA Aircraft Registry

      Driver’s License

      Civil Court Filings

      Credit Headers

      FAA Pilot License

      Geolocation

      Motor Vehicle Registries

      Concealed Weapons Permit

      Firearms & Explosives License

      Subscriber Identity Modules

      Hunting/Fishing License

      Voter Registration

      Property Deed Search

      Directory Assistance

      Person Search

      Criminal Conviction

      Accident Registries

      Internet Domain Name

      Merchant Vessels

      UCC Filings

      Companies House

       

      Biometric Authentication

      iComply supports two methods to complete a Biometric Authentication using Facial Matching; Live Face Match or Selfie Upload. 

      While the selfie upload is typically faster and more convenient for the user, it also represents an inherent weakness to fraud including manipulated images, stolen images (such as publicly available images from the individual's social media profiles), deep fake images, and more. 

      On the other hand, Live Face Match can take longer, and requires the user to have access to supported hardware and software, but can easily be used to prove that the user behind the screen is the same user whose identity is being authenticated, validated, or reverified. 

      The system administrator can configure settings for Biometric Authentication including:

      • Biometric Facial Match Confidence and Sensitivity
      • Liveness Confidence and Sensitivity
      • Auto-acceptance for straight-through processing where no potential issues are identified
      • Auto-assignment for escalations where potential issues are identified

      Facial Matching

      Facial matching is the process of comparing an image submitted by the user to the photo on their authenticated government-issued identity document. In many jurisdictions, facial matching is still not an explicit requirement for customer identification. However, in most of these same jurisdictions, there are requirements that a risk-based approach be applied and that a strong client authentication program is easy to demonstrate, audit, and review. In our experience, the facial matching process is a minimum requirement to ensure that the user behind the screen is the same user whose identity documents are being authenticated.

      Depending on your workflow configuration, the user can be directed through either the Live Face Match or Selfie Upload workflows to complete the Biometric Authentication processes.

      Liveness Detection

      Liveness detection is the process of ensuring that the user behind the screen is a living person by analyzing the user’s camera feed to confirm movement. There is a wide range of variability in how Liveness is performed including “blink detection”, facial expressions and movements, and gesture detection. 

      Processes that employ blink or motion detection are inherently weak as they only are capable of verifying basic information. For example, blink detection focuses on tracking the user’s face, locating their eyes by searching for the whites of their eyes, and then waiting to see if the whites of their eyes disappear - such as when they blink. Often, these processes can easily be cheated by simply taking a photo of the KYC subject, such as the one found on their identity document, holding it in front of the camera, and briefly covering the whites of the eyes in the photo. 

      Due to these vulnerabilities, iComply employs a combination of edge computing and machine vision techniques to generate a Live Face Match which includes a randomized series of liveness tests. Randomization is based on the number and type of tests activated in the system, such as detecting facial expressions: Neutral, Happy, Sad, Angry, and Surprised. 

      Live Face Match

      The Live Face Match module directly accesses the user’s camera hardware on their device to check in real-time if the user being identified is present, assess for deep fakes, detect fraud and suspicious behavior, and interact with the user to perform a facial match against the biometrics extracted from their identity documents, or if enabled, biometrics on file.

      1. The User begins a Live Face Match by activating the feed in the portal and allowing the program access to their camera. 
      2. Once initiated, the user is requested to look at the camera with a neutral facial expression to form a facial recognition baseline.
      3. A unique test program is assembled for every User journey based on the User’s jurisdiction, hardware, software, and workflow configurations, and test orders are randomized enabling hundreds of thousands of possible configurations. 
      4. The test program is then encrypted and sent to the User’s device to ensure the test is performed in the same jurisdiction the User’s device is currently in.
      5. Once a neutral facial expression is detected the program will simultaneously execute a battery of tests including:
      6. A series of facial expressions and gestures are randomly selected, ordered, and delivered to the user from iComply’s library of Liveness tests. The purpose of this test is to keep the user interacting long enough to ensure the highest degree of integrity in the test. 
      7. As the User interacts with the program, a unique biometric file is created based on the way their face moves (not a facial vector). This file is impossible to trace back to the user (i.e. reverse image search) as it is not an image file, the only way to recreate this file is for the same person to agree to successfully re-verify using the same program.
      8. As the User interacts with the program, machine vision is used to continuously identify and track the User’s face, assess whether other faces that may appear in the video stream, and match the User’s face to the image extracted from their identity document.
      9. As the User interacts with the program, a photo or series of photos may be captured for future audits - depending on your configuration.
      10. As the User interacts with the program, a series of fraud detection measures analyze the feed to detect bots, spoofing, and deep fakes.
      11. Device connectivity and attempts to manipulate the camera hardware are monitored, if present the test will fail and the error logged.
      12. Once the unique test program has successfully completed the data is encrypted on the device, hashed, and the data*, test data, and data hashes are encrypted and securely stored** on the iComply platform in accordance with the client’s data retention requirements.
        *Clients may provide their own servers to store their user data, speak to your account manager for more information.
        **Clients may configure the portal to send data directly from the user’s device to their own server, eliminating the need for user data to be sent to an iComply server.
      13. Should the User’s hardware or software not support live face matching, or should the program fail to initialize, the workflow can be configured to direct the user to a Selfie Upload alternative.
      14. Should the program fail or appear to be interrupted or corrupted during the test, the User will be directed to restart the process.

      Selfie Upload

      1. The user is directed to upload a file from their device or capture a “selfie” photo using the camera on their device.
      2. A facial matching program is loaded into the User’s device to perform the test on their device. This improves fraud detection measures and the user’s experience. The program executes a series of tests:
      3. The image is analyzed for potential fraud and media manipulation, and to ensure the image is viable.
      4. Machine vision is used to compare the face in the selfie against the photo extracted from the identity document submitted for validation.
      5. If problems are detected, the user may be requested to upload an additional image or may be required to capture an image only.
      6. Once the unique test program has been completed the data is encrypted and hashed, and the data, test data, and data hashes are encrypted and securely stored* on the iComply platform in accordance with the client’s data retention requirements. These are versioned to provide a compliance audit trail around future verifications (ie. in the case of an expired identity document).
        *Clients may provide their servers to store their user data, speak to your account manager for more information.

      Process Description for Legal Entities

      The following modules can be deployed via the iComply portal for Legal Entities and used for authentication, onboarding, and screening users globally as individuals or authorized representatives of legal entities. Secure and encrypted KYC Portals support unique regulatory workflows for all ISO-3166 jurisdictions. Legal Entity Portals enable:

      • Nominee Identification
      • Legal Entity Onboarding
      • Legal Entity Record Search
      • Supporting Documents
      • Enhanced Due Diligence
      • Attorney Confirmation
      • Agent Submissions

      Nominee Identification

      To verify the identity of the nominee the user will be directed to the URL that hosts the KYC Portal for Natural Persons. The user will be asked to submit KYC data and documents for onboarding, authentication, and verification according to the unique jurisdictional workflow configurations as outlined in the Process Description for Natural Persons. 

      Legal Entity Onboarding

      Once a portal user has been successfully identified, they can complete Legal Entity Onboarding as a verified user. While it is possible to configure the system to support the onboarding of Legal Entities with unverified users, it is not recommended as this tends to lead to higher rates of fraud, bad data, and increased costs.

      iComply supports three methods of onboarding legal entities: GLEI, manual entry, and corporate record search through a combination of open, public, and private proprietary data sources. The customer-facing LE Portal can support the GLEI or manual entry methods depending on the system configuration. 

      Global Legal Entity Identification Foundation - GLEIF

      Where a Global Legal Entity Identifier (GLEI) process is used, the portal user can search by the legal entity name or GLEI numbers. The portal user can select their company from the search results, review legal entity details, and provide updated key information such as address and contact information. Once submitted through the LE Portal, the legal entity data will be visible in the KYC Dashboard. 

      Companies can manage their LEI through iComply partners such as Bloomberg LEI. https://lei.bloomberg.com/

      Manual Entry

      When using the manual entry method, a portal user will be able to enter legal entity information, and review, and confirm their submission. No validation is performed at the submission stage. Once submitted through the portal, the legal entity data will be visible in the KYC Dashboard. In the KYC Dashboard, users may review, update, approve, or reject the submission, or initiate a Legal Entity Verification request on the legal entity.

      Open, Public, and Proprietary Data Sources

      When using the entity search tool to Add a Legal Entity, a new search is run to analyze billions of data points -  including search engine data, blogs, news, social media, watchlists, ownership records, registries, and other entity data - in real-time. Each search consolidates potential results into entity profiles for further disposition, investigation, and reporting.

      Legal Entity Verification

      Identity verification on legal entities can be completed almost instantly when sufficient data is available - such as when the legal entity has a valid GLEI file. For private companies, the GLEI data is often stale, or may not exist at all. In these cases, an Investigation into the company can be initiated to search open, public, and proprietary data sources to disposition the identity of the legal entity, documents, and related parties.

      Legal Entity Investigation

      Investigations can include tasks such as authenticating authorized contacts, directors & officers, addresses, proof of incorporation, and proof of residency. A search for a Legal Entity can be submitted in the dashboard, through workflow automation, or via the API.

      Legal Entity Addresses

      Address verification may require supporting documentation, biometric authentication, and manual processing. Authorized representatives of a legal entity can update their primary and secondary addresses through the Legal Entity Portal. 

      Address information can be validated against third-party data sources or automated processing. In exceptions where straight-through processing is not possible, the Issue will appear on the Legal Entity’s profile for manual review and approval.

      Nominee Authorization

      Once a user has been successfully identified and approved as a natural person, they will be able to submit data about a legal entity for identity and address verifications. Nominee authorization confirms that the identified natural person is authorized by the legal entity to represent the legal entity. 

      Nominee authorizations can be performed by matching the identity of the user to a primary contact, director, officer, or authorized representative of the legal entity. Straight-through processing can be configured but exceptions will still appear in the KYC Dashboard as Issues. Enhanced workflows can trigger Supporting Documents and Enhanced Due Diligence requests to the Legal Entity Portal while the user is still in session. 

      Beneficial Ownership

      Entity relationships can be created and linked in the Legal Entity profile to show beneficiaries above set thresholds of ownership or control. Enhanced Due Diligence workflows can be configured to accept Supporting Documents through the Legal Entity Portal. 

      A Beneficial Ownership search for related entity requests will identify potential beneficiaries through GLEI, open, public, and proprietary sources.

      Ultimate Beneficial Ownership

      In many cases, the list of Beneficial Owners can include legal entities, such as companies, trusts, organizations, etc.. Ultimate Beneficial Ownership reviews can be managed in the Legal Entity profile by initiating Beneficial Ownership reviews on all entities listed that are not Natural Persons. 

      Supporting Documents

      Throughout the customer due diligence lifecycle, Supporting Documents are frequently required to verify identities, addresses, beneficiaries, tax residence, creditworthiness, etc. Supporting Documents can be added to unique workflows varying by industry, jurisdiction, risk level, or portal. 

      Requests for Supporting Documents can be triggered by the User while they are in the Legal Entity and Natural Person Portals, they can also be triggered through the Entity Dashboard or iComply API.

      Custom Questions

      During the customer due diligence lifecycle, it's essential to gather specific information that may not be covered by standard forms. To address this, our platform allows you to add custom questions to the onboarding portals. These custom questions can be tailored to your unique workflows and are adjustable based on industry requirements, jurisdictional regulations, risk levels, or specific portal needs. This feature ensures that you capture all necessary information directly from users, enhancing the accuracy and completeness of your due diligence process.

      Supporting Document Packages

      Our platform offers the ability to create Supporting Document Packages, which combine both custom questions and supporting documents to optimize the onboarding process. These packages are customizable to fit the specific needs of your organization, taking into account industry requirements, jurisdictional regulations, risk levels, and more. By grouping custom questions with required supporting documents, you can ensure that all necessary information and verifications are collected in one cohesive workflow, simplifying the customer due diligence process and improving overall efficiency.

      Enhanced Due Diligence

      Enhanced Due Diligence workflows are frequently required in day-to-day user onboarding, KYC reviews, and annual tax or financial reporting. Thresholds and triggers can be configured to request Supporting Documents and other Services such as Identity Verification, Beneficial Ownership, or Third-Party confirmations. 

      The KYC Dashboard enables users to review pending requests, submit additional requests, and manually upload submissions for cases where a KYC subject has submitted the information through another channel, such as an unsecured email.

      The KYC Portals actively monitor the data submitted by the KYC Subject to assess for Enhanced Due Diligence thresholds. If a threshold is crossed, such as if the user is required to supply two pieces of address information in their jurisdiction, the additional KYC Request is triggered - in this case, the user could be presented with a web form to upload a recent bank statement or utility bill that shows their address. 

      Additional KYC Services can also be triggered by Enhanced Due Diligence thresholds. Jurisdictionally specific workflows can enable variations such as the percentage of ownership required for a Beneficial Ownership request. 

      Reporting 

      iComply provides the ability to generate comprehensive reports in either PDF or DOCX format. These reports are designed to capture all pertinent details regarding a Legal Entity or Natural Person, providing users with a complete overview of the entity’s information and associated data.

      Reports can be generated from within the entity’s profile, ensuring all relevant details are included based on the system’s configuration. The content and structure of the report will vary depending on the settings outlined later in this guide, ensuring that the report aligns with the user’s specific requirements.

      Reports Include:

      Automations

      During the customer due diligence lifecycle, automating routine tasks can streamline workflows and reduce the interaction points required. Our platform’s automation features allow administrators to configure and optimize processes for efficiency. 

      Auto Acceptance

      Auto Acceptance is an event-based automation that enables the system to automatically accept entries when no issues are detected during key compliance checks. When enabled, the following events will trigger auto-acceptance during a portal submission:

      1. Identity Authentication Event: Automatically accepts if the identity data provided by the user matches existing information within the KYC profile.
      2. Document Authentication Event: Validates and accepts identity documents based on authenticity checks.
      3. Biometric Authentication Event: Confirms identity through methods like liveness testing or selfie uploads, ensuring the individual matches their digital profile.

      Once these events are successfully triggered and completed within the portal submission, the entry’s status updates to “auto-accepted,” allowing a smooth continuation of the due diligence process.

      Auto Assignment

      Auto Assignment allows administrators to configure country-specific settings to streamline case routing and ensure efficient review allocation. This feature enables assignments by jurisdiction and specific event types, ensuring each entry is directed to the most suitable reviewer based on compliance needs and resource availability. Country-specific assignments can be set for entity profiles, identity authentication events, document authentication events, biometric authentication events, and supporting documents.

      Entity Profile Automations

      Entity Profile Automations empower administrators to set actions on Pending KYC requests when the status is Accepted, and at least one AML case is closed. These options allow for tailored compliance workflows as follows:

      • Next Periodic Review: Administrators can configure periodic reviews at specific intervals (e.g., days, months, years) for ongoing monitoring.
      • Set Profile Status To: Automatically updates the entity’s profile status to “New,” “Review,” “Escalated,” “Approved,” “Rejected,” or “KYC Refresh” based on configured parameters.
      • Set Risk Level To: Sets the entity’s risk level on a predefined scale from Low Risk (1) to High Risk (5), facilitating accurate risk classification.
      • Approved Entity Profile: Adjusts the profile’s status from “Approved” to another state (e.g., “New,” “Review,” “Escalated”) if a “Request for Update” event occurs or if new issues arise in an existing case.

      Next KYC Review Date and RCU Triggering

      The platform’s automation features support Request Client Update (RCU) processes, which can be automatically triggered when the “Next KYC Review Date” arrives. This automation applies to both Natural Person entities and Legal Entities, helping maintain current information with minimal manual intervention. Once the scheduled review date is reached, the system sends an RCU email to the user, prompting them to confirm existing information or submit updated documents as needed. This proactive approach ensures that due diligence information remains up-to-date and compliant with regulatory requirements.

      Third-Party Representatives

      Legal counsel, nominees, and powers of attorney are examples of third-party representatives that can be Authorized to submit information on behalf of a legal entity. 

      In jurisdictions where straight-through processing is not possible, whether due to regulation or market availability, third-party representatives such as legal counsel become an integral part of the KYC customer lifecycle. 

      Configure Enhanced Due Diligence workflows to include a review by the legal entity’s legal counsel or board of directors. Authorized representatives can review and confirm the information submitted by their clients for:

      • Beneficial Ownership
      • Regulatory Reporting
      • Financial Records
      • Board Resolutions
      • Annual Filings
      • Tax Reporting