Combating Impersonation risk via the new JMLSG

Up until now, the UK has allowed merchants to create a relatively frictionless on-boarding process using historic database data matching. As such, the use of historic data from data brokers has been a very popular solution for KYC in the UK for remote situations, such as online.
During this time, historic data has been an appropriate method of ‘identifying’ a customer to meet the 2014 Joint Money Laundering Steering Group (JMLSG) requirements. Historic data, however, falls short in ‘verifying’ a customer under the new 2017 Draft UK JMLSG, in that it very often cannot be shown to be ‘up-to-date’ and it is insufficient by itself to meet Anti-Money Laundering (AML) enhanced due diligence (EDD) requirements.

The challenge with historic data lies in the ubiquity of social media, the increase in phishing and social engineering, and the sheer scale and impact of database breaches and hacks. These have exposed personal data that was once secret, or non-public, to fraudsters, making it easier than ever for a fraudster to impersonate someone online.

Data Recency
In order to keep up with the tightening of AML regulations, the 2017 Draft UK JMLSG has included the need for ‘recent’ or ‘up-to-date’ data and information to create a real-time verified KYC profile of the customer and to meet EDD standards.

This is highlighted in the 2017 Draft UK JMLSG where it states:

5.3.39A “for example, in relation to data sources used, or recency of information”

5.3.37 “The information maintained should be kept up to date, and the organisation’s verification – or re-verification – of different aspects of it should not be older than an agreed set period.”

This means data brokers and other KYC providers using static data will need to find ways to incorporate ‘recent’ and ‘dynamic’ data in order to stay compliant.

Enhanced Due Diligence
What is interesting and generally overlooked by many firms is that electronic verification by itself is insufficient to meet the requirements of EDD.

EDD is a requirement for most high-risk and/or remote transactions, which means that firms that operate almost exclusively online should consider that all their clients fall into this category, unless they have mitigating measures.

Previously, the 2014 JMLSG only required regulated merchants to “identify” a customer by either electronic verification or document upload. Under the draft 2017 JMLSG, however, these two methods are seen to fall short in “verifying” a customer. Therefore, regulated merchants must now “verify” a customer by either document upload or electronic verification in conjunction with at least one of the following:

  • verified payment, from a monetary financial institution in the EEA or a low risk jurisdiction, or
  • confirmation of address, by sending a verification letter, provided that the address is validated first as being linked to the customer via a public source (e.g. electoral roll or telephone index), or
  • confirmation of customer details via a call to a fixed landline, if the landline is linked to the customer via a telephone directory, or
  • certified/notarised documents to follow by post.

Most firms rely upon the verified payment option, as SWIFT and SEPA transfers include name and verification details of the customer.

iSignthis provides an alternative to receipt of verified payment by SWIFT or SEPA: it uses regulated credit and debit cards instead, and then verifies the underlying account by proving control of the account, consistent with UK JMLSG Part II s3.48.


This post is sponsored by iSignthis. Content written and provided by iSignthis. PlanetCompliance only publishes sponsored content from companies whose products and services we think our audience will find valuable or interesting. For more information please contact iSignthis at or visit