What is multiple matching and why you should care?
Determining how many and what type of identity checks to undertake is a compliance challenge for regulated entities, especially as the presumption that a 2+2 check is sufficient is long since gone.
Regulated entities are required under the Money Laundering Regulations to take a risk‑based approach to compliance. For identity verification this means the organisation must determine the appropriate identity checks to undertake. The Joint Money Laundering Steering Group’s (JMLSG) guidance states:
“The firm should obtain the following information in relation to the private individual:
- Full name
- Residential address
- Date of birth
“Verification of the information obtained must be based on reliable sources, independent of the customer – which might either be a document or documents produced by the customer, or electronically by the firm, or by a combination of both.”
Putting that into practice means determining whether data or documents or a combination of both checks are appropriate. When assessing data checks the organisation needs to determine what type and how many matches are required. The regulatory guidance is not specific here, as these criteria will be determined by the organisation’s risk assessment; taking into account organisation, customer, product and geographic risk factors.
These checks and the resulting matches are obtained using data from a number of sources including credit bureaux. In the UK there are three primary credit bureaux that hold data on individuals. Whilst much of the data is similar across bureaux, there are often differences that mean one or other bureau has more data on a specific individual for matching purposes. This could be because financial services providers that contribute data to the bureaux do not provide it to all three bureaux, or the bureau simply has no record of the individual. Only relying on the data from one bureau for obtaining sufficient identity matches on individuals will mean that in some cases an individual fails the check because that bureau does hold sufficient data on the individual.
Using two credit bureaux will improve the overall number of matches because the pool of available data is larger. So how does this work in practice? An individual will be checked against the primary bureau’s data using the appropriate criteria to determine the number of matches required. If that individual is not successfully matched the required number of times, then a check is run against the secondary bureau’s data. Successful data matches from the first check are used to exclude duplicates from the second check, for example a second match against a bank account as that could be the same bank account.
To take a real world example, if an individual’s identity has been successfully matched using the electoral roll and a bank account found at the primary bureau however an additional match is still required, then a further match at the secondary bureau would require a different data type, for example a mortgage or a loan account. Or if an individual was found on the electoral roll at the primary bureau but no financial accounts were found there, then a check would be run on the secondary bureau to determine if there was a suitable financial account there to complete the required number of matches.
While the use of two credit bureaux might seem complex, the cost of compliance failure if customers are onboarded with insufficient verification matches can be significant, both in reputational and financial terms. It depends on the severity of non-compliance however in the year 2018-19 the FCA imposed a fine of £102 million on a major UK bank for AML compliance failures.
Jonathan Jensen, GBG Commercial Director Identity, said: “The intelligent use of two credit bureaux delivers an incremental uplift in the customer onboarding success rate. This reduces the need for manual follow up with customers who failed verification and increases customer satisfaction.”