**Israel Securities Authority**

5 Heshvan 5785

November 06, 2024

### **Draft Directive for Payment Companies on the Implementation of Anti-Money Laundering Obligations via Online Identification Technology**

Directive pursuant to Section 11y(g)(c)(1) of the Prohibition of Money Laundering Law, 5760–2000, and Sections 4(b), 5(f), and 8(c) of the Prohibition of Money Laundering Order (Identification, Reporting, and Record-Keeping Obligations of a Payment Company for the Prevention of Money Laundering and Terrorist Financing), 5784–2024.

---

**[Box Text]**

**Draft for Public Comment**

Comments and responses will be accepted until **December 08, 2024**.

**Contact Persons:** Adv. Roni Beckman and Adv. Daphna Mizrahi Gidron

**Tel:** 02-6556434, 02-6556438; **Fax:** 02-6513646

**Email:** seclaw@isa.gov.il; ronib@isa.gov.il; dafnam@isa.gov.il

Please note the procedure published by the Israel Securities Authority regarding the initiation of regulation [link]. According to this procedure, the primary comments from the public will be included in a summary document of the finalized regulation, including the names of the respondents. See also Section 7 of that procedure regarding special requests to avoid publication of names.

**[End of Box Text]**

---

### **General Background**

The Law for the Regulation of Engagement in Payment Services and Payment Initiation, 5783-2023 (hereinafter: the **Law** or the **Payment Services Regulation Law**) authorizes the Israel Securities Authority (hereinafter: the **Authority**) to grant licenses and supervise companies engaged in non-banking payment services.

The services regulated under the Law requiring a license from the Authority are: issuance of payment instruments; clearing of payment transactions; and payment account management—all three being classic payment operations. Additionally, the Law allows for two new and advanced types of technological services: advanced initiation and basic initiation.
These will enable easy and convenient execution of bank transfers, providing a competitive alternative to credit cards for payments to businesses.

Most payment services regulated under the Law have online and digital characteristics; most payment companies do not have branches and offer their services exclusively online.

The primary goal of the Law is to encourage competition in the payment services market by creating an equal opportunity for non-banking, Israeli, and international entities to enter and develop in this field alongside existing banking players, while protecting customer interests. To achieve this goal, it was decided to base the Law on international standards, with necessary adjustments, particularly on the two European directives regulating payment services in Europe—the Payment Services Directive (PSD2) and the Electronic Money Directive (EMD) (hereinafter: **European Regulation**).

---

### **Explanatory Notes**

The Prohibition of Money Laundering Order (Identification, Reporting, and Record-Keeping Obligations of a Payment Company for the Prevention of Money Laundering and Terrorist Financing), 5784–2024 (hereinafter: the **Order** or the **AML Order for Payment Companies**) was approved by the Knesset last August. Its effective date was set for six months after the publication of a directive regarding alternative digital means for identification and verification.

Accordingly, the draft directive is intended to allow payment companies to identify and verify a customer online, without the necessity of a physical meeting, while ensuring the reliability of the identification and mitigating the risks of money laundering and terrorist financing (ML/TF) arising from the use of these alternative means.

The proposed draft directive details the ways in which a payment company must implement the obligations applicable to it under the AML Order when identifying and verifying the identity of customers via online identification technology.
This includes: the implementation of Know Your Customer (KYC) obligations; receiving declarations regarding beneficial owners and controlling stakeholders; managing ML/TF risks; establishing policies; performing controls; retaining documents received during the online process; and managing risks specifically related to alternative identification means.

Similar to the purposes underlying the Payment Services Regulation Law, which was based on European regulatory principles to align Israeli regulation with international standards, the provisions of the AML Order for Payment Companies were also adapted, as far as possible during the legislative process, to advanced international principles accepted in the field of AML/CTF and technological developments.

For example, the term "original signature," which reflects a handwritten signature appearing in other AML orders, was replaced during discussions in the Knesset Constitution, Law, and Justice Committee with the requirement that the "declaration be made in a manner that allows for the verification of the declarant's identity" to enable payment companies to operate digitally with their customers, as is done worldwide.

Another example is the determination in the Order that the service provider must keep a copy of *one* identification document of the customer, rather than the two documents required by other AML orders in Israel. It should be noted that this change is also consistent with accepted standards worldwide and addresses issues raised during committee discussions regarding customer privacy and reducing data security exposures.

Furthermore, the Order provides significant leniency for advanced payment initiation service providers at a low risk level, including an exemption from recording identification details for an occasional customer at low risk based on an ID document, where a low-value transaction is performed.
It should be emphasized that today, various financial entities such as banks, non-banking credit providers, and stock exchange members perform online identification for customers according to directives issued by financial regulators.

The proposed draft directive was also established under the AML Law and the AML Order for Payment Companies and was written in the spirit of the changes established therein, while adapting to globally accepted requirements and technological developments. Therefore, the draft directive establishes several arrangements that differ from the online identification instructions applicable to other financial entities in the economy. Their purpose is to enable various advanced options for online identification while ensuring reliable and accurate identification and maintaining the objectives of the AML Law.

For example, it is proposed to allow the online identification of a service recipient who is not a resident of Israel, while establishing increased controls for such identification. Another example is the addition of a definition for "Online Verification Technology," which will allow payment companies to adopt alternative digital ways to verify the identity of the service recipient, such as verification through the use of open banking or a symbolic bank transfer. The proposed directive even allows for the identification and verification process using one identification document instead of two, and declaring a beneficial owner and controlling stakeholder via an alternative means approved by the Supervisor (not necessarily a vocal declaration).

In light of the above, this draft directive is published for public comment. The Authority's staff invites the public to submit comments and express their positions, among other things, regarding the issues noted at the end of the Regulatory Impact Assessment (RIA) report attached as Appendix A to this draft.

---

### **Section 1 – Definitions Section**

Regarding the definition of **"Service Recipient"** – it is proposed to include in this definition a service recipient who is an individual resident of Israel, an individual who is a foreign resident (provided the country or territory is not listed in the First Schedule of the Order), a corporation registered in Israel, and a "Recognized Entity," whether the service recipient acts for a beneficial owner or not.

Regarding the definition of **"Online Verification Technology"** – this definition includes technologies for verifying the identity of the service recipient, such as: open banking (as defined in the Financial Information Service Law, 5782-2021); a symbolic bank transfer; the ADIB service; a J5 transaction; or an alternative verification means approved by the Supervisor.

### **Section 2 – Preliminary Conditions and Principles for Using Online Identification Technology**

Given the risks involved in online identification, it is proposed to establish conditions in the directive under which a service provider may use online identification technology, as detailed below.

**Section 2(a) – Performing a Risk Assessment**

Pursuant to the obligations in Section 20 of the Order, for the purpose of managing and mitigating risks involved in online identification, the service provider must identify, understand, and assess the ML/TF risks inherent in online identification and implement a plan to minimize the identified risks, including the implementation of appropriate controls. In this regard, the service provider must distinguish, among other things, between a service recipient who is an individual resident of Israel and a service recipient who is a foreign resident or a corporation registered in Israel.

**Section 2(b) and 3 – Policy Establishment and Board Responsibility**

Pursuant to Section 20 of the Order, the service provider is required to establish a policy for the use of online identification technology, which shall include, at a minimum, reference to the topics established in the draft directive.

The Board of Directors must discuss and approve the policy, including a framework for managing ML/TF risks arising from the online identification process, at least once every two years and upon any material change in the service provider's activities, the types of services offered, or the business, technological, or regulatory environment. Additionally, the Board is required to discuss and approve in advance the possibility of using online identification, including the technology to be used. The Board must ensure the implementation and effectiveness of the policy periodically and according to the risk assessment, including by establishing work procedures and receiving regular reports.

**Section 4 – Online Identification Officer**

As part of the obligations in Section 20 of the Order, and to ensure the implementation of the policy as approved by the Board, it is proposed that the service provider appoint an "Online Identification Officer." This may be the AML/CTF Compliance Officer of the service provider, a member of management, or someone directly subordinate to a member of management. It is further proposed that the Online Identification Officer be independent in fulfilling their duties.

The section details the officer's duties, including ensuring work procedures for the recruitment of employees engaged in online identification, including checking their reliability and skills. Additionally, the section details topics for which procedures must be established, including the definition of circumstances under which the online identification process will be terminated based on risk management.

**Section 5 – Internal Audit**

Pursuant to Section 20 of the Order, the role of the Internal Auditor includes, among other things, examining the integrity and effectiveness of risk management processes in AML/CTF when engaging via online identification technology, the existence of weaknesses in internal controls, and the improvement of control procedures in this area of activity.

**Section 6 – Online Identification Procedures**

A service provider may identify a service recipient who is an individual, a proxy on behalf of a corporation, a proxy on behalf of a recognized entity (pursuant to Section 4(a)(6) of the Order), or a beneficial owner, online, through one of the two methods established in Section 6 of the directive.

Identification of a service recipient and beneficial owner performed via online identification technology subject to the conditions of the directive will be considered "face-to-face identification" approved by the Chair of the Authority under Section 8(c) of the Order.

Thus, per Section 4(b) of the Order, verification of identification details as required in Sections 4(a)(1) and 4(a)(2) of the Order may be performed via visual conference technology, instead of presenting an identification document or a certified copy. Identification via visual conference will be done based on an ID document, and the service provider must verify the details against the Population Registry or via online verification technology.

Similarly, verification of identification details may be performed via "Visual Identification Technology" (e.g., automated/asynchronous video), instead of presenting an ID document. Identification via visual identification technology will be done using an ID document presented to the service provider during engagement through the technology. To increase certainty regarding the authenticity of the document, it is proposed to add several technological controls detailed in the directive.
In this regard, it will be clarified that there is no obligation to compare identification details with the Population Registry or verify details with a *second* document bearing a photo and ID number. These provisions allow the service recipient to alternatively use open banking, symbolic bank transfer, or other technologies to verify identification details.

**Section 7 – Visual Conference Technology (Video Conference)**

Identification and verification processes for an individual service recipient performed via visual conference technology requiring real-time video and audio communication will be done based on *one* identification document, as detailed in the directive. The service provider must verify the details against the Population Registry or via online verification technology.

**Section 8 – Visual Identification Technology (Asynchronous/Automated Video)**

Visual identification technology is based on video communication that can be real-time or non-real-time. If the service recipient chooses a non-real-time process, it is proposed to establish additional controls to ensure the image presented is of a real person and not a result of technological manipulation (deepfake), and that the identification was performed legally. Controls are also proposed to increase certainty regarding document authenticity. The service provider must ensure high technical quality (communication, video, audio).

An additional control is that the technology should not allow the manual entry of ID numbers and issuance dates if verification is done against the Population Registry or online verification technology; instead, the technology itself must extract these details from the ID document. Other details (per Section 3(a) of the Order) may be entered by the customer, provided a representative of the service provider checks these fields against the ID document.

It is also proposed to establish a control of verifying the customer's phone number via OTP (One-Time Password).
Section 2(c) of the directive establishes the obligation to obtain an expert opinion from the technology provider, which must be independent and external. The opinion must be prepared legally (per the Evidence Ordinance) and detail the system's capabilities, how identification is performed, and the potential for false identification.

**Section 9 – Occasional Service Recipient**

A service provider may register an occasional service recipient via visual conference or visual identification technology. Alternatively, they may use online verification technology like open banking or symbolic transfer.

**Section 10 – Service Recipient that is a Recognized Entity**

The service provider may perform online identification for a recognized entity via visual conference or visual identification technology after being satisfied by a document that the recipient is authorized to act on behalf of the recognized entity.

**Section 11 – Service Recipient that is a Corporation**

The directive allows the service provider to receive the document required under Section 4(a)(3) of the Order for a corporate recipient online, when signed with an electronic signature (per the Electronic Signature Law, 2001) by an attorney, in place of an original document or certified copy.

**Section 12 – Receiving Declarations on Beneficial Owners and Controlling Stakeholders**

Pursuant to the Order, the service provider must receive a declaration from the service recipient at the time of engagement, in a manner that allows for verification of the declarant's identity, regarding whether they act for themselves or a beneficial owner.

To allow this online, the service recipient shall sign the declaration online, provided the service provider documents the recipient declaring the requirement in their own voice or via an alternative means approved by the Supervisor. These requirements apply to both visual conference and visual identification technologies.
If acting for a beneficial owner, the provider must document the recipient declaring this vocally and perform online identification for the beneficial owner through the methods in Sections 7 or 8.

**Section 13 – Online Identification via Third Party**

The use of outsourcing involves risks, including low-quality service, dependence, potential conflicts of interest, data leakage, and lack of sufficient controls. Therefore, in line with FATF recommendations, it is established that outsourcing of online identification activities will be performed by a provider found suitable in terms of technology, skill, and professional knowledge, provided the relationship is regulated by a well-defined written agreement. The service provider must implement effective monitoring and control. Outsourcing does not reduce or transfer the service provider's legal obligations and responsibilities.

**Section 14 – Know Your Customer (KYC) Process**

The purpose of this section is to clarify that there is no obligation to perform the KYC process via online identification technology, provided the service provider has taken measures to ensure the person answering the KYC questionnaire is the same person identified and verified.

It is further established that a service recipient who is a foreign resident identified online shall be marked as such in the computer systems and be subject to increased monitoring for a period determined by the service provider based on risk assessment. However, the risk level of the recipient will be determined and adjusted according to the KYC process performed.

**Section 15 – Record Keeping and Data Security**

The directive establishes that the service provider shall keep a full digital copy of the identification process, including the video and scans. This does not detract from obligations under Privacy Protection regulations, including provisions regarding biometric databases. Sensitive information must be stored on a secure server and backed up regularly.
Retention requires notifying the service recipient (per Section 11 of the Privacy Protection Law) and obtaining their consent.

To allow for evidentiary validation, the service provider must perform a one-time process for creating an "Institutional Record" of the online identification process, supported by a legal opinion. The institutional record shall include the video taken during identification so that in a legal proceeding, one can directly assess if the person in the video is the person involved in the case.

**Section 16 – Monitoring, Control, and Risk Management**

Pursuant to the Order, based on risk management, the service provider shall consider not performing or terminating an online identification process or blocking payment services based on risk level. If there is a suspicion of money laundering, the provider should consider face-to-face identification or filing an unusual activity report (UAR). The provider must map unique risks and implement a dedicated monitoring system to identify anomalies.

**Section 17 – Approval by the Chair of the Authority**

A service provider wishing to use visual identification technology must obtain approval from the Chair of the Authority. Any material change in the technology or service requires prior approval.

**Periodic Review of the Regulation**

Per Section 36 of the Regulatory Principles Law, new regulation must include a provision for periodic review within 10 years. It is proposed that the first review of this directive take place 10 years from its commencement.

---

### **Draft Directive Text**

**1. Definitions**

* **"Open Banking"** – Verification of a service recipient's identity by receiving information from an information source via the financial information interface system.
* **"Recognized Entity," "Occasional Service Recipient," "Corporation," "Resident," "Foreign Resident"** – As defined in the Order.
* **"Know Your Customer Process"** – Per Section 2 of the Order.
* **"Symbolic Bank Transfer"** – A verification process where the service provider receives an exact amount of funds from the service recipient's bank account.
* **"Online Identification"** – Procedures for identifying and verifying details via the methods in Section 6.
* **"Privacy Protection Law"** – The Privacy Protection Law, 5741-1981.
* **"Electronic Signature"** – As defined in the Electronic Signature Law, 5761-2001.
* **"Visual Conference Technology"** – Technology allowing real-time video and audio communication between two or more points, provided it is secure and encrypted.
* **"Visual Identification Technology"** – Technology based on video communication between the provider and recipient, which can be real-time interaction or non-real-time video recording.
* **"Online Identification Technology"** – Visual conference or visual identification technology used for online identification.
* **"Online Verification Technology"** – J5 technology, ADIB system, open banking, symbolic bank transfer, or alternative means approved by the Supervisor.
* **"J5 Transactions"** – A digital verification process where the provider ensures a match between the recipient's identifier (e.g., ID number) and the credit card number transmitted.
* **"Identification Document"** – One of: (a) ID card; (b) New immigrant certificate (up to 30 days from issuance); (c) Valid driver's license with photo; (d) Valid Israeli passport; (e) For foreign residents, a foreign passport or travel document.
* **"Service Recipient"** – (1) Individual resident; (2) Individual foreign resident; (3) Corporation registered in Israel; (4) Recognized entity.
* **"Technology Provider"** – The entity that developed the visual identification technology.
* **"ADIB Service"** – A digital verification process matching the recipient's identifier with the bank account number transferred to MASAV.
* **"Evidence Ordinance"** – The Evidence Ordinance [New Version], 5731-1971.

**2. Preliminary Conditions for Using Online Identification Technology**

A service provider may identify and verify a service recipient online subject to:

* **A. Risk Assessment:** Identifying and assessing ML/TF risks, implementing a mitigation plan, and distinguishing between individual and non-individual recipients. Understanding the "Level of Assurance" (LoA) and setting minimum technological thresholds.
* **B. Policy Establishment:** Establishing an Online Identification Policy covering service characteristics, risks, controls, technical requirements (quality of audio/video), data security, and resource allocation.
* **C. Expert Opinion:** For visual identification technology, submitting an independent expert opinion per the Evidence Ordinance.
* **D. Chair Approval:** Obtaining approval from the Chair of the Authority.

**3. Board Responsibility**

The Board must:

* Evaluate the effectiveness of the risk assessment annually.
* Approve the use of online identification and the specific technology in advance.
* Approve the policy at least every two years.
* Ensure implementation and effectiveness.
* Ensure relevant employees are aware of the policy and that work procedures are set.
* Establish required reporting (including immediate reporting of material failures).
* Appoint an Internal Auditor and an Online Identification Officer.

**4. Online Identification Officer**

The provider shall appoint an officer (either the AML Officer or a member of management) who is independent and authorized. Responsibilities include advising the Board, reporting on tech usage, monitoring developments, and ensuring procedures for employee recruitment and technical quality (resolution, lighting, etc.) are followed.

**5. Internal Audit**

The auditor shall perform independent exams of compliance and the effectiveness of risk management in online identification.

**6. Online Identification Procedures**

The provider may perform identification per Sections 7 or 8.

**7. Visual Conference Technology (Video Conference)**

* A. Identification based on an ID document bearing name, ID number, and date of birth.
* B. Recipient sends a copy of the ID via email or other electronic means.
* C. Provider identifies the recipient via real-time video conference based on the ID shown.
* D. Provider matches the live face with the photo on the sent ID.
* E. Provider verifies details against the Population Registry or via online verification technology.
* F. Conference is recorded and saved, including the name of the representative.

**8. Visual Identification Technology**

* A. Identification based on an ID document presented via the technology.
* B. Provider verifies the authenticity of the document (security features, consistency).
* C. ID number field is populated automatically by the technology (no manual entry by customer if verification is against the registry).
* D. Provider verifies the ID shown is the recipient's ID (matching the live photo with the ID photo).
* E. Verification of details against the registry or via online verification technology.
* F. Technical quality must allow high-certainty identification.
* G. Phone number verification via OTP.
* H. Inclusion of "Liveness Detection" (active or passive) to ensure a real person is present.
* I. Ongoing control via a "Control Procedure" (review by a representative) for high-risk accounts or a sample (at least 20%) of others.

**9. Occasional Service Recipient**

Registration can be done via Section 7 or 8 or online verification technology.

**10. Recognized Entity**

Online identification allowed per Section 7 or 8 after confirming the representative's authority via document.

**11. Corporation**

* A. Identify proxies per Section 6.
* B. Identification of the corporation based on electronically signed registration certificates or attorney certification.

**12. Declaration on Beneficial Owner/Controller**

Declarations can be signed online in a way that allows quality documentation of the signature and secure linkage. If acting for self, the provider documents a vocal declaration. If for a beneficial owner, the owner is also identified online.

**13. Third-Party Identification (Outsourcing)**

Allowed if the provider ensures the third party has the necessary technology and skills, follows the law (including Privacy Protection), and has a written agreement defining roles and responsibilities. The payment company remains fully responsible.

**14. Know Your Customer (KYC)**

KYC can be done via different tech, provided the provider ensures the person answering is the identified customer. Foreign residents identified online are marked for increased monitoring.

**15. Storage, Security, and Backup**

* A. Prevent data leakage.
* B. Keep digital copies of everything (video, scans, KYC).
* C. Store phone number, IMEI (if policy allows), and IP address securely.
* D. Data considered an "Identification Document" must be stored on secure servers with regular backups and no possibility of editing.
* E. Notify customers of biometric data collection and obtain consent.
* F. Create institutional records supported by legal opinions.

**16. Monitoring and Control**

Providers must consider face-to-face identification for high-risk recipients or suspicious behavior. They must implement monitoring for technological and business anomalies and track fraud trends.

**17. ISA Chair Approval**

Request for approval must include: tech provider details, tech description, independent expert opinion, CEO declaration of legal compliance, and a list of controls.

**18. Service Provider Obligations**

This directive concerns AML/CTF obligations. It does not reduce other legal obligations regarding risk management, impersonation, cyber events, or privacy.

---

### **Appendix A: Regulatory Impact Assessment (RIA)**

The Authority is required to conduct an RIA for new regulations. This report details the process of formulating the directive, public interests considered, and international reviews.

**General Background:** The Payment Services Regulation Law (2023) empowers the ISA to supervise non-banking payment providers. The goal is to encourage competition while protecting customers. Regulation is based on PSD2 and EMD.

**Need for Regulatory Intervention:** As payment companies are mostly digital and branchless, physical face-to-face identification is impossible. The ISA needs to establish alternative digital means that ensure identification reliability while mitigating ML/TF risks.

**International Review:**

* **EU:** EBA guidelines provide a framework for remote ID, risk mapping, and ongoing monitoring.
* **Germany (BaFin):** Allows real-time video identification with strict quality requirements. Also allows verification via bank transfer from an EU bank.
* **France:** Allows combinations of ID documents and verified digital providers.
* **Spain/Italy:** Focus on real-time video identification.
* **UK/Netherlands:** Adopt a more risk-based approach, giving companies more freedom in choosing methods as long as they manage risk.

**Alternatives Considered:**

1. **Alignment with current Israeli standards:** Requiring two ID documents and bank transfers. (Rejected as being too burdensome for digital-native companies and out of sync with international practice).
2. **Alignment with International Standards:** Requiring one ID document plus technological verification (e.g., liveness detection, registry check). (Selected as the preferred alternative).

**Selected Option:** Option 2 was chosen to provide a regulatory infrastructure adapted to payment companies, allowing them to serve populations without a second ID and aligning with European practices without compromising identification quality.

**Questions for Public Consultation:**

1. Views on using J5, ADIB, open banking, and symbolic transfers for verification. What are the risks (identity theft, privacy)? Are there other effective alternatives?
2. Alternatives to vocal declarations (Section 12) that ensure identity verification and provide sufficient evidence for legal proceedings.