Electronic Identity Verification (EIV) is becoming the go-to method for verifying customer identities. It’s faster, more secure, and can streamline compliance processes—but only if used correctly. Many businesses still struggle with understanding key requirements like matching sources, linking identities, handling failed verifications, and ensuring biometric verification is acceptable.
This article breaks down the five key aspects of EIV so you can stay compliant and avoid unnecessary roadblocks.
- Acceptable biometric verification methods
Biometric verification is a reliable way to match a person to their identity. But not all biometric methods are acceptable under AML/CFT rules.
What’s acceptable?
- Photographs matched to official identity documents (e.g., passport, driver’s licence).
- Iris or fingerprint recognition, as long as the data is from a reliable, independent electronic source.
- Personal information must be verified from a reliable and independent electronic source.
Biometric verification needs to be secure and trustworthy to meet compliance requirements.
- Two matching sources are essential (if not using biometrics)
If biometric verification isn’t used, your EIV process must include two independent and reliable data sources to verify identity.
Why it matters:
- Two separate electronic sources (e.g., drivers licence database and passport database) strengthen confidence in verification.
- These sources must match to confirm identity.
What’s required?
- Name: Must be verified by at least two independent sources.
- Date of birth: Can be verified by just one source (e.g., NZTA Driver Licence database).
Commonly used sources:
- DIA Confirmation Service (for name and date of birth)
- NZTA Driver Licence database
- Credit Bureau or Land Registry data
If you’re not using biometric verification, ensuring two independent, matching sources is non-negotiable.
- The linking requirement: proving someone is who they say they are
Even if identity details match, you still need to confirm that the person providing them is the actual individual.
How it works:
- Biometric verification automatically meets this requirement, as it uses physical traits to confirm identity and is considered highly secure.
- Without biometrics, you must take extra steps, such as requiring the first deposit to come from a New Zealand registered bank account in the customer’s name.
If biometrics aren’t in place, ensure you have alternative ways to prove someone is who they say they are.
- What to do when EIV fails
EIV failures happen—it’s part of the process. The key is knowing how to respond.
Steps to take:
- Escalate the issue: If verification fails, move to manual review.
- Use additional verification methods:
- Request certified copies of identity documents.
- Conduct face-to-face verification.
EIV failure isn’t the end of the road—it just means adding extra layers of security.
- Documenting your EIV process (why it matters)
Clear documentation of your EIV process isn’t just good practice—it’s a legal requirement under the AML/CFT Act.
What should you document?
- When you use EIV: Is it your default method, a backup, or for low-risk clients only?
- Your EIV provider and product: Which third-party provider do you use? Do you use different ones for NZ residents and overseas clients?
- Verification sources: List the electronic sources used to confirm name and date of birth.
- Record-keeping: Keep verification records for at least five years (AML/CFT requirement).
- What happens when verification fails: Outline your escalation and exception procedures.
Stay compliant & secure
Understanding and documenting your EIV process ensures compliance, improves efficiency, and strengthens security. Whether you’re using biometric verification, matching two sources, or dealing with failed verifications, having the right process in place protects your business and customers. Need help reviewing your EIV procedures? Strategi Compliance can assist – get in touch today!