JFSC requires risk assessments on technology e.g. EIDV

The JFSC AML/CFT/CPF Handbook (and the underlying Money Laundering (Jersey) Order 2008) does require

• Specific risk assessments when a firm adopts EIDV (Electronic Identity Verification, also called E-ID or electronic identification) and,
• More broadly, when adopting new or developing technologies for AML/CFT/CPF purposes.

This is not a generic “tick-box” exercise —

• It is a mandatory, documented assessment that must be done before the firm starts using the technology in its customer due diligence (CDD) processes.
• It feeds into the firm’s overall Business Risk Assessment (BRA) and systems/controls.

1. General Requirement for Any New/Developing Technology (including EIDV)

Article 11 of the Money Laundering (Jersey) Order 2008 requires every relevant person (supervised firm) to have policies and procedures for the identification and assessment of risks that arise from the use of new or developing technologies for new or existing products/services.

This is amplified in the AML/CFT/CPF Handbook (Section 2 – Corporate Governance / Business Risk Assessment and Section 4 – Identification Measures).

When technology forms part of delivery channels, CDD, transaction monitoring, screening, etc., the firm must:

• Identify and assess the ML/TF/PF risks the technology introduces.
• Document those risks.
• Put in place appropriate mitigation (and record it).
• Keep the assessment under review.

The JFSC’s separate Financial Crime and Regulatory Technology Guide (published to encourage safe tech adoption) reinforces this:

• Firms must “interrogate, assess, understand and document any limitations of the RegTech solutions they use, and document the mitigative measures that the firm puts in place to effectively manage risk.”

2. Specific Requirement for EIDV / Electronic Identification (E-ID)

The Handbook has dedicated guidance (historically in Section 4.3.5 “Use of electronic identification (E-ID)”) because EIDV is typically used for non-face-to-face customer onboarding — which automatically triggers higher risk considerations under Article 15(3) of the Order.

When deciding whether to incorporate a particular E-ID application/tool into your CDD processes, the Board/senior management must carry out and record a risk assessment that covers all of the following (this is an AML/CFT Code of Practice obligation):

• The risks involved in the use of the E-ID application itself (e.g. tampering/forgery of documents, alteration of images during capture/transmission, use of stolen/unauthorised documents).
• The risks involved in outsourcing any part of the CDD process to a third-party provider of the E-ID tool.
• Whether the features of the E-ID application effectively mitigate the identified risks (e.g. high-resolution imaging, biometric matching, liveness detection, secure transmission, real-time checks against independent data sources).
• Any additional measures the firm must apply to manage any residual risks.
• Application of enhanced CDD (on a risk-sensitive basis) because the customer is not physically present.

Important practical points:

• This is a one-time (or periodic) assessment of the tool, not something you do for every customer.
• Each E-ID application must be assessed on its own merits — you cannot rely on a generic “all EIDV is fine” assessment.
• The assessment must be documented and available for JFSC examination.
• If the E-ID tool only handles part of CDD, the firm must still apply the remaining identification/verification measures through its existing systems/controls.

3. How This Fits Into the Wider Risk Framework

• The EIDV/technology risk assessment feeds into the firm’s Business Risk Assessment (BRA) (Section 2 of the Handbook).
• The BRA must consider technology and delivery channels as part of the firm’s overall ML/TF/PF exposure.
• It also links to outsourcing policies (Section 2.4.4) and ongoing monitoring/testing of systems/controls.
• The JFSC expects the Board to understand and sign off on these risks — it cannot be left solely to the MLCO or operations team.

Why Does the JFSC Require This?

• Remote/digital onboarding (especially EIDV) can be very effective and lower certain risks (e.g. speed, accuracy via biometrics), but it also introduces new risks (deepfakes, synthetic identity fraud, data interception, algorithmic bias, etc.).
• The regulator wants firms to prove they have actively considered and mitigated those risks rather than simply buying a vendor solution and assuming it is compliant.

Where to Find the Exact Text

• Core E-ID risk assessment rules → AML/CFT Handbook Section 4 (Identification Measures) and the dedicated E-ID guidance PDFs on the JFSC website.
• General new-technology risk requirement → Article 11 Money Laundering Order + Handbook Section 2.
• Practical examples and “what good looks like” → JFSC Financial Crime and Regulatory Technology Guide (freely available on the JFSC site).

NOTE

• If your firm is adopting (or already uses) any EIDV platform or other AML tech (biometrics, automated screening, transaction monitoring AI, etc.), you should have a documented risk assessment on file that meets the points above.
• The JFSC will test this during examinations.

SOURCES

1. Core Legal Requirement (Article 11 – New/Developing Technologies)

• Money Laundering (Jersey) Order 2008 (consolidated current version) Direct link: https://www.jerseylaw.je/laws/current/ro_20_2008 What it covers: Article 11 – mandatory policies & procedures for identifying and assessing risks from new or developing technologies (including EIDV) before use. This is the primary legal obligation.

2. AML/CFT/CPF Handbook – Main Page & Full Consolidated Version

• AML/CFT/CPF Handbook – Official landing page (all sections & downloads) Direct link: https://www.jerseyfsc.org/industry/financial-crime/amlcftcpf-handbooks/amlcftcpf-handbook/ What it covers: Full access to every section, tracked changes, and consolidated PDFs. This is your starting point.
• Consolidated AML/CFT/CPF Handbook (Sections 1–18, latest tracked version) Direct link: https://www.jerseyfsc.org/media/e1ldlytw/use-to-amend-20230831-hb-consolidated-sections-1-18-track-01072024-23012025.pdf What it covers: The complete Handbook in one file (includes Section 2 – Business Risk Assessment and Section 4 – Identification Measures).

3. Specific Sections You Need

• Section 2 – Corporate Governance / Business Risk Assessment (BRA) Direct link (clean version): https://www.jerseyfsc.org/media/obqpswku/section-2-clean-060126.pdf What it covers: How technology/EIDV risk assessments feed into the firm-wide BRA.
• Section 4 – Identification Measures (finding out identity & obtaining evidence) Direct link (current clean version): https://www.jerseyfsc.org/media/7126/section-4-clean-131023.pdf What it covers: Dedicated EIDV / Electronic Identification guidance (historically 4.3.5) – the specific risk assessment requirements for E-ID tools, non-face-to-face onboarding, features that must be assessed, outsourcing risks, residual risks, and enhanced CDD.
• Older dedicated E-ID Guidance Note (still useful reference) Direct link: https://www.jerseyfsc.org/media/5070/e-id-publish.pdf What it covers: Detailed standalone E-ID risk assessment points (now largely incorporated into Section 4).

4. JFSC Financial Crime and Regulatory Technology Guide

• Financial Crime and Regulatory Technology Guide (full PDF) Direct link: https://www.jerseyfsc.org/media/7281/financial-crime-and-regulatory-technology-guide.pdf Key quote (page relevant to your query): “A general feature is the benefit of firms interrogating, assessing, understanding and documenting any limitations of the RegTech solutions they use, and documenting the mitigative measures that the firm puts in place to effectively manage risk.” What it covers: Practical “what good looks like” for assessing any AML tech (including EIDV), limitations, mitigation, and how it links to the Handbook.

Quick Reference Summary for Your Use

• General new technology risk assessment → Article 11 of the Order + Handbook Section 2
• Specific EIDV / E-ID risk assessment → Handbook Section 4 (and the dedicated E-ID note)
• RegTech / technology limitations & mitigation → Financial Crime and Regulatory Technology Guide

All of these documents are freely available, kept up to date by the JFSC, and are exactly what examiners will check during visits.