The Monetary Authority of Macau (AMCM) claims it is the agency in charge of centralising the data being collected through the Know Your Customer (KYC) technology implemented in local Automated Teller Machines (ATMs) in early July, according to information provided by the Authority to Macau Business.
The new KYC technology entails facial recognition and identity card reading, in addition to PIN number verification, of Mainland China UnionPay (CUP) cardholders withdrawing money from local ATMs.
Regulations issued last year first decreed that CUP withdrawals in Macau were to be capped at MOP10,000 per day.
Later, in early December 2016, new regulations by the AMCM had it that the cap for each withdrawal would be limited to a maximum of MOP5,000 (US$621) and not exceeding MOP10,000 in daily transactions.
Overall, the cumulative annual cap for UnionPay cardholders is set at RMB100,000 (MOP119,135).
Consecutive tightening regulations, of which face recognition is but the latest, have been linked to efforts by the central Chinese Government to curb cash outflow as well as criminal activity such as money laundering.
AMCM informed Macau Business that as at the end of July, of a total of 1,250 ATMs operating in the city a thousand feature the new KYC function – an increase of 166 units from 834 on July 2, when the policy was enacted.
Plans announced by the Macau SAR Government last May conveyed the intention of having the function implemented in all of the city’s ATMs although authorities did not provide a target date for completion of the project.
Who knows your customer?
AMCM explained to Macau Business that local banks are required to comply with their guidelines and specifications for handling the personal data of CUP customers collected.
According to information provided by one of the local banking institutions which has implemented KYC technology in nearly half of the ATMs it operates as of early July ‘all customer data is sent directly to the Macau [Monetary] Authority for verification and is deleted from the bank’s system and storage.’
“We only collect the information, take the photo, and send them out to the authorities. It is not the bank’s function to verify them,” the spokesperson for the bank told Macau Business on the phone.
In tandem with information provided by the bank, AMCM said that at its request ‘the bank should immediately delete the relevant personal data after the transaction has been completed.’
In response to our questions, AMCM added that ‘the relevant cardholders can go through the normal cash withdrawal process after their respective identities are verified.’
‘AMCM is strengthening the monitoring of ATM cash withdrawals by Mainland bankcards by verifying the identity of cardholders through KYC techniques,’ the Authority added.
If AMCM is the one agency conducting the identity verification, then one would assume it ought to compare the data received from local financial institutions to a previously established database containing the relevant information.
Professor Jacky Yuk Chow So, Dean of Faculty of Business Administration at the University of Macau, agreed that AMCM should have access to a database with personal information of UnionPay cardholders from the Mainland in order to proceed with the authentication of customer identification through the KYC technology.
“My answer is that it is correct. In order to match the facial structure of customers, they have to have access to [such] database,” the professor told Macau Business.
But have they – and how is the verification actually proceeding?
Smile, you’re on camera
If authentication is being undertaken in Macau, local authorities might have access to the biometric record of CUP cardholders.
A Macau lawyer who works with matters of personal data protection opined, on the one hand, that it is very likely that local authorities have “real time access” to the UnionPay database in China.
“It wouldn’t make much sense to have the database of all China UnionPay customers, which may be dozens of millions of people, transferred here,” he suggested. That said, the lawyer added that it could also be that the authentication is being conducted “a posteriori.”
“Credit card technology, for instance, does not use real time authentication,” he explained.
The relevant authorities – namely, the AMCM and the Financial Intelligence Office (GIF) – could not clarify the ways in which the KYC function is operating in connection with financial institutions on the Mainland and the Chinese Government proper in spite of several requests from Macau Business.
Professor So argued that “in order to carry out the [KYC] regulation, AMCM has to work with the Chinese Government.”
And how is that being done?
“I don’t think they are using a cloud solution because it is not safe enough. Everybody can have access to it. It could be some other type of technology. But I cannot speculate because it becomes sensitive,” he commented.
UnionPay was unreachable for comment.
Thus, the question boils down to the location, access, and control of the biometric record at the core of the KYC solution which enables identity matching verification.
Database matrix
Based upon the statements provided above, a more hands-on problem concerns the technology itself.
Know Your Customer technology is a multi-factor authentication solution which combines biometric elements such as a person’s fingerprints and face and voice recognition to enable identity assessment and verification.
Essentially, the technique consists of sending the data to a server, where it is compared to information previously stored on a database, which may thus include the person’s facial geometric scan.
The solution’s main goal is to avoid fraudulent activity. One of the most familiar uses of facial recognition technology is passport and visa authentication controls.
As in e-passport and e-visa control routines at cross-border checkpoints, KYC systems linked to banking solutions operate through the comparison and detection of identity against a person’s biometric record, as well as data such as his or her name and PIN number.
If a non-match is detected, then a more thorough investigation can ensue.
If the personal data of CUP cardholders, including their facial images, are being “sent out to the AMCM,” as the spokesperson for the financial institution claimed earlier then it is likely that banks are merely ‘recording’ customers’ images, and not immediately verifying or authenticating them during each withdrawal transaction in local ATMs – an action that should then fall under the purview of the monetary authority itself.
In any case, if the CUP database is here or shared by Mainland China, verification would imply that all CUP customers have had their face previously scanned – “perhaps when they have signed up for the card or after the policy was implemented,” the local lawyer suggested – and the images stored in a biometric record to enable the technology to operate.
Central calling
Aiming at curbing criminal activity such as money laundering and the financing of terrorism, the use of KYC technology in banking transactions involves other authorities, both local and national.
In addition to the matter of personal data regarding Mainland customers, there is the political framework binding the whole scheme under the ‘One country, two systems’ formula, and the question of autonomy that follows.
Who has rights to control what?
On the one hand, as AMCM explained to Macau Business, ‘the bank should immediately delete the relevant personal data after the transaction has been completed’ at the request of the Authority.
On the other hand, the lawyer who spoke to us explained that the personal data of CUP cardholders concern the relevant Chinese authorities and bank institutions on the Mainland.
“These are clients from China, which means they have probably authorised the collection of data on the Mainland,” he claimed.
According to AMCM, ‘the cardholder of the Mainland bank card expressly agrees to carry out the withdrawal operation as usual by presenting the Mainland ID card and taking [photos] and confirming the identity information through face recognition.’
To ‘expressly agree’ in this case could be a term of consent or authorisation.
“The difference is that consent is presumed; that is, it does not require previous authorisation, whereas authorisation cannot be assumed. UnionPay clients concerned with KYC is probably a case of consent,” the lawyer argued.
According to the information provided above, AMCM claims that the personal data of CUP customers collected during transactions in local ATMs are being centralised within the local monetary authority proper.
Assuming it is not China which is processing authentication, at what moment does it get involved?
Where do you go to, my lovely?
Contacted by Macau Business, the Office for the Protection of Personal Data (GPDP) said it ‘has been closely monitoring the situation’ following the implementation of KYC technology, although it also claimed that ‘the concrete operations of the KYC are not within GPDP’s legal competence.’
The Office spokesperson added that ‘as long as [GPDP is] an organisation that processes personal data, it should fulfill the legal requirements laid down by the Personal Data Protection Act (PDPA) in order to safeguard the involved personal data.’
According to the PDPA (Law no. 8/2005), the transfer of personal data to an entity outside Macau – in this case Mainland China – has first to be approved by the relevant office.
Moreover, GPDP told Macau Business, ‘under Article 43 of the Basic Law of Macau, persons in the Macao [SAR] other than Macao residents shall, in accordance with the law, enjoy the rights and freedoms of Macao residents prescribed in this Chapter.’
According to GIF, only when suspicious transactions related to money laundering or the financing of terrorist activities ‘are detected’ will financial institutions report such suspicious transactions to the Office ‘with relevant supporting customer information.’
GIF was established in 2006 with the primary role of collecting, analysing and disseminating information on transactions suspected of involving money laundering and the financing of terrorism, as well as establishing international co-operation on such matters, according to information provided by the Office.
Currently, some 20 Memoranda of Understanding (MoU) have been signed with foreign counterparts in order to share financial intelligence in relation to the aforementioned criminal activities.
The one with China’s counterpart – known as the China Anti-Money Laundering Monitoring & Analysis Centre – was signed in May 2008.
KYC regulations were published in the Official Gazette on June 28, 2017, a few days prior to the launch of the scheme in Macau.
‘Upon analysing the [reports], if there is any indication of money laundering or the financing of terrorism, or other predicate offence related to [the latter], according to the framework of the MoU, GIF will share the information with the foreign counterpart concerned in order to combat [such] activities,’ GIF explained.
UnionPay
According to the company, CUP cards were first introduced in Macau in September 2004. Currently, the company claims that some 6,257 Point of Sale (POS) terminals and 459 ATMs – distributed in major tourist and shopping areas of the city – accept the CUP card.
According to previous reports, Macau’s Judiciary Police estimate that unauthorised transactions linked to CUP transactions had reached some MOP4.99 billion (US$609.25 million) in 2016.
