Author: Paul Curwell

Introduction

On Friday 28th February 2020, Dan Oaks and Jeremy Story Carter of the Australian Broadcasting Corporation (ABC News) reported again on the issue of director registration in Australia. Whilst this recent article was presumably triggered largely by most recent sitting of the Parliamentary Joint Committee on Corporations and Financial Services on the same date, the official hansard for the previous sitting date of 19 November 2019 is now available. In the hansard, Senator Whish-Wilson asks a number of questions about ASIC’s director registration process of Commissioner John Price. Commissioner Price’s responds to the Senator’s questions as follows:

According to an excellent report prepared by the World Bank Stolen Assets Recovery Initiative (STAR) called “The Puppet Masters“, company registers have a four-fold function (van der Does de Willebois et al, 2011, p69):

• To record the establishment of a new legal entity (typically an incorporated entity and not a trust, foundation, partnership or other unincorporated vehicle),
• To capture any information required by law,
• To keep the registry up to date (with limitations, as highlighted by Oaks and Story Carter, such as how a director’s appointment might be backdated), and,
• To make certain information available to the public.

“Elvis Presley, Homer Simpson and Bob Marley could be installed as Australian company directors, ASIC admits”

Dan Oaks and Jeremy Story Carter, ABC News, Friday 28 February 2020.

While it might be tempting to think this is a uniquely Australian problem, the identification of directors in company registers is part of a global issue, as reported by the Tax Justice Network in relation to the 2019 Financial Action Task Force (FATF) report on Beneficial Ownership.

How has this problem arisen? Why do we find ourselves here?

In order to understand why we find ourselves at this juncture, we must first understand how company registers are used today. As part of global trade and commerce and increasing risk and regulation, as a society we are increasingly required to rely on the content of company registers for processes including Anti-Money Laundering / Counter Terrorist Financing (AML/CTF), credit risk, supplier vetting or end user verification, identifying employee conflicts of interest, anti-corruption and economic & trade sanctions enforcement, which contrasts with the original intended purpose of company registers as outlined in the Puppet Masters report. Interestingly, in some countries company registers have even been privatised. At the most basic level, there is a fundamental issue with the way most company registers operate:

As a professional, I use the information held in company registers almost every day, however I recognise this is only a starting point for any inquiry and that it has not been verified. I frequently come across other professionals who do not understand the concept of identity or the origins of company registers generally. Many individuals seek to place reliance upon company registers for processes that need to be legally defensible, such as with regulatory compliance. However, this perspective does nothing for risk scenarios such as fraud or credit risk, where the consumer of that information may suffer a loss or become a victim as a result of placing reliance upon that information without performing further due diligence. In these scenarios, caveat emptor again applies when consuming company register information:

So what can be done about this problem?

So, now we understand how company registries have evolved from limited historical use to becoming a foundational element of many commercial processes today. And we understand the functions of a company register, the fact that some are even privatised, that company registers are actually quite limited in terms of their coverage of the universe of legal entity types in a given jurisdiction (i.e. typically incorporated only), and that verification of information provided by the company is the exception rather than the rule (although to be fair, if you are caught and it can be proven you provided false information, you may often be prosecuted).

ASIC talks about implementing some sort of unique numbering system for company directors in Hansard but a simple starting point might be adapting existing standard Australian identification and verification processes and simply bolt these on to existing ASIC processes, along with a reconciliation of current director data against government information holdings to identify current offenders.

The nuts and bolts of a standard Identification and Verification Process in Australia

About 14 years ago, my first assignment on joining the consulting firm Booz Allen Hamilton was as an adviser on Identity Crime and Identity Security to the Howard Government’s now withdrawn ‘Access Card‘ program run by the Department of Human Services. I had joined Booz Allen from another consulting firm, where I worked on a project with the Chief Internal Auditor of Centrelink to review their Identity Fraud programs. Since then, the concept of identity has evolved substantially but the concepts remain the same.

Any identification process, whether of legal entities or individuals, involves a two-stage process:

• Identity Validation – this step seeks to answer the question ‘does the identity exist’, and is achieved by taking the biographical (and potentially biometric) attributes for a claimed identity and comparing them to the relevant official government register to ensure the identity is not fictitious or invented.
• Identity Verification – is the second step in any identification process, which seeks to answer ‘is the person claiming the identity actually the true owner of that identity’

The process of Identity Verification aims to conclusively tie the person or legal entity claiming that identity to (1) something they know, such as a password or date of birth, (2) something they have, such as a passport, official document or RSA SecureID token, or (3) something they are, which is a biometric identifier including a fingerprint or iris scan.

To simplify the application of identification concepts in an Australian context, where there is no single identity credential (such as a national identity card), the National Identity Proofing Guidelines have evolved to encompass five distinct steps (Commonwealth of Australia, 2016):

• Objective 1: Confirm uniqueness of the identity in the intended context to ensure that individuals can be distinguished from one another and that the right service is delivered to the right individual.
• Objective 2: Confirm the claimed identity is legitimate to ensure the identity has not been fraudulently created (i.e. the identity is that of a real person) through evidence of commencement of identity in Australia.
• Objective 3: Confirm the operation of the identity in the community over time to provide additional confidence that an identity is legitimate in that it is being used in the community (including online where appropriate).
• Objective 4: Confirm the linkage between the identity and the person claiming the identity to provide confidence that the identity confirmed through objectives 2 and 3 is not only legitimate, but that the person claiming the identity is its legitimate holder.
• Objective 5: Confirm the identity is not known to be used fraudulently to provide additional confidence that a fraudulent (either fictitious or stolen) identity is not being used.

Tools for Automated Identification & Verification (IDV) in Australia

In Australia, we have the Document Verification Service (DVS) which was setup in 2009 and is now managed by the Australian Government’s Department of Home Affairs, to help streamline the Identification and Verification (IDV) process. By typing the details of an official document, such as the Biographical Data Page of an Australian Passport into the DVS portal, users receive an automated ‘yes’ (match) or ‘no’ (no match) result based on the comparison of document identifiers against the Issuer’s (Issuing Government Department) records. Note that this service does not actually verify the person holding the identity document is who they actually claim to be (i.e. it does not verify biometrics, such as comparing a photo of the holder with the person presenting the passport for a service). However, there is a second element to DVS, the Face Verification Service, which recently started coming online for selected government agencies.

The challenge of identifying foreign nationals

As a global citizen, Australia allows foreign nationals (i.e. those individuals without Australian Citizenship, Permanent Residency or a long term visa) to operate a business in Australia. Whilst some countries have a residency requirement for company directors (e.g. Singapore), this does not apply in Australia. This means that it is quite conceivable that the director of a company will be from overseas. Conducting IDV for foreign nationals can be a challenge. Contrary to popular belief, there is no ‘global database’ of all people in the world, and most countries do not share wholesale databases of their citizens with other countries (even friendly ones). This means that when you try to check that a foreign passport is legitimate, you cannot use DVS (the record is not held there).

Aside from sighting the identification documents of the foreign national to see if they appear real (e.g. do an initial check of the passport), there are only two options for validating and verifying a foreign identity:

• Verify the visa details, which involves entering the holder’s name and passport details into the Immigration Department’s VEVO platform to obtain a ‘match’ or ‘no match’ for the records (which can also be verified via the DVS platform), or,
• Verify the individuals identity information against a database or service similar to DVS but operated by the foreign national’s government (e.g. Singapore, for a Singaporean Citizen).

This second option is much more complicated and may be subject to restrictions on privacy, IP address geoblocking, and other challenges. The challenge with the VEVO option is that the person’s details may not be in the system if they don’t hold the right visa, or if they haven’t notified Immigration of things like a new passport number. Unfortunately, an exceptions process is still required at this time for cases where IDV cannot be easily automated through platforms such as DVS.

The promise of a trusted digital identity – an ideal solution for verifying Company Directors in Australia?

Aside from political resolve to increase transparency, addressing the problem of company director aliases could be relatively simple through the use of emerging Digital Identity technology, which could be easily integrated into any online ASIC application for Australian citizens and permanent residents. Whilst some IDV workarounds would initially be required for foreign nationals who are Australian company directors, as other countries bring their Digital Identification solutions online they could also be linked to ASIC’ processes, thereby avoiding the issue I flagged with DVS above in that it only works with people who already have a strong nexus to Australia.

Digital Identification is one technological innovation with real promise, especially since the need to identify someone is only increasing in society today. I was privileged enough to consult a few years ago on product fraud and security risk to a company which develops Digital Identity products, giving me real insight into the benefits and utility of the solution for a whole range of applications, from obtaining credit to confirming the identity of a tradesperson before engaging them.

Digital Identity products work like a virtual identity credential in the online environment, however unlike traditional identity credentials such as a physical driver’s licence they can be verified with the Issuer of the identification credential and updated in real time. These products can even be designed in ways that increase the privacy of the user whilst also increasing the utility of the identity token; take, for example, where a digital identity might tell a user the holder is over 18 without disclosing their date of birth. Those who are interested can read more about how Australia’s Digital Identity ecosystem is being designed at the Digital Transformation Agency.

Further Reading

• Australian Government (2021). IDMatch identity matching services, a joint Australian, State and Territory Government initiative, www.idmatch.gov.au [accessed 28 February 2021]
• Commonwealth of Australia (2016). National Identity Proofing Guidelines, Identity Security, Attorney General’s Department, www.homeaffairs.gov.au [accessed 28 February 2021].
• Commonwealth of Australia (2019). Oversight of the Australian Securities and Investments Commission and The Takeovers Panel, Parliamentary Joint Committee on Corporations and Financial Services, Official Committee Hansard, Tuesday 19 November 2019.
• Curwell, P. (2021). End User Verification, https://forewarnedblog.com/2021/02/07/end-user-verification/
• Digital Transformation Agency (n.d.). Trusted Digital Identity Framework, Australian Government, www.dta.gov.au
• Knobel, A. (2019). FATF beneficial ownership report reveals cutting-edge verification processes, hesitates to endorse public registries. Tax Justice Network. https://www.taxjustice.net/2019/11/27/fatf-beneficial-ownership-report-reveals-cutting-edge-verification-processes-hesitates-to-endorse-public-registries/
• Oaks, D. and Story Carter, J. (2020). Elvis Presley, Homer Simpson and Bob Marley could be installed as Australian company directors, ASIC admits. 28 February 2020, www.abc.net.au
• van der Does de Willebois, E., Halter, E.M, Harrison, R.A., Park, J.W, and Sharman, J.C. (2011). The Puppet Masters: How the Corrupt Use Legal Structures to Hide Stolen Assets and What to Do About It, Stolen Assets Recovery Initiative, The World Bank and United Nations Office of Drugs and Crime, Washington D.C. https://star.worldbank.org/

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.