
Managing Technology & Outsourced Providers
The information provided here is for general informational purposes only and is not intended to constitute legal or professional advice. It is provided 'as is' and should not be considered a substitute for a comprehensive review against the relevant laws and regulations as they apply to your company.
Bermuda Monetary Authority (BMA) Guidance Notes 2023
As companies in Bermuda increasingly rely on RegTech outsource providers for automated screening and E-ID verification tools, we understand that this puts you under scrutiny from the BMA to ensure those outsource providers are fit for purpose.
The 2023 Guidance Notes (specifically Chapter 4 on Customer Due Diligence and the Outsourcing Guidance) place strict liability on regulated companies when using RegTech. The use of services like Verify by Tiller is considered outsourcing, and we therefore understand the requirements set out in the BMA Guidance Notes 2023 that you must ensure we meet or exceed.
Outsourcing Assessment
To assist you with your outsourcing assessment, Tiller has provided a concise response to the relevant parts of the Guidance Notes:
Electronic Verification & Independent Data (Chapter 4, Section 4.26)
The BMA stipulates that when verifying identity electronically, you must rely on "reliable, independent source documents, data, or information." You are explicitly prohibited from relying on simple copies or data provided solely by the customer without independent validation.
How Verify by Tiller Exceeds This:
NFC Chip Authentication: Tiller does not just "look" at a photo of a passport (which can be edited). It uses Near Field Communication (NFC) to read the contactless chip inside the e-Passport and verify the issuing government's digital signature over the chip contents. This gives you access to tamper-evident document data written at issuance, including the original digital facial image of the individual.
Compliance Value: This draws on data from the source of origin (the issuing government), meeting the highest standard of "independence" under the Guidance Notes.
Document Verification: Verify by Tiller can validate over 3000 types of identity documents issued in over 180 countries, checking for authenticity and tampering. This satisfies the requirement for "verification" of presented forms of identification.
Residential Address Verification: Verify by Tiller can validate residential addresses in 50 different countries using electoral rolls, credit bureaus or utility company sources. This satisfies the requirement for "multi-source independent verification" of key information.
Digital ID & Liveness Detection (Chapter 4 - Alignment with FATF Digital ID Guidance)
The Guidance accepts non-face-to-face onboarding only if the process can mitigate the risk of impersonation. You must ensure the person presenting the ID is the person to whom it belongs (i.e., you must prevent "spoofing" with AI, static photos or video recordings).
How Verify by Tiller Exceeds This:
Biometric Liveness Checks: Tiller utilizes advanced passive liveness detection and analysis to confirm the user is a live human being and not a screen, mask, or deepfake. The system is ISO/IEC 30107-3 Level 2 (Presentation Attack Detection) certified by the iBeta Quality Assurance testing body.
1:1 Facial Matching: The platform algorithmically compares the "Live" selfie against the "Trusted" high-resolution image extracted from the government ID chip when available, or otherwise from the surface of the verified document.
Compliance Value: This provides a mathematical match score, removing the subjectivity of human review and providing the "audit trail of decision making" required by the BMA.
The Risk-Based Approach (Chapter 4, Section 4.59 - Enhanced Due Diligence)
The BMA mandates that CDD cannot be "one size fits all." You must apply Enhanced Due Diligence (EDD) to higher-risk clients (e.g., non-residents, PEPs). A system that runs the same check on everyone is non-compliant.
How Verify by Tiller Exceeds This:
Configurable Workflows: Tiller allows you to build distinct "Risk Journeys": a "Low Risk" journey where applicable and a separate "High Risk" journey in which, for example, additional proof of address or Source of Funds prompts are required.
Compliance Value: This demonstrates to the regulator that you are actively applying the Risk-Based Approach at the point of onboarding, rather than as an afterthought.
Outsourcing & Governance (BMA Outsourcing Guidance Notes / POCR Regulation 19)
When outsourcing a "Material Function" (like KYC), you must retain ultimate responsibility. You must have "unrestricted access" to the data and ensure the vendor meets your security standards.
How Verify by Tiller Exceeds This:
Highest Security Standards: Tiller meets or exceeds industry standards for information security. All the information to evidence this is available in our Trust Centre security documentation which is freely available to you for review as part of your "Vendor Due Diligence".
Data Sovereignty & Portability: The platform allows for the export of a fully compiled "KYC Client Report" as a PDF document, including all information and images captured and the results of screening and validation checks. Any additional documents uploaded by the customer can also be downloaded. In addition, all of this information is also available via our API for digital retrieval and injection into your CRM platform or other systems.
Compliance Value: If you ever leave Tiller, you retain the data. This prevents "Vendor Lock-in" risks, which is a key concern in the BMA’s Operational Resilience consultation.
Audit Trail: Every action (document upload, verification check, or approval click) is recorded and tracked. This allows the MLRO to reconstruct the entire onboarding event at any time later during an audit.
Ongoing Monitoring of Sanctions & PEPs (Chapter 9 / Regulation 12)
Screening is not a one-off event. You must screen your customer base daily against updates to the UK Consolidated List (Sanctions) and changes in PEP status.
How Verify by Tiller Exceeds This:
Daily "Delta" Screening: Tiller can automatically re-screen your entire book of business every night. We screen not just against the UK Consolidated List (Sanctions) but against hundreds of sanctions lists, PEP data sources and enforcement data sources, along with Adverse Media if required.
False Positive Reduction: The system uses "fuzzy logic" matching, which can be tuned to your required match confidence level to filter out irrelevant noise.
Compliance Value: This ensures you exceed the strict liability standard of the International Sanctions Regulations 2013 without needing to hire an army of analysts to manually check names every morning.
Other Typical Questions
Category 1: Electronic Identification (E-ID) & Verification
The BMA Guidance Notes (Chapter 4) state we must use "reliable, independent source documents." How does Tiller meet this without seeing the physical passport?
The BMA requires that data comes from a source that cannot be easily forged. Verify by Tiller uses NFC (Near Field Communication) technology to access the cryptographic chip embedded in e-Passports. The data on the chip is digitally signed by the issuing government: the signing certificate chains up to that country's "Country Signing Certificate Authority" (CSCA). By validating this digital signature, Tiller accesses the most independent and reliable source possible, the government itself, exceeding the reliability of a human looking at a physical page.
We are concerned about "spoofing" in non-face-to-face onboarding. What does the BMA require regarding "Liveness"?
The 2023 Guidance aligns with FATF standards, requiring mechanisms to ensure the person is "live" and not using a presentation attack (masks, photos of screens). Verify by Tiller utilizes advanced biometric liveness detection. Its passive liveness detection and analysis of micro-movements confirm that the user is a live human being, and not a screen, mask or deepfake, at the moment of capture, directly satisfying the BMA's anti-impersonation requirements. The system is ISO/IEC 30107-3 Level 2 (Presentation Attack Detection) certified by the iBeta Quality Assurance testing body.
Can we rely on Tiller’s results, or do we still need to collect "Certified Copies" of documents?
Under the 2023 Guidance, if an E-ID system meets the criteria for independence and security (which Tiller does via NFC and Biometrics), it effectively replaces the need for traditional "Certified Copies" for standard risk clients. Tiller creates a digital audit trail that serves as the "certification" of the data's authenticity, streamlining the customer experience without compromising regulatory standards.
Category 2: Screening (Sanctions, PEPs, Adverse Media)
The BMA requires us to screen against the UK Consolidated List. Which lists does Tiller check?
Verify by Tiller aggregates data from major global watchlists, including the UK OFSI Consolidated List (mandatory in Bermuda), the UN Security Council list, EU lists, and US OFAC lists. This ensures that a Bermuda entity is compliant with both local Overseas Territories Orders and international best practices.
How does Tiller handle the "Ongoing Monitoring" requirement (Chapter 9) for Sanctions?
A one-time check at onboarding is insufficient. Verify by Tiller performs automated daily monitoring (delta screening). If a client you onboarded three years ago is added to a sanctions list tonight, Tiller will raise an alert the next morning, allowing your MLRO to freeze assets immediately and report to the Financial Intelligence Agency (FIA) as required by law.
Does Tiller help us distinguish between a "Foreign PEP" and a "Domestic PEP" as per BMA definitions?
Yes. The screening database categorizes Politically Exposed Persons (PEPs) by jurisdiction and role. This allows you to apply the correct level of Enhanced Due Diligence (EDD). For example, you can route a "Foreign PEP" for Senior Management Approval, a specific requirement under Regulation 11 of the POCR.
The BMA warns against poorly tuned "fuzzy matching" that either floods analysts with false positives or misses genuine matches. Can we tune Tiller?
Absolutely. "Black box" screening is a regulatory risk. Verify by Tiller allows you to configure the "Fuzzy Logic" matching thresholds or switch fuzzy matching off completely (exact matching only). This allows your firm to define its own risk appetite and justify to the BMA why specific parameters were chosen to balance false positives against missed matches.
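To make the tuning trade-off described in the "Ongoing Monitoring" section and in the two screening answers above concrete, here is an added illustration of the mechanics behind fuzzy watchlist matching and nightly "delta" re-screening. It is example code written for this page, not Tiller's own implementation, and every name, list identifier and customer record in it is constructed; the similarity score (difflib's ratio over normalised names) and the threshold values are assumptions chosen for the illustration.

```python
# Added illustration of watchlist screening mechanics (not Tiller's code).
# Shows (1) name normalisation + fuzzy scoring with a tunable threshold and
# (2) nightly "delta" re-screening that only alerts on hits not seen before.
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample watchlist; the names and identifiers are invented.
WATCHLIST = [
    {"id": "SAN-001", "name": "Jane Example", "aliases": []},
    {"id": "SAN-002", "name": "Mohammed Al-Rashid", "aliases": ["Mohamed Alrashid"]},
]

# Constructed customer book keyed by an internal customer id.
CUSTOMERS = {
    "C001": "Mohammad Al Rashid",   # transliteration variant of SAN-002
    "C002": "John Smith",           # unrelated to any list entry
    "C003": "Al Rashid, Mohammed",  # same tokens as SAN-002, different order
}


def normalise(name):
    """Fold accents and case, drop punctuation, sort tokens so 'Doe, John' == 'John Doe'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[a-z0-9]+", folded.lower())))


def similarity(a, b):
    """Similarity in [0, 1] between two names after normalisation (difflib ratio)."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def screen(customer_name, watchlist, threshold, fuzzy=True):
    """Return list entries the customer hits. fuzzy=False is exact-match-only screening."""
    hits = []
    for entry in watchlist:
        best, best_alias = 0.0, None
        for alias in [entry["name"], *entry["aliases"]]:
            if fuzzy:
                score = similarity(customer_name, alias)
            else:
                score = 1.0 if normalise(customer_name) == normalise(alias) else 0.0
            if score > best:
                best, best_alias = score, alias
        if best >= threshold:
            hits.append({"list_id": entry["id"], "matched_alias": best_alias, "score": round(best, 3)})
    return hits


def delta_screen(customers, watchlist, previous_hits, threshold):
    """Re-screen the whole book; return (today's hits per customer, alerts new since previous_hits)."""
    todays_hits = {}
    new_alerts = []
    for cid, name in customers.items():
        hits = screen(name, watchlist, threshold)
        todays_hits[cid] = {h["list_id"] for h in hits}
        for h in hits:
            if h["list_id"] not in previous_hits.get(cid, set()):
                new_alerts.append((cid, h["list_id"], h["score"]))
    return todays_hits, new_alerts


def threshold_sweep(customer_name, watchlist, thresholds):
    """Number of list entries one name hits at each threshold: the false positive / miss trade-off."""
    return {t: len(screen(customer_name, watchlist, t)) for t in thresholds}


if __name__ == "__main__":
    # Night 1: SAN-002 has just been added to the list and nobody was hit yesterday.
    hits, alerts = delta_screen(CUSTOMERS, WATCHLIST, previous_hits={}, threshold=0.85)
    print("new alerts:", alerts)               # C001 and C003 against SAN-002; C002 is clean
    # Night 2: same list, yesterday's hits carried forward, so nothing new reaches the MLRO.
    _, alerts_next = delta_screen(CUSTOMERS, WATCHLIST, previous_hits=hits, threshold=0.85)
    print("new alerts next night:", alerts_next)  # []
    # The same variant spelling is a hit at 0.85 but a miss at 0.95 or with exact matching only.
    print(threshold_sweep("Mohammad Al Rashid", WATCHLIST, [0.5, 0.85, 0.95, 1.0]))
```

The point of the sweep is the one the answers above make: "Mohammad Al Rashid" scores about 0.94 against "Mohammed Al-Rashid", so a threshold of 0.85 catches it while exact matching or a 0.95 threshold silently misses it, and the threshold you choose is exactly the parameter you would document for the regulator. The delta step is what keeps a nightly full re-screen from re-presenting yesterday's already-dismissed matches.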
Category 3: Risk Assessment & Governance
Can Tiller automate our "Customer Risk Assessment" required by Regulation 16?
While the final decision rests with the firm, Verify by Tiller facilitates the assessment. A Risk Engine will shortly be added to the platform, allowing you to build "Risk Scoring" rules that score clients on various factors (e.g., Nationality, Region, SoW, SoF). The system can suggest a risk rating based on your pre-configured rules, ensuring consistency across your entire client base, a key factor BMA auditors look for.
How does Tiller support our obligation to understand the "Source of Wealth"?
For some clients, simply knowing the "Source of Funds" is not enough. Verify by Tiller includes dynamic questionnaires that can specifically ask for SoW details and prompt the upload of evidence (e.g., share certificates, property sale deeds) directly within the secure onboarding flow.
The BMA Outsourcing Guidance requires us to have an "Exit Strategy." What happens to our data if we leave Tiller?
You are never locked in. Verify by Tiller allows you to export your data and compliance reports. This "Data Portability" ensures you meet the BMA’s Operational Resilience standards, proving you can retrieve your regulatory records even if you switch providers.
Category 4: Record Keeping & Data Privacy (PIPA)
Under PIPA and POCR Regulation 15, we must keep records for 5 years. Does Tiller store this?
Verify by Tiller should not be treated as your digital archive; that should be your CRM or Client Lifecycle platform. Verify does, however, provide all identification data, screening results and decisions in a form (the full "KYC Pack") that you can store for the required 5 years, ready for a BMA onsite inspection or an FIA information request.
Is Tiller compliant with the Personal Information Protection Act (PIPA) 2016?
Yes. Verify by Tiller is built with "Privacy by Design." Data is encrypted at rest and in transit. The platform supports your PIPA obligations by providing tools to manage data subject rights and by ensuring data is only accessible to authorized compliance staff (Access Control), mitigating the risk of internal data breaches.
How does Tiller help us demonstrate "Senior Management Oversight" to the BMA?
The platform provides high-level dashboards and reporting metrics. You can view real-time data on onboarding status, the number of referrals, and pending PEP approvals. This empowers Management to make data-driven decisions and proves they are actively overseeing the compliance function, not just rubber-stamping it.
Does the system provide an audit trail for the MLRO's decisions?
Yes. This is important for BMA audits. Every document upload, dismissal of a false positive sanctions match, or PEP approval is logged. This prevents the "he said, she said" problem and proves exactly who made a compliance decision and when.