Guernsey’s AML Handbook Update

Published on Jul 13, 2026

Guernsey’s AML Handbook Update: What Firms Need to Know About Technology-Enabled CDD 

The Guernsey Financial Services Commission (GFSC) has updated sections of the Handbook on Countering Financial Crime (AML/CFT/CPF) to give Guernsey firms clearer guidance on the use of technology in financial-crime compliance. 

The update sits within the Commission’s Digital Finance Initiative, a GFSC programme designed to support the positioning of the Bailiwick of Guernsey as a trusted, agile and forward-thinking jurisdiction for digital financial innovation.  

In that wider context, the revised AML/CFT/CPF guidance is designed to provide clarity, reduce uncertainty and encourage firms to consider appropriate technological solutions that can improve the effectiveness and efficiency of financial-crime controls. In practical terms, the update gives clearer direction on commonly used tools such as electronic verification systems and digital signatures, particularly in areas including onboarding, monitoring and record keeping. 

The update clarifies how technology can sit inside existing AML/CFT/CPF obligations. For firms evaluating technology-led CDD and financial-crime platforms the revised guidance provides a clearer adoption framework.  

What has changed, and what is being clarified

The update does not create an entirely new technology regime. It clarifies where firms can use technology within existing AML/CFT/CPF obligations, while adding more detail in several important areas: 

A clearer regulatory stance on technology
The GFSC now expressly encourages firms to consider how developments in technology could help them comply with their obligations and streamline business processes. The revised guidance adopts a technology-neutral, positive stance toward solutions firms have assessed and deem appropriate. 

More practical guidance on assessing new technology. 
The GFSC has confirmed that firms were already expected to assess ML, TF and PF risks before adopting new or developing technologies. The update now gives firms more detail on what that assessment should cover, including how the technology will be used, the threats it may introduce, and the controls needed before deployment. 
 
Clearer conditions for electronic verification
Electronic verification can be used to verify all, or any combination, of the mandatory identity data points under Commission Rule 5.8. Firms must document what identity data is collected, what data sources are used and how the system assesses authenticity. Where the system does not complete all required checks, the firm must use another method to complete verification. 
 
New explicit focus on deepfakes and synthetic identities
Firms using electronic verification are now directed to consider how systems could be abused through AI-derived deepfakes or synthetic identities. They must also document the measures within the electronic verification system that address forged or tampered identification data, including manufactured audio-visual media used to create synthetic identities. 
 
Clearer recognition of electronic certification and digital signatures
The revised guidance expressly recognises electronic certification as an alternative to paper-based certification. Where the relevant requirements are met, electronically certified identification data is treated as equivalent to paper-based certification, and a digital signature in electronic form, or equivalent, can be as acceptable as a wet-ink or physical signature. 
 
New explicit examples of AI and analytics in CDD-related work
The update refers to electronic translation services including AI, AI-assisted identification of credible independent references for ECDD, blockchain analytics for source-of-funds or source-of-wealth work involving virtual assets, and AI-assisted searches of publicly available information where the information is obtained from a reliable public or private third-party source.

What the Update Means in Practice

1. Firms need to evidence the case for adopting new technology 
Before adopting and using a new or developing technology for a new or existing product, a firm must ensure its business risk assessments identify and assess the risks arising from that technology’s use or adoption. Examples include distributed ledger technology, virtual asset technology, electronic verification systems used to establish the identity of a natural person, and AI. That assessment must include, at a minimum, the ML, TF and PF risks and vulnerabilities inherent in using or adopting the technology. It must evaluate the technology itself, its anticipated use and the threats posed by that use before deployment. 

The GFSC has also clarified that the assessment does not need to be a highly technical report on system specifications. The purpose is to help the firm understand the technology, evaluate the ML, TF and PF risks arising from its use, and identify controls to limit exposure. 

What firms need to evidence: maintain a clear record for each material CDD or financial-crime tool. That record should explain what the technology does, what risks it introduces or reduces, which AML/CFT/CPF obligations it supports, what controls sit around it, and who approved its use. 
 

2. Implementation needs to be part of the compliance control framework 
Technology implementation is not only an IT or operations issue. The revised guidance says firms should plan how technology will be implemented, particularly where it integrates with existing systems, because poor implementation can create vulnerabilities in controls for preventing and detecting ML, TF and PF. Implementation plans should cover policies and procedures, data governance, user testing, management reporting, staff training, compliance testing, risk-based systems testing before and during deployment, resourcing and system upgrades. 

Where group technology is used, a Guernsey firm may rely on a group ML/TF/PF technology risk assessment only where that assessment considers the firm’s business and risk profile in sufficient detail. The firm should have a copy, and its board or senior managers should be familiar with it. 

What firms need to evidence: show how the technology changes the CDD or financial-crime process, what staff have been trained to do, how outputs are tested, how exceptions are handled, and how the Guernsey firm has satisfied itself that any group-level assessment is sufficiently relevant. 


3. Electronic verification needs a clear data-point map 
Electronic verification is defined as using an electronic method or system to verify, in whole or in part, the identity of a natural person by matching specified personal information against electronically captured physical documentation and/or independent electronic data sources. 

The updated guidance confirms that electronic verification can verify all, or any combination, of the mandatory data points required by Commission Rule 5.8. If the system does not meet all requirements, the firm must use one or more other methods to ensure the natural person is fully verified. When assessing an electronic verification system, firms must document the identity data and information collected, the data sources used and how the system assesses authenticity. 

What firms need to evidence: map each electronic verification tool against Rule 5.8. The file should show which data points the system verifies, which sources it checks, what authenticity checks it performs, what evidence is retained and what manual or alternative checks complete the process. 

 

4. Deepfake and synthetic identity controls need to be documented 
The update directly addresses the risk that electronic verification systems could be abused through AI-derived deepfakes or synthetic identities. Firms must consider and document the measures within the electronic verification system that address forged or tampered identification data, including manufactured audio-visual media used to create synthetic identities. That assessment must be reviewed at least annually to ensure it remains current with technological developments. 

The revised guidance points firms to factors such as copy clarity, biometric comparison, live-stream facial recognition, chip reading, security-feature analysis, geotagging or geolocation, transmission security, anti-impersonation measures, provider testing against cyber-attacks and deepfakes, and whether users or the firm can bypass security features. 

What firms need to evidence: ask vendors and internal technology owners direct questions about deepfake and synthetic identity controls. Keep evidence of the answers, review them at least annually, and record any compensating controls where the system has limitations. 

 

5. Video calls can support CDD, but they are not identity verification on their own 
The revised guidance recognises that video calls have a role in CDD, including helping firms discuss aspects of a new business application or a proposed transaction with an existing customer. However, relying solely on video calls without independent verification could expose firms to increased risks. Selfie photographs of natural persons with their identity document are not an acceptable means of verifying identity. 

What firms need to evidence: treat video calls as supporting evidence only. Firms should not rely on video calls alone, or selfie-plus-ID photographs, as the verification control. 

 

6. Electronic statements can be used, but validity and veracity must be checked 
The update recognises that postal statements have largely been replaced by online billing, email delivery or customer portal access. Examples of electronic statements that may be used for address verification include online statements from recognised banks, building societies, credit card companies or recognised lenders, and online rates, council tax or utility bills bearing the person’s name and residential address. 

Where a firm accepts an electronic statement as address verification, it must be satisfied as to the validity and veracity of the statement. Some electronic sources may be more easily tampered with than others. Where suspicions arise, firms should take practical and proportionate steps to establish whether those suspicions are substantiated and whether the statement should be accepted. 

What firms need to evidence: define what makes an electronic statement acceptable, what tampering indicators staff should look for, and which independent sources can be used for corroboration where concerns arise. 

 

7. Electronic certification and digital signatures can support smoother CDD 
The revised guidance now states that certification by a natural person can be paper-based or electronic. Electronic certification includes scanning hard-copy identification data and certifying it electronically by applying a signature in electronic form, as defined in the Electronic Transactions (Guernsey) Law, 2000. 

Electronically certified identification data is treated as acceptable and equivalent to paper-based certification where the relevant requirements are met. A digital signature in electronic form, or equivalent, applied to an electronic copy of identification data and provided electronically to the firm can be as acceptable as a wet-ink or physical signature. Where electronically certified identification data is accepted, the firm must satisfy itself as to the veracity of the certification process. The revised guidance clarifies that this is about understanding the basis on which the certifier met the person whose identity is being certified, not understanding the underlying technology used to certify documents. 

What firms need to evidence: update certification procedures so staff and intermediaries know when electronic certification is acceptable, what evidence must be retained, and how the firm records the basis on which the certifier met the person. 
 

8. Regulated-firm certification through electronic verification has a clearer route 
A firm may accept copies of identification data certified as true copies by a regulated firm that has verified the person through an electronic verification system, where the certifying firm is subject to AML/CFT supervision by a competent authority. There is no prescribed wording, but the certification must be sufficient to confirm that the person is a customer or key principal of a customer of the certifying firm, that the document is a true copy of identification data verified by that firm’s electronic verification system, and that the copy has been downloaded from that system. 

What firms need to evidence: retain evidence of the certifying firm’s AML/CFT supervision, the certification wording, the person’s status with the certifying firm, and confirmation that the document came from the electronic verification system. 


9. AI and analytics can assist specific CDD-related tasks 
The update expressly refers to specific uses of AI and analytics in CDD-related work. Firms may use electronic translation services, including AI, to translate documents, provided they are satisfied with the output. Where the foreign language is less familiar, a firm may use more than one electronic translation service to validate its understanding. The firm remains responsible for the electronically translated product and should record its understanding of the document. For enhanced CDD, AI may be used to identify credible independent references about the customer or beneficial owner for the firm’s due diligence considerations. 

For source of funds and source of wealth, the revised guidance refers to blockchain analysis products or other suitable services from reliable commercial vendors where virtual assets are involved. It also refers to publicly available information identified through online searches, searches by AI or subscription services, where the information is obtained from a reliable public or private third-party source. 

What firms need to evidence: AI can be used as a tool to translate, identify or organise information. The record should show the document translated, the firm’s understanding, the credible independent reference, the reliable third-party source or the blockchain analytics output. 
 

10. Vendor adoption remains the firm’s responsibility 
The GFSC does not plan to endorse particular technologies or system providers, because a prescriptive approach could risk stifling innovation and limit market development. The Commission also does not require firms to justify their technology choices to the regulator. However, firms must undertake the relevant risk assessment before launching new or developing technologies and keep it updated. The GFSC does not expect firms to assess or verify proprietary methodologies used by third-party providers. Instead, firms are expected to conduct a proportionate assessment of adopted solutions as part of their financial-crime risk-management frameworks. 

What firms need to evidence: Select the solution, assess it, document the basis for adoption, define the controls around it and test its output. 

 
 

Conclusion

The Handbook update is more than a technical clarification. It fits into Guernsey’s wider Digital Finance Initiative: a push to position the Bailiwick as a trusted, agile and forward-looking jurisdiction for digital financial innovation. The firms that benefit most will be those that treat technology adoption as a way to make compliance more effective, auditable and resilient. In practice, that means being able to explain why a solution was chosen, how it supports CDD, what evidence it creates, where human judgement remains required, and how the control is tested over time.



 

 

 

Streamline Risk Management across the Customer Lifecycle

The KYC360 platform is an end-to-end solution offering slicker business processes with a streamlined, automated approach to Know Your Customer (KYC) compliance. This enables our customers to outperform commercially through operational efficiency gains whilst delivering improved customer experience and KYC data quality.

Consolidate your system stack and data vendor relationships with one platform to cover all Onboarding, Screening, Perpetual KYC (pKYC) and CLM tasks, with market-leading data sources pre-integrated under a single license agreement. Live risk scoring and automated data collection enables a shift from periodic to event-driven review, while providing a single actionable picture of real-time risk with all documents and data in one place.

Streamline Risk Management across the Customer Lifecycle