HomeArt MarketBeyond the Passport: Protecting the Art Market from Cyberfraud and Impersonation

Beyond the Passport: Protecting the Art Market from Cyberfraud and Impersonation

  • May 28, 2025
  • Posted by: FCS Compliance
  • Category: Art Market, Blog
No Comments
A closeup of a UK visa with a pound next to it

The good news for the art market is that since Covid, online buyers and sellers have increased in number.  The bad news is that there has been a steady increase in cyberfraud. 

Half of the cyberfraud in the UK in 2024 involved false or manipulated identity documents (e.g., passports, driving licences, national identity cards).  Given the steady rise in cyberfraud, verifying the identity of customers, particularly remote customers,  is increasingly important for both commercial and regulatory reasons. 

In addition to the risk of being a victim of fraud, we find that in Interventions, HMRC is increasingly asking about the steps taken by art market participants (AMPs) to verify remote customers.

Art market participants must be satisfied that the person claiming a particular identity is in fact the person with that identity. AMPs may in the end pay dearly for not adequately managing the risk of impersonation fraud.

We frequently hear from art market participants: “I do obtain the passports of remote clients and their proofs of address”. However, with the surge of AI, it is easier than ever to create a fake identity document. For remote customers, it is critical to take extra steps beyond merely obtaining the documents to verify that the person whose identity document you have is the same person buying or selling the work of art.

There are a variety of techniques available to double-check and verify a remote customer’s identity.  Some of the technology options include secure online document verification, biometric facial recognition, and device and behavioural analytics.

Digital Document Verification

This is one of the more common methods provided by service providers.

Document verification usually includes uploading images of your client’s identity documents through secure online portals. Advanced software applies optical character recognition (OCR) to read and validate documents, including checking the Machine Readable Zone (MRZ) and cross-referencing police watch lists.  Some services follow up the technological checks with a  review by human experts of the documents that come back marked as suspicious or unreadable.  For example, FCS Compliance do these checks as part of our Customer Due Diligence service.

His Majesty’s Government’s advice to the art market is: “For an electronic/digital check to provide satisfactory evidence of identity on its own, it must use data from multiple sources, and across time, or incorporate qualitative checks that assess the strength of the information supplied, or be done through an organisation which meets the [certain] criteria…”  The listed criteria include that the Service Provider:

  • is on the trusted list maintained by the Department for Digital, Culture, Media and Sport under relevant legislation[1] amending the eIDAS Regulation see https://webgate.ec.europa.eu/tl-browser/#/
  • is recognised, through registration with the Information Commissioner’s Office, to store personal data
  • uses a range of multiple, positive information sources, including other activity history where appropriate, that can be called upon to link an applicant to both current and previous circumstances;
  • accesses negative information sources, such as databases relating to identity fraud and deceased persons
  • accesses a wide range of alert data sources;
  • has published standards, or those of the scheme under which it is accredited or certified, require its verified data or information to be kept up to date, or maintained within defined periods of re-verification;
  • ensures arrangements exist whereby the identity provider’s continuing compliance with the minimum published standards is assessed; and
  • has transparent processes that enable the AMP to know how much certainty they give as to the identity of the subject.

Biometric facial recognition

Anyone who has tried to open a bank account recently will likely have experienced another technique called biometric facial recognition technology.   This technology, often referred to as “liveness checks”  matches the customer’s live image or video with the photo on their identity document to confirm the person presenting the identity document  is genuine. This method may also include passive liveness checks to prevent fraud from photos or videos.  

Behavioural biometrics 

Some service providers, even those not subject to money laundering regulations, analyse device data such as IP address, location, and device fingerprinting.  This option helps to detect anomalies that may indicate fraud. Behavioural biometrics analyse how users interact with devices (e.g typing patterns, device handling) to confirm identity consistency. These methods complement document and biometric checks to enhance security without disrupting user experience.

There are service providers offering some or all of these services. If you are paying for a third party service to conduct due diligence checks for you, it is key to understand the full nature and extent of what services they are offering, such as digital document verification and/ or biometric facial recognition.

An easy additional step to help verify identity is to explore what publicly available images exist of the person and compare those to the photograph in the identity document. Another option that some galleries employ is to require a zoom or FaceTime to discuss a work of art being sold. 

As always when it comes to money laundering regulation, applying a risk-based approach is required. This approach is of particular relevance with clients that you have not yet met face-to-face. Another due diligence requirement is for art market participants to understand the nature and purpose of the transaction. Again, as the risks of transacting with remote only clients are higher, gaining insight into the reason for the purchase is important. Such reasons do not need to be long or complex, they may be as simple as: furnishing a new house, just got married, just sold my business, etc.

Finally, keeping a record of your investigations and conclusion is the important final step. Such a record should include screen shots of relevant search results and a note to file about why you are or are not concerned about the customer’s identity and the risk of money laundering.

 

[1] SI 2019/89: The Electronic Identification and Trust Services for Electronic Transactions (Amendment Etc)(EU Exit) Regulations 2019