Non-bank payment service providers operating in Israel, such as issuers of payment instruments, payment transaction acquirers, payment account managers, and payment initiators, are subject to regulatory requirements. These include obtaining a license from the Israel Securities Authority (the “Authority”), conducting Know Your Client procedures, and other compliance obligations that derive, inter alia, from the Regulation of Payment Services and Payment Initiation Law, 5783-2023 (the “Law”), and the Prohibition of Money Laundering (Identification, Reporting and Recordkeeping Duties of Payment Companies for the Prevention of Money Laundering and Terror Financing) Order, 2024 (the “Order”).
Most of the payment services regulated under the Law are digital by nature, and many payment companies operate exclusively online without physical branches. Accordingly, Israeli regulators have adopted an approach that enables payment companies to identify and verify customers online, and on February 13, 2025, the Authority published a directive to payment companies to implement anti-money laundering obligations using online identification technology (the “Directive”).
The Directive outlines the implementation of anti-money laundering and terrorist finance (“AML”) obligations by means of online identification technologies, thereby aligning with global standards and current technological advancements. It introduces new provisions for payment companies regarding online identification and verification. This includes, for example, a permit for the online identification of service recipients who are non-Israeli residents (while establishing increased controls on the actual identification process), which differs from the directives applicable to other financial entities operating in Israel. Additionally, the Directive permits payment companies to adopt alternative digital verification methods, such as obtaining data through the financial information interface system (open banking) or conducting a symbolic bank transfer.
Key Aspects of the Directive:
- Definition of “Service Recipient”:
The definition of “service recipient” in the Directive includes a service recipient who is an individual and an Israeli resident, an individual who is a non-resident, provided that their country or territory of residence is not listed in the First Appendix to the Order, and a corporation registered in Israel or a recognized entity, regardless of whether the service recipient acts on behalf of a beneficiary or not.
- New Online Verification Technologies:
The Directive defines “online verification technology” as including open banking and symbolic bank transfers, which may streamline processes and reduce reliance on physical documentation. Additionally, the definition encompasses other alternative verification methods that may be approved by the Authority, thereby allowing for greater flexibility in the future.
- Identification and Verification Based on a Single Document:
Under the Directive, payment companies may rely on a single identification document for fulfilling various obligations during the online identification processes, provided that one of the approved verification methods as outlined in the Directive is applied, such as cross-checking data with the Israeli Population Registry or using online verification technology (as mentioned above).
An “identification document” is one of the following:
(a) an Israeli ID card;
(b) an immigration (“aliyah”) certificate, valid for up to 30 days from issuance;
(c) a valid driver’s license bearing the holder’s photograph;
(d) a valid Israeli passport issued under applicable Israeli law;
(e) for non-residents, a foreign passport or a travel document.
- Online Declaration Requirement:
In accordance with the terms of the Order, a service provider must obtain, at the time of engagement, a declaration from the service recipient verifying their identity and stating whether they are acting on their own behalf or for a beneficiary. If the service recipient is a corporation, it must also provide identification details of its controlling shareholders. The Directive permits this process to be conducted online, subject to prescribed conditions, including the use of alternative methods approved by the Authority (and not necessarily a verbal declaration).
- Preconditions for Using Online Identification Technology:
The Directive lays down specific conditions that service providers must meet in order to use online identification technology. This includes conducting an AML risk assessment in remote identification processes and implementing a risk mitigation plan. Additionally, the service provider must establish an internal policy for the use of online identification technology, as detailed in the Directive.
- Online Identification Methods:
The Directive allows service providers to verify the identity of a service recipient who is an individual, an authorized representative of a corporation or recognized entity, or a beneficiary, by means of two online methods:
a. Video Conference Technology – requires real-time video and audio communication.
b. Visual Identification Technology – allows identification via recorded video or real-time visual interaction.
The Directive lays down the requirements for employing either method, including the adoption of additional oversight measures for the non-real-time identification process.
- Third-Party (Outsourced) Online Identification:
The Directive permits identification to be carried out through a third-party identification service, subject to prescribed conditions, and without mitigating or transferring the duties and responsibilities owed by the service provider.
- Data Retention and Security:
Service providers must adhere to recordkeeping requirements, including maintaining a complete digital record of the identification processes, such as video documentation, scanned ID documents, and other relevant data. In addition, the Directive imposes data security requirements which the service provider must meet, including ensuring secure server storage under the service provider’s control and maintaining data backups, and also requires that service recipients be informed of how their data is stored.
- Board of Directors’ Responsibility:
The Directive imposes supervisory and oversight duties on the service provider’s Board of Directors, including its obligation to assess the efficiency of risk evaluations and policies regarding online identification technology.
- Appointment of a Compliance Officer for Online Identification:
The Directive requires that service providers appoint a dedicated compliance officer having responsibility for overseeing the implementation of online identification policies, ensuring compliance with regulatory requirements, and maintaining independence in their role.
- Internal Audit Requirements:
The Directive imposes an obligation on the service provider to implement internal audit mechanisms to assess the effectiveness of risk management controls in AML-related online identification processes, detect weaknesses, and ensure proper oversight.
- Approval from the Authority’s Chairman:
Any service provider intending to implement visual identification technology is required to obtain prior approval from the Authority’s chairman. This includes submitting an expert opinion and obtaining approval before making any material changes to the technology or the services provided through it.
The Directive details the measures that payment companies operating in Israel must take to ensure compliance with their obligations under the Order when identifying and verifying customers online, while adapting to accepted global measures and current technological developments. Payment companies should assess whether the Directive impacts their operations and, where relevant, take the necessary steps to ensure compliance. This may include, inter alia, adopting a risk management policy that aligns with the new requirements, reviewing the existing online identification methods and ensuring their compliance with the Directive, complying with documentation and data security requirements, and obtaining regulatory approval for use of the technology where necessary.
These key aspects as outlined above are neither exhaustive nor do they purport to constitute a summary of all the provisions of the Directive. They are being provided as general guidance only and should not be regarded as legal advice or a firm legal opinion on the subject.