Can virtual assistants (e.g. Philippines-based) be set up with restricted access?
Yes. Scope VAs to the Frontline Staff role for KYC initiation and follow-up only (no sign-off, no completed-document access), with Authenticator or Passkey MFA instead of SMS.
Yes - with caveats around what's available today and what's coming.
What's available today:
- Scope the role to Frontline Staff - VAs can initiate KYC requests, follow up with clients, and send VOI links, but can't view completed ID documents or sign off transactions. This handles most data-entry and customer-coordination work.
- Use an Authenticator app or Passkey for MFA (not SMS), since SMS to offshore mobiles is unreliable.
- Restrict access to specific entities in multi-entity setups, so the VA only sees the entity / entities they're supporting.
What's coming:
- Restricted-view access is on the roadmap so VAs can do specific CDD tasks (e.g. data entry, document re-uploads) without seeing PII at all. This will allow VA support of CDD-User-level tasks without the data-protection concerns of giving them full access.
In the interim, the Frontline + authenticator-app + entity-scoped pattern works for most VA use cases. For firms with strict PII boundaries (e.g. legal firms with privilege considerations), the safer interim approach is to use AML On Demand outsourcing through the easyAML team rather than offshoring the CDD work - see Section 19.