EBA draft Guidelines on remote customer onboarding
On 10 December 2021, the European Banking Authority (EBA) launched a public consultation on its draft Guidelines on the use of remote customer onboarding solutions (Guidelines).
Context and scope
The Guidelines have been developed as a part of the Digital Finance Strategy presented by the European Commission (EC) in 2020 and are covered by EBA’s legal mandate in the fight against money laundering and terrorist financing (ML/TF).
In fact, the EC has noted (and this will most certainly be confirmed by market participants and national supervisory authorities) that the current rules on customer due diligence (CDD) as laid down in AMLD5 do not provide “sufficient clarity and convergence about what is, and what is not, allowed in a remote and digital context”, which has led to inconsistencies in the use of remote onboarding by market participants as well as to divergent interpretations of the AMLD5 by Member States.
Recent technological developments and the adoption of open banking, accelerated by a decline in the use of local branches and the pandemic restrictions, have undoubtedly made remote services very common, especially when it comes to customer onboarding practices.
The consultation by the EBA is therefore launched to determine a unified regulatory approach to remote customer onboarding practices that respect the EU’s anti-money laundering and countering the financing of terrorism (AML/CFT) framework as well as its data protection framework.
Once adopted, the Guidelines will apply to all financial sector operators that are within the scope of the Anti-money Laundering Directive (AMLD) when carrying out initial CDD measures.
Initially, the EBA was invited by the EC to develop guidelines determining:
- the types of acceptable innovative technologies for the remote onboarding of customers
- the conditions to be met when using innovative technologies to on-board customers remotely
- the acceptable forms of digital documentation used, and
- the conditions for third party reliance.
In addition to the request by the EC, the EBA has decided to include a “policies and procedures” section in the Guidelines as governance shortcomings have been identified as an “important source of risk in the remote customer onboarding”. The relevant section thus sets expectations regarding the controls to be put in place when using a remote customer onboarding solution and defines the role of the AML Compliance Officer when putting in place the respective policies and procedures.
The draft Guidelines are built around the following key areas, which are also highlighted by the questions of the consultation:
- Internal policies and procedures
- Acquisition of information
- Document Authenticity & Integrity
- Authenticity Checks
- Use of Digital Identities
- Reliance on third parties and outsourcing
- ICT and security risk management.
eIDAS and the use of digital identities
Although the electronic identification means under the eIDAS Regulation (eIDs) are validly recognized by the AMLD5 as a solution to identify customers and to secure non-face-to-face business relationships, the EBA has observed their limited success when it comes to the use of digital identities in a cross-border environment and the cross-border acceptance of eIDs. In particular, as there is no requirement for Member States under the eIDAS Regulation to develop a national digital ID and to make it interoperable with those of other Member States, the acceptance of foreign eIDs is still very low. This is also due to the fact that the digital identities under the eIDAS Regulation were not designed with the private sector and are thus mostly used in government services.
Moreover, the eIDAS Regulation does not harmonise the approach to certification of trusted service providers. To address the challenge of identifying reliable digital identity issuers, a secure digital identity for all Europeans has only recently been proposed by the EC.
In the meantime, the Guidelines provide that it will be possible for financial sector operators to determine for themselves whether a digital identity issuer is independent and sufficiently reliable to perform the initial CDD process. When making this choice on their own, operators would then be responsible for demonstrating to the regulator that the digital identity solution used is appropriate and sufficient to ensure compliance with their AML/CFT obligations.
Authenticity checks and the principle of technology neutrality
One of the key aspects of the Guidelines is the methods used to verify the identity of the customer in a remote onboarding scenario.
In this regard, the Guidelines claim not to “favour or discriminate against particular technological solutions” used by firms (such as biometric data), which underpins the principle of technological neutrality.
Moreover, it is worth mentioning that where the ML/TF risk associated with a business relationship is increased (EBA giving the example of high ML/TF risk cases when firms do not resort to digital identity issuers and/or situations highly dependent on the technology with little or no direct human intervention), the Guidelines provide that firms should use remote verification processes that include liveness detection procedures [1].
It will be interesting to follow the recently launched consultation process and the reaction of market participants to this quite detailed set of requirements, also because the use of a “fully automated remote customer onboarding solution, which is highly dependent on automated algorithms, without or with little human intervention” [2] seems to be conceivable under certain conditions.
In any case, obliged entities under the AMLD5 should familiarise themselves with the Guidelines, even though they are still in draft form, as remote onboarding will continue to make its way.
Finally, it should be borne in mind that the Guidelines, once adopted, will interact with a number of existing EBA Guidelines which they will complement, among them the EBA Guidelines on outsourcing arrangements as well as the EBA Guidelines on ICT and security risk management. Thus, the Guidelines will need to be read in conjunction with these existing provisions. [3]
The consultation process will last until 10 March 2022, followed by a public hearing on 24 February 2022.
[1] Procedures examining whether the video, picture or other biometric data captured during the remote customer onboarding process belong to a living person present at the point of capture, or real-time videoconference (see point 40 of the draft Guidelines).
[2] See point 23 of the draft Guidelines.
[3] See point 7 of the draft Guidelines.