After having publicly consulted on the draft Guidelines on the use of remote customer onboarding solutions until March 2022, the European Banking Authority (EBA) has in the meanwhile addressed concerns raised in the context of the consultation and has published a final version on 22 November 2022.
As a reminder, the Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/8491 (Guidelines) have the mission to set out the steps financial institutions should take to ensure safe and effective remote customer onboarding practices in line with applicable anti-money laundering and countering the financing of terrorism (AML/CFT) legislation and the EU’s data protection framework.
In this article, we will have a look at both general aspects of the Guidelines as well as at some specific issues identified by the EBA as a result of the consultation process and the retained solutions.
The light regime for eID solutions: a true relief?
The EBA clarifies in the Guidelines that credit and financial institutions (Institutions) that are using solutions based on electronic identification schemes or issued by qualified trust service providers under the eIDAS Regulation2, are allowed to take into account the assessment already performed by the national competent authority according to the eIDAS Regulation.
In other words, as most of the aspects of the policies and procedures introduced by the Guidelines will be covered in the assessments conducted as part of rigorous conformity assessments and peer-to-peer reviews under eIDAS, the EBA concludes that the application of the said governance arrangements could create disproportionate work with respect to the onboarding process.
However, the eIDAS Regulation has its limitations and falls short of addressing the demands of the market, mostly due to its “inherent limitations to the public sector and the limited possibilities and the complexity for online private providers to connect to the system […]”, as outlined in the proposal of the European Commission for a Regulation amending the eIDAS Regulation, published on 3 June 2021.
In this regard, it might well be that the use cases for such a light regime will be limited. By the way, the EBA states in this regard that it “is aware that the European Commission’s proposal to review the eIDAS Regulation and introduce a European Digital Identity Wallet would significantly help overcome the existing fragmentation in this area. However, until the review is finalised and enters into force, the EBA must base its assessment on the existing regulatory framework” (see page 43 of the Guidelines).
Mandatory liveness detection: when and how?
Each time (and only when) Institutions use unattended remote onboarding solutions (i.e., where the customer does not interact with an employee to perform the verification process such as it will be the case during a live videoconference), liveness detection will be mandatory according to the Guidelines.
Indeed, the EBA outlines that unattended situations are highly dependent on the technology with little or no direct human intervention, and that liveness detection will increase the reliability of the verification process. By doing so, the EBA has removed the reference to “increased ML/TF risks” that has been criticized during the consultation phase.
Whilst neither providing a specific definition of liveness detection, nor establishing the liveness detection methods that might be used by the Institutions, the EBA merely mentions procedures where a specific action from the customer is required to verify that he/she is present in the communication session (active liveness detection) or which can be based on the analysis of the received data and does not require a specific action by the customer (passive liveness detection).
Moreover, the EBA refers ISO 30.107 that defines several standards for liveness detection techniques that might be consulted by Institutions.
Controls during the verification process: proportionality comes into play?
Independently of the verification method chosen (i.e., based on eIDAS or not), the EBA sets out that “where commensurate with the ML/TF risk associated with the business relationship”, Institutions should use additional controls in view of increasing the reliability of the verification process. In this context, the Guidelines provide a non-exhaustive list of controls such as the sending of a randomly generated passcode to the customer to confirm the presence during the remote verification process or the direct mailing (both electronic and postal) to the customer.
Such provision, which has not been further commented during the consultation process, leaves room for interpretation and entails that for each business relationship in scope of the Guidelines, Institutions will need to decide whether to apply these additional controls or not. Further, it is not excluded that they would in a second step need to evidence to their regulator on which criteria they took such decision (which is likely to create an additional layer to their internal risk analysis).
Reliance and outsourcing: new verifications required
In addition to the governance requirements set out in the Guidelines (such as the adoption of risk-sensitive policies and the pre-implementation assessment and monitoring of the remote onboarding solution), Institutions will need to adapt their reliance/outsourcing policies and procedures to the requirements laid down in the Guidelines and apply these to their reliance/outsourcing partners.
When it comes to outsourcing, this should be achieved through regular reporting, ongoing monitoring, on-site visits, or sample testing.
Where the outsourced service provider stores customer data during the remote onboarding process, Institutions must take additional verifications with regard to the collection, the retention, the access to and the protection of the stored data.
In terms of challenges Institutions might face when applying the Guidelines, it can be noted that the EBA does not expect the Guidelines “to create a significant burden on credit and financial institutions that use remote customer onboarding solutions” but “to provide significant benefit to the institutions as they will be able to have a common standard to follow and to make sure that the AML risk is minimized by following the recommended steps”.
According to the EBA, the Guidelines are clear that Institutions should have the choice of individual technological solutions, to the extent that national law and the Guidelines are respected.
Against this, one may certainly expect a certain regulatory burden that Institutions will face when adapting their policies and procedures to the requirements laid down in the Guidelines.
Moreover, Institutions will need to assess their current onboarding processes and, as the case may be, revise the contractual relationship with their service providers and/or outsourcing partners.
The Guidelines will enter into force 6 months after their publication in all EU official languages.
 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
Cover picture: Copyright © Adobe Stock/pickup