In the fight against money laundering and terrorist financing, accurate identification and verification of customer data are an essential pillar of the customer due diligence obligations that financial institutions must comply with. With the adoption of the 5th anti-money laundering directive¹, an additional option is introduced for financial services institutions, in the form of secure remote or electronic customer identification, by referring to the electronic identification means and relevant trust services as set out in the eIDAS Regulation of 2014².
Background to the eIDAS Regulation
eIDAS stands for electronic IDentification, Authentication and trust Services. The eIDAS Regulation, directly applicable in all EU Member States and fully in force since 2018, was adopted with the aim to enhance trust in electronic transactions between businesses, citizens and public authorities by providing a common legal framework for the cross-border recognition of national electronic identification schemes (eIDs) and consistent rules on trust services across the EU.
In this regard, the eIDAS Regulation enables the use of electronic identification means and trust services (i.e. electronic signatures, electronic seals, time stamping, registered electronic delivery and website authentication) by citizens, businesses and public administrations to access online services or manage electronic transactions (MEMO/14/586 of the European Commission).
Use cases for eIDAS include submitting tax declarations, enrolling in a foreign university, remotely opening a bank account, setting up a business in another Member State, authenticating internet payments, submitting bids to online calls for tender, etc., whilst providing higher security and more convenience for any of these online activities. In particular, it makes the requirement for customers to prove their identity via mail or in person for each new service redundant and cuts out any unnecessary paperwork.
Why does AMLD5 refer to eIDAS?
In the framework of the creation of a Digital Single Market, customer due diligence to be performed by financial institutions is one area where the eIDAS toolbox (i.e. electronic or remote identification and signing) can help expedite customer onboarding by rendering it fully digital and improve customer experience regarding their access to financial services.
Therefore, it was important to eliminate the inconsistency between eIDAS promoting remote electronic identification on the one hand and the 4th anti-money laundering directive³ on the other hand, which still considered non-face-to-face relationships as high risk and therefore requiring enhanced due diligence measures.
Moreover, as the rules for customer identification are not harmonized at European level, the reference to the electronic identification and signing methods as set out in the eIDAS Regulation was meant to promote secure cross-border electronic transactions as well as cross-border interoperability in the financial sector, by permitting citizens to use their own national eIDs to access public services in other EU countries in a seamless, faster and secure way.
It should finally be noted that the approach to integrate the eIDAS standards in the identification and verification process of financial institutions has also been followed at international level. Thus, in light of the evolving assurance frameworks and technical standards for the reliability of digital ID technology, the recently released guidance on digital identity of the Financial Action Task Force (FATF) makes several references to the eIDAS framework and encourages AML/CFT authorities to work closely with counterparts in digital ID, cyber-security and other relevant agencies to identify applicable digital ID assurance frameworks and standards (FATF (2020), Guidance on Digital Identity Point 74). Moreover, the International Organisation for Standardization (ISO) is currently working on developing global standards for the identification of natural persons for financial services, including in a digital context (FATF (2020), Guidance on Digital Identity Point 52).
Is the reference a potential game changer for customer due diligence?
According to the European Commission, so far EU citizens and companies in eight EU Member States can use their national eID across the EU and as of next year, 55% of the EU population will be covered (Digital identity and trust: Commission launches public consultation on the eIDAS Regulation (July 2020)).
In this regard, Member States have started notifying their electronic means of identification to the EU Commission and recognition of notified electronic identification schemes has been mandatory since September 2018. For Germany, this is the National Identity Card and the Electronic Residence Permit, both of which have a high level of assurance according to the eIDAS standards. For Luxembourg, this is the National Identity Card, also with a high level of assurance. It should be noted here that the aim of the eIDAS Regulation is not to provide for harmonisation of eID systems, but to achieve interoperability between national systems.
Thus, there are still hurdles to overcome on the way to a harmonized EU framework for e-identification services and digital onboarding. Indeed, even though AMLD5 allows the use of trust services for identification as defined in the eIDAS Regulation, it is still up to national legislators and regulators to define the identification methods that they deem appropriate for the identification of a customer during their onboarding. This is another factor which renders scaling business models across borders more difficult.
One example showing the lack of harmonization is the use of the video-identification procedure which has been pushed and regulated in Germany (BaFin Circular 3/2017 (GW) – video identification procedures (announced to be reviewed in 2020)) but which is not permissible as an adequate identification method in all EU Member States due to differing requirements.
Moreover, the underlying technology of the identification via a trust service provider under the eIDAS Regulation, such as the electronic identification card, is often not (yet) available to all customers in all Member States, thus impeding cross-border scaling of harmonized identification methods.
Finally, the divergent implementation and interpretation of the AMLD5 and its predecessors as well as the resulting inconsistent Know-Your-Customer (KYC) practices and approaches across the European Union have led to an uneven playing field for cross-border interoperability of digital identity services.
In July 2020, the European Commission launched its public consultation to collect feedback on the drivers of and barriers to the development and uptake of eID and trust services in Europe and on the impacts of the options for delivering an EU digital identity.
The broad public, as well as companies directly impacted by the eIDAS Regulation, competent authorities in Member States, international organisations and concerned stakeholders have until 2 October 2020 to participate in the consultation.
After the evaluation of the feedback submitted, the Commission intends to consider revising the eIDAS Regulation to improve its effectiveness, extend its benefits to the private sector and promote trusted digital identity standards, whilst taking into account the latest technological and policy developments, such as the increased reliance on doing business online.
In this regard, one can certainly expect a wide range of reactions, and it will be interesting to see if they will lead to a broader consolidation of the various digital identity standards and solutions which currently exist across the European Union.
¹ Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU; AMLD5
² Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
³ Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC