Time for action – EBA Guidelines on Remote Customer Onboarding Solutions have been applicable since 2 October 2023
On 22 November 2022, the European Banking Authority (the EBA) published its Guidelines[i] on the use of Remote Customer Onboarding Solutions under Article 13 (1)[ii] of Directive (EU) 2015/849 (AMLD V)[iii] (the Guidelines).
The Guidelines provide guidance on the application of anti-money laundering and countering the financing of terrorism (AML/CFT) and data protection rules where customers are onboarded remotely (through websites/mobile apps). The Guidelines also lay down common EU standards for sound, risk-sensitive initial customer due diligence (CDD) processes in a remote customer onboarding context.
The Guidelines have been applicable since 2 October 2023.
The Guidelines form part of the European Commission’s Digital Finance Strategy[iv], which aims to promote digital finance for consumers and businesses and to address the fragmentation of the Digital Single Market for Financial Services. The objectives of the Guidelines are four-fold:
- Identify the permissible innovative technologies for remote customer onboarding.[v]
- Establish the conditions that need to be met when institutions use innovative technologies to on-board customers remotely.
- Specify the approved formats of digital documentation used in remote customer onboarding processes.
- Define the circumstances under which institutions can appropriately depend on information provided by third parties for purposes of remote customer onboarding.
The Guidelines complement and should be read in conjunction with other guidelines issued by EBA, such as the ML/TF Risk Factors Guidelines,[vi] the EBA Guidelines on Internal Governance under Directive 2013/36/EU,[vii] the Guidelines on Outsourcing Arrangements,[viii] the Guidelines on the AML/CFT Compliance Officer[ix] and the Guidelines on ICT and security risk management.[x]
Personal scope – The Guidelines are addressed to the competent national authorities (in Belgium: the National Bank of Belgium (the NBB) and the Financial Services and Markets Authority (the FSMA)) and to credit institutions and financial institutions[xi] as defined in AMLD V. “Financial institutions” include (amongst others) insurance undertakings (when carrying out life insurance activities) and intermediaries, investment firms, collective investment undertakings marketing their units or shares, and branches of financial institutions located in the EU.
Material scope – The Guidelines apply in situations where credit and financial institutions adopt “new” remote customer onboarding solutions (meaning newly adopted onboarding processes as of 2 October 2023 onwards), and in situations where institutions periodically review their existing remote customer onboarding solutions already in place.
The application of remote CDD measures in situations where existing customers acquire new products is explicitly excluded from the scope of the Guidelines, albeit that EBA nevertheless considers many provisions of the Guidelines also to be relevant in this context.
The topics covered in the Guidelines are:
1 Internal policies and procedures
- Policies and procedures – The Guidelines lay down the minimum content requirements for internal policies and procedures relating to remote customer onboarding. Amongst others, these policies and procedures should give a general description of the remote customer onboarding solutions that the credit and financial institutions have in place and should provide for the recording of information throughout the remote customer onboarding process. The policies and procedures should describe in which situations the solutions can be used and should indicate which steps in the remote customer onboarding process are fully automated and which steps require human intervention. The policies and procedures should also set out the controls in place to ensure that the first transaction with a newly onboarded customer is executed only after all initial CDD measures have been completed.
- Pre-implementation assessment – When considering adopting a new remote customer onboarding solution, credit and financial institutions should carry out a pre-implementation assessment of the remote customer onboarding solution, the scope, steps and record-keeping requirements of which should be included in the aforementioned policies and procedures. Institutions should be able to demonstrate to their competent authority which assessments they carried out before implementing the remote customer onboarding solution, the outcome of those assessments, and how the use of the solution is appropriate in light of the ML/TF risks identified for the types of customer(s), service(s), geographies and product(s) in its scope.
- Ongoing monitoring – Once implemented, credit and financial institutions should also monitor the remote customer onboarding solutions on an ongoing basis to ensure that they operate in line with the institutions’ expectations. Where a risk has materialised, or where errors have been identified that have an impact on the efficiency and effectiveness of the overall remote customer onboarding solution, the institutions must provide for appropriate remedial measures.
- Governance – The Guidelines also provide for a particular responsibility for the AML/CTF compliance officer (to make sure that the remote customer onboarding policies and procedures are implemented effectively, reviewed regularly and amended where necessary) and for the management body of the institutions (to approve the policies and procedures and to oversee their correct implementation).
2 Acquisition of information
Secondly, the Guidelines lay down the EBA’s expectations in terms of customers’ identity verification procedures (depending on whether the customer is a natural person or legal entity), and the nature and purpose of the business relationship.
3 Document authenticity and integrity
The Guidelines provide guidance on the acceptance of reproductions of original documents and the use of algorithms and automatic recognition techniques for examining CDD documents. The Guidelines require that credit and financial institutions ensure the precise and consistent capture of information when using these tools.
4 Matching customer identity as part of the verification process
In a fourth section, EBA clarifies its expectations in terms of matching the customer identity as part of the identity verification.
Where the remote customer onboarding solution involves the use of biometric data[xii] to verify the customer’s identity, credit and financial institutions should make sure the biometric data is sufficiently unique to be unequivocally linked to a single natural person. In situations where the evidence provided is of insufficient quality, resulting in ambiguity or uncertainty so the performance of remote checks is affected, the individual remote customer onboarding process should be interrupted and restarted or redirected to a face-to-face verification.
The Guidelines provide for different minimum standards depending on whether the institutions use attended remote onboarding solutions (i.e. where the customer interacts with an employee to perform the verification process) or unattended remote onboarding solutions (i.e. where the customer does not interact with an employee).
5 Reliance on third parties and outsourcing
The Guidelines also lay down detailed specifications when credit and financial institutions rely on third parties for remote customer onboarding functions and activities or outsource CDD in full or in part.
In case of reliance on third-party providers, institutions must take the steps necessary to be satisfied that the third party’s own remote customer onboarding CDD processes and procedures, and the information and data it collects in this context, are sufficient and consistent with the requirements laid down in the Guidelines.
If credit and financial institutions outsource their remote customer onboarding process to an outsourced service provider, they should (amongst others) ensure that the service provider implements and adheres to the institution’s remote customer onboarding policies and procedures by implementing regular reporting, ongoing monitoring, onsite visits etc.
6 ICT and security risk management
EBA reiterates the importance for credit and financial institutions of identifying and managing the ICT and security risks related to the use of the remote customer onboarding process. In addition to complying with the requirements set out in the EBA Guidelines on ICT and security risk management (where applicable), institutions should employ secure communication channels and industry-standard protocols and algorithms to protect the confidentiality, authenticity and integrity of data exchanged during the remote customer onboarding process.
7 The use of trust services and national identification processes
Lastly, EBA clarifies in its Guidelines that the use of trust services and electronic identification processes as set out in Regulation (EU) No 910/2014,[xiii] and as regulated and accepted by the relevant national authorities, for purposes of compliance with its Guidelines is allowed, provided however that the appropriate measures are applied to mitigate any relevant risks that arise from the use of these solutions.
IMPACT FOR YOUR BUSINESS
The Guidelines have been applicable since 2 October 2023 and will be used by the national competent authorities (such as the NBB and the FSMA) to assess whether the remote customer onboarding tools as deployed by credit and financial institutions are adequate and fit for purpose.
Taking into account the detailed new requirements as prescribed by EBA, the current policies and procedures of credit and financial institutions will most likely not be sufficient to meet the new standards as set out in the Guidelines. The same applies to existing outsourced remote customer onboarding processes, which are unlikely to cover all the current requirements as set out by EBA. We therefore expect substantial modifications to current policies and procedures of credit and financial institutions to be required in the upcoming annual review or – if possible – earlier.
Our Financial Services team is happy to help you with any queries you may have, including a review of your current remote customer onboarding policies and procedures, or assistance regarding the transition from in-person onboarding methods to remote onboarding procedures.
Authors: Pierre E. Berger, Marie Goossens, Korneel Debruyn
[ii] Article 13 (1) of AMLD V establishes the foundations for the initial CDD that “obliged entities” must follow when initiating business relationships or conducting certain types of transactions. CDD is a fundamental component of AML/CTF efforts, and entails the verification of the identity of customers, the understanding of the nature of their business, and the ongoing monitoring of their transactions.
[iii] Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, accessible here.
[iv] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a Digital Finance Strategy for the EU, accessible here.
[v] However, the Guidelines do not favour specific technological solutions and respect the principle of technological neutrality. Further, as long as the conditions set out in the Guidelines are met, and to the extent permitted by national law, the choice of individual technological solutions is made by the institutions concerned.
[xi] As defined by article 3(1) and 3(2) of the AML Directive.
[xii] ‘Biometric data’ is defined by the EBA Guidelines as “personal data relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data, which is obtained and processed using technical means.”
[xiii] Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, accessible here.