Authors

Łukasz Szymański, Partner

Magdalena Jaczewska–Żurek, Ph.D., Senior Lawyer

Miroslav Đurić, LL.M., Lawyer

Dr. Verena Ritter-Döring, Partner

Dániel Ódor, MRICS, Partner

Jakub Adam, Ph.D., Partner

April 21, 2022

How to remotely x-ray the client? New EBA guidelines for remote onboarding

  • In-depth analysis

The global pandemic has further accelerated the transition to virtual and remote customer interaction and onboarding. For this reason, issues related to remote onboarding have recently become a subject of particular interest to both European and national financial supervisors (for example, the Polish Financial Supervision Authority). In order to ensure proper safety in the remote onboarding process, on December 10, 2021, the European Banking Authority (the “EBA”) released the draft Guidelines on the use of remote customer onboarding solutions (the “Guidelines”).

Who do the Guidelines apply to?

The Guidelines apply to financial sector operators who carry out customer due diligence measures (the “CDD”) in accordance with the AML Directive in cases where customers are onboarded remotely, i.e. without physical contact (the “Financial Operators”).

Internal policy on remote onboarding

Financial Operators shall put in place and monitor a policy on remote onboarding. The Guidelines define the detailed scope of the content of internal procedures and indicate that the AML Officer shall be responsible for their proper implementation and enforcement.

Acquisition of information during remote onboarding

Where Financial Operators do not use digital identity issuers to confirm the identity of the customer, they should make sure that the information obtained through remote customer onboarding is up to date, is captured in sufficient quality and is stored in accordance with the GDPR.

Any proof of identification collected during the onboarding process should be timestamped and stored securely.

Authenticity Checks

When the person who is conducting the remote onboarding is not able to examine the original identification document, he or she should take steps to have sufficient assurance as to the reliability of the copy provided. The Financial Operator should, at a minimum, be able to verify the validity of official documents issued by a public authority.

The Guidelines also offer some additional solutions that Financial Operators should apply according to the AML/CFT risk they have identified:

  • first payment drawn on an account in the sole or joint name of the customer with an EEA-regulated credit or financial institution or in a third country that has AML/CFT requirements that are no less robust than those required by the AML Directive;
  • generation of a passcode (single-use and time-limited) to be confirmed by the customer during the remote verification process;
  • capture of the biometric data from the customer to compare with data collected through other independent and reliable sources;
  • telephone contacts with the customer;
  • direct mailing (both electronic and postal) to the customer.

The Guidelines also provide for specific steps that Financial Operators should take when they use biometric data or rely on photo- or video-verification methods.

If the information provided during remote onboarding is insufficient, the onboarding process should be redirected to a face-to-face verification.

Use of Digital Identities

Where Financial Operators intend to verify and identify their customers using digital identity issuers other than those that fall under the eIDAS Regulation or those accepted by the relevant national authorities, they should determine the level of assurance, take adequate measures to understand the digital identity system based on its technical specifications, architecture and governance, and determine the reliability and independence of the digital identity issuer.

Where possible, strong authentication should be applied when verifying the customer’s digital identity.

Outsourcing of CDD

If Financial Operators rely on third parties in the initial CDD, they should ensure that:

  • the third party’s own CDD remote customer onboarding policy and procedures are sufficient in relation to the Financial Operator’s own CDD policies and procedures;
  • the business relationship between the customer and the Financial Operator is not damaged due to possible shortcomings of the third party in the remote customer onboarding process.

Guidance of national supervisory authorities in the EU

The financial services market in individual European countries has been gradually implementing remote customer identification methods for quite some time.

Poland

In Poland, the EU AML Directives are implemented in the form of the Polish AML Act. It stipulates that remote onboarding may be connected with a higher risk of money laundering and terrorism financing and thus may require the introduction of enhanced customer due diligence methods. On June 5, 2019, the Polish Financial Supervision Authority (the “PFSA”) also issued its statement on customer identification and verification of customer identity in banks and branches of credit institutions based on the video-verification method, and on March 3, 2022 a statement was published concerning the video verification of institutional clients of entities supervised by the PFSA (for more details please refer to this legal alert).

Germany

In Germany, the German Money Laundering Act (Geldwäschegesetz, the “GwG”) and the Interpretation and Application Guidance in relation to the GwG of the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”) provide for a number of different methods that can be used for the purposes of remote customer identification. However, the two most frequently used methods in the German market are the video-identification and account-identification methods. In April 2017, BaFin published a guidance note (Circular 3/2017) on the use of the video-identification method, stipulating detailed requirements that obliged entities must fulfil when relying on this method of remote customer identification. In comparison to some other European countries, BaFin has generally taken a somewhat stricter approach by not allowing institutions under its supervision to use the photo-identification method for the purposes of remote customer identification. In the light of recent developments at the EU level (especially the EU Commission’s proposal for a Regulation establishing a framework for a European Digital Identity), the German lawmaker and BaFin may well decide to make some further changes to the national framework on remote customer identification that will bring more flexibility to obliged entities operating in an online environment.

Slovakia

In Slovakia, the Slovak Anti-Money Laundering Act (“the Slovak AML Act”) implemented the V. AML Directive in 2018. In December of the same year, the National Bank of Slovakia (“NBS”), as the financial supervisory authority, in cooperation with the Financial Intelligence Unit (a special unit of the financial police of the Slovak Police Forces), published its general note (note No. 1/2018) on the correct procedure for remote customer identification. Unfortunately, this general note is of a very general nature and does not provide as specific an approach as can be found in the BaFin guidance or the PFSA’s statements. The NBS general note provides for general obligations of obliged persons, including obligations to consider higher risks during remote customer identification and verification of the required documentation, as well as an obligation to notify the respective supervisory authority of the technical system enabling remote verification. In contrast to the German approach, the particulars setting standards for video ID procedures, and the specifications of human, technical and other security standards, are not specifically elaborated in the Slovak note. Detailed requirements for the technical system enabling remote verification, such as end-to-end encryption, adequate quality of both sound and image, and others, are missing. Therefore, we are afraid that the Slovak approach is not a very practical or problem-solving one. Having said the above, Slovak legislators can expect greater demand for detailed and elaborate national legislation implementing the outcomes of the EBA Guidelines.

Hungary

In Hungary, the AML IV. Directive was implemented by Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (“the Hungarian AML Act”), which entered into force in June that year. The Hungarian AML Act introduced the possibility of remote customer identification and onboarding for Financial Operators caught by its scope, and tasked the Hungarian National Bank (“MNB”, as the Hungarian financial supervisory authority) with determining the rules on auditing electronic communication devices permitted to be used for such purposes and on the execution of customer due diligence procedures by such devices. After a 2020 amendment of the Hungarian AML Act, MNB adopted Decree 26/2020 on the detailed rules of the execution of the Hungarian AML Act (“MNB Decree”, replacing the previously applicable decree to fit the new risk-based approach). The MNB Decree not only sets out the IT security requirements for operating and auditing the electronic communication devices used for such purposes in mid-level detail (e.g. prescribing the so-called liveness test), it also regulates the forms and rules of direct (real-time) and indirect electronic customer due diligence processes. The MNB Decree specifies several different forms for conducting remote customer due diligence for the onboarding of new customers, including video-identification, a “simple selfie-based” identification (with certain limitations applicable to the customer), the use of the so-called central identification agent system (“KAÜ”), and e-personal identification cards. The MNB Decree also contains detailed rules on the appropriate processes to follow when applying such methods (e.g. requiring proper lighting and transmission resolution levels, continuous connection, recording, training requirements for personnel conducting the due diligence, etc.).

Austria

In Austria, financial sector operators also have the possibility to identify new customers online. The legal requirements for this can be found in the Austrian Anti Money Laundering Act (Finanzmarkt-Geldwäschegesetz, “FM-GwG”). To meet the increased security requirements of the digital process, the Austrian Financial Market Authority (Finanzmarktaufsicht, “FMA”) issued the Online Identification Ordinance (Online-Identifikationsverordnung, “Online-IDV”) in 2017. The Online-IDV defines the requirements for data and forgery security as well as the organisational and procedural security measures. In November 2021, the Online-IDV was expanded and the possibility was opened to use solely biometric procedures for the remote identification of new customers. Previously, employees had to verify that the client actually physically participates in the identification at the end device. The FMA reacted to the technological progress and it is no longer necessary to rely on employees to carry out online identification; video systems based on artificial intelligence can now be used. As of January 1, 2023, the photo ID must be checked by reading the electronic security chip (NFC chip); until then, video-based checks of IDs are still permitted.

Czech Republic

In the Czech Republic, the AML Directives were implemented in the Czech Anti-Money Laundering Act (“Czech AML Act”), which provides for various methods that can be used for the purposes of remote customer identification, including adoption of identification carried out by another person or mediated identification. Similarly to Germany, a method frequently used in practice is the account-identification method. However, the Czech financial supervisory authority, the Czech National Bank (“CZNB”), has not yet published any guidelines on good practice for remote customer identification. In practice, CZNB issues general notes pursuant to the publication of EBA guidelines, and it might issue a general note in this regard once the Guidelines are finalised and published by the EBA. The Financial Analytical Office of the Czech Republic (a special administrative office with nationwide jurisdiction serving as the financial intelligence unit of the Czech Republic) has so far published only general guidelines no. 9 on February 26, 2021 for financial sector operators regarding customer identification pursuant to the Czech AML Act. However, these guidelines do not address any specific details regarding remote onboarding. Therefore, the situation in the Czech Republic is similar to the one in Slovakia: detailed guidelines and requirements on the technical system enabling remote verification are not yet available but may be expected once the Guidelines are published.
