EBA Guidelines on the use of remote customer onboarding solutions
The European Banking Authority (“EBA“) adopted guidelines in November 2022 that address the use of remote customer onboarding solutions (the “Guidelines” (link)). The Guidelines apply to credit and financial institutions (“financial undertakings“) that fall within the scope of AML/CFT legislation (in the Netherlands: the Wwft).
Recently, the Guidelines have been translated into all relevant EU languages including Dutch, making it clear that the Guidelines will enter into force on 2 October 2023. Given the fact that more and more relationships are fully digital, these Guidelines are relevant for market participants. In this news item, we will highlight several relevant points.
The Guidelines establish common EU standards for the development and implementation of processes with respect to remote customer onboarding. The Guidelines outline the steps financial undertakings should take when choosing instruments for remote client onboarding. In addition, the Guidelines outline how firms should assess the adequacy and reliability of such instruments in order to effectively comply with their AML/CFT obligations.
In the Netherlands, financial undertakings, among others, use iDIN to verify a customer’s identification remotely. However, other (online) tools are also offered in the market with which the identity of a customer can be verified remotely, for example using the NFC chip in the identity card and other biometric data via a selfie, or a liveness check.
The Guidelines discuss the following seven topics:
- Internal policies;
- Acquisition of in information;
- Authenticity and integrity of documents;
- Matching client identity as part of the verification process;
- ICT and security risk management; and
- The use of trust services and national identification processes.
In what follows, we will discuss in more detail what the Guidelines require in terms of internal policies and procedures, client identity matching and outsourcing.
Policies and procedures
Financial undertakings must establish risk-based policies and procedures describing how the obligation to identify and verify a customer’s identity is met through the solution that facilitates remote customer onboarding (hereinafter the “online solution”). These policies and procedures must include at least – in sum – the following:
- A description of the online solution, including an explanation of the features and operation of the online solution;
- The situations in which the online solution may be used, taking into account the risk factors identified and assessed in accordance with Article 8(1) of AMLD4 (link) and in the business-wide risk analysis, including a description of the category of clients, products and services eligible for remote acceptance;
- An indication of which steps are completely autonomous, and which steps require human intervention;
- Control measures that ensure that no business relationship with the client is entered into, or a transaction performed, until the entire customer due diligence process has been completed;
- A description of the training that will be provided to ensure that staff are knowledgeable about the function of the online solution, the associated risks, and the remote client acceptance policies designed to mitigate the identified risks.
The AML/CFT compliance officer should ensure that remote client onboarding policies are effectively implemented, regularly reviewed and revised as necessary. The board of directors must ultimately approve the policy, and oversee its proper implementation.
Phase before implementation of new online tool
When financial undertakings consider introducing a new online solution, they should assess it in advance against the requirements set out in the Guidelines. This assessment should be detailed in policies and procedures, considering at least the following aspects:
- An assessment of the adequacy of the online solution in terms of the completeness and accuracy of the data and documents to be collected, as well as the reliability and independence of the information sources used;
- An assessment of the impact of using the online remote client onboarding solution on business-wide risks, including ML/TF-related, operational, reputational and legal risks;
- the identification of potential risk mitigation measures for each risk identified in the aforementioned assessment;
- tests to assess fraud risks, including impersonation fraud risks and other information and communications technology risks and security risks; and
- end-to-end testing of the operation of the online solution.
Financial undertakings can assume that an online solution meets the criteria described above if it uses: (i) electronic identifiers that have been notified under Article 9 eIDAS Regulation (link) and meet the requirements of the trust levels “substantial” or “high” in accordance with Article 8 of the eIDAS Regulation (in the Netherlands these are, for example, DigiD for natural persons, and eHerkenning for legal entities) or (ii) relevant qualified trust services that meet the requirements of the eIDAS Regulation. To clarify, trust services are services designed to increase trust in online transactions among businesses and consumers (e.g. electronic signatures, seals of authenticity and timestamps).
Ultimately, financial undertakings must be able to demonstrate what assessments they have performed prior to the introduction of the online tool, the outcome of their assessment and how its use is appropriate in light of the ML/TF risks identified for the types of client(s), service(s), geographic areas and product(s) covered within the use of the tool.
Financial undertakings may use an online remote customer acceptance solution only when they are satisfied that it can be integrated into the firm’s operations so that the firm can manage the ML/TF risks that may arise from the use of the online solution.
The Guidelines also require financial undertakings to continuously monitor (periodically and ad hoc) the online solution. To this end, policies should provide for effective quality control and review processes.
Matching identity client as part of the verification process
The applied online solution must check at least the following as part of the verification process:
- That the visible information of the natural person matches the documentation provided;
- if the client is a legal entity, that it is publicly registered (if applicable); and
- if the client is a legal person, that the natural person representing him is authorized to act on its behalf.
If the online onboarding solution uses biometrics, then additional obligations apply based on the Guidelines.
The Guidelines also describe a number of additional measures that financial undertakings may take to enhance the reliability of the verification process, if necessary, given the ML/TF risks associated with the business relationship. These could include, inter alia: (i) a payment from a payment account held solely or partly in the customer’s name at a regulated bank or other payment institution in the EEA or a regulated bank or other payment institution in a third country with AML/CFT requirements that are no less robust than those of AMLD4; (ii) transmission of a randomly generated code to the customer to confirm presence during the verification process; (iii) telephone calls to the customer; and (iv) direct mailing (both electronic and postal) to the customer.
The Guidelines also presume in this case that the above is satisfied if use is made of: (i) electronic identifiers notified under the eIDAS Regulation and meeting the requirements of the “substantial” or “high” confidence levels in accordance with the eIDAS Regulation; or (ii) relevant qualified trust services meeting the requirements of the eIDAS Regulation.
In addition to the ML/TF Guidelines (link) and EBA’s Guidelines on Outsourcing (link), the Guidelines require financial undertakings that outsource remote customer onboarding to take the following steps:
- Ensure that the provider of outsourced services effectively implements and complies with the policies of the financial undertaking in question in accordance with the outsourcing agreement;
- Conduct assessments to verify that the outsourced service provider is adequately equipped and capable of performing the remote client onboarding process; and
- Ensure that the outsourced service provider informs the financial undertaking in question of proposed changes to the remote client acceptance process or changes to the online solution offered by that provider.
Entry into force
As mentioned, the Guidelines will take effect as of 2 October 2023. DNB has yet to officially indicate whether it will incorporate the Guidelines in its supervision. In any case, the AFM has already indicated in December 2022 that it will incorporate the Guidelines in its new Guideline Wwft and Sanctions Act that will be published this year (link).
Impact and to do’s
Market participants who use technology to onboard clients online will have to assess in the coming period to what extent their current policies and procedures need to be adjusted in the light of the Guidelines. It is important here that market participants assess whether they use tools that fall within the scope of the Guidelines, and whether the provider of the tool, including the tool itself, meets the requirements set out in the Guidelines. This also requires now – but also when selecting a provider – far-reaching cooperation from the provider. Moreover, providers must actually ensure that the tool also meets the requirements set forth in the Guidelines. All in all, enough reason to enter into talks with the providers in good time.
Market participants who are considering using an online solution for onboarding can already take the obligations arising from the Guidelines into account to avoid duplication of effort at a later stage. Finnius can assist market participants with the implementation of the Guidelines.