New EBA AML Guidelines on the use of Remote Customer Onboarding Solutions

Introduction

The EBA published new guidance on customer onboarding solutions on 22 November 2022, following a consultation on the guidelines between 10 December 2021 and 10 March 2022. The guidance aims to ensure safe and effective remote customer onboarding practices given the growing availability of customer onboarding solutions, particularly following the COVID-19 pandemic.

The new guidelines are intended to help mitigate risks from the use of technological solutions to onboard customers by setting out steps companies should take when choosing customer onboarding tools to comply with customer due diligence (CDD) obligations and to mitigate against impersonation and identity fraud risk.

Who do the guidelines apply to?

The guidelines apply to credit and financial institutions.

Why are the guidelines relevant?

According to the European Commission, existing customer due diligence rules set out in Directive 2015/849 (AMLD) “do not provide sufficient clarity about what is and what is not, allowed in remote and digital context”. The guidelines therefore set out steps to help credit and financial institutions satisfy themselves that the solution chosen is adequate and reliable.

The guidelines recommend that credit and financial institutions put in place and maintain policies and procedures to comply with their obligations under Article 13 of the AMLD where a customer is onboarded remotely. Importantly, credit and financial institutions should be able to demonstrate to their competent authority which assessments were carried out before the implementation of the customer onboarding solution.

Further to the assessment carried out prior to using the solution, credit and financial institutions are also expected to demonstrate ongoing reviews and the remedial steps taken for any shortcomings identified while using the customer onboarding solution.

Technology neutrality

The guidelines are technology neutral, setting out methods to help financial institutions mitigate risks arising from the use of technological solutions. The EBA clarifies that solutions that are not within the scope of the eIDAS Regulation are permitted in line with Article 13(1)(a) of the AMLD, and so the guidelines set out safeguards which institutions should apply to onboarding solutions. If the conditions are met, the choice of technology solution is left to the credit or financial institution.

Even though a credit or financial institution can choose a solution approved or recognised at a national level, they should still assess whether the solution meets standards set out in the guidelines.

What do the guidelines set out?

  • Pre-implementation assessment: Steps credit and financial institutions should take when adopting or reviewing solutions to comply with their obligations under Article 13(1)(a),(b) and (c) of the AMLD on identity verification CDD measures when onboarding customers remotely.
  • Third parties and outsourcing: Steps credit and financial institutions should take when relying on third parties according to Chapter 2 Section 4 of the AMLD; and
  • Remote Customer Due Diligence: Policies, controls and procedures credit and financial institutions should put in place in relation to CDD as referred to in Article 8(3) and (4)(a) of the Directive where CDD measures are performed remotely.

How should the guidelines be implemented? 

The EBA intends credit and financial institutions to create and maintain risk-sensitive policies and procedures around their remote customer onboarding solution. The policies and procedures should include descriptions of the solutions put in place, including steps which require human intervention, when to collect and verify information, situations where the onboarding solution would be used and the risk factors identified.

Risk appropriate adjustments

When considering the choice of remote onboarding solution, credit and financial institutions should base their decision on the result of a risk assessment of the business relationship as a whole, based on the types of customers, services and products that are eligible for remote onboarding by the solution in accordance with Article 8(1) of the AMLD. This should be clearly identified in the policies and procedures, in line with a business-wide risk assessment, including a description of the category for customers, services and products.

Where credit and financial institutions can apply simplified due diligence, the aspects of the guidance which relate to the nature and type of verification data and documentation can be adjusted in accordance with the risk-based approach set out in the EBA ML/TF Risk Factors Guidelines.

Internal controls

In addition, the EBA expects internal controls to be put in place so that newly onboarded customers are only approved for commencement once CDD measures have been applied, and regular training to be created to keep staff up to date with the onboarding solution and associated risks for effective risk mitigation.

The AML/CFT compliance officer will follow their general duty to prepare remote onboarding policies and procedures to comply with CDD requirements and implement them effectively.

Senior management will be expected to approve the remote onboarding policies and procedures and oversee their correct implementation.

Customer identification 

eIDAS identification schemes or relevant trust services

Some of the guideline steps for initial and ongoing use of remote customer onboarding solutions may already be met where a credit or financial institution uses a remote customer onboarding solution which uses either (a) electronic identification schemes notified under the eIDAS Regulation (EU) No 910/2014 (assurance levels ‘substantial’ or ‘high’), or (b) relevant qualified trust services that meet the eIDAS requirements, in the following instances:

  • Some (but not all) of the pre-implementation assessment steps such as assessing the adequacy of the solution regarding accuracy of data as well as the reliability or independence of the sources, tests to assess fraud and impersonation including other ICT and security risks, and end to end testing for the functioning of the solution, targeting elements identified in policies and procedures.
  • Steps around the acquisition of data when identifying a customer, such as ensuring that information obtained during onboarding is up to date and accurate, that images, video and sound data are captured in a reliable format of sufficient quality, and that the identification process is stopped when technical shortcomings or technical interruptions are detected.
  • Some of the steps around validating the customer’s identity in the verification process, such as when there is a match between the visible information of the customer and documentation provided, where the customer is a publicly listed legal entity, and where the customer is a legal entity and the natural person who represents it is entitled to act on its behalf. In addition, credit and financial institutions may not need to use additional controls to increase the reliability of the verification process.

It is clear that credit and financial institutions will need to understand whether the remote onboarding solution operates at assurance levels which are substantial or high in the provision of its electronic identification scheme, or whether its trust services meet eIDAS requirements, before they can benefit from omitting some of these steps from their policies and procedures.

Biometric data

If the remote customer onboarding solution uses biometric data to verify the customer’s identity, the credit and financial institution should ensure that the biometric data is “sufficiently unique to be unequivocally linked to a single natural person”. To satisfy this, credit and financial institutions should ensure strong and reliable algorithms are used to verify a match between the biometric data submitted on the customer onboarding document and the customer.

If the solution doesn’t provide the appropriate level of confidence, further checks should be applied.

Next steps

The guidance will apply 6 months after its publication in the EU official journal.

It’s apparent from the guidelines that credit and financial institutions will have a number of requirements to fulfil. The Payments and Regulatory team will be monitoring the publication of the guidelines in the official journal and will keep you up to speed with the latest developments.

If you would like to read Bird & Bird’s previous alerts, please check out our Payments In Focus webpage here
