The European Banking Authority (EBA) published on November 22, 2022, its Guidelines on the use of Remote Customer Onboarding Solutions.
This is the final version of the Guidelines that were submitted for public consultation a year ago. The responses received helped finalize a text that reflects European confidence in a quality technology increasingly used by credit and financial institutions. Veridas participated in the public consultation process, contributing its proposals as a supplier with long experience in the sector.
What is the EBA, and what does it do?
The European Banking Authority (EBA) is a regulatory agency of the European Union that works to ensure the smooth functioning of the EU banking system. It is responsible for developing and implementing rules and regulations to protect the stability and integrity of the EU financial sector and for fostering cooperation between national banking regulators. The EBA also monitors developments in the banking sector and advises and guides the European Commission and other EU institutions on financial regulation.
What is the aim of the Guidelines?
The objective of these Guidelines is to “set out the steps credit and financial institutions should take when choosing remote customer onboarding tools and what [such institutions] should do to satisfy themselves that the chosen tool is adequate and reliable (…) and that it enables them to comply effectively with their initial Customer Due Diligence obligations”.
Thus, provided that the conditions set out therein are met, and to the extent permitted by national legislation, which may further specify the content of these Guidelines, the choice of the technological solutions to be used will be the responsibility of the credit and financial institutions. In this regard, it should be noted that the Guidelines are “technology neutral,” which the EBA considers “important to foster ongoing innovation and to ensure that the AML/CFT principles and procedures set out in these guidelines remain relevant and applicable.”
What are the Guidelines?
The Guidelines are divided into seven reference topics:
- Internal policies and procedures: Focuses on the entity’s knowledge of the remote onboarding process it implements and on the procedures for operating and monitoring it, even before the entity starts using it.
- Acquisition of information: Focuses on obtaining the data necessary to verify the customer’s identity and the quality of the data needed to ensure the reliability of the process.
- Document authenticity and integrity: Covers the security checks that must be performed on the identity document presented in the process to validate its authenticity and integrity.
- Matching customer identity as part of the verification process: The correspondence between the holder of the identity document presented and the person carrying out the process must be verified. For this purpose, the Guidelines propose the use of biometrics. They also establish the minimum requirements to be met in the process depending on whether there is a synchronous interaction between the customer and the financial institution’s agent (video call process) or whether it is a non-interactive process (usually known as the video-identification process).
- Reliance on third parties and outsourcing: Credit and financial institutions are allowed to outsource, in whole or in part, the process of verifying the identity of their customers while maintaining responsibility for the process, its definition, and supervision.
- ICT and security risk management: Reference is made to other guidelines published by the EBA about identifying and managing risks inherent to onboarding processes, which credit and financial institutions must take into account and implement.
- Compliance where credit and financial institutions use trust services: The use of trust services and electronic identification is allowed, but institutions must analyze how such solutions comply with the requirements established in the Guidelines, in case compensatory measures need to be applied.
A further step in the regulation of onboarding services
Ultimately, these Guidelines are intended to help national authorities learn more about non-face-to-face customer onboarding processes to make the most of them, establishing “a common understanding by competent authorities and credit and financial institutions on the steps [the latter] should take to ensure safe and effective remote customer onboarding practices that are in line with the applicable AML/CFT legal and data protection framework.”
In Europe, some countries have had regulation in this area for many years, while others have begun regulating it in greater detail more recently. The Guidelines are in line with the tools and processes that many credit and financial institutions are already using, but some countries are expected to need regulatory changes or more detail in their existing rules.
When will these guidelines be applicable?
The Guidelines will be applicable six months after publication in the official EU languages on the EBA website, but within a shorter period (two months after publication), competent national authorities will have to report whether they comply or intend to comply with the Guidelines.