Executive Summary
On 22 November 2022, the European Banking Authority ("EBA") published its final Guidelines on the use of remote customer onboarding solutions for credit and financial institutions (the "Remote Onboarding Guidelines").
The Remote Onboarding Guidelines set common EU standards, including:
- the steps credit and financial institutions should take when adopting or reviewing solutions to comply with their customer due diligence ("CDD") obligations when onboarding customers remotely; and
- policies, controls and procedures credit and financial institutions should put in place in relation to CDD under Directive (EU) 2015/849 ("4AMLD") when onboarding customers remotely.
Key Aspects of the Remote Onboarding Guidelines
Internal policies and procedures:
Credit and financial institutions should:
- put in place and maintain policies and procedures to comply with CDD obligations in situations where the customer is onboarded remotely;
- carry out a pre-implementation assessment of the remote customer onboarding solution and be able to demonstrate to the competent authority which assessments were carried out, the outcome and its appropriateness;
- monitor the remote customer onboarding solution on an ongoing basis.
Acquisition of information:
Credit and financial institutions should:
- set out in their policies and procedures the information needed to identify the customer, the types of documents, data, or information the institution will use to verify the customer's identity and the manner in which this information will be verified;
- determine in their policies the information they need to obtain to identify natural person customers remotely;
- define in their policies and procedures which category of legal entities they will onboard remotely, taking into account the level of ML/TF risk associated with each category, and the level of human intervention required to validate the identification information.
Other requirements under the Remote Onboarding Guidelines include ensuring that information obtained through the remote customer onboarding solution is up to date, that images etc. are readable and of sufficient quality and, in the context of CDD for natural persons, that information captured automatically is reliable.
Document authenticity & integrity:
Credit and financial institutions should:
- take steps to ascertain that reproductions of original documents are reliable;
- take the steps necessary to ensure that tools which automatically read information from documents capture information in an accurate and consistent manner.
Matching customer identity as part of the verification process:
Remote customer onboarding solutions should, as a minimum, allow for the following to be confirmed as part of their verification process:
- there is a match between the visible information of the natural person and the documentation provided;
- where the customer is a legal entity, it is publicly registered, where applicable;
- where the customer is a legal entity, the natural person that represents it is entitled to act on its behalf.
The Remote Onboarding Guidelines also include requirements in relation to:
- the use of biometric data to verify the customer's identity, requiring that data to be sufficiently unique and requiring the use of strong and reliable algorithms to verify the match;
- the use of attended and unattended remote customer onboarding solutions. For example, in an unattended context, requiring that photographs or videos are taken under adequate lighting and at the time of verification, that liveness detection is performed, and that strong and reliable algorithms are used to verify whether a photograph or video matches the picture on official documents;
- inclusion of randomness in the sequence of actions to guard against risks such as the use of synthetic identities or coercion; and
- additional controls, on a risk basis.
Reliance on third parties and outsourcing:
In the context of outsourcing, in addition to the EBA Risk Factors Guidelines (EBA/GL/2021/02) and the EBA Guidelines on Outsourcing (EBA/GL/2019/02), credit and financial institutions should:
- ensure that the outsourced service provider effectively implements and complies with the credit or financial institution's remote customer onboarding policies and procedures;
- carry out assessments to ensure that the outsourced service provider is sufficiently equipped and able to perform the remote customer onboarding process;
- ensure that the outsourced service provider informs the credit or financial institution of any proposed changes of the remote customer onboarding process.
Requirements are also included in relation to reliance on third parties.
ICT and security risk management:
In addition to the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04), credit and financial institutions should:
- use secure communication channels to interact with the customer during the remote customer onboarding process;
- use secure protocols and cryptographic algorithms according to the industry best practices to safeguard the confidentiality, authenticity, and integrity of the exchanged data, where applicable;
- provide a secure access point for starting the remote customer onboarding process.
Use of trust services and national identification processes:
Credit and financial institutions may use trust services and electronic identification processes; however, they should assess the extent to which these solutions comply with the provisions of the Remote Onboarding Guidelines and apply the measures necessary to mitigate any relevant risks that arise from the use of these solutions.
Simplified Due Diligence
The Remote Onboarding Guidelines apply to standard remote customer onboarding journeys. Nonetheless, where simplified due diligence could be applied, credit and financial institutions may adjust the elements of the Remote Onboarding Guidelines that relate to the nature and type of verification data and documentation in line with a risk-based approach.