EBA Consults on Remote Customer Onboarding Guidelines Author: Sarah Louise Azzopardi Published on February 2, 2022 On 10 December 2021, the European Banking Authority (“EBA”) issued a consultation paper on Draft Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849 (the “Consultation Paper”) which sets out common EU standards on the development and implementation of sound, risk-sensitive Customer Due Diligence (“CDD”) measures in the remote customer onboarding context. The draft guidelines set out in the Consultation Paper (the “Guidelines”) are a welcome measure to ensure harmonisation of remote solutions to CDD processes which have increasingly become a necessity due to restrictions related to the COVID-19 pandemic. The consultation period for the Guidelines shall run until 10 March 2022. Internal Policies and Procedures The Guidelines require financial sector operators (“FSOs”) put in place policies and procedures to comply with their obligations to (a) identify the customer and verify the customer’s identity in line with AML/CFT obligations; and (b) assess and as appropriate, obtain information on the purpose and intended nature of the business relationship, in situations where the customer is onboarded remotely. As is the case with AML/CFT policies and procedures, those documenting the controls applicable to remote customer onboarding solutions will be the responsibility of the AML/CFT compliance officer. As such, the compliance officer is responsible for preparing, reviewing and where necessary, amending these policies and procedures as well as ensuring that they are implemented effectively. On the other hand, the Board is responsible for approving such policies and procedures and overseeing their correct implementation. The Guidelines establish the EBA’s expectations with regards to the controls which FSOs should put in place when using the remote customer onboarding solution (“RCOS”) – which controls need to be documented within the policies and procedures. This would include documenting the features and functioning of the RCOS, from the pre-implementation assessment of the RCOS to ongoing monitoring of its effective operation. In addition, these policies and procedures must also specify how the RCOS shall be used and the controls in place at all stages of the customer onboarding process, from the initial request for information and documents (including the type of information and documents needed at the inception of the customer relationship), assessing which information requires verification, the manner in which this information is to be verified and how ongoing monitoring of the customer relationship shall be carried out. Pre-Implementation Assessment and Ongoing Monitoring of the RCOS The pre-implementation assessment of the RCOS should be commensurate to the ML/FT risks that the FSO has identified in its business risk assessment. The scope of this assessment should take into account various factors such as the completeness and accuracy of collected information and documents, the reliability and independence of the sources of information used to verify the information collected and identification of mitigating and remedial measures for deficiencies identified. The assessment should include testing to identify risks inherent within the RCOS as within its overall functioning should also be included within the pre-implementation assessment. This assessment must be documented and made available to the competent authority if required. Ongoing monitoring ensures that the RCOS continues to operate effectively and continues to meet its objectives by periodic review. FSOs are required to ensure that remedial measures are put in place in cases of resultant weaknesses, risks or errors. The Process of Remote Customer Onboarding Acquisition of information FSOs are required to ensure that all information obtained through the RCOS is adequate to meet the standards for CDD in line with AML/CFT requirements as also specified in its policies and procedures. As such, any images, video, sound and data must be captured in a readable format and with sufficient quality, time-stamped and stored securely. It should be noted that the FIAU Implementing Procedures include provisions relating to use of videoconferencing tools, identity verification software and other alternative measures for the acquisition and verification of CDD information. Therefore, the Guidelines should be read in parallel with these provisions of the Implementing Procedures. Authentication and Verification of Documents In the absence of original documents to verify photos or scans of paper-based copies, FSOs should take steps to assure themselves of the reliability of the documentation provided. This may include verifying security features embedded in the document (such as holograms) by comparing them to official databases and ensuring that any documents and photos provided are of sufficient quality and definition. As regards the use of videoconferencing tools, FSOs should ensure that the quality of the image and audio is adequate and train staff in the use of such tools. The Guidelines also specify that FSOs should develop an interview manual to guide staff on how to use such tools, including how to identify behaviour which might characterise suspicious behaviour during the remote verification process. Use of Digital Identities The Guidelines also provide for the use of digital identities in order to identify and verify the customer. The EU Commission has recently proposed a Regulation establishing a framework for a European Digital Identity (the “Proposed Regulation”).[1] The Proposed Regulation, slated to come into force later this year, establishes a framework for the establishment of a European Digital Identity Wallet which would enable people to upload, store and use their personal data (including copies of the identity card, driver’s licence or bank card) to create a ‘digital identity’. The information contained within this digital identity can then be shared with public authorities or businesses as necessary. In terms of the Proposed Regulation, EU member states shall be required to provide validation mechanisms for the European Digital Identity Wallet to ensure that (a) its authenticity and validity can be verified; (b) allow parties relying on this information to verify that the attestations of attributes are valid; and (c) allow third parties and qualified trust service providers to verify the authenticity and validity of the data. In terms of the Guidelines, FSOs may use digital identities to perform the identification and verification process, however they should still identify the risks involved and set out specific mitigation measures in their policies and procedures. FSOs are also required to assess the information provided by means of the digital identity and request additional information as necessary. It should be noted that in terms of the Guidelines, use of digital identities to perform the initial CDD process is not considered to be reliance or outsourcing although FSOs may outsource all or part of the remote customer onboarding process to a service provider. This is subject to the overarching requirements whenever outsourcing CDD measures to a third party. In particular, FSOs would need to implementation an outsourcing agreement and carry out an assessment of the suitability of the outsourcing provider. The obligations of the FSO in relation to outsourcing of CDD measures would need to take into account specific rules on outsourcing in terms of AML/CFT legislation[2] as well as the EBA’s Guidelines on Outsourcing which apply across all outsourcing relationships entered into by licensed entities. [1] Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity (SEC(2021) 228 final) – (SWD(2021) 124 final) [2] See Regulation 13 of the Prevention of Money Laundering and Funding of Terrorism Regulations (S.L. 373.01) and Chapter 6 of the FIAU’s Implementing Procedures Go back