Response to consultation on draft Guidelines on the use of remote customer onboarding solutions


1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and, if possible, provide evidence of the adverse impact that provisions in this section would have.

General comments
PayPal welcomes the opportunity to comment on the draft EBA guidelines on remote customer onboarding of 10 December 2021. As societies and economies continue to digitize, with individuals and businesses increasingly looking for digital solutions to go about their daily lives or commerce – a process only accelerated by the coronavirus pandemic – we believe it is key to ensure a framework allowing for citizens and businesses to transact in a safe and secure digital environment.
As a non-face-to-face business operating in the digital sphere, PayPal is accustomed to the wide use of technological solutions to bring services to the customers in a fast and seamless manner. Digital identification and authentication of customer credentials form a cornerstone of our business model, and we support efforts to anchor the recognition of the benefits of such tools in terms of security and efficiency for both customers and businesses.

As an obliged entity under directive EU 2015/849, we support greater regulatory convergence on the elements related to identification and verification needed for on-boarding purposes, including customer due diligence processes carried out by third parties. We believe that regulation and technical guidance in relation to digital onboarding and related services should ultimately have at its core objective to support a strong risk-based approach enabling innovation and the targeted use of tools to support organizations in their journey to clamp down on illicit activity, while ensuring security of transactions, data and the protection of individuals. We have supported the direction proposed by the European Commission’s AML package of July 2021 to further harmonise certain CDD elements across the EU where these relate to digital onboarding and authentication of transactions.
We also note that the relevance of the use of digital identification tools in the financial sector extends beyond AML compliance, as they have a role to support inter alia the wider payments infrastructure and requirements, such as Strong Customer Authentication (SCA) under the Payment Services Directive (PSD2).

Recommendations
PayPal would like to underscore a number of aspects that the draft EBA remote onboarding guidelines should consider in subsequent drafts.
• Risk-based approach: PayPal believes that the draft guidelines fall short in acknowledging the importance of a strong risk-based approach to digital onboarding and KYC processes altogether. Business models within the financial sector vary significantly, and product design and underlying money-laundering controls should remain a strong prerogative of each individual business. We therefore would recommend a stronger acknowledgement of a risk-based approach that should underpin all aspects of the AML value-chain.
• Level of risk: We would like to note that the draft guidelines place emphasis on the premise that remote CDD tools, and specifically the underlying AML processes, would be riskier than ‘traditional’ CDD methods, thereby requiring greater safeguards. We believe that the choice of remote identification tool is not a core determinant of the level of risk or the strength of the outcome.
• In line with a strong risk-based approach, we do not believe that guidelines in relation to remote onboarding should be overly prescriptive, so as not to crowd out innovation in this space. For example, provisions in relation to the choice of remote tool or technology rightly do not promote certain solutions over others.
• Consistency of enforcement: PayPal welcomes convergence on the elements related to identification and verification needed for on-boarding purposes. This should further ensure that requirements that go beyond these guidelines are not imposed by individual member states on entities operating cross-border in the internal market.
• Recognition of digital tools for compliance: The draft EBA guidelines make a key reference to Article 13(1)(a) to (c) of Directive 2015/849, which requires obliged entities to have appropriate KYC programmes in place. The draft EBA guidelines do not, however, explicitly state that where the measures laid out therein are appropriately implemented by firms, full compliance with Article 13 is assumed. More generally, the guidelines should underline that the use of remote KYC tools is to be seen as compliant with firms’ CDD requirements.

We would also like to note that while the eIDAS Regulation and its ongoing review have created the framework for various national electronic ID schemes, a number of shortcomings still persist in reaping the benefits of these schemes, especially in cross-border situations. We welcome the FATF’s recommendations, which call on competent authorities to encourage a flexible, risk-based approach to using digital ID systems for customer due diligence (CDD) processes that supports financial inclusion. Reliance on national e-ID schemes of high assurance for identification purposes should be fully embedded in the implementation of AML/CTF regulation.

In relation to the ‘Subject matter, scope and definitions’, PayPal agrees with the scope and definitions laid out in the draft EBA guidelines. It is important that these are consistent with the definitions in primary EU AML legislation.

8. Do you have any comments on Guideline 4.7 ‘ICT and security risk management’? If you do not agree, please set out why you do not agree and, if possible, provide evidence of the adverse impact that provisions in this section would have.

In relation to paragraph 62, PayPal would recommend avoiding the term “widely recognized encryption techniques”. It is not sufficiently clear what is meant by “widely recognized”, and the wording does not bring about any additional security or customer confidence.

PayPal believes that paragraph 64 should be clearer about what is meant by “multi-purpose device” (which could cover, for instance, a PC, a mobile phone, any non-kiosk device, or only the application used for remote authentication). The paragraph could also specify which cases are to be considered applicable (under “where applicable”). It should also be clearer what is meant by “security mechanism”, as well as which security risks and attack vectors should be considered.

Name of the organization

PayPal