Response to consultation on draft Guidelines on the use of remote customer onboarding solutions
Go back
As the consultation paper mentions, "Most Member States set out in their national law, regulation or regulatory guidance provisions in relation to remote customer onboarding. While several Member States take a broad view of the methods financial sector operators can use to onboard remotely their costumers, others have opted for a more restrictive approach. These divergences might be an obstacle fostering innovation and at the same time, they might hamper cross-border provisions of the financial services".
We believe it is very important to ensure that the same standards are applied to all financial sector operators in the EU, avoiding fragmentation between different EU Member States. Fragmentation between different EU Member States would cause an imbalance in competition between different operators, hampering innovation and cross-border provisions of financial services (for example, some EU Member States could establish stricter standards).
To secure that the same rules apply to the same activities and same risks, the EBA therefore should ensure that national competent authorities apply these Guidelines as a common standard. Accordingly, even though we consider these Guidelines to be a good starting point, we believe that the publication of the Guidelines, which are not binding, is not an adequate measure to achieve the final objective pursued. For this reason, it would be necessary to take additional measures such as establishing a binding regulation that constitutes an acceptable standard for compliance with the requirements for the use of remote onboarding solutions by financial sector operators within the EU.
However, we would like to have clarification on whether the EBA is requiring financial sector operators to develop an ad hoc policy to comply with their obligations under Article 13(1) points (a) and (c) of Directive (EU) 2015/849 in situations where the customer is onboarded remotely. We believe that is not the case, as we believe that financial entities can fulfil the requirement having the identified points in different policies and procedures, even if they are in more than one document and are not specific to remote customer onboarding solutions. Moreover, the same doubt arises in relation to the pre-implementation assessment process and the ongoing monitoring of the remote customer onboarding solutions, which financial entities already carry out, although not in an ad hoc manner but in an integrated process with different sets of controls.
Regardless of the above, we believe it is important to highlight that the requirements included in the draft Guidelines urge financial services operators to carry out certain personal data processing that, under the General Data Protection Regulation (GDPR), may require compliance with the obligations established in the said regulation by the controller entities. It is true that the GDPR allows the processing of personal data in those cases in which there is a legal obligation to which the controller is subject. However, we must remember that in this case we are dealing with Guidelines that do not have a legal or binding status. For this reason, we want to express our concern to the EBA when it comes to justifying, in terms of privacy, the processing of these personal data in the manner established in the draft Guidelines, given that apparently there is no legal justification to do so.
In addition, we would appreciate the EBA to clarify the requirement established in point 42, in order to allow financial entities to fulfil these requirements based on their own available processes. Therefore, we propose to change the text to the following:
“42. In situations where the evidence provided is of insufficient quality resulting in ambiguity or uncertainty so that the performance of remote checks is affected, the individual remote customer onboarding process should be discontinued and redirected, where possible, and in accordance with the applicable national rules in each case, to a new onboarding process, a video conference with a financial entity agent or a face-to-face verification, in a physical location.”
Finally, we wish to ask the EBA to clarify point 45 of the draft Guidelines, which establishes that the financial sector operators should use remote onboarding solutions that include randomness in the sequence of actions to be performed by the customer for verification purposes. We believe that it is not clear whether the EBA here refers to introducing randomness in the sequence of actions within the liveness detection verifications carried out, or to introduce randomness in the sequence of actions within the total journey of the remote customer onboarding process. In this regard, we would like to highlight the different levels of effort that these two options imply for the financial sector operators, and, moreover, the imperceptible difference for the purpose pursued for each one.
1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
We welcome the opportunity to comment on the EBA consultation paper on Draft Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849. We appreciate EBA's initiative to harmonize the remote onboarding process of all financial sector operators in the EU. This will allow all financial entities within the EU to apply the same standards.As the consultation paper mentions, "Most Member States set out in their national law, regulation or regulatory guidance provisions in relation to remote customer onboarding. While several Member States take a broad view of the methods financial sector operators can use to onboard remotely their costumers, others have opted for a more restrictive approach. These divergences might be an obstacle fostering innovation and at the same time, they might hamper cross-border provisions of the financial services".
We believe it is very important to ensure that the same standards are applied to all financial sector operators in the EU, avoiding fragmentation between different EU Member States. Fragmentation between different EU Member States would cause an imbalance in competition between different operators, hampering innovation and cross-border provisions of financial services (for example, some EU Member States could establish stricter standards).
To secure that the same rules apply to the same activities and same risks, the EBA therefore should ensure that national competent authorities apply these Guidelines as a common standard. Accordingly, even though we consider these Guidelines to be a good starting point, we believe that the publication of the Guidelines, which are not binding, is not an adequate measure to achieve the final objective pursued. For this reason, it would be necessary to take additional measures such as establishing a binding regulation that constitutes an acceptable standard for compliance with the requirements for the use of remote onboarding solutions by financial sector operators within the EU.
2. Do you have any comments on Guideline 4.1 ‘Internal policies and procedures’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Financial entities have internal policies and procedures in place that include the provisions stated on section 4.1.1. of the consultation paper (e.g. AML and KYC policy, Data Protection and Privacy Policy, etc.). Therefore, we do not have comments in relation to the internal policies as such.However, we would like to have clarification on whether the EBA is requiring financial sector operators to develop an ad hoc policy to comply with their obligations under Article 13(1) points (a) and (c) of Directive (EU) 2015/849 in situations where the customer is onboarded remotely. We believe that is not the case, as we believe that financial entities can fulfil the requirement having the identified points in different policies and procedures, even if they are in more than one document and are not specific to remote customer onboarding solutions. Moreover, the same doubt arises in relation to the pre-implementation assessment process and the ongoing monitoring of the remote customer onboarding solutions, which financial entities already carry out, although not in an ad hoc manner but in an integrated process with different sets of controls.
3. Do you have any comments on the Guideline 4.2 ‘Acquisition of Information’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Non-Applicable.4. Do you have any comments on the Guideline 4.3 ‘Document Authenticity & Integrity’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Non-Applicable.5. Do you have any comments on the Guideline 4.4 ‘Authenticity Checks’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
On the one hand, financial entities use remote customer onboarding solutions, which allow for the fulfilment of the requirements set out in section 4.4 (Authenticity Checks) of the consultation paper and that involve measures to verify the customer’s identity. These measures include the use of biometric data, liveness detection procedures and different methods to ensure the proper quality of photographs and video conferences, depending on the means used in accordance with the applicable national rules in each case.Regardless of the above, we believe it is important to highlight that the requirements included in the draft Guidelines urge financial services operators to carry out certain personal data processing that, under the General Data Protection Regulation (GDPR), may require compliance with the obligations established in the said regulation by the controller entities. It is true that the GDPR allows the processing of personal data in those cases in which there is a legal obligation to which the controller is subject. However, we must remember that in this case we are dealing with Guidelines that do not have a legal or binding status. For this reason, we want to express our concern to the EBA when it comes to justifying, in terms of privacy, the processing of these personal data in the manner established in the draft Guidelines, given that apparently there is no legal justification to do so.
In addition, we would appreciate the EBA to clarify the requirement established in point 42, in order to allow financial entities to fulfil these requirements based on their own available processes. Therefore, we propose to change the text to the following:
“42. In situations where the evidence provided is of insufficient quality resulting in ambiguity or uncertainty so that the performance of remote checks is affected, the individual remote customer onboarding process should be discontinued and redirected, where possible, and in accordance with the applicable national rules in each case, to a new onboarding process, a video conference with a financial entity agent or a face-to-face verification, in a physical location.”
Finally, we wish to ask the EBA to clarify point 45 of the draft Guidelines, which establishes that the financial sector operators should use remote onboarding solutions that include randomness in the sequence of actions to be performed by the customer for verification purposes. We believe that it is not clear whether the EBA here refers to introducing randomness in the sequence of actions within the liveness detection verifications carried out, or to introduce randomness in the sequence of actions within the total journey of the remote customer onboarding process. In this regard, we would like to highlight the different levels of effort that these two options imply for the financial sector operators, and, moreover, the imperceptible difference for the purpose pursued for each one.