Response to consultation on draft Guidelines on the use of remote customer onboarding solutions
Go back
Second, the draft guidelines focus on what financial sector operators (FSO) should themselves determine in order to implement a reliable CDD process on risk-based approach. In that context, the draft reads “these Guidelines do not favor or discriminate against particular technology solutions (…) Instead, they focus on sound processes that financial sector operators should put in place to mitigate the impersonation fraud risks”.
We welcome the above approach and its technological neutral stance, which places the emphasis in allowing FSOs to explore and adopt the best possible solutions and procedures that ensure they can successfully onboard customers remotely. The importance of remote onboarding will only be further exacerbated in the coming years, as PSUs will expect it to become the new normal, and as we witness a decline in the number of bank branches across the EU, these solutions become ever more prominent. Moreover, we believe these guidelines present an excellent opportunity for the EBA to demystify the risk of remote processes vis-à-vis in person ones, which should be further explored and reflected in the final Guidelines. As society moves into a digital age, so must the financial sector.
This been said we believe EBA should ensure that these guidelines are adopted in a consistent way across all member states. Currently specific rules at member state level create an unlevel playing field between FSOs in that member state and FSOs operating cross border, that benefit from a more flexible approach from their Home NCAs vis-à-vis the Host MS. Thus creating situations where companies can remote onboard customers in a third country with a smoother experience and more efficient way than a FSO supervised in said country.
So in order to avoid any potential conflicts, the final Guidelines should further clarify the exceptional situations were a NCA can limit, via national legislation, policies and/or procedures that a FSO may use for remote onboarding. Such clarifications are important for the FSOs to operate and develop their business models in a consistent and safe manner.
Guidelines should not be limited to obliged entities in the financial sector only, but to all obliged entities in scope for AML, considering the predictable impact on the ongoing work on the EU Digital Identity Wallet.
Moreover, we believe that the scope of the guidelines should be expanded to ongoing customer reviews, especially when proven ML/TF risk profile of the customer/business relationship remains unchanged.
Finally, we would like to stress the importance of these GLs to prospectively pave the way for AMLA future RTSs/work on this field, promoting risk-sensitive supervisory criteria.
The final guidelines need to be more specific and detailed with regards to types of acceptable innovative technologies and acceptable forms of digital documentation. If they fail to do, it could happen that in certain Member States, as it is today, national legislation may continue to impose a single recognized and approved solution which restricts severely what the Guidelines are set to achieve.
As regards the use of Digital Identities, we would stress that there are some NCAs that, even with nationally acceptable Digital Identities, do require that additional measures are performed as they do not consider them to be sufficient. There is a risk that, those additional measures, combined with the requirements lay down in these Guidelines, could lead to a substantial impact regarding the use of remote onboarding.
Therefore, we would welcome that the final Guidelines would provide a more flexible guidance for intra-group shared services as well as banking communities shared services. We recall that in several Member States, banking communities make use of technological service providers to develop and provide services and tools that allow the sector to optimize synergies and be at the forefront of innovation. In this context, we recall that there are already some national initiatives that can be seen as best practices when it comes to reliance on third-party providers acting under equivalent CDD/KYC requirements under AMLD (please note the exemple of the Spanish Regulator regarding the regime of “AUTORIZACIÓN DE PROCEDIMIENTO DE IDENTIFICACIÓN NO PRESENCIAL” (autorizacion_procedimiento_identificacion_no_presencial.pdf (sepblac.es).
1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
First, we would like to thank the EBA for putting together these guidelines and for providing much needed clarity and guidance, both to financial sector operators and national competent authorities, on what is possible to implement on remote onboarding situations for CDD purposes.Second, the draft guidelines focus on what financial sector operators (FSO) should themselves determine in order to implement a reliable CDD process on risk-based approach. In that context, the draft reads “these Guidelines do not favor or discriminate against particular technology solutions (…) Instead, they focus on sound processes that financial sector operators should put in place to mitigate the impersonation fraud risks”.
We welcome the above approach and its technological neutral stance, which places the emphasis in allowing FSOs to explore and adopt the best possible solutions and procedures that ensure they can successfully onboard customers remotely. The importance of remote onboarding will only be further exacerbated in the coming years, as PSUs will expect it to become the new normal, and as we witness a decline in the number of bank branches across the EU, these solutions become ever more prominent. Moreover, we believe these guidelines present an excellent opportunity for the EBA to demystify the risk of remote processes vis-à-vis in person ones, which should be further explored and reflected in the final Guidelines. As society moves into a digital age, so must the financial sector.
This been said we believe EBA should ensure that these guidelines are adopted in a consistent way across all member states. Currently specific rules at member state level create an unlevel playing field between FSOs in that member state and FSOs operating cross border, that benefit from a more flexible approach from their Home NCAs vis-à-vis the Host MS. Thus creating situations where companies can remote onboard customers in a third country with a smoother experience and more efficient way than a FSO supervised in said country.
So in order to avoid any potential conflicts, the final Guidelines should further clarify the exceptional situations were a NCA can limit, via national legislation, policies and/or procedures that a FSO may use for remote onboarding. Such clarifications are important for the FSOs to operate and develop their business models in a consistent and safe manner.
Guidelines should not be limited to obliged entities in the financial sector only, but to all obliged entities in scope for AML, considering the predictable impact on the ongoing work on the EU Digital Identity Wallet.
Moreover, we believe that the scope of the guidelines should be expanded to ongoing customer reviews, especially when proven ML/TF risk profile of the customer/business relationship remains unchanged.
Finally, we would like to stress the importance of these GLs to prospectively pave the way for AMLA future RTSs/work on this field, promoting risk-sensitive supervisory criteria.
3. Do you have any comments on the Guideline 4.2 ‘Acquisition of Information’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
With a view to promote regulatory and supervisory convergence, we believe the final guidelines should put forward the main principles that NCAs must respect when recognizing, approving and/or accepting innovative technologies and forms of digital documentation under AML/CTF framework.The final guidelines need to be more specific and detailed with regards to types of acceptable innovative technologies and acceptable forms of digital documentation. If they fail to do, it could happen that in certain Member States, as it is today, national legislation may continue to impose a single recognized and approved solution which restricts severely what the Guidelines are set to achieve.
6. Do you have any comments on the Guideline 4.5 ‘Digital Identities’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
We strongly support the EBA approach on paragraph 50 when it refers to the acceptance of additional digital identity issuers other than “qualified trust services” in accordance with Regulation (EU) No 910/2014 or those regulated, recognized, approved or accepted by the relevant national authorities”. This will send a strong and important signal to the entire ecosystem and help develop a more digitized banking sector. The possibility of having private identity solutions, especially those developed by or for the banking sector can help further innovation, security, reachability and competition to the financial sector.As regards the use of Digital Identities, we would stress that there are some NCAs that, even with nationally acceptable Digital Identities, do require that additional measures are performed as they do not consider them to be sufficient. There is a risk that, those additional measures, combined with the requirements lay down in these Guidelines, could lead to a substantial impact regarding the use of remote onboarding.
7. Do you have any comments on the Guideline 4.6 ‘Reliance on third parties and outsourcing’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
The use of third-parties and outsourcing is an extremely valuable tool as it allows to explore synergies and optimize services to PSUs. In our view, the draft Guidelines seem to add a level of regulatory complexity, which if not refrained could potentially lead to the unintended consequence of having obliged entities abstaining from outsourcing due to over-regulation.Therefore, we would welcome that the final Guidelines would provide a more flexible guidance for intra-group shared services as well as banking communities shared services. We recall that in several Member States, banking communities make use of technological service providers to develop and provide services and tools that allow the sector to optimize synergies and be at the forefront of innovation. In this context, we recall that there are already some national initiatives that can be seen as best practices when it comes to reliance on third-party providers acting under equivalent CDD/KYC requirements under AMLD (please note the exemple of the Spanish Regulator regarding the regime of “AUTORIZACIÓN DE PROCEDIMIENTO DE IDENTIFICACIÓN NO PRESENCIAL” (autorizacion_procedimiento_identificacion_no_presencial.pdf (sepblac.es).