Regarding 4.2.1
25.
c) the images, video, sound and data are stored according to GDPR Regulation18 and remain available to the financial sector operator;
and
26.
The identification proofs collected during the remote identification process, which are required to be retained in accordance with Article 40(1) point (a) of Directive (EU) 2015/849, should be time-stamped and stored securely. The content and the quality of stored records, including pictures and videos, should be available in a readable format and allow for ex-post verifications.
Clarification required whether the live selfie used to verify liveliness and/or biometrics is required to be stored, as storing the live selfie may be opposed to GDPR.
Regarding
4.6.2 Outsourcing of CDD
58. c) ensure that the outsourcing provider request the agreement of the financial sector operators on any proposed changes of the remote customer onboarding process or any modification made to the solution provided by the outsourcing provider.
The solutions provided by outsourcing providers are usually used by other associates of the provider that require similar services (such as points of entry in a country or governmental authorities) as well. Requesting the agreement of the financial sector operators may cause disturbance in the providers business and the providers will not be willing to contractually bind to this. We propose the replacement of ‘request the agreement of the financial sector operators’ to ‘inform the financial sector operators’.