Response to consultation on draft Guidelines on the use of remote customer onboarding solutions
Go back
d) the types of documents admissible to identify and verify customer: Will the process rely solely on primary documentation? What other documentation can be allowed? Would this vary by jurisdiction?
e) information and manner on which information needed to identify customer: How would this information be retrieved and updated? Real time as well as batch?
f) the level of human intervention required in the remote verification process: Is the aim to increase STP/reduce UIRs as much as possible?
Under 4.1.4 Ongoing monitoring of the remote customer onboarding solution
a) references “accuracy and adequacy of data collected during the remote customer onboarding process”: Potentially means that solution providers like Encompass will need to provide documentation as to how data is collected and validated.
30b) references information regarding beneficial owners in accordance with provision 4.12 of the EBA Risk Factor guidelines: Need to validate how BO information is collected and is consistent with non-remote customer onboarding methods
41) references “financial sector operators should verify the identity……through a reliable and independent source of information such as public registers, where available”: What if no public register for that jurisdiction is available or that access is restricted? Can other commercial registers be referenced? What if there are inconsistencies between public and commercial registers?
General comment – while the outsourcing provider will attempt to reference external data sources as part of the contractor agreement, in instances where access to external data sources is not consistent or governed by different data privacy rules, what are the implications? Example where outsourcing provider is based in India vs EU
1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
N/A2. Do you have any comments on Guideline 4.1 ‘Internal policies and procedures’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Under 4.1.1 Policies and procedures relating to remote customer onboardingd) the types of documents admissible to identify and verify customer: Will the process rely solely on primary documentation? What other documentation can be allowed? Would this vary by jurisdiction?
e) information and manner on which information needed to identify customer: How would this information be retrieved and updated? Real time as well as batch?
f) the level of human intervention required in the remote verification process: Is the aim to increase STP/reduce UIRs as much as possible?
Under 4.1.4 Ongoing monitoring of the remote customer onboarding solution
a) references “accuracy and adequacy of data collected during the remote customer onboarding process”: Potentially means that solution providers like Encompass will need to provide documentation as to how data is collected and validated.
3. Do you have any comments on the Guideline 4.2 ‘Acquisition of Information’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Under 4.2.3 Identifying legal entities30b) references information regarding beneficial owners in accordance with provision 4.12 of the EBA Risk Factor guidelines: Need to validate how BO information is collected and is consistent with non-remote customer onboarding methods
4. Do you have any comments on the Guideline 4.3 ‘Document Authenticity & Integrity’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
N/A5. Do you have any comments on the Guideline 4.4 ‘Authenticity Checks’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Under 4.4 Authenticity checks41) references “financial sector operators should verify the identity……through a reliable and independent source of information such as public registers, where available”: What if no public register for that jurisdiction is available or that access is restricted? Can other commercial registers be referenced? What if there are inconsistencies between public and commercial registers?
6. Do you have any comments on the Guideline 4.5 ‘Digital Identities’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
N/A7. Do you have any comments on the Guideline 4.6 ‘Reliance on third parties and outsourcing’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Under 4.6.2 Outsourcing of CDDGeneral comment – while the outsourcing provider will attempt to reference external data sources as part of the contractor agreement, in instances where access to external data sources is not consistent or governed by different data privacy rules, what are the implications? Example where outsourcing provider is based in India vs EU