Response to consultation on draft Guidelines on the use of remote customer onboarding solutions

1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

Subject matter and scope
• Besides the initial CDD for customer onboarding, there may be other instances as well where the use of remote channels could come into question (e.g., customer requests additional products or services). In our view, further clarification would be needed as to whether the Guidelines are intended to cover only the initial customer onboarding or such other instances, as well.
• The second subparagraph of Art 13(1) requires that obliged entities shall also verify that any person purporting to act on behalf of the customer is so authorised and identify and verify the identity of that person. In our view, further clarification would be needed as to whether the Guidelines could or should apply also when financial sector operators carry out CDD measures on the representative of a customer (whether the customer is a natural person or a legal entity).

Definitions
• Definition of “Digital Identity” speaks of “user” instead of “customer” which is the term used in definition of “Digital Identity Issuer”. In our view, the language used in the proposed definitions should be harmonised.
• “Impersonation Fraud Risk” is defined as the risk that the customer uses another person’s (natural or legal) details without the consent or knowledge of the person whose identity is being used. Here we would like to point out that, besides the customer, another person’s details may be illegitimately used by, for example, the customer’s representative or another third party. Hence, we propose changing the word “the customer” to “a person”.

2. Do you have any comments on Guideline 4.1 ‘Internal policies and procedures’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• Remote customer onboarding should be governed by clear policies and procedures to be able to follow the guidelines and to allow flexibility when carrying out remote onboarding.
• However, the detailed requirements proposed in Guideline 4.1 would be burdensome to implement and, possibly, overlap or interfere with the existing national regulations. In combination, these factors might hamper the adoption and use of remote onboarding which would undermine the objectives of the Guideline.
• As an example, in accordance with paragraph 12 “the AML/CFT compliance officer should, as part of their general duty to prepare policies and procedures to comply with the CDD requirements, prepare remote customer onboarding policies and procedures and ensure that those remote customer onboarding policies and procedures are implemented effectively, reviewed regularly and amended where necessary.” While it is clear that all these tasks should be faithfully executed, we do not find it necessary that they should all be the responsibility of the AML/CFT compliance officer only.

3. Do you have any comments on the Guideline 4.2 ‘Acquisition of Information’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• As stated in the Summary, the Commission is of the view that the CDD rules in Directive (EU) 2015/849 do not provide sufficient clarity and convergence about what is, and what is not, allowed in a remote and digital context and has therefore asked the EBA to issue guidelines. In our view, to meet this objective the Guideline should be more specific and detailed in regard to types of acceptable innovative technologies and acceptable forms of digital documentation. We certainly believe that all financial sector operators would welcome and benefit from clearer guidance on what is acceptable and not acceptable when onboarding a customer remotely.
• Paragraph 26 would appear to require that all pictures, videos, and other identification proofs collected during the remote identification process would have to be stored securely. We would like to point out that Member States may have different requirements in terms of collecting and keeping of CDD information. Therefore, the Guideline should allow more discretion for the financial sector operators to determine which information they consider necessary to keep in case the national legislation does not set binding record keeping requirements.
• Regarding paragraph 31, we would like to point out that a natural person can have a representative, as well. Paragraphs 27 and 28 would seem to apply only to natural persons when they are customers but not if they are acting on behalf of another customer (be it a natural person or legal entity). In this regard clarification would be highly useful.

4. Do you have any comments on the Guideline 4.3 ‘Document Authenticity & Integrity’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• According to paragraph 33, “[financial sector operators] should take steps to have sufficient assurance as to the reliability of the copy provided. This may include verifying […].” Here, we would propose replacing the word “verifying” with, for example, “ensuring”, “examining” or “reviewing” to make sure that the requirement is not confused with the verification obligation under the AML/CFT legislation which might lead to additional requirements for the financial sector operators.
• As regards paragraph 33.a, clarification would be needed for situations where the document cannot be compared to official databases because such databases do not exist.
• As regards paragraph 33.b, the document may include personal or privileged information that is not necessary for the CDD purposes and should not be stored or otherwise processed due to data protection requirements. Therefore, it should be allowed to hide a part of the document when the financial sector operator has justified grounds.

5. Do you have any comments on the Guideline 4.4 ‘Authenticity Checks’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• As regards paragraphs 38 and 41, we would like to point out that, as far as foreign nationals or foreign corporates are concerned, verifying the validity of official documents by checking against public registers is at best a problematic and often an outright impossible task for a private sector financial sector operator. Thus, that should not be set as a minimum requirement until there are appropriate EU registers, a network of interconnected national public registers, or a similar other EU-wide mechanism that would enable such validity verifications and would be available for financial sector operators.
• As regards paragraph 38(c), we would like to point out that there are national differences in the rules regarding assurance of representation (mandate or entitlement to act). In our view, assurance of any mandate or entitlement to act should follow the rules and common practices of the jurisdiction in question.
• Paragraph 39 concerns the use of biometric data, and we would welcome more technical guidance on how this should be done remotely.
• Paragraph 44.c mandates financial institutions to “develop an interview guide defining the subsequent steps of the remote verification process as well as the actions required from the employee” which “should include guidance on observing and identifying psychological factors or other features that might characterise suspicious behaviour during remote verification.” This adds to the already burdensome requirements both under this Guideline and those issued by national competent authorities. This burden is further aggravated by paragraph 44.b which mandates staff to be sufficiently trained on the same issues. Consequently, we wish that paragraph 44, including subparagraphs, could be redrafted in a way that would give financial sector operators more latitude to design, document, and implement their remote verification processes in a risk-sensitive manner.
• Moreover, in our view paragraph 45 introduces confusion with the proposed interview guide which requires randomness in the sequence of actions to be performed by the customer. If the intention is to mitigate possible conflicts of interest between the customer and the responsible employee, it should be noted that financial sector operators are already regulated in this regard. In any event, it would appear more proportionate and balanced to follow a risk-based approach and introduce mitigating measures for any specific areas where such risks have been identified.
• Regarding paragraph 46, in line with the risk-based approach and to allow financial sector operators the necessary flexibility, we believe the examples provided in the subparagraphs a to e should be regarded rather as examples of possible controls than a prescriptive menu of options to be followed notwithstanding technological developments, etc.

6. Do you have any comments on the Guideline 4.5 ‘Digital Identities’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• As regards the use of Digital Identities, we would like to point out that even with nationally acceptable Digital Identities, not all national competent authorities consider them as sufficient and, thus, require additional measures to be performed. Combined with the substantial requirements on policies and procedures proposed in these Guidelines, the overall impact on the availability and use of remote customer onboarding could be substantial.

7. Do you have any comments on the Guideline 4.6 ‘Reliance on third parties and outsourcing’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• In our view, the proposed Guideline would seem to further add on to the existing regulatory complexity as regards reliance on third parties and outsourcing.
• In particular, further clarification would be needed to understand why the use of digital identities should not be considered as outsourcing as set out in paragraph 60.

8. Do you have any comments on the Guideline 4.7 ‘ICT and security risk management’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• We fully agree that ICT and security risks are of utmost importance for remote customer onboarding. However, it should be noted that the possibility to provide a secure communication channel and a secure access point usually is only available when a customer is onboarded in a fully digital mode when they identify themselves with a reliable and verifiable digital identity.

Name of the organization

Finance Finland