[4.3 - 33e]
“where applicable, that the picture of the customer embedded in the document was not replaced.”
The guidelines of the Dutch government state that the user may cover the (personal) photo when sharing his or her identity document. This means that this obligation cannot be met. What is the EBA's opinion on this, and does the requirement conflict with the GDPR?
In general, the VBIN believes that a proper alignment and more clarity around the application of the GDPR should be included in the guidelines.
[4.3 - 35]
“In situations where the customer’s own device allows the collection of relevant data, for example the data contained in the chip of a national identity card, financial sector operators should use this information to verify the consistency with other sources, such as the submitted data and other submitted documents”
This should be optional and depend on the assessment of the overall risk of the solution used. It should not be stated as an obligation.
[4.4 - 42]
“In situations where the evidence provided is of insufficient quality resulting in ambiguity or uncertainty so that the performance of remote checks is affected, the individual remote customer onboarding process should be discontinued and redirected, where possible, to a face-to-face verification, in the same physical location.”
Payment institutions do not have a local network of service offices or other possibilities to perform physical face-to-face verification at the same physical location.
Also, the impact of creating additional fallback solutions is too large. This should be part of the risk appetite of the PSP. Stopping the customer onboarding process at that point is sufficient. The wording “where possible” is too obligatory.