• Guideline 7, page 13, (Scope of application):
The current scope of the guidelines appears to be based on article 13 paragraph 1 under a, b, c of the Fifth anti-money laundering directive. However, the guidelines do not address the specific conditions under which remote onboarding can be applied to, where appropriate, obtaining information about the purpose and intended nature of the business relationship. It would be helpful if there were more in-depth guidance for all of the CDD requirements.
• Guideline 10, page 15, (Internal policies and procedures):
The previous point (regarding guideline 7) is also applicable here.
• Guideline 15 under e, page 16, (The pre-implementation assessment of the remote customer onboarding solution):
This guideline states that the pre-implementation assessment should include an ‘assessment of the level of adaptability of the solution(s) to any changes in legal or regulatory requirements’. It is unclear what is meant by the level of adaptability and how this may or should be measured.
• Guideline 25 under a, page 19, (Identifying the customer):
This guideline states that financial sector operators should ensure that the information obtained through a customer onboarding solution is up-to-date and adequate to meet the standards for initial customer due diligence. As there is already a necessity for information acquired in the onboarding process to be up-to-date, it could be elaborated what the distinctive or additional point of this guideline is.
• Guideline 25 under b, page 19, (Identifying the customer):
It is stated that any images, video, sound and data should be in a readable format. Could it be made clear whether this means digitally (machine-)readable or readable by a person?
• Guideline 25 under c, page 19, (Identifying the customer):
This guideline contains a reference to the GDPR with regard to data retention of images, video, sound and other data. It would be helpful if it were made more explicit under which circumstances certain data can be stored, under what conditions, and what the proper period of retention is, as this would greatly increase legal certainty for financial sector operators and customers.
• Guideline 26, page 19, (Identifying the customer):
The term ‘identification proofs’ is used; it is, however, unclear what this term entails. It would help if it were clearly described.
• Guideline 28, page 19, (Identifying natural persons):
It is specified that financial sector operators should have appropriate mechanisms in place to ensure the reliability of information such as location information. In practice, financial sector operators are in some cases dependent upon the information of other market operators or information that is linked to a device. This raises the question whether this guideline creates a legal obligation/requirement to receive, use and retain such information.
I. During the acquisition of information, the validation of authenticity and integrity, and the authenticity checks, it is crucial to validate the captured/provided data. One specific element must not be overlooked: data manipulation by deep fake and/or artificial intelligence. The same message is relevant when using digital identities. Many EU member states provide digital identities to their inhabitants using (remote) identification protocols that do not match modern technical security standards (e.g. data manipulation by deep fake, artificial intelligence and/or other techniques is possible). When using digital identities, it is crucial that the initial enrolment of the digital identity (and its subsequent use) is secure. The capturing technique must validate that the captured data is unaltered by deep fake injection, which would otherwise result in a ‘perfect’ manipulated document / photo / video stream. A potential mitigating solution is to add deep fake recognition and robust document authentication processes. Financial institutions should be made aware of this risk in the EBA guidelines.
• Guideline 35, page 19, (Document Authenticity & Integrity):
This guideline states that financial sector operators should make use of the chip on national identity cards if the customer’s own device allows this data to be collected. It lacks any description of the process and the conditions under which the chip should be used in conjunction with other proof that financial sector operators may collect and verify.
Secure remote customer onboarding (identification) is key to ensuring a secure financial sector. However, while we now see stronger guidance for initial customer onboarding, we think it is also crucial to focus on securing the authentication of existing clients, for instance the “re-enrolment” of existing customers and the (re-)enrolment of digital channels/authentication means.
To secure the financial sector, it is crucial to take all authentication / verification processes into account in order to limit the possibilities for fraud:
- Exclude the use of SMS in (transaction) authentication processes
- Ensure deep fake detection when capturing data
- Ensure that the enrolment of authentication means is secure, using non-phishable means
- Limit the services offered via less secure channels
• Guideline 51, page 19, (Identifying the customer):
Reference is made to strong authentication. Should financial sector operators assume that this is not the same definition as strong customer authentication as referred to in the Regulatory Technical Standards on strong customer authentication and secure communication under PSD2? Clarification is needed when a similar but slightly different definition is being introduced.
• Guideline 53, page 25, (Use of Digital Identities):
According to this guideline, the signed certificate should be used to sign the contract with the customer. Certificates can be used in a number of ways, and not all certificates are issued to be used by the customer to sign contracts. It could be clarified whether this certificate is intended to be a legally binding signature by the customer, or a technical signature to guarantee the integrity of the document.
Additionally, this guideline seems to add to the existing contract law and rules of evidence of the member states and to the eIDAS regulation. According to the draft guidelines, this requirement applies to “any contract”. It could be clarified whether this means it applies only when a remote customer onboarding results in a contract with the financial sector operator, or also to any subsequent contracts.