Eurofinas, the voice of consumer credit providers at the European level welcomes the opportunity to respond to the European Banking Authority’s (EBA) Draft Guidelines on the use of remote customer onboarding solutions.
The pace of digital transformation and use of relevant remote solutions are continuously increasing and further accelerated by the COVID-19 pandemic and related restrictions and countermeasures enacted.
Eurofinas supports the work of the EBA in facilitating a consistent and coherent regulatory framework. It is essential to ensure a comprehensive understanding of the various issues that come into play with remote onboarding of customers, enabling a common, innovative as well as technology-neutral approach across the EU. With the ever-increasing pace of digitalisation of financial services and uptake of new and innovative tools, including for remote onboarding solutions, it is important for lenders to carry out their core activities in an efficient, secure, and adaptable way, ensuring the continuation of services as well as in providing for the desired customer journey. Whilst the Member States across Europe are at varying stages of digital maturity, consumer finance providers moved quickly in the wake of the Covid-19 pandemic to ensure the continuous availability of services and support to their customers, despite challenging restrictions that necessitated reliance on distance-based services.
In this context, we want to provide a few select remarks and comments to the proposed Guidelines which we hope can further clarify and strengthen the application of the draft Guidelines.
We remain at the disposal of the authority should any further questions arise. As a Federation, Eurofinas brings together associations throughout Europe that represent finance houses, universal banks, specialised banks and captive finance companies of car or equipment manufacturers. The products sold by Eurofinas members include all forms of consumer credit products such as personal loans, linked credit, credit cards and store cards. Consumer credit facilitates access to assets and services as diverse as cars, furniture, electronic appliances, education, etc. In 2020, the firms represented through Eurofinas members granted new consumer loans worth €279 billion through 49 million new consumer credit contracts.
We welcome both the set-out remit of the draft Guidelines as well as the possible broader utilisation as highlighted by the EBA. To ensure the broadest possible utilisation and clarity, we would recommend amending paragraph 38 of the proposed guidelines by further clarifying that they apply to both new customer acquisition as well as for ongoing monitoring.
38. Remote customer onboarding solutions, for new customer acquisition as well as for on-going monitoring, implemented by the financial sector operators should, as a minimum, allow them to verify the validity of official documents issued by a public authority as part of their remote verification process to ensure:
a) that the identity of the customer coincides with the person identified or previously identified, in cases of natural persons
b) that the legal entity has the right to conclude contracts and it is established in its respective jurisdiction;
c) the natural person that represents a legal entity is entitled to act on behalf of such entity.
Furthermore, in relation to paragraph 39, we believe it would be important to further clarify the concrete impact of the term “unequivocally”, and to clarify the relevant test/threshold in existing guidance, e.g. concerning false positive rates as found in ETSI TS 119 461 V1.1.1 – section 8.4.3 (Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects) or the UK GPG45 ID proofing guidance. In this context, and the same token, we also want to point to the connected situation outlined under paragraph 43(d) where algorithms are used to verify the relevant match.
In relation to paragraph 42, in the situation where the evidence provided is of insufficient quality resulting in ambiguity or uncertainty so that the performance of remote checks is affected, we would suggest deleting the requirement of an alternative verification “in the same physical location”, and to clarify that alternative solutions can be sought as an alternative, e.g. logging onto online banking to avoid having to go straight to face-to-face. Also, in some jurisdictions, video identification is considered to be face-to-face interaction, and too immediate revert to a physical face-to-face interaction could disincentivise a focus on advancing more advanced and innovative solutions which can provide a satisfactory outcome.
42. In situations where the evidence provided is of insufficient quality resulting in ambiguity or uncertainty so that the performance of remote checks is affected, the individual remote customer onboarding process should be discontinued and redirected, where possible, to a face-to-face verification, in the same physical location.
Furthermore, concerning paragraph 43 as well as a general comment, we would want to propose to clarify what official documents (with an incorporated picture) could entail, given the variations/understandings existing across the various jurisdictions, i.e. ID-cards, driving licenses, and passports, etc., as well as accounting for variations as for the issuer of ID documents accepted.
43. Where financial sector operators use photograph(s) as a mean to verify the identity of the customer by comparing it with a picture(s) incorporated in an official document, they should:
a) ensure that the photograph(s) and image of the document is taken under proper lighting conditions and that the required properties are captured with absolute clarity;
b) ensure that the photograph(s) is taken at the time the customer is performing the verification process. This may be achieved by using a dynamic photograph, multiple photo shots under different angles or another similar method;
c) perform liveness detection verifications, which may include procedures where a specific action from the customer to verify that he/she is present in the communication session or it can be based on the analysis of the received data and does not require an action by the customer;
d) in the absence of human verification, use strong and reliable algorithms to verify if the photograph(s) taken match with the pictures retrieved from the official document(s) belonging to the customer or representative.
In relation to the use of digital identifies, the draft Guidelines set out the level of assurance required based on Regulation (EU) No 910/2014. However, to assess whether to use a digital identity issuer other than relevant trust services in accordance with Regulation (EU) No 910/2014 or those regulated, recognised, approved or accepted by the relevant national authorities to verify and identify their customers, financial sector operators should assess them based on elements of technical specifications and procedures outlined in the Annex to Regulation (EU) 2015/150221. In this context, we want to raise the potential concern whether the Annex is up-to-date with the reality of the existing toolbox of today.