Response to consultation on draft Guidelines on the use of remote customer onboarding solutions
1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
1.1 Regarding subject matter, in accordance with art. 13 para. (1) let. a) of AMLD, the customer due diligence measure refers to identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities.
Also, the Guidelines seem to refer to 4 main hypotheses, namely the use of:
a. trust service providers regulated under Regulation (EU) No 910/2014
b. service providers regulated, recognised, approved or accepted by the relevant national authorities
c. digital identity providers, other than the ones from point 1 and 2, as long as AMLD allows it, meeting the requirements provided under point 50 of the Guidelines
d. solutions developed by the obliged entities themselves or by third parties for the use of a specific obliged entity (considered by the obliged entities to be commensurate with their AML/TF risk)
In this context, please confirm that the wording of art. 13 para. (1) let. a) of AMLD does not limit the scope of providers of electronic identification means to those officially recognized under Regulation (EU) No 910/2014 and those regulated, recognised, approved or accepted by the relevant national authorities, obliged entities being allowed to use other providers of digital identity, subject to the requirements as provided under point 50 of the Guidelines, or other methods of electronic identification that are commensurate with their AML/TF risk.
In such an instance, considering the national option available for the Member States to adopt or retain in force stricter provisions in the field covered by AMLD4 to prevent money laundering and terrorist financing (Article 5 of AMLD4), we consider that it is possible to implement, at national level, an approach by which all solutions used for remote customer onboarding are to be approved by the relevant national authority, with operation outside of the specific national regulatory framework not being permitted.
Also, we propose to add an explanation regarding the above-mentioned hypotheses in the section Subject matter.
1.2 Please clarify if the Guidelines envisage any identification techniques other than video.
1.3 Regarding scope of application, please confirm that, while the Guidelines only cover standard CDD, when the specific situation requires, enhanced measures would be also applied, in accordance with the Guidelines on the risk factors and add a corresponding explanation after guideline 7.
1.4 Please confirm that digital identities relate only to customers. Remote identification of the BO does not require a digital identity.
1.5 While the scope of the Guidelines covers all financial sector operators, it is possible that some of the references to other Guidelines limit the general scope (e.g. the reference from point 13 to EBA Guidelines on Internal Governance and from 15 let. d) to EBA Guidelines on ICT and security risk management).
2. Do you have any comments on Guideline 4.1 ‘Internal policies and procedures’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
2.1 In order to facilitate the application, the internal policies and procedures section should include all the guidelines related to this matter (i.e. guideline 29).
Furthermore, the technical requirements for the electronic identification solution (that are, in principle, in the competence of the authority that licenses the solution) should be provided separately from the requirements imposed for AML purposes on obliged entities, which are in the competence of the AML authorities (i.e. internal procedure, governance, the assessment of the adequacy of the solution for the obliged entity that uses it). The Guidelines should be structured accordingly.
2.2 Regarding guideline 10, the policies and procedures relating to remote customer onboarding should cover all customer due diligence applicable when onboarding a client, including measures related to the beneficial owner, especially since the guidelines also apply to the onboarding of legal persons. Therefore, the correct reference is to art. 13(1) points (a) to (c) of Directive (EU) 2015/849, instead of (a) and (c), correlated with the Scope of application of the proposed Guidelines, with guideline 20 point a) and 30 point b).
10. Financial sector operators should put in place and maintain policies and procedures to comply with their obligations under Art 13(1) points (a) to (c) of Directive (EU) 2015/849 in situations where the customer is onboarded remotely. These policies and procedures should set out at least:...
Guideline 13 states that "In line with the EBA Guidelines on Internal Governance, the management body of the financial sector operator should approve remote customer onboarding policies and procedures, and oversee the correct implementation of those remote customer onboarding policies and procedures."
Since Guidelines EBA/GL/2017/11 on internal governance under Directive 2013/36/EU apply to credit institutions and investment firms and Guidelines EIOPA/BoS/14/253 on system of governance apply to insurance and reinsurance undertakings, there are other financial institutions like payment institutions, electronic money institutions and creditors regulated at national level that remain out of the scope of this particular guideline.
Thus, the text should be redrafted as follows: Without prejudice to EBA Guidelines on Internal Governance, the management body of the financial sector operator should approve remote customer onboarding policies and procedures, and oversee the correct implementation of those remote customer onboarding policies and procedures.
Guideline 16 should also cover other digital identities recognized by a national competent authority, similar to Guideline 47.
Financial sector operators should consider the assessment criteria in paragraph 15 to be appropriately met to the extent that the solution includes qualified trust services in accordance with Regulation (EU) 910/2014 or to any other digital identity issuer regulated, recognised, approved or accepted by the relevant national authorities as referred to in Article 13(1)(a) of Directive (EU) 2015/849, paragraphs 38 to 45 should not be applied.
3. Do you have any comments on the Guideline 4.2 ‘Acquisition of Information’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
25. Where financial sector operators do not resort to digital identity issuers to identify the customer, as set out in Section 4.5 of these Guidelines, they should ensure that:...
A correction is needed in guideline 25 to make reference to Section 4.5 of the present Guidelines that addresses the use of Digital Identities, while section 4.6 comprises reliance on third parties and outsourcing.
5. Do you have any comments on the Guideline 4.4 ‘Authenticity Checks’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Guideline 42 says that, where the evidence provided does not suffice, the individual remote customer should be redirected to a face-to-face verification, "in the same physical location". We suggest deleting "the same", since the main advantage of remote customer onboarding for most clients is to avoid a visit to a physical location and to make the onboarding available from home, or from the premises of a potential customer that is a legal entity, for reasons related to time saving. Hence, we consider that the best way forward is to keep the last part of the guideline as "in a physical location".
42. In situations where the evidence provided is of insufficient quality resulting in ambiguity or uncertainty so that the performance of remote checks is affected, the individual remote customer onboarding process should be discontinued and redirected, where possible, to a face-to-face verification, in a physical location.
7. Do you have any comments on the Guideline 4.6 ‘Reliance on third parties and outsourcing’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Guideline 56 let. b) states that:
56. Where financial sector operators rely on third parties in accordance with Chapter II, Section 4 of Directive (EU) 2015/849 to meet the initial CDD requirements, they should in addition to the EBA Risk Factor Guidelines, in particular to guidelines 2.20 to 2.21 and 4.32 and 4.37 of those Guidelines, apply the following criteria: ...
b) ensure the continuity of the business relationships established between the customer and the financial sector operator to guard against events that might reveal shortcomings on the remote customer onboarding process carried out by the third party.
Further clarification is needed.