Question ID: 2021_5730
Legal act: Directive (EU) 2015/849 (AMLD)
Topic: Customer Due Diligence
Article: 13
Paragraph: 1
Subparagraph: a
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Not applicable
Article/Paragraph: Not applicable
Type of submitter: Competent authority
Subject matter: Electronic Identification Process

Question

Please can you clarify the interpretation under Article 13(1)(a) of Directive (EU) 2015/849 (AMLD), in relation to the ability of obliged entities to incorporate innovative solutions and/or electronic tools (such as dynamic selfie verification, biometric tools etc.) into their operations, in the context of performing Customer Due Diligence measures.

Background on the question

RELEVANT PROVISIONS OF THE AMLD5

Article 13(1)(a) of EU Directive 2018/843 (“AMLD5”) provides that:

“Customer due diligence measures shall comprise: (a) identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities;”

Furthermore, Recital 22 of AMLD5 provides that:

“Accurate identification and verification of data of natural and legal persons are essential for fighting money laundering or terrorist financing. The latest technical developments in the digitalisation of transactions and payments enable a secure remote or electronic identification. Those means of identification as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council (1) should be taken into account, in particular with regard to notified electronic identification schemes and ways of ensuring cross-border legal recognition, which offer high level secure tools and provide a benchmark against which the identification methods set up at national level may be checked. In addition, other secure remote or electronic identification processes, regulated, recognised, approved or accepted at national level by the national competent authority may be taken into account. Where appropriate, the recognition of electronic documents and trust services as set out in Regulation (EU) No 910/2014 should also be taken into account in the identification process. The principle of technology neutrality should be taken into account in the application of this Directive.”

DIFFERENT READINGS OF ARTICLE 13(1)(A) OF THE AMLD5

At national level, there are different readings of the content of Article 13(1)(a) amongst interested parties, including amongst the respective AML National Competent Authorities (“AML NCAs”), in relation to the ability of obliged entities to incorporate innovative solutions and/or electronic tools (such as dynamic selfie verification, biometric tools etc.) into their operations, in the context of performing Customer Due Diligence measures. It is clarified that the basis of the following readings is solely the EU Law and does not take into account whether Member States have incorporated provisions other than the ones provided for in AMLD5 per se, in transposing AMLD5.

READING 1:

According to this reading obliged entities are able to use such electronic identification solutions only where such electronic solutions are regulated, recognized, approved or accepted by a bespoke national authority, other than the AML NCAs.

READING 2:

According to this reading, obliged entities may use such electronic identification solutions only where such electronic solutions are regulated, recognized, approved or accepted by the respective AML NCAs. The understanding that the responsible competent authority referred to in Article 13(1)(a) is the national competent authority responsible for the AML supervision per obliged entity stems from the content of recital 22 of the AMLD5 and particularly from the reference to “secure remote or electronic identification processes, regulated, recognized, approved or accepted at national level by the national competent authority may be taken into account” (emphasis in the original), in conjunction with the absence of a definition or any other reference in AMLD5 to a different national authority responsible for the regulation, recognition, approval or acceptance of such electronic identification processes.

READING 3:

READING 3.1 – ABILITY OF OBLIGED ENTITIES TO USE INNOVATIVE SOLUTIONS IN ACCORDANCE WITH THEIR OWN RISK ASSESSMENT:

According to this reading, the reference to: “any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities”, in Article 13(1)(a) of the AMLD5, is in relation to additional alternative methods of electronic verification and identification, which are regulated, recognized, approved or accepted by the relevant national authorities (where such regulation, recognition, approval or acceptance by a national authority exists in the respective Member State) and does not prevent obliged entities from using other innovative/electronic solutions for the performance of client due diligence measures, including identifying the customer and verifying the customer’s identity, on a risk basis on their own responsibility, in accordance with their risk assessment; and which (the electronic identification and verification solutions) are not regulated, recognized, approved or accepted by any national authority.

The aforesaid reading stems from the following:

  1. The ability of obliged entities to use such innovative solutions in line with their risk assessment, and that such innovative solutions may form an alternative source of independent and reliable sources of data and/or information, was corroborated by the ESAs Opinion on the Use of Innovative Solutions by Credit and Financial Institutions in the Customer Due Diligence Process (JC 2017 81), issued on 23 January 2018. The relevant regulatory framework at the time, underpinning the said ESAs Opinion, was Directive (EU) 2015/849 (“AMLD4”). According to the ESAs Opinion such solutions may be considered as an alternative source of data and information. Specifically, Paragraph 10 of the ESAs Opinion states the following:

“EU law does not specify what ‘reliable and independent sources’ are. This means that, to the extent permitted by national legislation, firms have some flexibility regarding the sources of information they use to meet their CDD obligations. For example, while official documents such as passports (for natural persons) or certificates of incorporation (for legal persons) are largely relied upon by firms to verify their customers’ identity, EU law does not prevent the verification of the customer’s identity on the basis of alternative reliable and independent documents, data and information, as long as firms can demonstrate to their competent authority that the use of particular sources is commensurate with the ML/TF risks presented by the underlying business relationship.”

  2. The reference to “any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities;” was incorporated in Article 13(1)(a) by virtue of the AMLD5, whilst under AMLD4 (which was the basis underpinning the ESAs Opinion), Article 13(1)(a) was merely reading as follows: “Customer due diligence measures shall comprise: (a) identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;”

In our view the addition in Article 13(1)(a) under AMLD5, shall be read in conjunction with the previous sentence, namely that “Customer due diligence measures shall comprise: (a) identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities;” (emphasis in the original).

This means that such other secure, remote or electronic identification processes regulated, recognised, approved or accepted by the relevant national authorities are included in the possible data sources of independent and reliable nature and may be used where they are available, but obliged entities are in no way prevented from using other innovative solutions that are not regulated, recognized, approved or accepted by relevant national authorities, in accordance with their own risk assessment.

For the avoidance of doubt, we would like to note that we consider that:

  1. Such innovative/electronic tools (e.g. dynamic selfie verification, biometric verification tools etc.) shall be viewed as sources of data and information and obliged entities must inter alia ensure that they are reliable and independent, as per article 13(1)(a) of the AMLD5; and
  2. The use of such innovative solutions must be subject to a risk assessment undertaken by the obliged entity in question and such risk assessment must inter alia take into account the ESAs Opinion and the FATF Guidance on Digital Identity.

READING 3.2 – WHICH ARE THE RELEVANT NATIONAL AUTHORITIES, FOR REGULATING, RECOGNIZING, APPROVING, OR ACCEPTING, THE (ALTERNATIVE) ELECTRONIC IDENTIFICATION PROCESSES:

Where such electronic identification processes that are regulated, recognized, approved or accepted by relevant national authorities exist, such relevant national authorities may in our view be either:

  1. The national competent authority responsible for the AML supervision per respective obliged entity; or
  2. A different bespoke national authority mandated to regulate, recognize, approve or accept such electronic identification processes (if such Authority exists at national level).

This understanding stems from the content of recital 22 of the AMLD5 and particularly from the reference that: “secure remote or electronic identification processes, regulated, recognized, approved or accepted at national level by the national competent authority may be taken into account” (emphasis in the original), in conjunction with the absence of a definition or any other reference in the recitals to a different national authority responsible specifically for the regulation, recognition, approval or acceptance of such electronic identification processes. This in our view indicates that Member States are not prevented from assigning such responsibility to the respective AML NCAs if they so choose. However, the more general reference to relevant national authorities instead of national competent authority, in Article 13(1)(a), provides in our view also the ground for assigning such responsibility to a different bespoke national authority, if a Member State decides to do so.

Submission date: 09/02/2021
Status: Question under review
Answer prepared by: the EBA
