The EBA Guidelines on Remote Customer Onboarding Solutions
On the 12th of October 2023, the Cyprus Securities and Exchange Commission (CySEC) issued Circular C601 to inform regulated entities that the European Banking Authority (EBA) had published the Guidelines on Remote Customer Onboarding Solutions. Comprising 7 Guidelines, the report focuses on the remote verification measures that credit and financial institutions should consider when onboarding a new customer in order to mitigate ML/TF risks. The EBA Guidelines apply from the 2nd of October 2023 and have been adopted by CySEC pursuant to the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (AML/CFT Law).
In this article, the SALVUS Regulatory Compliance team offers a detailed and in-depth analysis of the key Guidelines on remote customer onboarding solutions, exploring the important aspects surrounding it. Further, the article focuses on the following:
1. Basic elements of remote customer onboarding
2. Internal policies and procedures
3. Document authenticity and integrity
4. Reliance on third parties and outsourcing of CDD
5. How SALVUS can support your AML regulatory needs
1. Basic elements of remote customer onboarding
The EBA has a leading role in tackling the use of the EU’s financial system for Money Laundering and Terrorist Financing (ML/TF), and its mandate is to monitor and harmonise the relevant framework. For this reason, the guidelines it issues set common EU standards for the implementation of risk-sensitive arrangements. In the view of the EBA and the other European Supervisory Authorities (ESAs), some elements do not provide sufficient clarity about what is and what is not allowed in a remote and digital context. These elements include client identification and verification by remote customer onboarding solutions, reliance on Customer Due Diligence (CDD) processes, and governance, and more specifically:
- the acceptable types of innovative technologies for remote customer onboarding processes.
- the requirements that should be satisfied when using those innovative technologies, including supplemental measures if required.
- the acceptable forms of digital documentation used for remote customer onboarding.
- the acceptable circumstances to rely on information provided by third parties when using the remote solution for customer onboarding.
2. Internal policies and procedures
In order to adopt a new remote customer onboarding solution, credit and financial institutions should carry out a pre-implementation assessment to make sure it is adequate, reliable and accurate based on their procedures. Once the quality assurance testing has proven that the suggested solution is effective, institutions must have in place risk-sensitive procedures for better CDD and governance arrangements necessary to create an ongoing secure environment and ensure consistency.
Such procedures shall include a description of the remote onboarding process, its features and which steps require human intervention. The right controls should be in place to guarantee that a transaction can only happen if the required CDD measures have been applied. In addition, the institutions’ remote solution shall also be able to identify the risk factors:
- to be used by a business-wide risk assessment to establish eligibility of remote customer onboarding, and
- that come with the customer, product or service to determine the risk category they fall in.
Finally, to mitigate any risks, credit and financial institutions need to keep their staff informed and up to date about the induction process, the operation, the associated risks and policies of the remote customer onboarding solution by providing regular training programs.
Contact us at info@salvusfunds.com if you require guidance about your AML compliance obligations or information about our AML courses; we look forward to being of value.
3. Document authenticity and integrity
As a rule, the original documents shall be provided, but if only copies are available, then credit and financial institutions are obliged to examine the validity and reliability of the document by checking:
- whether the reproduction includes the security features embedded in the original document and whether the specifications of the original document being reproduced are valid and acceptable, in particular the type, size of characters and structure of the document, by comparing them with official databases such as the Public Register of Authentic identity and travel Documents Online (PRADO),
- whether personal data has been altered or otherwise tampered with or, where applicable, whether the picture of the customer embedded in the document has been replaced,
- whether the integrity of the algorithm used to generate the unique identification number of the original document holds, where the official document has been issued with a machine-readable zone (MRZ),
- whether the provided reproduction is of sufficient quality and definition to ensure that the relevant information is unambiguous,
- whether the reproduction provided was captured from a screen displaying a photograph or scan of the original identity document rather than from the document itself.
Where Optical Character Recognition (OCR) and Machine-Readable Zone (MRZ) verifications are being used, competent authorities shall certify that the information captured is accurate and consistent.
At the same time, if the official document is being used, then the institutions should check its authenticity by verifying the security features embedded in it, such as holograms. Furthermore, where unusual or weaker forms of documentation are submitted and accepted, credit and financial institutions should apply enhanced measures or human intervention to ensure there is no ML/TF risk associated with the business relationship.
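The MRZ integrity check mentioned above is the ICAO Doc 9303 check-digit algorithm (weighted 7-3-1 sum modulo 10) applied to each field and to the composite of the second MRZ line. The following is an added example, not code from the article or from the EBA, that validates the second line of a TD3 (passport) MRZ using the ICAO specimen document and a constructed tampered copy whose date of birth was altered:

```python
# Added example: ICAO 9303 check-digit verification for a TD3 MRZ second line.
from typing import Dict

WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """Map an MRZ character to its ICAO 9303 numeric value (A=10 ... Z=35, '<'=0)."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {c!r}")


def mrz_check_digit(field: str) -> int:
    """Weighted (7,3,1) sum of the field's character values, modulo 10."""
    return sum(mrz_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def validate_td3_line2(line: str) -> Dict[str, bool]:
    """Verify every check digit of a 44-character TD3 MRZ second line.

    Returns field name -> True if the printed check digit matches the recomputed one.
    """
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    fields = {
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "optional_data": (line[28:42], line[42]),
        # The composite digit covers positions 1-10, 14-20 and 22-43 (1-based).
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    result = {}
    for name, (value, digit) in fields.items():
        expected = str(mrz_check_digit(value))
        # ICAO allows '<' in place of '0' for an unused optional-data field.
        filler_ok = name == "optional_data" and digit == "<" and expected == "0"
        result[name] = digit == expected or filler_ok
    return result


def mrz_line2_is_valid(line: str) -> bool:
    return all(validate_td3_line2(line).values())


if __name__ == "__main__":
    # ICAO Doc 9303 specimen (fictional "Utopia" passport), second MRZ line.
    specimen = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
    print(validate_td3_line2(specimen))            # every field True
    # Constructed tampering: year of birth changed from 74 to 84.
    tampered = specimen[:13] + "840812" + specimen[19:]
    print(validate_td3_line2(tampered))            # birth_date and composite False
```

A failed check digit only proves the line is inconsistent with itself; a forger can recompute digits, so this test complements, rather than replaces, the security-feature and PRADO comparisons listed above.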
4. Reliance on third parties and outsourcing of CDD
Third-party outsourcing via automated systems shall follow the regulations in order to stay compliant and not jeopardise the regulated entities that use them. Of course, a non-face-to-face introduction entails more risks than a face-to-face one. However, to mitigate those risks, competent authorities shall:
- take the necessary steps to be satisfied that the third party’s own CDD remote customer onboarding processes, procedures and the information and data they collect in this context, are sufficient and consistent with requirements laid down in these Guidelines.
- ensure the continuity of the business relationships established between the customer and the credit and financial institution to guard against events that might reveal shortcomings on the remote customer onboarding process carried out by the third party.
If the customer onboarding process is fully remote and outsourced to a service provider, then further guidelines shall be applied. The credit and financial institutions shall ensure that the outsourced service provider is:
- in compliance with required procedures, which can be achieved through regular reporting, ongoing monitoring, onsite visits or sample testing.
- sufficiently equipped, established through assessments including the assessment of staff training, technology fitness and data governance of the provider.
- informing the institution of any changes or modifications regarding the remote customer onboarding process.
In cases where, during the remote onboarding process, the outsourced service provider stores customer data such as photographs, videos or documents, credit and financial institutions shall ensure that the provider is:
- collecting and storing only the required data for the stated retention period,
- limiting data access and registration, and
- implementing appropriate security measures for the stored data to be protected.
5. How can SALVUS support your AML regulatory needs?
The SALVUS Regulatory Compliance team has extensive expertise and can support regulated entities in achieving compliance, fulfilling their AML regulatory obligations, and establishing the appropriate internal policies and procedures regarding remote customer onboarding solutions. Through our Anti-Money Laundering Consulting service, our dedicated team can assist you by providing personnel training and establishing a detailed AML/CFT compliance program.
In addition, SALVUS Funds, in collaboration with the Institute for Professional Excellence (IforPE), offers a self-paced course entitled “A Complete Client Onboarding Procedure as per AML & MiFID”. This course ensures the delivery of valuable insights into the onboarding procedure a firm shall follow to ensure compliance with the MiFID II Assessment of Appropriateness and Product Governance requirements, the remote customer onboarding process, along with the Anti-Money Laundering (AML) Regulatory framework for the assessment and management of AML risks, as well as KYC and CDD procedures. Through participation in this program, professionals will acquire the expertise and capabilities needed to enforce practices that align with regulatory demands.
Further, this course can be of considerable value to Compliance Professionals, Board members, Senior Management personnel, lawyers and auditors who wish to cement their understanding of the topic. Last but not least, it grants 5 Continuous Professional Development (CPD) units counting towards the annual requirements of CySEC Advanced, Basic and AML certification holders.
Please contact us at info@salvusfunds.com if you require support with your AML regulatory compliance obligations or are interested in our “A Complete Client Onboarding Procedure as per AML & MiFID” with IforPE.
#StayAhead
Should you be interested in reading previously authored articles regarding Anti-Money Laundering, its compliance culture, and customer verification please visit the selected articles below:
- Decoding ML/TF Key Risks and Mitigation Measures in Payments
- AML Compliance Culture for CySEC Regulated Entities
- AML compliance for CySEC regulated entities
The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.