New EU standards on the development and implementation of processes in a remote customer onboarding context

Luxembourg

On 22 November 2022, EBA released guidelines on the use of remote customer onboarding solutions in relation to notably Article 13(1) of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (“AMLD”) (the “Guidelines”).

The Guidelines, which apply to all credit and financial institutions (the “Entities”) that are within the scope of AMLD, set common EU standards on the development and implementation of sound, risk-sensitive, initial customer due diligence processes in a remote customer onboarding context. The Guidelines supplement other guidelines on AML topics.

They provide details (i) on the content to be added to the Entities’ policies and procedures regarding remote customer onboarding and (ii) more generally on the customer due diligence to be performed in this respect.

Before implementing a remote customer onboarding solution, the Entities carry out a pre-implementation assessment that they have defined in their policies and procedures, including the scope, steps and record keeping requirements in the context of the remote customer onboarding solution. The management body of the Entities approves remote customer onboarding policies and procedures and oversees their correct implementation. The Entities should also monitor the remote customer onboarding solution on an ongoing basis and supplement their policies and procedures with the elements described in the Guidelines, notably the review of the process, the remedial measures taken in response to a risk or an error, and the adequacy and reliability of the remote customer onboarding solution. The Entities should be able to demonstrate to their competent authority (i) which assessments they carried out before implementation of the remote customer onboarding solution, the outcome of those assessments and how its use is appropriate in light of the money laundering / terrorist financing risks identified for the types of customer(s), service(s), geographies and product(s) in its scope, and (ii) the remedial steps they have taken to rectify any shortcomings identified throughout the lifetime of the remote customer onboarding solution.

In addition, the Entities supplement their policies and procedures with the adequate and up-to-date information needed to identify the customer in the remote customer onboarding solution. The Guidelines define (i) the characteristics of such information for natural persons and for legal entities, and (ii) the conditions of its storage. The Guidelines also set forth the points on which the Entities must focus (i) concerning the authenticity and integrity of the identification documents presented by the customer during remote customer onboarding and (ii) the matching of the customer’s identity as part of the verification process.

The Entities include in their policies and procedures specifications setting out which remote customer onboarding functions and activities will be carried out or performed by (i) them, (ii) third parties or (iii) another outsourced service provider.

When relying on third parties, the Entities may use electronic identification schemes and relevant qualified trust services as provided for under Regulation (EU) 910/2014 (“eIDAS Regulation”) to the extent that they meet the criteria set in AMLD. They must verify that the third party’s own CDD remote customer onboarding processes and procedures, and the information and data they collect in this context, are sufficient and consistent with the requirements laid down in the Guidelines. They must furthermore verify that the outsourced service provider effectively implements and complies with the Entities’ remote customer onboarding policies and procedures, carries out the required assessments, informs the Entities of any change made to the solution provided by the outsourced service provider, and stores the documents (including photographs and videos) in line with a clearly defined retention period and with protected access.

The Entities identify and manage the ICT and security risks related to the use of the remote customer onboarding process, including where they rely on third parties or where the service is outsourced, including to group entities. They use secured communication channels to interact with the customer during the remote customer onboarding process, including secure protocols and cryptographic algorithms. They provide a secure access point for starting the remote customer onboarding process, based on qualified certificates for electronic seals as set out under the eIDAS Regulation, and more generally a secure environment for such a relationship. Their policies and procedures contain mitigating measures, in particular regarding the risk of impersonation fraud.

Finally, the Guidelines remind the Entities that they may use relevant trust services and electronic identification processes regulated, recognised, approved or accepted by the relevant national authorities, as referred to in Article 13(1) point (a) of AMLD, to comply with the Guidelines. However, they have to assess and mitigate the risks linked to the use of such solutions, such as the risks involved in authentication (impersonation fraud, and lost, stolen, suspended, revoked or expired identity evidence).

The Guidelines will enter into force 6 months after their publication in all EU official languages.

Should you have any questions on the above, please do not hesitate to contact one of the experts in our regulatory team.