RegTech Know-How Series #3
The draft guidelines aim to create harmonised EU standards to be implemented by financial industry professionals to ensure that remote onboarding processes are safe and effective. They are technology neutral and emphasise that digital onboarding processes can either create or mitigate risks depending on their implementation.
They include (1) internal governance requirements, (2) conditions that remote customer onboarding processes should meet and (3) specific requirements for relying on third parties as well as managing ICT and security risks.
We look at the key points for financial industry professionals to be aware of.
Related article: our previous contribution on Remote customer identification for Luxembourg-regulated companies: how and why?
The EBA has included a section in the draft guidelines about internal governance arrangements, which it has identified as an important source of risk. Financial industry professionals will need to:
Create policies and procedures specific to remote onboarding: These will need to describe when and how remote onboarding solutions are used, with a list of minimum elements that must be covered (e.g., detailing cases in which a remote onboarding solution is adapted; describing the functioning of solutions to be used; listing required information and admissible documentation; etc.).
Tip: Creating specific policies should ultimately give entities more control over which remote onboarding solutions to implement and how – especially when using outsourcing provider solutions, which will need to be flexible enough to incorporate the policy/procedure requirements.
Conduct and document pre-implementation assessments and ongoing controls: These should enable financial industry professionals to evaluate the adequacy and risk impact of remote onboarding processes. Pre-implementation assessments include, amongst others, end-to-end solution testing and fraud risk tests, whilst ongoing controls may include both ad hoc checks (e.g., sample testing, manual reviews) and the set-up of automated functions (e.g., automated alerts/notifications, regulated automated quality reports).
Tip: According to the draft guidelines, in addition to performing assessments and controls, the remote onboarding process should be adaptable: it must be able to evolve with any changes in the regulatory framework or risk level. This is also helpful so that any mitigating remedial measures can smoothly be integrated if risks/deficiencies are detected.
Remote customer onboarding should reliably establish the customer’s identity, by:
- acquiring information about their identity (directly from the customer, through automatic capture in documentation provided, or through other sources), and
- carrying out authenticity checks to make sure that the person is indeed who they claim to be.
The EBA draft guidelines do not list the information to be acquired and checked, but set out general conditions that the process should comply with:
Acquiring information about the customer: Conditions for acquiring information remotely are detailed, including (amongst other criteria as detailed further in the guidelines*) ensuring that current and appropriate information is obtained and that any images, videos, sounds, and data collected are readable and of sufficient quality. Another condition is to ensure the reliability of the information, especially if it is retrieved automatically, due to the specific risks involved (e.g., IP address spoofing, VPNs). A digital identity issuer can also be used for this stage of the process.
*Specific criteria are also detailed for identifying legal entities through remote onboarding.
The draft guidelines also focus on how the information is stored: it should always remain available to the company in a readable format for subsequent checks. This notably applies to all digital information captured as part of the remote onboarding process, including stored records (e.g., pictures, videos) and time-stamped identification proofs.
Verifying the authenticity and integrity of documents: When copies, photos, or scans of original documents are provided, steps should be taken to determine their reliability. The draft guidelines provide examples of what can be done (e.g., checking whether embedded security features are reproduced, ensuring sufficient quality of the copy, using OCR/MRZ tools, etc.).
Authenticity checks: Is the person who she/he claims to be? The draft guidelines establish the ground rule that authenticity checks should be performed without imposing a specific technology for doing so. For onboarding natural persons*, this includes comparing photographs/videos to a picture in provided documentation, implementing liveliness detection procedures, or using live video conference tools to verify the identity of the customer.
*The draft guidelines also include specific requirements relating to authenticity checks for legal entities (e.g., using independent sources such as public registers to verify information).
The draft guidelines also specify conditions to ensure the reliability of checks (e.g., sufficient quality of images/audio; strong and reliable algorithms; ensuring that any biometric data collected is sufficiently unique, etc.).
Additionally, in higher-risk AML/CFT situations:
- Liveliness detection verifications are mandatory,
- One or more of the following controls should be used:
  - drawing a first payment on an account in the name of the customer with an EEA-regulated financial institution;
  - OTP verification;
  - using biometric data;
  - telephone contacts with the customer; or
  - direct electronic/postal mailing to the customer.
Good to know – on the use of digital identities:
As an exception to the above, step 3 (authenticity checks) is not required if companies identify and verify the customer using digital identity issuers that are either (1) qualified trust services under eIDAS or (2) regulated, recognised, approved, or accepted by the relevant national authorities.
In addition, the EBA has opted to allow the use of other digital identity issuers if they meet certain conditions and undergo an appropriate assessment. Although authenticity checks still need to be carried out, this gives flexibility to financial sector operators to use a wider range of digital identity issuers for step 1 (acquiring information about the customer’s identity), assessing themselves whether the issuer is reliable on a risk-based approach.
The draft guidelines do not reinvent the wheel and should be read in conjunction with the existing EBA Guidelines on outsourcing arrangements and EBA Guidelines on ICT and security risk management, but they do give insight about certain risks specific to remote onboarding:
Outsourcing / third parties:
The EBA recalls that in the context of remote onboarding, sub-contractors can be used in two ways: third parties can support the performance of due diligence on the client itself, or all or part of the remote onboarding process can be outsourced.
In the latter scenario (outsourcing), the draft guidelines focus on two core risks:
1. Retention of sufficient control by the financial industry professional: ensuring that its remote onboarding policies and procedures are effectively implemented by the outsourcing provider (through ongoing reporting and monitoring, on-site visits, or sample testing) and that any changes to the solution provided by the outsourcing provider are subject to the financial industry professional’s agreement.
2. Storage of customer data: All customer data collected should be stored in accordance with the requirements of the GDPR (General Data Protection Regulation) and appropriate security measures.
ICT and security risk management: specific risks addressed notably include ensuring the security of communication channels with the customer and providing a secure access point to start the remote onboarding process.
Finologee provides a secure hosted KYC process management and customer lifecycle platform that has been designed with a Luxembourg regulation compliance focus and enables financial industry professionals to rely on this tool without having to implement their own framework and IT systems. Here are some of the highlights of KYC Manager with regards to digital onboarding and the new guidelines:
– Internal governance: Finologee’s KYC Manager platform can be configured to meet your company’s needs and create a customised onboarding process for your customers. With KYC Manager, you can offer your clients and teams modern, tailor-made and efficient options that meet your internal requirements and also provide the possibility to carry out effective ongoing controls and monitoring.
– Conditions that must be met by the remote onboarding solution: KYC Manager enables you to collect information, verify documents and perform authenticity checks through a centralised, robust platform with detailed audit logs and data storage. The platform already integrates most requirements of the draft guidelines along with state-of-the-art identification and verification technology (e.g., MRZ/OCR reading; liveliness checks; OTP verification; etc., also with the help of a selection of premium third-party providers), thus providing a “tick the box” approach to compliance.
– Outsourcing and ICT/security risk management: Finologee, as a regulated Luxembourg ‘Support PFS’ (Professional of the Financial Sector) and ISO 27001 certified provider, can provide you with an outsourcing service setup specifically designed and optimised for Luxembourg-regulated entities, relying on a platform implementing a market-leading security framework.
The public consultation on the new draft guidelines on remote customer onboarding ends on 10 March 2022, with final guidelines typically published in the following months.
Please get in touch with our team if you would like additional information about how Finologee’s KYC Manager product can help meet the EBA draft guidelines obligations, or a product demo: firstname.lastname@example.org – (+352) 27 75 08-1 or contact us on http://www.finologee.com.