Remote customer identification for Luxembourg-regulated companies: how and why?
Over the past year, the AML/KYC regulatory framework applicable to the Luxembourg banking and insurance sector has been subject to notable evolutions.
First, global sanitary precautions have become the new norm, resulting in an increased resort to remote interaction. This has impacted not only the customer user experience but also companies’ internal processes, with the challenge of remote working and an increased need for dematerialisation. In this context, the CSSF called on regulated entities to “use financial technology (Fintech) to manage some of the CDD (Customer Due Diligence) issues presented by COVID-19”, in particular by using digital onboarding to “reduce the risk of spreading the virus” (CSSF Circular 20/740).
Second, new AML regulations were introduced during the summer of 2020 (CSSF Regulation No 20-05 and CAA Regulation 20/03), creating new obligations for the Luxembourg Financial industry but also new possibilities – including the use of remote customer onboarding.
The above developments have the potential to make the balance tip in favour of dematerialisation of AML processes, so this is a good opportunity to shine the spotlight on new possibilities relating to remote client identification and identity management.
Client identification is usually the first stage of customer onboarding. It is also a key part of the client relationship lifecycle management, with required periodic verifications and updates, as well as remediation campaigns. For many years, it was done by scheduling conventional in-person meetings. But the aforementioned legislative evolutions, coupled with social distancing requirements, could change the norm.
Regulated players in the financial industry were (and still are) required to gather identification information on all their customers using at least one valid, authentic official identification document. The CSSF Regulation 20-05 and CAA Regulation 20/03 provide further flexibility for doing so remotely.
Until now, setting up non-face-to-face identification processes was quite a challenging endeavour from a regulatory perspective. First, it created a presumption of higher risk, triggering Enhanced Due Diligence. The exception was if “certain safeguards, such as electronic signatures” existed. This formulation was rather vague when aiming for the legal certainty necessary for comfortably relying on remote identification methods. In 2018, the CSSF provided some guidance on the specific topic of video chat onboarding by publishing a detailed FAQ on the matter, but overall, resorting to remote identification remained complex.
The new regulations have introduced:
- For the first time, explicit and positive authorisation of “electronic identification means”.
- Clear guidance on permitted means*:
  - eIDAS trust services
  - “any other secure, remote or electronic, identification process regulated, recognised, approved or accepted by the relevant national authorities”.
* If an electronic identification process falls outside of these two options, it can still be used, but companies must take additional measures as there is a presumption of higher risk. These can notably be asking for additional identification data or requiring that the first payment of transactions is carried out via an account in the customer’s name with a financial institution subject to equivalent AML/CFT obligations.
In addition, fully automated onboarding – without any human verification of collected information – is now possible in cases of simplified due diligence (i.e. for low-risk-profile prospects) and under certain conditions (such as sufficient efficiency and reliability, regular review of robustness, and alignment with internal AML policies). CSSF Regulation 20-05 provides that such automated processes should comply with further guidance issued by regulatory authorities, whereas CAA Regulation 20/03 expressly requires CAA approval. Conditions therefore remain quite strict.
Whilst the new regulations provide more flexibility, they maintain an adequately regulated environment. Indeed, the goal should not be to lower standards, but to use a suitable set of tools so that these dematerialised processes achieve a reliability comparable to – if not exceeding – the trustworthiness of face-to-face meetings.
First, in respect of the possibility to use “eIDAS trust services”, this can refer to:
- eIDAS electronic identification schemes: these enable companies to gain knowledge of a person’s identity through an electronic identity document (eID). eIDs must currently be issued either by a government or under a scheme mandated or recognised by the government (in Luxembourg, customers would need to be in possession either of the national eID card now issued by the government or of a pre-activated LuxTrust certificate). This may become more flexible in the future, as a public consultation has been launched with a view to potentially improving eIDAS.
- eIDAS trust services for electronic signatures and authentication: these do not assert a person’s identity per se but can be used to confirm they are who they claim to be. These trust services can be used once the formal customer identification has been performed. This is particularly useful for customer lifecycle management, providing customers with secure authentication and/or signature means when they access their client portal or electronically sign documents.
Second, the possibility to use other processes “regulated, recognised, approved or accepted” by national authorities should generally refer to digital processes integrating tools such as video chat, automatic ID document recognition and validation (with technologies such as MRZ scanners) and others.
In practice, the wording entails that some form of validation of the process by the CSSF / CAA should be required. This could be:
  - general validation of certain ‘pre-approved’ solutions,
  - case-by-case approvals.
In the first scenario, a list of pre-defined processes would need to be validated. However, given (i) the complex nature of AML verifications and the need to tailor them to each company’s needs and internal processes and (ii) the fact that companies may also wish to build digitalised processes internally rather than resorting to external providers, it is more likely that discussions with the Luxembourg regulators will need to be carried out on a case-by-case basis.
This is without prejudice to the issuance of more general guidance by the CSSF/CAA to help point companies in the right direction. Also, CSSF Regulation 20-05 expressly provides the possibility for the CSSF to issue further guidance on automated customer acceptance (see above), which could also be useful in a more general onboarding context.
Independently from the regulator’s stamp of approval, companies should make their own independent assessment of the adequacy of these processes. Below are some examples of criteria to take into consideration:
- Security: the level of security, e.g. encryption of communications and other technical measures taken to mitigate the risk of unauthorised access, a low risk of fraud, and sufficient technical controls;
  - Good to know: if you are relying on an electronic identification scheme (eID), eIDAS provides three assurance levels – low, substantial and high – which give an indication of the level of reliability/security.
- Robustness, effectiveness and reliability: note that these are criteria provided by the CSSF for automated onboarding, but they should generally apply to all remote identification processes;
- Clarity of instructions provided to customers, obtention of all required consents, and compliant processing of personal data collected (these are criteria stated in the CSSF’s video chat FAQs, which should also apply more generally to any remote onboarding process used);
- Adequate internal procedures supporting the use of processes (this too is mentioned by the CSSF in the video chat FAQs and should apply more broadly);
- Sufficient due diligence of external providers used, including the whole outsourcing chain (requirement stemming from general outsourcing requirements);
- Use of secure authentication mechanisms in support of the process and for lifecycle identity management, e.g. two-factor authentication (which can include, for example, SMS one time passwords (OTP) and/or biometric authentication means).
To go further:
- The CSSF’s FAQs on video chat provide some useful guidance (question 8) on data quality requirements when reading documents or identifying a person remotely.
- The Financial Action Task Force (FATF) issued guidance on Digital Identity in March 2020.
Remote identification is a welcome trend in terms of providing customers with a “no-contact experience” in line with today’s social distancing measures. The aim is to create a streamlined, efficient user experience (which can be enhanced by features facilitating the customer journey, such as automated field completion).
From a regulatory standpoint, it can also assist companies with meeting their obligations:
- In line with CSSF and FATF guidance: as mentioned in the introduction of this article, the CSSF invited entities under its supervision, in Circular 20/740, to consider digital onboarding. This echoed the FATF’s recommendations.
- Enhanced security: when done properly, digitalised processes can strengthen security. For example, automated document verification processes can be more thorough than manual checks, with MRZ technology verifying elements such as expiration date and document number on-the-fly. In addition, data quality can be improved since documents with poor readability are typically rejected by automatic verification tools.
- Less human error: machines can sometimes be more accurate than human judgment; for instance, when identification processes rely on image analysis software that compares a person’s ID document with a photo/video of them, sophisticated algorithms can be more effective at spotting discrepancies.
- Digital evidence (i.e. electronic data trails and logs) makes it easier to comply with document storage obligations and to prove proper execution of due diligence: when carrying out identification via a digital process, digital evidence of the process is stored. This has two uses:
  - Identification documents, data and information which companies are legally required to retain for a certain period of time can be easily stored in dematerialised form, since this is their original form (i.e. the electronic documents/data resulting from the remote identification process are originals and have inherent probative value). On the other hand, dematerialising physical documents (i.e. paper) is harder, requiring the intervention of a dematerialisation or conservation service provider to create copies with probative value.
  - Such electronic data trails and logs can be used to prove proper execution of customer due diligence obligations if needed, especially where services such as timestamping or electronic signature are integrated within the process.
- Simplifying reporting: digitally storing records of customer due diligence carried out can make information easier to regroup and export in the context of reports.
- Simplification of lifecycle identity management / remediation campaigns: digital identification tools can make it easier to manage identity lifecycle for customers, for instance:
  - Through the allocation of authentication credentials (see above),
  - By using software which permits the sending of remote requests to customers on an ad hoc or periodic basis, either to comply with periodic review obligations or to carry out targeted digital remediation or customer data curation campaigns.
  Where a fully remote relationship is not suitable, an alternative is to handle initial client onboarding at an in-person meeting, and then carry out additional identification checks remotely as a second step.
- More efficiency for back-office and compliance staff: as back-office and compliance staff are increasingly required to work remotely, using digitalised processes saves a lot of time and effort without prejudice to the quality of the process. Onboarding requests are also centralised rather than coming in through different channels.
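As an added example (not from the article and not Finologee’s product code), this is the check-digit and expiry verification an automated MRZ reader performs on the second line of a passport-format (TD3) machine-readable zone, following the ICAO Doc 9303 rule of weights 7, 3, 1 over character values. The sample line is the standard’s fictitious “Utopia” specimen; the tampered variant is constructed here to show how a single altered digit is caught.

```python
from datetime import date
WEIGHTS = (7, 3, 1)  # ICAO Doc 9303 check-digit weights, applied cyclically

# Constructed inputs: the fictitious "Utopia" specimen line 2 from ICAO Doc 9303, and the
# same line with one document-number digit altered (8 -> 7) but the check digits unchanged.
SAMPLE_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
TAMPERED_LINE2 = SAMPLE_LINE2[:1] + "7" + SAMPLE_LINE2[2:]

def char_value(c: str) -> int:
    """MRZ character values: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c == "<":
        return 0
    if c.isdigit() or "A" <= c <= "Z":
        return int(c, 36)  # base-36: '0'-'9' -> 0-9, 'A'-'Z' -> 10-35
    raise ValueError(f"invalid MRZ character {c!r}")

def check_digit(field: str) -> int:
    """Weighted sum of the field's character values, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def yymmdd(field: str, latest_year: int) -> date:
    """Expand a YYMMDD field: 20YY unless that falls after latest_year, then 19YY."""
    yy, mm, dd = int(field[:2]), int(field[2:4]), int(field[4:6])
    return date(2000 + yy if 2000 + yy <= latest_year else 1900 + yy, mm, dd)

def validate_td3_line2(line: str, today=None) -> dict:
    """Verify each field check digit, the composite digit and the expiry date of a TD3 line 2."""
    today = today or date.today()
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    fields = {  # name: (field value, printed check digit)
        "document_number": (line[0:9], line[9]),
        "date_of_birth": (line[13:19], line[19]),
        "expiry": (line[21:27], line[27]),
        "optional_data": (line[28:42], line[42]),
    }
    checks = {k: check_digit(v) == char_value(cd) for k, (v, cd) in fields.items()}
    # Composite digit covers document number, DOB and expiry (each with its own digit) plus
    # the optional data and its digit; nationality (10-12) and sex (20) are not included.
    composite = line[0:10] + line[13:20] + line[21:43]
    checks["composite"] = check_digit(composite) == char_value(line[43])
    expiry = yymmdd(line[21:27], today.year + 20)  # expiry is never read as 19YY
    return {
        "document_number": line[0:9].rstrip("<"),
        "date_of_birth": yymmdd(line[13:19], today.year),
        "expiry": expiry,
        "expired": expiry < today,
        "checks": checks,
        "all_checks_ok": all(checks.values()),
    }
```

A reader that also compares the MRZ against the visual inspection zone and the chip data (where present) catches far more than check digits alone; the arithmetic here only detects transcription and crude alteration errors.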
Tip: For a more general look at whether digitalising KYC processes (beyond client identification) makes sense for you, take a look at our article on the subject: Is Digital KYC the right approach for you – as a Luxembourg-regulated institution? – Finologee
When implementing electronic identification processes it can make sense – first of all business-wise – to resort to a third-party provider whose core business is designing secure technological solutions for that matter.
However, from a regulatory standpoint, this should never result in a loss of control: Luxembourg regulators place a big emphasis on ensuring that companies retain ultimate responsibility and authority over their AML processes. One first step to ensure sufficient control is to cater for an unambiguous definition of the scope of the outsourcing: is it the remote identification process itself that is delegated to a third party or is it just about providing digital tools enabling the regulated entity to carry out the process using these tools?
New regulations strengthen financial industry professionals’ obligations when relying on outsourcing of AML processes (i.e. via third-party introducers or delegates). This targets situations where professionals let a third party fully or in part take care of customer identification. This could be the case for example where an entity has developed electronic identification processes and offers to operate as an introducer/delegate for another entity using this setup. Due to the obviously higher risk of loss of control, applicable legal conditions are strictly set out in relevant AML regulation.
The second option is to restrict the role of a service provider to the technical implementation of products/services enabling electronic identification, to be operated under the financial industry professional’s instructions and control. Here, the sub-contractor is neither a third-party introducer nor a delegate, but merely a technical service provider. This type of ‘softer’ KYC outsourcing is subject to common outsourcing regulation, such as CSSF Circulars 12/552 and 17/654 (as amended) and the EBA Guidelines for the financial industry, or Solvency II requirements and EIOPA Guidelines on Cloud Outsourcing for the insurance industry.
When choosing such a technical service provider, one point to watch is to properly define and handle the level of modularity of the products/services provided. They should be sufficiently customisable to allow tailor-made implementations adapted to the company’s specific needs and internal processes/requirements. A “one size fits all” solution is less suited to the AML landscape, which depends on so many factors and specificities (e.g. type of clientele, industry sector, internal/group-level processes and policies).
Tip: Finologee’s Digital Onboarding and Identification product enables Luxembourg financial industry professionals to choose from a catalogue of components and features to build a hosted remote account opening process and toolset that fully meets their requirements and AML policies.
Customer identification is only one of many obligations of companies stemming from the AML/CFT regulatory framework. In line with the foregoing and as companies aim to streamline customer and back-office/compliance staff’s journeys whilst facilitating regulatory compliance, remote identification tools can be integrated seamlessly within more complete KYC management platforms. Such platforms can cater for easy interactions between customers, back-office and compliance staff and can simplify the creation and management of customer profiles.
The following features can be integrated, for instance:
- customers’ risk classification (which can be translated from customers’ existing risk policies);
- additional documents, information and data required from customers, which can be requested or not based on the established risk profile – e.g. for a low risk profile, only essential documents are required;
- reminders of the frequency at which verifications need to be made (this can then also be linked to the risk profile; for instance, in cases of enhanced due diligence, identification information must be verified at least once a year);
- interfacing with public registers and data providers to verify obtained data against publicly available information (e.g. blacklists/sanction lists…);
- and more: the aim for each company being to determine which features and modules are appropriate for their own customer onboarding and lifecycle management process.
Tip: Finologee provides the tools to help you build your own fully digital KYC lifecycle management platform, tailored to your specific needs and requirements. For more information, please visit our KYC Manager product page.
Disclaimer: the information provided in this article does not, and is not intended to, constitute legal advice. All content is for general information purposes only.