
The global pandemic of coronavirus disease 2019 accelerated the digital transformation of the financial industry and of remote customer onboarding. This change led the European Commission (EC) to set out its Digital Finance Strategy in 2020. The main goals of the plan were the creation of a data-based economy and a commitment to a single digital market for financial services.

To address the regulatory fragmentation existing in the market, the EC asked the European Banking Authority (EBA) to issue guidance on the implementation of the Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) policy in digital onboarding processes. The EC considered that the due diligence rules contained in Directive (EU) 2015/849 did not make clear what was or was not allowed in remote customer registration.

In answer to the EC request, the EBA published new guidelines on the use of remote customer onboarding solutions.

What do the guidelines pursue, and when will they come into effect?

These guidelines aim to create a common European framework for developing and implementing customer due diligence (CDD) processes. They also set out rules to help financial and credit institutions choose an optimal and secure solution for customers' digital onboarding, for example in digital account opening processes.

Furthermore, the EBA wants organisations to understand the capabilities of these solutions and to raise awareness of the risks inherent in adopting remote solutions to onboard new customers, such as identity theft.

These measures were published by the banking authority on 22 November 2022 and are pending translation into all EU official languages. Once they have been translated, six months must pass before they enter into force.

Therefore, the effective date will not be known until the guidelines are translated.

Who are the addressees, according to EBA?

These general rules are addressed to competent authorities and financial industry operators, such as credit and financial institutions.


What are the guidelines on the use of onboarding solutions?

There are six guidelines applicable to financial industry entities. They cover internal policies and procedures, acquisition of customer information, the authenticity and integrity of documents, matching of the customer's identity, reliance on third parties and outsourcing, and technological and security risk management.

We cover each guideline below to explain its significance and make it easier to understand.

Internal policies and procedures

The objective of the first guideline is that institutions establish and maintain policies and procedures that take into account the risk inherent in remote users' digital onboarding processes and that, at a minimum:

  • Describe the digital onboarding solution, its features and its mode of operation.
  • Determine the situations in which the solution will be used, and the customers, products and services to which it will apply.
  • Specify which steps are automated and which are not.
  • Establish controls to ensure that a new customer's first transaction begins only once the initial CDD measures have been applied.
  • Organise continuous training programmes so that employees know how the solution works and have enough tools to face potential risks.

This guideline requires institutions to assess the solution before implementing it, in order to verify whether it can guarantee the integrity and accuracy of the data and documents to be collected, and the reliability and independence of the information sources it uses.

This assessment must include running tests, checks to assess security risks and fraud such as identity theft, and corrective measures for fraud cases.

Furthermore, according to the EBA, KYC digital onboarding solutions should be reviewed regularly, especially when the technology shows deficiencies, when fraud attempts increase, when exposure to AML/CFT risks rises, or when regulatory changes affecting KYC solutions arise.

Monitoring should also include quality assurance testing of solutions, alerts and notifications of critical situations, regular reporting, sample testing, and manual checks.

Financial industry institutions should be able to demonstrate to the competent authority the monitoring and assessments they have performed and, where applicable, share the results obtained.

New customer information acquisition

The second guideline states that institutions should have policies and procedures that enable customer identification and that, at a minimum:

  • Collect the data necessary to identify the customer, the types of documents and the data used to verify their identity.
  • Guarantee that the information obtained from the customer is up to date and complies with due diligence obligations.
  • Ensure that photos, videos, data and sound are legible and of sufficient quality to recognise the customer reliably.
  • Ensure that the process does not continue if technical failures or connection problems are detected.
  • Determine whether the data is captured automatically or entered manually by the customer.
  • Guarantee that documents and information obtained in the customer registration process are retained and time-stamped. The retention period is five years after the end of the customer relationship.

This guideline requires institutions to define and maintain mechanisms that guarantee the reliability of the data they capture. Organisations also have to control any risk scenarios associated with data collection, such as hiding or changing the mobile device's location, IP address spoofing and, in general, any service that can mask customer information, such as Virtual Private Networks (VPNs).

Documents' authenticity and integrity

The third guideline refers to the documentation that companies can accept in their digital onboarding processes, specifically the measures to take when accepting reproductions of original documents rather than examining the originals. In that case, they should verify:

  • The existence and reliability of the security features embedded in the document, and the validity of the specifications of the original document (for example the Spanish ID card type, the character size or the structure), by comparing them with official databases.
  • Whether the data or the photo has been altered or modified.
  • Whether the unique identification number of the document is consistent with the algorithm that generates it, in the case of an official document issued with a machine-readable zone (MRZ).
  • Whether the reproduction is of sufficient quality to ensure that the information is meaningful.
  • Whether the reproduction of the document was obtained from a photo or scanned from the original document.

Entities must also verify the security features embedded in the ID document (such as holograms) during the process.
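The MRZ consistency check mentioned above is, for passport-size (TD3) documents, the ICAO Doc 9303 check-digit scheme: each protected field carries a digit computed from a 7-3-1 weighted sum modulo 10, so an altered or mis-read document number no longer agrees with its printed check digit. The following verifier is an added example written for this article, not Mobbeel's or MobbScan's code; the specimen MRZ line is the fictitious one from the ICAO 9303 specification, and the tampered line is constructed by changing one digit of the document number.

```python
import re

# ICAO 9303 character values: digits count as themselves, A-Z = 10..35, filler '<' = 0.
def _char_value(c: str) -> int:
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {c!r}")

def check_digit(field: str) -> int:
    """7-3-1 weighted sum modulo 10, as specified in ICAO Doc 9303."""
    weights = (7, 3, 1)
    return sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10

def verify_td3_line2(line2: str) -> dict:
    """Verify the five check digits of the second MRZ line of a TD3 document.

    Returns {field_name: bool}. False means the field content does not agree with
    its printed check digit, i.e. an OCR error or a modified document number/date.
    """
    if not re.fullmatch(r"[A-Z0-9<]{44}", line2):
        raise ValueError("TD3 line 2 must be 44 characters of A-Z, 0-9 or '<'")
    fields = {
        "document_number": (line2[0:9], line2[9]),
        "date_of_birth": (line2[13:19], line2[19]),
        "date_of_expiry": (line2[21:27], line2[27]),
        "personal_number": (line2[28:42], line2[42]),
        # The composite digit covers doc number, birth date, expiry and personal
        # number together with their own check digits (positions 1-10, 14-20, 22-43).
        "composite": (line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    return {name: check_digit(value) == _char_value(cd) for name, (value, cd) in fields.items()}

# Specimen line 2 from the ICAO Doc 9303 sample passport (fictitious holder).
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed tampered copy: last digit of the document number changed, check digits untouched.
TAMPERED = "L898902C86UTO7408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    for label, mrz in (("specimen", SPECIMEN), ("tampered", TAMPERED)):
        print(label, verify_td3_line2(mrz))
```

A failing document-number or composite digit on an otherwise legible capture is a signal to route the case to manual review rather than to retry OCR silently.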

Matching customer identity as part of the verification process

Financial industry companies should implement onboarding solutions that guarantee that the new user's visible information matches the documentation provided in the identity verification process. Where this process uses biometric identification methods, the person presenting the ID card must match the document's photo. To ensure that biometric data is unique and linked to a single individual, institutions must have robust facial recognition algorithms, such as Mobbeel's.

This guideline sets out different measures depending on whether or not an agent intervenes in the verification process.

  • In attended digital onboarding processes, institutions must ensure that the agent knows the AML/CFT rules and is trained to prevent and detect fraud. They should also have an interview guide, which should include guidance on how to identify suspicious behaviour during the verification process.
  • In unattended onboarding processes, companies should guarantee that the pictures and videos taken have sufficient lighting, and should also ensure the user's presence during the process. Activity detection can be demonstrated by asking the user to perform a specific action, such as a side-to-side head movement during the facial recognition step.

Regardless of whether the verification process is assisted or unassisted, the EBA recommends including randomness in the sequence of actions to prevent the use of synthetic identities.

Another way to guard against synthetic identities is to set up additional controls. These controls can be:

  • Make a payment into an account in the customer's name at a bank in the European Economic Area (EEA) or in a third country that complies with AML/CFT regulations.
  • Send an OTP to the user performing the process to confirm they are present.
  • Capture biometric data for comparison with data obtained from other sources.
  • Call the individual.
  • Send an email or letter to the customer.

Reliance on third parties and verification process outsourcing

Financial and credit institutions must include in their policies the functions they perform, whether internally or through a service provider.

Take a look at the EBA guidelines on money laundering and terrorist financing risk factors (EBA/GL/2021/02) and on outsourcing (EBA/GL/2019/02) for outsourced processes.

Security risk management

Companies should identify and manage the security risks of the process, even when the onboarding process is performed by a third party.

Cryptographic algorithms and secure communication protocols should be used following industry best practice standards to protect the confidentiality, authenticity, and integrity of the exchanged data.

At the same time, organisations should provide a secure access point based on qualified certificates for electronic seals to initiate the onboarding process. They should also inform users about the additional security measures they should take to ensure the secure use of the system.

When a multi-purpose device (e.g. a smartphone) is used, it must be ensured that the execution of the software code on the customer side takes place in a secure environment. In addition, further control measures must be implemented to ensure security, the reliability of the code and the trustworthiness of the collected data.

How does Mobbeel assist you in complying with EBA’s new guidelines?

MobbScan is our digital onboarding solution for financial and credit institutions. It is a modular solution that enables the scanning of identity documents and the extraction of data from them by OCR or NFC, validating their authenticity and even the identity of the individual presenting them.

Its flexibility makes remote account opening with attended or unattended video identification easier. It includes liveness detection (active or passive) as an activity detection method.

Our customer onboarding process complies with the requirements of the European Banking Authority and the European Anti-Money Laundering and Counter Terrorist Financing rules.

Would you like to comply with EBA requirements but do not know how? Reach out to our experts.