Customers Digital Onboarding according to SEPBLAC

Context

The prevention of money laundering and terrorist financing have become major global issues recently. These phenomena threaten economic stability, national security and the financial system’s integrity worldwide. In this context, compliance with AML (Anti-Money Laundering) rules and regulations has become critical for financial institutions.

Money laundering is the process by which individuals or entities attempt to hideor legitimise funds of illicit origin by transforming them into apparently legalassets. On the other hand, terrorist financing involves providing financial resourcesto perform terrorist activities, which can have devastating global security consequences.

Money laundering is the process by which individuals or entities attempt to hide or legitimise funds of illicit origin by transforming them into apparently legal assets. On the other hand, terrorist financing involves providing financial resources to perform terrorist activities, which can have devastating global security consequences.

Governments worldwide have implemented strict regulations to prevent and detect these illicit activities in this scenario. In the case of Spain, SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias) plays a key role.

The importance of AML compliance lies in ensuring that financial institutions operate ethically and legally, protecting their assets and the financial system’s integrity.

SEPBLAC works closely with financial institutions to establish guidelines, regulations and controls that enable them to identify and report suspicious transactions and maintain records of their economic activities.

Furthermore, it is also responsible for promoting training for the staff of these institutions, fostering an effective AML compliance culture.

Risks linked with money laundering

Money laundering presents several risks that go beyond the financial sphere. This crime can trigger economic destabilisation by distorting demand and generating unfair competition. Furthermore, the opacity of transactions undermines trust among market players and can seriously impact national security and global stability by financing criminal and terrorist activities.

Combating money laundering is essential for several reasons. First, it preserves the financial system’s integrity by maintaining confidence in its functioning. Furthermore, it is a key tool in preventing organised crime and terrorist activities by disrupting a crucial funding source for these illicit operations.

At the same time, it promotes a business culture based on transparency and ethics, which boosts the confidence of investors and the general public. It also contributes to sustainable development by preventing capital flight and tax evasion, facilitating investment in projects that promote sustainable economic growth.

Compliance with AML regulations, supervised by SEPBLAC, not only avoids legal and financial sanctions but also strengthens the reputation and operational continuity of financial institutions.

(Index) 

What is SEPBLAC?

SEPBLAC is the supervisory body in charge of preventing money laundering and terrorist financing in Spain. It works independently and is under the supervision of the Bank of Spain.

It plays a crucial role in preventing and detecting illicit money laundering and terrorist financing activities, as we have already mentioned. Its work involves supervising and controlling financial institutions and other obliged subjects, ensuring compliance with AML regulations.

At the European level, the European Union has set directives to harmonise policies to prevent money laundering and terrorist financing in all Member States. These directives seek to strengthen international cooperation and establish common standards.

In Spain, Law 10/2010, of April 28, 2010, on the Prevention of Money Laundering and Terrorist Financing (also named LPBCFT), as well as the regulation that develops it, Royal Decree 304/2014, of May 5 (articles 12 and 21 mainly) and Royal Decree 7/2021, of April 27, transposing European Union directives on competition, prevention of money laundering […] constitute the key regulatory framework. These rules establish customer identification and verification obligations and the obligation to report suspicious transactions to SEPBLAC. They also define due diligence procedures, internal controls and staff training on prevention.

Among the main provisions of the LPBCFT:

• Identification and verification obligation in business relationships and non-face-to-face operations: Entities must identify and verify their clients’ identity when they plan to establish business relationships or execute operations through telephonic, electronic or telematic means with clients who are not physically present.
• Suspicious transaction reporting: They must report to SEPBLAC any transaction that presents suspicions of money laundering or terrorist financing.
• Enhanced due diligence (EDD): A framework is established to apply more stringent measures in high-risk customers or complex transactions. EDD is required for high-risk customers, which may include additional verifications, face-to-face interviews and more detailed analysis.
• Documentation maintenance: Companies must retain transaction records and identification documents for a specified period.
• Training and awareness: Staff training in detecting and preventing these criminal activities is required.

(Índice) 

SEPBLAC Digital onboarding KYC obligations and procedures

SEPBLAC establishes rigorous non-face-to-face identification obligations and procedures for clients of financial entities to prevent money laundering and terrorist financing.

Article 21 of the regulation remarks that regulated entities may establish business relations or perform transactions by telephone, electronic or telematic means with customers who are not physically present when any of the following circumstances apply:

• The customer’s identity must be verified in accordance with the provisions of the applicable regulations on electronic signatures.
• The customer’s identity must be verified by means of a copy of the identity document, provided that such copy is issued by a public notary.
• The initial deposit must come from an account in the name of the same customer opened in an entity domiciled in Spain, in the European Union, or in equivalent third countries.
• The customer’s identity must be verified through the use of other secure procedures for identifying customers in non-face-to-face operations, provided that such procedures have been previously authorized by the Executive Service of the Money Laundering Prevention and Monetary Infractions Commission.

Under the authorization mentioned in point d) above, the SEPBLAC has recognized as valid non-face-to-face identification methods the remote identification procedure via videoconference, the remote identification procedure via video identification, and until 2023 the procedure for requesting confirmation of data on account ownership between entities.

(Index) 

So, what options exist for performing digital customer identification based on SEPBLAC digital onboarding?

SEPBLAC has implemented several regulations and announcements that digitally regulate customer identification. The main relevant rules and notifications in this area are:

A. Recommendations issued by SEPBLAC in 2016 on videoconferencing

On February 12, 2016, SEPBLAC introduced a significant advance by allowing a digital alternative to face-to-face identification, videoconferencing, provided that certain requirements and security guarantees are met:

• The non-in-person identification procedures through videoconferencing will only apply to customers with a DNI, Residence Card, Foreigner’s Identity Card, passport, etc.
• Before effectively implementing a non-face-to-face identification procedure by videoconference, the obliged subject must conduct a risk analysis.
• Before implementing a non-in-person identification procedure through videoconferencing, the regulated entity shall document the procedure, test its effectiveness, and write down the results.
• The regulated entity shall be responsible for implementing the technical requirements that ensure the authenticity, validity and integrity of the identification documents used and the correspondence of the holder with the client being identified.
• Employees with specific training in preventing money laundering and financing terrorism must manage the procedures.
• The identification process by videoconference must be recorded with a record of date and time.

• The client must expressly consent to the non-face-to-face identification procedure by videoconference and recording and preserving the process before or during the course. As part of the onboarding process, the organisation must clearly inform the customer of the procedure that will take place, the data that will be captured, and its purpose, as well as everything related to its storage. It is also essential to collect the customer’s explicit consent before proceeding. The system commonly requires the user to accept the Privacy Policy expressly, and the process cannot begin until this step is completed.
• During the videoconference, the regulated entity shall adopt measures to ensure the privacy of the talk held with the client. As part of the onboarding process, it is recommended that the institution include specific instructions for the process to be performed by the customer in an environment that ensures privacy.
• The obligated party must obtain and keep a photo of the front and back of the identification document used.
• Also, during the videoconference, the identified client must visibly display the front and back of the document used for identification. For this purpose, the institution should have an onboarding process where the technology takes control of the device’s cameraits purpose, and and automatically detects and captures the images, evaluating quality parameters such as focus, lighting, lack of reflections and adequate distance.
• Before the execution of any transactions, the regulated entity shall verify that the client is not subject to international financial sanctions or countermeasures.

B. Recommendations issued by SEPBLAC in 2017 on video identification.

On May 11, 2017, SEPBLAC issued specific recommendations on video identification as a method for performing customer identification digitally and as an alternative to videoconferencing. Processes with video identification are defined as those in which there is no online interaction between the potential customer and an agent (unassisted processes).

The omission of such interaction has to be replaced by a subsequent control involving recording, which entails additional safeguards.

These recommendations detail the controls that must be followed to ensure the reliability and validity of identification by this means. These controls are described in the point Explanation of the legal requirements to perform it and how MobbScan complies.

C. Authorisation of the procedure for requesting confirmation of account ownership data The National Electronic Clearing System (SNCE) and communication on modifications to this procedure in 2021

On May 22, 2015, SEPBLAC authorised a non-face-to-face identification procedure called “Procedure for requesting confirmation of data on account ownership between entities or Account Ownership Service”.

This service allowed financial entities to confirm electronically if a customer was the holder of an account in another entity. Provided this service by Iberpay facilitated information exchange between entities participating in the SNCE-03 subsystem of the National Electronic Clearing System. Specifically, it allowed a financial institution to verify a customer’s identity remotely, requesting confirmation of the customer’s identification data in real-time from another institution with which the customer already had a relationship.

In March 2021, Sociedad Española de Sistemas de Pago, S. A. (Iberpay) informed SEPBLAC about introducing a series of modifications to this procedure. Also, Iberpay communicated that it would incorporate, in the cases of opening non-in-person accounts, a customer verification system, using their banking credentials with reinforced authentication to strengthen the security of the processes.

Nevertheless, SEPBLAC did not see its use as a non-face-to-face identification procedure.

D. Announcement 2023 on the Invalidity of the Account Ownership Confirmation Service

Therefore, on January 17, 2023, SEPBLAC issued a relevant announcement on the invalidity of the account ownership confirmation service for not complying with the new EBA guidelines on non-face-to-face customer identification.

(Index) 

What evidence do I need to collect or maintain to compliance?

To demonstrate compliance with AML/CFT regulations, collecting and maintaining specific evidence of the video identification process is necessary. It involves the complete recording of the video identification process, with reliable recording of its date and time.

This action must be carried out following the provisions of Article 25 of Law 10/2010.

According to this article, the companies must keep the documentation evidencing compliance with the obligations outlined in the law for ten years. It is important to underline that the documentation must be disposed of once this period has elapsed.

Nevertheless, the internal control bodies of the obligated entity, including the technical prevention units and, if necessary, those in charge of its legal defence, will have access to this documentation kept only for specific purposes.

In particular, the following must be kept:

1. Copies of the documents required under the due diligence measures, for ten years from the ending of the business relationship or the execution of the transaction.
2. Original documents or copies with evidentiary force that adequately verify the operations, the parties involved and the business relationships, also for ten years from the execution of the process or ending the business relationship.

As for identification (DNI and passport), documents must be stored on optical, magnetic or electronic supports that ensure their integrity, legibility, unalterability and correct conservation and location.

The duty of conservation extends to the data and information supporting such identification. Furthermore, obtaining and keeping a photo of the front and back of the identification document used in the process is a must.

(Index) 

Security and data protection measures to be taken into account in the onboarding process

1. Data encryption

Security and data protection measures to be taken into account in the onboarding process to comply with video identification regulations

2. Strong customer authentication

Implement strong authentication to ensure the customer is who they claim to be. It can include the verification of identification documents and the use of facial recognition technologies.

3. Document verification

Ensure that the identification documents the customer presents are authentic and valid. It may involve the use of document verification technologies.

4. Identity theft protection

Implement measures to prevent identity theft (deepfakes, synthetic identities) , such as using real-time facial recognition technologies and comparison with identification documents.

5. Access control and personnel authentication

Ensure that only authorised staff have access to video identification processes and that authentication ensures the legitimacy of the personnel involved.

6. Logging and auditing of activities

Keep a record of all interactions and activities related to the video identification process. It allows auditing and traceability in case of any incident or query.

7. Informed customer consent

Obtaining the customer’s informed consent to perform the video identification process and to process their data is essential and must be done by data protection regulations.

8. Secure data retention and disposals

Establish clear policies on the retention and safe disposal of data collected during video identification.

9. Risk assessment and security testing

Conduct regular risk assessments and security testing to identify and mitigate potential vulnerabilities in the video identification process.

(Index) 

Remote identification procedure by video identification with MobbScan

The video identification process with our advanced digital onboarding solution, MobbScan, integrates remarkable features contributing to a smooth user experience and compliance with SEPBLAC regulations.

This process involves three steps to complete the process successfully.

1. SEPBLAC Digital onboarding process with video identification (technology)
2. Custody and stamping of the process
3. BPO -Certified Agent Service

A. Digital onboarding process with video identification (technology)

Mobbeel, through MobbScan, provides a full and secure digital onboarding process that incorporates document verification (OCR/NFC and data capture and validation of the customer’s identity document) with facial verification.

To ensure the correspondence between the document holder and the user performing the process, MobbScan provides a biometric facial verification functionality using the applicant’s image and the image on the ID.

MobbScan incorporates a biometric engine that performs a facial verification operation by comparing the facial image on the identity document with a photo taken of the user during the enrolment process.

The system is trained to provide the highest security rates. It is robust to aspects such as differences in appearance, time passing or poor preservation of the printed photograph. The biometric engine is built on deep learning technologies, obtaining robust vectors of 512 features that are then compared by calculating distances. The result is communicated to the agent backend as a similarity percentage for further review.

In addition to the biometric comparison, the tool implements technical measures to detect that the person is alive through active or passive evidence. In other words, mechanisms to detect biometric presentation attacks (Presentation Attack Detection, PAD) that prevent a possible successful verification of an impostor.

Indeed, MobbScan incorporates a Presentation Attack Detection (PAD) module that includes measures against the following attack instrument (PAI):

• Printed images.
• Masks made of paper, silicone or latex.
• Screen images.
• Recordings.
• Characterisation.
• Deepfakes.

Our technology eases a seamless and uninterrupted process flow so the customer can complete the identification in a single session.

Furthermore, a complete and uninterrupted recording of the entire process is made to comply with regulations. This functionality provides an additional layer of security and evidence for later review by the agent service.

B. Custody and stamping of the process

The custody and stamping of the process ensures that the information collected during video identification is protected and stored securely, complying with the security standards established by SEPBLAC.

C. BPO – Certified agents

The agents providing the service have to be trained and authorised to thoroughly and accurately review the recorded process.

Their main function is to verify that the process has been carried out correctly and to validate the veracity of the information collected during the onboarding process.

All documentation generated serves as solid evidence in case of future audits or regulatory reviews.

(Índex) 

Legal requirements to carry video identification out and how MobbScan complies

As we have commented, the process of remote video identification without human intervention in real-time is accepted by SEPBLAC, and it is the most widely used component by financial institutions today to perform digital records securely and efficiently. The process involves the video recording of the identified customer and the presentation of valid identification documents.

The video identification process must meet certain specifications, which are grouped into three categories: capture process, recording process and review process.

The b in each category and how MobbScan complies are specified below.

1. Capture process

The video identification procedures are only applicable to customers with reliable identification documents.

• Our onboarding platform provides technological support for reliable identity documents. On the other hand, as part of the process, the entity will not allow other identification documents apart from those mentioned in Article 6 of the Law 10/2010.

During the video identification process, the customer must visibly show the front and back of the document.

• MobbScan guides the user through the video identification process and asks the customer to show the front and back of their ID.

A photo of the front and back of the ID should be obtained.

• Our onboarding platform is set up to automatically request, detect and capture both sides of the document during the process. It will not allow the successful completion of processes in which this document has not been captured.

The photograph must be of a quality and sharpness that allows its analysis. It cannot be a frame extracted from the video identification process.

• The photograph’s capture is done automatically, allowing the technology to select the best quality picture for subsequent review.

2. Recording process

The identification process must be recorded immediately:

• When configured in SEPBLAC digital onboarding compliance mode, the solution only allows real-time document capture and immediate streaming (audio and video) recording of the full process. The tool also ensures the procedure is performed as a single sequential act in time.

The video identification recording process must leave a record of the date and time of the process:

• MobbScan is prepared to perform the custody of all process evidence and video identification video, including the recording of the video and ensuring its integrity by applying a digital signature, as well as the reliable proof of the date and time of acquisition by applying a time stamp issued by a recognised authority (TSA).

The video process has to be performed on a single device, and pre-recorded video will not be supported:

• The Mobbeel video identification process is carried out on a single device (desktop, mobile browser, native app) where the process is live. Once the process is started, switching to another device is not allowed. A change of device would mean the invalidation of the previous process and the start of a new process where all the evidence is captured again. If there is a break in communications, the video recording is ended, and the user is forced to restart the stream. Furthermore, uploading pre-recorded files (images and videos) is not allowed under any circumstances.

The images and sound are immediately transmitted to the obliged subject in digital format, unaltered and live (streaming):

• Our MobbScan component transmits the video identification process live, sending the sound and the image to the obliged party’s platform.

3. Review process

The review process will be addressed within the agent portal role.

The role of the agent portal in the acceptance or rejection of video identification processes

The agent portal plays a crucial role in the video identification process, providing an interface for certified agents to review evidence and make decisions about digital identification processes.

This portal or backend allows agents to access the video identification processes that require review. It includes viewing the complete recording of the process and the information, providing full traceability and compliance with regulatory requirements.

Agents can review each stage of the process and determine the validity of the capture of the images of the ID, both front and back.

Furthermore, the portal collects evidence from the facial capture step. In this case, the matching between the photo on the document and the selfie and the liveness detection are analysed. The technology returns an OK in case of a match or a KO when there is no match or liveness detection or when the matching threshold is very low.

Regarding the video recording, the agent should check:

• If the video is playable
• If the video is uninterrupted and can be seen from start to finish with all the steps of the process.
• If the video has an audio channel and good quality and lighting.
• If it does not show other people, only the user doing the process.

The process recording must be specifically and individually reviewed by the entity before the execution of any operations, documenting for each recording compliance with the specifications established in this authorisation.

For the process to be accepted, a green check of the general validations is required (valid document, of legal age, no specimen or screen or printed capture) of the MRZ (personal number, document number, DOB, expiry date and check digit) and provided that the facial matching and the life test are passed.

It may also be considered valid with a warning, provided that the manual review of the video or images allows the document’s authenticity to be verified.

The video identification process shall NOT be valid when:

• There are indications of falsification or manipulation of the identification document or a lack of correspondence between the holder of the document and the customer being identified,
• Or where the transmission conditions make verifying the authenticity and integrity of the identification document and the correspondence between the document holder and the customer being identified impossible or difficult.

Agents should reject all processes where there are attempts of fraud (in the document or the person presenting it) or where the conditions of the transmission environment simply do not allow the document’s authenticity to be verified with confidence.

Although the ultimate responsibility for the decision on the authenticity, validity and integrity of the identity document used and the correspondence of the document holder with the customer who is carrying out the video identification lies with the human agent who is reviewing the evidence, there is an area where the platform can significantly help the decision using some technical validations.

(Index) 

Use of video identification in different industries such as banking, fintech and other financial entities

The adoption of video identification in the financial industry, such as banking, fintech and other financial institutions, has introduced an additional level of security and irrefutable evidence in digital identification processes, allowing companies in the sector to carry out robust customer verification that significantly minimises the risk of fraud and identity theft by recording the process and then being reviewed by a qualified agent.

• Enhanced user experience: Video identification allows customers to complete the identification process in a single session without physically going to a branch. It improves convenience and efficiency, contributing to a more satisfying user experience.
• Simplifying internal processes: Video identification streamlines internal procedures by eliminating the need for physical procedures and paperwork. This results in more significant operational efficiency and time savings.
• Expanded customer coverage: By enabling remote identification, financial institutions can reach a wider customer base, including those who do not have easy access to physical branches.
• Improved market competitiveness: The adoption of video identification technologies demonstrates a commitment to innovation and security, which can give a competitive advantage in the financial marketplace.

(Index) 

Download the eBook on digital onboarding according to SEPBLAC in PDF

What will you find out in this eBook about SEPBLAC’s digital onboarding?

• What exactly is SEPBLAC? (Financial Intelligence Unit of Spain and supervisory authority in matters of money laundering prevention and counter-terrorism financing)
• What obligations and procedures must I follow according to Law 10/2010?
• How do I identify my clients in compliance with SEPBLAC digital onboarding?
• What agents do I need to review my digital customer onboarding processes?
• Uses of video identification in the financial industry
• Bonus Track – Is there a regulatory convergence between the new EBA guidelines on onboarding and the video identification regulations of SEPBLAC?