In the EU, the Digital Single Market for financial services is a powerful driver for cohesiveness and growth. But the critical goal of having a unified approach to remote customer onboarding is not being met; there’s no clarity or convergence across all the jurisdictional complexities of multiple laws, regulations and agencies on how to best digitally onboard financial service customers.
The European Banking Authority (EBA) has proposed guidelines for “common EU standards on the development and implementation of sound, risk-sensitive initial CDD processes in the remote customer onboarding context.” While the guidelines are meant as a consultation paper to elicit feedback, the EBA often has significant input into actual requirements. Reviewing these guidelines can help compliance teams understand the thinking and direction of regulators when it comes to performing initial Customer Due Diligence (CDD) remotely.
Guidelines for remote customer onboarding
The EBA is not proposing specific tools or technologies. Instead, it provides ways to frame the solution for the organization. What policies should it have, and how can it govern the process? How can it assess various solutions? And how can it implement and monitor a solution?
Policies and procedures
Before choosing a solution, a financial institution or other obliged entity (FI) should consider its information collection, verification, storage, reporting and deletion processes. As an FI is handling sensitive personal and financial information, clear GDPR-compliant rules are necessary from the outset.
Determining what information is collected, when, and how that matches the various risk scenarios will help clarify what type of solution will work best for the FI. Before any implementation, assessing all other elements such as training, controls and monitoring requirements is a good practice.
The designated AML/CFT compliance officer should prepare the remote onboarding policies and procedures and ensure effective implementation, review and adjustments. Management should understand the factors and approve the policies and procedures to meet legal requirements and the FI’s standards.
Assessing customer onboarding solutions
Using a risk-based approach, the FI needs to ensure a solution effectively provides complete, accurate, reliable and independent information. The FI also needs to understand the different risks that arise from using the solution and possible mitigations. Fraud and security risks require careful consideration, both for compliance purposes and to ensure integrity toward customers.
Another vital consideration is the adaptability of the solution. Legal and other requirements change, so the ability to quickly update configurations helps ensure compliance and smooth operations.
The customer onboarding solution needs systematic and ad-hoc reviews to check the information’s quality, completeness, accuracy and adequacy. Deficiencies should be remediated, and any potentially affected accounts should be reviewed.
Collecting onboarding information
Identifying the customer
A crucial step of the remote customer onboarding process is identity verification. The information collected for this needs to be up-to-date, adequate to meet onboarding standards, and of good enough quality that the person is unambiguously recognizable. This information needs to be securely stored and available to be rechecked.
If the customer is an entity, the same identity requirements apply to the person who represents the company. Collecting and verifying information on the ultimate beneficial owner(s) is also necessary.
Customer due diligence, such as identifying and verifying the nature of the customer’s financial activities and expected source of funds, is also part of the onboarding process.
One distinctive trait of remote onboarding is that the customer and their documentation are not available for physical checks. Specific measures are needed to ensure the person and their documents are authentic and not altered.
For documents, necessary checks include:
- Accuracy of the document template
- Alteration of the personal data
- The integrity of the algorithm used to generate the document’s unique identification number
- Sufficient quality of the copy, photo or scan of the identification document
- The original customer photo of the document is in place
The guidelines also recommend using other data sources (if available) to corroborate the document. These include the use of embedded chips or security features. Beyond authenticating the document, steps to ensure that the person presenting the documents is the same person as the applicant are necessary. If representing an entity, further checks are needed to see if the person has the legal right to act on the entity’s behalf.
If using biometric checks, the data should be unique enough to identify one person and should match the applicant. For situations that require more stringent due diligence, live video or another way to ensure the liveness of the applicant is advisable.
Currently, the EU doesn’t have a digital identity requirement. But there’s a proposal for a European Digital Identity Wallet, which can be a game-changer for remote customer onboarding.
Understanding how qualified trust services or digital identity issuers work and analyzing and authenticating these new forms of ID might soon become fundamental to carrying out CDD procedures in the EU.
Seamless customer onboarding
The consultation period for the guidelines ends March 10th, 2022. With the goal of having one unified set of EU-wide AML rules, many of these points might make their way into actual EU legislation. While they might be amended or adapted, these guidelines offer an excellent way to gauge the effectiveness of a digital customer onboarding program.