On 22 November 2022, the European Banking Authority (EBA) published its final report on the guidelines on the use of Remote Customer Onboarding Solutions under Article 13 (1) of Directive (EU) 2015/849¹ (the Guidelines). These Guidelines aim at setting a common EU framework for the development and implementation of sound, risk-sensitive initial customer due diligence (CDD) processes in the remote customer onboarding context. All credit and financial institutions in the scope of Directive 2015/849² (Institutions) will have to review and adjust their remote customer onboarding solutions (RCOS) and their policies and procedures regarding remote customer onboarding in light of the Guidelines.
This eAlert is relevant for, among others, credit institutions, investment firms, authorised AIFMs, UCITS management companies, other professionals of the financial sector, payment institutions, e-money institutions, virtual asset service providers and providers of safekeeping or administration services in relation to virtual assets.
As demand for remote customer onboarding soared during the pandemic, following a consultation process, the EBA issued new Guidelines to clarify how Institutions can comply with their CDD obligations under Article 13 (1) of the AMLD when using a remote customer onboarding solution (RCOS) and therefore ensure a level playing field and supervisory convergence across all EU Member States. These Guidelines supplement existing guidance³.
The Guidelines apply both to non-automated and automated RCOS. Furthermore, certain of the requirements of the Guidelines are deemed to be met automatically when an Institution relies on electronic identification schemes eligible for notification or relevant qualified trust services within the meaning of the so-called eIDAS Regulation⁴.
1. Institutions must adopt adequate RCOS
When considering adopting a new RCOS, Institutions must carry out a preliminary assessment of the contemplated solution in order to ensure that it is compliant with applicable legal and regulatory requirements generally, and, more specifically, the Guidelines.
This assessment must cover items such as:
- the adequacy of the RCOS (ie the completeness and accuracy of the data and documents to be collected; the reliability and independence of the sources of information used);
- a risk assessment (ie the impact of the use of the solution on business-wide risks; for each risk, identification of mitigating measures and remedial actions in case the risk materialises);
- testing (ie assessment of fraud risks and other information and communications technology (ICT) and security risks; end-to-end testing of the functioning of the solution); and
- proper integration of the RCOS into the Institution’s wider internal control system.
This assessment must be duly formalised and documented by the Institution in order for the Institution to be in a position to evidence the adequacy of the selected solution in case of queries from the competent authority.
The adequacy and proper functioning of the RCOS must be monitored on an ongoing basis.
2. Institutions must adjust their policies and procedures
Institutions must review and adjust their AML/CTF policies and procedures, on a risk-sensitive basis, in order to ensure that they comply with the requirements set out in the Guidelines regarding remote customer onboarding.
They must, among others, ensure that their AML/CTF policies and procedures cover the following aspects:
- A description of the RCOS used (including details of its features and functioning);
- Situations in which the RCOS can be used;
- Indications on those CDD steps which are fully automated and those that require human intervention;
- The controls in place to ensure that the first transaction with a newly onboarded customer is executed only when all CDD measures have been applied;
- A description of the pre-assessment process of an RCOS;
- A description of the training programs to ensure staff awareness and up-to-date knowledge of the functioning of the RCOS and the associated risks;
- A description of the ongoing monitoring process of the RCOS;
- A description of the process allowing the Institution to identify its customers, including: types of documents, data, information collected and the manner in which this information will be verified. In that respect, the Institution must take into consideration the requirements set out in the Guidelines regarding: (i) the acquisition of the information required under article 13 (1) of the AMLD, (ii) the measures to be taken to ascertain the authenticity and integrity of documents, and (iii) how an Institution must ensure that the documents, data or information collected match the customer identity (when the Institution uses both an attended RCOS and an unattended RCOS); and
- Specifications on which remote customer onboarding functions and activities will be carried out or performed: by the Institution itself, by third parties, or by another outsourced service provider, and the controls to be carried out over third parties or outsourced service providers as required under the Guidelines.
In terms of internal governance and internal control, Institutions must ensure that:
- The AML/CFT Compliance Officer makes sure that the remote customer onboarding policies and procedures are implemented effectively, reviewed regularly and amended where necessary; and
- The management body approves the remote customer onboarding policies and procedures and oversees their correct implementation.
Finally, Institutions must take all necessary steps to identify and manage ICT and security risks related to the use of an RCOS as further detailed in the Guidelines.
3. Institutions should start reviewing their RCOS and their AML/CTF policies and procedures
While the Guidelines will become applicable six months after their publication in all EU official languages and competent authorities will have to notify the EBA as to whether they comply or intend to comply with the Guidelines, Institutions should start reviewing their existing RCOS and AML/CTF policies and procedures to assess the extent to which they will have to be adjusted to comply with the Guidelines.
Institutions that are currently considering the adoption of a new RCOS should already take into consideration the requirements set out in the Guidelines.
2. Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, as amended (the AMLD).
3. ESAs’ Opinion on the use of innovative solutions in the customer due diligence process (JC-2017-81) of 23 January 2018 and specific guidance on collecting identity evidence in non-face-to-face situations in the revised EBA Guidelines on ML/TF risk factors (EBA/GL/2021/02) of 1 March 2021.
4. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
Henri Wagner - Partner
Jean-Christian Six - Partner
Yannick Arbaut - Partner
Thomas Berger - Partner