The Guidelines will harmonise requirements for remote onboarding across Europe, bringing many opportunities for financial service providers to improve their services and provide them in multiple countries in a much easier way than today. Signicat’s identity proofing service and other services can help you comply with the EBA Guidelines.
On 22 November 2022, the European Banking Authority (EBA) published Guidelines on remote customer onboarding to financial services (EBA/GL/2022/15), focusing on verifying the end-user’s identity without requiring physical presence and on storing the data gathered during customer onboarding. The EBA is preparing the translations of the Guidelines; the competent national authorities must then report their compliance to the EBA around June 2023, two months after the translations have been made public. Accordingly, the Guidelines become effective around the end of 2023, six months after the translations. The Guidelines target credit and financial institutions and competent national authorities within EU Member States.
Now is a good time for credit and financial institutions to get familiar with the Guidelines and evaluate available tools. The assessment procedure needs proper preparation as the tools and procedure framework need to be presented to the competent authority for approval before deployment.
# Purpose of the EBA Guidelines
In the 5th AML Directive, remote identification is referred to as whatever is “regulated, recognised, approved or accepted by the relevant national authorities”. This has led to a fragmented situation, as authorities in each Member State have specified different requirements. Financial service providers have had difficulty complying, and cross-border remote onboarding has become complicated. Observing this situation, the European Commission, through the Digital Finance Strategy launched in September 2020, handed the EBA the task of providing guidelines to harmonise requirements across the EU. These Guidelines are now published.
The Guidelines provide practical-level recommendations to clarify the customer due diligence (CDD) requirements defined in the AML Directive. The reasons are:
- The credit and financial institutions’ compliance-related activities vary between EU Member States.
- There are also deviations between the competent authorities’ national regulations.
- Credit and financial institutions need help choosing the right tools for remote customer onboarding.
- There is a need for more practical guidance on utilising modern identity verification technologies.
- The harmonisation objective also has a wider reach, for example in relation to ETSI TS 119 461 (Electronic Signatures and Infrastructures; Policy and security requirements for trust service components providing identity proofing).
While the Guidelines are, in principle, technology-neutral, in practice they do provide direction on which technologies can be applied and which cannot.
# Requirements for identity verification using eIDs and ID documents
Here is a summary of the key points from the EBA Guidelines that will assist you in becoming acquainted with the guidelines and evaluating the tools necessary to be compliant.
Regarding eID schemes, it is possible to use:
- Notified eID schemes with a substantial or high eIDAS Level of Assurance (LoA).
- Relevant trust services and electronic identification processes regulated and accepted by the relevant national authorities.
In both cases, the risk-based approach needs to be applied.
Regarding using ID documents for self-service, remote and digital onboarding:
- Ensure that the captured photograph(s) or video are clear enough to allow proper verification of the customer’s identity.
- Verify that the photograph(s) or video are taken by the customer during the verification process.
- Run a liveness check to make sure the user is present in the communication session.
- Ensure that the photograph(s) or video taken match the picture(s) originating from the customer’s ID document(s).
For business customers, credit and financial institutions need to:
- Ensure the legal person is identified and verified.
- Verify the authorisation and identity of the natural person who acts on behalf of the legal person.
- Identify the beneficial owners.
- Verify the purpose and intended nature of the business relationship.
When the risk-based approach requires it, the reliability of the verification process can be increased with measures such as:
- Payment transaction from a bank account.
- One-time password.
- Capturing biometric data and comparing it with data collected from other independent and reliable sources.
# Requirements for storing evidence from the onboarding process
The Guidelines require the information and documents gathered during the remote onboarding process to be timestamped and stored securely so that they are available for audit or other ex-post verification purposes. This is a perfect match for Signicat’s Digital Evidence Management (DEM) service. DEM builds on Signicat’s own qualified timestamping service, providing the highest level of security and legal certainty for timestamps. DEM adds metadata to the timestamped object and securely stores the result. The metadata provides powerful search and retrieval capabilities, while the qualified timestamp provides the legal “presumption of the accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound”, as stated in Article 41 of the eIDAS Regulation. The metadata also carries instructions for managing the stored objects, such as the time to live before secure deletion.
Learn more about Digital Evidence Management.