Circular C601: EBA’s Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849

On October 12th, 2023, the Cyprus Securities and Exchange Commission (the “CySEC”) issued Circular C601 on EBA’s Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849 (the “Circular”).

Further to the issuance of CySEC’s Circular C479 in relation to the public consultation by the European Banking Authority (the “EBA”) on new draft Guidelines on the use of Remote Customer Onboarding Solutions, CySEC wishes to inform Regulated Entities* via the Circular that the EBA has published its Guidelines on the use of Remote Customer Onboarding Solution under Article 13(1) of Directive (EU) 2015/849 (the “Guidelines”).

The purpose of the Guidelines is to guide the credit and financial institutions to understand the capabilities of the Remote Customer Onboarding Solutions and set out the actions they should take when choosing remote customer onboarding tools and when assessing the adequacy and reliability of such tools, in order to comply effectively with their AML/CFT obligations.

The Guidelines set clear expectations of the role, tasks, and responsibilities of Financial Institutions, the Money Laundering Compliance Officer (MLCO) and the Management Body. More specifically:

As to the role and responsibilities of the MLCO and the Management Body, the following, inter alia, are indicated:

The MLCO should, as part of their general duty to prepare policies and procedures to comply with the Client Due Diligence (CDD) requirements, make sure that remote customer onboarding policies and procedures are implemented effectively, reviewed regularly and amended where necessary. The Management Body of the Financial Institution should approve remote customer onboarding policies and procedures and oversee their correct implementation.

Governance:

When considering whether to adopt a new remote customer onboarding solution, financial institutions should carry out a pre-implementation assessment of the remote customer onboarding solution. Financial institutions should set out the scope, steps and record keeping requirements of the pre-implementation assessment in their policies and procedures, which should include at least:

an assessment of the adequacy of the solution regarding the completeness and accuracy of the data and documents to be collected, as well as of the reliability and independence of the sources of information it uses;
an assessment of the impact of the use of the remote customer onboarding solution on its business-wide risks, including ML/TF, operational, reputational and legal risks;
an end-to-end testing of the functioning of the solution targeting customer(s), product(s) and service(s) identified in the remote customer onboarding policies and procedures.

Financial institutions should be able to demonstrate to CySEC which assessments they carried out before implementation of the remote customer onboarding solution, the outcome of their assessment and how its use is appropriate in light of the ML/TF risks identified for the types of customer(s), service(s), geographies and product(s) in its scope.

Ongoing Monitoring of the remote customer onboarding solution:

Financial institutions should monitor the remote customer onboarding solution on an ongoing basis to ensure that it operates in line with the credit and financial institutions expectations. They should complement their policies and procedures with a description of at least:

the steps they will take to be satisfied of the ongoing quality, completeness, accuracy and adequacy of data collected during the remote customer onboarding process, which should be commensurate to the ML/TF risks to which the credit and financial institution is exposed to,
the scope and frequency of such regular reviews, and
the circumstances that will trigger ad hoc reviews, which should include at least: (i) changes to the ML/TF risk exposure of the credit and financial institution, (ii) deficiencies on the functioning of the solution detected in the course of monitoring, audit or supervisory activities, (iii) a perceived increase in fraud attempts, (iv) changes to the legal or regulatory framework.

Financial institutions should consider the most effective way to monitor the ongoing adequacy and reliability of the remote customer onboarding solutions. They should consider one or more of, but not limited to, the following means: (i) quality assurance testing; (ii) automated critical alerts and notifications, (iii) regular automated quality reports, (iv) sample testing, (v) manual reviews.

Acquisition of information:

The documents and information collected during the remote identification process should be time-stamped and stored securely by the financial institution. Financial institutions should ensure that: (i) the information obtained through the remote customer onboarding solution is up to-date and adequate to meet the applicable legal and regulatory standards for initial customer due diligence, (ii) any images, video, sound and data are captured in a readable format and with sufficient quality so that the customer is unambiguously recognisable, (iii) the identification process does not continue if technical shortcomings or unexpected connection interruptions are detected.

Matching customer identity as part of the verification process:

Remote customer onboarding solutions implemented by a financial institutions should, as a minimum, allow for the following, as part of their verification process:

there is a match between the visible information of the natural person and the documentation provided,
where the customer is a legal entity, it is publicly registered, where applicable,
where the customer is a legal entity, the natural person that represents it is entitled to act on its behalf.

Where financial institutions use unattended remote onboarding solutions, in which the customer does not interact with an employee to perform the verification process, they should:

ensure that any photograph(s) or video is taken under adequate lighting conditions and that the required properties are captured with necessary clarity to allow the proper verification of the customer’s identity;
ensure that any photograph(s) or video is taken at the time the customer is performing the verification process;
perform liveness detection verifications, which may include procedures where a specific action from the customer is required to verify that he/she is present in the communication session or which can be based on the analysis of the received data and does not require a specific action by the customer;
use strong and reliable algorithms to verify if the photograph(s) or video taken matches the picture(s) retrieved from the official document(s) belonging to the customer.

It is important to highlight that where financial institutions accept reproductions of an original document and do not examine the original document, they should take steps to ascertain that the reproduction is reliable. Financial institutions should establish at least the following: (i) if the reproduction includes security features embedded in the original document and if the specifications of the original document that are being reproduced are valid and acceptable, in particular, type, size of characters and structure of the document, by comparing them with official databases, such as PRADO, (ii) whether personal data has been altered or otherwise tampered with or, where applicable, whether the picture of the customer embedded in the document was not replaced (iii) whether the integrity of the algorithm used to generate the unique identification number of the original document, in case the official document has been issued with machine-readable zone (MRZ), (iv) whether the provided reproduction is of sufficient quality and definition so as to ensure that relevant information is unambiguous, (v) that the provided reproduction has not been displayed on a screen based on a photograph or scan of the original identity document.

In situations where the evidence provided is of insufficient quality resulting in ambiguity or uncertainty so that the performance of remote checks is affected, the individual remote customer onboarding process should be interrupted and restarted or redirected to a face-to face verification.

Reliance on third parties and outsourcing:

Where financial institutions outsource all or parts of the remote customer onboarding process to an outsourced service provider, as referred in Article 29 of Directive (EU) 2015/849, financial institutions should apply in addition to guidelines 2.20 to 2.21 and 4.32 and 4.37 of the EBA Risk Factors Guidelines and in addition to the EBA Guidelines on Outsourcing where applicable, before and during the business relationship with the outsourced service provider the following measures, the extent of which should be adjusted on a risk-sensitive basis:

ensure that the outsourced service provider effectively implements and complies with the credit and financial institution’s remote customer onboarding policies and procedures in accordance with the outsourcing agreement. This should be achieved through regular reporting, ongoing monitoring, on-site visits or sample testing,
carry out assessments to ensure that the outsourced service provider is sufficiently equipped and able to perform the remote customer onboarding process. Assessments may include, but are not limited to, the assessment of staff training, technology fitness and data governance at the outsourced service provider,
ensure that the outsourced service provider informs the credit and financial institutions of any proposed changes of the remote customer onboarding process, or any modification made to the solution provided by the outsourced service provider.

Where the outsourced service provider stores customer data, including, but not limited to, photography, videos, and documents, during the remote onboarding process, credit and financial institutions should ensure that:

only necessary customer’s data is collected and stored in line with a clearly defined retention period,
access to the data is strictly limited and registered,
appropriate security measures are implemented to ensure that the stored data is protected.

Moreover, CySEC has adopted the Guidelines under Section 61(1) of the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 to 2022.

Further to the above, CySEC wishes to inform Regulated Entities that the Guidelines are applicable since the 2^nd of October 2023, to the point where they do not conflict with CySEC’s Directive of 2020 for the Prevention and Suppression of Money Laundering and Terrorist Financing, as amended (the “AML Directive”).

Lastly, as CySEC notes, the AML Directive is currently under an amendment procedure to reflect the provisions of the Guidelines.

Should you require any further assistance and/or clarification in respect to the relevant matter, do not hesitate to contact us.

*Regulated Entities:

i. Cyprus Investment Firms (“CIFs”)

ii. Administrative Service Providers (“ASPs”)

iii. UCITS Management Companies (“UCITS MC”)

iv. Self-Managed UCITS (“SM UCITS”)

v. Alternative Investment Fund Managers (“AIFMs”)

vi. Self-Managed Alternative Investment Funds (“SM AIFs”)

vii. Self-Managed Alternative Investment Funds with Limited Number of Persons (“SM AIFLNP”)

viii. Companies with sole purpose the management of AIFLNPs

ix. Small Alternative Investment Fund Managers (“Small AIFMs”)

x. Crypto Asset Service Providers

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.