Imminent deadline for compliance with the EBA Guidelines on the use of Remote Customer Onboarding Solutions
On 22 November 2022, the European Banking Authority ("EBA") published its Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849 (the "Guidelines"). The Guidelines are designed to set common EU standards on the development and implementation of sound, risk-sensitive initial customer due diligence ("CDD") processes in the remote onboarding context and will apply from 2 October 2023.
The European Commission asked the EBA to issue guidelines on the application of anti-money laundering and countering the financing of terrorism ("AML/CFT") rules where customers are on-boarded remotely (such as through mobile apps, or via websites). The demand for remote onboarding options at financial institutions increased significantly in the COVID-19 era and, as digitalisation of financial services becomes more widespread, the use of remote customer onboarding solutions is increasing all the time.
The Guidelines ensure that these processes are in line with the applicable AML/CFT legal and data protection frameworks that apply to financial institutions with AML/CFT obligations – and not just fintechs. As with most other EBA guidance, the Guidelines seek to protect the principle of technological neutrality and do not endorse or criticise particular technologies or methods for remote customer onboarding but nonetheless provide very useful regulatory guidance on the adoption of new technologies to support remote onboarding processes.
The Guidelines complement and sit alongside existing AML/CFT guidelines issued by the EBA such as the EBA Risk Factor Guidelines, the EBA Guidelines on the AML/CFT Compliance Officer, and the Revised EBA Guidelines on Outsourcing.
The Guidelines have four clear aims:
- To set out the steps that financial institutions should take when choosing remote onboarding tools,
- To clarify what regulated financial institutions should do to satisfy themselves that the chosen tool is adequate and reliable,
- To set out what needs to be done to ensure that the chosen tool remains adequate and reliable, and
- To ensure that the chosen tool enables the financial institution to comply effectively with its initial CDD obligations.
When do the Guidelines take effect?
The Guidelines will apply from 2 October 2023. The Central Bank of Ireland has confirmed to the EBA that it will comply with the Guidelines in full, which means financial institutions regulated by the Central Bank will need to factor them into their compliance frameworks from that date onwards.
Who are the Guidelines relevant to?
These Guidelines are going to be of critical interest to existing credit and financial institutions that already use remote on-boarding solutions and/or are considering shifting away from face-to-face methods to on-board their customers. We also think the Guidelines will be particularly relevant for financial institutions seeking authorisation for the first time, and for virtual asset service providers seeking to become authorised as crypto-asset service providers under the new Markets in Crypto Assets Regulation.
What changes to existing AML policies and procedures are required – will firms need to make new edits/revisions or create standalone policies for remote onboarding processes?
Yes. The Guidelines are clear in saying that financial institutions' policies and procedures should now address a number of key points when using remote onboarding solutions:
- Documenting the pre-implementation assessment of the remote customer onboarding solution, including the scope, steps and record keeping requirements applying to these exercises. This is likely to involve a multi-disciplinary assessment of AML/CFT, information security and data protection considerations for each solution to see if the solution is in fact suitable for the financial institution's needs. The assessment needs to be documented so that it can be later shared with the relevant competent authority (if requested) and provide an audit trail confirming that the assessment conducted was in fact a robust one and informed by the risk profile of the financial institution.
- A general description of the solutions in place to collect, verify and record information throughout the remote customer onboarding process, to include an explanation of the features and functioning of the solution.
- The situations where remote customer onboarding can be used and a description of the categories of customers, products and services that are eligible for remote onboarding. This needs to be justified by way of reference to the outputs of the business-wide risk assessment that the financial institution will have prepared previously.
- Which steps are fully automated and which require human intervention.
- A description of the ongoing monitoring controls and quality assurance testing applied to ensure the remote onboarding solution is working effectively.
- A description of the induction and regular training programs to ensure staff awareness and up-to-date knowledge of the functioning of the remote customer onboarding solution, the associated risks arising, and the relevant policies and procedures aimed at mitigating such risks.
- The procedures to be followed to remedy issues where a risk has materialised, or where errors have been identified that have an impact on the efficiency and effectiveness of the remote customer onboarding solution. These procedures need to be detailed in terms of setting out how the financial institution will review the adequacy of CDD held on file, the approach to re-adjusting the risk-rating associated with a customer (if necessary), and to terminate or restrict business relationships if necessary.
Other key points to note
- The Guidelines give guidance on the use of algorithms and optical character recognition methods to review CDD documents and require financial institutions to ensure these tools capture information accurately and consistently.
- Financial institutions are now expected to be able to define what information and data points during the CDD process are manually entered by the customer, automatically captured from the customer, and which data are sourced from internal or external sources.
- When verifying identity, measures that ensure the process is reliable and real-time in nature, such as the use of one-time passwords, biometric data collection and phone calls with customers, are encouraged.
- Quality assurance testing is considered critical to ensure the ongoing adequacy and reliability of remote customer onboarding solutions.
- External audits do not replace the responsibility of the financial institution to ensure ongoing effectiveness of any solution it uses.
- Where the remote onboarding solution is adopted via an outsourcing arrangement, it is clear the Guidelines will need to be factored into any vendor due diligence exercise conducted on the outsourcing service provider. This will add an extra degree of complexity to existing outsourcing governance processes.
Do financial institutions need to apply the Guidelines to all existing remote customer onboarding processes? Or only on a go-forward basis to newly launched remote onboarding processes?
The EBA Guidelines specifically state that they apply to the adoption of "new" remote customer onboarding solutions but may also be useful in situations where financial institutions conduct a periodic review of their existing remote customer onboarding solutions already in place.
This means that the pre-implementation assessment requirements appear to apply on a go-forward basis only to new onboarding processes adopted from 2 October 2023 and do not necessitate an implementation assessment to be papered for existing solutions already in place. That being said, if an existing process undergoes material revision or review after the Guidelines come into effect, then the need for a pre-implementation assessment is likely to be merited.
However, it is also clear that the Guidelines require a series of material changes to a firm's existing policies and procedures across a number of areas, and these should be progressed in the next annual review process if not sooner.
Matheson's view
Our view is that most financial institutions will not have all of the Guidelines' requirements expressly covered off in the requisite level of detail in their existing AML/CFT manuals and other frameworks such as those governing outsourcing, data protection and information security.
It is also quite possible that due diligence reports prepared when a remote onboarding solution was previously being chosen may need a comprehensive refresh at the next periodic review. This may mean any additional risks identified will then have to be embedded into updated risk registers and risk assessments, such as outsourcing risk assessments, operational risk registers, and of course the AML/CFT business-wide risk assessment. This is likely to be a significant body of work for risk and compliance professionals within financial institutions.
It is difficult to avoid the conclusion that a wide-ranging and far-reaching policy and procedural uplift will be required to ensure the new regulatory requirements set down by the Guidelines are fully addressed by financial institutions within their compliance, governance and risk management frameworks.
If you have any questions, please contact Joe Beashel, Ian O'Mara or your usual Financial Institutions Group contact at Matheson.