EBA publishes its guidelines on remote customer onboarding

NL Law

On 22 November 2022, the European Banking Authority (“EBA”) published its final Guidelines on the use of remote customer onboarding solutions (the “Guidelines”). In recent years, there was a significant increase in demand for remote onboarding from institutions and their customers, especially since the COVID-19 pandemic. However, the European Commission (“EC”) established that the customer due diligence (“CDD”) rules in Directive (EU) 2015/849 (“AMLD”) did not provide sufficient clarity about what is, and what is not, allowed in a remote and digital context.

The Guidelines “set out the steps credit and financial institutions should take to ensure safe and effective remote customer onboarding practices in line with applicable anti-money laundering and countering the financing of terrorism (AML/CFT) legislation and the EU’s data protection framework.

1. Purpose of the guidelines

The Guidelines on remote customer onboarding have been developed by the EBA – in consultation with the other European Supervisory Authorities – in response to the EC’s request in the context of its Digital Finance Strategy (as published in 2020). To help eliminating the fragmentation in the Digital Single Market for financial services, the EC had invited the EBA to develop Guidelines on remote customer onboarding determining:

  • the types of innovative technologies that are acceptable when credit and financial institutions on-board customers remotely;
  • the conditions that need to be met when credit and financial institutions use innovative technologies to on-board customers remotely;
  • the acceptable forms of digital documentation used for remote customer onboarding; and
  • the conditions under which it is acceptable for credit and financial institutions to rely on information provided by third parties when on-boarding customer remotely.

The EBA identified converging approaches in the different Member States in their expectations in respect of supervision and the measures credit and financial institutions take to comply with the AMLD. The AMLD prescribes what credit and financial institutions should do to comply with the AML/CFT obligations. However, the details what is, and what is not, allowed in a remote and digital context, when onboarding new customers is not prescribed. This had lead to varying approaches in the relevant Member States. Because of these differences, innovation and cross-border provision of financial services can be hindered and, in addition, the EU single market may be exposed to financial crime.

The Guidelines are published to harmonise the use of remote customer onboarding across the EU. By providing the Guidelines, the EBA set common EU standards on the development and implementation of sound, risk-sensitive initial CDD process in the remote customer onboarding context.

2. The Guidelines

The Guidelines are categorized into the following seven topics:

  • Internal policies and procedures;
  • Acquisition of information;
  • Document authenticity & integrity;
  • Matching customer identity as part of the verification process;
  • Reliance on third parties and outsourcing;
  • ICT & Security risk management; and
  • The use of trust services and national identification processes.

3. Scope and application

The Guidelines are addressed to the competent national authorities and to credit and financial institutions.

Translations of the Guidelines will be published on the EBA website. The deadline for the competent national authorities (in the Netherlands: the Dutch Central Bank)) to report whether they comply with the Guidelines, or not, is two months after the publication of these translations. The translations of the Guidelines have not yet been published on the website (1 December 2022). 

Credit and financial institutions should make themselves familiar with the Guidelines and should bear in mind that the Guidelines, once adopted, will interact with a number of existing EBA Guidelines which they will complement, amongst which the EBA Guidelines on outsourcing arrangements as well as the EBA Guidelines on ICT and security risk management. Thus, the Guidelines will need to be read in conjunction with these existing provisions.