The European Banking Authority (EBA) Guidelines on Remote Customer Onboarding Solutions came into effect in October 2023. These guidelines represent a notable improvement as they provide more clarity and guidance on the onboarding process in digital contexts. At the same time, the EBA allowed for some serious amendments to the original text, weakening the recommendations on the identification technologies. These amendments open the door for fraudsters and will lead to higher costs for mitigating measures. Focusing on chip-based identity document verification will give financial institutions a solid first step in the onboarding process.
According to the European Commission, the AML/CFT rules on Customer Due Diligence for remote and digital contexts lacked clarity. Variations in approaches among Member States hindered innovation and cross-border financial services. To address this, the Commission requested the European Banking Authority (EBA) to provide guidelines for harmonising remote customer onboarding in the financial sector at the EU level. These guidelines outline the procedures that credit and financial institutions ought to follow when implementing solutions for remote onboarding of new customers. They also address supervisors, who shall use these guidelines to evaluate the adequacy of tools used by credit and financial institutions.
The final version of the EBA/GL/2022/15 guidelines, following a three-month public consultation, was published in November 2022 and officially took effect on October 2, 2023. By the end of May 2023 competent authorities in each Member State were required to report their compliance status. Except for Estonia, all others expressed either current compliance or the intention to comply with the guidelines in the future.
At Inverid, as an identity verification technology provider, we have primarily focused our analysis on the technological aspects of the guidelines. It is crucial to note that these guidelines emphasise technological neutrality, but there appears to be some influence from certain identity verification solution vendors on the EBA. For example, the first draft of the guidelines stated the following: “In situations where the customer’s own device allows the collection of relevant data, for example the data contained in the chip of a national identity card, financial sector operators should use this information to verify the consistency with other sources, such as the submitted data and other submitted documents.” The initial text essentially affirmed that chip-extracted data is the most trustworthy, and financial institutions should use it for cross-verification with data obtained from other sources. However, due to pressure from optical vendors, the sentence was weakened in the final text, replacing “should use” with “should consider using”.
The primary arguments submitted to the EBA by the optical vendors against mandatory use of NFC were concerns about friction during the customer onboarding journey, with one vendor citing challenges in instructing users on how to position their smartphones over the identity document due to variations in devices and identity documents. At Inverid, we prioritise creating an enjoyable and easy-to-understand user flow, thanks to the efforts of our dedicated UX team, including dynamic animations tailored to each device and document. Unfortunately, rather than challenging identity verification solution vendors to enhance their technology, the EBA accepted their excuses and changed this guideline in the final version.
The guidelines are divided into seven topics:
1. Internal policies and procedures
The guidelines emphasise the importance of having clear policies and procedures for remote customer onboarding compliance. It is the responsibility of an AML/CFT Compliance Officer to create such policies and ensure their effective implementation and regular review. Before deciding on a new remote customer onboarding solution, a pre-implementation assessment of the solution should be conducted, and once a solution is chosen, it should be monitored on an ongoing basis.
2. Acquisition of information
Credit and financial institutions should define the type of information and documents required for onboarding. They must ensure that the information and images captured meet legal and quality standards.
3. Document authenticity & integrity
If reproductions of documents are accepted in lieu of originals, there should be measures in place to ensure the reliability of these copies. When employing Optical Character Recognition (OCR) solutions for automated information extraction from documents, it is crucial to verify the accuracy of these tools. Financial institutions are also advised, if technically feasible, to directly retrieve information from the chip embedded in the identity document.
4. Matching customer identity as part of the verification process
A link between the identity document owner and the person carrying out the verification process must be established. To achieve this goal, the guidelines suggest utilising biometrics and strong, reliable algorithms. Additionally, liveness detection verifications should be performed. The guidelines also advise incorporating randomness in the sequence of actions performed by the customer to mitigate risks associated with synthetic identities or coercion.
5. Reliance on third parties and outsourcing
It is possible to outsource all or parts of the remote customer onboarding process to a third-party service provider, if it adequately enforces and adheres to the remote customer onboarding policies of the credit and financial institution. Specific requirements regarding data retention by the outsourced service provider are also listed in the guidelines, namely: collecting and storing only the strictly required data in line with a clearly defined retention period, limiting and logging data access, and implementing appropriate security measures.
6. ICT and security risk management
In addition to adhering to the EBA Guidelines on ICT and security risk management, credit and financial institutions must consider additional requirements. These include using secure channels for customer interactions during remote onboarding and providing a secure access point to initiate the remote onboarding process.
7. Compliance with these guidelines where credit and financial institutions use trust services and national identification processes
If a Trust Service Provider or a national identification process is chosen for the remote onboarding process, as referred to in Article 13(1)(a) of Directive (EU) 2015/849, credit and financial institutions should examine if these solutions fully align with the established guidelines and apply measures necessary to mitigate any relevant risk.
ReadID employs NFC (near-field communication) technology for identity verification, requiring only a smartphone and a chipped identity document for secure identity verification with 100% certainty. As per the guidelines, data extracted from the chip is considered the most reliable and should be utilised for cross-verifying information obtained from other sources. On the other hand, optical solutions, relying on photos or videos of identity documents, can be easily fooled and are susceptible to data errors. For instances where the document lacks a chip, optical verification is offered as a fallback. This is in line with recommendations from Gartner as well as national financial industry guidelines such as those introduced by the Austrian FMA.
The guidelines also state that the ID document owner and the person conducting the verification process must be matched. ReadID extracts a high-resolution face image from the ID document chip, while optical verification providers use the photo from the ID document data page, which, in most cases, is of low quality, typically with some form of watermark printed on it to hinder falsification. A better picture results in more trustworthy facial recognition. Inverid can orchestrate with a facial biometrics partner to offer the best and most secure identity verification solution available.
ReadID also complies with the specific requirements regarding data retention by the outsourced service provider outlined in the guidelines. Banks set their retention time for ReadID, which can never be more than 50 days. Moreover, Inverid is ISO27001 & 27701 certified, SOC type 2 compliant, and has the eIDAS module certification High & Qualified Trust Service Providers, as well as Cyber Essentials Plus.
By selecting ReadID, financial institutions are choosing the most secure and robust technology, ensuring a solid foundation for the remote onboarding process. There is no good reason for any bank to settle for less – for the sake of their security as well as for the wellbeing of their customers.