The demand for tools to onboard or accept remote clients is increasing. This presents opportunities, but also additional risks in terms of Money Laundering & Terrorist Financing (ML/MT risks). This prompted the European Banking Authority (EBA) to issue guidelines on this. On 2 October 2023, these EBA guidelines on the use of remote customer acceptance solutions will enter into force.
Why EBA guidelines?
The guidelines set standards for the development and implementation of policies and processes for initial customer due diligence (CDD) in the context of remote onboarding. They describe the steps financial institutions should take when choosing tools for remote customer onboarding or acceptance, and when assessing the suitability and reliability of such tools. In this way, institutions can effectively take steps to mitigate ML/TF risks and comply with their AML/CFT obligations – even when a financial institution outsources customer onboarding.
We are currently awaiting the Dutch AFM guidance. This is likely to be published this year. In the run-up to this, we already set out what institutions should consider when implementing these Guidelines in their policies and procedures. This will include the following points:
- To whom do the Guidelines apply?
- AML/CTF compliance officer as the responsible party
- Assessment process prior to the use of tools
- Assess and adjust policy (Policy Checklist)
- Other points of attention
To whom do the Guidelines apply?
The guidelines are addressed in particular to banks, investment fund managers, investment firms, payment service providers, financial service providers, leasing companies and life insurers that (wish to) use tools when onboarding remote customers. Thus, the guidelines do not apply to all Wwft institutions.
AML/CTF compliance officer in charge
Since 1 December 2022, the guidelines on policies and procedures on compliance management and the role and responsibilities of the AML/CFT compliance officer dated 14 June 2022 apply to the aforementioned financial institutions. These guidelines specify the role, duties and responsibilities of the AML/CFT compliance officer, the management body and the senior manager in charge of AML/CFT compliance in internal policies, controls and procedures.
The guidelines we write about in this article appoint the AML/CTF compliance officer as responsible for complying with them. This officer is responsible for the effectiveness of the policies and procedures, will review them regularly and revise them if necessary. The managing body approves and monitors proper implementation of policies and procedures.
Assessment process prior to using tools
Do you want to use a tool or digital solution in remote onboarding? If so, you will first need to assess and record in advance whether the tool meets the conditions below. According to the guidelines, you assess at least the following:
- The adequacy of the tool with regard to the completeness and accuracy of document and data collection;
- The reliability and independence of the information sources used;
- The impact of using the tool on company-wide risks (including ML/TF-related, operational, reputational and legal risks). In addition, identify potential risk mitigation and corrective actions for each identified risk;
- Fraud risks (including counterfeit risks and other information and communication technology and security risks) using testing (as in the EBA Guidelines on ICT and Security Risk Management);
- The operation of the tool using end-to-end testing; and
- The management of ML/TF risks: these risks can be adequately managed and integrated into the wider internal control system.
If you conclude that the tool meets the assessment, you may use the tool.
If you want to use eIDAS or some kind of similar system, you only need to assess the impact of the tool on the company-wide risks in advance and identify risk mitigation and corrective actions.
Policy checklist
If you intend to use the tool for remote customer onboarding that meets the (minimum) requirements, you will need to adjust the policy accordingly. The guidelines describe general points and more specific items that the policy should describe in any case. We have summarised the points in a checklist below:
| General | ||
| ● | General description of the tool with an explanation of its features and operation. | |
| ● | Situations in which the tool can be used, taking into account identified and assessed risk factors, including description client categories, products and services. | |
| ● | Distinction of steps in the procedure: which steps are autonomous and which require human actions? | |
| ● | Control measures so that the first transaction of a new client takes place only after all initial customer due diligence measures have been carried out. | |
| ● | Description training and awareness of employees. | |
| Continuous monitoring | ||
| ● | Reviews of ongoing quality, completeness, accuracy and adequacy of data collected (in relation to ML/TF risks). | |
| ● | Scope and frequency of these reviews. | |
| ● | Circumstances for ad hoc reviews, anyway: | |
| ● | Changes in ML/TF risk exposure; | |
| ● | Deficiencies in operation of the tool (e.g. revealed during an audit/monitoring); | |
| ● | Observed increase in fraud attempts; | |
| ● | Changes in legislative or regulatory framework. | |
| Identification of the client | ||
| ● | Information necessary to identify the client, including the types of documents, data or information you will use to verify the client’s identity and how this information will be verified. | |
| Identificatie van natuurlijke personen | ||
| ● | Information needed to remotely identify the client. | |
| ● | A distinction with regard to information. An overview of which information is entered manually by the client, which is automatically taken over by the client-provided documentation, and which information is collected using other internal or external sources. | |
| Identificatie van rechtspersonen | ||
| ● | If remotely accepting clients who are legal entities, the category of legal entities will be described. This will take into account the level of ML/TF risk associated with each category, as well as the extent to which employee intervention is required to verify the identification information. | |
| Beroep op derden en uitbesteding | ||
| ● | A description of the remote customer acceptance functions and activities and who performs them: by the financial institution itself, by third parties or by another outsourced service provider. | |
Other points to consider
Some points that also deserve attention andwhich the guidelines expect institutions to take into account include:
- the assessment of the purpose and intended nature of the business relationship;
- the authenticity and integrity of documents;
- matching customer identity as part of the verification process; and
- managing ICT and security risks.
While it does not explicitly follow from the guidelines that the points above should be included in policies, we recommend that they should be set out in procedures and the necessary processes put in place for this purpose.
Want to know more?
Would you like personal advice on customer onboarding and compliance with the guidelines? Feel free to contact us without any obligation.
For more information on conducting customer surveys, you can take our Wwft Customer Survey e-learning through our training institute, The Ministry of Compliance.
