Remote customer onboarding – Upcoming changes for payment institutions in Poland
As of October 2, 2023, the European Banking Authority’s (hereinafter: “EBA”) guidelines on the use of remote customer relationship solutions (EBA/GL/2022/15) – so-called “remote onboarding” – will come into force. The guidelines will apply to all credit and financial institutions that fall within the scope of the AML Directive (including but not limited to: national payment institutions, small payment institutions, payment service bureaus, collective investment undertakings marketing their units or shares, insurance intermediaries, currency exchange offices – hereinafter collectively “Institutions”). The guidelines are technology-neutral and do not give preference to the use of one tool over another.
The EBA guidelines introduce a number of obligations that will include, in particular, the need to:
- implement remote onboarding policies and procedures, the content of which will include:
  - a general description of the implemented technological solutions that institutions use to collect, verify and record information during such a process, including an explanation of the solution’s features and operation,
  - situations in which a remote customer service solution can be used, taking into account the risk factors identified and assessed in accordance with Article 8 (1) of Directive (EU) 2015/849 and in an enterprise-wide risk assessment,
  - information on which activities will be performed in the process fully autonomously, and which manually,
  - a description of the controls in place that will ensure that the first transaction with a new customer is not executed until all initial customer due diligence (CDD) measures have been applied,
  - a description of induction programs and regular training to ensure that employees have an awareness and up-to-date knowledge of how the remote customer onboarding solution works, the risks involved, and the policies and procedures to mitigate those risks;
- conduct a pre-implementation assessment that will include, at a minimum:
  - (a) an assessment of the adequacy of the solution in terms of the completeness and accuracy of the data and documents to be collected, as well as the reliability and independence of the sources of information used;
  - (b) an assessment of the impact of using a remote client intake solution on business-wide risks, including money laundering and terrorist financing (“ML/TF”), operational, reputational and legal risks;
  - (c) identification of possible mitigation measures and remedial actions for each risk identified in the assessment under (b);
  - (d) tests to assess fraud risks, including impersonation risks and information and communication technology (“ICT”) and security risks, in accordance with provision 43 of EBA Guideline EBA/GL/2019/04;
  - (e) a comprehensive test of how the solution functions for the customers, products and services specified in the policies and procedures for remote onboarding of customers;
- conduct continuous monitoring of the solution used for remote customer onboarding, for example through: (i) quality tests, (ii) automatic critical alerts and notifications, (iii) automatic quality reports, (iv) random testing, (v) manual reviews. Institutions are required to document the testing activities carried out;
- include in their internal procedures records of the documents, data or information that the Institution will use to verify the identity of the customer and how this information will be verified. Institutions should store the acquired data in a secure manner and time-stamp it. Records, including images, videos, sounds and data, should be available in a readable format and allow the Institution to verify them ex-post;
- take steps to ensure that the copy of the customer’s documents (if the Institution does not examine the originals) is reliable. At a minimum, institutions should determine:
  - whether the copy contains the security features built into the original document, and whether the specifications of the original document being reproduced are valid and acceptable, particularly the type, character size and structure of the document, by comparing them with official databases such as PRADO,
  - whether personal data has not been altered or otherwise compromised, or, if applicable, whether the customer’s photo included in the document has not been replaced,
  - whether the integrity of the algorithm used to generate the unique identification number of the original document was preserved, in case the official document was issued with a machine-readable zone,
  - whether the copy is of sufficient quality,
  - whether the copy was not displayed on a screen based on a photo or scan of the original ID.