New EBA Guidelines

The European Banking Authority just finalised its new guidelines for remote customer onboarding

by Clive Bourke, President, EMEA & APAC
December 21, 2022

The EBA (European Banking Authority) recently finalised its guidelines on remote customer onboarding. These new guidelines aim to reduce fragmentation across the single market and will apply where any regulated credit or financial institution adopts a new remote customer onboarding solution, and in situations where institutions review remote customer onboarding solutions that are already in place. The guidelines will enter into force 6 months after their publication in all EU official languages.

Background
Currently, the financial services regulators of each EU country can set different guidelines for how credit and financial institutions perform remote digital onboarding. The variations make it difficult – especially for banks and fintechs operating in multiple countries – to evaluate different tech solutions and to know what is acceptable to the regulators.

In Germany, for example, there are very specific guidelines for digital onboarding; you must conduct an online video call with an agent where you are asked to hold your passport or ID card, move it in specific ways so various aspects can be checked, and so on, while the identification takes place. Conversely, in some countries, there are no formal guidelines, which has led to many variations in the approaches that banks use for digital onboarding.

The EBA’s new set of guidelines should bring much more consistency to digital onboarding services across borders. This consistency is good news for regulators, banks, and their customers. For a customer who takes advantage of innovative financial services from different EU countries, the guidelines will reduce the friction associated with unexpected and inconsistent identity verification processes.

What’s New?
The EBA’s new guidelines make it clear that banks may use attended or unattended approaches for digital onboarding, and that fully automated or human-assisted processes can be used. The guidelines allow for the use of eIDAS, either (national) eID schemes or QTSPs, where available, but also state that other approaches can be used if they meet the guidelines.

The guidelines include requirements for the creation of internal policies, pre-implementation assessment, ongoing monitoring of solutions, customer identity data, document authenticity, matching, use of third parties/outsourcing, and ICT & security risk. Below is a brief overview of some of the main takeaways from the new guidelines.

Document Authenticity & Integrity
Per the EBA, documents must establish:

    • If an image includes security features embedded in the original document
      • This is used to determine if the specifications of the original document are valid and acceptable, in particular, if the type, size of characters, and structure of the document are correct, by comparing them with official databases, such as PRADO
    • That the personal data has not been altered, and that the picture of the customer has not been replaced
    • The integrity of the algorithm used to generate the unique identification number of the original document
    • That the image is of sufficient quality and definition to be unambiguous
    • That the image has not been displayed on a screen or based on a photograph or scan

Matching Customer Identity
For unattended methods, organizations must:

    • Ensure lighting is adequate
    • Ensure the photo/video is taken at the time of onboarding
    • Use liveness detection
    • Use strong and reliable algorithms to check against the document photo
    • Where possible, include randomness in the sequence of actions by the customer
    • Use one or more additional controls, based on risk, e.g., random time-limited OTP; biometric data to compare with other independent, reliable sources; telephone contact; or direct mailing (electronic and postal)

eIDAS Trust Services
The guidelines also state that:

    • It is not necessary for the financial institution to specifically assess many of the detailed requirements above, including for pre-implementation assessment, so long as an eID scheme at substantial/high, or a QTSP, is used
    • The EBA allows other methods, “such as non-qualified trust services or other solutions that are regulated, recognized, approved, or accepted at a national level”

What Do Credit and Financial Institutions Need to Know?
Where pre-implementation assessment is concerned, the EBA’s new requirements place the onus on credit and financial institutions to do significant due diligence. This means it is more important than ever that these organizations partner with a reputable, well-established company that is transparent about how its technology works.

How We Can Help
The EBA has made it known that organizations can leverage attended or unattended digital onboarding processes, as well as utilize either automated or human-supported ones. Daon® offers identity proofing and authentication solutions that support both automated and human-involved digital onboarding processes.