Digital onboarding in the financial sector: this is how Sepblac requires customers to be identified
Francesc Cholvi and María Luz Gómez, senior associate y associate at Garrigues Corporate Department.
Advancements in the digital world, propelled by the impact of COVID-19 have shot up the number of non-face-to-face business relationships, and increased the need for authorized non-face-to-face mechanisms that are sufficiently secure to allow remote onboarding of customers. In this context, it needs to be remembered that the anti-money laundering and counter-terrorist financing (AML/CFT) legislation requires the adoption of policies and procedures that identify the specific risks associated with this type of business relationships, as well as fulfillment of the secure non-face-to-face identification procedures set out in the legislation in force or authorized by the Anti-Money Laundering and Monetary Infringements Commission (Seblac - Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias). Here we describe the non-face-to-face identification procedures that financial institutions need to take into account.
Both the Spanish AML/CFT Law (Law 10/2010, in article 12) and the regulations implementing it (Royal Decree 304/2014, in article 21) allow business relationships to be established or transactions to be conducted by phone, electronically or remotely with customers who are not in the same physical location, provided the customer is identity proofed using secure non-face-to-face identification procedures.
The non-face-to-face identification procedures allowed by those articles, are restricted to cases where:
Importantly for this procedure, Order ETD/465/2021, of May 6, 2021 moved things along to facilitate non-face-to-face application and issuing procedures for qualified electronic signatures, using remote video identification methods, under the rules on trusted electronic services in the eIDAS Regulation. This order implements article 7.2 of Law 6/2020, of November 11, 2020, on certain aspects of trusted electronic services.
As regards the need for authorized mechanisms mentioned in letter d), Sepblac has recognized and authorized the following secure non-face-to-face identification procedures:
It is a procedure able to be used by any institution wishing to establish business relationships or conduct transactions remotely to apply for confirmation of the identification particulars by another institution that it knows has a relationship with that customer, and which participates in SNCE-03.
On May 13, 2021, Sepblac issued a statement informing that the described procedure was to stop being used on September 30, 2021. On September 28, 2021, however, Seblac issued another information notice giving temporary authorization (until Iberpay produces a new procedure authorized by Sepblac), for the procedure to continue to be used for non-face-to-face identification of customers, and provided that additional measures are used to verify that the person participating in the remote procedure is the owner of the account to which the identification procedure relates.
As with the system described above, there are a number of minimum requirements to be fulfilled, namely: (i) the customer must expressly give consent to the video identification procedure being carried out and the recording of the process being retained, which may be given either before or during the procedure; (ii) the recording must be revised by the obliged entity before any transaction is conducted and it must be verified that the customer visibly shows both sides of the identity document, in addition to the obliged entity having to obtain and retain a photocopy or copy of that document; and (iii) the procedure must ensure that the process is carried out by the customer from a single device, that the images and sound are transmitted immediately to the obliged entity in digital format, with no alterations and streamed in real time, and that the obliged entity makes an immediate recording of the process, able to be reproduced sequentially. It is not acceptable for these purposes to use files that were prerecorded by the customer or others.
In the two preceding cases (points II and III), before they are implemented, obliged entities must carry out the specific risk assessment mentioned in article 32.2 of the implementing regulations for Law 10/2010. Similarly, they will have to document the non-face-to-face identification procedure, test its effectiveness and record the results in writing. The various procedures documented and implemented by obliged parties will not require a fresh particular authorization by Sepblac and each obliged entity will be responsible for implementing the technical requirements that will ensure the authenticity, validity, integrity, as well as the privacy of the procedures and identification documents used.
Both identification procedures may be carried out by external service providers. This option is fundamental from the standpoint that technological innovation in the financial industry has the potential to lower costs, increase competition, and provide customers with a better service. Consequently, Sepblac welcomes the use of new technologies as long as they provide the required security levels. This has no effect on the financial institution remaining fully responsible for the fulfillment of its non-face-to-face identification obligations.
A last point to consider is that, with the exception of the non-face-to-face procedure using a qualified electronic signature, within a month from establishment of the non-face-to-face business relationship, obliged entities will have to obtain from these customers single copies of all the documents needed to conduct due diligence, including a copy of the reliable identification document. It is crucial to remember, moreover, that the non-face-to-face identification process cannot be completed if there is any discrepancy among the information provided by the customer, or doubts over the match between the owner and the customer being identified. In those cases, in-person identification is mandatory.