Digital onboarding in the financial sector: this is how Sepblac requires customers to be identified
Francesc Cholvi and María Luz Gómez, senior associate and associate at Garrigues Corporate Department.
Advancements in the digital world, propelled by the impact of COVID-19, have driven up the number of non-face-to-face business relationships and increased the need for authorized non-face-to-face mechanisms that are sufficiently secure to allow remote onboarding of customers. In this context, it needs to be remembered that the anti-money laundering and counter-terrorist financing (AML/CFT) legislation requires the adoption of policies and procedures that identify the specific risks associated with this type of business relationship, as well as fulfillment of the secure non-face-to-face identification procedures set out in the legislation in force or authorized by the Anti-Money Laundering and Monetary Infringements Commission (Sepblac - Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias). Here we describe the non-face-to-face identification procedures that financial institutions need to take into account.
Both the Spanish AML/CFT Law (Law 10/2010, in article 12) and the regulations implementing it (Royal Decree 304/2014, in article 21) allow business relationships to be established or transactions to be conducted by phone, electronically or remotely with customers who are not in the same physical location, provided the customer is identity proofed using secure non-face-to-face identification procedures.
The non-face-to-face identification procedures allowed by those articles are restricted to cases where:
- a) The customer is identity proofed using the qualified electronic signature regulated in Regulation (EU) of the European Parliament and of the Council on electronic identification. This new requirement was included following the transposition into Spanish law of the Fifth Directive on AML/CFT (Directive (EU) 2018/843). A noticeable feature of this case is that it will not be necessary to obtain a copy of the identity document (unlike in the other cases), although the identification information supporting the validity of the procedure will need to be retained.
  Importantly for this procedure, Order ETD/465/2021, of May 6, 2021 moved things along to facilitate non-face-to-face application and issuing procedures for qualified electronic signatures, using remote video identification methods, under the rules on trusted electronic services in the eIDAS Regulation. This order implements article 7.2 of Law 6/2020, of November 11, 2020, on certain aspects of trusted electronic services.
- b) The first payment comes from an account in the customer’s name opened at an institution domiciled in Spain, in the European Union or in equivalent third countries.
- c) The customer is identity proofed using a copy of their identity document, which must be issued by a public authenticating official.
- d) The customer is identity proofed using other secure non-face-to-face identification procedures, provided they have first been authorized by Sepblac.
As regards the need for authorized mechanisms mentioned in letter d), Sepblac has recognized and authorized the following secure non-face-to-face identification procedures:
- I. The application procedure for confirmation of information on the ownership of accounts between institutions at Sociedad Española de Sistemas de Pago S.A. (Iberpay) was authorized by Sepblac on May 22, 2015. This procedure is only allowed to be used by participating institutions in the SNCE-03 subsystem of the Spanish Electronic Clearing System, which is the mechanism used for the electronic exchange, clearing and settlement of transactions between these authorized institutions.
  The procedure can be used by any institution wishing to establish business relationships or conduct transactions remotely to request confirmation of the customer's identification particulars from another institution that it knows has a relationship with that customer and that participates in SNCE-03.
  On May 13, 2021, Sepblac issued a statement announcing that the described procedure was to stop being used on September 30, 2021. On September 28, 2021, however, Sepblac issued another information notice giving temporary authorization (until Iberpay produces a new procedure authorized by Sepblac) for the procedure to continue to be used for non-face-to-face identification of customers, provided that additional measures are used to verify that the person participating in the remote procedure is the owner of the account to which the identification procedure relates.
- II. The non-face-to-face video identification procedure was authorized by Sepblac on February 12, 2016 for customers holding the reliable identification documents referred to in the legislation. This identification process, of which a recording showing the date and time must be made and retained as required in the legislation, is subject to a number of requirements, namely: (i) before the recording starts, the customer must expressly give consent to this non-face-to-face procedure, as well as to it being recorded and retained; and (ii) during the video call, the customer that is providing proof of identity must visibly show both sides of the document. The obliged entity will also need to obtain and retain a photograph or copy of this identification document.
- III. The video identification procedure was authorized by Sepblac on May 11, 2017 for customers holding reliable identification documents. The main difference from the previous procedure is the absence of online interaction between customer and operator. This process is based on the customer recording a video, which is sent to the obliged entity for it to make the necessary identification.
  As with the system described above, there are a number of minimum requirements to be fulfilled, namely: (i) the customer must expressly give consent to the video identification procedure being carried out and the recording of the process being retained, which may be given either before or during the procedure; (ii) the recording must be reviewed by the obliged entity before any transaction is conducted and it must be verified that the customer visibly shows both sides of the identity document, in addition to the obliged entity having to obtain and retain a photocopy or copy of that document; and (iii) the procedure must ensure that the process is carried out by the customer from a single device, that the images and sound are transmitted immediately to the obliged entity in digital format, with no alterations and streamed in real time, and that the obliged entity makes an immediate recording of the process, able to be reproduced sequentially. It is not acceptable for these purposes to use files that were prerecorded by the customer or others.
In the two preceding cases (points II and III), before they are implemented, obliged entities must carry out the specific risk assessment mentioned in article 32.2 of the implementing regulations for Law 10/2010. Similarly, they will have to document the non-face-to-face identification procedure, test its effectiveness and record the results in writing. The various procedures documented and implemented by obliged entities will not require a fresh individual authorization by Sepblac, and each obliged entity will be responsible for implementing the technical requirements that will ensure the authenticity, validity and integrity, as well as the privacy, of the procedures and identification documents used.
Both identification procedures may be carried out by external service providers. This option is fundamental from the standpoint that technological innovation in the financial industry has the potential to lower costs, increase competition, and provide customers with a better service. Consequently, Sepblac welcomes the use of new technologies as long as they provide the required security levels. This does not alter the fact that the financial institution remains fully responsible for the fulfillment of its non-face-to-face identification obligations.
A last point to consider is that, with the exception of the non-face-to-face procedure using a qualified electronic signature, within a month from establishment of the non-face-to-face business relationship, obliged entities will have to obtain from these customers single copies of all the documents needed to conduct due diligence, including a copy of the reliable identification document. It is crucial to remember, moreover, that the non-face-to-face identification process cannot be completed if there is any discrepancy among the information provided by the customer, or doubts over the match between the owner and the customer being identified. In those cases, in-person identification is mandatory.