Response to consultation on draft Guidelines on the use of remote customer onboarding solutions
Go back
Paragraph 46 is a fixed (exhaustive) list of controls which can be used by financial sector operators in case it is appropriate to the ML/TF risk presented by the business relationship. Taking into account the principle of technology neutrality, the list of measures should remain non-exhaustive.
Paragraph 46.a should be extended with the possibility to use the account information service (AIS) which enables the financial sector operator to obtain necessary data from the payment account of the customer (e.g. customer’s name, address).
Paragraph 58.c requires the outsourcing provider to obtain consent (agreement) of the financial sector operator to any proposed changes of the remote customer onboarding process or to any modification made to the solution provided by the outsourcing provider. This requirement should be limited only to such changes or modifications which jeopardise proper performance of the outsourcing provider obligations specified in the agreement. It should be noted that many financial sector operators use solutions which are provided in SaaS model and previous consent to any modification in such solution would be simply impossible.
1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
NA2. Do you have any comments on Guideline 4.1 ‘Internal policies and procedures’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
NA3. Do you have any comments on the Guideline 4.2 ‘Acquisition of Information’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
NA4. Do you have any comments on the Guideline 4.3 ‘Document Authenticity & Integrity’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
NA5. Do you have any comments on the Guideline 4.4 ‘Authenticity Checks’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Exhaustive list of measures undertaken by financial sector operator in paragraph 46:Paragraph 46 is a fixed (exhaustive) list of controls which can be used by financial sector operators in case it is appropriate to the ML/TF risk presented by the business relationship. Taking into account the principle of technology neutrality, the list of measures should remain non-exhaustive.
Paragraph 46.a should be extended with the possibility to use the account information service (AIS) which enables the financial sector operator to obtain necessary data from the payment account of the customer (e.g. customer’s name, address).
6. Do you have any comments on the Guideline 4.5 ‘Digital Identities’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
NA7. Do you have any comments on the Guideline 4.6 ‘Reliance on third parties and outsourcing’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Outsourcing of CDD – paragraph 58.c – consent of the financial sector operator:Paragraph 58.c requires the outsourcing provider to obtain consent (agreement) of the financial sector operator to any proposed changes of the remote customer onboarding process or to any modification made to the solution provided by the outsourcing provider. This requirement should be limited only to such changes or modifications which jeopardise proper performance of the outsourcing provider obligations specified in the agreement. It should be noted that many financial sector operators use solutions which are provided in SaaS model and previous consent to any modification in such solution would be simply impossible.