- Question ID
-
2021_5730
- Legal act
- Directive (EU) 2015/849 (AMLD)
- Topic
- Customer Due Diligence
- Article
-
13
- Paragraph
-
1
- Subparagraph
-
a
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Not applicable
- Article/Paragraph
-
Not applicable
- Type of submitter
-
Competent authority
- Subject matter
-
Electronic Identification Process
- Question
-
Please can you clarify the interpretation under Article 13(1)(a) of Directive (EU) 2015/849 (AMLD), in relation to the ability of obliged entities to incorporate innovative solutions and/or electronic tools (such as dynamic selfie verification, biometric tools etc.) into their operations, in the context of performing Customer Due Diligence measures.
- Background on the question
-
RELEVANT PROVISIONS OF THE AMLD5
Article 13 (1) (a) of EU Directive 2018/843 (“AMLD5”), provides that:
“Customer due diligence measures shall comprise: (a) identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities;”
Furthermore Recital 22 of AMLD5 provides that:
“Accurate identification and verification of data of natural and legal persons are essential for fighting money laundering or terrorist financing. The latest technical developments in the digitalisation of transactions and payments enable a secure remote or electronic identification. Those means of identification as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council (1) should be taken into account, in particular with regard to notified electronic identification schemes and ways of ensuring cross-border legal recognition, which offer high level secure tools and provide a benchmark against which the identification methods set up at national level may be checked. In addition, other secure remote or electronic identification processes, regulated, recognised, approved or accepted at national level by the national competent authority may be taken into account. Where appropriate, the recognition of electronic documents and trust services as set out in Regulation (EU) No 910/2014 should also be taken into account in the identification process. The principle of technology neutrality should be taken into account in the application of this Directive.”
DIFFERENT READINGS OF ARTICLE 13(1)(A) OF THE AMLD5
At national level, there are different readings of the content of Article 13(1)(a) amongst interested parties, including amongst the respective AML National Competent Authorities (“AML NCAs”), in relation to the ability of obliged entities to incorporate innovative solutions and/or electronic tools (such as dynamic selfie verification, biometric tools etc.) into their operations, in the context of performing Customer Due Diligence measures. It is clarified that the basis of the following readings is solely the EU Law and does not take into account whether Member States have incorporated provisions other than the ones provided for in AMLD5 per se, in transposing AMLD5.
READING 1:
According to this reading obliged entities are able to use such electronic identification solutions only where such electronic solutions are regulated, recognized, approved or accepted by a bespoke national authority, other than the AML NCAs.
READING 2:
According to this reading obliged entities may use such electronic identification solutions only where such electronic solutions are regulated, recognized, approved or accepted by the respective AML NCAs. The understanding that the responsible competent authority referred to in Article 13(1)(a) is the national competent authority responsible for the AML supervision per obliged entity, is stemming from the content of recital 22 of the AMLD5 and particularly from the reference to “secure remote or electronic identification processes, regulated, recognized, approved or accepted at national level by the national competent authority may be taken into account” (emphasis in the original), in conjunction with the absence of a definition or any other reference in AMLD5, to a different national authority responsible for the regulation, recognition, approval or acceptance of such electronic identification processes.
READING 3:
READING 3.1 – ABILITY OF OBLIGED ENTITIES TO USE INNOVATIVE SOLUTIONS IN ACCORDANCE WITH THEIR OWN RISK ASSESSMENT:
According to this reading the reference to: “any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities”, in Article 13(1)(a) of the AMLD5, is in relation to additional alternative methods of electronic verification and identification, which are regulated, recognized, approved or accepted by the relevant national authorities (where such regulation, recognition, approval or acceptance, by a national authority exist in the respective Member State) and does not prevent obliged entities from using other innovative/electronic solutions for the performance of client due diligence measures, including identifying the customer and verifying the customer’s identity, on a risk basis on their own responsibility, in accordance with their risk assessment; and which (the electronic identification and verification solutions) are not regulated, recognized, approved or accepted by any national authority.
The aforesaid reading is stemming from the following:
- The ability of obliged entities to use such innovative solutions in line with their risk assessment and that such innovative solutions may form an alternative source of independent and reliable sources of data and/or information, was corroborated by the ESAs Opinion on the Use of Innovative Solutions by Credit and Financial Institutions in the Customer Due Diligence Process (JC 2017 81), issued on 23 January 2018. The relevant regulatory framework at the time, underpinning the said the ESAs Opinion, was Directive (EU) 2015/849 (“AMLD4”). According to the ESAs Opinion such solutions may be considered as an alternative source of data and information. Specifically, Paragraph 10 of the ESAs Opinion states the following:
“EU law does not specify what ‘reliable and independent sources’ are. This means that, to the extent permitted by national legislation, firms have some flexibility regarding the sources of information they use to meet their CDD obligations. For example, while official documents such as passports (for natural persons) or certificates of incorporation (for legal persons) are largely relied upon by firms to verify their customers’ identity, EU law does not prevent the verification of the customer’s identity on the basis of alternative reliable and independent documents, data and information, as long as firms can demonstrate to their competent authority that the use of particular sources is commensurate with the ML/TF risks presented by the underlying business relationship.”
- The reference to “any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities;” was incorporated in Article 13(1)(a) by virtue of the AMLD5, whilst under AMLD4 (which was the basis underpinning the ESAs Opinion), Article 13(1)(a) was merely reading as follows: “Customer due diligence measures shall comprise: (a) identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;”
In our view the addition in Article 13(1)(a) under AMLD5, shall be read in conjunction with the previous sentence, namely that “Customer due diligence measures shall comprise: (a) identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities;” (emphasis in the original).
This means that such other secure, remote or electronic identification processes regulated, recognised, approved or accepted by the relevant national authorities, are included in the possible data sources of independent and reliable nature and may be used where they are available, but in no way obliged entities are prevented from using other innovative solutions that are not regulated, recognized, approved or accepted by relevant national authorities, in accordance with their own risk assessment.
For the avoidance of doubt, we would like to note that we consider that:
- Such innovative/electronic tools (e.g. dynamic selfie verification, biometric verification tools etc.) shall be viewed as sources of data and information and obliged entities must inter alia ensure that they are reliable and independent, as per article 13(1)(a) of the AMLD5; and
- The use of such innovative solutions must be subject to a risk assessment undertaken by the obliged entity in question and such risk assessment must inter alia take into account the ESAs Opinion and the FATF Guidance on Digital Identity.
READING 3.2 – WHICH ARE THE RELEVANT NATIONAL AUTHORITIES, FOR REGULATING, RECOGNIZING, APPROVING, OR ACCEPTING, THE (ALTERNATIVE) ELECTRONIC IDENTIFICATION PROCESSES:
Where such electronic identification processes that are regulated, recognized, approved or accepted by relevant national authorities exist, such relevant national authorities may in our view be either:
- The national competent authority responsible for the AML supervision per respective obliged entity; or
- A different bespoke national authority mandated to regulate, recognize, approve or accept such electronic identification processes (if such Authority exists at national level).
This understanding is stemming from the content of recital 22 of the AMLD5 and particularly from the reference that: “secure remote or electronic identification processes, regulated, recognized, approved or accepted at national level by the national competent authority may be taken into account” (emphasis in the original), in conjunction with the absence of a definition or any other reference in the recitals to a different national authority responsible specifically for the regulation, recognition, approval or acceptance of such electronic identification processes. This in our view indicates that Member States are not prevented from assigning such responsibility to the respective AML NCAs if they choose so. However the more general reference to relevant national authorities instead of national competent authority, in Article 13(1)(a), provides in our view also the ground for assigning such responsibility to a different bespoke national authority, if a Member State decides to do so.
- Submission date
- Status
-
Question under review
- Answer prepared by
-
Answer prepared by the EBA.