European super-regulators call for more automated KYC checks

Chris Hamblin

9 February 2018

As the tenor of EU policy becomes ever-more authoritarian, the European Banking Authority, the European Securities and Markets Authority and the European European Insurance and Occupational Pensions Authority are now looking forward to the day when people are not allowed access to finance without being fingerprinted.

In a document cumbersomely entitled "opinion on the use of innovative solutions by credit and financial institutions in the customer due diligence process," these bodies (who draw their income from charges that they levy on national financial regulators) want firms to keep all necessary records that let them determine the receipt date and applicable retention period for KYC documents (or other information they have received as part of the CDD process) by means of 'innovative solutions,' i.e. not on paper, the better to transmit them to the police straight away. More to the point, they also look forward to regulators limiting the type of acceptable identifying documents to those that contain:

'high security features' or biometric data, including fingerprints and facial images (e.g. e-passports and e-ID);
qualified electronic signatures created in line with standards set in Regulation (EU) No 910/2014, which deals with electronic identification and trust services for electronic transactions in the EU;
a feature that links the 'innovative solution' in question with trade registers or other reliable data sources such as an EU country's company registration office database; or
a feature that adjoins the 'innovative solution' with the government-established CDD data repository or the 'notified e-ID scheme' (a term from the aforementioned regulation), if the scheme’s assurance level is classified as 'substantial.'

Other wishes to make the 'onboarding' process more onerous abound. The Euro-authorities want national regulators to make sure that firms have enough IT expertise on the spot (in addition to external expert advice) to ensure that these 'solutions' work well and can survive breakdowns or the severance of business relationships with software vendors. They want the regulators to ascertain:

whether or not the firms have the technical skills to oversee the development and proper implementation of 'innovative solutions,' especially if deveoped by external vendors;
whether or not their senior managers and compliance officers know enough about the software; and
whether or not the firms have proper contingency plans in place.

Of all the points that the EU bodies make in the paper, one none-too-literate observation stands out: "Meeting CDD obligations can be challenging for firms, as this process is often associated with significant costs and customer inconvenience." This problem may be about to intensify.