In a new joint opinion (19-page / 225KB PDF) they have issued, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) set out the type of issues financial regulators should consider when assessing whether firms' use of "innovative solutions" for customer due diligence (CDD) processes adequately address risks of money laundering and terrorist financing.
While aimed at regulators, the opinion provides guidance on the type of controls they might put in place to satisfy regulators that they are appropriately addressing those risks.
The regulators acknowledged that innovation in CDD processes offers potential to "improve the effectiveness and efficiency" of controls to address money laundering and terrorist financing. However, they also said that there is a risk that innovation in those processes could "weaken" firms' safeguards, and potentially "undermine the integrity of the markets in which they operate", if that innovation is "ill understood or badly applied".
Regulators should check that firms have "sufficient in-house expertise, in addition to any external expert advice, to guarantee the implementation and use of the innovative solution as well as to ensure the continuation of services should the innovative solution suffer irreparable system failure or the termination of a business relationship between the firm and an external provider of the solution (where it is not developed in-house)", the opinion said.
This assessment should include a review of whether or not the senior management and the compliance officer at firms "have appropriate understanding of the innovative solution" as well as whether "proper contingency plans" are in place, it said.
According to the opinion, firms also need to have written agreements in place with external providers of CDD solutions. Those agreements must set out "the roles and responsibilities of each party" and should provide "guarantees that the firm should be informed of, and have decision-making powers over, any changes proposed to the innovative solution or the CDD measures and processes", the three regulators said.
When outsourcing the provision of digital CDD solutions, firms must also be able to provide regulators with a copy of "all necessary records that enable them to determine the receipt date and applicable retention period for the documentation, information and data received as part of the CDD process through innovative solutions". Those records should be produced by firms "without delay" when regulators request them, they said.
Firms should also be able to show that they have "effective controls in place to demonstrate that high standards of data and IT security are adhered to, including where data storage has been outsourced to a cloud service provider", the opinion said.
The EBA, EIOPA and ESMA said that national regulators should carry out checks on the quality and adequacy of firms' CDD measures.
The regulators should examine whether firms have controls in place to ensure, among other things, "that innovative solutions are operating effectively and efficiently", and that "documentation, data and information gathered during the customer on-boarding process through innovative solutions remains accurate and up to date", they said.
Firms should have controls in place to prevent the alteration of data in documentation providing proof of identity, the regulators said. They should put controls in place to address potential counterfeiting and fraud, they said.
Measures firms might consider are "limiting the type of acceptable identity documents to those that contain: high security features or biometric data including finger prints and a facial image … [or] … a qualified electronic signature created in line with standards set in [EU law]", the opinion said.
Firms could also verify customers' identities through electronic identification (e-ID) schemes that many EU countries operate, it said.