The Cypriot regulator, CySEC, issued last week a “Policy Statement on the Enhancement of the Non-Face-to-Face Customer Onboarding Process with Electronic Methods”.
The Statement is a welcome alignment with EU norms and technological advancements. It removes unnecessarily specific arrangements in favor of a more balanced, material approach. Among the elements highlighted are technology neutrality, risk management, GDPR, and information security.
I believe this new focus will allow for a more holistic onboarding process, empowering firms to harness available technologies more efficiently and correctly. This will result not only in better compliance but also in improved customer experience.
Why?
As technology advances, so does regulation regarding it. The Statement is the culmination of several processes, among them CySEC’s October 2020 consultation paper CP-02-2020 and EBA’s October 2023 guidelines on Remote Customer Onboarding Solutions.
It also takes into account experience gained through CySEC’s Innovation Hub, an important initiative because it gives RegTechs, which are key players in regulatory processes, a direct avenue for exchanging information and ideas with the regulator.
Who?
The Statement applies to a wide range of Obliged Entities (OEs) supervised by CySEC, from investment firms and UCITS to AIFMs and CASPs.
What?
The Statement—and the amendment to the CySEC AMLD attached to it as Annex I—cover two aspects related to customer onboarding:
1. The selection of Remote Customer Onboarding Solutions (RCOS).
2. The onboarding process itself.
In regard to the selection of RCOS, the Statement:
- Clarifies that OEs must select RCOS for Non-Face-to-Face (NFTF) customer onboarding according to a risk-based approach.
- Allows OEs to use RCOS in a ‘technology-neutral’ manner and permits the use of RCOS that fall outside the scope of the eIDAS Regulation.
- Clarifies the need for ongoing monitoring of the business relationship between the OE and the RCOS.
- Requires only a notification instead of the submission of a declaratory attestation.
In regard to the onboarding process itself, the Statement clarifies that:
- Video calls are no longer the only eligible onboarding method.
- The type of documentation accepted for NFTF Customers is no longer exclusively passports, and PRADO-included documentation is no longer exclusive when performing identification via dynamic selfie/video call.
- Liveness detection is mandatory only with respect to unattended solutions.
- The use of RCOS is possible not only for natural persons but also for legal entities, including the natural persons acting on their behalf.
- The identification procedure is no longer required to take place through just one device.
- When biometric solutions are used, a unique number need no longer be communicated solely by SMS.
- Addresses can be verified by the collection of copies of original documents through RCOS.
When?
The amended CySEC AMLD enters into force on the date of its publication in the Cypriot Official Gazette. The Statement’s new RCOS-related rules will come into application on 1 December 2024.
Noteworthy
- The Statement includes an extensive overview of various onboarding-related considerations, including those derived from EBA’s guidelines. It emphasizes GDPR compliance and information security.
- Emphasis is placed on customer risk assessment, including geographical risk. In this context, CySEC states that OEs should “assess the reasons why NFTF customers from other jurisdictions are using their services,” which can be seen as part of implementing ESMA’s recommendations regarding the supervision of cross-border investment activities.
Practical Steps and Tips
The new rules highlight the need for RCOS that:
- Allow for quick change management. The reality is that regulation changes quite frequently. The best compliance tools let you make the required changes (in this case, quickly switching verification methods) through simple, no-code configuration.
- Cover a large part of the onboarding process. The larger the part they cover, the fewer RCOS you require, and the easier it is to comply with the Statement’s requirements, such as OE-RCOS relationship monitoring.
- Provide an integrated, configurable customer risk assessment (CRA) tool that takes jurisdictional risk into account.
- Are GDPR compliant. Only choose RCOS that do not otherwise use the data collected in the onboarding process (and preferably have no direct exposure to that data at all).
- Are secure. In this sense, an ISO 27001 or equivalent certification will make the RCOS due diligence (DD) process easier for the firm.
If chosen correctly, the right RCOS can turn onboarding from an organizational pain point into a competitive advantage. The new Statement empowers firms to choose the right RCOS and shape their onboarding process according to their needs and preferences without compromising customer experience or compliance.