CySEC Circular C601 on EBA Guidelines for Remote Customer Onboarding under AMLD

TO : Regulated Entities i. Cyprus Investment Firms (‘CIFs’) ii. Administrative Service Providers (‘ASPs’) iii. UCITS Management Companies (‘UCITS MC’) iv. Self-Managed UCITS (‘SM UCITS’) v. Alternative Investment Fund Managers (‘AIFMs’) vi. Self-Managed Alternative Investment Funds (‘SM AIFs’) vii. Self-Managed Alternative Investment Funds with Limited Number of Persons (‘SM AIFLNP’) viii. Companies with sole purpose the management of AIFLNPs ix. Small Alternative Investment Fund Managers (‘Small AIFMs’) x. Crypto Asset Service Providers FROM : Cyprus Securities and Exchange Commission DATE : 12 October 2023 CIRCULAR NO. : C601 SUBJECT : EBA’s Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849 Further to the Cyprus Securities and Exchange Commission’s (the ‘CySEC’) C479 in relation to the public consultation of the European Banking Authority on new draft Guidelines on the use of Remote Customer Onboarding Solutions, the CySEC wishes with this Circular to inform the Regulated Entities that the EBA has published its Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849 (‘Guidelines’). The Guidelines set common EU standards on the development and implementation of sound, risk￾sensitive initial CDD processes in the remote customer onboarding context. They set out the steps institutions should take when adopting or reviewing solutions to comply with their obligations under Article 13(1) points (a), (b) and (c) of Directive (EU) 2015/849 (the ‘AMLD’) to onboard new customers remotely. It also sets out the steps institutions should take when relying on third parties in accordance with Chapter I, Section 4 of the AMLD, and the policies controls and procedures institutions should put in place in relation to customer due diligence (CDD) as referred to in Article 8(3) and (4) point (a) of the AMLD where the CDD measures are performed remotely. Some of the of key points for the institutions when using remote onboarding solutions are:

• Institutions should put in place and maintain policies and procedures to comply with their obligations under Article 13(1) (a) and (c) of the AMLD in situations where the customer is

2 onboarded remotely. These policies and procedures should be risk-sensitive and set out specific details.

• When considering whether to adopt a new remote customer onboarding solution, credit and financial institutions should carry out a pre-implementation assessment of the remote customer onboarding solution.
• When verifying identity, guidance around ensuring the process is reliable and real-time in nature, such as use of one-time passwords, biometric data collection, phone calls with customers, etc. are encouraged.
• Quality assurance testing is considered critical to ensure the ongoing adequacy and reliability of remote customer onboarding solutions.
• Where the remote onboarding solution is adopted via an outsourcing arrangement, the Guidelines will need to be factored into any vendor due diligence exercise conducted on the outsourcing service provider.
• The Guidelines give guidance on the use of algorithms and optical character recognition methods to review CDD documents and require institutions to ensure these tools capture information accurately and consistently. CySEC has adopted the Guidelines, under section 61(1) of the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007, as amended (the ‘AML/CFT Law’), which transposes Article 13(1) of the AMLD. The CySEC brings to the attention of the Regulated Entities that the Guidelines apply since 02.10.2023 and are applicable to the point where they do not conflict the CySEC’s Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing (the ‘AML/CFT Directive’). The AML/CFT Directive is currently under an amendment procedure to reflect the provisions of the Guidelines. Sincerely, Dr George Theocharides Chairman, Cyprus Securities and Exchange Commission