2025-02-28

Circular to Banks No. 2025-06 of February 28, 2025

The Central Bank of Tunisia issued Circular No. 2025-06 to establish minimum regulatory requirements for the electronic onboarding of clients, mandating banks to implement secure, automated or semi-automated identification processes that meet or exceed physical verification standards. The circular requires comprehensive governance frameworks, including formalized procedures, risk mapping, incident management, continuous staff training, and pre-implementation technological testing to minimize false acceptance rates. It further regulates third-party outsourcing, mandates prior notification and approval dossiers to the central bank, and imposes strict data protection, biometric verification, audit, and reporting obligations to combat money laundering and terrorist financing.


Tunisia

Banque Centrale de Tunisie


Tunis, February 28, 2025

Circular to Banks No. 2025-06

Subject: Minimum Rules Governing Electronic Client Onboarding.

The Governor of the Central Bank of Tunisia,

Having regard to Organic Law No. 2004-63 of July 27, 2004 on the protection of personal data;

Having regard to Organic Law No. 2015-26 of August 7, 2015 on the fight against terrorism and the repression of money laundering, as amended and supplemented by Organic Law No. 2019-09 of January 23, 2019;

Having regard to Law No. 2000-83 of August 9, 2000 on electronic communications and e-commerce;

Having regard to Law No. 2005-51 of June 27, 2005 on electronic fund transfers;

Having regard to Law No. 2016-35 of April 25, 2016 establishing the status of the Central Bank of Tunisia;

Having regard to Law No. 2016-48 of July 11, 2016 on banks and financial institutions;

Having regard to Circular to Credit Institutions No. 2006-01 of March 28, 2006 on the regulation of outsourcing operations;

Having regard to Circular to Credit Institutions No. 2006-19 of November 28, 2006 on internal control;

Having regard to Circular to Banks and Financial Institutions No. 2017-08 of September 19, 2017 on internal control rules for managing money laundering and terrorist financing risk, as amended and supplemented by Circular No. 2018-09 of October 18, 2018;

Having regard to Circular to Banks and Financial Institutions No. 2021-05 of August 19, 2021 on the governance framework for banks and financial institutions;

Having regard to Circular to Banks and Financial Institutions No. 2024-02 of January 29, 2024 on the conditions for marketing and pricing of financial products and services;

Having regard to the opinion of the Compliance Control Committee No. 2025-06 of February 28, 2025, as provided for by Article 42 of Law No. 2016-35 of April 25, 2016 establishing the status of the Central Bank of Tunisia;

Decides:

TITLE I: GENERAL PROVISIONS

Article 1: The measures established by this circular constitute minimum requirements for the electronic onboarding of clients, without prejudice to the application of more stringent measures by banks. The provisions of this circular supplement those of Circular to Banks and Financial Institutions No. 2017-08 of September 19, 2017 on internal control rules for managing money laundering and terrorist financing risk, which together with this circular form a unified and inseparable regulatory framework.

Article 2: For the purposes of this circular, the following definitions apply:

  • Electronic client onboarding: the process by which a bank uses an automated or semi-automated technological method to digitize all or part of the process of collecting, verifying, and retaining client identification elements.
  • Electronic identification: the process consisting of using personal identification data in electronic form that uniquely represents a natural or legal person.
  • False Acceptance Rate (FAR): the probability that the technological process accepts a relationship initiation request from a person when it should be rejected. This rate indicates the technological process's ability to detect inauthentic identity verification attempts. It is calculated using the following formula:

    FAR = (Number of False Positives / (Number of False Positives + Number of True Positives)) × 100

  • False positives: cases where the technological process verified and accepted a person's identity when it should have been refused.
  • True positives: cases where the technological process correctly verified and accepted a person's identity.
  • False negatives: cases where the technological process incorrectly rejected a person's identity verification when it should have been accepted.
  • True negatives: cases where the technological process correctly rejected a person's identity verification.
  • Incident management system: the set of procedures that a bank must implement in the event of a security breach, fraud attempt, or any other suspicious activity.
  • Scalability: the capacity of a technological process to withstand increased load to manage a rise in the number of users effectively and without performance loss.
  • Performance register: the register that records the key indicators used to evaluate the effectiveness and reliability of the technological process implemented for electronic client onboarding.
  • Proof of life: the process of verifying that a person providing biometric data is genuinely a living human being.

Article 3: In the event that a bank proceeds with the electronic onboarding of clients, it must:

  • use a technological process that meets the minimum requirements defined in this circular;
  • implement due diligence measures proportionate to client risk profiles; and
  • guarantee a level of identity verification at least equivalent to that involving the physical presence of clients, in accordance with Circular No. 2017-08.

TITLE II: GOVERNANCE RULES

Article 4: A bank planning to use electronic client onboarding must establish formalized, adequate, and coherent procedures aligned with its risk appetite policies and the protection of banking service users' interests and personal data, as provided for by Circular to Banks and Financial Institutions No. 2021-05 of August 19, 2021. These procedures must be approved by the bank's governing body and must include, in particular:

  • a detailed description of the end-to-end electronic client onboarding process, including the interview procedure, as well as steps that are fully automated and those requiring human intervention;
  • a detailed description of the technological process to be implemented for electronic client onboarding;
  • a risk map associated with electronic client onboarding, such as operational risks, risks related to personal data processing and identity theft, cyber risk, scalability risk, business interruption risk, as well as money laundering and terrorist financing risks;
  • risk mitigation measures;
  • the incident management system for identifying and resolving issues that could impact the security or performance of the electronic client onboarding process; and
  • where applicable, the total or partial use of third parties during the electronic client onboarding process.

Article 5: A bank that has adopted the procedures referred to in Article 4 of this circular must:

  • allocate the necessary financial and technical resources;
  • continuously ensure the security and performance of the electronic client onboarding technological process;
  • provide continuous training programs for personnel involved in the electronic client onboarding process;
  • establish a risk management system associated with electronic client onboarding, emphasizing data security and system integrity; and
  • maintain continuous technological monitoring to ensure the adaptability and resilience of the technological processes used.

TITLE III: MINIMUM TECHNICAL REQUIREMENTS

Article 6: During the electronic onboarding of clients, the bank must collect client and beneficial owner identification elements in accordance with Circular to Banks and Financial Institutions No. 2017-08. The bank is required to verify client identities. To this end, it must, in particular:

  • obtain the client's prior consent regarding the processing of their personal data;
  • implement an adequate combination of authentication factors for the electronic identification of clients, proportionate to the assessed risks;
  • verify the authenticity and integrity of identification documents provided by the client when a connection or integration is available with the electronic systems of the competent authorities that issued these documents. Where remote access to the required information is not possible, the relationship initiation cannot be validated. To this end, the bank will manually verify the identification documents provided by the client;
  • ensure the client's physical presence using audiovisual communication technology, facial recognition, or any other reliable technology that allows confirming proof of life; and
  • conduct a matching analysis between the client's entered identification data and their biometric data, using character recognition techniques.

Article 7: During the electronic onboarding of clients, the bank must ensure filtering and profiling in accordance with Circular to Banks and Financial Institutions No. 2017-08.

Article 8: The bank must ensure that, at the end of the electronic onboarding process, the technological process used automatically generates a client "KYC" identification sheet recording at least all information required by Circular No. 2017-08. In the event of changes to client data, the identification sheet must be updated within a period not exceeding one month.

Article 9: For corporate clients, and in addition to the measures provided for in Articles 6, 7, and 8 of this circular, the bank must collect paper copies of the client's identification documents. The validation of the relationship initiation is contingent upon the prior collection of identification documents, unless a low risk has been duly assessed and documented.

Article 10: The client's consent to the terms of the relationship initiation is given upon their signature, either electronically or by handwritten signature. When the signature is electronic, it must be based on a reliable identification method that establishes a secure link between the signature and the electronic document to which it pertains.

Article 11: The bank must take all necessary measures to securely retain "KYC" sheets, personal data, copies of identity documents, and other necessary documents provided for by Circular No. 2017-08 and collected as part of the electronic client onboarding process. These measures must guarantee, using a reliable cryptographic process, the integrity of these documents.

Article 12: The bank is required to ensure the reliability of the electronic client onboarding technological process prior to its implementation. To this end, it must, in particular:

  • submit the technological process, before going into production, to tests whose results must be recorded in a performance register maintained on a monthly basis in accordance with Annex 1 to this circular, and take necessary measures to minimize the False Acceptance Rate (FAR);
  • subject the technological process to penetration testing conducted by an audit body accredited by the National Cybersecurity Agency to detect the presence of vulnerabilities that could significantly impact the protection of personal data or the security of operations; and
  • establish an incident management system for incidents that may occur during the electronic onboarding of clients.

It is understood that the deployment of the technological process into production is conditional upon its technical capability to eliminate all cases of false acceptances.

Article 13: The procedures provided for by this circular form part of the internal control system for managing money laundering and terrorist financing risk. Said procedures and the technological process used for electronic client onboarding must be subject to an audit mission every two years, the results of which must be approved by the audit committee. These results must be documented and retained for review by the Central Bank of Tunisia.

TITLE IV: USE OF THIRD PARTIES

Article 14: In the event that a bank plans to use a third party to carry out part or all of the electronic client onboarding process, it must, in particular:

  • comply with the provisions of Circular No. 2017-08 on internal control rules for managing money laundering and terrorist financing risk;
  • ensure that the third-party service provider is capable of providing the necessary documents to meet the requirements of Circular No. 2017-08, and of allowing the bank access to electronic systems, websites, or databases to verify the validity and accuracy of these documents, data, or information, in accordance with applicable regulations;
  • comply with the legal and regulatory provisions governing outsourcing operations, particularly those provided for in Article 81 of Law No. 2016-48 on banks and financial institutions;
  • ensure that the third-party service provider has submitted the technological process to tests in accordance with the provisions of Article 12 of this circular; and
  • subject the activities involving the use of third parties to annual audits to evaluate their compliance with applicable regulations and their adequacy with required security and reliability standards.

Article 15: Without prejudice to the legal and regulatory provisions governing outsourcing operations, the contract to be concluded with the third party, upon favorable opinion from the bank's compliance control officer, must include at minimum the following elements:

  • the maintenance of registers and the management of data, information, and documents, as well as the respect of their confidentiality;
  • the definition of circumstances under which the bank may assess the third party's failure to meet its obligations and take necessary corrective measures;
  • the determination of cases in which the bank may examine the third party's failure to perform its obligations and take necessary measures;
  • the bank's right to timely access all relevant data, information, and documents for the electronic onboarding procedures implemented by the third party;
  • the prohibition for the third party to disclose data, information, and documents related to electronic onboarding procedures, except in cases authorized by law;
  • the prohibition for the third party to subcontract the operations outsourced to them;
  • the provision, upon request, to the Central Bank of Tunisia of all documents and information it deems necessary, and acceptance of the control of outsourced operations at its headquarters and any premises it owns; and
  • the systematic periodic review of contracts concluded with third parties and their updating, if necessary.

The use of third parties in no way exempts the bank from its ultimate responsibility regarding the third party's execution of the electronic client onboarding process and the bank's compliance with money laundering and terrorist financing prevention requirements and any requirements set forth in this circular.

TITLE V: INFORMATION TO THE CENTRAL BANK OF TUNISIA

Article 16: Without prejudice to the provisions of Article 17 of Circular No. 2024-2 and prior to implementing an electronic client onboarding technological process, the bank must submit to the Central Bank of Tunisia a file including, in particular:

  • the electronic client onboarding process, specifying steps that are fully automated and those requiring partial human intervention;
  • a description of the technological process the bank plans to implement to collect, verify, and retain client information throughout the remote business relationship initiation process;
  • a detailed report on risks associated with the onboarding process, including the residual money laundering and terrorist financing risk level, identity theft and personal data risk, cyber risk, scalability or business interruption risk, as well as additional measures taken to mitigate them;
  • a copy of the penetration test report conducted by the audit body accredited by the National Cybersecurity Agency;
  • an evaluation of the technological process's performance based on a test sample in the pre-production phase, including an analysis of observed FAR rates in accordance with Annex 1 to this circular;
  • proposed actions to reduce the FAR; and
  • mitigation measures or additional controls envisaged to maintain the effectiveness of the onboarding process.

In the event of using a third party, the bank is required to provide the Central Bank of Tunisia, in addition to the documents cited in the first paragraph of this article, with the contract to be concluded as well as the updated attestations from the third party for the processing of personal and biometric data issued by the National Authority for the Protection of Personal Data.

Article 17: The bank is required to promptly inform the Central Bank of Tunisia of any major technical, technological, or functional incident related to the electronic onboarding of clients. This notification must detail the nature of the incident, underlying causes, client notification procedures, and corrective actions to be undertaken by the bank in response to the incident.

TITLE VI: TRANSITIONAL PROVISIONS AND ENTRY INTO FORCE

Article 18: This circular enters into force as of the date of its publication. Banks that have been authorized by the Central Bank of Tunisia to implement an electronic client onboarding process prior to the publication date of this circular must comply with its provisions within a period not exceeding six (06) months from the date of its entry into force.

The Governor,
Fethi Zouhaier NOURI

Annex 1 to Circular No. 2025-06 of February 28, 2025

Technological Process Performance Register Used for Electronic Client Onboarding

| Data | Month 1 | … | Month p |
|---|---|---|---|
| Total sample size of identification and verification cases | | | |
| Number of true positive cases | | | |
| Number of true negative cases | | | |
| Number of false positive cases | | | |
| Number of false negative cases | | | |
| False Acceptance Rate (%) | | | |
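The following is an added worked example, not part of the circular and not code from the Central Bank of Tunisia, showing how a bank might maintain the Annex 1 register in code: it checks that each month's four outcome counts add up to the sample size, computes the FAR exactly as Article 2 defines it (false positives over all accepted cases), treats a month with no accepted cases as undefined rather than dividing by zero, and reports which months would block go-live under Article 12. It also computes, for comparison only, the rate most biometric vendors quote as "FAR" (false positives over all cases that should have been refused); the two definitions differ, so a vendor-supplied figure cannot be copied into the register without recomputation. The month names, field names and all figures are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MonthlyRegister:
    """One column of the Annex 1 register. Field meanings follow Article 2."""
    month: str
    total: int   # total sample size of identification and verification cases
    tp: int      # true positives: identity correctly verified and accepted
    tn: int      # true negatives: identity correctly rejected
    fp: int      # false positives: accepted although it should have been refused
    fn: int      # false negatives: rejected although it should have been accepted


def is_consistent(reg: MonthlyRegister) -> bool:
    """The four outcome classes partition the monthly sample; a register whose
    counts do not add up to the sample size was filled in incorrectly."""
    counts = (reg.tp, reg.tn, reg.fp, reg.fn)
    return all(c >= 0 for c in counts) and sum(counts) == reg.total


def far_circular(reg: MonthlyRegister) -> Optional[float]:
    """False Acceptance Rate as defined in Article 2 of the circular:
    FP / (FP + TP) x 100, i.e. the share of accepted cases that were wrongly
    accepted. Returns None when nothing was accepted (zero denominator)."""
    accepted = reg.fp + reg.tp
    if accepted == 0:
        return None
    return 100.0 * reg.fp / accepted


def far_conventional(reg: MonthlyRegister) -> Optional[float]:
    """Comparison value only, NOT the circular's definition: the biometric
    industry convention FP / (FP + TN) x 100, i.e. the share of cases that
    should have been refused but were accepted."""
    should_refuse = reg.fp + reg.tn
    if should_refuse == 0:
        return None
    return 100.0 * reg.fp / should_refuse


def production_gate(regs: list) -> list:
    """Article 12 makes go-live conditional on eliminating false acceptances.
    Returns the months that would block deployment; raises on a bad register."""
    for r in regs:
        if not is_consistent(r):
            raise ValueError(f"{r.month}: TP+TN+FP+FN does not equal the sample size")
    return [r.month for r in regs if r.fp > 0]


def render_register(regs: list) -> str:
    """Lay the data out in the Annex 1 form: one row per data item, one column per month."""
    def cell(v: Optional[float]) -> str:
        return "n/a" if v is None else f"{v:.2f}"
    rows = [
        ("Data", [r.month for r in regs]),
        ("Total sample size of identification and verification cases", [str(r.total) for r in regs]),
        ("Number of true positive cases", [str(r.tp) for r in regs]),
        ("Number of true negative cases", [str(r.tn) for r in regs]),
        ("Number of false positive cases", [str(r.fp) for r in regs]),
        ("Number of false negative cases", [str(r.fn) for r in regs]),
        ("False Acceptance Rate (%)", [cell(far_circular(r)) for r in regs]),
    ]
    return "\n".join(label + " | " + " | ".join(cols) for label, cols in rows)


# Constructed sample data for a pre-production test campaign (not real figures).
SAMPLE = [
    MonthlyRegister("Month 1", total=1000, tp=940, tn=50, fp=6, fn=4),
    MonthlyRegister("Month 2", total=1200, tp=1130, tn=62, fp=0, fn=8),
    # A month of pure impostor testing: every accepted case is a false acceptance,
    # so the circular's FAR is 100% while the conventional rate is only 5%.
    MonthlyRegister("Month 3", total=40, tp=0, tn=38, fp=2, fn=0),
    # Nothing accepted at all: the Article 2 formula has a zero denominator.
    MonthlyRegister("Month 4", total=10, tp=0, tn=10, fp=0, fn=0),
]

if __name__ == "__main__":
    print(render_register(SAMPLE))
    print("Months blocking deployment under Article 12:", production_gate(SAMPLE))
```

Month 3 is the case worth noticing: a test sample built mostly from impostor attempts drives the circular's FAR towards 100% even when the conventional rate is low, so the composition of the pre-production sample must be documented alongside the register, and a month that accepted nobody yields no FAR at all rather than 0%.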