The Swiss Financial Market Supervisory Authority (“FINMA”) has updated its due diligence requirements for client onboarding via digital channels set forth in the FINMA Circular 2016/7 video and online identification (“FINMA-Circular 2016/7”). A consultation period for the changes to the circular will now run until March 28, 2018.
Roughly two years ago, the FINMA Circular 2016/7 came into force. The circular addresses how financial intermediaries are to conduct video and online identification of their contractual parties and under which conditions such identifications are deemed to fulfil the due diligence requirements set forth in the Swiss Anti-Money Laundering Act (“AMLA”) and further related statutes and regulations (such as in particular, the FINMA-regulation on Anti-Money Laundering [“FRAML”]). In order to ensure competitiveness of the Swiss financial market, an opportunity for financial institutions to enter into customer-relationships on a digital path proves an important factor. Based on public available data, currently only 6% of clients onboarded digitally have also entered into binding agreements. But an increasing interest is recognizable. Nevertheless, risks are also involved in such practices. While initial experience with digital identification seems positive in the Swiss financial market, the technology has advanced and new risks of misuse have emerged. Governmental authorities have expressed the concern that identification rules should be shaped in a stricter manner to reduce attempts of fraud, minimize cyber-risks and counteract anonymity as a potential facilitator for unlawful endeavors. On the other hand, financial institutions have also expressed that certain provisions of the current FINMA Circular 2016/7 are too restrictive and cumbersome to implement in daily practice. The amended circular takes note of both concerns and strives to ensure a continued effective money-laundering prevention while maintaining innovative capacity and technology neutrality in Switzerland.
2. What are the most significant changes in the FINMA-Circular 2016/7?
2.1 Under the current regime, video identification of a contractual party must occur in real time (live), be recorded with the prior consent of the contractual party and such records must remain safeguarded. Any identification documents submitted by a contracting party must be accessible to a so called machine readable zone (“MRZ”, i.e., suited for optical reading of particular sections of an identification document and de-crypting encrypted information features) and ascertained under variable security features on the identification document; as regards the latter, so far only one variable security feature was considered sufficient to examine. The identity of the contractual party must also be ascertained by a particular transaction number (“TAN”, i.e., a particular code transmitted to the contractual party via e.g. SMS). In addition to the video identification, separate identification measures should occur in parallel. In particular, hard-fact-data of a contractual party must be provided independently, ideally in advance (such as name, date of birth, domicile, nationality etc.) and must also be verified by the financial intermediary in the course of the video identification process (see marginal note 11 FINMA-Circular 2016/7, with reference to Articles 44 and 60 FRAML).
Under the new regime, verification of the contracting party by a TAN will no longer be required. Instead, the identity of the contracting party should be ascertained with the identification document itself. In particular, not fewer than three randomly selected optical security features contained in the identification document (such as e.g. holographic-kinematic features, pressure-elements with visual spill-effects, personalized materials etc.) must be verified. Information encrypted in such features (and de-crypted in the MRZ) must match the visual data apparent on the identification document. The rationale of abolishing the TAN-requirement is that a TAN does not necessarily provide an added value to the identification process for onboarding itself (if identification has not been established or if it is better established with accurate technical means captured in the identification document itself). Nonetheless, a TAN still remains an optional, additional security measure after onboarding (i.e. during the ongoing service provision process as a separate security mechanism to avoid service provision to non-entitled third parties).
In addition, form-related features of an identification document (such as layout, spelling and font) will now have to be cross-checked with an identity document database such as the public Online-Register PRADO or private databases with equivalent content. As an exception, when examining not only the identity of a contractual party, but also the beneficial ownership of a party, a TAN can still be used (see marginal note 48 FINMA-Circular 2016/7).
2.2 Under the current regime, the video identification process must be aborted, if there are indications for higher risks. This procedural rule has been criticized by financial institutions since it interrupts the customer-relationship in an unpleasant manner (and hinders a customer-friendly “straight-through process”).
Under the new regime, the video identification process may still be carried out despite evidence or indications of higher risks. However, a business relationship may only be established after the consent of the line manager, a superior instance or senior management.
2.3 Under the current regime, online identification of a contractual party may occur in different variations:
a. Identification by (i) an electronic photograph of an identification document (accessible to a MRZ) and (ii) a photograph of the contractual party itself followed by a validity-examination of the both. In addition, the contractual party must wire a certain amount of money to the intermediary from a bank in Switzerland or Liechtenstein with an account running on the contractual party’s name. Furthermore, the contractual party’s domicile must be verified with adequate means (such as e.g. verification of utility bills, postal test deliveries or verification in a public register).
b. Identification by electronic copy of an identification document and its authentication by a nationally recognized offeror of certification services with a so called “qualified electronic signature”. In addition, the contractual party must wire a certain amount of money to the intermediary from a bank in Switzerland or Liechtenstein with an account running on the contractual party’s name.
c. Identification by authentications issued by “authenticators”, such as e.g. notaries, attorneys, other financial intermediaries subject to same or equivalent regulation (as all set forth in Art. 49 FRAML). If such authentications are issued at the same address as the contractual party itself, a verification of the party’s domicile as set forth in variation a. can be omitted.
Under the new regime, financial intermediaries will – in addition to the above – have to (i) compare the identification document with an identity document database, (ii) ascertain the authenticity of the identity document using three optical security features perceptible from the digital image of the identity document. In particular, (iii) the contracting party’s photo (as mentioned under variation a.) will have to be established during the identification process, i.e., a “selfie with liveness detection”. The underlying rationale is to avoid the use of existing old photographs or photographs of third parties. Specific technology (such as e.g. “eyeballtracking-software” or instructions given to the contractual party to undertake certain gestures while being photographed) can be deployed for this purpose.
Financial institutions have raised criticism that imposition to open a Swiss bank account for digital onboarding is too burdensome and unattractive, especially for international clients. As can be seen in the new circular, this concern was heard. Under the new regime, a payment transfer from a Swiss-based bank will no longer be required. Payment transfers from a bank based in a Financial Action Task Force (“FATF”) member country will suffice, provided the relevant country has been rated by FATF as partially compliant or better with regard to FATF’s recommendations on customer due diligence and wire transfers. Alternatively, countries having their anti-money laundering and combating the financing of terrorism system rated as moderate or better under Immediate Outcome 3 (Supervision) and 4 (Preventive measures) may also benefit from the aforementioned rule (see marginal note 33 of FINMA-Circular 2016/7) .
The FINMA-Circular 2016/7 will now enter into a consultation period scheduled until March 28, 2018. The additional efforts imposed on financial intermediaries by the new circular seem manageable. Although some criteria seem burdensome (e.g. the verification with three security features and cross-checking with an identity document database), certain financial institutions have already used this as a best practice-standard. Furthermore, concerns expressed by Swiss financial institutions appear to have been heard (with the introduction of the non-interruption of the online-video-onboarding process and the acceptability of wire transfers of contractual parties conducted from a bank not based in Switzerland). FINMA endeavors to set the Circular into force immediately with a transition period of six (6) months as of publication for financial institutions to implement.