Over the past few years, financial transactions and business relationships have become increasingly digitized, creating customer expectations of almost instantaneous access to, and delivery of, financial products and services. Consequently, firms are compelled to adapt their practices to stay competitive. While the move towards a more technologically driven financial services market presents many benefits, which include reduced costs, improved customer experience, increased speed of transactions, reduced account opening times and continuous access to service online, firms have to be mindful of the impact these changes might have on their money-laundering and terrorist financing (ML/TF) risk exposure.
Innovation is not confined to new financial products and services. It also includes the development of new solutions to address specific compliance challenges, such as customer due diligence (CDD), which is central to the ML/TF regime. Meeting CDD obligations can be challenging for firms, as this process is often associated with significant costs and customer inconvenience.
Additional challenges arise from the fact that in an increasingly digitized environment, where most services are accessible online, firms may have to move away from traditional face-to-face interactions to non-face-to-face online channels.
As regards the non-face-to-face online channels that firms may use for CDD purposes, Italian legislation has also developed in line with international standards and European directives.
This article focuses on the non-face-to-face CDD rules issued by the Bank of Italy, which apply to banking and financial institutions operating in Italy, whether through a branch or without one (under the freedom to provide services regime).
Italian regulatory framework
The primary legislation implementing Directive (EU) 2015/849 gives the competent authorities the power to determine, inter alia, the modalities through which customers are identified for CDD purposes, taking into account the evolution of non-face-to-face techniques.
On 30 July 2019, the Bank of Italy issued its new provisions on CDD measures, taking into consideration the Directive and the ESAs’ Joint Guidelines published on 26 June 2017 (the so-called “Risk Factors Guidelines”). The new provisions were published in the Official Gazette of the Italian Republic on 13 August 2019 and have been in force since 28 August 2019. Firms shall comply with the new provisions starting from 1 January 2020.
The provisions lay down, inter alia, the rules on non-face-to-face business relationships and transactions, i.e. those carried out without the customer (or the executor, where the customer is not a natural person) being physically present, at the firm’s premises, with the firm’s employees or other personnel appointed by the firm (e.g. through telephone or IT communication systems).
EU law no longer designates situations where a customer is not physically present for identification purposes as high risk in all cases. Instead, Annex III to Directive (EU) 2015/849 lists non-face-to-face business relationships or transactions ‘without certain safeguards’ as ‘potentially higher risk’ in recognition of approaches to non-face-to-face verification of identity becoming more reliable. In the same way, the ESAs Risk Factors Guidelines do not suggest that non-face-to-face relationships are always high risk but instead ask obliged entities to consider how the customer comes to the entity, which may or may not give rise to higher risk.
However, since Directive (EU) 2015/849 lays down only minimum CDD requirements that firms must comply with, Member States have some flexibility in imposing more stringent standards through their national legislation where this is necessary in the light of the money laundering and terrorist financing risk.
Non-face-to-face CDD procedure
The Bank of Italy requires firms to pay particular attention to non-face-to-face operations, given the absence of direct contact with the customer or the executor. Firms shall consider the risk of fraud arising from identity theft.
In cases of non-face-to-face operations, firms are required to:
- a) acquire the identification data of the customer and the executor and verify them against a copy of a valid identity document, obtained by fax, mail, in electronic format or in a similar way, pursuant to current legislation;
- b) carry out additional checks on the data acquired, in the ways most appropriate to the specific risk. By way of example, the following methods are indicated:
  - telephone contact (welcome call);
  - sending of communications to a physical address with acknowledgment of receipt;
  - wire transfer made by the customer through a banking or financial intermediary based in Italy or in a Member State;
  - request to send countersigned documentation;
  - checks on residence, domicile and activity performed, through requests for information to the competent offices or through on-site meetings.
In compliance with the risk-based approach, firms may use verification mechanisms based on innovative and reliable technological solutions (e.g. those providing forms of biometric recognition), provided they are supported by robust security safeguards;
- c) identify, in the anti-money laundering policy document, the specific mechanisms they intend to use to carry out the checks under b), and set out the assessments conducted by the AML function on the risk profiles of each of these tools and their related security safeguards.
Alternative: video identification procedure
As an alternative to the “standard” CDD procedure under a), b) and c) above, firms may identify a customer who is a natural person remotely, by means of a recorded audio/video session governed by a specific identification procedure.
Firms shall implement a system that guarantees, before the audio/video session is established, encryption of the communication channel by adopting up-to-date standards, applications and protocols. They shall also ensure the use of applications designed for customer usability and accessibility.
Firms shall ensure that remote identification by the operator assigned to the video identification (hereinafter, the “operator”) meets the following conditions:
- the video images are in color and give a clear view of the interlocutor in terms of brightness, sharpness, contrast and smoothness of the images;
- the audio is clearly audible, free of distortions or obvious disturbances;
- the audio/video session, which covers the video images and audio of both the customer and the operator, is carried out in environments free of disturbing elements.
Firms shall ensure that the operator refrains from starting the identification process, or suspends it, when the audio/video quality is poor or not considered adequate for customer identification.
The operator: i) acquires the identification data provided by the customer; ii) requires the presentation of a valid identity document issued by a public administration, bearing a recent and recognizable photograph and signed by the holder; and iii) verifies the tax code by means of a valid health card.
The operator may reject the audio/video session for any reason, including the inadequacy of the document presented by the customer.
The audio/video session is fully recorded and stored.
Firms request consent to the processing of the personal data contained in the audio/video recording, specifying this in the privacy notice provided to the data subject pursuant to data protection provisions.
The audio/video session shall be conducted following a written procedure formalized by the firm.
When doubts, uncertainties or inconsistencies in the identification of the customer emerge, the firms shall carry out further checks.
The documentation to be kept includes the information and documents collected during the recording.
Firms shall keep, in a manner consistent with the record-keeping provisions of the anti-money laundering decree, the recording data as well as the customer’s explicit choice to establish the ongoing relationship, stored as audio/video files, images and structured metadata in electronic format.
Innovative solutions in the CDD process
With the opinion issued on 23 January 2018, the ESAs highlighted, on the one hand, the factors to be considered when assessing the adequacy of CDD measures where innovative solutions are used and, on the other hand, developed a common regulatory understanding of the appropriate use of innovative solutions.
In the ESAs’ view, competent authorities should consider several factors when assessing the extent to which the use or intended use of innovative CDD solutions is adequate in the light of the ML/TF risk associated with individual business relationships and firms’ business-wide risk profiles. These factors are technology-neutral and apply in addition to the customer, product, services, transaction, delivery channel and geographical risk factors firms should consider when assessing the risks associated with their business relationships, in line with Article 8 of the Directive (EU) 2015/849 and Risk Factors Guidelines. Competent authorities should consider:
- oversight and control mechanisms;
- the quality and adequacy of CDD measures;
- the reliability of CDD measures;
- delivery channel risks; and
- geographical risks.
Oversight and control mechanisms
Whatever means are chosen to employ innovative CDD solutions, the responsibility for meeting AML/CFT obligations remains with the obliged entities. The ESAs therefore believe that competent authorities should consider, in addition to the entities’ risk assessment, at least the factors set out below when assessing the adequacy of governance and control frameworks in the context of the entities’ decision to use innovative CDD solutions for AML/CFT compliance purposes:
- appropriate risk management systems that are compatible with products and services offered, especially when the solution is not developed in-house;
- sufficient decision-making powers, specifically in respect of changes proposed to the innovative solution, the on-boarding process or the applicable CDD measures;
- processes in place that ensure continuous monitoring of the innovative solution’s effectiveness;
- controls in place to ensure that entities are meeting their data retention requirements, regardless of the type of innovative solution;
- controls in place to prevent any data security and privacy breaches;
- sufficient safeguards put in place to ensure that the use of innovative solutions as part of customer identification and verification processes does not lead to a breach of data protection legislation or other relevant legislation;
- sufficient controls in place to ensure that staff conducting the identity verification of customers through innovative solutions are not colluding with criminals;
- sufficient controls in place to ensure that staff using the innovative solutions are sufficiently trained.
A relevant part of the opinion concerns the compliance and operational risks that firms should consider before starting to use an innovative CDD solution, as well as laws that do not permit information sharing between the external provider of the innovative solution and the firm, and/or between the external provider and the competent authority, where these external providers are based in third countries.
Quality and adequacy of CDD measures
Article 13(4) of Directive (EU) 2015/849 requires obliged entities to demonstrate to their competent authority that the extent of CDD measures is commensurate with the ML/TF risks they have identified. This means that, based on their analysis of the innovative solution’s characteristics and the assessment of ML/TF risks linked to their customers and business relationships, entities should be able to demonstrate to their competent authorities that the innovative solution is sufficiently reliable and commensurate with the level of ML/TF risks presented. Furthermore, the ESAs believe that competent authorities should also consider the following factors:
- sufficient controls in place to ensure that a business relationship with a customer commences only once all CDD measures commensurate with the ML/TF risk have been completed;
- controls in place to ensure the quality of the CDD measures applied and also the quality of data and information used or collected when carrying out CDD through innovative solutions, including on-going and transaction monitoring;
- with regard to innovative solutions for ongoing monitoring purposes, controls in place to ensure that innovative solutions are operating effectively and efficiently;
- controls in place to ensure that documentation, data and information gathered during the customer on-boarding process through innovative solutions remains accurate and up to date.
Reliability of CDD measures
In the ESAs’ opinion, it is important that obliged entities have regard to the validity and authenticity of the data, documentation and information obtained about their customers through innovative solutions, at onboarding or during the business relationship. Where customers are required to transmit their ID documentation, data or information via video conference, mobile phone apps or other digital means, the ESAs believe that obliged entities should consider at least the risk factors set out below, namely the risk that:
- the customer’s image visible on the screen is being tampered with during the transmission;
- an ID document displayed on the screen by a customer during the transmission belongs to another but similar-looking person;
- identity documents produced during the transmission have been altered (i.e. changes made to data in a genuine document), counterfeited (i.e. reproduction of an identity document) or recycled (i.e. creation of a fraudulent identity document using materials from legitimate documents);
- most potentially suspicious transactions have not been identified.
Delivery channel risks
The ESAs believe that the obliged entities should consider at least the following risks:
- potential customers who are on-boarded via the innovative CDD solution are not who they claim to be as they are impersonating another person or using another person’s personal data or identity documents (i.e. identity fraud);
- a customer could be intimidated, threatened or under duress during the transmission of the identity verification.
To this end, see also paragraphs 32-33 of the Risk Factors Guidelines.
Geographical risks
The key feature of most commonly used innovative CDD solutions is that they enable obliged entities to on-board customers remotely and verify their identity via the internet, regardless of customers’ location or distance.
On this point, the ESAs believe that the obliged entities should:
- be able to assess geographical risks presented by a business relationship, including through controls that capture their customers’ location (e.g. through device fingerprinting or GPS data on mobile phones) to establish if they are based in a jurisdiction associated with higher ML/TF risks; and
- have practices in place to assess the reasons why customers from other jurisdictions are using their services.
To this end, see also paragraphs 22-27 of the Risk Factors Guidelines.