The Cypriot regulator, CySEC, last week issued a “Policy Statement on the Enhancement of the Non-Face-to-Face Customer Onboarding Process with Electronic Methods”.
The Statement is a welcome alignment with EU norms and technological advancements. It removes unnecessarily specific arrangements in favor of a more balanced, material approach. Among the elements highlighted are technology neutrality, risk management, GDPR, and information security.
I believe this new focus will allow for a more holistic onboarding process, empowering firms to harness available technologies more efficiently and correctly. This will result not only in better compliance but also in improved customer experience.
CySEC finalises new rules on digital onboarding https://t.co/gl32ruueiC
CySEC announced new rules for the digital identification of customers https://t.co/LdlbkdYPrU
— CySEC – Cyprus Securities and Exchange Commission (@CySEC_official) August 6, 2024
As technology advances, so does regulation regarding it. The
Statement is the culmination of several processes, among them CySEC’s October
2020 consultation paper CP-02-2020 and EBA’s October 2023 guidelines on Remote
Customer Onboarding Solutions.
It also takes into account experience gained
through CySEC’s Innovation Hub, an important initiative as it allows RegTechs,
who are key players in regulatory processes, a direct avenue for information
and ideas exchange with the regulator.
Who?
The Statement applies to a wide range of Obliged Entities (OEs) supervised by CySEC, from investment firms and UCITS to AIFMs and CASPs.
What?
The Statement—and the amendment to the CySEC AMLD attached
to it as Annex I—cover two aspects related to customer onboarding:
1. The selection of Remote Customer Onboarding Solutions (RCOS).
2. The onboarding process itself.
In regard to the selection of RCOS, the Statement:
- Clarifies that OEs need to select RCOS for Non-Face-to-Face (NFTF) customer onboarding according to a risk-based approach.
- Allows OEs to use RCOS in a ‘technology-neutral’ manner and permits the use of RCOS that are outside the scope of the eIDAS Regulation.
- Clarifies the need for continuous monitoring of the business relationships between the OEs and RCOS.
- No longer requires submission of a declaratory attestation, only a notification.
Delighted to provide the opening speech at the World Finance Conference, organized in Cyprus this year by the @EuropeanUniCy. Many thanks to the organizers for inviting me and especially to @sim010101. @CySEC_official https://t.co/milcVdZXuH
— George Theocharides (@Theocharides_G) August 1, 2024
In regard to the onboarding process itself, the Statement
clarifies that:
- Video calls are no longer the only eligible onboarding method.
- The type of documentation accepted for NFTF Customers is no longer exclusively passports, and PRADO-included documentation is no longer exclusive when performing identification via dynamic selfie/video call.
- Liveness detection is mandatory only with respect to unattended solutions.
- The use of RCOS is possible not only for natural persons but also for other legal entities, including natural persons acting on their behalf.
- The identification procedure is no longer required to take place through just one device.
- When biometric solutions are used, a unique number need no longer be communicated only by means of SMS.
- Addresses can be verified by the collection of copies of original documents through RCOS.
When?
The amended CySEC AMLD enters into force on the date of its
publication in the Cypriot Official Gazette. The Statement’s new RCOS-related
rules will come into application on 1 December 2024.
Noteworthy
- The statement includes an extensive overview of various onboarding-related considerations, including those derived from EBA’s guidelines. It emphasizes GDPR compliance and information security.
- Emphasis is placed on customer risk assessment, including geographical risk. In this context, CySEC states that OEs should “assess the reasons why NFTF customers from other jurisdictions are using their services,” which can be seen as part of implementing ESMA’s recommendations regarding the supervision of cross-border investment activities.
Have you seen our proposals?
🔴 #ESMA made 2⃣0⃣recommendations for more effective & attractive capital markets in 🇪🇺→ https://t.co/1VQyN57ni9.
3 dimensions
🎯 citizens
🎯 companies
🎯 EU regulatory & supervisory framework
Factsheet → https://t.co/L3ZT4iVhD7
CC: @EU_Finance pic.twitter.com/dwtWmsqB6o
— ESMA – EU Securities Markets Regulator 🇪🇺 (@ESMAComms) July 3, 2024
Practical Steps and Tips
The new rules highlight the need for RCOS that:
- Allow for quick change management. The reality is that regulation changes quite frequently. The best compliance tools allow you to perform the required changes (in this case, the quick changing of verification methods) by easy, no-code configuration.
- Cover a large part of the onboarding process. The larger the part they cover, the fewer RCOS you require and the easier it is for you to comply with the Statement’s requirements, such as OE-RCOS relationship monitoring.
- Provide an integrated, configurable CRA tool that takes jurisdictional risk into account.
- Are GDPR compliant. Only choose RCOS that do not otherwise use data collected in the onboarding process (and preferably do not have direct exposure to that data either).
- Are secure. In this sense, an ISO 27001 or equivalent certification will make the RCOS DD process easier for the firm.
If chosen correctly, the right RCOS can turn onboarding from an organizational pain point to a competitive advantage. The new Statement perfectly empowers firms to choose the right RCOS and shape their onboarding process according to their needs and preferences without compromising customer
experience or compliance.