Language

27 Oct 2023in Business use cases

EBA Guidelines on the Use of Remote Customer Onboarding Solutions: How Regula Aligns

Henry Patishman

Executive VP, Identity Verification solutions at Regula

Starting from October 2, 2023, the new guidelines from the European Banking Authority (EBA) are changing how European financial institutions bring in customers remotely. 

In this article, we’ll guide you through the main touchpoints of the new EBA guidelines and show you how Regula's products can help you comply with them.

Stay Tuned

We'll deliver hand-picked content from Regula's experts into your inbox

Understanding EBA guidelines on remote customer onboarding

The European Banking Authority (EBA) guidelines are like a rulebook that financial institutions in the European Union must follow when they onboard new customers online. These guidelines bring some important changes to how this process should work.

The main idea behind this is to address the fragmentation in the European financial service market. Previously, each national bank had its own unique requirements, causing challenges for financial institutions in meeting compliance standards. This diversity also complicated the process of cross-border remote onboarding and left room for regulatory gaps, making the EU single market susceptible to financial crime. The offered framework aims to standardize the process, providing a consistent approach for all European financial service providers.

The EBA guidelines spell out some key requirements for identity verification solutions. In simple terms, here's what they want financial institutions to do:

1. Collect up-to-date and accurate identity information

Financial institutions must make sure that the information provided by the customer is current, correct, and meets the applicable requirements for customer due diligence. 

In practice, this means details such as names, addresses, etc., should be accurate and, moreover, captured in a readable format and with sufficient quality.

This EBA guidelines requirement resonates with the Attribute and Evidence Collection stage described in the ETSI guidelines we wrote about in another post: What Is Identity Proofing & What Proofing Techniques Does It Imply?

2. Verify document authenticity

When banks and financial institutions accept identity documents remotely, they need to ensure that the images of those documents are authentic (not a copy of a copy) and not forged. 

This is achieved by checking if the provided ID has all the appropriate security features specific to the authentic ID, there’s no sign of alterations of any kind, and the integrity of the algorithms used for encoding unique identifiers is preserved.

3. Use biometrics for matching documents with users

One way to make sure that a client is the person they claim to be is by comparing the submitted information (a photo or video) with their actual physical features. This is especially important for remote customer onboarding. To comply with EBA guidelines, financial organizations should use powerful algorithms to double-check that the biometric data lines up perfectly, leaving no room for error.

Face Recognition vs. Face Verification in Identity Verification: The Expert Explanation

4. Provide quality assessment

For unattended remote onboarding solutions, where customers don’t interact with employees during verification, quality assessment is crucial. It’s necessary to make sure that any photographs or videos taken during the process are captured under proper lighting conditions, and that all necessary features and properties are clearly visible, making it easier to verify the customer’s identity.

5. Conduct liveness detection

To enhance the reliability of the verification process in remote customer onboarding, financial institutions should consider implementing liveness detection, either passive or active. This step helps confirm that the photo or video being captured is from a real person in real time. 

For the best security, EBA guidelines recommend making liveness detection mandatory in all unattended situations.

Read also: How UBS, the largest bank in Switzerland and the world’s largest private bank, created a totally new experience for opening accounts

7. Ensure secure data handling

To align with EBA guidelines, organizations must keep all documents and information collected during remote identification time-stamped and securely stored, maintaining a clear record of the identity verification process. 

Stored records should be easily accessible in a readable format, but they must be safe from unauthorized access. If an outsourced service provider is handling customer data, institutions must take extra precautions, including collecting and storing only necessary customer data for a defined period, with strict control and logging of data access.

How Regula and EBA guidelines align

Now, let’s explore how Regula's solutions align with these new guidelines, making sure that financial institutions can meet these requirements and keep their remote customer onboarding experience safe and hassle-free.

You can download the table as a PDF file [PDF, 4 pages, 5.5 MB]

StageEBA requirementCoverage by Regula solutions

Acquisition of information

4.2.1 (24): Identity data is up to date and in a readable format

Data capture. Document Reader SDK automatically identifies the document type, instantly analyzes the ID layout against Regula’s extensive document template database, and reads the data. Then it reads and validates the fields and structures the output. Once the analysis is complete, the data is ready for cross-validation with other sources of information.

The solution works for both mobile devices and desktops.

Learn more about document parsing →

Document authenticity & integrity

4.3 (33, a): Security features embedded in the original document are in place and comply with the specifications of the original document (e.g., type, size of characters and structure of the document by comparing them with official databases, such as PRADO15).

Extensive database of identity document templates. Regula solutions come with the world’s most comprehensive database, including over 13,000 templates to date, along with detailed descriptions.

For additional manual verification by experts, there are also Informational Reference Systems that contain hi-res images of documents and their security features in white, UV, and IR light.

4.3 (33, b): Personal data hasn’t been altered or otherwise tampered with or, where applicable, the picture of the customer embedded in the document was not replaced.

Data validation and authenticity verification. This is achieved through a multi-faceted approach that includes, but isn’t limited to:

  • Performing lexical analysis and validating every field in the visual zone, MRZ, barcode, and other sources in the document;

  • Reading and verifying the embedded RFID chip with an NFC module;

  • Running numerous cross-checks to make sure all the data matches.

As for the portrait, validating it also involves:

  • Checking the presence and position of the main and secondary photo;

  • Verifying the presence of LASINK portrait printing technology.

4.3 (33, c): The confirmed integrity of the algorithm used to generate the unique identification number of the original document, in case the official document has been issued with machine-readable zone (MRZ).

Advanced MRZ reading.Regula Document Reader SDK employs over 200 parsers for MRZ codes, allowing validation of checksum and personal number algorithms, as well as background, resolution, size, font spacing, line position, and more parameters.

4.3 (33, d): The provided reproduction (of the document) is of sufficient quality and definition so as to ensure that relevant information is unambiguous.

Quality assessment.Regula provides advanced document capture capabilities that guide the user and auto-assess that there are no glares, blur, or cropped elements, and that the data is unambiguously readable.

4.3 (33, e): The provided reproduction has not been displayed on a screen based on a photograph or scan of the original identity document.

Document liveness check.Regula Document Reader SDK verifies document liveness. It validates its dynamic security features and detects if the document is being presented as a screenshot or demonstrated from a digital device.

4.3 (35): In situations where the device the customers use to prove their identity allows the collection of relevant data, for example because the data is contained in the chip of a national identity card, and it is technically feasible for the credit and financial institutions to access this data, credit and financial institutions should consider using this information to verify its consistency.

NFC-based verification. Regula Document Reader SDK reads and verifies the embedded RFID chip with NFC verification technology, and additionally re-verifies the NFC chip by processing data on a server to ensure the chip is not cloned or manipulated.

4.3 (36): Where available, during the verification process, credit and financial institutions should verify the security features embedded in the official document, if any, such as holograms, as a proof of their authenticity.

Advance authenticity checks. Regula instantly detects and authenticates data from the document, and checks its security features using numerous techniques.

It automatically verifies the presence of IPI and holograms, plus analyzes MLI (Multiple Laser Image) and OVI (Optical Variable Ink) via mobile applications.

Matching customer identity

4.4 (39): Biometric data is sufficiently unique to be unequivocally linked to a single natural person. 

Credit and financial institutions should use strong and reliable algorithms to verify the match between the biometric data provided on the submitted identity document and the customer being onboarded.

Biometric verification. The Face Matching module enables precise comparison of the photo captured by the camera with the holder’s portraits in the document (including the photo encoded in the RFID chip, or a secondary photo such as a ghost, kinegram, or in a barcode).

4.4 (41, a): Any photograph(s) or video is taken under adequate lighting conditions and the required properties are captured with necessary clarity to allow the proper verification of the customer’s identity.

Advance face capture. Regula Face SDK evaluates image quality as users capture selfies, identifying and selecting the best image by assessing factors like glares, shadows, head position, and face size, directly within the mobile app or website.

4.4 (41, b): Any photograph(s) or video is taken at the time the customer is performing the verification process.

4.4 (41, c): Liveness detection verifications, which may include procedures where a specific action from the customer is required to verify that he/she is present in the communication session or which can be based on the analysis of the received data and does not require a specific action by the customer.

Liveness detection (based on biometric parameters). Regula’s proprietary liveness detection technology streamlines remote biometric verification. It instantly detects and prevents presentation attacks (the use of static face images, video replays or injections, or masks instead of a real person).

To do so, Regula Face SDK uses different methods, like examining textures, depth and shape of an image, facial movements, and more.

Learn more about Liveness Detection →

Data processing and storage

4.2.1 (26): The documents and information collected during the remote identification process should be time-stamped and stored securely by the credit and financial institution.

On-premises implementation. 

Regula can operate on-premises, allowing all processes to occur within your secure perimeter and minimizing potential risks. Since the results of all verification sessions are stored on the customer’s server, it’s possible to access them later.

4.2.1 (26): The content of stored records, including images, videos, sound and data should be available in a readable format and allow for ex-post verifications.

Records of prior verification sessions can be accessed for re-verification or in case of repeated sessions for the same individuals.

The results of every verification session are stored on a server, so it is possible to review or re-process them afterwards if required.

4.5.2 (49): Where the outsourced service provider stores customer data, (...), credit and financial institutions should ensure that: a) only necessary customer’s data is collected and stored in line with a clearly defined retention period; b) access to the data is strictly limited and registered; c) appropriate security measures are implemented to ensure that the stored data is protected.

Data safety and enhanced privacy.

Regula does not collect, store, or share your customers’ data. All verification session results are securely stored on your server, keeping personal data within your secure perimeter for maximum privacy and control.

Conclusion

The EBA guidelines are designed not only for compliance but also serve as a common framework for all financial organizations to follow. Regula’s technology facilitates this journey, making it a win-win situation for institutions and their customers, as they can enjoy secure, hassle-free, and standardized remote customer onboarding.

If you face any challenges in implementing these guidelines, don't hesitate to contact Regula's experts for tailored solutions and support.

Let's talk?

Identity verification
for your mission-critical projects

On our website, we use cookies to collect technical information. In particular, we process the IP address of your location to personalize the content of the site

Cookie Policy rules