Starting from October 2, 2023, the new guidelines from the European Banking Authority (EBA) are changing how European financial institutions bring in customers remotely.
In this article, we’ll guide you through the main touchpoints of the new EBA guidelines and show you how Regula's products can help you comply with them.
Understanding EBA guidelines on remote customer onboarding
The European Banking Authority (EBA) guidelines are like a rulebook that financial institutions in the European Union must follow when they onboard new customers online. These guidelines bring some important changes to how this process should work.
The main idea behind this is to address the fragmentation in the European financial service market. Previously, each national bank had its own unique requirements, causing challenges for financial institutions in meeting compliance standards. This diversity also complicated the process of cross-border remote onboarding and left room for regulatory gaps, making the EU single market susceptible to financial crime. The new framework aims to standardize the process, providing a consistent approach for all European financial service providers.
The EBA guidelines spell out some key requirements for identity verification solutions. In simple terms, here's what they want financial institutions to do:
1. Collect up-to-date and accurate identity information
Financial institutions must make sure that the information provided by the customer is current, correct, and meets the applicable requirements for customer due diligence.
In practice, this means details such as names, addresses, etc., should be accurate and, moreover, captured in a readable format and with sufficient quality.
This EBA guidelines requirement resonates with the Attribute and Evidence Collection stage described in the ETSI guidelines we wrote about in another post: What Is Identity Proofing & What Proofing Techniques Does It Imply?
2. Verify document authenticity
When banks and financial institutions accept identity documents remotely, they need to ensure that the images of those documents are authentic (not a copy of a copy) and not forged.
This is achieved by checking that the provided ID has all the security features specific to the authentic document, that there is no sign of alteration of any kind, and that the integrity of the algorithms used for encoding unique identifiers is preserved.
3. Use biometrics for matching documents with users
One way to make sure that a client is the person they claim to be is by comparing the submitted information (a photo or video) with their actual physical features. This is especially important for remote customer onboarding. To comply with EBA guidelines, financial organizations should use powerful algorithms to double-check that the biometric data lines up perfectly, leaving no room for error.
4. Provide quality assessment
For unattended remote onboarding solutions, where customers don’t interact with employees during verification, quality assessment is crucial. It’s necessary to make sure that any photographs or videos taken during the process are captured under proper lighting conditions, and that all necessary features and properties are clearly visible, making it easier to verify the customer’s identity.
5. Conduct liveness detection
To enhance the reliability of the verification process in remote customer onboarding, financial institutions should consider implementing liveness detection, either passive or active. This step helps confirm that the photo or video being captured is from a real person in real time.
For the best security, EBA guidelines recommend making liveness detection mandatory in all unattended situations.
7. Ensure secure data handling
To align with EBA guidelines, organizations must keep all documents and information collected during remote identification time-stamped and securely stored, maintaining a clear record of the identity verification process.
Stored records should be easily accessible in a readable format, but they must be safe from unauthorized access. If an outsourced service provider is handling customer data, institutions must take extra precautions, including collecting and storing only necessary customer data for a defined period, with strict control and logging of data access.
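Requirement 2 above asks that the integrity of the algorithms used for encoding unique identifiers is preserved; for documents with a machine-readable zone, that is the check-digit scheme defined in ICAO Doc 9303. The following is an added example, not Regula's code or part of the EBA text: it validates every check digit on line 2 of a passport-format (TD3) MRZ, and the function names and the altered sample line are assumptions made for illustration.

```python
"""ICAO Doc 9303 check-digit validation for line 2 of a TD3 (passport) MRZ."""
import string

WEIGHTS = (7, 3, 1)
# Character values: digits as-is, A-Z -> 10..35, filler '<' -> 0.
VALUES = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}
VALUES["<"] = 0


def check_digit(field: str) -> int:
    """Weighted sum of character values (weights 7, 3, 1 repeating) modulo 10."""
    return sum(VALUES[c] * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def _matches(field: str, digit: str, filler_ok: bool = False) -> bool:
    # An all-filler optional field may carry '<' in place of its check digit.
    if filler_ok and digit == "<" and set(field) == {"<"}:
        return True
    return digit.isdigit() and check_digit(field) == int(digit)


def validate_td3_line2(line2: str) -> dict:
    """Return {field_name: bool} for each check digit in a 44-char TD3 line 2."""
    if len(line2) != 44 or any(c not in VALUES for c in line2):
        raise ValueError("TD3 line 2 must be 44 characters of 0-9, A-Z or '<'")
    # Composite covers positions 1-10, 14-20 and 22-43 (1-indexed).
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    return {
        "document_number": _matches(line2[0:9], line2[9]),
        "date_of_birth": _matches(line2[13:19], line2[19]),
        "date_of_expiry": _matches(line2[21:27], line2[27]),
        "personal_number": _matches(line2[28:42], line2[42], filler_ok=True),
        "composite": _matches(composite, line2[43]),
    }


# ICAO 9303 specimen data line (fictional holder), and a constructed copy with one
# document-number character altered while the printed check digits are left as-is.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
ALTERED = "L898903C36UTO7408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    for label, line in (("specimen", SPECIMEN), ("altered", ALTERED)):
        failed = [name for name, ok in validate_td3_line2(line).items() if not ok]
        print(label, "OK" if not failed else f"failed: {failed}")
```

A passing result only shows the MRZ is internally consistent; anyone who knows the scheme can recompute the digits, so this check complements the security-feature and chip checks rather than replacing them.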
How Regula and EBA guidelines align
Now, let’s explore how Regula's solutions align with these new guidelines, making sure that financial institutions can meet these requirements and keep their remote customer onboarding experience safe and hassle-free.
| Stage | EBA requirement | Coverage by Regula solutions |
Acquisition of information
4.2.1 (24): Identity data is up to date and in a readable format
Data capture. Document Reader SDK automatically identifies the document type, instantly analyzes the ID layout against Regula’s extensive document template database, and reads the data. Then it reads and validates the fields and structures the output. Once the analysis is complete, the data is ready for cross-validation with other sources of information.
The solution works for both mobile devices and desktops.
Document authenticity & integrity
4.3 (33, a): Security features embedded in the original document are in place and comply with the specifications of the original document (e.g., type, size of characters and structure of the document by comparing them with official databases, such as PRADO).
Extensive database of identity document templates. Regula solutions come with the world’s most comprehensive database, including over 13,000 templates to date, along with detailed descriptions.
For additional manual verification by experts, there are also Informational Reference Systems that contain hi-res images of documents and their security features in white, UV, and IR light.
4.3 (33, b): Personal data hasn’t been altered or otherwise tampered with or, where applicable, the picture of the customer embedded in the document was not replaced.
Data validation and authenticity verification. This is achieved through a multi-faceted approach that includes, but isn’t limited to:
As for the portrait, validating it also involves:
4.3 (33, c): The confirmed integrity of the algorithm used to generate the unique identification number of the original document, in case the official document has been issued with machine-readable zone (MRZ).
Advanced MRZ reading. Regula Document Reader SDK employs over 200 parsers for MRZ codes, allowing validation of checksum and personal number algorithms, as well as background, resolution, size, font spacing, line position, and more parameters.
4.3 (33, d): The provided reproduction (of the document) is of sufficient quality and definition so as to ensure that relevant information is unambiguous.
Quality assessment. Regula provides advanced document capture capabilities that guide the user and auto-assess that there are no glares, blur, or cropped elements, and that the data is unambiguously readable.
4.3 (33, e): The provided reproduction has not been displayed on a screen based on a photograph or scan of the original identity document.
Document liveness check. Regula Document Reader SDK verifies document liveness. It validates its dynamic security features and detects if the document is being presented as a screenshot or demonstrated from a digital device.
4.3 (35): In situations where the device the customers use to prove their identity allows the collection of relevant data, for example because the data is contained in the chip of a national identity card, and it is technically feasible for the credit and financial institutions to access this data, credit and financial institutions should consider using this information to verify its consistency.
NFC-based verification. Regula Document Reader SDK reads and verifies the embedded RFID chip with NFC verification technology, and additionally re-verifies the NFC chip by processing data on a server to ensure the chip is not cloned or manipulated.
4.3 (36): Where available, during the verification process, credit and financial institutions should verify the security features embedded in the official document, if any, such as holograms, as a proof of their authenticity.
Advanced authenticity checks. Regula instantly detects and authenticates data from the document, and checks its security features using numerous techniques.
It automatically verifies the presence of IPI and holograms, plus analyzes MLI (Multiple Laser Image) and OVI (Optical Variable Ink) via mobile applications.
Matching customer identity
4.4 (39): Biometric data is sufficiently unique to be unequivocally linked to a single natural person.
Credit and financial institutions should use strong and reliable algorithms to verify the match between the biometric data provided on the submitted identity document and the customer being onboarded.
Biometric verification. The Face Matching module enables precise comparison of the photo captured by the camera with the holder’s portraits in the document (including the photo encoded in the RFID chip, or a secondary photo such as a ghost, kinegram, or in a barcode).
4.4 (41, a): Any photograph(s) or video is taken under adequate lighting conditions and the required properties are captured with necessary clarity to allow the proper verification of the customer’s identity.
Advanced face capture. Regula Face SDK evaluates image quality as users capture selfies, identifying and selecting the best image by assessing factors like glares, shadows, head position, and face size, directly within the mobile app or website.
4.4 (41, b): Any photograph(s) or video is taken at the time the customer is performing the verification process.
4.4 (41, c): Liveness detection verifications, which may include procedures where a specific action from the customer is required to verify that he/she is present in the communication session or which can be based on the analysis of the received data and does not require a specific action by the customer.
Liveness detection (based on biometric parameters). Regula’s proprietary liveness detection technology streamlines remote biometric verification. It instantly detects and prevents presentation attacks (the use of static face images, video replays or injections, or masks instead of a real person).
To do so, Regula Face SDK uses different methods, like examining textures, depth and shape of an image, facial movements, and more.
Data processing and storage
4.2.1 (26): The documents and information collected during the remote identification process should be time-stamped and stored securely by the credit and financial institution.
Regula can operate on-premises, allowing all processes to occur within your secure perimeter and minimizing potential risks. Since the results of all verification sessions are stored on the customer’s server, it’s possible to access them later.
4.2.1 (26): The content of stored records, including images, videos, sound and data should be available in a readable format and allow for ex-post verifications.
Records of prior verification sessions can be accessed for re-verification or in case of repeated sessions for the same individuals.
The results of every verification session are stored on a server, so it is possible to review or re-process them afterwards if required.
4.5.2 (49): Where the outsourced service provider stores customer data, (...), credit and financial institutions should ensure that: a) only necessary customer’s data is collected and stored in line with a clearly defined retention period; b) access to the data is strictly limited and registered; c) appropriate security measures are implemented to ensure that the stored data is protected.
Data safety and enhanced privacy.
Regula does not collect, store, or share your customers’ data. All verification session results are securely stored on your server, keeping personal data within your secure perimeter for maximum privacy and control.
The EBA guidelines are designed not only for compliance but also to serve as a common framework for all financial organizations to follow. Regula’s technology facilitates this journey, making it a win-win situation for institutions and their customers, as they can enjoy secure, hassle-free, and standardized remote customer onboarding.
If you face any challenges in implementing these guidelines, don't hesitate to contact Regula's experts for tailored solutions and support.