Despite being in one of Europe’s largest financial centers, Austrian businesses onboarded customers manually for a long time. This was problematic, since traditional Know Your Customer (KYC) procedures were time-consuming, error-prone, and required a lot of financial and human resources.
Austria’s first step toward digitalization was video-based identification for onboarding new customers, which the Austrian Financial Market Authority (FMA) approved on January 3rd, 2017. This gave businesses the opportunity to onboard their customers remotely by identifying them through a video chat.
Then, in November 2021, the Austrian Financial Market Authority (FMA) issued an amendment to the Austrian Online Identification Regulation (“Online-Identifikationsverordnung”) that allowed fully automated biometric procedures for identity verification under the Austrian Anti-Money Laundering Act (Finanzmarkt-Geldwäschegesetz). This means that banks, financial institutions and other entities subject to the Anti-Money Laundering (AML) regulations can now use biometric identity verification in addition to the previous verification means.
- Who’s affected
- What’s changed
- How to stay compliant
- Compliance challenges
Austria’s recently amended regulations allow the use of biometric KYC onboarding for the following businesses, which fall under Austrian AML and KYC requirements issued by the Financial Market Authority (FMA):
- financial service providers;
- credit institutions;
- cryptocurrency service providers.
For convenience, we will use the blanket term “financial service providers” in this article.
In the context of the amendments, the FMA’s legal provision on Online Identification Regulation describes the following terms:
- Official photo identification document: an official photo identification document containing optical security features that are at least comparable to holographic elements;
- Screenshot: a graphical representation generated and stored by means of electronic data processing. It reproduces the content shown on screen as a visual component of the online identification process. The quality of the screenshot corresponds to the respective standards for verification and documentation purposes. If a customer provides electronically-signed photo identification documents for verification, there is no need to keep screenshots.
- Processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the financial service provider.
- Biometric identification processes: automated online identification processes that run entirely or partially without the participation of a staff member.
Online biometric identification specifics
Before, financial service providers onboarded customers through operator-involved video identification. Now, financial service providers have the option to use fully automated biometric procedures for online identity verification that do not involve human intervention.
According to the amendments, the biometric identification process covers a presence check (a multi-step process of customer verification, including a liveness check), collecting electronically signed ID (with NFC chip) data instead of taking screenshots, and consent to biometric data processing. Also, the process must be technologically advanced and meet the same security requirements as “in-person” identification.
Let’s analyze each of these requirements in detail.
- Presence check
This can be either active or passive. An active presence check consists of the steps below:
1. To prove that the right person is present during biometric identification, applicants are asked to move their head and show their face. This step can be completed through the liveness check;
2. Upon request, the potential customer communicates/enters the following:
   - the serial number of an individual official photo identification document;
   - a string of characters or words of at least four characters in length generated randomly by the financial service provider.
3. The employee records a video of the biometric identification process (process step recording).
At the moment of article publication, the FMA has provided no specifications for passive presence checks.
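The active presence check described above, as an added example that is not part of the original article: a hypothetical `PresenceCheck` session that issues the random string of at least four characters, binds it to a single live session, compares the applicant's answers against the signed ID data, and keeps a per-step result record of the kind the documentation requirement calls for. The ID serial number, challenge alphabet and time-to-live are constructed assumptions.

```python
"""Active presence check challenge for biometric online identification.

Added example, not code from the original article. `PresenceCheck` is a
hypothetical session object; the ID serial numbers and answers used with
it are constructed sample values.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Alphabet without 0/O and 1/I so a spoken or typed answer is not misread (assumption).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
MIN_CHALLENGE_LEN = 4          # regulation: at least four characters
CHALLENGE_TTL_SECONDS = 120    # assumption: the answer must arrive within the live session


def generate_challenge(length: int = 6) -> str:
    """CSPRNG-backed random string the applicant must read or enter on camera."""
    if length < MIN_CHALLENGE_LEN:
        raise ValueError("challenge must be at least four characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class PresenceCheck:
    id_serial_on_document: str                   # serial read from the signed ID data
    challenge: str = field(default_factory=generate_challenge)
    issued_at: float = field(default_factory=time.time)
    used: bool = False
    steps: list = field(default_factory=list)    # per-step results for the record

    def _log(self, step: str, ok: bool, detail: str = "") -> None:
        self.steps.append({"step": step, "ok": ok, "detail": detail, "at": time.time()})

    def verify(self, liveness_passed: bool, serial_answer: str,
               challenge_answer: str, now=None) -> bool:
        """Return True only if every step of the active presence check passed."""
        now = time.time() if now is None else now
        if self.used:
            self._log("challenge", False, "challenge already consumed")
            return False
        self.used = True                  # single use: a replayed recording cannot pass
        self._log("liveness", liveness_passed)
        fresh = now - self.issued_at <= CHALLENGE_TTL_SECONDS
        self._log("freshness", fresh)
        serial_ok = hmac.compare_digest(serial_answer.strip().upper(),
                                        self.id_serial_on_document.upper())
        self._log("serial", serial_ok)
        challenge_ok = hmac.compare_digest(challenge_answer.strip().upper(), self.challenge)
        self._log("challenge", challenge_ok)
        return all([liveness_passed, fresh, serial_ok, challenge_ok])
```

The `steps` list is what would be written to the identification record alongside the video, so that each separate verification step and its outcome is documented.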
For the biometric online identification process, only IDs signed electronically by the issuing authority can be used. Data from such IDs must be used instead of screenshots of the ID. However, the FMA still recommends keeping electronic copies of the front and back of IDs in addition to the data recording.
The ID used must contain an electronic security chip (NFC chip). This will be obligatory for the biometric identification procedure from January 1st, 2023. Financial service providers are obliged to verify the authenticity of the electronic signature and the integrity of the data. For this purpose, the NFC chip must be read out, for instance, through an NFC reader on a mobile phone.
- Consent to processing biometric data
If a financial service provider uses a biometric identification process for KYC, it should notify the customer and obtain their consent to the processing of biometric data under Article 9(2)(a) of the EU GDPR.
- Compliance with the requirements
The biometric identification process should:
- correspond to the technological “state of the art”;
- be updated on an ad hoc basis;
- achieve a level of security that is at least comparable to the online identification process conducted by a staff member;
- be documented by the financial service provider in a comprehensible manner. This means that, in any case, the process must cover the security factors applied in the identity verification as well as the results of separate verification steps.
Online customer onboarding can be performed with an AI-powered solution, which checks biometric data and submitted documents to provide immediate results. Unlike the operator-assisted video verification procedure, the process doesn’t require an employee’s involvement during onboarding.
At the same time, previous identification methods, such as video identification, will still be an option.
How to stay compliant
If financial service providers prefer using biometric identification processes instead of video verification, there are a few things to remember.
To onboard customers online through biometrics in line with the FMA online identification regulation, financial service providers need to do the following:
1. Use appropriate technical and security measures. Financial service providers must take appropriate measures to protect the integrity and security of their verification procedures, including regular active monitoring measures, so that all risks are recognized and mitigated without delay. The biometric identification process must technologically correspond to the level of risk, and achieve a level of security that is at least comparable to the online identification process conducted by a staff member. Commonly used security standards on information security and biometric processing, such as those provided by the ISO, may be used.
2. Check for presence. This refers to the process of ensuring the actual participation of a potential customer in the online identification process. To do so, it is necessary to record a video of the whole presence check process.
3. Record-keeping. Financial service providers are required to document biometric identification processes in a comprehensible manner. This includes:
   - keeping the recordings made for online identification purposes, such as opening a bank account and so on;
   - keeping records of the presence check process (including audio, if available).
4. Work with the processor. If the financial service provider involves a processor to conduct the online identification process, it should make sure that the processor’s security measures comply with the FMA’s online identification regulations. However, this does not mean that the processor is solely liable for meeting these requirements, since necessary actions are expected to be undertaken on both sides. In the course of cooperation with the processor, the company should establish its rights and responsibilities in written form.
There are already some concerns about requiring electronically-signed ID documents with NFC chips.
- Many ID cards, especially non-Austrian ones (including foreign passports of CEE/SEE countries outside the EU), lack NFC chips (or have included this feature very recently and are not yet active and valid);
- NFC-enabled mobile devices become essential for passing biometric KYC verification.
This means that if a smartphone is not technically capable of reading NFC chips, users will need to install a separate application which makes the onboarding process less user-friendly. Therefore, requiring NFC-enabled IDs may be a significant drawback for financial service providers, since this negatively affects the customer experience and increases the drop-off rate.
However, the FMA has provided a transitional period until December 31, 2022. During this period, there may be clarifications concerning the use of NFC technology or ID cards without electronic signatures.
The latest FMA amendments for Austrian financial service providers prove once again that in-person identification is becoming a thing of the past, and that businesses now have an opportunity to choose digital alternatives. One of these alternatives is implementing entirely automated biometric identification for online customer onboarding.
However, biometric identification nonetheless raises compliance-related concerns, since it requires NFC technology and ID cards with electronic signatures. Therefore, Austrian financial service providers must strike a balance between the full implementation of biometric identification and regulatory compliance.