Despite being in one of Europe’s largest financial centers, Austrian businesses onboarded customers manually for a long time. This was problematic, since traditional Know Your Customer (KYC) procedures were time-consuming, error-prone, and required a lot of financial and human resources.
Austria’s first step toward digitalization was video-based identification for onboarding new customers, which the Austrian Financial Market Authority (FMA) approved on January 3rd, 2017. This gave businesses the opportunity to onboard their customers remotely by identifying them through a video chat.
Then, in November 2021, the Austrian Financial Market Authority (FMA) issued an amendment to the Austrian Online Identification Regulation (“Online-Identifikationsverordnung”) that allowed fully automated biometric procedures for identity verification under the Austrian Anti-Money Laundering Act (Finanzmarkt-Geldwäschegesetz). This means that banks, financial institutions and other entities subject to Anti-Money Laundering (AML) regulations can now use biometric identity verification in addition to previous verification means.
Austria’s recently amended regulations allow the use of biometric KYC onboarding for the following businesses, which fall under Austrian AML and KYC requirements issued by the Financial Market Authority (FMA):
For convenience, we will use the blanket term “financial service providers” in this article.
In the context of the amendments, the FMA’s legal provision on Online Identification Regulation describes the following terms:
Before, financial service providers onboarded customers through operator-involved video identification. Now, financial service providers have the option to use fully automated biometric procedures for online identity verification that do not involve human intervention.
According to the amendments, the biometric identification process covers a presence check (a multi-step process of customer verification, including a liveness check), collecting electronically signed ID (with NFC chip) data instead of taking screenshots, and consent to biometric data processing. Also, the process must be technologically advanced and meet the same security requirements as “in-person” identification.
Let’s analyze each of these requirements in detail.
This can be either active or passive. The first includes the steps below:
3. The employee records a video of the biometric identification process (process step recording).
At the time of this article's publication, the FMA has provided no specifications for passive presence checks.
For the biometric online identification process, only IDs signed electronically by the issuing authority can be used. Data from such IDs must be used instead of screenshots of the ID. However, the FMA still recommends keeping electronic copies of the front and back of IDs in addition to the data recording.
The ID used must contain an electronic security chip (NFC chip). This will be obligatory for the biometric identification procedure from January 1st, 2023. Financial service providers are obliged to verify the authenticity of the electronic signature and the integrity of the data. For this purpose, the NFC chip must be read out, for instance, through an NFC reader on a mobile phone.
If a financial service provider uses a biometric identification process for KYC, it should notify the customer and obtain their consent to the processing of biometric data under Article 9 (2) a) of the EU GDPR.
The biometric identification process should:
Online customer onboarding can be performed with an AI-powered solution, which checks biometric data and submitted documents to provide immediate results. The process doesn’t require an employee’s involvement during the onboarding procedure, which the operator-assisted video verification procedure does require.
At the same time, previous identification methods, such as video identification, will still be an option.
If financial service providers prefer using biometric identification processes instead of video verification, there are a few things to remember.
To onboard customers online through biometrics in line with the FMA online identification regulation, financial service providers need to do the following:
4. Work with the processor. If the financial service provider involves a processor to conduct the online identification process, it should make sure that the processor’s security measures comply with the FMA’s online identification regulations. However, this does not mean that the processor is solely liable for meeting these requirements, since necessary actions are expected to be undertaken on both sides. In the course of cooperation with the processor, the company should establish its rights and responsibilities in written form.
There are already some concerns about requiring electronically signed ID documents with NFC chips.
This means that if a smartphone is not technically capable of reading NFC chips, users will need to install a separate application, which makes the onboarding process less user-friendly. Therefore, requiring NFC-enabled IDs may be a significant drawback for financial service providers, since this negatively affects the customer experience and increases the drop-off rate.
However, the FMA has provided a transitional period until December 31, 2022. During this period, there may be clarifications concerning the use of NFC technology or ID cards without electronic signatures.
The latest FMA amendments for Austrian financial service providers prove once again that in-person identification is becoming a thing of the past, and that businesses now have an opportunity to choose digital alternatives. One of these alternatives is implementing entirely automated biometric identification for online customer onboarding.
However, biometric identification nonetheless raises compliance-related concerns, since it requires NFC technology and ID cards with electronic signatures. Therefore, Austrian financial service providers must strike a balance between the full implementation of biometric identification and regulatory compliance.