The Cypriot Securities and Exchange Commission (CySEC) has introduced updated guidelines for digital customer onboarding, emphasizing technology neutrality, risk management, data protection (GDPR), and information security.
These new rules aim to provide flexibility in remote customer onboarding, enhancing both operational efficiency and regulatory compliance while improving the overall customer experience.
Overview
Last week, CySEC released a “Policy Statement on Enhancing the Non-Face-to-Face Customer Onboarding Process through Electronic Methods,” signaling a shift towards a more balanced and modernized approach that aligns with EU standards and technological developments. The statement focuses on key aspects such as technology neutrality, risk management, GDPR, and information security.
This updated framework is designed to empower organizations to leverage advanced technologies effectively, ensuring better compliance and an enhanced customer experience.
Rationale
As technology evolves, so must the regulations that govern it. This new policy builds on CySEC’s previous work, including its October 2020 consultation paper (CP-02-2020) and the European Banking Authority’s (EBA) October 2023 guidelines on Remote Customer Onboarding Solutions. The policy also reflects insights gained from CySEC’s Innovation Hub, which facilitates direct communication between regulatory technology (RegTech) firms and the regulator.
Applicability
The new guidelines are relevant to a broad range of entities regulated by CySEC, including investment firms, UCITS, AIFMs, and CASPs.
Key Updates:
- Selection of Remote Customer Onboarding Solutions (RCOS):
  - Entities must adopt a risk-based approach when selecting RCOS for Non-Face-to-Face (NFTF) onboarding.
  - RCOS can be used in a technology-neutral manner, allowing for the use of solutions outside the eIDAS Regulation scope.
  - Continuous monitoring of the relationship between entities and RCOS is required, but submission of a declaratory attestation is no longer necessary.
- Onboarding Process:
  - Video calls are no longer the sole method for customer onboarding.
  - Documentation for NFTF customers is no longer limited to passports; other forms of identification are now accepted.
  - Liveness detection is mandatory only for unattended solutions.
  - RCOS can now be used for onboarding not only natural persons but also legal entities.
  - Biometric verification no longer requires communication through SMS only, and address verification can be done using copies of original documents via RCOS.
Implementation Timeline
The amended CySEC Anti-Money Laundering Directive (AMLD) will take effect upon its publication in the Cypriot Official Gazette. The new rules related to RCOS will be enforceable starting December 1, 2024.
Additional Insights
The statement provides an extensive overview of considerations for customer onboarding, incorporating guidelines from the EBA. It underscores the importance of GDPR compliance and information security. It also highlights the necessity of assessing customer risk, including geographical risks, in line with ESMA’s recommendations for supervising cross-border investment activities.
Practical Advice:
The new rules stress the importance of selecting RCOS that:
- Offer quick adaptability to regulatory changes.
- Cover substantial parts of the onboarding process to simplify compliance.
- Include configurable Customer Risk Assessment (CRA) tools that account for jurisdictional risk.
- Ensure GDPR compliance, particularly regarding data usage.
- Maintain high security standards, ideally certified by ISO 27001 or equivalent.
Selecting the right RCOS can transform onboarding from a compliance burden into a competitive edge. CySEC’s updated guidelines empower firms to customize their onboarding processes, balancing efficiency, compliance, and customer satisfaction.