know your customer: corporate customer verification in the … · 2019-03-25 · relevance for the...
TRANSCRIPT
March 2019
Know Your Customer: Corporate customer
verification in the Single Market
The digital transformation is one of the key challenges today – also for the financial industry. The Associati-
on of German Banks is meeting this challenge by, among other things, cooperating with start-ups from the
financial sector, fintechs. The cooperation was institutionalised in the Digital Banking Project Committee,
which is vigorously driving forward the cross-cutting issue of digitalisation. The committee is a high-level
body comprising bank Chief Digital Officers (CDOs) and leading figures from the German fintech scene. The
present paper is the result of intensive cooperation between banks and fintechs.
Contacts at the Association of German Banks:
Tobias Frey | Legal Affairs | [email protected]
Dr. Hendrik Hartenstein | Corporate Finance | [email protected]
Mario Labes | Fiscal Affairs | [email protected]
Tobias Tenner | Digital Banking | [email protected]
Common positions of banks and fintechs
Andreas Krautscheid, Hauptgeschäftsführer, Staatsminister a.D.
bankenverband
Positionen 3
Preamble
The financial services sector is undergoing a radical
transformation affecting corporate customers in particu-
lar. New companies, so-called “fintechs”, have entered
the market with new business models and new products.
The Association of German Banks (BdB) is responding to
this transformation: it supports cooperation between
banks and fintechs and is instrumental in ensuring that
common positions can be drafted.
A feature of many banks and fintechs is that they operate
across national borders. This poses specific challenges:
in the face of digitalisation, cross-border companies are
increasingly addressing the question of the extent to
which processes can be performed uniformly and cen-
trally for the entire company from one EU member state,
taking account of national legislation in each case. The
primary focus here is on the so-called „know your custo-
mer“ (KYC) processes1, which are of crucial importance
to all companies operating in the financial marketplace.
A particular problem in this context is that different ar-
rangements in EU member states hinder cross-border
digital approaches to customer acceptance by financial
institutions and others obliged to comply with KYC re-
quirements („obliged entities“).
The European Commission shares this view: it noted in its
Green Paper on retail financial services of 10 December
2015 that the differences between legislation in force in
member states seriously affect the costs and risks associ-
ated with cross-border retail financial services2.
To blame for the fact that in most cases KYC processes
cannot be used or reused either digitally or across bor-
ders within the EU are differing requirements with re-
gard to the following questions:
1 The term “KYC processes”, as used in the present position paper, means the collection and
verification of data due to legal requirements. The relevant requirements follow, in particu-
lar, from the EU member states’ anti-money laundering laws, but also from tax regulations
– in Germany, for example, from the Fiscal Code and other strictly national provisions or
provisions reflecting EU law.
2 The Commission’s finding in the Green Paper applies likewise to wholesale financial
services.
(1) Which natural or legal persons should be assigned
which roles (contracting parties, persons authorised to
draw on the account, acting persons, legal representati-
ves or beneficial owners3 )?
(2) Which data should be collected on these roles?
(3) Which type of verification of the data collected
should be used and on which scale should verification
be carried out?
(4) Which conditions should be fulfilled for the reusabili-
ty of completed KYC processes?
Whenever they enter into a business relationship with
an obliged entity – both across borders and within an EU
member state – corporate customers are usually forced
to undergo the KYC process all over again. This is incon-
venient for them, impedes cross-border use of financi-
al products and undermines efforts to achieve digital,
efficient and user-friendly cross-border KYC solutions.
Above all, it is diametrically opposed to the EU’s funda-
mental objective of facilitating and encouraging cross-
border business.
The Second Payment Services Directive (“PSD2” (EU)
2015/2366) does not improve the situation in this res-
pect either. While this directive essentially deals with
cross-border and secure payment services, the functions
it addresses (e.g. access to bank interfaces) would be ge-
nerally apt to support the digital Single Market through
the transfer of data and thus allow the reuse of KYC pro-
cesses on behalf of customers. However, specific rules
on whether and how these interfaces may be used to
perform KYC processes otherwise required under the
law are missing.
3 German legislation calls persons who control a significant part of companies “economic
beneficiaries”. Superordinate EU legislation and Austrian laws refer to “beneficial owners”.
The legal concept as such is not defined uniformly. The present position paper uses the
term “beneficial owners” as the term inherent in EU law.
4 Positionen
the European Supervisory Authorities (ESAs) on 23 Ja-
nuary 2018. The ESAs’ right approach does not go far
enough, though, since the reusability of KYC proces-
ses is not yet on the authorities’ agenda.
In this position paper, drafted jointly by banks and
fintechs, the Association of German Banks wishes to
draw attention to the existing challenges and propose
regulatory solutions.
The requirement to perform new KYC processes eve-
ry time because a completed KYC process may not be
reusable increases the administrative burden on ob-
liged entities and corporate customers alike. Yet the
basic need for innovative KYC process solutions at
European level is, in fact, acknowledged. This is un-
derlined, for example, by the “Opinion on the use of
innovative solutions by credit and financial institutions
in the customer due diligence process”, published by
�� uniformly defining on a rules basis the KYC data to be collected for corporate customers as contracting parties, their
beneficial owners and for persons who indicate that they intend to act on behalf of customers (natural persons with
right of representation such as legal or contractual representatives, the so-called “persons authorised to draw on
the account”) – and doing so solely in a single law/a single EU regulation,
�� unifying the documents admissible for verification and the up-to-dateness requirements,
�� unifying the requirements to be met under the updating procedure,
�� expanding the transparency register into a “golden source” KYC register which is open to obliged entities and public
authorities and from which an obliged entity can retrieve at any time the data to be collected for the various roles
and any verification documents that may be necessary,
�� remaining open to new (including private) verification procedures through automatic “most favourable treatment”
of procedures that are admitted in an EU member state and thus regarded as sufficiently secure,
�� creating a uniform interface to connect both existing and new verification procedures, and
�� permitting the reuse of KYC processes, performed in accordance with EU legal standards, on the basis of uniform
criteria both within and outside a corporate group.
This requires:
Needed: convenient, innovative and uniform KYC processes for the Single Market
bankenverband
Positionen 5
Definition of the roles to be addressed
Establishing uniform KYC processes requires uniform
EU-wide rules stipulating which conditions have to be
fulfilled to assign certain roles (e.g. contracting party,
person authorised to draw on the account, acting per-
son or beneficial owner) to natural and legal persons.
It has not yet been finally specified which roles actu-
ally need to be taken into account in the course of the
onboarding of corporate customers. Moreover, there
are no uniform rules stipulating which specific infor-
mation has to be collected and verified by an obliged
entity for which of the various roles when it is onboar-
ding a customer.
Ideally, it should be made clear EU-wide that the role
of the acting person in the case of companies is of no
relevance for the KYC process. The verification of right
of representation performed by the obliged entity in
any case under civil law suffices.
Collection of data
In the EU member states, different KYC data are coll-
ected, though not all European corporate customers
automatically have these at their disposal. Apart
from this, the data to be collected differ not only
from one member state to the next but also with
regard to the product (e.g. depository or custodial
account) for which verification is performed. This is
due in some cases to the fact that the requirements
under EU law regarding the data to be collected are
interpreted and applied differently.
Private banks and fintechs call for uniform EU-wide
definition of the KYC data to be collected for all pro-
ducts and roles, i.e. a minimum data set in line with
the principle of data minimisation. To satisfy this
principle of data minimisation, the reduced require-
ments that currently apply in isolated cases should
be specified EU-wide for all roles. An example in this
respect is the KYC process for persons authorised
to draw on an account under the Implementing Or-
dinance on Section 154 of the German Fiscal Code.
Generally speaking, only data that are actually nee-
ded to effectively combat money laundering and ter-
rorist financing and to comply with sanctions or tax
regulations should be collected. This should also be
data that can actually be requested from customers
and verified. Where beneficial owners are concer-
ned, such data are at best first name and surname
and – with sanction screening in mind – date of bir-
th and place of residence.
It should be noted at this point that the present
quantitative and qualitative requirements for KYC
data collected on beneficial owners should not be
raised further. This would not be feasible in practi-
ce, as there are hardly any objective and reliable
sources that can be used to verify data on beneficial
owners. Only a reliable KYC register containing the
data of interest to investigating authorities would
really help in this respect.
The criteria for identifying a low, simple, or high
risk of a particular customer laundering money or fi-
nancing terrorism are also defined differently within
the EU, though these determine, among other
things, the amount of data to be collected. Broadly
adopting a risk-based approach without providing
enough sufficiently concrete examples at European
level leads in this area to a complete fragmentation
of the Single Market. So that obliged entities can
in future collect uniform EU data sets on each role
that would then be more easily exchangeable within
a corporate group as well, a rules-based approach
6 Positionen
�� Address: German legislation uses different terms when it comes to the “address”, so that its wording alone does not make
clear what exactly is meant. The Anti-Money Laundering Act, for example, says that the beneficial owner’s “address” has
to be recorded. The transparency register, on the other hand, calls for entry of the beneficial owner’s “place of residence”.
Stipulating that recording the beneficial owner’s business address suffices would be appropriate. Practitioners only come
to this conclusion after laborious interpretation, however.
This problem is not a purely German phenomenon. There appears to be no uniform EU-wide approach on which address
should be collected for beneficial owners.
�� c/o address: a bank could also record a c/o address as the address of a corporate customer’s seat or head office, provided
this is noted in an official register as the address of the seat; this arrangement is not worded clearly enough, however. Cla-
rification is therefore required to the effect that, where registered corporate customers are concerned, the official register
is the principal source for collecting the data required. If obliged entities use the data contained in the register, they fulfil
the verification requirements, even if a c/o address is noted as the address of the seat.
�� Requirement to update customer data: the measures taken by obliged entities in connection with the (routine) updating
of KYC data vary widely in practice. Neither in Germany nor in Austria or Italy are there any sufficiently concrete require-
ments. The legal requirements are not precise enough particularly in regard to the customer’s duty to cooperate and use
of the customer’s confirmation. Where the customer confirms that the data collected by the obliged entity are correct
and complete, the obliged entity should be able to rely on this unless it itself has evidence to the contrary. This should be
made clear under the law..
�� Legal representatives: at present, the names of a corporate customer’s legal representatives have to be recorded in Ger-
many. Recording the name of only one legal representative would suffice, however. This has also been acknowledged by
the Federal Banking Supervisory Authority, BaFin, elsewhere: in its December 2018 guidance on application and interpre-
tation of the Anti-Money Laundering Act, it says that, when recording senior management officials as fictitious beneficial
owners, it suffices to record only one of those. Accordingly, the requirements for recording the legal representatives of
corporate customers should also be lowered as a whole. To ensure effective sanction screening, it should at the same
time be made clear that, in addition to their name, obliged entities should be allowed to collect at least their date of birth.
�� Tax Identification Number: In Germany, a corporate customers’ German tax number always has to be recorded; where
persons authorised to draw on the account or beneficial owners are concerned, their German tax identification number
(TIN) is required. Apart from discrimination of German residents, it appears that in this case – because of the need to
check whether no German TIN is actually available – the German arrangement may even discriminate indirectly against
citizens of other EU member states. The requirement to record the TIN or the tax number should therefore be dispensed
with for at least as long as there is no uniform EU-wide number.
Example:
should always be pursued. The relevant require-
ments for the various roles in question should be
dealt with exhaustively in a legal act at European
level (e.g. an EU regulation) and thus not be amen-
dable by national legislation.
bankenverband
Positionen 7
Verification of data
The requirements for verification of the KYC data to be
collected should be specified uniformly EU-wide as well.
That goes for both the documents needed for verifica-
tion and the scope of the verification measures that are
carried out in connection with either customer onboar-
ding or legally required updating.
The obligation to perform verification should, moreover,
be confined to KYC data that must be collected due to
legal requirements. Data that an obliged entity merely
collects on the basis of an authorisation to do so should
be exempted from mandatory verification.
In addition, it should be specified uniformly EU-wide
how long the documents that may be used for verifica-
tion of KYC data (e.g. an extract from a register, an eID
function or a qualified electronic signature) are deemed
to be up to date. The period within which their use is
possible should be long enough and the same as that
during which a KYC process already completed – pos-
sibly also by other obliged entities – may be reused. It
should, moreover, be made clear that the required data
may be collected from any officially operated register.
Obliged entities should be able to fully rely on the accu-
racy of such register data.
As regards the requirements for updating data, it should
be made clear that an obliged entity need not take any
further measures if there are no doubts about the accu-
racy of the previously collected data and the corporate
customer confirms their accuracy or continued validity.
Automatic most favourable treatment
Many member states currently use national solutions
for verification procedures. The result is a wide array
of different procedures – an essentially highly positive
innovative diversity from which hardly anyone benefits,
however, as long as procedures admitted for verification
in individual EU member states cannot be used equally
in all member states. There is no automatic mutual re-
cognition of a KYC process adopted in one member sta-
te. The absence of any such automatic most favourable
treatment delays the proliferation of user-friendly proce-
dures such as video identification. Particularly innovative
solutions such as video identification or the use of eID
functions are, however, vital for the digitalisation of the
Single Market and also deliver significant added value
when it comes to effectively combatting money launde-
ring and terrorist financing.
The approach providing for admission of uniform KYC
processes through notification to the European Commis-
sion under the eIDAS Regulation must be welcomed as
a first step in the right direction. Yet this step is by no
means sufficient to create a real level playing field and
simplify KYC processes for the benefit of customers. The
barriers to verification procedures under the eIDAS Re-
gulation are currently still very high, with the result that
in practice these procedures are only slowly gaining a
foothold in the marketplace. It would thus appear ad-
visable to lower the relevant requirements. Moreover, at
present only EU member states can notify KYC processes
to the Commission. There is no plausible reason to exclu-
de processes developed by the private sector from such
notification.
The best way to encourage innovative KYC processes is
to continue recognising new procedures and processes.
In addition, in line with the “most favourable treatment”
principle, all KYC processes admitted in member states
should be automatically admitted EU-wide. To allow ap-
plication of the “most favourable treatment” principle
in practice, the Commission should publicly operate and
maintain a list of the KYC processes admitted in member
states along with the necessary process requirements in
each case. Should this result in similar KYC processes, e.g.
two KYC processes for verification by video chat, being
admitted in different countries, it can be assumed that
the better process will ultimately prevail EU-wide. The
same goes for procedures whereby database providers
transmit KYC data collected from an official register to
obliged entities in compressed digital format. Virtually
simultaneous admission of highly similar KYC processes
8 Positionen
by different national supervisors in several EU member
states is, however, most unlikely in any case, given the
continuous dialogue that national supervisors conduct
with each other and with the European Supervisory
Authorities (ESAs). Application of the “most favourable
treatment” principle would therefore allow controlled
competition between innovative verification procedures
in the EU and thus at the same time strengthen the Euro-
pean Union as a digital financial marketplace.
Uniform interfaces
Creating a uniform interface allowing obliged entities to
easily connect and thus use existing and future KYC pro-
cesses would also be helpful. That goes particularly for
digital solutions. It should at the same time be ensured
that private innovative KYC processes are given the same
recognition status as processes that comply with the re-
quirements of the eIDAS Regulation.
An easing of the requirements under the eIDAS Regula-
tion for customer acceptance by the private sector – by
banks and fintechs, for example – would, moreover, be
welcome, since for every new process they wish to use
for KYC purposes obliged entities are currently required
to establish a separate technical interface to connect
it. This is costly, work-intensive and time-consuming
and means in practice that many obliged entities offer
only one or two innovative KYC processes. The barriers
to new technical solutions are thus unnecessarily high.
Also important in this context is that false security con-
siderations do not lead to innovative verification proce-
dures being tied to impracticable conditions such as the
requirement to make a “reference credit transfer”.
For corporate customers as well, uniform KYC processes
in the EU for both onboarding and updating would be
important. Such standardisation would mean that estab-
lishing (onboarding) and maintaining (updating) a cross-
border business relationship within the EU with one or
more obliged entities would be uncomplicated, without
any great need for adaptation.
�� Up-to-dateness of extracts from registers for companies: in Austria, an extract from the Commercial Register
that is to be used for verification purposes in a KYC process should not be older than six weeks at the most. In
Germany, there are currently no specific rules. It should be made clear which requirements are set for the age of
extracts from registers and for the form in which they should be obtained. A requirement to present a simple copy
of an extract in digital or analogue form would suffice. The maximum age for extracts should be fixed uniformly
EU-wide at a sufficiently long period of time.
�� Use of a driving licence to verify data: under the German Anti-Money Laundering Act, German driving licences
may not be used for verification of KYC processes, as they do not meet passport and identity document requi-
rements. In Austria, on the other hand, a driving licence may be presented for such purpose, provided it is an
Austrian one at any rate. Identification based on a driving licence is allowed in the UK as well.
�� Valid identity document containing a different address due to a change of address: There is no uniform ap-
proach on how verification is to be handled if, following a change of address at short notice, a valid identity do-
cument contains an address that differs from that indicated by the person authorised to draw on the account. It is
Examples:
bankenverband
Positionen 9
also unclear what the procedure is if an admissible identity document presented does not contain a full address
but only the place of residence, for example. In some instances, presentation of further documents may then be
required to fully verify the address; in other instances, such measures are dispensed with. The latter is the case
in Austria, for example: as not even the holder’s place of residence is indicated on an official Austrian identity
document, the address of the natural person to be identified is not verified in Austrian practice.
There is as yet no uniform and exhaustive EU-wide arrangement for dealing with such cases. However, as flexib-
le an approach as possible, i.e. risk-based reuse of initial verifications EU-wide, should be adopted here.
�� Video identification: Video identification was first admitted in Germany, where it subsequently proved success-
ful, particularly also in cross-border use. In some other EU member states that had not yet admitted the proce-
dure, this was seen as a competitive advantage to the detriment of national obliged entities. The consequence:
Austria, Luxembourg, Spain, Portugal and further EU member states have since admitted the German-type KYC
video identification procedure, adapted to their own domestic requirements and featuring in some cases diffe-
rent criteria. In other EU member states, including France and Poland, national admission of video identification
is planned.
What is basically a success story also has a downside, however, since ‘the wheel’ is ultimately being reinvented
in 28 EU member states for the KYC video identification process. Every EU member state sets different wheel
sizes and different spoke lengths, so that providers remain confined to their national market or have to tailor
their identification procedure separately to each member state. It goes without saying that this causes further
problems for cross-border reuse of these KYC processes.
The solution would be automatic recognition in all EU member states of a KYC process admitted by national
supervisors in one member state. This would preserve and foster the uniformity of the Single Market. Admission
by national supervisors would guarantee security and legal compliance of the new KYC process, and customers
would directly benefit from use of the new, convenient and innovative KYC process.
�� eID – electronic proof of identity: The German eID function of the identity document and the electronic resi-
dence permit for non-EU citizens is officially admitted within the EU as a cross-border means of verification. In
addition, there are plans to make it available on a card to non-German EU citizens as well.
The EU-wide usability of the German eID function for verification of natural persons is based on its notification
to the European Commission under the eIDAS Regulation. Germany was the first EU member state to officially
notify its eID function to the Commission. Also further EU member states, such as Italy, Spain, Luxembourg,
Belgium, Croatia and Estonia, have concluded notification processes.
The advantage of this national eID lies in the eIDAS Regulation, which applies equally to all 28 EU member
states. General use of the eID function as an EU means of verification is thus legally safe, officially recognised
on a permanent basis and technically secure. One weakness at present is, however, the only slowly emerging
customer acceptance of the use of this technically sophisticated and legally sound verification procedure.
10 Positionen
Further development of registers of beneficial owners
The private banks and fintechs believe that existing
registers of beneficial owners, such as the trans-
parency register in Germany, should be expanded
throughout the EU to become “golden source” KYC
registers. This means that these registers should con-
tain all the information that has to be collected and
verified on all roles. Obliged entities should be allo-
wed to store and process data from the register for
all necessary purposes, such as sanction screening or
identifying politically exposed persons.
Furthermore, companies should deposit in the re-
gisters digital copies of the identity cards or other
documents relating to their beneficial owners. The
Austrian register of beneficial owners, which is linked
to the national register of residents and contains co-
pies of the identity documents of non-resident be-
neficial owners, is a good example of best practice
(see box).
The registers should be filled and kept up to date by
the companies themselves. They are in the best positi-
on to do so, as they will invariably be better informed
and more up to date about their own affairs than are
third parties. In addition, they generally have better
contact with the beneficial owner, in particular, than
do obliged entities. It should be borne in mind that
there is no contractual relationship between the ob-
liged entity and the beneficial owner on the basis of
which the obliged entity could request information
from the beneficial owner.
It should be mandatory to identify the beneficial
owner on the basis of the relevant entries in the re-
gisters, so that the obliged entity can rely on the ver-
acity of the information. The requirement under the
Fifth Anti-Money Laundering Directive to report any
discrepancies to the registers of beneficial owners
could then be dropped, as could the obligation for
obliged entities to have their own measures in place
to identify beneficial owners. The corresponding pro-
visions, together with any existing reporting require-
ments for obliged entities concerning the beneficial
owner (e.g. reports to the file allowing automated
access to account data under section 24c of the Ger-
man Banking Act), should be deleted.
This approach would achieve practical simplifications
and is in the interests not only of obliged entities,
but also of corporate customers, and thus of the eco-
nomy as a whole. The KYC process would be much
easier for business customers since all the necessary
data on them could be retrieved direct from the KYC
registers and obliged entities would need to ask for
and verify much less information.
Access to the registers should be free of charge for
the purposes of fulfilling KYC requirements. Den-
mark, which offers general free access to its register,
represents best practice in the EU at present.
Once the planned EU-wide link-up of national re-
gisters of beneficial owners has been completed, it
should be made possible to access an extract from
any national register via a central European Union
website. It should be ensured that obliged entities
can obtain an extract with uniformly defined fields
and with the field names provided in all official lan-
guages of the EU (along the lines of an international
birth certificate). When the language of a member
state uses another alphabet, entries should be auto-
matically transcribed into the Latin alphabet on the
basis of uniform rules.
bankenverband
Positionen 11
The right approach: register of beneficial owners in Austria
�� In Austria, the register of beneficial owners contains extensive information on these persons. Reliable information about
the residential address is ensured by means of a link with the registers of residents. Copies of the identity cards of bene-
ficial owners from other EU member states must be deposited in the register by companies subject to registering requi-
rements. It would make good sense to adopt this second element, in particular, across the EU as it should be possible to
implement it in all member states irrespective of how the national register of residents is designed.
�� In addition, obliged entities in Austria are already permitted to rely conclusively on an “extended extract” from the re-
gister of beneficial owners and – if only simplified due diligence obligations have to be applied – on information about
beneficial owners from the register.
�� Although the information in the register cannot be accessed free of charge, the fees are generally lower than in Germa-
ny, for example. Furthermore, it is possible to minimise costs by purchasing various flat-rate access packages, which are
available in different sizes.
�� Even if the Austrian register of beneficial owners does not yet fully reflect the ideal described above – in particular,
limiting the ability to rely on the information to simplified due diligence obligations does not go far enough – it never-
theless comes very close. This makes it clear that a reliable register which offers genuine added value to obliged entities
and corporate customers is by no means an unattainable ideal.
Example:
Reusability
Private banks and fintechs call for uniform EU-wide
rules governing the conditions under which the fin-
dings of KYC checks may be reused. It is important
that their cross-border reuse within the EU is also
made possible.
Not only are there no standardised rules at all at pre-
sent on whether and, if so, under what conditions KYC
processes can be reused within EU member states, let
alone across borders. There are also no uniform rules
on the extent to which third parties may rely on KYC
processes that have already been completed. This is
true even if the customer agrees to a transfer of the
findings of a previously carried out KYC check.
Where reuse is permitted at least at national level,
this is the result sometimes of legislation and some-
times of administrative practice, but the permission
to reuse always covers only KYC processes carried out
in the same EU member state. As things stand, there-
fore, the cross-border reuse of KYC processes within
the EU is only possible to a limited extent and requi-
res considerable time and effort. This applies even to
the transfer of a previously completed KYC process
within a corporate group.
Owing to the downright chaotic divergence of na-
tional requirements, it is virtually impossible to es-
tablish uniform processes for reusing KYC processes
within a group – let alone for the reuse by third par-
ties (e.g. public authorities or other obliged entities
with which the corporate customer wishes to estab-
12 Positionen
lish business relations). There can consequently be
no question of a level playing field and thus a single
EU market when it comes to the reusability of KYC
processes.
It should therefore be permitted to reuse the findings
of KYC processes carried out in accordance with EU
law both for further KYC processes within a group of
companies and elsewhere across the EU. If an obli-
ged entity wished to exercise this option, the entity
which carried out the original KYC process would be
responsible for transmitting the correct data or using
an appropriate technical interface to pass it on in the
form of a standardised data set. It would need to be
made clear that the receiving entity could fully rely
on a KYC process carried out by the forwarding entity
in accordance with its national law, particularly if the
recipient belonged to the same group of companies
as the party originally conducting the KYC process.
Confidence in the KYC process
Confidence in the KYC process covers both trust in
the accuracy of the forwarded data and trust that any
forwarded documents are correct and complete. It
should possible to store KYC documents centrally at
one company in the group so that it would normally
be sufficient to transfer the collected data while (phy-
sical) documents would only have to be forwarded if
a particular need arose. Firms should have the opti-
on of either storing all documents centrally in one
place or storing documents locally at the unit dealing
with the customer in question. In the absence of EU-
wide customer due diligence standards, it should at
least be ensured that the local standards for the unit
dealing with the customer apply to the entire group.
This should also go for the frequency of updating
customer data.
European legislation already (via the legal require-
ments to be met for involving a reputable third party)
permits a third party to carry out a KYC process for
an obliged entity in accordance with the national law
applicable to that third party. There is no objective
justification for treating the performance of the KYC
process by a third party differently to the reuse of
an already completed KYC process by another com-
pany belonging to the same group. Nor should the
reuse of a completed KYC process within a group
be limited only to KYC processes carried out by
the group itself. There is no objective justification
for this restriction either, provided that there are
uniform EU-wide rules on the maximum age of a
completed KYC process and the accompanying do-
cuments obtained for verification purposes. There
should be no obligation to pass on the accompa-
nying documents, however. Obliged entities should
merely be granted the right to share both the data
set with the KYC data and the accompanying docu-
ments within a group.
Above all, it should also be made possible to reuse
a KYC process outside a group. The ability to reuse
KYC data instead of requiring the customer to go
through the process again could take the form out-
side a group of a risk-based decision by the second
obliged entity, enabling it to choose between reuse
and re-verification depending on factors such as the
age of the existing information.
Real-time KYC processes
Reusing data will make it possible to create innovati-
ve, customer-friendly, barrier-free, secure and cross-
border KYC processes that can be carried out in real
time. It would be possible, for instance, to conclude
an agreement for a new product with Bank B using
Bank A’s access data by simply transferring the re-
quired data and immediately processing it digitally.
Customers could save themselves the trouble of pro-
viding the data and going through the verification
process again and would have full control over who
transfers which data to whom. Security could be en-
sured by two-factor authentication, for example.
If reusability were permitted on a uniform basis
EU-wide, this would further promote digital trans-
formation and create opportunities for innovative
bankenverband
Positionen 13
database solutions to be effectively used by obliged
entities across the EU. It would also make it even
easier to switch banks within the customer’s home
state and to establish business relations in another
member state. This is in line with the declared ob-
jectives of the EU. For customers, reusability would
have the positive effect of dismantling major barriers
and obstacles to a true single market in the EU while
generally making it more convenient to make use of
the products and services offered by obliged entities.
In addition, it would make data repositories and the
history and transfer of data more transparent.
In the interests of corporate customers, in particular,
but also of obliged entities and public bodies, the-
re is therefore an urgent need for harmonised, EU-
wide rules on the reusability of KYC processes. Given
the need for full harmonisation in this area, it would
make good sense to introduce these rules by way of
an EU regulation, in which it should be made clear
that the receiving entity can fully rely on an identi-
fication carried out in accordance with national law.
The reuse of a KYC process should, moreover, be allo-
wed irrespective of whether the process in question
has been completed only recently or was carried out
some time ago but has been updated.
Looking further ahead, the reuse of KYC processes
(keyword: “digital identity”) does not need to be con-
fined only to the financial sector: reuse would also be
conceivable in the insurance, retail or administrative
sectors. If their data could be actively and frequent-
ly reused, customers would have a strong interest in
keeping their details up to date. In addition, a basis
for new business models (such as an “IdentityHub”)
would be created.
The conclusion is therefore clear: given the associ-
ated minimisation of costs and increase in efficien-
cy, all parties involved would benefit if the reuse of
all KYC processes carried out in accordance with EU
law were permitted on a uniform basis EU-wide. This
would also make an important contribution to com-
pleting the EU single market.
14 Positionen
�� Regulation of the reuse of KYC processes is highly fragmented in EU member states: In some EU member states,
the (standard) transfer of a KYC process requires the consent of, or at least notification to, supervisors (usually
data protection supervisors). We understand this to be the case, for example, in Austria and France (consent
requirement) and in Luxembourg and Italy (notification requirement).
�� In some cases, there are specific requirements regarding how old certain KYC documents may be: in Slovakia
and Austria, for instance, they should not be older than three months and six weeks respectively. Sometimes,
there is a vague requirement for the KYC process to be “up-to-date”: this applies in Luxembourg, for example. In
Austria, the supervisory authority also points out with reference to the case-law of the Austrian Higher Adminis-
trative Court that, in some cases, a several-day-old extract from the register may not be considered “conclusive”,
since the Austrian register is generally accessible to legal entities. This apparently also applies to extracts from
foreign registers if they are publicly accessible.
�� National requirements sometimes stipulate that foreign ID documents have to be translated into the local lan-
guage by a certified translator and presented along with the original. In addition, extracts from foreign regis-
ters may only be accepted in some member states (e.g. Austria) if they have been notarised or apostilled by an
official authority.
�� Finally, the use of a KYC process performed by another bank is only permissible in some EU member states
for anti-money laundering purposes. Other purposes, such as a streamlined and customer-friendly customer
onboarding process, are not allowed without the explicit consent of the customer; this applies in France, for
example. In some cases, the reuse of KYC processes is completely ruled out if enhanced due diligence require-
ments apply or is only possible if further checks are performed. This is true of Austria and Slovakia, for example.
Example:
bankenverband
Positionen 15
Annex: Summary of the mandatory data set to be obtained for the various roles
In the interests of all obliged entities, it is desirable to have clear rules on the data which firms have to report to
the KYC register about the various parties involved in a business relationship. Business relationships will commonly
involve the following:
1. Contracting party
2. Legal representative (who does not deal directly with the bank or have power of attorney over the account)
3. Beneficial owner (e.g. proprietor)
4. Person authorised to draw on the account/authorised representative (e.g. employee with power of attorney
over the account)
The following data sets for the following roles should be retrievable from the KYC register:
1. Contracting party:
- Name
- Type of enterprise
- Registration number (if available)
- Common European tax number or other legally required identification number
- Industry/sector
- Address of registered office as entered in the register
- Address of the head office (if the registered office is not the operational headquarters)
2. Legal representative (who does not deal directly with the bank or have power of attorney over the account):
- Name
- First name(s)
- Date of Birth
3. Beneficial owner:
- Name
- First name(s)
- Date of birth
- Country of residence
- Common European tax number or other legally required identification number
4. Person authorised to draw on the account/authorised representative (e.g. employee with power of
attorney over the account):
- Name
- First name(s)
- Date of birth
- Country of residence
- Common European tax number or other legally required identification number
- Scope of authorisation
N.B.: The entry of data on the authorised representative in the KYC register is voluntary.
The Association of German Banks can be contacted
by post:
Bundesverband deutscher Banken
P.O. Box 040307,
10062 Berlin
Germany
by email:
online:
bankenverband.de
by phone:
+49 30 1663-0
Publishing details | Publisher: Bundesverband deutscher Banken e. V., Postfach 040307, 10062 Berlin | Legally responsible: Oliver Santen bankenverband.de | Foto: ressourcenmangel | As at March 2019