← Back to all briefings
Compliance 6 min read Published Updated Credibility 91/100

EBA Remote Customer Onboarding Guidelines — Compliance Playbook

EBA’s remote onboarding guidelines require EU financial institutions to retool digital KYC programs with risk-based identity proofing, third-party oversight, and tested controls before the October 2023 application date.

Kodi C.

Editor & Research Lead

Fact-checked and reviewed — Kodi C.

Compliance pillar illustration for Zeph Tech briefings
Compliance controls, audit, and evidence briefings

On the European Banking Authority (EBA) published its Guidelines on remote customer onboarding (EBA/GL/2022/15). The guidelines, applicable from , clarify supervisory expectations for financial institutions performing customer due diligence (CDD) without physical interaction. Banks, payment institutions, and electronic money issuers must embed risk-based controls across identity proofing, liveness detection, document verification, data quality, and outsourcing. Senior management and compliance officers need to ensure remote onboarding solutions align with anti-money laundering and countering the financing of terrorism (AML/CFT) frameworks, GDPR data protection requirements, and national competent authority (NCA) guidelines.

The guidelines cover a broad set of obliged entities under the Fourth and Fifth Anti-Money Laundering Directives (AMLD4/5). They address the entire onboarding lifecycle—from risk assessments and technology selection to record keeping and monitoring.

Financial institutions must document how they assess customer risk, verify identity documents, conduct biometric checks, and ensure secure data handling. The EBA emphasizes that remote onboarding should achieve the same assurance level as face-to-face processes, with controls proportionate to risk. Institutions must maintain oversight over third-party providers delivering digital identification, liveness detection, or video verification services, ensuring contractual arrangements preserve accountability.

Risk assessment and governance foundations

Institutions must update their AML/CFT risk assessments to capture risks introduced by remote onboarding channels. This includes evaluating customer segments, geographies, products, distribution channels, and technologies used.

The risk assessment should inform the selection of onboarding tools and the level of verification required. Boards should approve remote onboarding strategies, assign accountable executives (often the chief compliance officer or money laundering reporting officer), and ensure policies articulate responsibilities for operations, IT, and AML teams. Governance frameworks should cover change management, model risk oversight for automated decisioning, and reporting to senior management on key risk indicators.

Policies must explicitly describe when remote onboarding is permissible, the evidence required to verify customers, and scenarios that trigger improved due diligence or denial. Document decision trees that escalate higher-risk customers—for example, politically exposed persons (PEPs), complex ownership structures, or customers from high-risk jurisdictions—to manual review. Establish thresholds for risk scoring that differentiate retail customers, SMEs, and corporate clients, acknowledging differing verification requirements.

Identity proofing controls and technology assurance

The guidelines require strong identity proofing processes. Institutions must verify the authenticity and integrity of government-issued documents, including security features, holograms, and machine-readable zones. Digital solutions should detect document tampering, deepfakes, or synthetic identities. Biometric verification (facial recognition, liveness detection) must include safeguards against presentation attacks such as printed photos, masks, or deepfake videos. The EBA expects institutions to conduct pre-deployment testing, ongoing performance monitoring, and periodic independent validation of biometric algorithms to detect bias and accuracy degradation.

Where qualified trust service providers (QTSPs) or national electronic identification schemes (eIDAS) are used, institutions must verify the assurance levels and ensure they meet national regulatory requirements. For automated verification, document the algorithms used, input data, output decisions, and fallback procedures. Maintain explainability documentation for AI-driven components to show compliance with forthcoming EU AI Act obligations. Implement controls for data capture quality, including guidance to customers on lighting, document positioning, and network stability during onboarding sessions.

Data integrity, security, and privacy

The EBA stresses secure data handling. Institutions must ensure that data captured during onboarding (images, video recordings, metadata) is encrypted in transit and at rest, stored within the EU/EEA or jurisdictions with adequate data protection, and retained only as long as necessary.

Conduct Data Protection Impact Assessments (DPIAs) when introducing new technologies, documenting legal bases, data minimization steps, and customer consent flows. Ensure alignment with GDPR Articles 5 and 32, covering integrity, confidentiality, and accountability. Access to onboarding data should be limited to personnel with legitimate roles, supported by role-based access control, logging, and regular access reviews.

To guarantee data quality, implement validation checks that flag incomplete or inconsistent information. Automate cross-referencing of captured data with reliable sources such as government databases, credit bureaus, or trusted third-party registries. For corporate customers, verify beneficial ownership using national company registers and cross-check with European Beneficial Ownership Registries. Implement procedures to refresh data periodically and to update records when customers notify changes.

Outsourcing and third-party oversight

Many institutions rely on technology providers for video identification, biometric verification, or document authenticity checks. The guidelines require that outsourcing arrangements comply with EBA outsourcing guidelines (EBA/GL/2019/02). Contracts must require performance metrics, security requirements, audit rights, and data protection obligations.

Institutions remain fully accountable and must have contingency plans if providers fail to deliver. Conduct due diligence on providers’ security certifications (ISO/IEC 27001, ISO/IEC 30107), data residency, and incident response capabilities. Monitor service-level agreements, review independent audit reports, and test exit strategies periodically.

Where agents or intermediaries assist with onboarding, institutions must ensure they follow the same procedures and training, with clear segregation of duties and oversight mechanisms. Maintain an inventory of outsourced processes and regularly review risk assessments to reflect provider changes.

Ongoing monitoring and improved due diligence

Remote onboarding does not end at account opening. Institutions must perform ongoing monitoring proportionate to risk, including transaction monitoring, periodic KYC refreshes, and screening against sanctions and adverse media lists. Use analytics to identify unusual behavior patterns—for example, multiple accounts opened from the same device or IP address, sudden transaction spikes, or attempts to bypass thresholds. For higher-risk customers, implement improved due diligence measures such as verifying source of funds, obtaining additional documentation, or conducting video interviews.

Establish feedback loops where monitoring outcomes inform the effectiveness of onboarding controls. For example, if fraud detection identifies accounts opened with synthetic identities, review whether document verification or biometric checks need improvement. Maintain metrics on false positives and false negatives to calibrate systems.

Testing, assurance, and regulatory engagement

The EBA expects institutions to test their remote onboarding frameworks before launch and periodically thereafter. Conduct user acceptance testing, penetration testing, and adversarial simulations (red teaming) focusing on identity spoofing, document forgery, and system resilience. Engage internal audit to evaluate governance, control design, and operational effectiveness. Document test methodologies, results, remediation actions, and retest outcomes. Regulatory compliance teams should prepare evidence packs demonstrating adherence to each guideline paragraph, ready for supervisory reviews.

Institutions should early engage with NCAs, especially when deploying new onboarding solutions. Provide regulators with setup plans, risk assessments, and testing evidence. Monitor EBA Q&As, national guidance, and AML/CFT policy developments that may influence remote onboarding expectations. Coordinate with industry bodies to share good practices and emerging risks.

Customer experience and communication

Balancing compliance with user experience is critical. Provide customers with clear instructions, accessible support channels, and privacy notices explaining data usage. Offer alternatives for customers unable to complete digital onboarding (for example, branch visits, notarized documents). Implement accessibility features for individuals with disabilities, including language support, adaptive interfaces, and assistance options.

Track customer drop-off rates, onboarding times, and satisfaction metrics to identify friction points. Collaborate with product and UX teams to improve flows without compromising security. Ensure frontline staff and customer support teams are trained to handle escalation scenarios, fraud alerts, and privacy inquiries.

By aligning remote onboarding programs with the EBA guidelines—covering governance, technology assurance, data protection, and outcome testing—financial institutions can deliver compliant, flexible digital account opening while maintaining strong defenses against financial crime.

More on this topic

Further reading from our research library.

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Third-Party Risk Oversight Playbook

    Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

  • Compliance Operations Control Room

    Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

  • ESG Assurance Operating Guide

    Deploy credible ESG assurance across CSRD, SEC climate disclosure, and ISSA 5000 requirements with regulator-aligned controls, data governance, and audit-ready evidence.

Coverage intelligence

Published
Coverage pillar
Compliance
Source credibility
91/100 — high confidence
Topics
EBA remote onboarding · AML/CFT compliance · Digital identity controls · Financial crime governance
Sources cited
3 sources (eba.europa.eu, iso.org)
Reading time
6 min

Source material

  1. EBA Guidelines on remote customer onboarding — European Banking Authority
  2. EBA publishes Guidelines on remote customer onboarding — European Banking Authority
  3. ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization
  • EBA remote onboarding
  • AML/CFT compliance
  • Digital identity controls
  • Financial crime governance
Back to curated briefings

Comments

Community

We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.

    Share your perspective

    Submissions showing "Awaiting moderation" are in review. Spam, low-effort posts, or unverifiable claims will be rejected. We verify submissions with the email you provide, and we never publish or sell that address.

    Verification

    Complete the CAPTCHA to submit.