EBA Remote Customer Onboarding Guidelines — Compliance Playbook
EBA’s remote onboarding guidelines require EU financial institutions to retool digital KYC programs with risk-based identity proofing, third-party oversight, and tested controls before the October 2023 application date.
Executive briefing: On the European Banking Authority (EBA) published its Guidelines on remote customer onboarding (EBA/GL/2022/15). The guidelines, applicable from , clarify supervisory expectations for financial institutions performing customer due diligence (CDD) without physical interaction. Banks, payment institutions, and electronic money issuers must embed risk-based controls across identity proofing, liveness detection, document verification, data quality, and outsourcing. Senior management and compliance officers need to ensure remote onboarding solutions align with anti-money laundering and countering the financing of terrorism (AML/CFT) frameworks, GDPR data protection requirements, and national competent authority (NCA) guidelines.
The guidelines cover a broad set of obliged entities under the Fourth and Fifth Anti-Money Laundering Directives (AMLD4/5). They address the entire onboarding lifecycle—from risk assessments and technology selection to record keeping and monitoring. Financial institutions must document how they assess customer risk, verify identity documents, conduct biometric checks, and ensure secure data handling. The EBA emphasizes that remote onboarding should achieve the same assurance level as face-to-face processes, with controls proportionate to risk. Institutions must maintain oversight over third-party providers delivering digital identification, liveness detection, or video verification services, ensuring contractual arrangements preserve accountability.
Risk assessment and governance foundations
Institutions must update their AML/CFT risk assessments to capture risks introduced by remote onboarding channels. This includes evaluating customer segments, geographies, products, distribution channels, and technologies used. The risk assessment should inform the selection of onboarding tools and the level of verification required. Boards should approve remote onboarding strategies, assign accountable executives (often the chief compliance officer or money laundering reporting officer), and ensure policies articulate responsibilities for operations, IT, and AML teams. Governance frameworks should cover change management, model risk oversight for automated decisioning, and reporting to senior management on key risk indicators.
Policies must explicitly describe when remote onboarding is permissible, the evidence required to verify customers, and scenarios that trigger enhanced due diligence or denial. Document decision trees that escalate higher-risk customers—for example, politically exposed persons (PEPs), complex ownership structures, or customers from high-risk jurisdictions—to manual review. Establish thresholds for risk scoring that differentiate retail customers, SMEs, and corporate clients, acknowledging differing verification requirements.
Identity proofing controls and technology assurance
The guidelines require robust identity proofing processes. Institutions must verify the authenticity and integrity of government-issued documents, including security features, holograms, and machine-readable zones. Digital solutions should detect document tampering, deepfakes, or synthetic identities. Biometric verification (facial recognition, liveness detection) must include safeguards against presentation attacks such as printed photos, masks, or deepfake videos. The EBA expects institutions to conduct pre-deployment testing, ongoing performance monitoring, and periodic independent validation of biometric algorithms to detect bias and accuracy degradation.
Where qualified trust service providers (QTSPs) or national electronic identification schemes (eIDAS) are used, institutions must verify the assurance levels and ensure they meet national regulatory requirements. For automated verification, document the algorithms used, input data, output decisions, and fallback procedures. Maintain explainability documentation for AI-driven components to demonstrate compliance with forthcoming EU AI Act obligations. Implement controls for data capture quality, including guidance to customers on lighting, document positioning, and network stability during onboarding sessions.
Data integrity, security, and privacy
The EBA stresses secure data handling. Institutions must ensure that data captured during onboarding (images, video recordings, metadata) is encrypted in transit and at rest, stored within the EU/EEA or jurisdictions with adequate data protection, and retained only as long as necessary. Conduct Data Protection Impact Assessments (DPIAs) when introducing new technologies, documenting legal bases, data minimization steps, and customer consent flows. Ensure alignment with GDPR Articles 5 and 32, covering integrity, confidentiality, and accountability. Access to onboarding data should be limited to personnel with legitimate roles, supported by role-based access control, logging, and regular access reviews.
To guarantee data quality, implement validation checks that flag incomplete or inconsistent information. Automate cross-referencing of captured data with reliable sources such as government databases, credit bureaus, or trusted third-party registries. For corporate customers, verify beneficial ownership using national company registers and cross-check with European Beneficial Ownership Registries. Implement procedures to refresh data periodically and to update records when customers notify changes.
Outsourcing and third-party oversight
Many institutions rely on technology providers for video identification, biometric verification, or document authenticity checks. The guidelines require that outsourcing arrangements comply with EBA outsourcing guidelines (EBA/GL/2019/02). Contracts must stipulate performance metrics, security requirements, audit rights, and data protection obligations. Institutions remain fully accountable and must have contingency plans if providers fail to deliver. Conduct due diligence on providers’ security certifications (ISO/IEC 27001, ISO/IEC 30107), data residency, and incident response capabilities. Monitor service-level agreements, review independent audit reports, and test exit strategies periodically.
Where agents or intermediaries assist with onboarding, institutions must ensure they follow the same procedures and training, with clear segregation of duties and oversight mechanisms. Maintain an inventory of outsourced processes and regularly review risk assessments to reflect provider changes.
Ongoing monitoring and enhanced due diligence
Remote onboarding does not end at account opening. Institutions must perform ongoing monitoring proportionate to risk, including transaction monitoring, periodic KYC refreshes, and screening against sanctions and adverse media lists. Use analytics to identify unusual behavior patterns—for example, multiple accounts opened from the same device or IP address, sudden transaction spikes, or attempts to circumvent thresholds. For higher-risk customers, implement enhanced due diligence measures such as verifying source of funds, obtaining additional documentation, or conducting video interviews.
Establish feedback loops where monitoring outcomes inform the effectiveness of onboarding controls. For instance, if fraud detection identifies accounts opened with synthetic identities, review whether document verification or biometric checks need enhancement. Maintain metrics on false positives and false negatives to calibrate systems.
Testing, assurance, and regulatory engagement
The EBA expects institutions to test their remote onboarding frameworks before launch and periodically thereafter. Conduct user acceptance testing, penetration testing, and adversarial simulations (red teaming) focusing on identity spoofing, document forgery, and system resilience. Engage internal audit to evaluate governance, control design, and operational effectiveness. Document test methodologies, results, remediation actions, and retest outcomes. Regulatory compliance teams should prepare evidence packs demonstrating adherence to each guideline paragraph, ready for supervisory reviews.
Institutions should proactively engage with NCAs, especially when deploying innovative onboarding solutions. Provide regulators with implementation plans, risk assessments, and testing evidence. Monitor EBA Q&As, national guidance, and AML/CFT policy developments that may influence remote onboarding expectations. Coordinate with industry bodies to share best practices and emerging risks.
Customer experience and communication
Balancing compliance with user experience is critical. Provide customers with clear instructions, accessible support channels, and privacy notices explaining data usage. Offer alternatives for customers unable to complete digital onboarding (e.g., branch visits, notarized documents). Implement accessibility features for individuals with disabilities, including language support, adaptive interfaces, and assistance options.
Track customer drop-off rates, onboarding times, and satisfaction metrics to identify friction points. Collaborate with product and UX teams to improve flows without compromising security. Ensure frontline staff and customer support teams are trained to handle escalation scenarios, fraud alerts, and privacy inquiries.
By aligning remote onboarding programs with the EBA guidelines—covering governance, technology assurance, data protection, and outcome testing—financial institutions can deliver compliant, scalable digital account opening while maintaining robust defenses against financial crime.
Continue in the Compliance pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
Third-Party Risk Oversight Playbook — Zeph Tech
Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.
-
Compliance Operations Control Room — Zeph Tech
Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.
-
SOX Modernization Control Playbook — Zeph Tech
Modernize Sarbanes-Oxley (SOX) compliance by aligning PCAOB AS 2201, SEC management guidance, and COSO 2013 controls with data-driven testing, automation, and board reporting.