Stanowisko UKNF dot. prawidłowego wykorzystania w sektorze finansowym rozwiązań w zakresie nawiązywania stosunków gospodarczych bez fizycznej obecności klienta

KNF has released a list of their view on best practices for fulfilling the requirements (by institutions) that stem from the Law from 1 March 2018 on anti-money laundering and combating the financing of terrorism, especially when:
– business relations with new counterparties commence without the physical presence of the client
– activities are outsourced to third parties
– introducing internal control and risk management when security measures towards the client takes place remotely
Currently it is required for institutions to perform KYC processes on a new client, which includes a background check on potential AML and CFT topics. To perform this, the institution requires an identification document (or documents). The institution is required to introduce thorough, complete, and adequate internal procedures to capture potential risks accordingly. It is also encouraged to address the issues on an individual level if the client requires additional background checks due to insufficient information or limited availability of resources.
All institutions are required to create and update internal procedures for commencing business activities with new clients where the client is not physically present. These procedures must contain at least:
– a description of how information is gathered, verified, and registered during the entire process of remote business relations commencement
– a description of situations where such remote business relations commencement is allowed, including all the risks associated with it (e.g. cross-border and regional risk, product risk, transaction risks)
– remote onboarding possibilities, with all associated risks
– a description of which activities will be fully automated and which will require an employee’s monitoring
– all means to ensure that the very first transaction with the client will only take place after all the business safety checks have been performed
– internal trainings offered to staff in order to raise awareness of remote business activities
The implementation, maintenance and updating of the procedures is AMLRO’s responsibility.
Before implementing the procedures of remote business relations commencement, it is necessary for an institution to assess at least the following risks associated with this:
– assessment of adequacy considering the completeness of the available documents and sources
– assessment of the overall impact on the institution’s risks: ML/FT, operational, reputational, jurisdictional
– assessment of available methods of risk mitigation
– availability of testing methodologies to assess financial risks
– clear rules to ensure that the proposed requirements are correctly implemented.
The institution is required at all times to be able to provide proof of the implemented measures to mitigate risk to a governing or supervisory body.
Constant monitoring of the implementation methods is also subject to procedure updates, which should at least include:
– description of activities taken to ensure the completeness, thoroughness and adequacy of the collected information whilst participating in business activities on a remote basis
– frequency of information screening
– description of situations where additional control and monitoring has been undertaken.
Client, authorized persons and end-beneficiary identification require at least to ensure that the provided documents are up to date, readable and accessible at any time. It is also necessary to decide which documents will be provided manually by the client, which will be automatically downloaded from the package provided by the client, and which have been collected using external sources. In case documents have not been submitted in an original form (but, e.g., a copy) it is necessary to ensure that the copy does not contain any manual alterations and is readable.
For remote client verification where no institutional employee is involved, it is mandatory to consider at least the following:
– all photos and videos have been taken at the time of the verification in a bright space, with a high resolution tool
– verification that the client is performing the requested activities, which are spontaneously asked of during the session
– usage of strong algorithms to avoid fake photos
In case the ML/FT risk is higher, it is recommended to include additional checks:
– the first payment should be made to an institution supervised by the EEA or if it is in a third-country, the AML/CFT measures of that country should be at least equivalent to that specified in Directive (EU) 2015/849.
– sending the client a one-time code during the process of remote verification
– accessing biometrical information, if available
– phone contact with the client
– direct correspondence with the client
If an institution is outsourcing remote verification to a third party, it is necessary to consider that:
– the final responsibility for completeness is within the institution, not the third party; this includes quality control and mitigation of potential conflict of interests
– putting a written contract between the institution and the third party in place
– risks associated with outsourcing the activities exist and they need to be addressed
– AMLRO should implement internal control and frequent quality checks on the outsourced activities
– a clearly outline which activities will be outsourced and which one will not must be put into place
– the third party should only be allowed to collect and store relevant documents and information on the client.