All you need to know regarding e-signature, digital identification and the legal environment around it
In the digital age we live in, old-fashioned solutions no longer meet our modern needs. Technological advancement gains speed year after year, increasing the demand for expeditiousness and global availability. Signing documents and contracts with pen and paper is nowadays a time-consuming and inefficient burden that no company should bear.
Today's fast-paced business world demands a more flexible and responsive solution in order to stay competitive and relevant in a hyperconnected and digitized marketplace. Adapting to this new environment may seem challenging, but it cannot be treated as optional: it must be recognized as a necessary way to avoid the risk of being left behind in a society moving towards digital technology. Embracing digital processes and investing in digital solutions allows a company to take full advantage of these changes and brings unprecedented convenience and capability in terms of keeping up with an evolving market and saving time and resources. This is where the digital signature joins the game.
e-Signatures and Digital Signatures
- How do digital signatures work?
- Are digital signatures legally binding?
- What are the benefits of using digital signatures and why our customers choose us?
- How can I verify the validity of a digitally signed document?
Current eSignature laws around the world
Digital signatures are just as valid as handwritten signatures and let you perform the same traditional functions wherever you are and whenever you want. The use of this powerful business tool is constantly growing as a means for optimizing efficiency and enabling faster and more secure authentication that cannot be easily forged or compromised, while still protecting the privacy of the subjects involved.
This faster, safer and cheaper alternative enables a completely paperless process, raises productivity and efficiency, helps to reduce our impact on the environment and establish a globally uniform digital market. From common citizens to enterprises and all the way up through governments, nobody can deny the importance of relying on electronic signatures to protect their documents and to ensure trust and confidence with their business practices.
An increasing number of companies are undertaking this digital transformation and recognizing the huge benefits it involves. Implementing new technologies improves synergies by streamlining processes, reducing costs and increasing profits. The transactional process requires customer-focused company-wide changes. The rise of the digital customer, who requires the services they need to be available anywhere and anytime at the click of a button, has likely been the major driver of digital-oriented improvement. Digital solutions make it possible to meet customers' needs, providing a better and personalized experience, and grant more business opportunities. What's more, the legal framework is also on our side. Digital signatures are legal, trusted and enforceable in nearly every industrialized nation worldwide and are actively in use in Europe.
In the past few decades, the increasing frequency and severity of issues pertaining to corruption, terrorist financing, and money laundering have made the need to implement KYC policies more and more evident and urgent. What's more, the security of electronic identification schemes is not only essential in the client-business relationship lifecycle; it's also the key to trustworthy cross-border mutual recognition of electronic interactions. Given that, know-your-customer processes have been evolving and expanding globally as an important tool to combat illegal transactions in the international finance field.
All companies need to verify the identity of their clients, either before or during the time that they start doing business with them, along with the potential risk factors or illegal intentions towards the business relationship. To achieve this AML goal and minimize the risk of fraud, it's crucial to be sure that customers are who they say they are and to identify suspicious elements earlier on. To this purpose, traceability of financial information has an important deterrent effect.
The authentication process known as KYC, namely Know Your Customer (or Know Your Client), aims to prevent money laundering, terrorist financing, theft and so on. The expression is also often used to refer to anti-money laundering regulations and regulated bank practices which govern these activities.
Today not only banks and credit or insurance agencies put in place a policy framework to know their customers. More and more online businesses of all sizes are implementing this process, demanding that customers provide detailed due diligence information for the purposes of assessing the suitability of their clients and ensuring they are anti-bribery and AML compliant.
How Penneo can help you
The process of Know-Your-Customer concerns what businesses do in order to verify the identity of their clients. Following this procedure allows companies to protect themselves by ensuring that they are doing business legally and with legitimate entities, and it also protects the individuals who might otherwise be harmed by financial crime.
Getting to know your customer cannot be reduced to the initial identity check to establish an identity. It's important to acquire additional information such as
- the purpose of the business relationship;
- if the customer is a company, the customer's business, finance and ownership must be strictly controlled;
- representatives must be identified and their right to represent the company must be checked.
Establishing the identity of customers is a regular but important step for businesses. Many companies begin their KYC procedures by simply collecting basic data and information about their customers. Often, a company's processes are a bit "old school", requesting scanned copies of passports, driving licenses or similar IDs. This requires either that the person be present or that the information be communicated by email. In any case, it is cumbersome, time-consuming and insecure.
To resolve the issues linked with compliance and security, and to make the processes smoother, Penneo created a solid solution based on identity validation through eID. It is also possible to use the Penneo KYC form without eID; however, this is not something Penneo recommends if you want high security.
Penneo's solution lets your customers handle everything using their national digital IDs directly from their computer or smartphone and still comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations.
- When does the process take place?
KYC verification is equally needed during client, candidate or corporate onboarding, at user registration, when processing high-profile transactions, to re-verify existing users, and to ensure regulatory compliance.
- What parts is a KYC process made up of?
KYC policies usually include four key elements:
- Customer Acceptance Policy, document collection
- Customer Identification Procedures, data assessment
- Continuous Monitoring of Transactions
- Ongoing Risk management and reporting
Moreover, the KYC process must be relevant and time-bound, scalable and proportionate to the risk and resources, and it must be documented and available for inspection by regulators.
- What are the typical controls included to ensure AML compliance?
KYC processes seek to verify and validate the customer's identity with reasonable assurance; to this end:
- basic Personally Identifiable Information (PII) is collected and analysed;
- the status of public exposure and adverse media is determined by screening of identity particulars (PII) against global watch-lists;
- the customer's risk is also determined in terms of the tendency to commit money laundering, terrorist finance, or identity theft;
- a 'Customer Profile' is created and assessed on the basis of a customer's transactional behaviour;
- customer's transactions are monitored against expected behaviour and recorded profile as well as that of the customer's peers.
Testing the customer's profile, business and account activity makes it possible to identify relevant adverse information and risk, assess the potential for money laundering and/or terrorist financing, and ensure regulatory compliance.
- What is Enhanced Due Diligence (EDD)?
Enhanced due diligence is a more comprehensive set of procedures for customers with a higher risk profile, either through sources of origin or transactions that exhibit irregular behavior.
- What is KYCC?
KYCC stands for Know Your Customer's Customer. It's a process that detects the nature and activities of a client's client by identifying those people and assessing their associated risk levels. This derivative of the standard KYC process was necessitated by the growing risk of fraud originating from fraudulent individuals or companies that might otherwise be hiding in second-tier business relationships.
How does it work?
Collect information about your customers and verify their identity to minimize risk and save time in a secure, fast and compliant way.
- Create a new verification in Penneo and choose what kind of information you want your customer to validate
- Send it to one or multiple customers along with automatic reminders
- Once done, your customer gets an email with a link where they can upload the required information
- Signed and finalised verification ends up in your chosen folder in the Penneo archive
The Penneo KYC process offers many advantages:
- KYC access control is simple and secure
- It is possible to pair the form with other documents that need to be sent and signed
- It can be used on a phone and opens the camera directly, with no need for a pre-scan
- Forms can be customized; you can even pre-fill a form and share it with a unique link
- The KYC form can also be plugged into the Penneo API for a full integration
- If your company is subject to AML, KYC is part of the process
EU legal framework on anti-money laundering
The European Union adopted the first anti-money laundering Directive in 1990 in order to prevent the misuse of the financial system for the purpose of money laundering. It established that obliged entities must apply customer due diligence requirements when entering into a business relationship, i.e. identify and verify the identity of clients, monitor transactions and report suspicious transactions.
This legislation has been constantly revised in order to mitigate risks until the EU adopted a modernized regulatory framework in 2015, encompassing:
- the Directive (EU) 2015/849 on preventing the use of the financial system for money laundering or terrorist financing (4th Anti-Money Laundering Directive)
- the Regulation (EU) 2015/847 on information on the payer accompanying transfers of funds (that makes fund transfers more transparent, thereby helping law enforcement authorities to track down terrorists and criminals)
- both instruments take into account the 2012 Recommendations of the Financial Action Task Force (FATF) and go further on a number of issues to promote the highest standards for anti-money laundering and to counter terrorism financing.
The new EU AML Directive
The latest technical developments in the digitalization of transactions and payments enable secure remote or electronic identification and verification of data. The 5th Anti-Money Laundering EU Directive (n. 2018/843) takes into account the new means of identification as set out in the EU eIDAS Regulation of 2014 (or regulated, recognized and approved at national level), in particular with regard to notified electronic identification schemes and ways of ensuring cross-border legal recognition.
The 5th AML Directive, which amends the 4th Anti-Money Laundering Directive, was published on 19 June 2018. Setting high standards on customer due diligence for individuals, businesses and their representatives, the Directive requires Member States to transpose it by 10 January 2020 and implement their national Money Laundering laws and KYC rules.
The amendments introduce substantial improvements to better equip the Union, aiming to:
- protect the integrity of the EU financial system by strengthening the fight against terrorist financing through more accurate identification and verification of data of natural and legal persons;
- enhance transparency by setting up publicly available registers for companies, trusts and other legal arrangements;
- enhance the powers of EU Financial Intelligence Units (FIUs), and provide them with access to broad information for the carrying out of their tasks;
- set up central bank account registries or retrieval systems in all Member States;
- enhance vigilance in business relationships and transactions involving greater risk of money laundering or terrorist financing. Although the identity and business profile of all customers should be established, there are cases in which particularly rigorous customer identification and verification procedures are required.
Customer Due Diligence (CDD)
According to art. 13 of the EU AML Directive of 2015, as amended by the EU AML Directive of 2018, customer due diligence measures must include:
- identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council (eIDAS Regulation) or any other secure, remote or electronic identification process regulated, recognized, approved or accepted by the relevant national authorities;
- identifying the beneficial owner and taking reasonable measures to verify that person's identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer;
- when performing the above described measures, obliged entities shall also make sure that any person purporting to act on behalf of the customer is so authorized and verify the identity of that person;
- assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
- conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date.
The Directive also requires that obliged entities apply the customer due diligence measures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis, or when the relevant circumstances of a customer change, or when the obliged entity has any legal duty in the course of the relevant calendar year to contact the customer for the purpose of reviewing any relevant information relating to the beneficial owner(s).
Data protection, Record-Retention & Statistical Data
For the purpose of preventing, detecting and investigating, by the EU Financial Intelligence Units (FIUs) or by other competent authorities, possible money laundering or terrorist financing, the following documents and information must be retained:
- in the case of customer due diligence, a copy of the documents and information which are necessary to comply with the customer due diligence requirements, including, where available, information obtained through electronic identification means, relevant trust services as set out in EU eIDAS Regulation (n. 910/2014) or any other secure, remote or electronic, identification process regulated, recognized, approved or accepted by the relevant national authorities, for a period of five years after the end of the business relationship with their customer or after the date of an occasional transaction;
- the supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings under the applicable national law, which are necessary to identify transactions, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction.
Politically Exposed Persons (PEPs)
Although the identity and business profile of all customers should be established, in some situations particularly rigorous customer identification and verification procedures are required. In these cases, business relationships and transactions may involve higher risks of money laundering or terrorist financing; therefore, enhancing the level of vigilance and control is necessary and legally mandatory.
"Politically exposed person" means a person who is or who has been entrusted with prominent public functions. Member States are in charge of issuing and updating national lists that indicate the specific functions which, in accordance with national laws, qualify as prominent public functions.
Obliged entities must have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a politically exposed person; in cases of transactions or business relationships with politically exposed persons, organizations must apply further measures in addition to customer due diligence, such as
- obtain senior management approval for establishing or continuing business relationships with such persons;
- take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons;
- conduct enhanced, ongoing monitoring of those business relationships;
- where a politically exposed person is no longer entrusted with a prominent public function, take into account the continuing risk posed by that person and apply appropriate and risk-sensitive measures until such time as that person is deemed to pose no further risk specific to politically exposed persons.
These measures also apply to family members or persons known to be close associates of politically exposed persons. The EU Directive specifies that the requirements relating to politically exposed persons are of a preventive and not criminal nature and should not be interpreted as stigmatizing politically exposed persons as being involved in criminal activity.