All you need to know regarding e-signature, digital identification and the legal environment around it
In the digital age we live in, old-fashioned solutions no longer meet our modern needs. Technological advancement gains speed year after year, increasing the demand for expeditiousness and global availability. Signing documents and contracts with pen and paper is nowadays a time-consuming and inefficient burden that no company should bear.
Today's fast-paced business world demands a more flexible and responsive solution in order to stay competitive and relevant in a hyperconnected and digitized marketplace. Adapting to this new environment may seem challenging, but it cannot be treated as optional: it must be recognized as a necessary way to avoid the risk of being left behind in a society moving towards digital technology. Embracing digital processes and investing in digital solutions allows a company to take full advantage of these changes and brings unprecedented convenience and capability in keeping up with an evolving market and saving time and resources. This is where the digital signature comes in.
e-Signatures and Digital Signatures
- How do digital signatures work?
- Are digital signatures legally binding?
- What are the benefits of using digital signatures and why our customers choose us?
- How can I verify the validity of a digitally signed document?
Current eSignature laws around the world
Digital signatures are just as valid as handwritten signatures and perform the same traditional functions wherever you are and whenever you want. The use of this powerful business tool is constantly growing as a means of optimizing efficiency and enabling faster and more secure authentication that cannot be easily forged or compromised, while still protecting the privacy of the subjects involved.
This faster, safer and cheaper alternative enables a completely paperless process, raises productivity and efficiency, helps to reduce our impact on the environment and establish a globally uniform digital market. From common citizens to enterprises and all the way up through governments, nobody can deny the importance of relying on electronic signatures to protect their documents and to ensure trust and confidence with their business practices.
An increasing number of companies are undertaking this digital transformation and recognizing the huge benefits it involves. Implementing new technologies improves synergies by streamlining processes, reducing costs and increasing profits. The transactional process requires customer-focused company-wide changes. The rise of the digital customer, who expects the services they need to be available anywhere and anytime at the click of a button, has likely been the major driver of digital-oriented improvement. Digital solutions make it possible to meet the needs of customers by providing a better and personalized experience, and they open up more business opportunities. What's more, the legal framework is also on our side. Digital signatures are legal, trusted and enforceable in nearly every industrialized nation worldwide and are actively in use in Europe.
In the past, most businesses were local businesses, so it wasn’t that difficult to get to know your customers. In today’s global, internet-based economy, though, companies are under growing pressure to verify the identity of their clients along with their potential risk factors or illegal intentions. When performing cross-border, high-value business transactions, there is no guarantee that the person who approaches your business is who they say they are, nor can you know what they might be involved with. Besides, the increasing frequency and severity of corruption, terrorist financing, and money laundering have made the need for Know-Your-Customer (KYC) policies more and more urgent. That is why identification procedures are now not only a business need, but also mandatory activities required by Anti-Money Laundering (AML) regulations.
What exactly is meant by KYC?
Know-Your-Customer (KYC) refers to the steps taken by a company to perform identity checks on clients. For a potential customer to be considered trustworthy, they need to prove their identity and the legality of their business. This assessment is equally needed during client or corporate onboarding, during user registration, when processing high-profile transactions, to re-verify existing users and to ensure regulatory compliance.
The identification procedure is called Customer Due Diligence (CDD) and involves background checks run according to the level of risk presented by the client. If the client has a higher risk profile, being, for instance, a Politically Exposed Person (PEP, meaning a person who is or has been entrusted with prominent public functions), particularly rigorous CDD is required – the so-called Enhanced Due Diligence (EDD).
What if I run a B2B?
Companies that offer their services to other companies (B2B) need to verify the identity of the real person they are doing business with, that is, the natural person who ultimately owns or controls the legal entity customer on whose behalf a transaction is being conducted, also known as the Ultimate Beneficial Owner (UBO). Know-your-Business (KYB), also known as Corporate KYC, is the same identification process applied to businesses instead of individual consumers.
Where are the KYC requirements established?
KYC rules are dictated by AML regulations, so abiding by them is mandatory for the “obliged entities” these laws apply to. Although their scope includes most businesses, today it is not only formally obliged organizations that put a KYC policy framework in place. Any company needs to make sure a potential client is truthful and legitimate, so KYC compliance is rapidly becoming the norm on the international business stage for all industries.
How can Penneo help you?
The traditional onboarding process is time-consuming for both clients and employees, affecting business efficiency and providing an unpleasant customer experience. What’s more, manual data collection is hardly reliable: when processes are not standardized or automated, the KYC documentation obtained can be fragmented, duplicative and inconsistent, thereby limiting a company’s ability to meet compliance requirements.
To solve those issues and make the processes safer and smoother, Penneo created a user-friendly solution based on identity validation through eID. Our KYC feature lets your customers handle everything using their national digital IDs directly from their computer or smartphone in full compliance with AML rules.
EU legal framework on anti-money laundering
The European Union adopted the first anti-money laundering Directive in 1990 in order to prevent the misuse of the financial system for the purpose of money laundering. It established that obliged entities must apply customer due diligence requirements when entering into a business relationship, i.e. identify and verify the identity of clients, monitor transactions and report suspicious transactions.
This legislation has been constantly revised in order to mitigate risks until the EU adopted a modernized regulatory framework in 2015, encompassing:
- the Directive (EU) 2015/849 on preventing the use of the financial system for money laundering or terrorist financing (4th Anti-Money Laundering Directive)
- the Regulation (EU) 2015/847 on information on the payer accompanying transfers of funds (that makes fund transfers more transparent, thereby helping law enforcement authorities to track down terrorists and criminals)
Both instruments take into account the 2012 Recommendations of the Financial Action Task Force (FATF) and go further on a number of issues to promote the highest standards for anti-money laundering and to counter terrorism financing.
The new EU AML Directive
The latest technical developments in the digitalization of transactions and payments enable secure remote or electronic identification and verification of data. The 5th Anti-Money Laundering EU Directive (n. 2018/843) takes into account the new means of identification as set out in the EU eIDAS Regulation of 2014 (or regulated, recognized and approved at national level), in particular with regard to notified electronic identification schemes and ways of ensuring cross-border legal recognition.
The 5th AML Directive, which amends the 4th Anti-Money Laundering Directive, was published on 19 June 2018. Setting high standards on customer due diligence for individuals, businesses and their representatives, the Directive requires Member States to transpose it by 10 January 2020 and implement their national Money Laundering laws and KYC rules.
The amendments introduce substantial improvements to better equip the Union, aiming to:
- protect the integrity of the EU financial system by strengthening the fight against terrorist financing through more accurate identification and verification of data of natural and legal persons;
- enhance transparency by setting up publicly available registers for companies, trusts and other legal arrangements;
- enhance the powers of EU Financial Intelligence Units (FIUs), and provide them with access to broad information for the carrying out of their tasks;
- set up central bank account registries or retrieval systems in all Member States;
- enhance vigilance in business relationships and transactions involving greater risk of money laundering or terrorist financing. Although the identity and business profile of all customers should be established, there are cases in which particularly rigorous customer identification and verification procedures are required.
Customer Due Diligence (CDD)
According to art. 13 of the EU AML Directive of 2015, as amended by the EU AML Directive of 2018, customer due diligence measures must include:
- identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council (eIDAS Regulation) or any other secure, remote or electronic identification process regulated, recognized, approved or accepted by the relevant national authorities;
- identifying the beneficial owner and taking reasonable measures to verify that person's identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer;
- when performing the above described measures, obliged entities shall also make sure that any person purporting to act on behalf of the customer is so authorized and verify the identity of that person;
- assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
- conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date.
The Directive also requires that obliged entities apply the customer due diligence measures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis, or when the relevant circumstances of a customer change, or when the obliged entity has any legal duty in the course of the relevant calendar year to contact the customer for the purpose of reviewing any relevant information relating to the beneficial owner(s).
Data protection, Record-Retention & Statistical Data
For the purpose of preventing, detecting and investigating, by the EU Financial Intelligence Units (FIUs) or by other competent authorities, possible money laundering or terrorist financing, the following documents and information must be retained:
- in the case of customer due diligence, a copy of the documents and information which are necessary to comply with the customer due diligence requirements, including, where available, information obtained through electronic identification means, relevant trust services as set out in EU eIDAS Regulation (n. 910/2014) or any other secure, remote or electronic identification process regulated, recognized, approved or accepted by the relevant national authorities, for a period of five years after the end of the business relationship with their customer or after the date of an occasional transaction;
- the supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings under the applicable national law, which are necessary to identify transactions, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction.
Politically Exposed Persons (PEPs)
Although the identity and business profile of all customers should be established, in some situations particularly rigorous customer identification and verification procedures are required. In these cases, business relationships and transactions may involve higher risks of money laundering or terrorist financing; therefore, enhancing the level of vigilance and control is necessary and legally mandatory.
"Politically exposed person" means a person who is or who has been entrusted with prominent public functions. Member States are in charge of issuing and updating national lists that indicate the specific functions which, in accordance with national laws, qualify as prominent public functions.
Obliged entities must have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a politically exposed person. In cases of transactions or business relationships with politically exposed persons, organizations must apply further measures in addition to customer due diligence, such as:
- obtaining senior management approval for establishing or continuing business relationships with such persons;
- taking adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons;
- conducting enhanced, ongoing monitoring of those business relationships;
- where a politically exposed person is no longer entrusted with a prominent public function, taking into account the continuing risk posed by that person and applying appropriate and risk-sensitive measures until such time as that person is deemed to pose no further risk specific to politically exposed persons.
These measures also apply to family members or persons known to be close associates of politically exposed persons. The EU Directive specifies that the requirements relating to politically exposed persons are of a preventive and not criminal nature and should not be interpreted as stigmatising politically exposed persons as being involved in criminal activity.