March 2019

Know Your Customer: Corporate customer

verification in the Single Market

The digital transformation is one of the key challenges today – also for the financial industry. The Associati-

on of German Banks is meeting this challenge by, among other things, cooperating with start-ups from the

financial sector, fintechs. The cooperation was institutionalised in the Digital Banking Project Committee,

which is vigorously driving forward the cross-cutting issue of digitalisation. The committee is a high-level

body comprising bank Chief Digital Officers (CDOs) and leading figures from the German fintech scene. The

present paper is the result of intensive cooperation between banks and fintechs.

Contacts at the Association of German Banks:

Tobias Frey | Legal Affairs | tobias.frey@bdb.de

Dr. Hendrik Hartenstein | Corporate Finance | hendrik.hartenstein@bdb.de

Mario Labes | Fiscal Affairs | mario.labes@bdb.de

Tobias Tenner | Digital Banking | tobias.tenner@bdb.de

Common positions of banks and fintechs

Andreas Krautscheid, Hauptgeschäftsführer, Staatsminister a.D.

bankenverband

Positionen 3

Preamble

The financial services sector is undergoing a radical

transformation affecting corporate customers in particu-

lar. New companies, so-called “fintechs”, have entered

the market with new business models and new products.

The Association of German Banks (BdB) is responding to

this transformation: it supports cooperation between

banks and fintechs and is instrumental in ensuring that

common positions can be drafted.

A feature of many banks and fintechs is that they operate

across national borders. This poses specific challenges:

in the face of digitalisation, cross-border companies are

increasingly addressing the question of the extent to

which processes can be performed uniformly and cen-

trally for the entire company from one EU member state,

taking account of national legislation in each case. The

primary focus here is on the so-called „know your custo-

mer“ (KYC) processes1, which are of crucial importance

to all companies operating in the financial marketplace.

A particular problem in this context is that different ar-

rangements in EU member states hinder cross-border

digital approaches to customer acceptance by financial

institutions and others obliged to comply with KYC re-

quirements („obliged entities“).

The European Commission shares this view: it noted in its

Green Paper on retail financial services of 10 December

2015 that the differences between legislation in force in

member states seriously affect the costs and risks associ-

ated with cross-border retail financial services2.

To blame for the fact that in most cases KYC processes

cannot be used or reused either digitally or across bor-

ders within the EU are differing requirements with re-

gard to the following questions:

1 The term “KYC processes”, as used in the present position paper, means the collection and

verification of data due to legal requirements. The relevant requirements follow, in particu-

lar, from the EU member states’ anti-money laundering laws, but also from tax regulations

– in Germany, for example, from the Fiscal Code and other strictly national provisions or

provisions reflecting EU law.

2 The Commission’s finding in the Green Paper applies likewise to wholesale financial

services.

(1) Which natural or legal persons should be assigned

which roles (contracting parties, persons authorised to

draw on the account, acting persons, legal representati-

ves or beneficial owners3 )?

(2) Which data should be collected on these roles?

(3) Which type of verification of the data collected

should be used and on which scale should verification

be carried out?

(4) Which conditions should be fulfilled for the reusabili-

ty of completed KYC processes?

Whenever they enter into a business relationship with

an obliged entity – both across borders and within an EU

member state – corporate customers are usually forced

to undergo the KYC process all over again. This is incon-

venient for them, impedes cross-border use of financi-

al products and undermines efforts to achieve digital,

efficient and user-friendly cross-border KYC solutions.

Above all, it is diametrically opposed to the EU’s funda-

mental objective of facilitating and encouraging cross-

border business.

The Second Payment Services Directive (“PSD2” (EU)

2015/2366) does not improve the situation in this res-

pect either. While this directive essentially deals with

cross-border and secure payment services, the functions

it addresses (e.g. access to bank interfaces) would be ge-

nerally apt to support the digital Single Market through

the transfer of data and thus allow the reuse of KYC pro-

cesses on behalf of customers. However, specific rules

on whether and how these interfaces may be used to

perform KYC processes otherwise required under the

law are missing.

3 German legislation calls persons who control a significant part of companies “economic

beneficiaries”. Superordinate EU legislation and Austrian laws refer to “beneficial owners”.

The legal concept as such is not defined uniformly. The present position paper uses the

term “beneficial owners” as the term inherent in EU law.

4 Positionen

the European Supervisory Authorities (ESAs) on 23 Ja-

nuary 2018. The ESAs’ right approach does not go far

enough, though, since the reusability of KYC proces-

ses is not yet on the authorities’ agenda.

In this position paper, drafted jointly by banks and

fintechs, the Association of German Banks wishes to

draw attention to the existing challenges and propose

regulatory solutions.

The requirement to perform new KYC processes eve-

ry time because a completed KYC process may not be

reusable increases the administrative burden on ob-

liged entities and corporate customers alike. Yet the

basic need for innovative KYC process solutions at

European level is, in fact, acknowledged. This is un-

derlined, for example, by the “Opinion on the use of

innovative solutions by credit and financial institutions

in the customer due diligence process”, published by

�� uniformly defining on a rules basis the KYC data to be collected for corporate customers as contracting parties, their

beneficial owners and for persons who indicate that they intend to act on behalf of customers (natural persons with

right of representation such as legal or contractual representatives, the so-called “persons authorised to draw on

the account”) – and doing so solely in a single law/a single EU regulation,

�� unifying the documents admissible for verification and the up-to-dateness requirements,

�� unifying the requirements to be met under the updating procedure,

�� expanding the transparency register into a “golden source” KYC register which is open to obliged entities and public

authorities and from which an obliged entity can retrieve at any time the data to be collected for the various roles

and any verification documents that may be necessary,

�� remaining open to new (including private) verification procedures through automatic “most favourable treatment”

of procedures that are admitted in an EU member state and thus regarded as sufficiently secure,

�� creating a uniform interface to connect both existing and new verification procedures, and

�� permitting the reuse of KYC processes, performed in accordance with EU legal standards, on the basis of uniform

criteria both within and outside a corporate group.

This requires:

Needed: convenient, innovative and uniform KYC processes for the Single Market

bankenverband

Positionen 5

Definition of the roles to be addressed

Establishing uniform KYC processes requires uniform

EU-wide rules stipulating which conditions have to be

fulfilled to assign certain roles (e.g. contracting party,

person authorised to draw on the account, acting per-

son or beneficial owner) to natural and legal persons.

It has not yet been finally specified which roles actu-

ally need to be taken into account in the course of the

onboarding of corporate customers. Moreover, there

are no uniform rules stipulating which specific infor-

mation has to be collected and verified by an obliged

entity for which of the various roles when it is onboar-

ding a customer.

Ideally, it should be made clear EU-wide that the role

of the acting person in the case of companies is of no

relevance for the KYC process. The verification of right

of representation performed by the obliged entity in

any case under civil law suffices.

Collection of data

In the EU member states, different KYC data are coll-

ected, though not all European corporate customers

automatically have these at their disposal. Apart

from this, the data to be collected differ not only

from one member state to the next but also with

regard to the product (e.g. depository or custodial

account) for which verification is performed. This is

due in some cases to the fact that the requirements

under EU law regarding the data to be collected are

interpreted and applied differently.

Private banks and fintechs call for uniform EU-wide

definition of the KYC data to be collected for all pro-

ducts and roles, i.e. a minimum data set in line with

the principle of data minimisation. To satisfy this

principle of data minimisation, the reduced require-

ments that currently apply in isolated cases should

be specified EU-wide for all roles. An example in this

respect is the KYC process for persons authorised

to draw on an account under the Implementing Or-

dinance on Section 154 of the German Fiscal Code.

Generally speaking, only data that are actually nee-

ded to effectively combat money laundering and ter-

rorist financing and to comply with sanctions or tax

regulations should be collected. This should also be

data that can actually be requested from customers

and verified. Where beneficial owners are concer-

ned, such data are at best first name and surname

and – with sanction screening in mind – date of bir-

th and place of residence.

It should be noted at this point that the present

quantitative and qualitative requirements for KYC

data collected on beneficial owners should not be

raised further. This would not be feasible in practi-

ce, as there are hardly any objective and reliable

sources that can be used to verify data on beneficial

owners. Only a reliable KYC register containing the

data of interest to investigating authorities would

really help in this respect.

The criteria for identifying a low, simple, or high

risk of a particular customer laundering money or fi-

nancing terrorism are also defined differently within

the EU, though these determine, among other

things, the amount of data to be collected. Broadly

adopting a risk-based approach without providing

enough sufficiently concrete examples at European

level leads in this area to a complete fragmentation

of the Single Market. So that obliged entities can

in future collect uniform EU data sets on each role

that would then be more easily exchangeable within

a corporate group as well, a rules-based approach

6 Positionen

�� Address: German legislation uses different terms when it comes to the “address”, so that its wording alone does not make

clear what exactly is meant. The Anti-Money Laundering Act, for example, says that the beneficial owner’s “address” has

to be recorded. The transparency register, on the other hand, calls for entry of the beneficial owner’s “place of residence”.

Stipulating that recording the beneficial owner’s business address suffices would be appropriate. Practitioners only come

to this conclusion after laborious interpretation, however.

This problem is not a purely German phenomenon. There appears to be no uniform EU-wide approach on which address

should be collected for beneficial owners.

�� c/o address: a bank could also record a c/o address as the address of a corporate customer’s seat or head office, provided

this is noted in an official register as the address of the seat; this arrangement is not worded clearly enough, however. Cla-

rification is therefore required to the effect that, where registered corporate customers are concerned, the official register

is the principal source for collecting the data required. If obliged entities use the data contained in the register, they fulfil

the verification requirements, even if a c/o address is noted as the address of the seat.

�� Requirement to update customer data: the measures taken by obliged entities in connection with the (routine) updating

of KYC data vary widely in practice. Neither in Germany nor in Austria or Italy are there any sufficiently concrete require-

ments. The legal requirements are not precise enough particularly in regard to the customer’s duty to cooperate and use

of the customer’s confirmation. Where the customer confirms that the data collected by the obliged entity are correct

and complete, the obliged entity should be able to rely on this unless it itself has evidence to the contrary. This should be

made clear under the law..

�� Legal representatives: at present, the names of a corporate customer’s legal representatives have to be recorded in Ger-

many. Recording the name of only one legal representative would suffice, however. This has also been acknowledged by

the Federal Banking Supervisory Authority, BaFin, elsewhere: in its December 2018 guidance on application and interpre-

tation of the Anti-Money Laundering Act, it says that, when recording senior management officials as fictitious beneficial

owners, it suffices to record only one of those. Accordingly, the requirements for recording the legal representatives of

corporate customers should also be lowered as a whole. To ensure effective sanction screening, it should at the same

time be made clear that, in addition to their name, obliged entities should be allowed to collect at least their date of birth.

�� Tax Identification Number: In Germany, a corporate customers’ German tax number always has to be recorded; where

persons authorised to draw on the account or beneficial owners are concerned, their German tax identification number

(TIN) is required. Apart from discrimination of German residents, it appears that in this case – because of the need to

check whether no German TIN is actually available – the German arrangement may even discriminate indirectly against

citizens of other EU member states. The requirement to record the TIN or the tax number should therefore be dispensed

with for at least as long as there is no uniform EU-wide number.

Example:

should always be pursued. The relevant require-

ments for the various roles in question should be

dealt with exhaustively in a legal act at European

level (e.g. an EU regulation) and thus not be amen-

dable by national legislation.

bankenverband

Positionen 7

Verification of data

The requirements for verification of the KYC data to be

collected should be specified uniformly EU-wide as well.

That goes for both the documents needed for verifica-

tion and the scope of the verification measures that are

carried out in connection with either customer onboar-

ding or legally required updating.

The obligation to perform verification should, moreover,

be confined to KYC data that must be collected due to

legal requirements. Data that an obliged entity merely

collects on the basis of an authorisation to do so should

be exempted from mandatory verification.

In addition, it should be specified uniformly EU-wide

how long the documents that may be used for verifica-

tion of KYC data (e.g. an extract from a register, an eID

function or a qualified electronic signature) are deemed

to be up to date. The period within which their use is

possible should be long enough and the same as that

during which a KYC process already completed – pos-

sibly also by other obliged entities – may be reused. It

should, moreover, be made clear that the required data

may be collected from any officially operated register.

Obliged entities should be able to fully rely on the accu-

racy of such register data.

As regards the requirements for updating data, it should

be made clear that an obliged entity need not take any

further measures if there are no doubts about the accu-

racy of the previously collected data and the corporate

customer confirms their accuracy or continued validity.

Automatic most favourable treatment

Many member states currently use national solutions

for verification procedures. The result is a wide array

of different procedures – an essentially highly positive

innovative diversity from which hardly anyone benefits,

however, as long as procedures admitted for verification

in individual EU member states cannot be used equally

in all member states. There is no automatic mutual re-

cognition of a KYC process adopted in one member sta-

te. The absence of any such automatic most favourable

treatment delays the proliferation of user-friendly proce-

dures such as video identification. Particularly innovative

solutions such as video identification or the use of eID

functions are, however, vital for the digitalisation of the

Single Market and also deliver significant added value

when it comes to effectively combatting money launde-

ring and terrorist financing.

The approach providing for admission of uniform KYC

processes through notification to the European Commis-

sion under the eIDAS Regulation must be welcomed as

a first step in the right direction. Yet this step is by no

means sufficient to create a real level playing field and

simplify KYC processes for the benefit of customers. The

barriers to verification procedures under the eIDAS Re-

gulation are currently still very high, with the result that

in practice these procedures are only slowly gaining a

foothold in the marketplace. It would thus appear ad-

visable to lower the relevant requirements. Moreover, at

present only EU member states can notify KYC processes

to the Commission. There is no plausible reason to exclu-

de processes developed by the private sector from such

notification.

The best way to encourage innovative KYC processes is

to continue recognising new procedures and processes.

In addition, in line with the “most favourable treatment”

principle, all KYC processes admitted in member states

should be automatically admitted EU-wide. To allow ap-

plication of the “most favourable treatment” principle

in practice, the Commission should publicly operate and

maintain a list of the KYC processes admitted in member

states along with the necessary process requirements in

each case. Should this result in similar KYC processes, e.g.

two KYC processes for verification by video chat, being

admitted in different countries, it can be assumed that

the better process will ultimately prevail EU-wide. The

same goes for procedures whereby database providers

transmit KYC data collected from an official register to

obliged entities in compressed digital format. Virtually

simultaneous admission of highly similar KYC processes

8 Positionen

by different national supervisors in several EU member

states is, however, most unlikely in any case, given the

continuous dialogue that national supervisors conduct

with each other and with the European Supervisory

Authorities (ESAs). Application of the “most favourable

treatment” principle would therefore allow controlled

competition between innovative verification procedures

in the EU and thus at the same time strengthen the Euro-

pean Union as a digital financial marketplace.

Uniform interfaces

Creating a uniform interface allowing obliged entities to

easily connect and thus use existing and future KYC pro-

cesses would also be helpful. That goes particularly for

digital solutions. It should at the same time be ensured

that private innovative KYC processes are given the same

recognition status as processes that comply with the re-

quirements of the eIDAS Regulation.

An easing of the requirements under the eIDAS Regula-

tion for customer acceptance by the private sector – by

banks and fintechs, for example – would, moreover, be

welcome, since for every new process they wish to use

for KYC purposes obliged entities are currently required

to establish a separate technical interface to connect

it. This is costly, work-intensive and time-consuming

and means in practice that many obliged entities offer

only one or two innovative KYC processes. The barriers

to new technical solutions are thus unnecessarily high.

Also important in this context is that false security con-

siderations do not lead to innovative verification proce-

dures being tied to impracticable conditions such as the

requirement to make a “reference credit transfer”.

For corporate customers as well, uniform KYC processes

in the EU for both onboarding and updating would be

important. Such standardisation would mean that estab-

lishing (onboarding) and maintaining (updating) a cross-

border business relationship within the EU with one or

more obliged entities would be uncomplicated, without

any great need for adaptation.

�� Up-to-dateness of extracts from registers for companies: in Austria, an extract from the Commercial Register

that is to be used for verification purposes in a KYC process should not be older than six weeks at the most. In

Germany, there are currently no specific rules. It should be made clear which requirements are set for the age of

extracts from registers and for the form in which they should be obtained. A requirement to present a simple copy

of an extract in digital or analogue form would suffice. The maximum age for extracts should be fixed uniformly

EU-wide at a sufficiently long period of time.

�� Use of a driving licence to verify data: under the German Anti-Money Laundering Act, German driving licences

may not be used for verification of KYC processes, as they do not meet passport and identity document requi-

rements. In Austria, on the other hand, a driving licence may be presented for such purpose, provided it is an

Austrian one at any rate. Identification based on a driving licence is allowed in the UK as well.

�� Valid identity document containing a different address due to a change of address: There is no uniform ap-

proach on how verification is to be handled if, following a change of address at short notice, a valid identity do-

cument contains an address that differs from that indicated by the person authorised to draw on the account. It is

Examples:

bankenverband

Positionen 9

also unclear what the procedure is if an admissible identity document presented does not contain a full address

but only the place of residence, for example. In some instances, presentation of further documents may then be

required to fully verify the address; in other instances, such measures are dispensed with. The latter is the case

in Austria, for example: as not even the holder’s place of residence is indicated on an official Austrian identity

document, the address of the natural person to be identified is not verified in Austrian practice.

There is as yet no uniform and exhaustive EU-wide arrangement for dealing with such cases. However, as flexib-

le an approach as possible, i.e. risk-based reuse of initial verifications EU-wide, should be adopted here.

�� Video identification: Video identification was first admitted in Germany, where it subsequently proved success-

ful, particularly also in cross-border use. In some other EU member states that had not yet admitted the proce-

dure, this was seen as a competitive advantage to the detriment of national obliged entities. The consequence:

Austria, Luxembourg, Spain, Portugal and further EU member states have since admitted the German-type KYC

video identification procedure, adapted to their own domestic requirements and featuring in some cases diffe-

rent criteria. In other EU member states, including France and Poland, national admission of video identification

is planned.

What is basically a success story also has a downside, however, since ‘the wheel’ is ultimately being reinvented

in 28 EU member states for the KYC video identification process. Every EU member state sets different wheel

sizes and different spoke lengths, so that providers remain confined to their national market or have to tailor

their identification procedure separately to each member state. It goes without saying that this causes further

problems for cross-border reuse of these KYC processes.

The solution would be automatic recognition in all EU member states of a KYC process admitted by national

supervisors in one member state. This would preserve and foster the uniformity of the Single Market. Admission

by national supervisors would guarantee security and legal compliance of the new KYC process, and customers

would directly benefit from use of the new, convenient and innovative KYC process.

�� eID – electronic proof of identity: The German eID function of the identity document and the electronic resi-

dence permit for non-EU citizens is officially admitted within the EU as a cross-border means of verification. In

addition, there are plans to make it available on a card to non-German EU citizens as well.

The EU-wide usability of the German eID function for verification of natural persons is based on its notification

to the European Commission under the eIDAS Regulation. Germany was the first EU member state to officially

notify its eID function to the Commission. Also further EU member states, such as Italy, Spain, Luxembourg,

Belgium, Croatia and Estonia, have concluded notification processes.

The advantage of this national eID lies in the eIDAS Regulation, which applies equally to all 28 EU member

states. General use of the eID function as an EU means of verification is thus legally safe, officially recognised

on a permanent basis and technically secure. One weakness at present is, however, the only slowly emerging

customer acceptance of the use of this technically sophisticated and legally sound verification procedure.

10 Positionen

Further development of registers of beneficial owners

The private banks and fintechs believe that existing

registers of beneficial owners, such as the trans-

parency register in Germany, should be expanded

throughout the EU to become “golden source” KYC

registers. This means that these registers should con-

tain all the information that has to be collected and

verified on all roles. Obliged entities should be allo-

wed to store and process data from the register for

all necessary purposes, such as sanction screening or

identifying politically exposed persons.

Furthermore, companies should deposit in the re-

gisters digital copies of the identity cards or other

documents relating to their beneficial owners. The

Austrian register of beneficial owners, which is linked

to the national register of residents and contains co-

pies of the identity documents of non-resident be-

neficial owners, is a good example of best practice

(see box).

The registers should be filled and kept up to date by

the companies themselves. They are in the best positi-

on to do so, as they will invariably be better informed

and more up to date about their own affairs than are

third parties. In addition, they generally have better

contact with the beneficial owner, in particular, than

do obliged entities. It should be borne in mind that

there is no contractual relationship between the ob-

liged entity and the beneficial owner on the basis of

which the obliged entity could request information

from the beneficial owner.

It should be mandatory to identify the beneficial

owner on the basis of the relevant entries in the re-

gisters, so that the obliged entity can rely on the ver-

acity of the information. The requirement under the

Fifth Anti-Money Laundering Directive to report any

discrepancies to the registers of beneficial owners

could then be dropped, as could the obligation for

obliged entities to have their own measures in place

to identify beneficial owners. The corresponding pro-

visions, together with any existing reporting require-

ments for obliged entities concerning the beneficial

owner (e.g. reports to the file allowing automated

access to account data under section 24c of the Ger-

man Banking Act), should be deleted.

This approach would achieve practical simplifications

and is in the interests not only of obliged entities,

but also of corporate customers, and thus of the eco-

nomy as a whole. The KYC process would be much

easier for business customers since all the necessary

data on them could be retrieved direct from the KYC

registers and obliged entities would need to ask for

and verify much less information.

Access to the registers should be free of charge for

the purposes of fulfilling KYC requirements. Den-

mark, which offers general free access to its register,

represents best practice in the EU at present.

Once the planned EU-wide link-up of national re-

gisters of beneficial owners has been completed, it

should be made possible to access an extract from

any national register via a central European Union

website. It should be ensured that obliged entities

can obtain an extract with uniformly defined fields

and with the field names provided in all official lan-

guages of the EU (along the lines of an international

birth certificate). When the language of a member

state uses another alphabet, entries should be auto-

matically transcribed into the Latin alphabet on the

basis of uniform rules.

bankenverband

Positionen 11

The right approach: register of beneficial owners in Austria

�� In Austria, the register of beneficial owners contains extensive information on these persons. Reliable information about

the residential address is ensured by means of a link with the registers of residents. Copies of the identity cards of bene-

ficial owners from other EU member states must be deposited in the register by companies subject to registering requi-

rements. It would make good sense to adopt this second element, in particular, across the EU as it should be possible to

implement it in all member states irrespective of how the national register of residents is designed.

�� In addition, obliged entities in Austria are already permitted to rely conclusively on an “extended extract” from the re-

gister of beneficial owners and – if only simplified due diligence obligations have to be applied – on information about

beneficial owners from the register.

�� Although the information in the register cannot be accessed free of charge, the fees are generally lower than in Germa-

ny, for example. Furthermore, it is possible to minimise costs by purchasing various flat-rate access packages, which are

available in different sizes.

�� Even if the Austrian register of beneficial owners does not yet fully reflect the ideal described above – in particular,

limiting the ability to rely on the information to simplified due diligence obligations does not go far enough – it never-

theless comes very close. This makes it clear that a reliable register which offers genuine added value to obliged entities

and corporate customers is by no means an unattainable ideal.

Example:

Reusability

Private banks and fintechs call for uniform EU-wide

rules governing the conditions under which the fin-

dings of KYC checks may be reused. It is important

that their cross-border reuse within the EU is also

made possible.

Not only are there no standardised rules at all at pre-

sent on whether and, if so, under what conditions KYC

processes can be reused within EU member states, let

alone across borders. There are also no uniform rules

on the extent to which third parties may rely on KYC

processes that have already been completed. This is

true even if the customer agrees to a transfer of the

findings of a previously carried out KYC check.

Where reuse is permitted at least at national level,

this is the result sometimes of legislation and some-

times of administrative practice, but the permission

to reuse always covers only KYC processes carried out

in the same EU member state. As things stand, there-

fore, the cross-border reuse of KYC processes within

the EU is only possible to a limited extent and requi-

res considerable time and effort. This applies even to

the transfer of a previously completed KYC process

within a corporate group.

Owing to the downright chaotic divergence of na-

tional requirements, it is virtually impossible to es-

tablish uniform processes for reusing KYC processes

within a group – let alone for the reuse by third par-

ties (e.g. public authorities or other obliged entities

with which the corporate customer wishes to estab-

12 Positionen

lish business relations). There can consequently be

no question of a level playing field and thus a single

EU market when it comes to the reusability of KYC

processes.

It should therefore be permitted to reuse the findings

of KYC processes carried out in accordance with EU

law both for further KYC processes within a group of

companies and elsewhere across the EU. If an obli-

ged entity wished to exercise this option, the entity

which carried out the original KYC process would be

responsible for transmitting the correct data or using

an appropriate technical interface to pass it on in the

form of a standardised data set. It would need to be

made clear that the receiving entity could fully rely

on a KYC process carried out by the forwarding entity

in accordance with its national law, particularly if the

recipient belonged to the same group of companies

as the party originally conducting the KYC process.

Confidence in the KYC process

Confidence in the KYC process covers both trust in

the accuracy of the forwarded data and trust that any

forwarded documents are correct and complete. It

should possible to store KYC documents centrally at

one company in the group so that it would normally

be sufficient to transfer the collected data while (phy-

sical) documents would only have to be forwarded if

a particular need arose. Firms should have the opti-

on of either storing all documents centrally in one

place or storing documents locally at the unit dealing

with the customer in question. In the absence of EU-

wide customer due diligence standards, it should at

least be ensured that the local standards for the unit

dealing with the customer apply to the entire group.

This should also go for the frequency of updating

customer data.

European legislation already (via the legal require-

ments to be met for involving a reputable third party)

permits a third party to carry out a KYC process for

an obliged entity in accordance with the national law

applicable to that third party. There is no objective

justification for treating the performance of the KYC

process by a third party differently to the reuse of

an already completed KYC process by another com-

pany belonging to the same group. Nor should the

reuse of a completed KYC process within a group

be limited only to KYC processes carried out by

the group itself. There is no objective justification

for this restriction either, provided that there are

uniform EU-wide rules on the maximum age of a

completed KYC process and the accompanying do-

cuments obtained for verification purposes. There

should be no obligation to pass on the accompa-

nying documents, however. Obliged entities should

merely be granted the right to share both the data

set with the KYC data and the accompanying docu-

ments within a group.

Above all, it should also be made possible to reuse

a KYC process outside a group. The ability to reuse

KYC data instead of requiring the customer to go

through the process again could take the form out-

side a group of a risk-based decision by the second

obliged entity, enabling it to choose between reuse

and re-verification depending on factors such as the

age of the existing information.

Real-time KYC processes

Reusing data will make it possible to create innovati-

ve, customer-friendly, barrier-free, secure and cross-

border KYC processes that can be carried out in real

time. It would be possible, for instance, to conclude

an agreement for a new product with Bank B using

Bank A’s access data by simply transferring the re-

quired data and immediately processing it digitally.

Customers could save themselves the trouble of pro-

viding the data and going through the verification

process again and would have full control over who

transfers which data to whom. Security could be en-

sured by two-factor authentication, for example.

If reusability were permitted on a uniform basis

EU-wide, this would further promote digital trans-

formation and create opportunities for innovative

bankenverband

Positionen 13

database solutions to be effectively used by obliged

entities across the EU. It would also make it even

easier to switch banks within the customer’s home

state and to establish business relations in another

member state. This is in line with the declared ob-

jectives of the EU. For customers, reusability would

have the positive effect of dismantling major barriers

and obstacles to a true single market in the EU while

generally making it more convenient to make use of

the products and services offered by obliged entities.

In addition, it would make data repositories and the

history and transfer of data more transparent.

In the interests of corporate customers, in particular,

but also of obliged entities and public bodies, the-

re is therefore an urgent need for harmonised, EU-

wide rules on the reusability of KYC processes. Given

the need for full harmonisation in this area, it would

make good sense to introduce these rules by way of

an EU regulation, in which it should be made clear

that the receiving entity can fully rely on an identi-

fication carried out in accordance with national law.

The reuse of a KYC process should, moreover, be allo-

wed irrespective of whether the process in question

has been completed only recently or was carried out

some time ago but has been updated.

Looking further ahead, the reuse of KYC processes

(keyword: “digital identity”) does not need to be con-

fined only to the financial sector: reuse would also be

conceivable in the insurance, retail or administrative

sectors. If their data could be actively and frequent-

ly reused, customers would have a strong interest in

keeping their details up to date. In addition, a basis

for new business models (such as an “IdentityHub”)

would be created.

The conclusion is therefore clear: given the associ-

ated minimisation of costs and increase in efficien-

cy, all parties involved would benefit if the reuse of

all KYC processes carried out in accordance with EU

law were permitted on a uniform basis EU-wide. This

would also make an important contribution to com-

pleting the EU single market.

14 Positionen

�� Regulation of the reuse of KYC processes is highly fragmented in EU member states: In some EU member states,

the (standard) transfer of a KYC process requires the consent of, or at least notification to, supervisors (usually

data protection supervisors). We understand this to be the case, for example, in Austria and France (consent

requirement) and in Luxembourg and Italy (notification requirement).

�� In some cases, there are specific requirements regarding how old certain KYC documents may be: in Slovakia

and Austria, for instance, they should not be older than three months and six weeks respectively. Sometimes,

there is a vague requirement for the KYC process to be “up-to-date”: this applies in Luxembourg, for example. In

Austria, the supervisory authority also points out with reference to the case-law of the Austrian Higher Adminis-

trative Court that, in some cases, a several-day-old extract from the register may not be considered “conclusive”,

since the Austrian register is generally accessible to legal entities. This apparently also applies to extracts from

foreign registers if they are publicly accessible.

�� National requirements sometimes stipulate that foreign ID documents have to be translated into the local lan-

guage by a certified translator and presented along with the original. In addition, extracts from foreign regis-

ters may only be accepted in some member states (e.g. Austria) if they have been notarised or apostilled by an

official authority.

�� Finally, the use of a KYC process performed by another bank is only permissible in some EU member states

for anti-money laundering purposes. Other purposes, such as a streamlined and customer-friendly customer

onboarding process, are not allowed without the explicit consent of the customer; this applies in France, for

example. In some cases, the reuse of KYC processes is completely ruled out if enhanced due diligence require-

ments apply or is only possible if further checks are performed. This is true of Austria and Slovakia, for example.

Example:

bankenverband

Positionen 15

Annex: Summary of the mandatory data set to be obtained for the various roles

In the interests of all obliged entities, it is desirable to have clear rules on the data which firms have to report to

the KYC register about the various parties involved in a business relationship. Business relationships will commonly

involve the following:

1. Contracting party

2. Legal representative (who does not deal directly with the bank or have power of attorney over the account)

3. Beneficial owner (e.g. proprietor)

4. Person authorised to draw on the account/authorised representative (e.g. employee with power of attorney

over the account)

The following data sets for the following roles should be retrievable from the KYC register:

1. Contracting party:

- Name

- Type of enterprise

- Registration number (if available)

- Common European tax number or other legally required identification number

- Industry/sector

- Address of registered office as entered in the register

- Address of the head office (if the registered office is not the operational headquarters)

2. Legal representative (who does not deal directly with the bank or have power of attorney over the account):

- Name

- First name(s)

- Date of Birth

3. Beneficial owner:

- Name

- First name(s)

- Date of birth

- Country of residence

- Common European tax number or other legally required identification number

4. Person authorised to draw on the account/authorised representative (e.g. employee with power of

attorney over the account):

- Name

- First name(s)

- Date of birth

- Country of residence

- Common European tax number or other legally required identification number

- Scope of authorisation

N.B.: The entry of data on the authorised representative in the KYC register is voluntary.

The Association of German Banks can be contacted

by post:

Bundesverband deutscher Banken

P.O. Box 040307,

10062 Berlin

Germany

by email:

bankenverband@bdb.de

online:

bankenverband.de

by phone:

+49 30 1663-0

Publishing details | Publisher: Bundesverband deutscher Banken e. V., Postfach 040307, 10062 Berlin | Legally responsible: Oliver Santen bankenverband.de | Foto: ressourcenmangel | As at March 2019