FMA permits automated biometrical customer identification – a game changer for the KYC process?

On 2 November 2021 the Austrian Financial Market Authority (FMA) published its long-awaited amended Online Identification Regulation¹ (Online-Identifikationsverordnung, "Online-IDV"). The FMA herewith enables financial service providers subject to the KYC obligations of the Financial Market Anti-Money Laundering Law (Finanzmarkt-Geldwäschegesetz; "FM-GwG") to use purely biometrical processes for remote identification of new customers. Biometrical identification processes are all procedures for online customer identification where the entire or parts of the online identification are carried out by an automated electronic procedure without the involvement of employees – there is no need for personal contact in the whole remote identification process anymore.

This is expected to make the customer identification process easier and faster as well as to significantly lower the costs compared to the current video identification process which so far required employees (instead of an algorithm) to carry out the identification. Other identification methods (including the video identification process) will remain possible.

Key requirements of the biometrical remote identification process

Pursuant to the amended Online-IDV the following key requirements need to be complied with when making use of the biometrical processes for remote identification:

1. State-of-the-art technology: The most sophisticated biometrical processes for remote identification are required and must be updated regularly. Furthermore, they must achieve a level of security comparable to online identification with involvement of employees (§ 4 (6) no 1 Online-IDV).
2. Documentation: The obligor has to document the whole biometrical process for remote identification properly. This includes in particular keeping records of the results of the checks conducted, including recording the liveness check.
3. (No) Photo copies of ID: Instead of keeping copies of the front and back of a photo ID, obliged parties may also only document and record the electronically signed ID data when checking electronically signed photo IDs (§ 4 (6) no 3 Online-IDV). However, for the time being it is advisable to in addition keep electronic copies of the front and back of the relevant ID document.
4. Liveness check: This is the key requirement of the new biometrical ID process. It is crucial that only a real person actively participates in the online ID process, thus not only a video (or similar historic recording) is used during the biometrical online ID process. The FMA does not detail the procedure of the liveness-check and required security features; obliged parties need to implement state-of-the-art security measures appropriate to their ID process (the FMA therefore regulates the process in a technology-neutral manner). The FMA suggests that the liveness check can, for instance, involve the person being identified reading out a sequence of characters or words specified during the ID process, having to repeatedly track an area randomly selected on the screen by means of head movements, or moving the head in different directions after being asked to do so. Regardless, a video recording (including audio) of the whole biometrical remote identification process needs to be made and stored (§ 4 (6) no 4 Online-IDV).
5. Electronic security chip (NFC-chip) / electronically signed photo IDs: For the biometrical remote identification process only photo IDs which are electronically signed by the issuing authority can be used. The obliged party has to verify the authenticity of the electronic signature/certificate and the integrity of the data (§ 4 (6) no 5 Online-IDV). This requires the reading of the electronic security chip (NFC-chip), e.g. via the NFC reader of a mobile phone. This requirement was criticised by certain market participants. During a transition period ending on 31 December 2022, the FMA will permit the use of IDs without electronic signature/certificate of an authority (and without reading the NFC-chip); in such case the ID needs to be checked visually (and a copy needs to be stored) (§ 9 (2) Online-IDV).
6. Customer consent: The customer has to agree to the biometrical identification in accordance with the GDPR (Regulation (EU) 2016/679).

Implementation of NFC technology and related difficulties

One of the most discussed issues in connection with the new fully-automated biometrical remote identification process is the requirement to verify the electronic signature/certificate of an ID document by reading the ID's NFC-chip. While e.g. Austrian passports have been equipped with an electronic NFC-chip since approx. 2007, other Austrian IDs or many foreign IDs (including in particular foreign passports of CEE/SEE countries outside the EU) are not equipped with such a NFC-chip (or have only included this feature very recently - thus many active and valid IDs (other than Austrian passports) lack an NFC chip). Furthermore not all smartphone models are technically capable of reading NFC chips. The requirement to read the NFC-chip (which applies from 1 January 2023) could thus lead to a situation where a large group of persons will not be able to make use of the biometrical identification process. To read the NFC chip with a smartphone it will generally be necessary to install a separate application which makes the customer onboarding process more complicated and lowers consumer-friendliness. Some market participants questioned whether the implementation of NFC technology in fact makes the identification process more secure.

The FMA is addressing these concerns with a transitional period and has decided not to require the use of the NFC technology in the biometrical identification process before 1 January 2023. It remains to be seen how the situation will develop, especially in technical terms.

Conclusion of the amendment to the Online Identification Regulation

The use of biometrical identification is becoming increasingly important during digital transformation and can support traditional financial institutions as well as FinTechs to implement an even easier, faster but equally secure customer onboarding process. The new amended Online-IDV of the FMA now brings this new identification process to Austria too. It can help strengthen the international competitiveness of Austrian financial service providers and the Austrian financial market, also considering that many other countries have not introduced such a biometrical identification processes yet. Therefore the introduction of the purely biometrical identification processes can be a game changer to Austrian customer identification/KYC procedures.

¹ See BGBl. II Nr. 455/2021

authors: Matthias Pressler and Nicole Kicinski