Why do we have to digitize online onboarding and contract signing processes?
The development of technology, and thus the digitization of the world, forces legal and regulatory changes. On the other hand, legal and regulatory issues may block or even slow down the implementation of changes.
It all began with Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services in relation to electronic transactions in the internal market. They allowed for remote identification of the client and signing of the contract.
The regulation raised many questions. First of all, the problem was the qualified signature, which required a special device: from the point of view of the average user it is a problem and an additional (considerable) cost.
Finally, the PFSA issued (05.06.2019) a collection of good practices regulating a set of guidelines.
The PFSA devotes part of its guidelines to the competence of employees supporting verification and part of the elements that can be implemented by an IT system. In general, it sets out the necessary steps that ensure the implementation of increased financial security measures and due diligence, key factors in meeting the provisions of the Act on Counteracting Money Laundering and Terrorism Financing (AML), which is crucial especially when setting up bank accounts.
Citing the original, the PFSA writes:
In terms of verifying the customer's identity without his physical presence - the most reliable instruments are electronic identification means referred to in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and services trust in electronic transactions on the internal market and repealing Directive 1999/93 / EC (Official Journal L 257 of 28.08.2014, p. 84), including a qualified electronic signature. If the above electronic identification means cannot be used, the bank should consider using - in accordance with art. 43 paragraph 2 point 7 of the AML Act - increased financial security measures.
The regulator understands that a qualified electronic signature strongly limits the development of the electronic form of signing contracts and introduces a set of good practices implementing "increased financial security measures". Thanks to this, we were able to create and propose a platform that, on the one hand, implements and supports good practices, and on the other provides the client with a convenient form of contract conclusion.
A set of good practices allows the implementation of the contract signing process to be implemented in a fully automatic way (without the need for a back-office employee).
Of course, all automatic steps can be finally completed with manual steps (manual verification). We tried to create such a solution to enable additional process steps easily, i.e. via configuration.
Below are the direct guidelines that can and should be implemented in an automated process (these elements should be supported by the machine), which we have included in our solution. I quote a given guideline and then comment on its implementation if necessary.
According to Article 36 para. 1 of the AML Act, the customer identification process should be based on personal data provided by the customer. In our solution, the client in one of the first steps provides their data, which will be later verified based on the next steps of the process and collected documents.
To quote the PFSA guidelines:
- Use a document confirming your identity in accordance with the regulations, i.e.: ID card, passport, residence card. Additionally, you can use another document with a photo, e.g. driving license. In addition, use a utility bill to confirm your identity and address.
The system expects to attach a scan of the relevant document. Because we have document templates (which by the way change periodically), we verify that the attached document is really the one we expect. The system should react appropriately if it considers that this is not the right document (reject the application, direct it for manual verification, ask for repetition a finite number of times. As each machine determines the level of error of its decision, it should be possible to parameterize the decision depending on the calculated error rate of the machine). The analysis requires the use of the OCR process. While the OCR of a known format is simple, the OCR of any format (utility bills do not have a fixed format) is definitely more difficult. The machine will not be effective in this case. The company must consider whether to implement this step because it will cause more applications to be expected to be verified manually.
Our solution takes a step forward and allows you to connect not one but many documents, not only those mentioned by the PFSA. We use all available sources, including public EU registers of identity documents and documents, available online (including birth certificates, marriages, non-resident documents). The machine enables comparison of the above-mentioned documents with official templates of these documents published by the Council of the European Union. This is an interesting and innovative step, unheard of in other solutions.
Incidentally (due to the limited amount of data) you can use the transfer from the customer's account. In the case of non-banking organizations, to accomplish this step automatically, a short circuit with the Banking interface (via API or files) is required. This step eliminates the possibility of conducting the online process (the transfer will be delayed by up to 1 day). It can be a step closing the process taking into account additional conditions (e.g. final launch of the contract the next day, etc.).
The bank may use the video verification method, including video call. While the concept of video verification is broader, the PFSA's guidelines mainly concern video calling. In our solution, video calling is a complementary element, while the main element of video verification is the collection of artifacts prepared by the client without the participation of a Bank employee, i.e. document scans and face profile recordings. The artifacts collected in this way are subject to automatic verification. The system analyzes several dozen elements according to the algorithm. This is to confirm that the person pretending to be in the proof is actually one. This is the first key element of the automatic process. It should be remembered that face recordings are biometric data, so it is required to collect the client's consent to download and process this data. This is a necessary step in the process and results from art. 9 item 1 GDPR (Regulation 2016/679), which in principle prohibits the processing of biometric data (hence the necessary consent).
- In the area of video calling, many tips mainly refer to its course, which we will not deal with in the article. The system should ensure the appropriate connection quality so that the employee can properly verify the documents and the person. In this case, however, a lot depends on the quality of the client-side camera. It depends on the bank what level of quality it accepts and at which it withdraws from the video call process (due to too high risk of incorrect verification). What is important, the PFSA writes about this: "In the case of using the video verification service, the bank should consider using increased financial security measures - minimizing the risk of incorrect customer verification". In the set of practices, this translates into e.g. limiting the method to a specific group of people (e.g. only Polish citizens), defining the hardware requirements on the client's side (camera resolution, medium - workstation, tablet, smartphone), product restrictions (e.g. quota limits payments, exclusion of a loan or limitation of its sum, exclusion of an insurance contract and other restrictions in the contract).
- Archiving of video verification records is an important element. In this case, the PFSA does not specify the procedures. We assume that these elements should be archived, which in the context of several years can be used in legal proceedings to prove that the verified party to the contract was the one they claimed to be.
- In addition, the video verification process should be subject to an internal control system. In the case of the system, this translates into the transmission of relevant reports (on-line, off-line) about suspicious activities in the context of selected customer and employee data, verification of cross-area data, launching the alert system that provides information on suspicious situations whether it is on a regular basis or during certain periods of time. These steps are performed by the system automatically, in a way in the background.
- The PFSA clearly indicates the use of external databases and the following databases appear here literally:
- Database of restricted documents,
- Register of Identity Cards,
- PESEL number database,
- List of Wanted People,
- Hazard Warning Exchange System,
- Sanction lists,
- Bank's internal databases (so-called "blacklists")
This is about checking the client and the information contained in the documents he presents. The above list is therefore a reference point and a proposal that mainly includes AML guidelines. From the point of view of the IT system, it should provide online access to the databases required by the company and be able to automatically download relevant data and perform automatic verification, so that the process runs smoothly and without unnecessary delays. If inconsistencies are found, the process rules decide whether to refer the case for manual verification (exit the automatic process). The exit conditions should be part of the system parameterization, as there is often an inconsistency in data from different databases. Too optimistic assumption that the data is consistent may cause that all requests will be directed to the operator who will not be able to process them. The process becomes costly (one-off costs of process handling increase due to employee involvement). In our system, the above actions are the third important element of the automatic process (about two in a moment).
- PFSA points to supplementary techniques that confirm due diligence and specifically refers to several elements:
- designing the process so that an employee of the Bank takes part in the video verification process (which is consistent with the point below in specific cases),
- the use of biometric techniques, e.g. comparison of the client's face with a photo in the ID card (with an indication of the percentage of compliance). In our system, we enable the attachment of a document scan and the recording of the client's face by a camera triggered from the Bank's application (which is recommended by the PFSA). The artifacts collected in this way are automatically compared and the level of compliance is determined. If the compliance is too low, the PFSA Office recommends performing verification confirmation:
- by a back-office employee (without connecting to the client),
- switching to the video verification channel when connecting online with the client,
- during a client's direct visit to a bank branch,
- for performing OCR of documents requiring verification and performing steps confirming their authenticity (compliance with templates, special characters) and data integrity (e.g. MRZ code for evidence, comparison of OCR data with data entered by the customer in the application or downloaded from external systems). These steps are also performed automatically by the system. This is the second important element of the automatic process. Regulations, e.g. German (BaFin) say directly about checking at least three random elements of document security, as well as its expiry date or issue date (which requires having templates of these documents in force in a given period). Such verifications are of course carried out.
BaFin additionally recommends that the verification ends with the employee sending the appropriate TAN code, which the other person should return electronically. Of course, TAN generation, transmission and verification is done automatically (I mention BaFin, because before the KNF issued its guidelines, it commented on the guidelines of the German regulator).
A well-designed system should allow such risk thresholds to be set up to optimally use a back-office employee, prevent suspicious situations from passing without manual verification, and on the other hand not burden the employee with cases of low risk of automatic verification.
Security of stored biometric data
I will discuss this issue separately, because the PFSA does not devote too much time to it, and considering the restrictions of other regulations, it is important.
The GDPR (Article 24 et seq.) And the Personal Data Protection Act require the implementation of technical measures preventing (minimizing the risk of) access to such data by third parties.
We guarantee all of this through proper data protection (encryption) and monitoring of operations related to their collection. No unauthorized user has the right to access them, and access is restricted by appropriate privileges granted according to established processes.
Cooperation between organizations
Digitization of processes creates opportunities that have never been seen before. First of all, it gives the possibility of ongoing monitoring of processes.
Due to competition, this is unlikely, but I believe that institutions should exchange information on clients signing many contracts at the same time (in-line). This would make it easier to catch fraud. Of course, such a solution must be imposed by appropriate supervision and law, and such information should flow to an external supervisor, a regulator who only monitors fraud, and does not exchange information about clients between competing institutions.
The introduction of electronic processes allows you to enable monitoring. On the one hand, this may raise another Orwellian controversy, on the other, it supports the area of eliminating fraud and hinders the work of thieves.
Summary
The above guidelines regulated the general ordinances and reduced them to specific actions that must be carried out by both the system supporting the process and the employees.
The guidelines mainly apply to companies related to financial transactions, but the process has become so simple that they may as well be met by other institutions that want to support the signing of contracts or the exchange of other documents in this way.
The described steps are implemented by the system we offer. The process of client’s onboarding or signing any contract is now simple and fast. It only takes a few minutes to realize it. From the client side, the process requires going through several screens of the mobile or WWW application, including attaching document scans and making face recordings. This is a great convenience and a chance to popularize this form of contracting.
Nothing but implement a ready-made solution. Given the convenient and free access to the qualified signature (as part of the new PKO BP and KIR promotion, the clients of the first can use the mSzafir qualified digital signature until the end of June for free), you can safely handle the process of signing the contract with a qualified digital signature (required for leasing contracts). As you can see, organizations react dynamically to market needs.
Maybe the current situation will make the use of a qualified digital signature a standard?
It is no longer necessary to plan visits and make appointments, and the client will be able to sign any contract simply and conveniently at home, at his choice, at any time.
I would like it to be an easily available alternative.
We will devote a separate article to the qualified digital signature, because changes in this area are crucial to change the culture of service contracts in Poland.