Digital Identity and Onboarding
Belgium
A distinction must be made as to whether the insurance distributor is an obliged entity or not in accordance with the Anti-Money Laundering regulations. If it is an obliged entity, the Belgian Anti-Money Laundering Law applies, as well as the Financial Services and Markets Authority (“FSMA”) guidelines.
If it is not an obliged entity, there are certain common practices in the sector such as developing a customer identification and recognition procedure.
In both cases, Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC applies.
France
Any insurance contract must be preceded by prior information to the insured in order to guarantee that the client is aware of the conditions and the price; the modalities are provided for in articles L. 222-1 et seq. of the French consumer code.
The customer identification procedure, also known as Know Your Client (“KYC”), for online onboarding differs depending on whether the contract is a life insurance policy or not:
- if it is a life insurance policy, then article R. 561-5 of the French monetary and financial code imposes a reinforced double verification, notably by identifying the beneficial owner of the policy;
- in the case of any other insurance contract, article R. 561-14-2 of the French monetary and financial code requires simple identification of the client by providing an identity card.
Italy
There are no specific provisions on client digital identification nor regulations ruling onboarding procedures for Insurtech. However, the Public Digital Identity System (“SPID”) regulation laid down in the Legislative Decree no. 82/2005 “Digital Administration Code” might apply to Insurtech.
A number of points still remain under debate, such as the standardisation of customer identification procedures or those for signing contracts online. However, there is still no official guidance from the authorities on the correct use of such tools.
Portugal
The Law no. 83/2017 establishes the measures to combat money laundering and terrorist financing and partially transposes Directives 2015/849/EU of the European Parliament and of the Council of 20 May 2015 and 2016/2258/EU of the Council.
Under Law no. 83/2017, financial entities are obliged to implement identity verification and a due KYC system, according to which, before establishing a business relationship, the following identification elements must be provided:
- For private individuals: (i) photograph; (ii) name; (iii) signature; (iv) birth date; (v) nationality; (vi) expiry date and issuer of identification document; (vii) job; (viii) full address; and (ix) place of birth.
- For legal persons: (i) the object; (ii) address of registration; (iii) VAT; (iv) identification of the shareholders or directors; and (v) country of incorporation.
A second assessment must take place based on one of the following means of proof of identification:
- through videoconference in line with Regulation no. 2/2018 from the Bank of Portugal;
- means of electronic identification, qualified electronic signature, or secure authentication of the State through the card reading system; the Digital Mobile Key (“CMD”, from its name in Italian Chiave mobile digitale), under Law No. 37/2014, of 26 June, establishes an alternative and voluntary system of authentication of citizens in portals and websites;
- the use of interoperability platforms between the information systems issued by public services, in accordance with Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market (“eIDAS”);
- the data subject's authorisation for transferring the data, pursuant to Article 4-A (1) and (4) of Law 37/2014;
- access to the client’s electronic identification or of equivalent value through the use of secure devices, recognised, approved or accepted by the competent authorities to provide qualified certification;
- through qualified trust service providers, from those listed by the National Cyber Security Office;
- the use of interoperable platforms between information systems, issued by public services.
The Netherlands
A distinction must be made as to whether the insurance distributor is an obliged entity according to the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act, in Dutch: Wet ter voorkoming van witwassen en financieren van terrorisme (“WWFT”). In the Netherlands only life insurance distributors are subject to the WWFT. Such insurance distributors should ensure that the risks associated with digital onboarding are mitigated.
In any case, the insurance distributor is required to screen clients on possible sanctions as referred to in Dutch and international sanction legislation.
On 23 January 2018, the ESAs published their Opinion on the use of innovative solutions in the customer due diligence process. The DNB explicitly refers to this opinion in its Anti-Money Laundering (“AML”) guideline as a framework on how to apply innovation techniques in customer due diligence procedures and rules.
On 18 October 2022, the Dutch Trade and Industry Appeals Tribunal (“CBb”), the highest economic administrative court in the Netherlands, issued an important ruling concerning the use of innovation techniques and artificial intelligence for AML purposes. The CBb ruled that the WWFT does not prescribe exactly how the screening requirements following from the WWFT must be fulfilled and that digital tools and innovation techniques may also be used in order to be compliant with the WWFT. The ruling was issued in relation to an online Dutch bank (a FinTech), but may also be relevant for other financial institutions (e.g. Insurtech) that make use of innovative techniques for onboarding or transaction monitoring purposes.
Ukraine
There are no specific rules on digital identification and online onboarding of clients for insurance providers. Insurers thus abide by the general rules of Ukrainian law, and the applicable rules depend on the transactions that the insurer will carry out with the client. For example, under the Law of Ukraine “On Prevention and Counteraction to Legalisation (Laundering) of Proceeds from Crime, Terrorism Financing and Financing of Proliferation of Weapons of Mass Destruction” No. 361-IX, dated 6 December 2019, insurers are defined as the subject of the initial financial monitoring. This implies that insurers are required to carry out identification and regular due checks of their new and existing clients. Such checks can happen both in person and remotely (i.e., online).
The specific requirements as to the identification procedure (including digital identification) should be defined by internal policies of insurers depending on their size and business model, as well as size and business model of their client. For individuals in retail insurance, such checks would typically be limited to checking of ID only.
United Kingdom
First an assessment must be made as to whether the relevant firm is a ‘relevant person’ for the purposes of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLRs 2017”). If so, digital identification and onboarding will need to be carried out in accordance with the MLRs, with due regard to be paid to the guidance set out by the Joint Money Laundering Steering Group.
Due consideration should also be given to the requirements of:
- The Proceeds of Crime Act 2002
- The Terrorism Act 2000
- The rules and guidance contained in the Senior Management Arrangements, Systems and Controls sourcebook of the FCA Handbook.
In relation to electronic identification, the UK has retained elements of eIDAS by virtue of the Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019. Consideration should also be given to the Electronic Identification and Trust Services for Electronic Transactions Regulation 2016.
Note that, for the purposes of eIDAS, trust service providers established in the UK are now third country trust service providers, can no longer provide ‘qualified trust services’ in the EU, and UK electronic identification schemes notified prior to 1 January 2021 are no longer recognised by EU member states.
Spain
A distinction must first be made as to whether the insurance distributor is an obliged entity or not in accordance with the Anti-Money Laundering regulations. If it is an obliged entity, the following will apply:
- Law 10/2010, on the prevention of money laundering and the financing of terrorism;
- Royal Decree 304/2014, approving the Regulation of Law 10/2010, of 28 April, on the prevention of money laundering and the financing of terrorism;
- Authorisation of video-identification procedures by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (“SEPBLAC”) on 11 May 2017.
If it is not an obliged entity, there are certain common practices in the sector, such as developing a customer identification and recognition procedure.
In both cases, Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC also applies.