TCAB (Trust Conformity Assessment Body) has registered an expert in electronic identity management techniques as an assessor within the framework of the anti-money laundering regulation supervised by SEPBLAC.
In this way, the expert is in a position to audit the control measures used in the “video onboarding” environments of the financial institutions in the context of the recent regulation published for that purpose by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Infringements (the aforementioned SEPBLAC).
The Commission for the Prevention of Money Laundering and Monetary Infringements, which reports to the Economy and Business Support Secretary of State of the Ministry of Economy and Competitiveness, created by Law 19/1993 of 28 December, is a collegiate body formed by representatives of different ministerial departments and agencies, the Public Prosecutor’s Office, as well as the Autonomous Communities. It is the main responsible for the development of the anti-money laundering policy in Spain. Currently it is regulated by Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism.
The Commission is supported by the Secretariat, currently held by the General Subdirectorate of Inspection and Control of Capital Movements of the Treasury and Financial Policy General Secretariat and the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC).
SEPBLAC is the Spanish financial intelligence unit and performs actions aimed at preventing and stopping the use of the financial system or of companies or professionals of another nature for money laundering, as well as the functions of investigation and prevention of administrative infractions of the legal regime of capital movements and economic transactions with foreign countries.
The Article 28 of Law 10/2010 stipulates that the internal control measures referred to in article 26 of the aforementioned Law will be subject to annual review by an external expert and those who wish to act as such should report it to the Executive Service of the Commission before starting its activity and inform the latter half-yearly about the list of obliged subjects whose internal control measures have been examined. This management has already been done by TCAB.
It is the responsibility of the obliged subjects to select suitable professionals, as well as to verify that the external examination is carried out in the terms established in Order EHA / 2444/2007, of July 31.
TCAB is an evaluation entity for products and services related to computer security and, in particular, for Electronic Trust Service Providers, within the framework of the #eIdAS Regulation (European Regulation EU 910/2014). It is governed by ISO 17065 and by EN 319 403 in relation to the evaluation of Providers.
Due to its specialization and the arrangements already made, it can prepare the External Expert Report on the evaluation of internal control measures aimed at preventing money laundering and terrorist financing. In particular in application of the AUTHORIZATION OF IDENTIFICATION NON-PRESENCE BY VIDEOCONFERENCE PROCEDURES published by SEBPLAC.
The aforementioned authorization allows the obliged subjects to use non-presence identification procedures by videoconference according to the following specifications:
- The non-presence identification procedures by videoconference will only be applicable to clients provided by the reliable identification documents referred to in Article 6 of the Regulation of Law 10/2010.
- Prior to the effective implementation of a non-presence identification procedure by videoconference, the regulated subject must carry out the specific risk analysis referred to in Article 32.2 of the Regulation of Law 10/2010.
- Prior to the effective implementation of a non-presence identification procedure by video conference, the obliged subject will document the procedure and will test its effectiveness, outlining the results in writing. The actual implementation of the procedure will not proceed if the results of the tests do not prove its effectiveness.
- It is the responsibility of the obliged subject to implement the technical requirements that ensure the authenticity, validity and integrity of the used identification documents and the correspondence of the owner with the customer that is being identified.
- Non-presence videoconference procedures must be managed by staff with specific training. This training, which will be congruent with the performed functions, must be accredited in accordance with the provisions of article 39 of the Regulation of Law 10/2010.
- The process of videoconference identification shall be recorded with date and time, and the recording shall be kept in accordance with the provisions of article 25 of Law 10/2010. The client must expressly consent to the non-presence identification procedure by videoconference and the recording and preservation of the process, either prior to or during the course of the process.
- During the development of the videoconference, the obliged subject will adopt measures that ensure the privacy of the conversation with the client.
- In any case, in the course of the videoconference the customer subject to identification must visibly display the front and back of the document used for identification.
- The identification process may not be completed when (i) there is evidence of falsehoof or manipulation of the identification document, or (ii) there is evidence of a lack of correspondence between the document holder and the customer being identified, or (iii) the conditions of communication prevent or make it difficult to verify the authenticity and integrity of the identification document and the correspondence between the holder of the document and the customer being identified.
- The obligated subject must obtain and keep a photograph or snapshot of the front and back of the used identification document. The photograph or snapshot obtained must meet the quality and clarity conditions that allow its use in research or analysis and will be preserved in accordance with the provisions of article 25 of Law 10/2010.
- Prior to the execution of any transaction, the obliged party will verify that the client is not subject to international financial sanctions or countermeasures, in the terms established in article 42 of Law 10/2010.
- The implementation of non-presence identification procedures by videoconference can be outsourced, keeping the bound subject the full responsibility.
- The external expert report referred to in article 28 of Law 10/2010 must expressly express its opinion on the adequacy and operational efficiency of the non-presence identification procedure by videoconference.
- This authorization is understood without prejudice of the compliance by the obliged parties with any other legal obligations, particularly in tax matters, planning and discipline, information and consumer protection and protection of personal data.
- The specific non-presence identification procedures by videoconference that the obliged subjects establish under this authorization will not be subject to a new authorization, without limiting its control in the exercise of the supervisory and inspection powers reflected in the article 47 of Law 10/2010 by the Executive Service.