Requirements and procedure for identification of persons and verification of persons’ identity with information technology means
Passed 21.10.2016 No. 48
The regulation is established on the basis of subsections 15 (12) and 30 (6) of the Money Laundering and Terrorist Financing Prevention Act.
Chapter 1 General provisions
§ 1. Scope of application
The regulation applies to the information disclosure requirements of credit institutions and financial institutions (hereinafter service provider), the rules of procedure applicable upon the establishment of a business relationship and to the making of transactions using information technology means, requirements for activities related to the declarations of intent of the parties to a transaction, the organisation of questionnaire surveys and mandatory real-time interviews held upon establishment of a business relationship, conditions of processing of the facial image of a person, and requirements for the quality of the synchronised audio and video stream during the aforementioned procedures as well as for recording and for the reproducibility of recordings.
§ 2. Preconditions of identification of a person and verification of identity
(1) A service provider who uses information technology means for the identification of a person and verification of the person’s identity must use highly reliable technical means, which guarantee truthful identification of a person and make it possible to prevent the alteration or misuse of the forwarded data.
(2) Upon the identification of a person and verification of person’s identity, the natural person or the legal representative of a legal entity who wants to open an account or use another service must use a document prescribed for the digital identification of a person issued pursuant to the Identity Documents Act and an information technology means, which has a working camera, microphone, the hardware and software required for digital identification and an internet connection of adequate quality.
(3) Upon the identification of a person and verification of person’s identity specified in subsection (2), the service provider may use information technology means that have the hardware and software required for the digital identification of biometric data.
(4) A natural person or the legal representative of a legal entity identifies themselves when entering the information system specified by the service provider and confirms upon the establishment of a business relationship and the conclusion of a transaction on occasional basis that they have read the information about the use of information technology means on the service provider’s website or in the specified information system and agree to the conditions of identification of a person and verification of person’s identity with information technology means.
(5) A natural person or the legal representative of a legal entity confirms with his or her digital signature upon the establishment of a business relationship and the conclusion of a transaction on occasional basis that:
1) he or she agrees that his or her data will be processed and recorded in the course of the procedures to be carried out;
2) he or she carries out the procedures specified in this regulation personally, except for the cases stipulated in subsections 10 (3) and 11 (3);
3) the data submitted by him or her in the identification questionnaire specified in section 10 and in the course of the interview specified in section 11 are true and complete, and he or she is aware of the consequences associated with the submission of incorrect, misleading or incomplete information upon the establishment of a business relationship;
4) he or she meets the conditions established by the service provider for the establishment of business relationships and the conclusion of transactions.
(6) In addition to the obligations set out in subsection (5), a natural person or legal representative of a legal entity who uses the e-resident’s digital identity card must also:
1) agree with the application of Estonian law by confirming this with his or her digital signature;
2) show to the service provider in front of the camera the personal data page of the valid travel document issued by the foreign country.
§ 3. Unsuccessful identification of a person and verification of person’s identity
(1) The identification of a person and verification of person’s identity with the help of information technology means upon the establishment of a business relationship is considered unsuccessful if:
1) the natural person or the legal representative of a legal entity has intentionally submitted data that do not correspond to the identification data entered in the identity documents database or do not coincide with the information or data obtained with other procedures;
2) the session expires during the identification of a person, the identification questionnaire or the interview, or the information flow that transmits synchronised sound and image does not comply with the requirements set out in § 5;
3) the natural person or the legal representative of a legal entity has not given the confirmations stipulated in subsections 2 (4) to (6);
4) the natural person or the legal representative of a legal entity refuses to comply with the service provider’s instructions specified in § 7;
5) the natural person or the legal representative of a legal entity uses the assistance of another person without the service provider’s permission;
6) there are circumstances that give rise to suspicions of money laundering or terrorist financing.
(2) The session specified in clause (1) 2) expires when the natural person or the legal representative of the legal entity has not completed any activities in the service provider’s information system during a period of 15 minutes.
(3) In the event of the circumstances set out in clauses (1) 1) to 6) the service provider rejects the application of the natural person or the legal representative of a legal entity for opening an account or conclusion of a transaction.
(4) In the event of the circumstances set out in clauses (1) 1) and 6) the service provider sends a notice to the Financial Intelligence Unit.
§ 4. Publication of information about the use of information technology means
The service provider must publish information about the technical conditions for the identification of a person and verification of person’s identity with information technology means on its website or in the specified information system. At least the following facts must be presented in the published information:
1) a reference to the applicable legislative provisions;
2) the information that the rights and obligations extended to the person and the service provider upon the identification of a person and verification of identity with information technology means are the same as the rights and obligations in the event of the identification of a person or verification of identity while being present at the same place with them for the purposes of subsection 15 (1) of the Money Laundering and Terrorist Financing Prevention Act;
3) a warning that the identification of a person and verification of identity does not oblige the service provider to establish a business relationship or guarantee the accessibility of services;
4) the conditions in the event of which the identification of a person and verification of person’s identity with information technology means is considered unsuccessful.
Chapter 2 Technical requirements for the information system of service provider
§ 5. Minimum requirements for the quality of information flow transmitting synchronised sound and image
(1) The information system of the service must allow for digital identification of a person and digital signing.
(2) The service provider must check whether the information system guarantees the transmission of clear, quality, recordable and reproducible synchronised sound and image, which is sufficient to understand the transmitted content unambiguously and reliably.
§ 6. Requirements for recording and reproducibility of recording
(1) The service provider must record the information flow containing image and sound in such a manner that allows for it to be reproduced with a quality equal to the initial transmission of synchronised sound and image.
(2) The information flow that contains image and sound must be recorded with the time stamp, the client’s IP address, the name of the person to be identified and the personal identification code of the person to be identified, whilst the time stamp must be tied to the data concerning it in such a manner that any later changes in data, the person who made the changes, and the time, manner and reason thereof can be identified.
(3) The service provider is obliged to record the data collected with identification questionnaires and the following procedures in the manner specified in subsection (2):
1) the identification of the person;
2) the confirmations and consents specified in subsections 2 (4) to (6) and the granting thereof;
3) the carrying out of the mandatory real-time interview.
(4) The recording starts with the identification of the person and ends when the data specified in subsection (3) have been collected and the procedures specified in the same subsection have been carried out.
(5) The recordings containing the data and procedures specified in subsection (3) must be reproducible within five years of the end of the business relationship.
(6) The service provider has the right to record the procedure specified in § 10 as data stream containing image and sound.
§ 7. Requirements for framing the face and document of a person
(1) The person’s head and shoulders must be visible and framed, and the face must be clear of shadows and uncovered, and clearly distinguishable from the background and other objects, and recognisable.
(2) The service provider may instruct the person to change his or her position and place themselves and the document in the frame to make it possible to identify the person and verify person’s identity, including to view the data or images on the document.
(3) The service provider has the right to require the removal of items covering the head or face and glasses or compliance with any other instructions of the service provider given in order to guarantee the identification of the person and verification of person’s identity.
Chapter 3 Rules of procedure applicable upon the establishment of business relationship and conclusion of a transaction
§ 8. Rules of procedure applicable upon the establishment of a business relationship and conclusion of a transaction
(1) Proceeding from the risks of the service and the Minister of Finance Regulation No 10 of 3 April 2008 ‘Requirements for procedural rules established by credit and financial institutions and their implementation and inspection of compliance with them’, the service provider prepares and implements activity guidelines for the implementation of due diligence measures upon the establishment of a business relationship and the conclusion of a transaction.
(2) The procedures set out in sections 2 and 10 are carried out by an employee of the service provider or an automated system.
(3) The service provider is obliged to prevent the risks of the automated system being manipulated.
§ 9. Determination of the client profile and risk profile
(1) The service provider prepares the client profile and the risk profile as a part thereof on the basis of the activity guidelines and procedural rules specified in subsection 8 (1) and the identification questionnaire, interview and other accessible information, and the systematised collection and analysis of data and clarification of facts.
(2) The service provider must prepare the client profile and risk profile specified in subsection (1) in a format that can be reproduced in writing.
§ 10. Identification questionnaire
(1) The identification questionnaire is used to ascertain a natural person’s residential address, activity profile, area of activity, purpose and nature of establishment of a business relationship, connection of the person’s economic or family interests with Estonia, expected volumes of the services used by the person in appropriate cases, the beneficial owner, whether the person is a politically exposed person and other important information.
(2) The identification questionnaire is used to ascertain the legal entity’s business name, registry code, location and places of operation, including branches located in foreign countries, the entity’s legal form, legal capacity, lawful and contractual representatives, beneficial owner(s) and, if appropriate, whether the beneficial owner is a politically exposed person, economic connections with Estonia, contracting states of the European Economic Area and third countries, most important business partners, the legal entity’s activity profile, main and secondary areas of activity, purpose and nature of establishment of a business relationship and other important information.
(3) With the service provider’s permission, the natural person or the legal representative of a legal entity may use the assistance of another person when the identification questionnaire is carried out.
(4) The employee of the service provider must assess the answers given in the identification questionnaire and record his or her opinion and the circumstances that are the basis thereof in the client profile and risk profile specified in § 9.
(5) The service provider may waive a separate identification questionnaire if the requirements specified in subsections (1), (2) and (4) are complied with in the course of the interview. The service provider must explain the waiver of the separate identification questionnaire in the rules of procedure of the service provider to be prepared according to § 12.
§ 11. Interview
(1) In order to collect and verify the information and data required for the determination of the client profile, the employee of the service provider asks partly structured questions in the course of the interview, proceeding from the results of the identification questionnaire.
(2) The employee of the service provider must carry on the interview that is mandatory for the establishment of a business relationship in real time.
(3) The natural person or the legal representative of a legal entity may use the assistance of another person during the interview with the permission of the service provider.
(4) The employee of the service provider must assess the client’s reaction during the interview, the reliability of the obtained information and data and compliance with the information and data obtained with other procedures, and record his or her opinion and the circumstances that are the basis thereof in the client profile and risk profile specified in § 9.
§ 12. Rules of procedure of a service provider
(1) The service provider must establish procedural rules for identification of a person and verification of person’s identity with information technology means, which contain at least the following:
1) the guidelines for carrying out the procedure of identification of a person with information technology means, including requirements for identification of a person and verification of the submitted data;
2) the guidelines for preparation of the identification questionnaire;
3) the guidelines for the service provider for preparation of the questions of the mandatory real-time interview and for carrying out the interview;
4) technical requirements for the quality of the information flow transmitting synchronised sound and image, and for the inspection thereof;
5) requirements for the collection and updating of submitted data and preservation of data and recordings;
6) measures for inspecting the performance of the guidelines specified in clauses 1) to 5).
(2) The employee of the service provider must give an opinion of the results of the procedures specified in §§ 2, 10 and 11 and make a proposal about the regime of monitoring business relationships to be applied to the client. The opinion of the employee of the service provider is the basis on which the decision to establish a business relationship is made.
Sven Sester
Minister of Finance
Veiko Tali
Secretary General