Updated Information on Biometric Identity Verification for Account Opening in Austria [April 2022 Edition]

Updates on Biometric Know Your Customer (KYC) Onboarding Procedures in Austria as of April 2022, featuring tips from The Sumsuber on optimal KYC and Anti-Money Laundering methods.

Starting from January 1st, 2023, financial service providers in Austria will be obligated to verify the authenticity of electronic signatures and the integrity of data from IDs containing an NFC chip. This is part of the updated regulations aimed at enhancing identity verification processes, as outlined by the Austrian Financial Market Anti-Money Laundering Act (FmGwG) and the EU’s AML and KYC framework, alongside GDPR data protection rules.

Biometric data, such as facial images and fingerprint data, may be processed for identity verification and fraud prevention in onboarding, but only with explicit user consent. This consent can be revoked at any time. The processing of biometric data is justified by the public interest in fraud prevention under Art 9 para 2 lit g GDPR and §21(6) FmGwG.

Data Processing and Retention

Biometric data processing is typically conducted by specialized external service providers. The financial or crypto firms themselves receive only the verification results (positive/negative) and do not retain the raw biometric data. The biometric data must be erased within 3 years after identification.

Integration in Digital Onboarding

Digital onboarding, including eKYC procedures using biometric verification, is mandated to automate and enhance client identification and continuous monitoring starting from 2025 under EU-wide AML updates. This approach must balance AML obligations with GDPR requirements around data privacy.

Verification Standards

Identity verification involves validation of official documents and beneficial ownership information in line with AML/KYC guidelines, including sanctions screening, PEP (Politically Exposed Persons) checks, and adverse media screening.

Compliance Oversight

A qualified compliance officer plays a critical role in managing and ensuring compliance with biometric KYC, AML, and data protection regulations at all stages.

For Cryptocurrency Providers

AML/KYC rules are particularly strict for cryptocurrency providers, requiring robust client identification similar to banks, with continuous updates aligned with FATF recommendations, and integration of biometric verification as a fraud-prevention tool.

Presence Check and NFC Technology

The presence check includes steps for proving the right person is present, such as a liveness check and requesting the serial number of an official photo identification document. The use of NFC technology or ID cards without electronic signatures is covered under a transitional period until December 31, 2022, during which there may be clarifications concerning its use.

Mobile Devices and Customer Experience

NFC-enabled mobile devices are essential for passing biometric KYC verification, which may negatively affect the customer experience and increase the drop-off rate. The FMA has not yet provided specifications for passive presence checks at the time of article publication.

Previous Identification Methods

Previous identification methods, such as video identification, will still be an option for financial service providers. Electronic copies of the front and back of IDs are recommended to be kept in addition to the data recording.

The Austrian Financial Market Authority (FMA) approved video-based identification for customer onboarding in January 2017. Online customer onboarding can be performed with an AI-powered solution, which checks biometric data and submitted documents to provide immediate results, without requiring employee involvement. The biometric identification processes should correspond to the technological "state of the art", be updated on an ad hoc basis, and achieve a level of security at least comparable to the online identification process conducted by a staff member. The amendments apply to financial service providers, credit institutions, and cryptocurrency service providers.

  1. In the digital onboarding process, financial service providers may use biometric data, such as facial images and fingerprint data, for identity verification and fraud prevention, provided the users have given explicit consent, in compliance with both the GDPR and the Austrian Financial Market Anti-Money Laundering Act (FmGwG).
  2. Despite the presence of strict AML/KYC regulations, cryptocurrency providers are encouraged to integrate technology solutions, such as biometric verification, to enhance their client identification processes, mirroring the security measures employed by banks, with updates aligned with FATF recommendations.
