Faculty of law blogs / UNIVERSITY OF OXFORD

Let’s Agree on Common Identity Verification Rules for a Common Digital Banking Market


Jonas Sturies


Time to read

5 Minutes

Challenger banks do not only challenge traditional banks but also the rules aimed at them. The detail, how banks have to verify the identity of new customers in different jurisdictions, shows how digitalization increases the need to find common rules for a common digital market.

Challenger banks such as Revolut, Monzo and N26 are currently in fierce competition, both worldwide and within the EU. The quicker they accumulate customers, the quicker they can exploit economies of scale. The first relevant point of interaction of a bank with its customer, and an important step to combat money laundering, is the verification of the customer’s identity. There are different approaches:

If you open an account with Revolut (seated in London, licensed in Lithuania) you have to verify your identity by sending them a selfie and a picture of your ID (‘photo-identification’), a more traditional online bank like DKB (seated in Berlin, licensed in Germany) requires video-identification (have a videochat with a call center agent), whereas N26 (seated in Berlin, licensed in Germany) makes the requirements dependent on where you are located: If you live in Germany, you need to videochat while for new customers from any other jurisdiction the selfie is sufficient.

Why do we find different approaches for what should be the same situation from a regulatory viewpoint? This seemingly technical issue deserves consideration as it shows how digitalization might increase pressure to advance the integration of the common market:

The different procedures are based on Article 13(1)(a) of the 4th European anti-money laundering directive (AMLD4), which obligates member states to require banks to verify the identity of their customers ‘on the basis of documents, data or information obtained from a reliable and independent source’, but leaves the details to the member states and their supervisory authorities. Member states, in turn, based on the above broad wording, established different regimes. Some (such as the UK) consider photo-identification as sufficient while others (such as Germany) require video-identification.

While traditional banks established branches or subsidiaries in multiple member states which competed with other local entities, online banks compete with each other more directly, in many member states without any permanent local establishment. Obviously, to require one competitor to force its customers to video-chat increases the cost of the onboarding process significantly and also means a more burdensome process for customers, thus a lower conversion rate (ie, ratio of website visitors to signed up customers) for that competitor.

In a limited area, the AMLD4 allows for regulatory arbitrage 

This makes another part of the AMLD4 interesting: Article 25 provides that banks may rely on subsidiaries or other third parties to perform the customer due diligence, even if such entity is seated in a jurisdiction with lower customer due diligence requirements than the bank, as long as the entity relied on:

a) applies requirements consistent with those laid down in the AMLD4; and

b) is being supervised accordingly (Article 26(1)).

N26, for example, cooperates with the UK seated and FCA supervised company Safened Limited, which performs photo identification procedures for them. The possibility of such regulatory arbitrage might sound like an editorial mistake of the legislator. However, it’s not—it is rather a consequence of an incomplete common market. Unlike prudential regulation, AML is not generally supervised by the ‘home authority’ (ie, supervisory authority of the member state where the bank is seated). According to Article 28, for group-wide policies and procedures, the authority of the home member state should be competent, while for branches and subsidiaries, the authority of the host member state should be in charge. If the host authority is competent for supervision, this also means that their interpretation of the AMLD4 trumps. The same applies if it’s not a subsidiary performing the customer due diligence, but some other third party seated and supervised in another member state.

From a practical point of view, allowing such cooperation concerning customer due diligence across member states also makes sense. In the course of the harmonization of the legal systems across member states, the formal seat of a bank within the common market might gradually lose importance—this is especially true for an online bank with only a minority of customers residing in its home member state. In fact, enabling cross-border value creation by a truly European bank with hubs across multiple member states would be a core-benefit of the common market.

What would you choose?

From the perspective of a national legislator or supervisor from a jurisdiction with higher identity-verification standards, however, this creates a dilemma. Either you allow—in accordance with the AMLD4—supervised banks to apply lower identification standards, or you give a significant competitive advantage to banks supervised by the national competent authority of another member state with possibly overall lower standards. The latter might lead to what you sought to prevent in the first place: More bank customers within the common market are on-boarded by lower standards. What should be done?

Confronted with the dilemma, Germany’s BaFin tried to strike a compromise. According to their interpretative guide to the national law implementing the AMLD4, customer due diligence by a third party for a German bank should be performed by standards of the state where the entity relied on is seated (even if those standards might be lower and include photo-identification). However, if the customer resides in Germany, the national standard and therefore video-identification is required.

As is quite common for compromise solutions to dilemmas, this one is imperfect. Legally, there is no indication in the AMLD4 nor in the implementing national law that the residence of the customer somewhat affects due diligence requirements. Practically, a differentiation according to the residence of the customer is questionable as a fraudster would of course declare residence in a state where lower requirements apply, such as the UK.

Three possible ways to ensure a level playing field

There are three other options to ensure both a level playing field and adequate customer onboarding requirements.

1. Common identification standards for online banks could be imposed by the legislator. However, the upcoming AMLD5 and AMLD6 do not impose specifications concerning customer-identification. As regards identity verification, AMLD4’s broad wording indicated above remains in force. Also, a directly applicable European AML Regulation solving the issue is not within sight. Therefore, ideally the supervisory authorities of the member-states should find an agreement on working level.

2. If that’s not possible, another path would be to stay with the regime as foreseen in the AMLD4. If the benefit of having a level playing field right away without a lengthy legislative or administrative process outweighs the dangers of the photo-identification method, fragmenting the internal market in this regard for video-identification’s sake would not be justified.

3. If, however, photo-identification really leads to significant fraud rates, a quick solution at national level could be warranted. For Germany, currently a draft law is being discussed which would deviate from Articles 25, 26(1) and 28 of the AMLD4. German banks would at all times have to apply the national customer due diligence regime and would only be allowed to rely on subsidiaries or third parties if those perform customer due diligence in accordance with national law. This option of course would come at a cost: it certainly leads to an imbalance in competition and might even lead to a drain of online-banks and customers to the jurisdiction with the lowest standards. Let’s see whether in the end, the relevant draft clause (§ 17 Abs 1 S 3 GWG-E) might be dropped for those reasons. You might discover the outcome when opening your next online bank account.

Jonas Sturies is a lawyer at Schalast in Frankfurt. He regularly advises fintechs on regulatory issues.


With the support of