Ministry of Finance of the Republic of Lithuania: http://finmin.lrv.lt/lt/veiklos-sritys/finansu-rinku-politika/mokejimu-taryba
Bank of Lithuania: https://www.lb.lt/lt/mokejimu-taryba

Vytautas Magnus University FINTECH Lithuania Group
Association of Lithuanian Banks
Association of Lithuanian Chambers of Commerce, Industry and Crafts
Lithuanian Small and Medium-Sized Business Council
Alliance of Lithuanian Consumer Organisation
Association of Payment and Electronic Money Institutions Fintech Hub LT
Kaunas University of Technology

18 April 2019

Vilnius

Feasibility study
Issues relating to opportunities for new identification means and compatibility with anti-money laundering objectives

Task Force Report on Opportunities for New Identification Means and Compatibility with Anti-Money Laundering Objectives
ISBN 978-609-8204-44-5 (online)

Table of contents

Summary
Introduction
1. Overview of the development of legal framework and practices of remote identification in Lithuania and relevant issues
1.1. Overview of the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing and the development of the legal regime of remote identification
1.2. Overview of the application and interpretation of the Rules for Remote Identification by Lithuanian courts
1.3. Practical relevance of and issues pertaining to regulating remote identification
2. Examining remote identification means
2.1. Fundamental assumptions and methods of the study
2.2. Process analysis of remote identification means
2.2.1. Direct video streaming/image transmission
2.2.2. Qualified electronic signature
2.2.3. Electronic identification
2.2.4. Payment order
2.2.5. Third-party information
2.3. Comparison of remote identification means
2.4. Evolution trends of remote identification means
3. Goals and possibilities for regulating remote identification
4. Recommendations on regulating remote identification means
Sources

Summary

Remote identification is becoming a crucial and integral part of innovation in financial services but such changes create challenges for legal regulation. The purpose of this study is to draw up recommendations on legal regulation of remote identification (before establishing a business relationship) in Lithuania. An overview of legal framework and the development of practices in the area of remote identification in Lithuania has shown that up until the end of 2016 the rules for remote identification were interpreted narrowly, legitimate identification means being only personal identification documents (or duly certified copies thereof) received from third parties. A stringent legal framework gave rise to delays or inefficiency issues in remote financial services business that were partially tackled only at the end of 2016 when the list of proper remote identification means was expanded. However, the history of regulating remote identification and the narrow application and interpretation of the legal regime established in Lithuanian courts call for the conclusion that to-date national regulation has been lacking a tradition of adaptation to technical progress. A process analysis of current statutory remote identification means has revealed that out of all statutory remote identification means it is only direct image transmission (by transmitting a photograph) that does not require physical contact with the customer or purchasing special tools.
Moreover, a structured online survey of payments market participants has revealed certain peculiarities pertaining to the use of remote identification means and accuracy, security and accessibility parameters of those instruments:
• respondents believe that the most secure means are qualified electronic signature and e-identification tools while a payment order and image transmission are seen as the least secure tools even though the latter has also been listed as a tool of the greatest popularity and potential;
• respondents believe that the most accessible means is image transmission/video streaming tools while the least accessible is third parties’ means of information, i.e. the more automated the identification process is and the fewer special instruments it requires, the greater is the accessibility of those means;
• respondents believe that the most accurate means are qualified electronic signature and e-identification tools while image transmission/video streaming tools are seen as the least accurate.

The means issued and used in Lithuania are exclusively associated with the category of possession or knowledge. However, the ever-improving technological advances of mobile devices and an increasing use of biometric security elements in personal identification documents issued by the state, have the potential to greatly enhance the effectiveness and efficiency of customer identification by inherence (biometric) measures. Still, in order to ensure due adaptation of legal regulation to highly dynamic market conditions, there is a need to compile a non-exhaustive list of means setting out the terms and procedures for the recognition of new identification means. An overview of goals and possibilities for regulating remote identification has revealed that the state should not establish any legal regulation that would create unfavourable conditions for economic entities to exercise their freedom to pursue an economic activity.
Furthermore, AMLD5 does not contain an exhaustive list of tools for remote identification. On the contrary, it requires ensuring that obliged entities could prove to competent authorities or self-regulation bodies that the means are appropriate given the established risk of money laundering and terrorist financing. Therefore, with a view to ensuring the adaptation of legal framework to highly dynamic market conditions and implementing the AMLD5 requirements, here are some recommendations:
• to make a non-exhaustive (open) list of remote identification means as well as procedures and methods for the state to regulate, recognise, approve or adopt all secure and accessible remote identification processes;
• to enable all obliged entities to prove to national or self-regulation authorities (e.g. associations of obliged entities) that the means they use are appropriate given the established risk of money laundering and terrorist financing, the nature of the business and the size of the entity;
• to implement a proactive policy on e-identification tools ensuring that anyone has convenient access to e-identification or other remote identification means.

Introduction

With the expansion of the market in payment services, remote accessibility and security of these services acquire ever-increasing relevance. New financial technologies (FINTECH) actually change business models of payment service providers while the promotion of innovation in this area has already become synonymous with Lithuania’s economic policy. Market players providing all services online are being established. Remote establishing of business relationships and remote identification as its component therefore become a critical and integral part of their activity. Significant changes create challenges for legal framework that does not always keep pace with unprecedented development of financial technology. Still, there is a need to create legal framework of remote identification so that it does not hinder innovation or cause delay or inefficiency problems and that it also ensures the compatibility of the process with anti-money laundering objectives. The need to promote financial innovation and make the compliance with money laundering and terrorist financing prevention more efficient has also been acknowledged by responsible authorities. 
At the plenary of the Financial Action Task Force (FATF) on 19 October 2018 the drawing up of digital identity guidelines was listed among strategic initiatives of that authority.[1] On 23 January 2018 the European Banking Authority (EBA) also formally expressed its position that there is a need to support innovation and novel technologies in the area of financial services, especially where they make the compliance with money laundering prevention of undertakings more efficient.[2] Recital 22 of Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 (AMLD5) also clearly stipulates that the latest technical developments in the digitalisation of transactions and payments enable a secure remote or electronic identification.[3] The importance of technical and legal means to identify customers remotely is also clearly emphasised in Order No 1K-185 of 8 May 2017 of the Minister for Finance of the Republic of Lithuania on the development of the financial technology (FINTECH) industry in Lithuania.[4] This context pertaining to innovation in payment services implies two main requirements for regulating remote identification processes. Firstly, regulatory arrangements must be proportionate to the money laundering risk[5] and non-discriminatory towards consumers lawfully staying in the EU where such consumers file a request to open a payment account or use it in the EU.[6] Secondly, any requirements set may not, without an objective and constitutionally sound reason, create obstacles for human initiative to manifest and develop, annihilate their economic endeavours and prevent them from being implemented, even if their usefulness for the public is not obvious.[7] Certainly, in the light of the exponential development of financial technology and the pace of innovation in payment services, legal requirements must also shape the tradition of regulation adapting to technical progress.
This study therefore deals with the problem of how to regulate the process of remote identification (before establishing a business relationship) in Lithuania to make sure that legal requirements promote financial innovation and ensure that the process is in line with anti-money laundering objectives. The purpose of this study is to draw up recommendations on legal framework for remote identification (before establishing a business relationship) in Lithuania. With a view to tackling the problem and achieving the goal of the study, the following objectives are set: 1. to provide an overview of the development of legal framework and practices of remote identification in Lithuania; 2. to describe the process pertaining to remote identification means and characteristic practical uses as well as their accuracy, security and accessibility parameters; 3. to set regulation objectives for remote identification in the area of money laundering prevention;

[1] Financial Action Task Force, Outcomes FATF Plenary, 17-19 October 2018. Online: https://bit.ly/2FyNp2Z [last accessed on 24 March 2019].
[2] European Banking Authority, Opinion of 23 January 2018 on the use of innovative solutions by credit and financial institutions in the customer due diligence process. Online: https://bit.ly/2U7n7N8 [last accessed on 24 March 2019].
[3] Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU.
[4] Order No 1K-185 of 8 May 2017 of the Minister for Finance of the Republic of Lithuania on the development of the financial technology (FINTECH) industry in Lithuania (TAR, 19 May 2017, No. 2017-08423), subparagraph 3.1.2.
[5] See footnote 3: recital 2.
[6] See Directive 2014/92/EU of the European Parliament and of the Council of 23 July 2014 on the comparability of fees related to payment accounts, payment account switching and access to payment accounts with basic features (Article 15); also see footnote 4: “In order to improve possibilities for financial technology undertakings to be established and develop in Lithuania, it is also of great importance to start to implement the e-resident project as soon as possible enabling foreigners in the Republic of Lithuania to use electronic administrative, public and commercial services irrespective of the foreigner’s place of residence and/or legal status. This would enable persons who only have economic interests and may even be outside of Lithuania to use e-services in Lithuania.”
[7] Resolutions of the Constitutional Court of 31 May 2006, 8 June 2009, 29 April 2009, 31 May 2006, 9 April 2002, 17 March 2002, 26 January 2004 and others.

4. to draw up recommendations on legal framework for remote identification (before establishing a business relationship) in Lithuania.

In accordance with the above list, there is firstly an overview of the development of legal framework and practices of remote identification in Lithuania. The analysis has revealed certain issues with the adaptation of legal framework to technical progress. The second part presents the findings of a study of remote identification means and key trends in the development of these technologies. Based on the conclusions presented in these chapters, the third part establishes a legal base for regulatory recommendations then drawn up in the fourth part of the study.

1. Overview of the development of legal framework and practices of remote identification in Lithuania and relevant issues

This part contains a historical overview of the development of the legal regime for remote identification focusing on two key aspects, i.e. (a) the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing and relevant implementing acts and (b) Lithuanian case-law. The overview presents to-date experience in regulating and implementing remote identification in Lithuania. The last chapter in this part summarises the practical relevance of regulating remote identification and the issues with adapting to technical progress.

1.1. Overview of the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing and the development of the legal regime of remote identification

The original wording of the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing (hereinafter – the AML/CTF Law)[8] adopted on 19 June 1997 obliged credit and financial institutions to identify their customers before initiating a monetary operation. That version of the Law did not elaborate on specific customer identification instruments or means or other details of the process. Article 9(3) of that version stipulated that the procedure for customer identification was to be established by the Government but a relevant Government resolution was only adopted as late as on 24 September 2008. In the course of the European Union legal harmonisation procedures, a (twelfth) recast of the AML/CTF Law was adopted on 17 January 2008; Articles 9 to 11 of the recast set out general requirements for customer and beneficial owner identification and the terms and conditions for simplified and enhanced customer identification.
Article 9(8) of the recast provided for a possibility to identify the customer and the beneficial owner on the basis of documents, data or information obtained from a reliable and independent source while the regulatory scope of Article 11(1)(1) also included customer identification without the customer being present (i.e. remotely). Like in the previous versions of the Law, the procedure for customer and beneficial owner identification was up to the Government (Article 9(14) of the twelfth recast of the AML/CTF Law). A Government resolution directly regulating the procedure for customer and beneficial owner identification was adopted on 24 September 2008[9], following the entry into force of the new (twelfth) recast of the AML/CTF Law. The original version of the Rules for the Identification of the Customer and the Beneficial Owner and Multiple Interconnected Monetary Operations (hereinafter – the Rules), in principle, only elaborated upon identification on the basis of an original personal identification document or a duly certified copy thereof (Part II of that version of the Rules). Such customer identification requirements are equally applicable to all customers including those directly approaching a financial institution or another entity and those whose transactions or business relations are carried out through a representative or where the customer is not physically present for identification (paragraph 10 of that version of the Rules). The requirements for customer identification without the customer being physically present were supplemented with the third recast of the Rules adopted on 21 August 2013. Paragraph 10 of that recast of the Rules made it possible to identify residents of the Republic of Lithuania without them being physically present, i.e.
remotely, using a qualified electronic signature and only where the customer’s identity was established before issuing the qualified certificate with them being physically present and in line with the other requirements laid down in the Rules. Given that the remote customer identification procedure in place in Lithuania was inefficient and contained superfluous requirements for market participants, on 26 October 2016 the Government of the Republic of

[8] Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing (TAR, 12 July 2017, No. 2017-12068).
[9] Resolution No 924 of the Government of the Republic of Lithuania of 24 September 2008 on the list of criteria for considering a customer to pose a low threat of money laundering and/or terrorist financing and criteria based on which a threat of money laundering and/or terrorist financing is considered to be high, on the approval of the rules for customer and beneficial owner identification as well as the detection of multiple interconnected monetary operations and on the establishment of the procedure for providing information on known indications of possible money laundering and/or terrorist financing and violations of the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing and the measures taken against perpetrators.

Lithuania adopted amendments to the Rules (the fifth recast) making it possible to identify the customer remotely, without them being physically present, by the following means: (a) using a qualified electronic signature; (b) using highly or sufficiently secure e-identification tools issued in the European Union; and (c) by means of direct video streaming (using two possible alternatives). Following the adoption of the twenty-fifth (new) recast of the AML/CTF Law on 29 June 2017 (that was still in force during this study, with minor amendments), the Rules were repealed by Resolution No 713 of the Government of 30 August 2017. Remote identification means provided for in the Rules were essentially moved to the recast of the AML/CTF Law where customer and beneficial owner identification is regulated by Articles 9 to 15. Article 11 of the current wording of the AML/CTF Law stipulates that the identity of the customer that is a natural person or a representative of the customer that is a legal person and of the beneficial owner may be established without the physical presence of the customer only in the following cases: (a) when using information from third parties about the customer or the beneficial owner; (b) when using electronic identification means issued in the European Union which operate under the electronic identification schemes with the assurance levels high or substantial; (c) when using a qualified electronic signature; (d) by means of direct video streaming using one of the two means provided for in that article; (e) by making a payment order to the account of the relevant obliged entity (with additional conditions applicable to this option). This evolution of regulating customer identification tools is approximately outlined in Fig. 1.

[Figure: timeline with two tracks. Rules (1): documents. Rules (3): documents; qualified e-signature. Rules (5): documents; qualified e-signature; e-identification means; direct video streaming. AML/CTF Law (1): not elaborated. AML/CTF Law (12): documents, data, information. AML/CTF Law (25): documents, data, information; third-party information; e-identification means; qualified e-signature; direct video streaming; payment order.]

Fig. 1. Evolution timeline of the AML/CTF Law and the Rules

1.2. Overview of the application and interpretation of the Rules for Remote Identification by Lithuanian courts

A search in the Infolex database in accordance with the practice of applying Article 9 of the AML/CTF Law has revealed that within the two decades of the AML/CTF Law being in force Lithuanian courts applied the rules for customer identification (Article 9 of the AML/CTF Law) in twelve cases (Annex 1). In five of them these rules were quoted verbatim in narrow episodes as the legal base for obliged entities to carry out customer identification, to notify suspicious operations to the FCIS, etc. Particular aspects of remote customer identification for money laundering prevention were examined in five proceedings in which judgments were passed in 2014 (2 cases), 2015 (1 case) and 2016 (2 cases). The first case examining certain aspects of the application of Article 9 of the AML/CTF Law in greater detail was finalised with the Supreme Court of Lithuania on 14 October 2014 adopting a ruling in the administrative case No 2AT-44-2014. Action in that case was brought when it transpired that until 20 June 2013 an entity obliged under the AML/CTF Law (a financial institution giving small consumer loans) identified customers without them being physically present, using a bank payment order (for 1 cent), without copies of those customers’ identification documents. That court ruling was used as precedent in a similar case relating to a similar identification practice used by another obliged entity until 3 December 2015. That case was resolved by the Supreme Court of Lithuania on 20 December 2016 adopting a ruling in the administrative case No e2AT-98-303/2016.
In both proceedings the Court examined whether in accordance with the legal regime in force between 2013 and 2015 the transfer of one cent to an account of an undertaking remotely providing consumer loans was in line with customer identification requirements set in Article 9 of the AML/CTF Law and implementing acts.

In both proceedings the applicants claimed that the AML/CTF Law (the then wording) made it possible to identify customers not only based on documents but also using data or information received from a reliable and independent source. According to the applicants, this identification tool where persons are identified using data received from banks via those banks’ e-banking systems is undoubtedly reliable and secure while the requirement to obtain, verify and store a personal identification document (a duly certified copy thereof) is superfluous and detrimental to the possibility to pursue e-business activity. In both proceedings the FCIS supporting the prosecution’s argument maintained that legislation of the Republic of Lithuania did not create any obstacles for identifying the customer by using customer information provided by third parties. According to the FCIS, an institution wishing to use third-party information on the customer and the beneficial owner approaches such a third party and can obtain all requested information and data including personal identification documents. According to the FCIS, a payment order from an account with another financial institution is an additional enhanced customer identification tool ensuring enhanced customer identification where it is performed remotely but is not a self-sufficient customer identification means. In both proceedings the Court supported the FCIS’s arguments and stated that the general requirement for identifying the customer and the beneficial owner not physically present when concluding a transaction was their identification on the grounds of personal documents.
Customer data verification in information bases of Sodra (The State Social Insurance Fund Board) and the Population Register and the credit history database as well as the receipt of a 1-cent transfer from a customer’s bank account are supplementary security features not usable without first fulfilling the general requirement to possess copies of personal identification documents when a transaction is concluded remotely. According to the Court, when identifying a customer not physically present, it is impossible to obtain the original personal identification document and make a copy thereof but this aspect in the Law is reflected by enabling a financial institution or another entity to request that a third party (in the case at hand it is a bank) provide copies of documents pertaining to the identification of the beneficial owner and other documents relating to the customer or the beneficial owner. As regards that right of the obliged entity, courts have stated that duly certified copies of personal documents may be submitted in accordance with legislation regulating personal data protection, with the customer’s consent and at the customer’s request. However, in both proceedings the applicants questioned the efficiency and possibility of obtaining a duly certified copy of personal documents from banks. According to the applicants, physical submission of written consent forms and applications and the procedures for examining and responding to them are not actually in line with the practices concerning the accessibility (speediness and costs) of remote services and customer requirements and destroy any competitive advantage of such services. The applicants also claimed that such requirements were incompatible with recital 27 of Directive 2005/60/EC stipulating that the right to obtain third-party data and information could be exercised precisely with a view to avoiding repeated customer identification procedures, leading to delays and inefficiency in business. 
Those arguments however failed to convince the courts to carry out a critical assessment of the proportionality of the rules in place and their compatibility with EU regulation. It should also be noted that the applicants in Case No 2AT-44-2014 of 14 October 2014 of the Supreme Court of Lithuania questioned the proper transposition of Directive 2005/30/EC of the European Parliament and of the Council and the constitutionality of the Rules implementing the AML/CTF Law. The applicants asked to lodge a request for a preliminary ruling with the Court of Justice of the European Union and with the Constitutional Court but those requests were rejected. Furthermore, in the proceedings in Case No e2AT-98-303/2016 of 20 December 2016 of the Supreme Court of Lithuania the applicants claimed that when identifying a person remotely, connecting via e-banking and performing a bank transfer have the same legal effect as using a qualified electronic signature but the Court rejected the applicant’s complaint without expressing its position on those arguments. An essentially similar case was resolved by a ruling of the Supreme Court of Lithuania of 17 February 2015 in Case No 2AT-6-942/2015 on administrative law infringements dealing with a similar practice of identification by a payment order. In that case the Court clearly stated that undertakings were to take all relevant targeted and proportionate measures to establish whether the customer acted in their own name or was under someone’s control and to establish and verify their identity. The required scope of customer identification data is warranted by customer data obtained from a personal identification document or a notarised copy thereof, and a financial institution must in all cases possess a copy of the original document furnished by the customer for identification purposes certified by the employee’s signature and sealed.
The fourth case to be examined was concluded with the Supreme Court of Lithuania on 30 December 2016 passing a ruling in Case No 2AT-93-895/2016 on administrative law infringements concerning the practice at UAB PaySera LT to identify customers remotely essentially using that same payment order procedure. Relying on the aforementioned cases No 2AT-44-2014 and No 2AT-6-942/2015, the Court pointed out that the receipt of a 1-cent transfer from the customer’s bank account was a supplementary security feature not usable without fulfilling the general requirement to possess copies of personal identification documents when

concluding a transaction remotely. Such customer identification is in breach of the procedure for implementing customer and beneficial owner identification tools provided for in the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing. The last case to be examined was resolved with Vilnius Regional Court on 29 October 2014 adopting a ruling in Civil Case No 2A-2847-345/2014, illustrating additional aspects of applying a stringent customer identification policy. The dispute in that case arose as on 27 November 2013 AB Swedbank terminated an e-services contract with UAB Bitmarket relating to their trade in virtual currencies, which creates conditions for anonymous payments. In those proceedings the Court decided that the bank’s actions were well founded, non-discriminatory and proportionate. According to the Court, financial institutions are obliged to identify the beneficial owner prior to conducting a banking operation and where financial institutions cannot fulfil these requirements, they are forbidden to carry out transactions via bank accounts, establish business relations and carry out transactions. Moreover, based on that case-law, failure to fulfil identification requirements boosted viability risks for providers of remote financial services because of possible restrictions of banking services. The entirety of the cases examined leads to the conclusion that up to 2016 courts upheld stringent requirements for remote identification and essentially maintained that proper identification constituted solely customer data obtained from a personal identification document or a notarised copy thereof and demanded that a financial institution would at all times possess a copy of the original document furnished by the customer for identification purposes certified with the employee’s signature and sealed.
As seen from the cases analysed, such practices affected undertakings remotely providing consumer loans, electronic money services or trading in virtual currencies, i.e. those obliged entities that based their business model on remote relations with customers (completely or partially) refusing any physical contact with customers. The fact that third parties could refuse to cooperate in a constructive manner (e.g. provide no document copies for an economically reasonable fee or set disproportionately long deadlines for providing document copies) was not examined at all. Even though the third recast of the Rules (21 August 2013) made it possible to use a qualified electronic signature, the actual use of officially issued certificates was not very common at the time. Moreover, that possibility was interpreted and used very narrowly. Even though in the cases discussed the Court did not express its position on the applicant’s arguments concerning the application of the Electronic Signature Law, the outcome of the cases examined clearly shows that the Court did not consider the use of e-banking systems to have an equivalent legal effect as that of a qualified electronic signature. Furthermore, obliged entities using a qualified electronic signature only could face a legal risk arising from a case-law conclusion that a financial institution was obliged at all times to possess a copy of the original document furnished by the customer for identification purposes certified with the employee’s signature and sealed. Thus, to sum up the historical analysis of regulating remote identification, one may state that up until the end of 2016 the rules for remote identification were interpreted narrowly, legitimate identification instruments being only personal identification documents (or duly certified copies thereof) received from third parties. The latter option was then practically unattainable in the context of the pace and costs pertaining to remote financial services. 
Because of that, some obliged entities following a business model based on remote customer relations were forced to assume additional legal risks (possibly transferring risk-related costs on to customers through the price of services) or to discontinue or refrain from such activity. A stringent legal base was likely to give rise to delays or inefficiency issues for remote financial services business that were partially tackled only at the end of 2016 when the list of proper remote identification means was supplemented.

1.3. Practical relevance of and issues pertaining to regulating remote identification

Amendments to the AML/CTF Law adopted at the end of 2016 supplemented the relevant list of measures, which coincided with Lithuania’s active participation in the financial technology (FINTECH) industry which shaped the country’s line of development and improved infrastructure supporting financial innovation and expert qualifications. Subparagraph 192.10 of the Programme of the Government of the Republic of Lithuania approved by the Seimas of the Republic of Lithuania on 13 December 2016 [10] stipulates that supporting innovative digital services and products and the development and export of financial technology will be one of the top priorities for the Government in office. Since then Lithuania has been positioning itself as one of the industry hubs for financial technology in Europe and creating an environment conducive to the development of the financial technology industry, thus actively seeking to attract investment in financial innovation.

[10] Resolution No XIII-82 of the Seimas of the Republic of Lithuania of 13 December 2016 on the Programme of the Government of the Republic of Lithuania (TAR, 13 December 2016, No 2016-28737).

Within the context of this study, unfortunately, neither the Bank of Lithuania nor any other authority collects or publishes statistics on the extent to which institutions providing payment services use remote identification means in their activity before establishing a business relationship with customers. Such statistics would enable a better understanding of the current practices and trend analysis. For the purpose of this study the evolution of the use of identification means is examined relying solely on indirect data or individual events on the market in payment services.

At the moment, remote identification trends are indirectly reflected by data collected by the Bank of Lithuania on the number of payment institutions and electronic money institutions and the dynamics of customer service offices of credit institutions in Lithuania. The number of physical customer service offices of credit institutions is constantly dropping while 2015 and 2016 have seen a boost in the number of electronic money institutions (see Figs. 2 and 3).

Fig. 2. Customer service offices of credit institutions in Lithuania (Source: Bank of Lithuania)

Fig. 3. Dynamics of the number of payment institutions and e-money institutions established in Lithuania (Source: Bank of Lithuania)

Significant growth of electronic services is also obvious in the analysis of general payments statistics. The number of non-cash payments is increasing while cash operations at customer service offices are becoming less numerous [11]. These data certainly reflect the overall development of payment services covering not only the establishment of business relationships but also their execution stages.

Nevertheless, the importance of technical and legal possibilities for remote identification is also clearly stressed in Order No 1K-185 of the Minister for Finance of 8 May 2017 on the development of financial technology (FINTECH) industry in Lithuania [12], which leaves no room for questioning their significance and relevance. This strategic document states that Lithuania boasts a top-quality communications infrastructure making it possible to provide remote financial services to Lithuania’s population in a convenient manner. It even instructs to ensure that legislation regulating economic activity is drawn up without limiting economic entities’ ability to employ innovative ways to provide services and to provide services remotely.

By implementing the national strategy in the FINTECH area Lithuania has become the second biggest European licenser of such undertakings. Last year Lithuania issued 46 licences to electronic money institutions including UAB Revolut Technologies and UAB Google Payment Lithuania.
By the number of licences issued Lithuania was second only to the United Kingdom that in 2018 issued 146 such licences. [13] In this context it should be noted that the UK’s decision to withdraw from the EU, creating challenges for financial sector undertakings established in that country, is another prerequisite for successfully attracting investment in the financial technology sector and a real opportunity to become the European Union’s FINTECH leader. [14]

One may claim that remote identification before establishing a business relationship has by now become a highly important practical and legal tool directly affecting the possibilities for providing remote financial services. The list of remote identification means expanded at the end of 2016 created more favourable legal conditions for further development of remote payment services in Lithuania. Facts relating to the development of the FINTECH industry in Lithuania clearly show that businesses and investors welcome it.

[11] Bank of Lithuania, Payments statistics. Online: https://www.lb.lt/lt/mokejimu-statistika-2#group-2128 [last accessed on 24 March 2019].
[12] See footnote 4.
[13] Paulius Čiulada, Lietuva – antra Europoje pagal „fintech“ įmonių licencijavimą (Lithuania – Europe’s Second in Licensing Fintech Undertakings), (14 January 2019, Verslo žinios). Online: https://www.vz.lt/rinkos/2019/01/14/lietuva--antra-europoje-pagal-fintech-imoniu-licencijavima#ixzz5j5gLRWV0 [last accessed on 24 March 2019].
[14] See footnote 4.

Still, the history of regulating remote identification and the narrow application and interpretation of the legal regime established in Lithuanian courts during nearly 20 years (between 1997 and 2016) call for the conclusion that to date national regulation has been lacking a tradition of adaptation to technical progress. Because of that, up until 2016 entities obliged under the AML/CTF Law providing (intending to provide) remote payment services could experience delays and inefficiency issues. Such regulation might have disproportionately restricted financial innovation as well.

The possibilities for remote identification expanded at the end of 2016 may be seen as the first significant attempt to adapt to technical progress after decades of stagnation in regulating this area. That said, legal stagnation may still return if any new or mixed remote identification tools or other innovations for managing money laundering or terrorist financing risks emerge in this area. An analysis of the currently admissible remote identification means has already revealed that the existing regulation is somewhat restrictive, which is why it is advisable to establish such legal regulation that would make it possible to introduce due adjustments taking into account the needs for remote payment services and exponentially evolving technological possibilities.

2. Examining remote identification means

This study has been conducted with a view to describing the process pertaining to remote identification means and characteristic practical uses and limitations as well as their accuracy, security and accessibility parameters. This part focuses on fundamental assumptions and methods of the study. Remote identification means have been analysed from the viewpoint of the process. To that end, the initial focus is on the details of methodological approaches and the limits of the analysis followed by an outline and a comprehensive description of each of the currently admissible remote identification means. To summarise and compare those means, this part of the analysis ends with the results of the survey of payment services market participants and relevant conclusions on the security, accessibility and accuracy parameters of the remote identification means in question. This part ends with an overview of development trends in remote identification instruments.

2.1. Fundamental assumptions and methods of the study

In international studies [15] digitalisation of the process of providing financial services is seen as a financial institution’s competition strategy. From the management viewpoint, it is particularly important that financial institutions efficiently implement digitalisation processes including remote identification means, thus duly respecting consumer interests and successfully competing in the market. This study therefore follows a multidisciplinary approach combining digitalisation, business process management and legal compliance (compatibility) in the financial services sector.
For the sake of greater overall soundness and reliability of the study, an examination of remote identification means is based on the philosophy of pragmatism making it possible to apply certain methods combining them with others. [16] Moreover, with a view to highlighting individual aspects of the problem at hand, this study makes use of various qualitative methods.

Remote identification tools are described by means of process analysis covering each of the remote identification tools. Process stages were selected based on the classification proposed by PwC (2017) [17]; they were justified and interpreted on the grounds of a systemic comparative synthesis analysis of international and national legislation and studies. Modelling business processes (here those of the application of remote identification tools) covers existing processes and structurally describes their activities and related elements [18] and makes it possible to describe new processes and evaluate their functioning [19]. This process analysis is therefore given as a graphic representation of actions, decisions and their interrelations taking into account the selected remote identification means.

[15] See e.g. OECD, 2018, Financial Markets, Insurance and Services: Digitalisation and Finance (2018). Online: https://bit.ly/2R90H9a [last accessed on 24 March 2019]; Deloitte, EMEA Digital Banking Maturity (2018). Online: https://bit.ly/2Aqv5pR [last accessed on 24 March 2019]; Oracle, Digital Transformation: the Challenges and Opportunities Facing Banks (2016). Online: https://bit.ly/2j3QTNM [last accessed on 24 March 2019].
[16] Žydžiūnaitė, V. and Sabaliauskas, S. Kokybiniai tyrimai. Principai ir metodai. Vadovėlis socialinių mokslų studijų programų studentams. (Qualitative Research. Principles and Methods. Textbook for Students of Social Studies) (Vilnius, 2017. VAGA); Creswell, J. W., Qualitative Inquiry and Research Design: Choosing Among Five Approaches. 3rd Edition, (2012).
[17] PwC EU Services EEIG, Study on eID and digital on-boarding: mapping and analysis of existing on-boarding bank practices across the EU (2017).
[18] Krogstie J., Organizational Value of Business Process Modeling. In: Quality in Business Process Modeling. (Springer, Cham, 2016).
[19] Lin, F. R., Yang, M. C., Pai, Y. H, A generic structure for business process modeling. Business Process Management Journal, 2002, Vol. 8, pp. 19-41.

The study also included a survey of market participants about the characteristics (accuracy, security and accessibility) of statutory remote identification means and essential aspects of their application including the current prevalence, application issues and development trends. A structured online survey form (a questionnaire) was selected for that purpose. Having coordinated the questionnaire (Annex 5) with the members of the Task Force, on 20 August 2018 the Bank of Lithuania directly addressed in writing the most active participants in the Lithuanian payments market asking them to provide one reply per institution. The survey took place until 12 September 2018. The most active participants in the Lithuanian payments market were selected at the discretion of the Bank of Lithuania having assessed the scope of their activity and other available data.

Replies were received from 18 market participants:
(1) banks (AB Citadele, Luminor Bank AB, AB SEB bankas, AB Swedbank, AB Šiaulių bankas);
(2) central credit unions (the Central Credit Union of Lithuania, the United Central Credit Union);
(3) payment institutions (Sollo, OPAY Solutions);
(4) electronic money institutions (UAB Mokėjimo terminalų sistemos, UAB Perlo paslaugos, UAB IBS Lithuania, AB NEO Finance, UAB Pervesk, UAB Argentum Mobile, UAB MisterTango, UAB Mobilieji mokėjimai, UAB Paysera LT).

Respondents were not obliged to answer all questions and some of them were thus answered by fewer parties. The survey targeted payments market participants. The results obtained should therefore be associated with the payments market only. Other business sectors also applying anti-money laundering and terrorist financing measures (e.g. insurance undertakings, gaming companies and auditors) may have different views. Individual replies without linking them to specific respondents were presented and discussed at a meeting of the Task Force III of the Payments Council on 17 September 2018.

2.2. Process analysis of remote identification means

Remote identification terms in legislation are not used uniformly. For example, Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (hereinafter – the eIDAS Regulation) stipulates that person identification is defined by a set of data enabling the identity of a natural or legal person, or a natural person representing a legal person to be established. The process of using person identification data in the eIDAS Regulation is referred to as electronic identification (e-identification). The Anti-Money Laundering Law sees identification as part of the customer due diligence process covering a broader data set required not only for identification but also for evaluating the risk level of a business relationship (a comparison of data sets is given in Annexes 1 and 2).

A larger data set for customer due diligence means that only some of those data can be collected through e-identification schemes but those too warrant varying data quantities of different levels of reliability (see Annex 3). Based on the principle of data minimisation established in the General Data Protection Regulation, e-identification schemes only collect data that are necessary to establish a person’s identity. Obliged entities collect and verify other data relating to customer due diligence using other sources. In this context it should be noted that the subject matter, the purpose and the objectives of the study essentially relate only to remote identification and do not analyse the need for or appropriateness of data for evaluating the level of risk of a business relationship (i.e. the full customer due diligence process falls out of the scope of this study).
Assuming that e-identification may be associated with and covers the identification process within the overall customer due diligence process under the Anti-Money Laundering Law, remote identification for the purposes of this study is understood to have the same meaning as in the eIDAS Regulation.

As already mentioned in the first part of the study, Article 11 of the AML/CTF Law provides for six remote identification tools:
(1) when using information from third parties about the customer or the beneficial owner (in accordance with Article 13 of the AML/CTF Law);
(2) when using electronic identification means issued in the European Union;
(3) when using a qualified electronic signature;
(4) when using direct video streaming in one of the following ways:
    (a) the original of the identity document is recorded and the identity is verified using at least an advanced electronic signature, or
    (b) the facial image of the customer and the original of the identity document are recorded at the time of direct video streaming or image transmission;
(5) when using a payment order and providing a duly certified copy of a personal identification document.

Having selected one identification process (or several of them), financial institutions, payment institutions and other obliged entities collect data (attributes) on the customer (beneficial owner) and verify them based on documents, data or information received from a reliable and independent source.

The identification requirement applies when a natural or legal person becomes a new customer of a financial institution, a payment institution or another obliged entity, e.g. when issuing a first payment card, opening a bank account or providing a first loan. All identification processes may be analysed from the viewpoint of the consumer, the institution and the system, using a common system for analysing process stages. With that in mind, the subject matter, the purpose and the objectives of the study actually relate only to remote identification and do not cover a conventional documentary process.

Identification processes are comprehensively discussed in the PwC report. It has been used in this study as a methodological source. Table 1 shows the application of existing remote identification means (eID) in the process of remote on-boarding of natural and legal persons. According to PwC [20], the process consists of four stages including application, verification, collection and management.

Table 1. Existing remote identification means (eID) used in the process of remote on-boarding of natural and legal persons. Compiled on the basis of AMLD5 and the PwC study (2018).

Stage: Application
  Natural and legal persons: The application is submitted remotely by filling in an electronic form on the institution’s website.

Stage: Verification
  Verifying the authenticity of the personal identification document [21]
    Natural persons: A scanned or photographed copy of an identification document is sent remotely (via the institution’s website or by email). An employee of the institution conducts a visual and physical verification of the copy of the identification document. The identification document is shown using direct video streaming/image transmission technologies. An employee of the institution sees the document during the video interview and video screenshots.
    Legal persons: A scanned or photographed copy of an identification document is sent remotely (via the institution’s website or by email). An employee of the institution conducts a visual and physical verification of the copy of the identification document. Moreover, the applicant furnishes a scanned or photographed copy of a document certifying that they represent a legal person.
  Identity verification
    Natural persons:
      – The identification document is checked manually. No visual comparison takes place. In such a case the institution carries out additional risk assessment procedures.
      – An employee of the institution conducts a verification of the personal document and its visual comparison during the video interview.
      – A confirmation of the person’s identity is received from third parties (credit agencies, the post office, tax authorities, etc.).
    Legal persons:
      – The identification document presented remotely and documents proving representation of a legal person are verified manually. In such a case the institution may perform additional risk assessment procedures, e.g. request additional documents.
      – A confirmation (on a digital medium) of the person’s identity and legal person representation has been received from third parties (credit agencies, the post office, tax authorities, etc.).
    Identity attributes [22] are verified based on materials contained on digital eID media.
  Anti-fraud check
    Natural persons: A confirmation of anti-fraud check has been received from third parties.
    Legal persons: A third party manually enters identity attributes in its own or the provider’s database and performs a check. The final result is uploaded to the applicant’s digital medium. The institution receives a confirmation of anti-fraud check on a digital medium provided by a third party (e.g. a third party creates the applicant’s digital ID).

Stage: Collection
  Natural persons:
    – Collecting identification documents, photocopies or video screenshots (and the video recording proper).
    – Identification attributes are collected by third parties.
  Legal persons:
    – Collecting scanned identification documents or photocopies thereof.
    – Third parties collect identification instruments electronically.
  – Collecting identity attributes from eID instruments may be simplified by using various digitalisation tools (e.g. a card reader).

Stage: Management
  Natural and legal persons: Scanned identification documents, photocopies or video screenshots are stored in an electronic system.

Identity verification practices in various EU Member States vary because of broad possibilities afforded by the AML Directive to set national regulations and because of an infrastructure supported by a respective country. Practices of implementing the stages are relatively uniform only at the application and management stages commonly completed remotely online where any data and documents collected when performing these actions are digitalised and stored in e-storage. However, at the stages of verification and collection practices vary. For example, Germany allows carrying out identity verification procedures at post offices while in the UK it can be done at credit offices. In Belgium where it is required to have an eID card (NeID) this function is performed using special eID equipment. adopted legislation clearly defining how to use eID attributes to verify identity. In Sweden financial institutions may issue an eID (i.e. BankID) to their customers and on a contractual basis it may be used for verifying identity in other financial institutions or when using e-government services. [23]

Practices for collecting personal identification documents and attributes (data) also vary. A copy of a state-issued personal identification document, e.g. an ID card, a passport or a birth certificate (for minors), is the most commonly used mechanism for collecting a natural person’s identity attributes. Varying collection practices are usually attributable to legislation of individual Member States or risk management solutions chosen by the financial institution, which makes it possible to apply various mechanisms. For instance, Germany, Luxembourg and Spain allow collecting personal identification attributes using a high-quality video call. Belgium and Sweden have national eID solutions allowing for secure transmission of personal identification documents and data. [24]

Based on these analytical approaches, next is a description of the process pertaining to each of the currently admissible remote identification tools.

[20] See footnote 15, Oracle (2016) and the OECD (2018) also follow a similar logic when evaluating the stages.
[21] A personal identification document is a document confirming personal identity issued by a state authority, e.g. a personal ID card, a passport, a residence permit (for non-nationals) or a birth certificate.
[22] Identification attributes are set for natural and legal persons; they may be mandatory (e.g. name, personal ID number, date of birth) and additional (e.g. address, nationality, place of birth).

2.2.1. Direct video streaming/image transmission

Technical requirements for the direct video streaming/image transmission tool are set in Order No V-314 of the FCIS Director of 30 November 2016. [25] In accordance with that act, the direct video streaming/image transmission tool may be used by using one of the two alternatives:
(1) using direct video streaming/image transmission (I): the original of the identity document is recorded and the identity is verified using at least an advanced electronic signature;
(2) using direct video streaming/image transmission (II): the facial image of the customer and the original of the identity document are recorded at the time of direct video streaming or image transmission.

Under the first direct video streaming/image transmission alternative, image and sound can only be transmitted continuously warranting direct real-time broadcast of the image or transmitting the photograph to the financial institution or another entity. To that end, financial institutions and other entities must use special software, applications or other tools ensuring that the photographing process is uninterrupted and that it would be impossible to transmit photographs in a mode other than real-time. The quality of direct video streaming or directly transmitted images must warrant that identification documents furnished are easily legible and that the facial features of the person on the photograph in the identification document are clearly visible.

Where the original identification document shown by the customer is recorded during direct video streaming/image transmission, the respective identification document is shown in one of the following ways:
(a) a personal ID card and a residence permit of the Republic of Lithuania are shown on both sides;
(b) when showing a passport, the document page where the natural person’s photograph is and the passport cover are shown.
During direct video streaming/image transmission any identification document must be tilted several times so that it is possible to make sure that the document shown is authentic and original. After these actions are completed, the customer confirms their identity and the veracity of the data provided by signing an electronic customer identification document (e.g. a questionnaire) drawn up by the financial institution or another entity, using at least an advanced electronic signature meeting the requirements of Regulation (EU) No 910/2014. The confirmation using at least an advanced electronic signature must be provided immediately but no later than within one hour following the submission of the copy of the documents and must be part of the same customer identification procedure. When conducting a verification based on an advanced electronic signature, financial institutions and other entities must verify the legitimacy and authenticity of the signature. The process for the first alternative is shown in Fig. 4.
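The requirements listed above for the first alternative can be expressed as a validator over one identification session record. This is an added example, not code from the Order or from the study; the field names, the constructed sample sessions and the `MIN_TILTS = 2` threshold (the text only says "several times") are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class SigLevel(IntEnum):
    """eIDAS signature levels, ordered so 'at least advanced' is a comparison."""
    SIMPLE = 1
    ADVANCED = 2
    QUALIFIED = 3


# Views that must be recorded for each document type (from the requirements above).
REQUIRED_VIEWS = {
    "id_card": {"front", "back"},
    "residence_permit": {"front", "back"},
    "passport": {"photo_page", "cover"},
}
MIN_TILTS = 2                        # assumption: the text only says "several times"
SIGNING_WINDOW = timedelta(hours=1)  # signature due within one hour of submission


@dataclass(frozen=True)
class Session:
    session_id: str
    doc_type: str
    realtime_only: bool              # capture tool blocked non-real-time uploads
    views: frozenset
    tilt_count: int
    doc_submitted_at: datetime
    sig_level: Optional[SigLevel] = None
    sig_session_id: Optional[str] = None  # procedure the signed questionnaire is bound to
    signed_at: Optional[datetime] = None
    sig_verified: bool = False       # outcome of signature validation done elsewhere


def check_session(s: Session) -> list:
    """Return the unmet requirements; an empty list means identity is confirmed."""
    failures = []
    if not s.realtime_only:
        failures.append("capture not restricted to real-time transmission")
    required = REQUIRED_VIEWS.get(s.doc_type)
    if required is None:
        failures.append("unsupported document type: " + s.doc_type)
    elif not required <= s.views:
        missing = ", ".join(sorted(required - s.views))
        failures.append("missing document views: " + missing)
    if s.tilt_count < MIN_TILTS:
        failures.append("document not tilted enough to judge authenticity")
    if s.sig_level is None or s.signed_at is None:
        failures.append("no electronic signature on the questionnaire")
        return failures
    if s.sig_level < SigLevel.ADVANCED:
        failures.append("signature below advanced level")
    if s.sig_session_id != s.session_id:
        failures.append("signature belongs to a different identification procedure")
    delay = s.signed_at - s.doc_submitted_at
    if delay < timedelta(0):
        failures.append("signature predates document submission")
    elif delay > SIGNING_WINDOW:
        failures.append("signature later than one hour after submission")
    if not s.sig_verified:
        failures.append("signature failed legitimacy/authenticity verification")
    return failures


# Constructed sample sessions (not real data).
T0 = datetime(2019, 3, 24, 10, 0, tzinfo=timezone.utc)
GOOD = Session("s-1", "passport", True, frozenset({"photo_page", "cover"}), 3, T0,
               SigLevel.QUALIFIED, "s-1", T0 + timedelta(minutes=60), True)
LATE = replace(GOOD, signed_at=T0 + timedelta(minutes=61))
ONE_SIDE = replace(GOOD, doc_type="id_card", views=frozenset({"front"}))
REPLAYED = replace(GOOD, sig_session_id="s-0", sig_level=SigLevel.SIMPLE)

if __name__ == "__main__":
    for name, sess in [("GOOD", GOOD), ("LATE", LATE),
                       ("ONE_SIDE", ONE_SIDE), ("REPLAYED", REPLAYED)]:
        print(name, check_session(sess) or "identity confirmed")
```

Binding the signature to the session identifier and measuring the one-hour window from document submission are what keep a signature obtained in an earlier or separate procedure from being accepted.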

[23] See footnote 17.
[24] Ibid.
[25] Order No V-314 of the Director of the Financial Crime Investigation Service under the Ministry of the Interior of the Republic of Lithuania of 30 November 2016 approving technical requirements for the customer identification process where identification is performed remotely using electronic means enabling direct video streaming/image transmission (TAR, 1 December 2016, No 2016-27955).

[Process diagram. Stages: Application, Collection, Verification, Management. Lanes: Consumer; Institution; Third parties or systems.]

Fig. 4. Direct video streaming/image transmission process where the original of the identity document is recorded and the identity is verified using at least an advanced electronic signature

The process for the second direct video streaming/image transmission alternative (where the customer’s facial image and the original personal identification document are recorded) is partially similar. This tool is subject to the same general requirements for image transmission and document demonstration, recording and verification. It should be noted that this alternative may also be implemented in one of the following two alternative ways: (a) video streaming and (b) direct image transmission.

Where the customer’s facial image is transmitted by video streaming, the rules also require that during a single uninterrupted direct video streaming:
(1) the customer’s facial image is recorded from the front (the image must show the customer’s face and shoulders and it must be clearly visible and distinguishable from surrounding objects);
(2) the customer’s frontal facial image and the original identification document are shown simultaneously for some time to make it possible to see that the customer’s facial features are identical to the facial features of the person in the photograph in the identification document furnished;
(3) the customer must be asked questions about their identity using an approved questionnaire drawn up by the financial institution or another entity;
(4) the customer’s facial image and the identification document shown must be photographed during direct video streaming.

When the customer’s facial image and the original identification document shown by the customer are recorded by means of direct image transmission, the following actions are performed:
(1) the customer’s facial image is photographed from the front (the image must show the customer’s face and shoulders and it must be clearly visible and distinguishable from surrounding objects);
(2) the photograph of the identification document furnished is transmitted directly.
Financial institutions and other entities must use special software, applications or other tools ensuring that the photographing process is uninterrupted and that it would be impossible to transmit photographs in a mode other than real-time. It should be noted that following direct transmission of the photograph of the identification document furnished the customer must in any case be asked questions about their identity using an approved questionnaire drawn up by the financial institution or another entity that may be presented either in an electronic form or during a video conference. All actions are performed without interruption and must be part of a single customer identification process.

Moreover, the approved rules contain detailed requirements for the customer’s facial image and sound quality and entitle the obliged entity to give additional instructions and guidelines to the customer to ensure that these technical requirements are met. [26] After all the actions are completed, the customer must receive explanations that by submitting the data he or she simultaneously confirms that they are correct. The entire process for the second alternative is shown in Fig. 5.

[26] According to iDenfy, one of the providers of direct image transmission services for identification purposes active in Lithuania, the requirement to record shoulders or the passport cover is superfluous and should be revised.

[Process diagram. Stages: Application, Collection, Verification, Management. Lanes: User; Institution; Third parties or systems.]

Fig. 5. Personal identification process where the customer’s facial image and the original personal identification document are recorded


Direct video streaming/image transmission tools supported by the transmission of the facial image and the identification document (especially by transmitting the photograph) are gaining more and more popularity in Lithuania. Based on the data submitted by providers of those services, ten times more persons use this identification method as compared to e-signature.

The popularity of this tool is due to several reasons. Firstly, the process is similar to the historically common physical customer identification. During direct video streaming/image transmission the same data are collected, the document is photographed (a copy is made) and the applicant’s image and the photograph in the document are compared.[27] Secondly, this tool is highly accessible as compared to other e-identification means. The direct video streaming/image transmission tool may be used by any person having a personal identification document[28] and a video camera (on their phone, tablet or computer). Thirdly, this way financial institutions can reach potential customers not only in Lithuania but also abroad.

That said, according to market participants, the direct video streaming/image transmission tool and regulation thereof are not without drawbacks (Table 4). Security and accuracy features of this tool are rated less highly than those of other remote identification tools (Fig. 3). In the direct video streaming/image transmission process it is important to make sure that the document furnished is authentic and that the person presenting the document corresponds to the image in the document, while keeping the entire identification process integral and uninterrupted. If at least one of these elements is breached, the reliability of the entire process is compromised. What is challenging is that official documents and the means for protecting them from counterfeiting have been designed without remote use in mind.
Using software tools, an improvised imitation of a document can be made to look like, and be presented as, an authentic document. Furthermore, various technologies may alter the actual image of a person.[29] There are no official data about their practical use yet. Still, it is important to note that direct video streaming/image transmission technologies are developing quickly, with additional security controls being implemented.[30] Moreover, technical features of video cameras and the speed of the internet connection are improving. It is therefore possible to enhance the security and accuracy of these instruments. It should be noted that, to face these additional security challenges, providers quite often already use additional technical measures not required by law: checking the liveness of the face (to avoid re-photographing of photos), eliminating the flash effect (to ensure the authenticity of the document) and checking the document validity in special databases.

The direct video streaming/image transmission tool requires specialised knowledge. Therefore, financial institutions often outsource this service to undertakings specialising in this area. Since, according to legislation, it is always the financial institution that is responsible for the prevention of money laundering, institutions look for efficient ways to manage liability. In accordance with effective legislation, the FCIS sets (minimum) requirements for the direct video streaming/image transmission tool. Respondents to the survey noted that currently there is no process to enable financial institutions to check whether a third party providing direct video streaming/image transmission technology meets and respects the requirements set. A confirmation recognised by responsible authorities (e.g. a certificate or presence on a certain list) would help financial institutions to select proper providers.
Market participants also need more clarity in respect of the levels of confidence of such measures to be able to identify direct video streaming/image transmission tools of high and sufficient confidence levels. At the moment the confidence level is only attributed to e-identification where a Member State notifies the European Commission of the e-identification tool under the eIDAS Regulation. Member States usually choose to notify e-identification measures managed by the public sector[31]. Lithuanian legislation however does not provide for how confidence levels can be evaluated and attributed to e-identification means managed by private entities and falling outside of the scope of the eIDAS Regulation. This is very different from a qualified e-identification service, which is regulated: security requirements are laid down in legislation, a supervisory body is appointed (the Communications Regulatory Authority of the Republic of Lithuania) and conformity assessment is carried out. If similar measures were determined for e-identification, it would contribute to the development of the sector and to enhanced security.

27 Contrary to other e-identification tools, this one allows collecting and verifying data on the customer’s nationality, signature and image.
28 It suffices to present a personal ID card, a passport or a residence permit of the Republic of Lithuania. In accordance with legislation of the Republic of Lithuania, all nationals of the Republic of Lithuania over 16 years of age must hold a personal ID card or a passport.
29 This includes conventional tools (wigs, masks, make-up) and software tools.
30 For instance, in Norway identification data signed with a private key of the issuing institution are read directly off the document chip. Other solutions employ advanced software tools (e.g. artificial intelligence) to establish any data anomaly. Yet other solutions check data using interfaces with public registers.
31 Overview of pre-notified and notified eID schemes under eIDAS. Online: https://bit.ly/2N70TUE [last accessed on 24 March 2019].


This tool is therefore attractive to obliged entities because it is less costly and reaches a large number of potential customers including those abroad. Moreover, this method is convenient and intuitive for consumers, thus helping customers to have a positive experience. On the other hand, service providers are not certified and the confidence level of the tools or processes used is not supervised, which causes the confidence risk to increase.

2.2.2. Qualified electronic signature

Article 11(1)(3) of the AML/CTF Law stipulates that the customer may be identified remotely where identity information is confirmed by a qualified electronic signature using a qualified certificate for electronic signature in line with the requirements of Regulation (EU) No 910/2014. This tool may be used for identifying the customer and beneficial owner only where the customer was initially identified while physically present before the qualified certificate for electronic signature was issued. As far as this provision is concerned, it should be noted that in accordance with Article 11(1) of the Law of the Republic of Lithuania on trust services for electronic identification and electronic transactions[32] and the provisions of the second section of Order No 1V-1055 of the Director of the Communications Regulatory Authority of the Republic of Lithuania of 26 October 2018[33], the person to whom a qualified certificate is issued may be identified remotely as provided for in points (b) and (c) of the second paragraph of Article 24(1) of Regulation (EU) No 910/2014, i.e. using proper electronic identification tools or a qualified certificate for electronic signature or electronic seal. This means that Article 11(1)(3) of the AML/CTF Law narrows down the legal effect of a qualified certificate for electronic signature by banning the use of a certificate issued to a customer who was not physically present when it was issued.
Although the AML/CTF Law does not articulate it, a qualified electronic signature is used not only to verify the customer’s identity but also to declare their will, i.e. in order to confirm their identity using this tool the customer is also forced to make a declaration of will that may create, alter or terminate civil rights and obligations. The entire process for this alternative is shown in Fig. 6.

32 Law of the Republic of Lithuania on trust services for electronic identification and electronic transactions (TAR, 8 May 2018, No 2018-07474).
33 Order No 1V-1055 of the Director of the Communications Regulatory Authority of the Republic of Lithuania of 26 October 2018 approving the procedure for verifying personal identification and additional specific attributes when issuing qualified certificates for electronic signature, electronic seal and website identification (TAR, 26 October 2018, No 2018-16894).


[Process diagram: stages Application, Collection, Verification and Management; lanes User, Institution, and Third parties or systems.]

Fig. 6. Process for personal identification using a qualified electronic signature


According to respondents, given the accessibility and security of the tool, the e-signature is viewed as the opposite of direct video streaming/image transmission. Respondents stressed that the tool is only accessible to a relatively low number of potential customers but rated its security level highly. This has to do with the public key infrastructure used to perform the signing process. The fact that the e-signature service is regulated and its providers are supervised by a responsible authority also contributes to higher security. As for the drawbacks of the e-signature tool, respondents cited the diversity of e-signature service providers and the technologies they use, which implies that integration solutions on the consumer side are also different.

In accordance with the data of the Communications Regulatory Authority of the Republic of Lithuania[34], qualified services for the creation of certificates for electronic signature in Lithuania are provided by the following service providers established in the Republic of Lithuania: the Identity Documents Personalisation Centre under the Ministry of the Interior of the Republic of Lithuania (‘the ADIC’) and the State Enterprise Centre of Registers (‘the RC’). The ADIC is responsible for issuing personal documents and the dissemination of the certificates for e-signature and e-identification stored on a personal ID card.

In accordance with the 2017 Overview of the Market in Trust Services No ND-8 of the Communications Regulatory Authority of the Republic of Lithuania of 31 May 2018[35], at the end of 2017 the number of such valid qualified certificates for electronic signature was about 944,000. This certainly does not mean that as many people use electronic signature verified with an electronic certificate. It should be noted that many qualified certificates (645,000) are certificates stored on personal ID cards.
Such certificates are issued to persons older than 18 years together with a personal ID card and remain valid for 3 years. Although it is possible to extend the validity of certificates, few persons use that possibility because of the relatively low popularity of the tool.[36] However, the mere entry does not suffice to make it possible to use the electronic signature verified with a valid electronic certificate; one also needs a certificate (card) reader, which the person must purchase or use at a public library. This greatly diminishes the attractiveness of the tool.

The e-signature tool provided by the ADIC had a chance to become usable en masse (e.g. as in Estonia) because it was compulsory to have it. However, this was hindered by a lack of convenience (as additional software and hardware were required), the possibility to use e-government services through other (more convenient) instruments (e.g. via banks) and insufficient publicising and promotion. Currently contact technologies are often replaced with contactless ones (e.g. contactless payment cards). ADIC certificates with their current technical solution are not expected to become more popular. In 2018 only about 1% of adult Lithuanian residents holding an account with a credit institution regularly used this tool to connect to banking services.[37]

In the future a personal ID card may become usable in new ways. Some countries store e-identification and e-signature certificates in contactless chips as well (e.g. Estonia). The ADIC is also considering this option. This would allow avoiding the use of physical readers, which is one of the key hindrances at the moment. That said, specific time limits for new personal ID cards are not known; it is also unclear who would disseminate the supplementary software needed for contactless signing. The prevalence of this tool would also be affected by the number of phones equipped with NFC readers.
Another qualified e-signature tool disseminated in Lithuania (a ) is based on qualified certificates for electronic signature stored on the phone’s SIM card. In cooperation with mobile network operators, by the end of 2017 the RC had issued 250,000 e-signature certificates of that kind. Still, in 2018, having regard to the security and stability of the services, mobile network operators replaced the RC certificates with certificates issued by the Estonian company SK ID Solutions. Although Lithuanian residents use the mobile signature more often than the ADIC’s e-signature, this tool has not been rolled out massively either. In accordance with the data of the Bank of Lithuania, in 2018, 11% of the adult population in Lithuania holding an account with a credit institution used this tool regularly when connecting to e-banking services. Its popularity is likely to increase slightly because of the banks’ plans to stop using paper code cards.

34 List of qualified trust service providers in Lithuania. Online: https://www.elektroninisparasas.lt/kvalifikuoti-patikimumo-uztikrinimo-paslaugu-teikejai.html [last accessed on 24 March 2019].
35 Communications Regulatory Authority of the Republic of Lithuania, 2017 Overview of the Market in Trust Services. (31 May 2018, No ND-8). Online: https://www.elektroninisparasas.lt/images/ataskaitos/2017.pdf [last accessed on 24 March 2019].
36 About 4,000 persons renew their certificates every year.
37 Bank of Lithuania, Overview of the 2018 Survey of Payment Habits of Lithuanian Residents. Online: https://www.lb.lt/lt/leidiniai/lietuvos-gyventoju-apklausos-del-mokejimo-iprociu-apzvalga-2018-m [last accessed on 24 March 2019].


That said, it is likely that within a few years Smart-ID will become the most popular e-signature tool in Lithuania, making it possible to connect to e-banking services and confirm banking operations using only a smartphone. This is another product of the Estonian company SK ID Solutions accessible to Lithuanian residents. Smart-ID is actively promoted by the banking sector. The Smart-ID brand covers two legally separate products. The basic version matches the advanced e-signature category and is usually provided to natural persons who activate Smart-ID using bank code cards or code generators. The standard version matches the qualified e-signature category[38] and can be provided if a person physically arrives at a branch of a bank disseminating it or uses a mobile signature.[39] It should be noted that banks actively replacing code cards do not necessarily control which version of Smart-ID their customers install. This makes it impossible to conclude that the standard version of Smart-ID matching the qualified e-signature category and recognised under the AML/CTF Law will be accessible en masse to Lithuanian residents for a few more years.

The primary purpose of e-signature is to sign documents with legal effect. The person is identified at the same time as the document is signed. It is impossible to establish someone’s identity without the signing step with this tool. To offset this shortcoming, e-signature service providers often issue another certificate, i.e. the e-identification certificate, which does not give legal effect to the signature but makes it possible to identify the person. For example, the ADIC, the m-signature and Smart-ID tools function based on this principle. Still, in the legal sense, the e-identification certificate in Lithuania is not formally regulated and this service is not subject to security requirements. This means that the same service provider is supervised in respect of the e-signature service but is not supervised for e-identification.
This may give rise to a false sense of security among market participants. The Anti-Money Laundering Law mentions e-signature and e-identification tools individually but does not explain how to assess actual market practices where the tools are used in business processes together, e.g. where the e-signature is qualified but an e-identification certificate is also used at the same time, which is not regulated under the eIDAS Regulation. For more information on the differences between e-signature and e-identification see Table 2.

Table 2. Differences between e-signature and e-identification

Feature: Makes it possible to sign documents with legal effect
E-signature: Yes
E-identification: No

Feature: Makes it possible to identify the person
E-signature: Yes, but only where the document is signed. It is impossible to identify the person without signing (unless another e-identification certificate is used).
E-identification: Yes

Feature: Reaching foreign customers through a one-stop shop
E-signature: The EU does not have a central infrastructure that would make it possible to reach all e-signature tools issued to residents of the EU Member States through a one-stop shop. Each tool therefore requires individual integration.
E-identification: The eIDAS infrastructure creates conditions for reaching users in all EU Member States having notified the European Commission of an e-identification tool through a single national hub.

Feature: Confidence levels
E-signature: Available for those tools that are included in the list of qualified trust service providers established in the Republic of Lithuania and qualified trust services provided thereby.
E-identification: Available for those tools that are notified to the European Commission under the eIDAS Regulation as high, adequate and low.

Feature: Service supervision
E-signature: The service is regulated and supervised.
E-identification: Private e-identification service providers may choose service supervision for themselves. Service providers seeking to have confidence levels attributed to them must conduct business in accordance with the eIDAS Regulation.

Thus, this tool is characterised by a high level of security and information accuracy and is regulated and supervised by supervisory bodies while service providers are certified. The tool also implies lower costs because identification data are collected by the trust service provider. The main drawback of this tool is however low prevalence. E-signature tools are scarcely publicised and promoted and there is a lack of business and technical conditions for reaching foreign customers. Some e-identification tools are provided to consumers for a fee. Personal ID cards as the most common tool need additional hardware (a reader) and software as well as knowledge and skills to install them. Moreover, physical contact with the customer is still necessary at least once to sign a contract and to attribute credentials and there is a requirement for a superfluous declaration of the will. All these facts prove that the tool accessibility is limited.

38 As of 8 November 2018. For more information see https://www.sk.ee/en/News/smart-ids-security-was-recognized-on-the-highest-possible-level/.
39 In accordance with Article 24(1)(c) of the eIDAS Regulation.

2.2.3. Electronic identification

Article 11(1)(2) of the AML/CTF Law allows identifying the customer remotely using electronic identification means issued in the European Union which operate under the electronic identification schemes with the assurance levels high or substantial as specified by Regulation (EU) No 910/2014.[40] The process of using this tool is essentially similar to the process of using a qualified electronic signature described in subparagraph 2.3.2, except for the requirements to verify the process of issuing the electronic identification instrument or to declare one’s will in respect of the creation, alteration or termination of rights or obligations. The entire process for this alternative is shown in Fig. 7.

[Process diagram: stages Application, Collection, Verification and Management; lanes User, Institution, and Third parties or systems.]

Fig. 7. Personal identification process using electronic identification means

It is still not possible in Lithuania to use this tool because of certain drawbacks of national infrastructure. According to survey respondents, e-identification tools are not going to spread massively within the next few years but there is almost no doubt that they will be in use in some customer segments. This, in particular, has to do with the eIDAS infrastructure making it possible to reach users in all EU Member States having notified the European Commission of an e-identification tool through a one-stop shop, with confidence levels warranted by the Member States. Reaching new customers abroad is one of the key goals for non-banking service providers (Fig. 4).

40 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 2014, p. 73).

The AML/CTF Law specifically mentions e-identification means issued in the EU which operate under the electronic identification schemes with the assurance levels high or substantial but there are often varying views on the practical application of such legal provisions in the market. The reference to e-identification means issued in the EU implies that the tool is initially designed to make sure that new customers abroad can be reached. To that end, the eIDAS Regulation gives relevant legal guarantees and technical conditions for a one-stop shop.[41] That said, this has given rise to certain expectations in respect of e-identification means disseminated in Lithuania too, which, if they were to get a confidence stamp under the eIDAS Regulation, would formally be compatible with the AML/CTF Law. It should be noted that e-identification tools disseminated in Lithuania do not necessarily seek to be recognised in other EU Member States and under usual circumstances may not seek to be compatible with the provisions of the eIDAS Regulation, but Lithuania does not have another legal way to obtain a trust stamp.

What is currently known is only that personal ID cards are to be compatible with the eIDAS Regulation. The Ministry of the Interior plans to carry out required security checks on personal ID cards and inform the European Commission. Owners of privately managed e-identification tools have not expressed any intention to notify the European Commission of Smart-ID or mobile signature tools. This therefore leads to the conclusion that the existing provision of the AML/CTF Law concerning e-identification means is currently purely theoretical. Confidence levels are not attributed to mobile signature and Smart-ID schemes while the personal ID card, even if it meets the eIDAS requirements, is scarcely used in Lithuania.

Certain developments may be expected from another functionality (still little used) of the personal ID card[42], i.e. access to data via the NFC chip. Now information on the personal ID card holder is stored not only in e-certificates but also on the card’s NFC chip (see Annex 3). Data are freely accessible with a video camera and an NFC reader.
Data reliability is the responsibility of the ADIC, which signs the data sets with a private key. This open functionality of a personal ID card can be integrated into other e-identification means or used during the remote identification process. However, to be usable in practice, this tool should be listed in the AML/CTF Law.

The European Commission looks for ways to promote and expand the eIDAS functionality. It also examines what data attributes needed for business could be added to existing technical specifications (see Annexes 1 and 2). That said, eIDAS as a means of transport for transmitting additional data attributes would meet only some of the needs. Furthermore, it would be necessary to draw up procedures and principles for reliable identification of new attributes. It should be noted that the attributes needed for proper customer identification are usually provided by other attribute providers rather than e-identification schemes.

This instrument therefore has pros and cons that make it similar to a qualified electronic signature, except that it does not require the person being identified to also declare their will, and because of infrastructure drawbacks it is still not accessible to entities conducting business in Lithuania.

2.2.4. Payment order

Article 11(1)(5) of the AML/CTF Law allows remote customer identification where, before the customer starts using the obliged entity’s services, a payment order is made into their payment account from an account held in the name of the customer at a credit institution registered in a European Union Member State or a third country imposing equivalent requirements, and a paper copy of the identification document certified in accordance with the procedure laid down by legal acts of the Republic of Lithuania is submitted.
The procedure for certifying and submitting copies of personal identification documents is laid down in Order V-131 of the Director of the Financial Crimes Investigation Service of 12 September 2017.[43] In accordance with paragraphs 3, 6 and 7 of the Procedure for Certifying and Submitting Copies of Personal Identification Documents approved by the Order, a paper copy of the personal identification document must be notarised or certified by a local chief or a consular officer of the Republic of Lithuania (in the case of legal persons – documents of authorised representatives thereof) and submitted to the obliged entity by mail, courier or parcel terminal services, or physically delivered otherwise. The entire process for this alternative is shown in Fig. 8.

41 On the other hand, technical and business conditions for the accessibility of the eIDAS hub in Lithuania to its private sector remain unclear.
42 A similar functionality is also embedded in passports of the Republic of Lithuania.
43 Order No V-131 of the Director of the Financial Crime Investigation Service under the Ministry of the Interior of the Republic of Lithuania of 12 September 2017 approving the procedure for certifying and submitting copies of personal identification documents (TAR, 15 September 2017, No 2017-14738).


[Process diagram: stages Application, Collection, Verification and Management; lanes User, Institution, and Third parties or systems.]

Fig. 8. Personal identification process using a payment order


This tool is attractive as it does not require customers to use any special technical means (e.g. e-signature or related equipment), except for access to e-banking. The obliged entity does not however have a real possibility to manage the risk of improper identification at the credit institution from which the payment order is received. Moreover, where identity is established using this instrument, the customer is still required to carry out the process for making and submitting a duly certified copy of the personal identification document, which implies physical contact.

2.2.5. Third-party information

Article 13 of the AML/CTF Law allows customer or beneficial owner identification without them directly being present, based on customer information from other obliged entities where they meet the reliability requirements applicable to such third parties. A person may only be identified using this tool where the obliged entity has sufficient means to ensure that the third party of its own will fulfils both of the following conditions: (1) when requested, it immediately provides the requesting obliged entity with all required information and data necessary under personal identification requirements; (2) when requested, it immediately provides the obliged entity with copies of documents relating to personal identification and other documents concerning the person in question that are necessary under personal identification requirements. This measure is possible (and used) only where two (or more) obliged entities have an agreement on sharing personal identification data and documents. The entire process for this alternative is shown in Fig. 9.


[Process diagram: stages Application, Collection, Verification and Management; lanes User, Institution, and Third parties or systems.]

Fig. 9. Personal identification process using third-party information


This tool is designed, in particular, for customers who are legal entities. Customers do not need to fill in questionnaires and submit relevant documents repeatedly. As there is a requirement that the institution and the third party have an agreement, the tool, which is capable of cutting costs for data and document collection, verification and management, is better suited for institutions conducting business as part of a financial group. Accepting such payments as an identification instrument requires that the parties have a free-will agreement on exchanging information, data and documents but third parties are not obliged to share information or may set unsustainable economic conditions. There is no standard API for receiving information. It should also be noted that there is no list of reliable third parties, which means that even a concluded agreement does not guarantee that personal identification is adequate. Moreover, as far as foreign customers are concerned, the Lithuanian market is too small for a third party conducting business in another jurisdiction to be interested in adjusting to Lithuanian legal norms or sharing its customer data and documents.

2.3. Comparison of remote identification means

All of the above processes can be summarised by comparing the need for specific actions, solutions or physical contact with the customer or special tools (e.g. e-signature). As seen from the summary put forward, among all statutory remote identification means, only direct image transmission does not require physical contact with the customer or any special tools. All the other instruments require additional action to be taken by the customer at least once or every time when being authenticated in order to start a business relationship with a certain undertaking providing payment services.

Table 3. Comparison of processes of remote identification means

Tool: Direct video streaming/image transmission (I): the original of the identity document is recorded and the identity is verified using at least an advanced e-signature
Actions: 8
Solutions: 4
Need for physical contact or special tools: 1 – procedures for obtaining an advanced electronic signature

Tool: Direct video streaming/image transmission (II): the facial image of the customer and the original of the identity document are recorded by means of video streaming
Actions: 8
Solutions: 3
Need for physical contact or special tools: 0

Tool: Direct video streaming/image transmission (II): the facial image of the customer and the original of the identity document are recorded by means of image transmission
Actions: 7
Solutions: 3
Need for physical contact or special tools: 0

Tool: Qualified electronic signature
Actions: 4
Solutions: 2
Need for physical contact or special tools: 1 – procedures for obtaining a qualified e-signature

Tool: Electronic identification
Actions: 3
Solutions: 2
Need for physical contact or special tools: 1 – procedures for obtaining e-identification

Tool: Payment order
Actions: 6
Solutions: 4
Need for physical contact or special tools: 2 – (a) opening a proper account; (b) submitting an identification document

Tool: Third parties
Actions: 5
Solutions: 3
Need for physical contact or special tools: 2 – (a) submitting documents to a third party; (b) obtaining documents from a third party

Furthermore, the findings of the above analysis make it possible to give a concise overview of the pros and cons of currently admissible remote identification means.


Table 4. Overview of the pros and cons of currently admissible remote identification instruments

Direct video streaming/image transmission

Pros:
– The financial institution incurs less costs
– High reachability of potential customers
– Possibility to reach foreign customers
– Convenient and intuitive tool for consumers
– Positive customer experience can be created

Cons:
– Service providers are not certified
– Confidence level of tools or processes used is not supervised
– Recording of the original document and using at least an advanced e-signature require that the customer complete procedures for obtaining a relevant e-signature which requires physical contact
– Facial image and document transmission by means of video streaming requires remote contact with the customer
– Facial image and document transmission as photographs does not require physical contact with the customer and can be automated

E-signature

Pros:
– High level of security and information accuracy
– The service is regulated and supervised by a supervisory body
– Service providers are certified
– The financial institution incurs less costs as identity data are collected by the trust service provider

Cons:
– Low prevalence of the tools
– E-signature instruments are scarcely publicised and promoted
– Business and technical conditions for reaching foreign customers are lacking
– Some e-identification measures are provided to consumers for a fee
– Personal ID cards as the most common tool need additional hardware (a reader) and software as well as knowledge of how to install them
– Physical contact with the customer is still necessary at least once to sign a contract and to attribute credentials
– There is a requirement for superfluous declaration of the will

E-identification

Pros:
– Potentially high level of security and information accuracy
– The service is regulated and supervised by a supervisory body (only if functioning under eIDAS)
– Service providers are certified (only if functioning under eIDAS)
– The financial institution incurs less costs as identity data are collected by the trust service provider

Cons:
– Low prevalence of the tools
– Business and technical conditions for reaching foreign customers are lacking
– Some e-identification measures are provided to consumers for a fee
– Personal ID cards as the most common tool need additional hardware (a reader) and software as well as knowledge of how to install them
– Physical contact with the customer is still necessary at least once to sign a contract and to attribute credentials
– Not yet available for entities conducting business in Lithuania because of infrastructure deficiencies

Transfer and document

Pros:
– No need for customers to have special technical tools (e.g. e-signature or relevant equipment)

Cons:
– No possibility to manage the risk of improper identification at a credit institution from which the payment order is received
– There is still a need to carry out the process for making and submitting a duly certified copy of a personal identification document requiring physical contact

Third parties

Pros:
– Customers do not need to fill in questionnaires and submit relevant documents repeatedly
– Suitable tool for institutions conducting business as part of a financial group
– The financial institution incurs less costs when collecting, verifying and managing data and documents

Cons:
– Third parties are not obliged to share information or may set unsustainable economic conditions
– There is no standard API for receiving information
– The Lithuanian market is too small for a third party conducting business in another jurisdiction to adjust to Lithuanian legal norms
– There is no list of reliable third parties

The results of the survey of market participants have shown that out of 16 respondents having submitted their replies 5 institutions do not currently use any remote identification tool, 7 institutions use one and 4 institutions use two tools. None of them uses 3 or more tools. As far as the popularity of the instruments is concerned (Fig. 10), the leading position is taken by e-signature and direct video streaming based on the identification of the facial image and an identification document. Each of these instruments is used to one extent or another by four different institutions while one institution uses both of them. Not a single institution in the payments market uses direct video streaming based on a combination of an identification document and e-signature.


As for the future, institutions have outlined their own plans and offered a forecast of the overall line that the market may take. Most hopes are linked with direct video streaming technology (the face and an identification document). At least 8 institutions plan to install it. The majority of respondents believe that the direct video streaming/image transmission tool will become common throughout the market within 2 to 3 years (Fig. 11). Similar market popularity is likely on the horizon for the e-signature tool as well, while individual institutions have fewer plans to install this instrument (only 5 institutions are preparing to do so). If the institutions’ plans are approved, all the banks having replied to the questionnaire will use direct video streaming and e-signature tools.

[Figures: two bar charts, vertical axis 0 to 16 respondents.]

Fig. 10. Use of remote identification means irrespective of the extent of such use (16 respondents). Legend: Does not know; Does not use/does not intend to use; Intends to use; Uses. Source: Task Force of the Payments Council.

Fig. 11. Evolution of remote identification means in the next 2 to 3 years (16 respondents). Legend: No opinion; Most probably will be not used at all; May be used to a certain extent for certain services; May become commonly used. Source: Task Force of the Payments Council.

The market participants involved in the survey were asked to list the objectives to be achieved by using remote identification means in the order of importance. The banks clearly highlighted the attraction of Lithuanian customers and their experience as priority goals for using these tools. The most important for the non-banking sector are the aspirations to attract more customers from abroad but some importance is also attached to other goals such as the attraction of customers from Lithuania and overall customer experience. The breakdown of those replies is shown in Fig. 12.


[Figure: three bar charts with the panels "New customers in Lithuania", "New customers from abroad" and "Customer experience", each broken down by respondent group: Bank, CCU, Non-bank.]

Fig. 12. Objectives to be achieved by using remote identification tools (18 respondents)

The market participants involved in the survey were also asked to evaluate the accessibility, accuracy and security parameters of each of the tools allowed. The results on this question are presented in Fig. 13.

[Figure: chart rating the accessibility, accuracy and security of each tool on a scale from "Very poor" through "Poor", "Moderate" and "Good" to "Very good".]

Fig. 13. Quality assessment of remote identification means (average of replies from respondents who had a position). Source: Task Force of the Payments Council.

Security. eIDAS distinguishes three assurance levels: low, substantial and high. In accordance with Article 6 of the eIDAS Regulation, the public sector must recognise other e-identification tools of the Member States corresponding to the level high or substantial, provided that they are on the list published by the European Commission. Remote identification means currently used in the market do not have any assurance level assigned to them. According to the respondents involved in the survey, none of the tools in question is completely secure. The respondents believe that the most secure tools are the qualified electronic signature and e-identification instruments, while the payment order and video streaming tools are listed among the least secure. It should be noted that the institutions participating in the survey listed video streaming tools as the ones enjoying the greatest popularity and having the biggest potential, albeit the least secure. This leads to the conclusion that accessibility of remote identification means to market participants is a more important factor than security.


Accessibility. Accessibility of remote identification means is usually assessed based on the relevant tool’s price and complexity of integration (Štitilis et al., 2011) as well as geographical distribution. The distribution criterion is understood to indicate to what extent a specific eID tool is suitable for remotely identifying a person from Lithuania, other EU Member States and third countries (i.e. non-EU). The respondents participating in the survey believe that the most accessible are video streaming tools while third-party information is viewed as the least accessible. Direct video streaming/image transmission tools do not require physical contact between the consumer and the institution, except for remote contact (interview) when recording the customer’s facial image during video streaming/image transmission. Moreover, video streaming/image transmission tools are freely accessible to all those who have a smartphone or a computer equipped with a camera. All other measures require physical contact that may take place: (1) when obtaining special tools (e.g. e-signature or e-identification tools) or (2) when providing paper copies of documents. Even though the third-party information instrument seems the simplest, it requires an agreement between the new and the current payment service providers of the customer, which limits accessibility of the tool. A comparison of the processes for these and other individual instruments therefore leads to the assumption that the more automated the identification process is and the fewer special instruments it requires, the more accessible is the respective tool.

Accuracy. The respondents participating in the survey believe that the most accurate tools are a qualified electronic signature (a state-supervised instrument) and e-identification tools. Respondents give essentially the same assessment of tools whose accuracy is confirmed either by third parties (credit institutions) or authorised public officials providing a duly certified copy of a paper document (a notary, a local chief or a consular official of the Republic of Lithuania). Respondents believe that the most accessible tools, i.e. video streaming, are the least accurate.

2.4. Evolution trends of remote identification means

Article 4(30) of the PSD2 [44] sets out the concept of strong customer authentication. It means an authentication based on the use of two or more elements categorised as (a) knowledge (something only the user knows), (b) possession (something only the user possesses) and (c) inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data. The same categories have also been highlighted by Lithuanian scholars [45]:

[Figure: diagram "Identification in cyberspace" with three categories: what must be known (user name, password), what the user has (electronic certificate, PIN generator) and what the user is (biometrics), each with example applications such as public e-services, e-mail, e-voting, electronic banking, e-commerce and social media.]

Fig. 14. Identification methods in the electronic space

44 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
45 Darius Štitilis et al., Preconditions for Legal Regulation of Personal Identification in Cyberspace, (Jurisprudence, 2011, 18(2)) p. 703-724.

The completed analysis of legal framework and practical application of remote identification instruments has also revealed that the instruments issued and used in Lithuania are exclusively associated with the category of possession or knowledge. However, the ever-improving technological advances of mobile devices and an increasing use of biometric security elements in personal identification documents issued by the state have the potential to greatly enhance the effectiveness and efficiency of customer identification by inherence (biometric) measures.

Biometrics (inherence) may be defined as personal identification by using statistical methods to analyse a person’s physiological and behavioural characteristics. Biometrics are commonly seen as a more secure and more reliable identity verification method than alternative methods. These technologies receive more and more attention as mobile devices advance together with solutions enabling the use of a person’s facial features, fingerprints, hand geometry, voice or irises to establish that person’s identity. [46] The human body is indeed a catalogue of unique identifiers and there are already biometric technologies enabling the use of these unique features to verify one’s identity with a high level of assurance. Apart from the aforementioned physiological attributes of a person (the face, fingerprints, voice, etc.), unique behaviour recognition technologies enabling personal identification by hand-writing, typing, manner of walking, etc. are also developing quickly. The popularity of biometric tools has also to do with the fact that biometric features of a person cannot be transferred to another person and the person does not need any special instruments to be able to use this identification method. [47]

Global revenue of the market in biometric tools between 2016 and 2025 should amount to almost USD 70 billion. Fingerprint readers have already been integrated in the identification system of a smartphone and became a standard tool many years ago. The latest iPhone 8 and iPhone X are also expected to accelerate the rolling out of facial recognition technology. The development of voice recognition systems is also associated with the growing popularity of virtual assistants such as Amazon Alexa or Google Assistant. Consumers are increasingly identified with the help of biometric technologies and use them in the authentication process, first of all, for the sake of convenience and speed. Moreover, given immigration trends and challenges posed by terrorism, the UK’s Ministry of the Interior alone plans to invest GBP 96 million in the use of fingerprints, facial recognition and DNA checks for law-enforcement purposes, especially for handling visa applications and combating terrorism. The USA has similar plans to equip its main airports with biometric systems within four years. All these trends are likely to continue and expand. [48]

So, the market in remote identification means is still developing, especially in the area of inherence (biometrics). These innovations already greatly affect global and EU trends in payment services and are also expected to have an impact on the payment services market in Lithuania as a European FINTECH hub. The completed analysis of the evolution of the AML/CTF Law and the Rules has revealed that to date national regulation lacks the tradition of adaptation to technical progress while the current regulation is close-ended, i.e. the effective recast of the AML/CTF Law and the Rules contains an exhaustive list of remote identification means. This therefore leads to the conclusion that the evolving market in identification means will sooner or later stumble upon some gaps or inadequacies in legal framework. Thus, in order to ensure due adaptation of legal framework to highly dynamic market conditions, there is a need to compile a non-exhaustive list of instruments setting out the terms and procedures for the recognition of new identification means.

3. Goals and possibilities for regulating remote identification

Lithuania’s experience in regulating remote identification, currently admissible statutory identification tools and their development trends as described in the previous chapters have shaped the underlying context for an analysis of regulation goals and possibilities. This chapter thus contains an analysis of goals of regulating remote identification that will serve as a foundation for setting the limits of the regulator’s discretion and drawing up recommendations.

Regulating issues cover a complex juxtaposition of freedom and control. Superfluous regulation unreasonably undermines the foundation of a democracy that is freedom. Hence, the key challenge for regulators is to strike a balance between freedom and control so as to maximise individual and collective well-being of the nation and to promote useful behaviours suppressing harmful ones (Hertog, 2010). One should also support the approach put forward by Pigou (1932) that a regulator needs to interfere only where the free market is dysfunctional and only to eliminate such market failures.

46 PwC, The Future of Onboarding (December 2016).
47 See footnote 45.
48 European Commission, Biometrics technologies: a key enabler for future digital services (January 2018).


Indeed, an analysis of the need for regulation is commonly based on two assessments before interfering with the free market. The first one covers the reasons for free market dysfunction. After these are established, the second assessment is then conducted to find out what nature and scope of regulation could diminish the adverse effect of such reasons. Poorly chosen regulatory measures may be detrimental. Regulatory measures are therefore subject to rather stringent conditions: (a) restrictions will only be possible pursuant to laws; (b) restrictions within the society must be necessary to protect rights and freedoms of other persons, other fundamental values and overarching goals of general interest; and (c) the principle of proportionality must be respected. [49] Moreover, there is a need to ensure the lawfulness, reason, impartiality and objectivity of the regulator’s decisions, warranting equality before the law for persons whom such decisions affect, proportionality to the objective to be attained, the requirement for a reasonable period to be set in the process of exercising administrative discretion and the respect for other principles pertaining to a proper process of exercising administrative discretion.

The principle of legal regulation of economic activity set in Article 46 of the Constitution of the Republic of Lithuania, which also defines certain goals, directions, methods and limits of regulating economic activity, is also important in the context of personal identification means. The Constitutional Court has on a number of occasions stated that when regulating economic activity the state must seek balance between individual and public interests. [50] The state may not establish legal regulation creating unfavourable conditions not suited for exercising the right to pursue an economic activity by economic entities. [51] This implies that state and municipal authorities and officials may not by any decision or action, without an objective and constitutionally sound reason, create obstacles for human initiative to manifest and develop, annihilate their economic endeavours and prevent them from being implemented, even if their usefulness for the public is not obvious. [52] It is understood that the content of legal framework may change in the long run but even then, according to the Constitutional Court, constitutional principles of economic regulation may not be overruled. [53] Thus, in principle, identification requirements should not hinder innovation either.

In the context of legal framework in Lithuania it is also important to note that, based on the doctrine of indirect effect of directives [54], where EU directives are implemented through national legislation, national law must be interpreted and applied so as to be as aligned with the provisions of a relevant European Union directive as possible. Recital 22 of Directive 2018/843 of 30 May 2018 (hereinafter – the AMLD5 or the Directive) [55] stipulates that the latest technical developments in the digitalisation of transactions and payments enable a secure remote or electronic identification, in addition, taking into account other secure remote or electronic identification processes, regulated, recognised, approved or accepted at national level by the national competent authority. Thus, remote identification is a new reality where e-identification tools established in the EU [56] and accepted at national level are admissible.

49 See e.g. resolutions of the Constitutional Court of 14 March 2002, 31 May 2006, 4 December 2008, 29 April 2009, 21 December 2000, 14 March 2006, 10 April 2009, 8 June 2009, 31 January 2011, 5 July 2013 and others.
50 See e.g. resolutions of the Constitutional Court of 18 January 2000, 9 April 2002, 17 March 2003 and 26 January 2004.
51 See e.g. resolutions of the Constitutional Court of 9 April 2002, 17 March 2002 and 26 January 2004.
52 See e.g. resolutions of the Constitutional Court of 31 May 2006, 8 June 2009, 29 April 2009 and 31 May 2006.
53 See e.g. the resolution of the Constitutional Court of 6 October 1999.
54 See e.g. judgments of the EU Court of Justice Von Colson, 14/83 (10 April 1984) and Marleasing, C-106/89 (13 November 1990).
55 Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (AMLD5).
56 See footnote 40.

Article 13(1)(a) of the Directive allows identifying the customer and verifying the customer’s identity (a) on the basis of documents, data or information obtained from a reliable and independent source, (b) electronic identification means and relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council or (c) any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities. Member States are obliged to ensure that obliged entities implement a policy, controls and procedures for efficient minimisation and management of money laundering and terrorist financing risks identified on the levels of the Union, a Member State and an individual obliged entity. The policy, controls and procedures must be proportionate taking into account the nature and size of obliged entities (Article 8(3) of the AMLD5). A risk-based approach to customer identification is also provided for in Article 13(4), which sets an obligation to ensure that obliged entities could prove to competent authorities or self-regulatory bodies that the measures were suitable given the risk of money laundering and terrorist financing. Given the purpose of the relations, the size of transactions performed by the customer and the periodicity or duration of business relations, risks may vary, so the choice of admissible tools must also be adequate to enable entities to choose a customer identification tool proportionate to the risk.

The risk-based approach is also used when regulating the moment where customer identity must be established. Article 14 of the Directive provides that customer and beneficial owner identity needs to be properly checked before commencing business relations or before completing the transaction, but Member States may allow the verification of customer and beneficial owner identities to be completed when commencing a business relationship where this is necessary under common business practices and where money laundering or terrorist financing risks are not high. In such cases those procedures are completed as soon as possible following the initial commencement of any relationships.

The Directive makes it possible to rely on third parties to fulfil customer due diligence requirements but ultimate responsibility for the performance of those requirements falls on the obliged entity relying on them (Article 25 of the AMLD5). The Directive however obliges Member States to ensure that obliged entities to which the customer is referred take adequate steps to ensure that the third party provides immediately, upon request, relevant copies of identification and verification data, including, where available, data obtained through electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014, or any other secure, remote or electronic, identification process regulated, recognised, approved or accepted by the relevant national authorities (Article 27(1) of the AMLD5). The word “immediately” used in the Directive can be interpreted as the grounds for setting momentary (automated) transmission requirements or protocols for otherwise standardised direct database access.

Thus, the AMLD5 does not provide for any exhaustive list of identification or e-identification tools and allows the state to regulate, recognise, confirm or accept all e-identification processes that are secure. The AMLD5 obliges the state to ensure the possibility to prove to it or self-regulatory bodies (e.g. associations) that the instruments they use are appropriate given the established risk of money laundering and terrorist financing, the nature of the business and the size of the entity. The AMLD5 also provides for a possibility to allow establishing a person’s identity before commencing a business relationship, before completing a transaction and, where this is proportionate to risks and is in line with common practices, having commenced the transaction, and makes it possible for entities to assess the level of risk and choose proportionate identification tools accordingly. The AMLD5 also obliges the state to ensure immediate transfer of copies of information and documents necessary for identification from a third party.

4. Recommendations on regulating remote identification means

National regulation has to date lacked the tradition of adaptation to technical progress, which is why the business of remote financial services has been struggling with delays or inefficiency issues. Upon the adoption at the end of 2016 of amendments to the AML/CTF Law and the Rules, the possibilities for identification were expanded by compiling a broader but exhaustive list of admissible tools. Such changes coincided with Lithuania’s active participation in the financial technology (FINTECH) industry. Such participation takes the form of both shaping the political direction of the country’s development and developing an infrastructure conducive to financial innovation. As Lithuania aspired to become a FINTECH leader in the European Union, remote identification before commencing a business relationship has become a highly important practical and legal vehicle directly affecting possibilities of providing remote financial services.

A study has revealed that out of the 7 admissible tools only direct video streaming/image transmission does not require maintaining physical contact (directly or by means of video streaming) with the customer or special equipment. The video streaming tool, with its enhanced accessibility, is one of the most popular instruments among market participants, irrespective of any accuracy and security deficiencies of the tool perceived by market participants. The market in remote identification means is however still improving, especially in the area of inherence (biometrics). These innovations already have a colossal effect on global and European trends in payment services and are expected to affect Lithuania’s market in payment services too. Therefore, in order to avoid a repeat of the regulatory stagnation present before 2016, there is a need to ensure that legal framework duly adapts to dynamic market conditions. To that end, there is a need to compile a non-exhaustive list of tools when setting the conditions and procedures for the recognition of identification means.


In this context it should be noted that even following the 2016 amendments the Lithuanian legal regime of remote identification is still based on rules while the AMLD5 clearly provides for a risk-based approach. The AMLD5 enables national authorities to recognise remote identification means not provided for in the Directive. On the contrary, the AMLD5 requires ensuring that obliged entities could prove to competent authorities or self-regulation bodies that the instruments are appropriate given the established risk of money laundering and terrorist financing. The risk-based approach to customer identification is rational because it allows taking into account the purpose of the relationship, the size of transactions performed by the customer and the periodicity or length of business relations; they may vary, and the choice of admissible instruments must be adequate so that entities can choose a customer identification means proportionate to the risk. With the development of financial technology, this risk-based approach is also in line with the requirements of the Constitution of the Republic of Lithuania to avoid legal regulation putting economic entities in unfavourable conditions not suitable for exercising the freedom to pursue an economic activity and hindering innovation or disproportionate to the objective to be attained.

Therefore, with a view to ensuring the adaptation of legal framework to highly dynamic market conditions and implementing the AMLD5 requirements, here are some recommendations:
– to make a non-exhaustive (open) list of remote identification means as well as procedures and methods for the state to regulate, recognise, approve or adopt all secure remote identification processes;
– to enable all obliged entities to prove to national or self-regulation authorities (e.g. associations of obliged entities) that the means they use are appropriate given the established risk of money laundering and terrorist financing, the nature of the business and the size of the entity;
– to implement a proactive policy on e-identification tools ensuring that anyone has convenient access to e-identification or other remote identification means.


Sources

Scientific literature, studies and overviews
1. Creswell, J. W., Qualitative Inquiry and Research Design: Choosing Among Five Approaches. 3rd Edition, (2012).
2. Darius Štitilis et al., Preconditions for Legal Regulation of Personal Identification in Cyberspace, (Jurisprudence, 2011, 18(2)) p. 703–724.
3. Deloitte, EMEA Digital Banking Maturity (2018). Online: https://bit.ly/2Aqv5pR [last accessed on 24 March 2019].
4. European Banking Authority, Opinion of 23 January 2018 on the use of innovative solutions by credit and financial institutions in the customer due diligence process. Online: https://bit.ly/2U7n7N8 [last accessed on 24 March 2019].
5. European Commission, Biometrics technologies: a key enabler for future digital services (January 2018).
6. European Commission, CEF EID Building Block for Banking and Educational Domains – Architectural Solution Document.
7. European Commission, Study on eID and digital on-boarding: mapping and analysis of existing on-boarding bank practices across the EU (2018).
8. Financial Action Task Force, Outcomes FATF Plenary, 17–19 October 2018. Online: https://bit.ly/2FyNp2Z [last accessed on 24 March 2019].
9. Krogstie J., Organizational Value of Business Process Modeling. In: Quality in Business Process Modeling. (Springer, Cham, 2016).
10. List of qualified trust service providers in Lithuania. Online: https://www.elektroninisparasas.lt/kvalifikuoti-patikimumo-uztikrinimo-paslaugu-teikejai.html [last accessed on 24 March 2019].
11. Bank of Lithuania, Overview of the 2017 Survey of Payment Habits of Lithuanian Residents. Online: https://www.lb.lt/uploads/publications/docs/18395_7c990911d3d9be38d4cdc2ba2f522555.pdf [last accessed on 24 March 2019].
12. Bank of Lithuania, Payments statistics. Online: https://www.lb.lt/lt/mokejimu-statistika-2#group-2128 [last accessed on 24 March 2019].
13. Communications Regulatory Authority of the Republic of Lithuania, 2017 Overview of the Market in Trust Services. (31 May 2018, No ND-8). Online: https://www.elektroninisparasas.lt/images/ataskaitos/2017.pdf [last accessed on 24 March 2019].
14. Lin, F. R., Yang, M. C., Pai, Y. H, A generic structure for business process modeling. Business Process Management Journal, 2002, Vol. 8, pp. 19-41.
15. OECD, 2018, Financial Markets, Insurance and Services: Digitalisation and Finance (2018). Online: https://bit.ly/2R90H9a [last accessed on 24 March 2019].
16. Oracle, Digital Transformation: the Challenges and Opportunities Facing Banks (2016). Online: https://bit.ly/2j3QTNM [last accessed on 24 March 2019].
17. Overview of pre-notified and notified eID schemes under eIDAS. Online: https://bit.ly/2N70TUE [last accessed on 24 March 2019].
18. Paulius Čiulada, Lietuva – antra Europoje pagal „fintech“ įmonių licencijavimą (Lithuania – Europe’s Second in Licensing Fintech Undertakings), (14 January 2019, Verslo žinios). Online: https://www.vz.lt/rinkos/2019/01/14/lietuva--antra-europoje-pagal-fintech-imoniu-licencijavima#ixzz5j5gLRWV0 [last accessed on 24 March 2019].
19. PwC EU Services EEIG, Study on eID and digital on-boarding: mapping and analysis of existing on-boarding bank practices across the EU (2017).
20. PwC, The Future of Onboarding (December 2016).
21. Žydžiūnaitė, V. and Sabaliauskas, S. Kokybiniai tyrimai. Principai ir metodai. Vadovėlis socialinių mokslų studijų programų studentams. (Qualitative Research. Principles and Methods. Textbook for Students of Social Studies) (Vilnius, 2017. VAGA).

Legislation

1. Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU.
2. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 2014, p. 73).
3. Directive 2014/92/EU of the European Parliament and of the Council of 23 July 2014 on the comparability of fees related to payment accounts, payment account switching and access to payment accounts with basic features.
4. Council Implementing Regulation (EU) 2015/1501 of 8 September 2015.
5. Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (AMLD5).
6. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
7. Order No V-314 of the Director of the Financial Crime Investigation Service under the Ministry of the Interior of the Republic of Lithuania of 30 November 2016 approving technical requirements for the customer identification process where identification is performed remotely using electronic means enabling direct video streaming/image transmission (TAR, 1 December 2016, No 2016-27955).
8. Order No V-131 of the Director of the Financial Crime Investigation Service under the Ministry of the Interior of the Republic of Lithuania of 12 October 2017 approving the procedure for certifying and submitting copies of personal identification documents (TAR, 15 September 2017, No 2017-14738).
9. Law of the Republic of Lithuania on trust services for electronic identification and electronic transactions (TAR, 8 May 2018, No 2018-07474).
10. Order No 1K-185 of 8 May 2017 of the Minister for Finance of the Republic of Lithuania on the development of the financial technology (FINTECH) industry in Lithuania (TAR, 19 May 2017, No. 2017-08423).
11. Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing (TAR, 12 July 2017, No. 2017-12068).
12. Order No 1V-1055 of the Director of the Communications Regulatory Authority of the Republic of Lithuania of 26 October 2018 approving the procedure for verifying personal identification and additional specific attributes when issuing qualified certificates for electronic signature, electronic seal and website identification (TAR, 26 October 2018, No 2018-16894).
13. Resolution No XIII-82 of the Seimas of the Republic of Lithuania of 13 December 2016 on the Programme of the Government of the Republic of Lithuania (TAR, 13 December 2016, No 2016-28737).
14. Resolution No 924 of the Government of the Republic of Lithuania of 24 September 2008 on the list of criteria for considering a customer to pose a low threat of money laundering and/or terrorist financing and criteria based on which a threat of money laundering and/or terrorist financing is considered to be high, on the approval of the rules for customer and beneficial owner identification as well as the detection of multiple interconnected monetary operations and on the establishment of the procedure for providing information on known indications of possible money laundering and/or terrorist financing and violations of the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing and the measures taken against perpetrators.

Case-law (other than that listed in Annex 1)

1. Resolutions of the Constitutional Court of 6 October 1999, 18 January 2000, 21 December 2000, 14 March 2002, 17 March 2002, 9 April 2002, 17 March 2003, 26 January 2004, 31 May 2006, 4 December 2008, 10 April 2009, 29 April 2009, 8 June 2009, 31 January 2011 and 5 July 2013.
2. Judgments of the EU Court of Justice Von Colson, 14/83 (10 April 1984), and Marleasing, C-106/89 (13 November 1990).


Annex 1

| Date | Case No and reference | Summary | Decision |
|---|---|---|---|
| 16 January 2009 | Ruling of the Supreme Administrative Court of the Republic of Lithuania in Administrative Case No N-575-3882-09 (http://www.infolex.lt/tp/93750) | AB bankas (confidential) was accused of the failure to fulfil the requirements of Article 9(1) of the AML/CTF Law as it did not terminate various payments exceeding LTL 50,000 and failed to notify such suspicious operations by that customer to the FCIS. | To reject as unrelated to identification. |
| 29 October 2010 | Ruling of the Supreme Administrative Court of the Republic of Lithuania in Administrative Case No N-756-1167/2010 (http://www.infolex.lt/tp/176504) | UAB Nesė organising games of chance was accused of failing to ensure that all persons exchanging cash for tokens or tokens for cash were registered, thus violating Article 9 of the AML/CTF Law. | To reject as those were not remote financial services. |
| 2 January 2014 | Ruling of the Supreme Court of the Republic of Lithuania in Civil Case No 3K-3-106/2014 (http://www.infolex.lt/tp/779618) | In the bankruptcy proceedings of AB bankas Snoras third parties A.S. and M.S. requested that their credit claim be satisfied and that they be included in the list of depositors. Article 9 of the AML/CTF Law was cited in a narrow episode as the legal base for recording transactions but there was no broader interpretation of the application of that provision. | To reject as the application of the AML/CTF Law was not interpreted on the merits. |
| 14 October 2014 | Ruling of the Supreme Court of the Republic of Lithuania in Administrative Case No 2AT-44-2014 (http://www.infolex.lt/tp/874549) | G.V. was accused of having infringed on Article 9 of the AML/CTF Law because as Director General of UAB (confidential) he failed to ensure that the customer’s identity was properly established before commencing a business relationship with customers who were not physically present and because no copies of the customer’s identification documents were made or received from a third party (identity was established by transferring one cent to the company’s account). | To examine as it was directly related to customer identification when providing remote financial services. |
| 15 October 2014 | Ruling of the Supreme Administrative Court of the Republic of Lithuania in Administrative Case No AS-556-1129-14 (http://www.infolex.lt/tp/874875) | S.F.’s claim against the Lithuanian State represented by the Bank of Lithuania and a third interested party AB Citadele for damages and others. Article 9 of the AML/CTF Law was cited in a narrow episode dealing with the matter of admissibility of the complaint but there was no broader interpretation of the application of that provision. | To reject as the application of the AML/CTF Law was not interpreted on the merits. |
| 29 October 2014 | Ruling of the Supreme Administrative Court in 2A-2847-345/2014 (http://www.infolex.lt/tp/954421) | The lawsuit by UAB Bitmarket against AB Swedbank to deem unilateral termination of the Electronic Services Agreement void and to reinstate the rights violated where AB Swedbank restricted the provision of the services in respect of the Applicant’s trade in virtual currencies creating conditions for anonymous settlements and thus falling within the category of higher risk. | To examine as it was directly related to customer identification when providing remote financial services. |
| 17 February 2015 | Ruling of the Supreme Court of the Republic of Lithuania in Case No 2AT-6-942/2015 on administrative law infringements (http://www.infolex.lt/tp/1003895) | J.S. was accused of having infringed on Article 9 of the AML/CTF Law because as the Director of UAB A he failed to ensure that the customer’s identity was properly established before commencing a business relationship with customers who were not physically present and because no copies of the customer’s identification documents were made or received from a third party (identity was established by transferring one cent to the company’s account). | To examine as it was directly related to customer identification when providing remote financial services. |
| 5 October 2015 | Judgment of Vilnius Regional Administrative Court No I-4601-561/2015 (http://www.infolex.lt/tp/1409965) | The Applicant S.F. brought action claiming that the Defendant the State of Lithuania represented by the Bank of Lithuania was to be ordered to pay them EUR 1,000,000 (in material and non-material damages) because the currency exchange unit of AB Citadele unlawfully requested that the Applicant show a personal identification document before exchanging less than EUR 1,000 into LTL and entered it into its IT system. Article 9 of the AML/CTF Law was cited in a narrow episode as the legal base for customer identification but there was no broader interpretation of the application of that provision. | To reject as the application of the AML/CTF Law was not interpreted on the merits. |
| 20 December 2016 | Ruling of the Supreme Court of the Republic of Lithuania No e2AT-98-303/2016 (http://www.infolex.lt/tp/1395862) | P.G. was accused of having infringed on Article 9 of the AML/CTF Law because as the Director of UAB I he failed to ensure that the customer’s identity was properly established before commencing a business relationship with customers who were not physically present and because no copies of the customer’s identification documents were made or received from a third party (identity was established by transferring one cent to the company’s account). | To examine as it was directly related to customer identification when providing remote financial services. |
| 30 December 2016 | Ruling of the Supreme Court of the Republic of Lithuania in Case No 2AT-93-895/2016 on administrative law infringements (http://www.infolex.lt/tp/1418119) | K.N. and T.B. were accused of having infringed on Article 9 of the AML/CTF Law because as the Director of UAB (confidential) they failed to ensure that the customer’s identity was properly established before commencing a business relationship with customers who were not physically present and because no copies of the customer’s identification documents were made or received from a third party (identity was established by transferring one Litas to the company’s account). | To examine as it was directly related to customer identification when providing remote financial services. |
| 7 February 2018 | Ruling of Klaipėda District Court in Civil Case No AN2-50-361/2018 (http://www.infolex.lt/tp/1570326) | N.R. was accused of having infringed on the Republic of Lithuania Gaming Law as he let M.B. enter the company’s betting shop even though M.B. had filed a request to keep him from gambling and was included in the Register of Persons Restricting Their Own Ability to Gamble. Article 9 of the AML/CTF Law was cited in a narrow episode as one of the legal bases for protecting public interests in regulating games of chance but there was no broader interpretation of the application of that provision. | To reject as the application of the AML/CTF Law was not interpreted on the merits. |
| 26 September 2018 | Ruling of Panevėžys Regional Court in Civil Case No e2S-605-280/2018 (http://www.infolex.lt/tp/1645734) | The Applicant brought action to annul the refusal by Notary Public B.Š. to issue a certificate of inheritance rights and to oblige her to issue a certificate of inheritance rights. Article 9 of the AML/CTF Law was cited in a narrow episode as the legal base for Notaries Public to notify the FCIS of suspicious operations but there was no broader interpretation of the application of that provision. | To reject as the application of the AML/CTF Law was not interpreted on the merits. |


Annex 2

Comparison of data sets used for identifying natural persons and ensuring customer due diligence

| Attribute | Identification⁵⁷ | Customer due diligence⁵⁸ |
|---|---|---|
| Current surname(s) | Mandatory | Yes |
| Current first name(s) | Mandatory | Yes |
| Date of birth | Mandatory | Yes |
| Unique identifier generated by the Member State | Mandatory | No uniform practices |
| Name(s) and surname(s) at birth | Optional | |
| Place of birth | Optional | Yes |
| Current address | Optional | Yes |
| Gender | Optional | Yes |
| Nationality | | Yes |
| Phone number | | No uniform practices |
| E-mail | | No uniform practices |
| Profession (occupation) | | Yes |
| Politically exposed person | | Yes |
| Source of funds | | No uniform practices |
| Tax residence | | No uniform practices |
| Sanctions | | Yes |

⁵⁷ Based on Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015.
⁵⁸ Based on Subsection 6.2.24 of the European Commission’s document CEF EID Building Block for Banking and Educational Domains – Architectural Solution Document.


Annex 3

Comparison of data sets used for identifying legal persons and ensuring customer due diligence

| Attribute | Identification⁵⁹ | Customer due diligence⁶⁰ |
|---|---|---|
| Current legal name | Mandatory | Yes |
| Unique identifier generated by the Member State | Mandatory | Yes |
| Current address | Optional | Yes |
| VAT number | Optional | No uniform practices |
| Taxpayer registration number | Optional | No uniform practices |
| ID code within the meaning of Article 3(1) of Directive 2009/101/EC of the European Parliament and of the Council | Optional | No uniform practices |
| Legal entity identifier (LEI) as referred to in Commission Implementing Regulation (EU) No 1247/2012 | Optional | No uniform practices |
| Economic Operators Registration and Identification (EORI) number as referred to in Commission Implementing Regulation (EU) No 1352/2013 | Optional | No uniform practices |
| Excise number referred to in Article 2(12) of Council Regulation (EU) No 389/2012 | Optional | No uniform practices |
| E-mail | | No uniform practices |
| Beneficial owners | | Yes |
| Manager of the legal entity | | Yes |
| Trademark | | No uniform practices |
| Source of funds | | No uniform practices |

⁵⁹ Based on Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015.
⁶⁰ Based on European Commission’s document Study on eID and digital on-boarding: mapping and analysis of existing on-boarding bank practices across the EU (2018).


Annex 4

Comparison of data sets used in personal ID cards, Smart-ID and Mobile-ID

Attribute / Exterior of the personal ID card / Publicly accessible chip of the personal ID card / Electronic identification certificate of the personal ID card / Smart-ID / Mobile-ID

Name(s) Yes Yes Yes Yes Yes
Surname Yes Yes Yes Yes Yes
Gender Yes Yes Yes
Date of birth Yes Yes Yes * *
Personal identification number Yes Yes Yes Yes Yes
Nationality Yes Yes Yes
Facial image Yes Yes
Signature Yes
Date of issue Yes Yes (date of issue of the certificate)
Name of the issuing authority Yes
Expiry date Yes Yes
Document number Yes Yes

* The date of birth attribute is not stored and transmitted separately but in Lithuania it can be deduced from the personal identification number.


Annex 5

Questionnaire on the start of remote business relations

1. Requested institution

Name of the institution
Contact person
Contact details (phone number, email)
Could a representative of your institution, if needed, present their opinion at a meeting of the Payments Council? (Yes or no)

2. Purposes of remote identification

Legislation stipulates that obliged entities may commence business relations with prospective customers by means of remote identification. That said, obliged entities may use that process in pursuit of very different objectives, e.g. seeking to attract new customers within the country or from abroad, to enhance the efficiency of conformity requirements (lower costs, more accurate results, etc.), to meet customer expectations, etc.

What objectives does or would your institution seek to attain by using remote identification means?

| | Very important | Important | Moderately important | Not important | Completely unimportant |
|---|---|---|---|---|---|
| Attraction of new customers within the country | | | | | |
| Attraction of new customers from other countries | | | | | |
| Meeting customer expectations and ensuring convenience | | | | | |
| Advantages of the remote process against the physical process for economic reasons (lower costs, etc.) | | | | | |
| Advantages of the remote process against the physical process for risk management reasons (more accurate results, etc.) | | | | | |

3. Remote identification using third-party information on the customer or the beneficial owner

In accordance with Article 11(1)(1) of the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing, third-party information may be used under the procedure laid down in Article 13 including but not limited to situations where third parties are obliged entities, third parties immediately provide all information requested, the customer has been identified by a third party when physically present, etc.

Does your institution use or intend to use this tool (irrespective of the scale of its use)? [Uses, intends to use, does not use and does not intend to use, no opinion]
Please explain what legal or practical obstacles to use this tool there are.
What, in your opinion, are the advantages of this remote identification tool? How does this instrument contribute to the attainment of your institution’s objectives associated with remote identification?
What, in your opinion, are the disadvantages of this remote identification tool?
What, in your opinion, is the likely evolution of this remote identification instrument within the next 2 to 3 years? [May become commonly used, may be used to a certain extent for certain services, most probably will still be unused, no opinion]
How do you assess the accessibility, security and accuracy of information provided by third parties?

| | Very good | Good | Moderate | Poor | Very poor | No opinion |
|---|---|---|---|---|---|---|
| Accessibility | | | | | | |
| Accuracy | | | | | | |
| Security | | | | | | |


4. Remote identification using e-identification means issued in the EU

In accordance with Article 11(1)(2) of the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing, identity can be established using EU e-identification schemes with the level of assurance high or substantial.

Does your institution use or intend to use this tool (irrespective of the scale of its use)? [Uses, intends to use, does not use and does not intend to use, no opinion]
Please explain what e-identification scheme you use or intend to use.
What legal or practical obstacles to use this tool are there?
What, in your opinion, are the advantages of this remote identification tool? How does this method contribute to the attainment of your institution’s objectives associated with remote identification?
What, in your opinion, are the disadvantages of this remote identification tool?
What, in your opinion, is the likely evolution of this remote identification instrument within the next 2 to 3 years? [May become commonly used, may be used to a certain extent for certain services; most probably will still be unused; no opinion]
How do you assess the accessibility, security and accuracy of EU-issued e-identification instruments?

| | Very good | Good | Moderate | Poor | Very poor | No opinion |
|---|---|---|---|---|---|---|
| Accessibility | | | | | | |
| Accuracy | | | | | | |
| Security | | | | | | |

5. Remote identification using a qualified e-signature

In accordance with Article 11(1)(3) of the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing, customers may be identified by using qualified e-signatures provided by trust service providers conducting business in accordance with the eIDAS Regulation.

Does your institution use or intend to use this tool (irrespective of the scale of its use)? [Uses, intends to use, does not use and does not intend to use, no opinion]
Please explain qualified signatures of which service providers you use or intend to use.
What legal or practical obstacles to use this tool are there?
What, in your opinion, are the advantages of this remote identification tool? How does this method contribute to the attainment of your institution’s objectives associated with remote identification?
What, in your opinion, are the disadvantages of this remote identification tool?
What, in your opinion, is the likely evolution of this remote identification instrument within the next 2 to 3 years? [May become commonly used, may be used to a certain extent for certain services, most probably will still be unused, no opinion]
How do you assess the accessibility, security and accuracy of qualified e-signatures?

| | Very good | Good | Moderate | Poor | Very poor | No opinion |
|---|---|---|---|---|---|---|
| Accessibility | | | | | | |
| Accuracy | | | | | | |
| Security | | | | | | |

6. Remote identification by direct video streaming

Article 11(1)(4) of the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing provides for two identification alternatives using direct video streaming: (1) direct video streaming/image transmission (to record the document) and at least an advanced e-signature under the eIDAS Regulation; (2) direct video streaming/image transmission (to record the facial image and the document).

Does your institution use or intend to use a tool based on direct video streaming/image transmission (for documents) and at least an advanced e-signature (irrespective of the scale of such use)? [Uses, intends to use, does not use and does not intend to use, no opinion]
Please explain the services of which providers you use or intend to use.
What legal or practical obstacles to use this tool are there?
Does your institution use or intend to use a tool based on direct video streaming/image transmission (for the facial image and documents) (irrespective of the scale of such use)? [Uses, intends to use, does not use and does not intend to use, no opinion]
Please explain the services of which video streaming providers you use or intend to use.
What legal or practical obstacles to use this tool are there?
What, in your opinion, are the advantages of this remote identification tool? How does this method contribute to the attainment of your institution’s objectives associated with remote identification?
What, in your opinion, are the disadvantages of this remote identification tool?
What, in your opinion, is the likely evolution of this remote identification instrument within the next 2 to 3 years? [May become commonly used, may be used to a certain extent for certain services, most probably will still be unused, no opinion]
How do you assess the accessibility, security and accuracy of remote identification using direct video streaming/image transmission tools?

| | Very good | Good | Moderate | Poor | Very poor | No opinion |
|---|---|---|---|---|---|---|
| Accessibility | | | | | | |
| Accuracy | | | | | | |
| Security | | | | | | |

7. Remote identification using a payment order and a copy of the document

In accordance with Article 11(1)(5) of the Law of the Republic of Lithuania on the prevention of money laundering and terrorist financing, identity can be established by using a payment order from third credit institutions and a certified paper copy of a personal identification document.

Does your institution use or intend to use this tool (irrespective of the scale of its use)? [Uses, intends to use, does not use and does not intend to use, no opinion]
Please explain what legal or practical obstacles to use this tool there are.
What, in your opinion, are the advantages of this remote identification tool? How does this method contribute to the attainment of your institution’s objectives associated with remote identification?
What, in your opinion, are the disadvantages of this remote identification tool?
What, in your opinion, is the likely evolution of this remote identification instrument within the next 2 to 3 years? [May become commonly used, may be used to a certain extent for certain services, most probably will still be unused, no opinion]
How do you assess the accessibility, security and accuracy of this remote identification method?

| | Very good | Good | Moderate | Poor | Very poor | No opinion |
|---|---|---|---|---|---|---|
| Accessibility | | | | | | |
| Accuracy | | | | | | |
| Security | | | | | | |

8. Other remote identification means

What other remote identification means or trends (not mentioned before) would you recommend paying attention to?
What would you suggest amending in legislation to make remote identification more reliable, accessible and secure?
______
