EBA Remote Onboarding (GL/2022/15): Didit's Adequacy
The EBA's guidelines on remote customer onboarding (EBA/GL/2022/15) set the bar for compliant video and document onboarding in the EU. An independent finReg360 legal opinion concludes Didit's remote onboarding meets it.

For most of the last decade, "can we onboard customers remotely?" was a question every European bank, electronic money institution (EMI), and payment firm answered nervously — with a patchwork of national rules, supervisory expectations, and legal opinions. In 2022 the European Banking Authority (EBA) finally drew a single line in the sand: Guidelines EBA/GL/2022/15 on the use of remote customer onboarding solutions. They tell regulated firms exactly what a compliant remote onboarding process must do.
Didit was built for those guidelines. And it doesn't just claim adequacy — an independent legal advisory, finReg360, examined the Didit remote onboarding tool against EBA/GL/2022/15 and the incoming EU Anti-Money-Laundering (AML) Single Rulebook and concluded it is adequate. This post explains what the guidelines require, why that matters, and exactly how Didit satisfies them.
Key takeaways
- EBA/GL/2022/15 is the EU-wide standard for compliant remote customer onboarding under Anti-Money-Laundering and Counter-Terrorist-Financing (AML/CFT) rules — it tells firms how to capture, verify, and assure identity at a distance.
- It requires reliable identity-document capture, proof the person is real and present (liveness), a match between the document and the person, and a complete, auditable record of every step.
- finReg360 — an independent Spanish AML/CFT legal advisory — issued a memo dated 2026-04-28 concluding that Didit's remote onboarding tool meets EBA/GL/2022/15 and is compatible with the incoming EU AML Single Rulebook.
- The opinion supports that, with Didit's automated controls in place, the video-identification process does not require manual human review.
- Didit maps each guideline requirement to a concrete control: document verification, NFC chip reading, active and passive liveness, biometric face match, and a full audit trail via webhooks.
- The same posture is reinforced by Didit's other attestations, including the Spanish Tesoro / SEPBLAC / CNMV sandbox conclusion that Didit's remote verification meets and exceeds in-person identification.
What the rule requires
EBA/GL/2022/15 applies to credit and financial institutions across the EU and governs how they may rely on remote solutions — video, document capture, biometrics — to identify and verify a customer at the start of a business relationship. The guidelines set expectations across several areas:
- Reliable identity capture. The solution must capture the customer's identity documents in a way that lets the firm assess their authenticity, validity, and integrity — detecting tampering, forgery, and reused images.
- Proof of presence and authenticity (liveness). The firm must be satisfied the person being onboarded is real, present, and the genuine holder of the document — not a photo, a video replay, a mask, or a deepfake.
- Binding the person to the document. A reliable match between the live person and the photograph on the identity document.
- Risk-sensitivity. Stronger controls where money-laundering risk is higher; the ability to escalate to additional checks.
- Record-keeping and auditability. A complete, tamper-evident record of the onboarding — what was captured, what was checked, what the outcome was — retained and retrievable for supervisors.
- Quality and oversight of the solution, including pre-implementation testing and ongoing monitoring of its performance.
A recurring practical question under the guidelines is whether a firm must keep a human reviewer in the loop for every video-identification — a costly model that doesn't scale. The guidelines allow automated processes provided the controls are robust enough to deliver an equivalent level of assurance.
Why it matters
The cost of getting remote onboarding wrong runs in two directions. Onboard too loosely and you let fraudsters, mules, and sanctioned parties into the system — with the fines and enforcement actions that follow. Onboard too tightly, with a human reviewing every session, and you bottleneck growth, inflate cost per customer, and lose applicants to drop-off.
EBA/GL/2022/15 is the reference point supervisors and Money Laundering Reporting Officers (MLROs) use to judge whether a firm's remote onboarding is defensible. When a vendor can show — backed by an independent legal opinion — that its tool satisfies those guidelines, the MLRO's procurement risk drops sharply. The harder question ("does this let us drop manual review?") is exactly the one the finReg360 memo addresses.
How Didit helps
Didit's remote onboarding is a composable set of automated controls, each mapping to an EBA requirement:
- Identity-document verification. Didit reads and validates over 14,000 document types from 220+ countries and territories, checking authenticity, validity, and integrity — the reliable-capture requirement.
- NFC chip reading. For documents with an electronic chip, Didit reads the cryptographically signed data directly from the chip ($0.15 per read), giving the highest-assurance proof that the document data is genuine and untampered.
- Active and passive liveness. Passive liveness ($0.10) and active liveness ($0.15) confirm a real, present human — directly answering the presence-and-authenticity requirement. Didit's Presentation Attack Detection is independently tested to iBeta Level 1 under ISO/IEC 30107-3, with a 0% attack success rate / 0% IAPAR across 360 attack attempts.
- Biometric face match. Face Match 1:1 ($0.05) binds the live person to the document photo — the document-to-person link the guidelines demand.
- Full audit trail. Every step emits webhook events (status.updated, data.updated) and is recorded for retrieval, satisfying the record-keeping and auditability requirement.
- Risk-sensitivity through orchestration. Didit's no-code Workflow Builder lets you compose exactly the checks a given risk tier needs and escalate — add Anti-Money-Laundering screening ($0.20, 1,300+ lists), proof of address ($0.20), or step-up verification — on a risk basis.
Didit's core verification flow — ID + passive liveness + face match + Internet Protocol (IP) analysis — starts at $0.33, with 500 free checks every month and pay-per-success billing.
Deep dive: the finReg360 adequacy opinion
On 2026-04-28, finReg360, an independent AML/CFT legal advisory in Madrid, issued a formal memo analyzing whether Didit's remote customer-onboarding tool is adequate under EBA/GL/2022/15 and the new EU regulatory framework. The memo works through the regulatory framework for non-face-to-face identification under AML/CFT rules, the current Spanish position, the European situation following the entry into force of the EU AML Single Rulebook, and a specific analysis of whether manual review of the video-identification process is required.
Its conclusion: Didit's remote onboarding tool meets the EBA Guidelines on the use of remote customer onboarding solutions and is compatible with the incoming EU AML Single Rulebook — and the video-identification process does not require manual human review when Didit's automated controls are in place.
This is the document an MLRO can put in front of a board or a supervisor: an independent legal opinion, not a vendor self-assessment. It is distributable to prospects and customers on request. It complements the Tesoro / SEPBLAC / CNMV sandbox conclusion — the only EU member-state government attestation that a remote identity verification tool meets and exceeds in-person identification standards.
Use cases
- EU neobanks and EMIs that need a defensible, fully remote onboarding flow without staffing a manual video-review team.
- Payment institutions scaling across multiple EU markets that need one onboarding standard supervisors recognize.
- Crypto VASPs preparing for the EU AML Single Rulebook and Markets in Crypto-Assets (MiCA) obligations.
- Lenders and brokerages that must demonstrate risk-sensitive onboarding to regulators during audits.
Frequently asked questions
What is EBA/GL/2022/15?
It is the European Banking Authority's guidelines on the use of remote customer onboarding solutions — the EU-wide standard for how regulated firms may verify identity remotely under AML/CFT rules.
Does Didit's remote onboarding require a human to review every session?
According to the independent finReg360 legal opinion, no — with Didit's automated controls in place, the video-identification process does not require manual human review. You can still add manual review on a risk basis through orchestration if your internal policy requires it.
Is the finReg360 memo something I can share with my regulator?
It is distributable to prospects and customers on request. It is an independent legal opinion intended exactly for procurement and MLRO use; whether to submit it to a supervisor is your firm's decision.
How does Didit prove liveness to the standard the guidelines expect?
Through active and passive liveness checks whose Presentation Attack Detection is independently tested to iBeta Level 1 under ISO/IEC 30107-3, achieving a 0% attack success rate across 360 attack attempts.
Does this cover the new EU AML Single Rulebook too?
The finReg360 memo concludes Didit's remote onboarding is compatible with the incoming EU AML Single Rulebook, in addition to EBA/GL/2022/15.
Ready to get started?
See Didit's attestations and regulatory posture on the trust hub, explore the ID Verification product, and review transparent per-check pricing on the pricing page. When you're ready, start free — 500 free KYC checks every month, with a core verification flow from $0.33.