Shufti-Sphere-Website-Banner
burger-menu cross-icon-2

Resources

us

216.73.216.200

FMA Video Identification in Austria: FM-GwG Compliance Guide for Financial Institutions

TL;DR

  • Austria’s FM-GwG requires financial institutions to follow eight mandatory VideoIdent requirements for compliant remote onboarding.
  • FMA-compliant onboarding includes secure identity verification, document checks, and complete audit evidence.
  • Austria’s VideoIdent rules differ from Germany’s BaFin framework, particularly regarding typed-code verification and active monitoring.
  • Shufti supports FM-GwG compliance with document verification, liveness detection, and AML screening in a single onboarding workflow.

FMA supervisors reviewing an Austrian bank’s remote onboarding evidence file in 2026 keep asking the same question. Does the current VideoIdent flow actually satisfy the Financial Market Authority (Finanzmarktaufsicht, or FMA) under the Financial Markets Anti-Money Laundering Act, the FM-GwG? The answer matters. Austrian banks, payment institutions, e-money issuers, crypto-asset service providers, insurers, and securities firms all rely on attended video identification to onboard customers without an in-person branch visit.

A weak evidence pack, an undertrained operator, or a missing typed code entry can void the verification and trigger an enforcement file. Compliance heads and decision maker should know what FMA video identification Austria requires in 2026, how it differs from Germany’s BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) regime under Circular 3/2017, and where Austria video ident compliance teams typically slip.

What Austria’s FM-GwG requires for video identification

The FM-GwG sets the baseline for identity verification of customers in regulated financial relationships. Section 6 of the Act allows remote identification through secure video procedures, and the FMA has issued Online-IDV guidance that details exactly what “secure” means in practice. FM-GwG KYC remote Austria is shaped by these eight load-bearing elements.

  1. Trained operator working from a secured location. The agent must be a vetted employee of the obliged entity (or a properly contracted provider) operating from a controlled premises. Home offices, co-working desks, and customer-facing branches do not satisfy the standard.
  2. Explicit consent on record. The user gives recorded, on-camera consent before identification begins. Pre-call click-through consent does not satisfy FMA expectations.
  3. Document inspection that includes a hologram tilt and a lamination check. The operator inspects the document live, verifying tactile and visual security features. The machine-readable zone (MRZ) must validate against the visual data on the document.
  4. Spoken verbal challenge of at least four characters. A randomly generated alphanumeric string is read aloud by the user during the call, defeating pre-recorded video attacks.
  5. Typed numeric code entry. A second, system-generated numeric code is sent to the user’s registered channel and typed into the session interface as a binding factor. This is a structural difference from the German regime and is a frequent gap in flows ported from BaFin.
  6. Structured screenshot set. Defined-quality images of the user’s face, the document front, and the document back are captured during the call and packaged into the evidence file.
  7. Active monitoring of procedures. A supervisor or QA process actively monitors a defined portion of sessions, with documented checks and drift sampling on top.
  8. Mandatory termination of doubt. If the operator suspects fraud, manipulation, or coercion, the session must be terminated and escalated. Continuing the session “to be sure” voids the evidence.

Skip any one of these and the verification can be challenged by the FMA at audit.

Which Austrian financial institutions must use FMA-compliant video identification

The FM-GwG applies broadly. Any obliged entity under § 1 FM-GwG that performs remote customer identification falls under the FMA’s Online-IDV rules. The list is wider than many compliance teams assume, and the obligation does not switch off just because a relationship is small or a product is digital-only. Six categories of institutions carry the bulk of FMA video ident compliance volume in Austria.

Banks and credit institutions

Tier 1 and Tier 2 Austrian banks, building societies, regional Sparkassen, and Raiffeisen branches use FMA-compliant video ident for current accounts, lending decisions, and securities accounts opened remotely.

Payment and e-money institutions

Licensed payment service providers under the Austrian Payment Services Act (ZaDiG) and e-money issuers verify customers under the same standard. PSD2 strong customer authentication is a separate obligation. The FM-GwG governs the identity step itself.

Crypto-asset service providers

Austrian CASPs registered with the FMA, and from 2025 onward those licensed under the EU’s Markets in Crypto-Assets Regulation (MiCA), must use compliant video identification for non-face-to-face onboarding. Travel Rule and customer due diligence add overlapping evidence requirements that examiners cross-reference.

Insurance companies

Life insurers and other insurers covered by § 1 FM-GwG verify policyholders under the same regime. Pure motor third-party policies and certain non-life lines are out of scope, but most consumer-facing life and investment products are not.

Investment firms and fund managers

WAG-licensed investment firms, InvFG-regulated fund managers, and securities firms onboarding retail or professional clients use FMA video ident as the high-assurance default whenever no branch visit happens.

Other obliged entities

Currency exchange offices, real estate intermediaries above transaction thresholds, and certain commercial agents fall under FM-GwG when relationships qualify as regulated. Lawyers, notaries, and tax advisors handling client funds in scope of the Act follow the same identification standard.

How Austria’s FMA Online-IDV differs from Germany’s BaFin Circular 3/2017

DACH compliance teams running both jurisdictions often assume one VideoIdent flow can cover both. It cannot. The two regimes share a philosophy that attended video equals face-to-face, but they diverge on six structural requirements that drive flow design and operator training.

Requirement Austria (FM-GwG / FMA Online-IDV) Germany (BaFin Circular 3/2017)
Verbal challenge Spoken random alphanumeric, ≥4 characters Spoken random alphanumeric, no fixed length floor
Second factor Typed numeric code into the session UI TAN/OTP delivered to a registered channel
Document features Hologram tilt + lamination as named checks 3+ random security features from an enumerated list, plus MRZ
Required screenshots Structured face + ID front + ID back at defined quality Photo of user holding ID, plus security feature captures
Active monitoring Mandatory live or sampled supervision of procedures QA sampling and drift checks (sampling can be retrospective)
Retention At least 5 years, up to 10 depending on record class 5 years from end of business relationship

The biggest practical difference is the typed code. Austria requires a system-generated numeric code typed into the session interface, not just sent as a TAN to the user’s phone. A flow built for BaFin that only delivers a TAN and asks the user to read it back is non-compliant in Austria without that typed-entry step.

The second difference is monitoring intensity. BaFin tolerates QA sampling after the fact. The FMA expects active monitoring of procedures, which the regulator has interpreted to mean live supervision of a defined portion of sessions, plus documented sampling of the rest. Operators running both regimes either build two distinct flows or build one configurable flow that switches behaviour based on the user’s jurisdiction. The second approach scales better and reduces operator training overhead.

The third difference is documentation depth. Austrian audit files lean heavily on the structured screenshot set and the typed-code binding artefact. German files lean on the full feature-by-feature security check log. A unified evidence pack should produce both styles on demand.

Operational requirements: agents, premises, and active monitoring

The FMA cares as much about how a video session is run as what the session captures. Three operational pillars carry weight in audits and surface repeatedly in enforcement findings. Compliance teams that focus only on the session script and the evidence pack still fail readiness reviews when training records, premises controls, and quality assurance (QA) documentation are not in defensible shape.

Agent training and reliability

FM-GwG requires operators to be reliable employees of the obliged entity or a properly contracted third party. “Reliable” is interpreted as background-checked, with documented initial training and recurring annual refresher training that covers identity fraud, document security features, deepfake awareness, and escalation procedures. Training records become part of the audit file. An operator without a current training certificate is treated by examiners as untrained, regardless of years on the job.

Secured premises

Operators must run sessions from secured rooms. Home offices, co-working desks, and customer-facing branches where third parties can observe are non-compliant. Premises controls include access logs, no recording devices outside the session system, and clean-desk policies. Recent FMA examination practice has included examiners requesting agent-room photos and access logs alongside session recordings during routine inspections.

Active monitoring of procedures

The FMA expects monitoring to be active rather than passive. In practice that means supervisors live-watch a defined percentage of sessions in real time, with sampling on top for the rest. Drift checks confirm that operators are following the script, performing security feature inspections rather than skipping them under time pressure, and applying termination rules consistently. QA findings feed back into operator training and into the evidence file as evidence of systemic improvement.

Where compliance teams trip up is documentation. The session itself can be flawless, but if training records, premises controls, and QA logs are not retrievable in a defensible structure, the FMA can still treat the verification as deficient at examination.

Evidence packs and retention under FM-GwG

The FMA reviews video identification through the evidence file. A complete file is the difference between a session that survives an audit and one that produces a finding the institution then has to remediate.

A defensible FM-GwG evidence pack contains the following artefacts.

  • Full audio and video recording of the entire session, from consent capture through to termination
  • The structured screenshots of user face, document front, and document back at the defined quality
  • Verbal challenge transcript and operator confirmation that the spoken sequence was correct
  • Typed numeric code entry confirmation, including timestamp and binding to the session ID
  • Hologram tilt and lamination inspection notes by the operator
  • Consent record with timestamp and the exact consent wording shown to the user
  • Operator identifier, training-status snapshot, and premises identifier
  • Decision rationale and, if applicable, escalation or termination note

Retention under FM-GwG runs at least five years after the business relationship ends. Certain record classes such as suspicious activity reports and cross-border high-risk classifications extend to ten years. Storage must be tamper-evident and retrievable on regulator request, typically within 24 to 48 hours of a formal information request.

Two recurring findings from FMA audits are worth flagging for any institution running FMA remote onboarding financial flows. One is missing or partial recordings, often caused by a network drop where the operator continued the session locally without a backup capture. The second is recordings without binding metadata. A video file with no link back to the session ID, the operator, the typed code, or the consent timestamp is treated by examiners as unretrievable evidence.

How Shufti helps Austrian institutions meet FMA Online-IDV requirements

Shufti’s VideoIdent is built for DACH compliance from day one. The Austria flow is configured to FMA Online-IDV requirements out of the box. Hologram tilt and lamination inspection, typed numeric code entry, structured screenshot capture, and the spoken verbal challenge are baked into the operator script and the session interface.

Three platform capabilities map directly to common audit gaps Austrian compliance teams flag during readiness reviews.

The first is a complete evidence pack. Every session produces a single audit-ready file containing synchronised audio and video, structured screenshots, MRZ validation output, hologram inspection notes, typed code confirmation, consent timestamp, and operator identifier. Examiners can pull a session by ID and review every load-bearing artefact in one place rather than reconciling outputs from multiple systems.

The second is operating model flexibility. Austrian institutions can route sessions through Shufti’s trained agents, bring their own in-house team using Shufti’s infrastructure and QA tooling, or run a hybrid where in-house agents handle business hours and Shufti covers nights, weekends, and overflow. All three models produce identical evidence packs under the same FMA standard. Agent coverage spans English, French, Spanish, and German natively rather than through a translation layer, which matters for Austrian institutions onboarding non-German-speaking customers.

The third is risk-based step-up. The platform routes routine, low-risk customers through automated identity verification and reserves attended video for FM-GwG-required scenarios such as high-value relationships, politically exposed person (PEP) hits, device anomalies, and tier upgrades. That keeps operator volume controlled without weakening the compliance baseline. The same single integration covers document checks, face verification with liveness, and AML screening, so Austrian institutions consolidate evidence rather than stitch outputs together. The platform is SOC 2 Type II and ISO 27001 certified, with EU data residency.

Austrian financial institutions piecing together remote onboarding for FM-GwG compliance keep hitting the same gap, where a flow built for BaFin falls short in Austria without typed-code binding and active monitoring of procedures. Shufti’s VideoIdent ships a configured Austria flow with the eight FM-GwG elements baked in, plus operating-model flexibility for in-house, outsourced, or hybrid agent coverage. Request a Shufti demo to see the FMA flow run end to end with a sample audit file modelled on a real FM-GwG session.

Frequently Asked Questions

What operator training does Austria's FM-GwG require for VideoIdent sessions?

The FMA expects documented initial and recurring annual training covering ID document security features, fraud and deepfake detection, escalation rules, and consent handling. Operators must be reliable employees with background checks. Training records form part of the audit file and must be available to examiners on request.

How long must Austrian firms retain VideoIdent recordings under FMA rules?

At least five years after the business relationship ends. Certain higher-risk record classes such as suspicious activity reports and cross-border high-risk classifications extend to ten years. Storage must be tamper-evident, time-stamped, and retrievable within 24 to 48 hours of a formal FMA request.

Can Austrian institutions outsource VideoIdent to third-party providers?

Yes. The FM-GwG permits outsourcing under § 23 to qualifying providers, but the obliged entity retains full responsibility. The contract must spell out training, premises, monitoring, evidence retention, and audit access. The FMA can audit the third-party provider directly when it considers it necessary.

What happens if a VideoIdent session is interrupted mid-call under FMA rules?

The session must be terminated and treated as incomplete. Operators cannot resume on a different connection or use partial evidence to confirm identity. The user restarts a fresh session. Partial recordings are stored as part of the audit trail along with the documented termination reason.

Related Posts

Shufti Blog

What is Biometric Verification: Meaning, Types, Technology & Tools

What is Biometric Verification: Meaning, Types, Technology & Tools

Explore More

Shufti Blog

What Is Transaction Screening? Definition, Process, and How It Works

What Is Transaction Screening? Definition, Process, and How It Works

Explore More

Shufti Blog

Florida SB1161 and Deepfake Platform Accountability: What the Law Requires (Updated October 2025)

Florida SB1161 and Deepfake Platform Accountability: What the Law Requires (Updated October 2025)

Explore More

Shufti Blog

VideoIdent for German Crypto Exchanges: MiCA, GwG and BaFin Compliance Guide for CASPs

VideoIdent for German Crypto Exchanges: MiCA, GwG and BaFin Compliance Guide for CASPs

Explore More

Shufti Blog

Video Identification in Switzerland: FINMA Compliance Guide for Banks, Insurance and Asset Managers

Video Identification in Switzerland: FINMA Compliance Guide for Banks, Insurance and Asset Managers

Explore More

Shufti Blog

FMA Video Identification in Austria: FM-GwG Compliance Guide for Financial Institutions

FMA Video Identification in Austria: FM-GwG Compliance Guide for Financial Institutions

Explore More

Shufti Blog

Qualified Electronic Signature (QES): Meaning, Requirements, and When You Need One

Qualified Electronic Signature (QES): Meaning, Requirements, and When You Need One

Explore More

Shufti Blog

What is Biometric Verification: Meaning, Types, Technology & Tools

What is Biometric Verification: Meaning, Types, Technology & Tools

Explore More

Shufti Blog

What Is Transaction Screening? Definition, Process, and How It Works

What Is Transaction Screening? Definition, Process, and How It Works

Explore More

Shufti Blog

Florida SB1161 and Deepfake Platform Accountability: What the Law Requires (Updated October 2025)

Florida SB1161 and Deepfake Platform Accountability: What the Law Requires (Updated October 2025)

Explore More

Shufti Blog

VideoIdent for German Crypto Exchanges: MiCA, GwG and BaFin Compliance Guide for CASPs

VideoIdent for German Crypto Exchanges: MiCA, GwG and BaFin Compliance Guide for CASPs

Explore More

Shufti Blog

Video Identification in Switzerland: FINMA Compliance Guide for Banks, Insurance and Asset Managers

Video Identification in Switzerland: FINMA Compliance Guide for Banks, Insurance and Asset Managers

Explore More

Shufti Blog

FMA Video Identification in Austria: FM-GwG Compliance Guide for Financial Institutions

FMA Video Identification in Austria: FM-GwG Compliance Guide for Financial Institutions

Explore More

Shufti Blog

Qualified Electronic Signature (QES): Meaning, Requirements, and When You Need One

Qualified Electronic Signature (QES): Meaning, Requirements, and When You Need One

Explore More

Take the next steps to better security.

Contact us

Get in touch with our experts. We'll help you find the perfect solution for your compliance and security needs.

Contact us

Request demo

Get free access to our platform and try our products today.

Get started