Response to consultation on draft Guidelines on the use of remote customer onboarding solutions
Go back
An informative note is requested on the main issues which affect electronic identification in the draft document EBA/CP (2021), dated December 10th, prepared by the European Banking Authority (hereinafter referred to as EBA Standard).
This document aims to put forward a strategic objective to offer benefits to consumers and businesses in the field of digital financial services and counteract the risks which may arise, mainly in the field of digital on-boarding.
From this perspective, and taking into consideration that Electronic Identification, S.L. is an entity which has been working in the field of technological and legal security of on-boarding processes and electronic identification for almost 10 years, we want to put forward our point of view in relation to the content of the Standard.
We must consider that the objective is to try to harmonize all areas of electronic identification, regardless of the specific sector in which it is developed, taking into account that we are currently in a process of harmonization of regulations affecting electronic identification at European level.
All of this is based on the obligations and risks which may arise as a result of the regulations in relation to money laundering and the prevention of the financing of terrorism (ML/FT).
Based on all of the above, we wish to highlight the following:
CONSIDERATIONS
FIRSTLY. - EBA DOCUMENT GUIDELINES: USE OF IMAGES AND COPIES OF DOCUMENTS.
As a preliminary, we must point out that the guidelines offered in the document reflect the point of view of the EBA within the scope of the European System of Financial Supervision or how the European regulations should be applied.
From this perspective, the document offers a series of interpretive guidelines for financial entities to consider when integrating their digital on-boarding processes. Although the query does not mention the ETSI TS 119 461 Standard (Policy and security requirements for trust service components providing identity proofing of trust service subjects), and, therefore, a problem with the proposed guidelines is that they can be said to be at a level lower than the requirements of the ETSI document. Although the ETSI TS 119 461 Standard refers specifically to trust services and therefore direct reference to the guidelines cannot be made, it would be beneficial to align identity verification requirements in all three areas: trust services, issuance of electronic identification and incorporation into financial services, given that otherwise, all the systems created in the financial sector where streaming video prevails instead of the lowest level to which these guidelines point would be contradictory.
In this spirit, we focus our analysis on those sections that we perceive an implied risk to the digital onboarding process:
• Use of images or copies of identity documents:
Sections 4.2 and 4.3 of the Standard establish the criteria for the identification procedure and the authenticity and integrity of the documents, introducing the possibility of using images and copies of scanned identity documents, eg. 4.3. (33).
These image-capturing systems compromise both the legal certainty of the process and technological security, since the requirements established in sections a) to e), are of very doubtful guaranteed standards when they are based on images or mere copies.
This situation has been shared by the European Regulator in the field of electronic identification, both eIDAS and eIDAS 2 -in the current drafting phase-; as well as by the different European organizations which have come to generate legal and technical certainty in relation to the identification process. Thus, for example, the ETSI regulation mentioned above, establishes remote identification mechanisms for the issuance of qualified certificates, abandoning the validity of mechanisms based on simple images. The aforementioned ETSI TS 119 461 regulation establishes four specimen use cases which offer different alternatives, which, in turn, offer accessibility to facilitate users, without the mere use of an image being a sufficient source to prove the identity of a natural or legal person.
In pursuit of this aim, we must also point out that the security of this image utilization system has been questioned by national AML regulators, in fact, all local legislation in the financial sector published to date has validated the video security model in streaming, in turn discarding these simply image-based systems.
Annex I "Existing regulation on digital onboarding" identifies the existing regulation in force that some countries have implemented for digital onboarding. They include regulations, procedures or authorizations which specifically contemplate the non-face-to-face or remote identification of clients in the financial sector, in other words, digital onboarding. All of them include a technical and good governance model so that regulated entities can implement them with the maximum guarantees of digital onboarding success.
Therefore, we understand that any EBA guide should explicitly avoid weak identification systems, and instead turn to systems which have been worked on for many years, and which allow a higher level of security to be established, and provide indisputable ease in respect of usability and implementation. These systems begin by establishing end-to-end streaming video in order to obtain proof of identity.
This system is mostly used in secure electronic identification environments, given that the entire industry has been collaborating with Electronic Trust Service Providers to generate this security environment which is subsequently reflected in the ETSI regulations.
Therefore, it does not seem reasonable that the EBA guidelines diverge from these standards and address the possibility of identifying a client through weak identification systems. Quite to the contrary, they should try to harmonize the safe processes that the industry has been accepting and that both European and national regulators consider appropriate. The opposite of this would entail doubts arising in the financial entities and a differentiating criterion regarding the implementation of their digital on-boarding systems, which, additionally would not have the same legal and technical security, nor with traces and sufficient evidence in relation to electronic identification processes for digital on-boarding.
Consequently, and in accordance with all of the above, we understand that it is necessary to remove any identification system from the EBA guide which is not in accordance with the provisions of Regulation 910/2014, as established in Section 4.5 of the guide itself, as well as establishing specific use cases in the remote identification process, taking as a reference point those established by the ETSI TS 119 461 Standard, given that they are robust identification systems. For this purpose, the references established in section 4.2 and 4.3 should eliminate any reference to images and copies of identity documents, in order to avoid interpretations by which it can be considered that an identification process for the on-boarding of a client, by electronic means, may be valid in cases where selfies or photo submissions or copies of identity documents are used.
APPENDIX I
1. Germany
Federal Financial Supervisory Authority (BaFIN). Notice 3/2017 (GW) which allows a video identification procedures-BaFin procedure (the entire document). March 2014.
Federal Office for Information Security (FOIS). Technical Guide TR-03147, Evaluation of the Assurance Level of the Procedures for Verifying the Identity of Natural Persons, all part of section 5 (pp.20-25). Version 1.0.4. (December 2018).
2. Argentina
Financial Intelligence Unit (FIU). Resolution 28/2018 (Arts. 21 and seq.) and 21/2018 (Chapter III), in consultation with the National Securities Commission (CNV): enabled the implementation of technological platforms for regulated entities in the insurance and market sectors of capital, respectively, which allow carrying out procedures remotely without personal presentation of the documentation, applying a risk-based approach. March 2018 (28/2018 and 21/2018).
3. Austria
Bundesgesetzblatt (Federal Law Sheet). Identification Ordinance, IVO, specifically point 5 on the use of technologies and security measures for identification. January 2019.
4. Colombia
External Notice 027 of September 2020 by the Financial Superintendence of Colombia that gives instructions regarding the management of the risk of money laundering and the financing of terrorism. It established which entities can carry out know-your-customer procedures in person or remotely through the use of digital or electronic channels. The standard allows entities to obtain the necessary information to carry out know-your-customer procedures using data and information from reliable and independent sources.
5. South Korea
Financial Services Commission (FSC): introduces a plan which allows digital onboarding in the context of a law to introduce fully online banks in the country. June 2015.
6. Spain
Servicio Ejecutivo de la Comisión de Prevención de Blanqueo de Capitales e Infracciones Monetarias (Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses or SEPBLAC). There are two authorizations in Spain that allow digital onboarding:
- Authorization of remote identification procedure by videoconference. February 2016.
- Authorization of remote identification procedure by video identification. May 2017.
7. United States of America
Department of Commerce − National Institute of Standards and Technology (NIST). The document is a special publication 800-63.ª that provides the requirements for enrolment and proof of identity for applicants who want to obtain access to resources at each level of insurance of the identity. It refers specifically to the sections that are normative. June 2017.
8. Honk Kong
Hong Kong Monetary Authority (HKMA) Remote Onboarding Authorization of Individual Clients. Notice from the country's monetary authority. February 2019.
9. Italy
Public System for Digital Identity (SPID). The Italian Digital Agency defines the strict set of measures to obtain a digital identity via an online channel.
10. Japan
Japan Financial Services Agency (FSA). Legislation on eKYC that allows remote identity verification. 2007.
11. Lithuania
Law on the Prevention of Money Laundering and Terrorist Financing and amendments. As part of its AML laws, it allows non-face-to-face digital onboarding. December 2016.
12. Mexico
Comisión Nacional Bancaria y de Valores (National Banking and Securities Commission or CNBV). Resolution that modifies the general provisions applicable to credit institutions, and reinforces customer identification and allows digital onboarding through video-conferencing. August 2017
13. Portugal
Bank of Portugal (BoP). The procedure which allows the digital onboarding of clients is included in the updated PBCFT Standard. February 2018.
14. United Kingdom
Financial Conduct Authority (FCA). Establishes a base guide with regulations on the Proof of Identity and Verification of Persons for the financial sector, released by the Cabinet Office Government Digital Service. January 2016.
15. Singapore
Monetary Authority of Singapore (MAS). Regulates the use of technologies to improve the customer experience in relation to financial institutions and AML laws. January 201
16. Switzerland
Swiss Financial Market Supervisory Authority (FINMA). Notice 2016/7. It establishes the requirements for online identification by video and the requirements for customer onboarding through digital channels. July 2016.
1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
PREMISEAn informative note is requested on the main issues which affect electronic identification in the draft document EBA/CP (2021), dated December 10th, prepared by the European Banking Authority (hereinafter referred to as EBA Standard).
This document aims to put forward a strategic objective to offer benefits to consumers and businesses in the field of digital financial services and counteract the risks which may arise, mainly in the field of digital on-boarding.
From this perspective, and taking into consideration that Electronic Identification, S.L. is an entity which has been working in the field of technological and legal security of on-boarding processes and electronic identification for almost 10 years, we want to put forward our point of view in relation to the content of the Standard.
We must consider that the objective is to try to harmonize all areas of electronic identification, regardless of the specific sector in which it is developed, taking into account that we are currently in a process of harmonization of regulations affecting electronic identification at European level.
All of this is based on the obligations and risks which may arise as a result of the regulations in relation to money laundering and the prevention of the financing of terrorism (ML/FT).
Based on all of the above, we wish to highlight the following:
CONSIDERATIONS
FIRSTLY. - EBA DOCUMENT GUIDELINES: USE OF IMAGES AND COPIES OF DOCUMENTS.
As a preliminary, we must point out that the guidelines offered in the document reflect the point of view of the EBA within the scope of the European System of Financial Supervision or how the European regulations should be applied.
From this perspective, the document offers a series of interpretive guidelines for financial entities to consider when integrating their digital on-boarding processes. Although the query does not mention the ETSI TS 119 461 Standard (Policy and security requirements for trust service components providing identity proofing of trust service subjects), and, therefore, a problem with the proposed guidelines is that they can be said to be at a level lower than the requirements of the ETSI document. Although the ETSI TS 119 461 Standard refers specifically to trust services and therefore direct reference to the guidelines cannot be made, it would be beneficial to align identity verification requirements in all three areas: trust services, issuance of electronic identification and incorporation into financial services, given that otherwise, all the systems created in the financial sector where streaming video prevails instead of the lowest level to which these guidelines point would be contradictory.
In this spirit, we focus our analysis on those sections that we perceive an implied risk to the digital onboarding process:
• Use of images or copies of identity documents:
Sections 4.2 and 4.3 of the Standard establish the criteria for the identification procedure and the authenticity and integrity of the documents, introducing the possibility of using images and copies of scanned identity documents, eg. 4.3. (33).
These image-capturing systems compromise both the legal certainty of the process and technological security, since the requirements established in sections a) to e), are of very doubtful guaranteed standards when they are based on images or mere copies.
This situation has been shared by the European Regulator in the field of electronic identification, both eIDAS and eIDAS 2 -in the current drafting phase-; as well as by the different European organizations which have come to generate legal and technical certainty in relation to the identification process. Thus, for example, the ETSI regulation mentioned above, establishes remote identification mechanisms for the issuance of qualified certificates, abandoning the validity of mechanisms based on simple images. The aforementioned ETSI TS 119 461 regulation establishes four specimen use cases which offer different alternatives, which, in turn, offer accessibility to facilitate users, without the mere use of an image being a sufficient source to prove the identity of a natural or legal person.
In pursuit of this aim, we must also point out that the security of this image utilization system has been questioned by national AML regulators, in fact, all local legislation in the financial sector published to date has validated the video security model in streaming, in turn discarding these simply image-based systems.
Annex I "Existing regulation on digital onboarding" identifies the existing regulation in force that some countries have implemented for digital onboarding. They include regulations, procedures or authorizations which specifically contemplate the non-face-to-face or remote identification of clients in the financial sector, in other words, digital onboarding. All of them include a technical and good governance model so that regulated entities can implement them with the maximum guarantees of digital onboarding success.
Therefore, we understand that any EBA guide should explicitly avoid weak identification systems, and instead turn to systems which have been worked on for many years, and which allow a higher level of security to be established, and provide indisputable ease in respect of usability and implementation. These systems begin by establishing end-to-end streaming video in order to obtain proof of identity.
This system is mostly used in secure electronic identification environments, given that the entire industry has been collaborating with Electronic Trust Service Providers to generate this security environment which is subsequently reflected in the ETSI regulations.
Therefore, it does not seem reasonable that the EBA guidelines diverge from these standards and address the possibility of identifying a client through weak identification systems. Quite to the contrary, they should try to harmonize the safe processes that the industry has been accepting and that both European and national regulators consider appropriate. The opposite of this would entail doubts arising in the financial entities and a differentiating criterion regarding the implementation of their digital on-boarding systems, which, additionally would not have the same legal and technical security, nor with traces and sufficient evidence in relation to electronic identification processes for digital on-boarding.
Consequently, and in accordance with all of the above, we understand that it is necessary to remove any identification system from the EBA guide which is not in accordance with the provisions of Regulation 910/2014, as established in Section 4.5 of the guide itself, as well as establishing specific use cases in the remote identification process, taking as a reference point those established by the ETSI TS 119 461 Standard, given that they are robust identification systems. For this purpose, the references established in section 4.2 and 4.3 should eliminate any reference to images and copies of identity documents, in order to avoid interpretations by which it can be considered that an identification process for the on-boarding of a client, by electronic means, may be valid in cases where selfies or photo submissions or copies of identity documents are used.
APPENDIX I
1. Germany
Federal Financial Supervisory Authority (BaFIN). Notice 3/2017 (GW) which allows a video identification procedures-BaFin procedure (the entire document). March 2014.
Federal Office for Information Security (FOIS). Technical Guide TR-03147, Evaluation of the Assurance Level of the Procedures for Verifying the Identity of Natural Persons, all part of section 5 (pp.20-25). Version 1.0.4. (December 2018).
2. Argentina
Financial Intelligence Unit (FIU). Resolution 28/2018 (Arts. 21 and seq.) and 21/2018 (Chapter III), in consultation with the National Securities Commission (CNV): enabled the implementation of technological platforms for regulated entities in the insurance and market sectors of capital, respectively, which allow carrying out procedures remotely without personal presentation of the documentation, applying a risk-based approach. March 2018 (28/2018 and 21/2018).
3. Austria
Bundesgesetzblatt (Federal Law Sheet). Identification Ordinance, IVO, specifically point 5 on the use of technologies and security measures for identification. January 2019.
4. Colombia
External Notice 027 of September 2020 by the Financial Superintendence of Colombia that gives instructions regarding the management of the risk of money laundering and the financing of terrorism. It established which entities can carry out know-your-customer procedures in person or remotely through the use of digital or electronic channels. The standard allows entities to obtain the necessary information to carry out know-your-customer procedures using data and information from reliable and independent sources.
5. South Korea
Financial Services Commission (FSC): introduces a plan which allows digital onboarding in the context of a law to introduce fully online banks in the country. June 2015.
6. Spain
Servicio Ejecutivo de la Comisión de Prevención de Blanqueo de Capitales e Infracciones Monetarias (Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses or SEPBLAC). There are two authorizations in Spain that allow digital onboarding:
- Authorization of remote identification procedure by videoconference. February 2016.
- Authorization of remote identification procedure by video identification. May 2017.
7. United States of America
Department of Commerce − National Institute of Standards and Technology (NIST). The document is a special publication 800-63.ª that provides the requirements for enrolment and proof of identity for applicants who want to obtain access to resources at each level of insurance of the identity. It refers specifically to the sections that are normative. June 2017.
8. Honk Kong
Hong Kong Monetary Authority (HKMA) Remote Onboarding Authorization of Individual Clients. Notice from the country's monetary authority. February 2019.
9. Italy
Public System for Digital Identity (SPID). The Italian Digital Agency defines the strict set of measures to obtain a digital identity via an online channel.
10. Japan
Japan Financial Services Agency (FSA). Legislation on eKYC that allows remote identity verification. 2007.
11. Lithuania
Law on the Prevention of Money Laundering and Terrorist Financing and amendments. As part of its AML laws, it allows non-face-to-face digital onboarding. December 2016.
12. Mexico
Comisión Nacional Bancaria y de Valores (National Banking and Securities Commission or CNBV). Resolution that modifies the general provisions applicable to credit institutions, and reinforces customer identification and allows digital onboarding through video-conferencing. August 2017
13. Portugal
Bank of Portugal (BoP). The procedure which allows the digital onboarding of clients is included in the updated PBCFT Standard. February 2018.
14. United Kingdom
Financial Conduct Authority (FCA). Establishes a base guide with regulations on the Proof of Identity and Verification of Persons for the financial sector, released by the Cabinet Office Government Digital Service. January 2016.
15. Singapore
Monetary Authority of Singapore (MAS). Regulates the use of technologies to improve the customer experience in relation to financial institutions and AML laws. January 201
16. Switzerland
Swiss Financial Market Supervisory Authority (FINMA). Notice 2016/7. It establishes the requirements for online identification by video and the requirements for customer onboarding through digital channels. July 2016.