Response to consultation on draft Guidelines on the use of remote customer onboarding solutions
Go back
We welcome the publication of EBA’s guidelines on remote onboarding to financial services as an opportunity to firstly recognize remote customer onboarding as a viable alternative to physical presence, and secondly to harmonize requirements for remote customer onboarding across the single European market for financial services. However, we find that the requirements proposed by the current draft guidelines are not aligned with previous work, notably:
• ETSI TS 119 461 Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects (July 2021)
• ENISA report: Remote ID proofing – analysis of methods to carry out identity proofing remotely (March 2021)
• ENISA report: Remote identity proofing: Attacks & countermeasures (January 2022)
The ETSI standard proposes requirements for different use cases that all reach a ‘baseline’ level of identity proofing suitable for qualified and other trust services, notably for issuing of qualified certificates, which is on par with electronic identification at level ‘substantial’. The ‘baseline’ level is explicitly defined as corresponding to face to face identity proofing by a trained operator, which is also the benchmark for remote identity proofing as defined by the eIDAS Regulation (Regulation (EU) No 910/2014) Article 24.1.d.
The proposed EBA guidelines, as the ETSI standard, refer to electronic identification ‘substantial’ and qualified signature, but the requirements for onboarding by remote use of identity documents are not up to the level of assurance that should be expected for the finance industry, and not up to the requirements proposed by ETSI as necessary to reach the ‘baseline’ level by such means. The ENISA report from March 2021 surveys state of requirements across European countries. Our experience, as well as a comparison of ENISA’s survey towards the requirements of the proposed EBA guidelines, is that EBA’s proposed requirements also are below existing, national requirements for remote onboarding following the AML directive
We strongly suggest that EBA aligns the guideline requirements with the requirements of ETSI TS 119 461, whose development was funded by the European Commission. The standard is the result of a thorough consensus process by many experts, including national security authorities and supervisory bodies, actors in the trust services industry, and providers of identity proofing services. Aligning identity proofing requirements for qualified trust services and for onboarding to financial services (and even for issuing of digital identity) is beneficial for both regulatory and commercial reasons. Providers of identity proofing services would be able to offer uniform services across sectors, thus optimizing their investments. Onboarding for a financial service could be used directly for onboarding to a qualified trust service and/or for issuing a digital identity, and vice versa.
The proposal for revised eIDAS Regulation will result in harmonized requirements for identity proofing for trust services and for the European Digital Identity Wallet. ETSI TS 119 461 is expected to be a core building block in this harmonization. Using the upcoming revised eIDAS Regulation as the vehicle for harmonized identity proofing, even in the finance industry, can bring large benefits.
EBA promotes a risk based approach to requirements for remote onboarding. This is also the approach taken by the ETSI standard, building on the risk classification presented in ENISA’s March 2021 report. The requirements of the ETSI standard are targeted at mitigating these risks to the ‘baseline’ level.
We understand that EBA's objectives are to remain non-prescriptive regarding technologies and to allow fast implementation of the guidelines. ETSI TS 119 461 follows the same non-descriptive approach defining different use cases that all reach the ‘baseline’ level of identity proofing and being flexible regarding definition of new use cases that can be applied. Regarding fast implementation, all of the providers listed above, and several other actors, have technologies and/or services that by different means fulfil the requirements of the ETSI TS 119 461 standard. If EBA aligns with the ETSI standard, many providers across Europe are ready to supply compliant products and services.
to provide an internal management, operation, and risk assessment framework. It appears the guidelines aim to meet a similar level of management and risk assessment.
There exist many challenges to put in place and adequately assess potential risk profiles. A more detailed outline along the ETSI specifications could provide a more harmonized framework to meet AML requirements. For example, such a governance framework could include the means for conducting relevant and suitable internal and external audits. The commercial entity should be assessed by a recognized conformity assessment body or equivalent body and the solution should meet certification requirements (e.g., ETSI standards or ISO certification) to demonstrate that the capture and storage of user data meets requirements to proof an identity. The EBA may consider more specific details of the internal policies and procedure to clarify if such steps are included in its guidance. This could better ensure a means to attain the higher security requirements in AML identity proofing.
For IDnow Group to perform an identification, the user must provide a valid proof of identity, which can later be verified by the various ident systems and specialized agents. It is the identity verification provider’s responsibility to determine and state whether the ID document used is genuine or has been falsified. By accepting copies of the ID card, this would significantly lower our fraud detection capabilities and introduces challenges:
• ID document can be easily manipulated in any graphic tool
• Printed / scanned documents do not contain crucial security features (holograms, variable inks, perforations etc.)
• “Screens hosted or PC screen displayed” documents may not necessarily belong to the person who performs the identification. Example: First person obtains the ID card (scan) of person 2 and then tries to perform the legitimation.
Furthermore, national regulations, such as Germany’s application of remote video identification as outlined in BaFin’s Circular on Video Identification 03/2017, requires original copies of the ID document. “Only ID documents that have sufficiently forgery-proof security features that are sufficiently clearly recognizable visually in white light and when images are transmitted using available technology and can therefore be verified (see list under B.VI.) as well as a machine-readable area can be used for identity verification under money laundering law as part of a video identification procedure.” A copy of an ID document does not suffice to meet these requirements.
As one of Europe’s largest identity verification providers, between March and June 2020 – when many countries ordered the first Covid lockdown to “flatten the curve” of the pandemic – IDnow noticed a significant increase in different types of identity fraud attempts. Similarity Fraud increased by 231 percent, Fake ID Fraud increased by 180 percent, and Social Engineering – already one of the most dangerous fraud methods – increased by 75 percent.
IDnow’s system has caught and rejected a full range of fake IDs, from low-tech photocopies up to highly realistic, commercially produced fakes. Our research indicates that these are freely available on the dark web for as little as €50, and some of them are so realistic that they can often fool human passport agents. The most commonly faked documents are national ID cards, followed by passports in second place. Other documents, including residence permits and driving licenses, were also detected. (Data available upon request).
In addition, ETSI TS 119 461 expressly states that only original identity documents can be used; a copy is not acceptable. The TS 119 461 requires a video recording of a physical identity document to better capture security elements of the document remote identity proofing. IDnow support the consensus that a still / static photo is not sufficient to detect counterfeit or tampered documents in higher risk identity proofing applications.
IDnow supports ETSI TC ESI recommendation that EBA aligns by explicitly requiring original documents and use of video for remote document scanning.
The success of AML systems must rely on cooperation between the public and private sectors. The EBA may consider further evaluating the data and experience from the private sector, with additional consideration provided by identity verification and trust service providers on the subject of ID document authenticity. In the AML remote identity proofing ecosystem, the private industry has become the” frontline” in detecting fraud and transmitting such information to appropriate authorities. The capacity to perform fraud investigations is housed within the private sector. Effective collaboration in the fight against ML /CT is essential. The EBA may consider tightening its guidance on documents and video streaming requirements that are considered reliable for AML onboarding. IDnow can make available additional data on fraud.
Additionally, the proposed guidelines reference (in section 4.3, paragraph 35) “use of digital identity documents”, as in ICAO eMRTD documents read from the NFC chip of passports or national identity cards.
The ETSI TS 119 461 recognises that a digital identity document is a secure and simple verification method to proof the document is genuine and has not tampered with by validation of the digital signature of the document issuer. IDnow supports ETSI TC ESI recommendation that EBA explicitly include requirements on use of digital identity documents per 119 461.
Section 4.3, paragraph 37, refers to acceptance of “alternative documentation”.
Depending on the source and methods used to obtain collected data, an ID document’s authenticity must be validated against a set of security controls and against other collected evidence. This provides for a uniform way to either accept or reject ID documents.
ETSI TS 119 461 exclusively requires use of at least one of the following authoritative types of evidence: digital identity document, physical identity document, digital identity (eID, in practice level substantial), digital signature (in practice qualified signature). Other evidence can be used only as supplementary evidence. IDnow supports ETSI TC ESI recommendation that EBA consider the same practice regarding acceptable evidence.
For example, national regulations in Germany require a biometric system for governmental use to have a False Acceptance Rate (FAR) of below 0.1%. FAR is a specific key performance indicator that measures false acceptances with a biometric security system. It tracks and evaluates the precision of a biometric system. It therefore determines the rate at which unauthorised users are verified on the system. The lower the FAR is, the more advanced the technology is. In general, AI-powered solutions are able to outperform even these very high requirements. IDnow AutoIdent has a FAR of only 0.03%.
It is a fact that Automatic methods serve as an added security control and ought to be used as a hybrid solution for operator-based methods to collect evidence, perform biometric checks, and perform the authenticity validation in AML onboarding. For identity proofing that requires higher confidence – national AML requirements include automatic methods that are supported by a human operator / specialist who supervises the automatic process and gives final consent to issue the proof (see for example the French PVID standard).
Furthermore, a fully automated remote identity proofing process using biometrics is outlined in ETSI TS 119 461 only with a digital identity document. An eMRTD digital identity document yields a high-resolution reference facial photo for comparison to the face image of the applicant, as opposed to the low-quality reference photo obtained from a scan of a physical identity document. With remote use of a physical identity document, face biometrics is considered unreliable, requiring a manual step in the process instead of or in addition to the biometrics.
IDnow supports ETSI TS ESI recommendation that EBA outline requirements along the same lines for use of biometrics for remote onboarding to financial services.
Section 4.4, paragraph 43, allows still /static photos to be used to capture the image of the applicant. The EBA guideline does make reference that video is needed for liveness detection. IDnow maintains that a still photo to capture the image of an applicant does not provide sufficient security, a video recording is required.
As identity fraud becomes more sophisticated, national regulators require additional safeguards to the process. Innovation in identity verification is designed and implemented to reduce fraud risks. IDnow has collected significant data on fraud and fraudsters who apply fake selfies, pre-recorded videos, or use masks to fake the authenticity of the actual user or attempt to fool the software. (These extensive reports and data are available upon request). It is the liveness detection by video and / or movements that determines whether the selfie is genuine, and that the person / user is real and present.
Liveness detection protects against various spoofing attacks where a fraudster could use a face mask to impersonate someone else. The fraudster can use a static photo of someone else for comparison against the ID document. A video greatly reduces these risks and can verify the user’s identity securely by requiring the user to turn their head left or right, speak randomly generated numbers, or move the device to and away from their face. Additionally, liveness detection algorithms have higher accuracy to spot variations in expression, brightness, and background.
The consensus in ETSI TC ESI is that a still photo does not provide sufficient security, and that a video recording is required. IDnow supports this consensus.
1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
The EBA’s proposal for guidelines on remote onboarding to financial services has been discussed thoroughly among some leading providers of identity proofing services in Europe. These providers are Ariadnext, ElectronicID, IDnow, Innovalor, Signicat, SK ID Solutions, Ubble. These providers agree on the following joint statement to EBA:We welcome the publication of EBA’s guidelines on remote onboarding to financial services as an opportunity to firstly recognize remote customer onboarding as a viable alternative to physical presence, and secondly to harmonize requirements for remote customer onboarding across the single European market for financial services. However, we find that the requirements proposed by the current draft guidelines are not aligned with previous work, notably:
• ETSI TS 119 461 Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects (July 2021)
• ENISA report: Remote ID proofing – analysis of methods to carry out identity proofing remotely (March 2021)
• ENISA report: Remote identity proofing: Attacks & countermeasures (January 2022)
The ETSI standard proposes requirements for different use cases that all reach a ‘baseline’ level of identity proofing suitable for qualified and other trust services, notably for issuing of qualified certificates, which is on par with electronic identification at level ‘substantial’. The ‘baseline’ level is explicitly defined as corresponding to face to face identity proofing by a trained operator, which is also the benchmark for remote identity proofing as defined by the eIDAS Regulation (Regulation (EU) No 910/2014) Article 24.1.d.
The proposed EBA guidelines, as the ETSI standard, refer to electronic identification ‘substantial’ and qualified signature, but the requirements for onboarding by remote use of identity documents are not up to the level of assurance that should be expected for the finance industry, and not up to the requirements proposed by ETSI as necessary to reach the ‘baseline’ level by such means. The ENISA report from March 2021 surveys state of requirements across European countries. Our experience, as well as a comparison of ENISA’s survey towards the requirements of the proposed EBA guidelines, is that EBA’s proposed requirements also are below existing, national requirements for remote onboarding following the AML directive
We strongly suggest that EBA aligns the guideline requirements with the requirements of ETSI TS 119 461, whose development was funded by the European Commission. The standard is the result of a thorough consensus process by many experts, including national security authorities and supervisory bodies, actors in the trust services industry, and providers of identity proofing services. Aligning identity proofing requirements for qualified trust services and for onboarding to financial services (and even for issuing of digital identity) is beneficial for both regulatory and commercial reasons. Providers of identity proofing services would be able to offer uniform services across sectors, thus optimizing their investments. Onboarding for a financial service could be used directly for onboarding to a qualified trust service and/or for issuing a digital identity, and vice versa.
The proposal for revised eIDAS Regulation will result in harmonized requirements for identity proofing for trust services and for the European Digital Identity Wallet. ETSI TS 119 461 is expected to be a core building block in this harmonization. Using the upcoming revised eIDAS Regulation as the vehicle for harmonized identity proofing, even in the finance industry, can bring large benefits.
EBA promotes a risk based approach to requirements for remote onboarding. This is also the approach taken by the ETSI standard, building on the risk classification presented in ENISA’s March 2021 report. The requirements of the ETSI standard are targeted at mitigating these risks to the ‘baseline’ level.
We understand that EBA's objectives are to remain non-prescriptive regarding technologies and to allow fast implementation of the guidelines. ETSI TS 119 461 follows the same non-descriptive approach defining different use cases that all reach the ‘baseline’ level of identity proofing and being flexible regarding definition of new use cases that can be applied. Regarding fast implementation, all of the providers listed above, and several other actors, have technologies and/or services that by different means fulfil the requirements of the ETSI TS 119 461 standard. If EBA aligns with the ETSI standard, many providers across Europe are ready to supply compliant products and services.
2. Do you have any comments on Guideline 4.1 ‘Internal policies and procedures’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
Section 4.1 draws on parallels from ETSI EN 319 401 General Policy Requirements for Trust Service Providers as well as ETSI TS 119 461 Electronic Signatures and Infrastructures (ESI) Policy and security requirements for trust service components providing identity proofing of trust service subjectsto provide an internal management, operation, and risk assessment framework. It appears the guidelines aim to meet a similar level of management and risk assessment.
There exist many challenges to put in place and adequately assess potential risk profiles. A more detailed outline along the ETSI specifications could provide a more harmonized framework to meet AML requirements. For example, such a governance framework could include the means for conducting relevant and suitable internal and external audits. The commercial entity should be assessed by a recognized conformity assessment body or equivalent body and the solution should meet certification requirements (e.g., ETSI standards or ISO certification) to demonstrate that the capture and storage of user data meets requirements to proof an identity. The EBA may consider more specific details of the internal policies and procedure to clarify if such steps are included in its guidance. This could better ensure a means to attain the higher security requirements in AML identity proofing.
4. Do you have any comments on the Guideline 4.3 ‘Document Authenticity & Integrity’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
IDnow Group considers accepting ID document copies could raise the risk of potential fraud attempts. It is difficult to securely confirm whether the document is genuine or fraudulent based on a copies.For IDnow Group to perform an identification, the user must provide a valid proof of identity, which can later be verified by the various ident systems and specialized agents. It is the identity verification provider’s responsibility to determine and state whether the ID document used is genuine or has been falsified. By accepting copies of the ID card, this would significantly lower our fraud detection capabilities and introduces challenges:
• ID document can be easily manipulated in any graphic tool
• Printed / scanned documents do not contain crucial security features (holograms, variable inks, perforations etc.)
• “Screens hosted or PC screen displayed” documents may not necessarily belong to the person who performs the identification. Example: First person obtains the ID card (scan) of person 2 and then tries to perform the legitimation.
Furthermore, national regulations, such as Germany’s application of remote video identification as outlined in BaFin’s Circular on Video Identification 03/2017, requires original copies of the ID document. “Only ID documents that have sufficiently forgery-proof security features that are sufficiently clearly recognizable visually in white light and when images are transmitted using available technology and can therefore be verified (see list under B.VI.) as well as a machine-readable area can be used for identity verification under money laundering law as part of a video identification procedure.” A copy of an ID document does not suffice to meet these requirements.
As one of Europe’s largest identity verification providers, between March and June 2020 – when many countries ordered the first Covid lockdown to “flatten the curve” of the pandemic – IDnow noticed a significant increase in different types of identity fraud attempts. Similarity Fraud increased by 231 percent, Fake ID Fraud increased by 180 percent, and Social Engineering – already one of the most dangerous fraud methods – increased by 75 percent.
IDnow’s system has caught and rejected a full range of fake IDs, from low-tech photocopies up to highly realistic, commercially produced fakes. Our research indicates that these are freely available on the dark web for as little as €50, and some of them are so realistic that they can often fool human passport agents. The most commonly faked documents are national ID cards, followed by passports in second place. Other documents, including residence permits and driving licenses, were also detected. (Data available upon request).
In addition, ETSI TS 119 461 expressly states that only original identity documents can be used; a copy is not acceptable. The TS 119 461 requires a video recording of a physical identity document to better capture security elements of the document remote identity proofing. IDnow support the consensus that a still / static photo is not sufficient to detect counterfeit or tampered documents in higher risk identity proofing applications.
IDnow supports ETSI TC ESI recommendation that EBA aligns by explicitly requiring original documents and use of video for remote document scanning.
The success of AML systems must rely on cooperation between the public and private sectors. The EBA may consider further evaluating the data and experience from the private sector, with additional consideration provided by identity verification and trust service providers on the subject of ID document authenticity. In the AML remote identity proofing ecosystem, the private industry has become the” frontline” in detecting fraud and transmitting such information to appropriate authorities. The capacity to perform fraud investigations is housed within the private sector. Effective collaboration in the fight against ML /CT is essential. The EBA may consider tightening its guidance on documents and video streaming requirements that are considered reliable for AML onboarding. IDnow can make available additional data on fraud.
Additionally, the proposed guidelines reference (in section 4.3, paragraph 35) “use of digital identity documents”, as in ICAO eMRTD documents read from the NFC chip of passports or national identity cards.
The ETSI TS 119 461 recognises that a digital identity document is a secure and simple verification method to proof the document is genuine and has not tampered with by validation of the digital signature of the document issuer. IDnow supports ETSI TC ESI recommendation that EBA explicitly include requirements on use of digital identity documents per 119 461.
Section 4.3, paragraph 37, refers to acceptance of “alternative documentation”.
Depending on the source and methods used to obtain collected data, an ID document’s authenticity must be validated against a set of security controls and against other collected evidence. This provides for a uniform way to either accept or reject ID documents.
ETSI TS 119 461 exclusively requires use of at least one of the following authoritative types of evidence: digital identity document, physical identity document, digital identity (eID, in practice level substantial), digital signature (in practice qualified signature). Other evidence can be used only as supplementary evidence. IDnow supports ETSI TC ESI recommendation that EBA consider the same practice regarding acceptable evidence.
5. Do you have any comments on the Guideline 4.4 ‘Authenticity Checks’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
In biometrics, Liveness Detection is an AI computer system’s ability to determine that it is interfacing with a physically present human being and not an inanimate spoof artifact., Fraudsters using stolen photos, Deep Fake videos, or masks to access or create online accounts will be uncovered and stopped with this added security step.For example, national regulations in Germany require a biometric system for governmental use to have a False Acceptance Rate (FAR) of below 0.1%. FAR is a specific key performance indicator that measures false acceptances with a biometric security system. It tracks and evaluates the precision of a biometric system. It therefore determines the rate at which unauthorised users are verified on the system. The lower the FAR is, the more advanced the technology is. In general, AI-powered solutions are able to outperform even these very high requirements. IDnow AutoIdent has a FAR of only 0.03%.
It is a fact that Automatic methods serve as an added security control and ought to be used as a hybrid solution for operator-based methods to collect evidence, perform biometric checks, and perform the authenticity validation in AML onboarding. For identity proofing that requires higher confidence – national AML requirements include automatic methods that are supported by a human operator / specialist who supervises the automatic process and gives final consent to issue the proof (see for example the French PVID standard).
Furthermore, a fully automated remote identity proofing process using biometrics is outlined in ETSI TS 119 461 only with a digital identity document. An eMRTD digital identity document yields a high-resolution reference facial photo for comparison to the face image of the applicant, as opposed to the low-quality reference photo obtained from a scan of a physical identity document. With remote use of a physical identity document, face biometrics is considered unreliable, requiring a manual step in the process instead of or in addition to the biometrics.
IDnow supports ETSI TS ESI recommendation that EBA outline requirements along the same lines for use of biometrics for remote onboarding to financial services.
Section 4.4, paragraph 43, allows still /static photos to be used to capture the image of the applicant. The EBA guideline does make reference that video is needed for liveness detection. IDnow maintains that a still photo to capture the image of an applicant does not provide sufficient security, a video recording is required.
As identity fraud becomes more sophisticated, national regulators require additional safeguards to the process. Innovation in identity verification is designed and implemented to reduce fraud risks. IDnow has collected significant data on fraud and fraudsters who apply fake selfies, pre-recorded videos, or use masks to fake the authenticity of the actual user or attempt to fool the software. (These extensive reports and data are available upon request). It is the liveness detection by video and / or movements that determines whether the selfie is genuine, and that the person / user is real and present.
Liveness detection protects against various spoofing attacks where a fraudster could use a face mask to impersonate someone else. The fraudster can use a static photo of someone else for comparison against the ID document. A video greatly reduces these risks and can verify the user’s identity securely by requiring the user to turn their head left or right, speak randomly generated numbers, or move the device to and away from their face. Additionally, liveness detection algorithms have higher accuracy to spot variations in expression, brightness, and background.
The consensus in ETSI TC ESI is that a still photo does not provide sufficient security, and that a video recording is required. IDnow supports this consensus.