Response to consultation on draft Guidelines on the use of remote customer onboarding solutions

1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

EBA’s proposal for guidelines on remote onboarding to financial services has been discussed thoroughly among some leading providers of identity proofing services in Europe and services using identity solutions. These providers are Ariadnext, ElectronicID, IDnow, Innovalor, Signicat, SK ID Solutions, Ubble, ZealID and Universign. These providers agree on the following joint statement to EBA:

We welcome the publication of EBA’s guidelines on remote onboarding to financial services as an opportunity to firstly recognize remote customer onboarding as a viable alternative to physical presence, and secondly to harmonize requirements for remote customer onboarding across the single European market for financial services. However, we find that the requirements proposed by the current draft guidelines are not aligned with previous work, notably:
• ETSI TS 119 461 Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects (July 2021)
• ENISA report: Remote ID proofing – analysis of methods to carry out identity proofing remotely (March 2021)
• ENISA report: Remote identity proofing: Attacks & countermeasures (January 2022)

The ETSI standard proposes requirements for different use cases that all reach a ‘baseline’ level of identity proofing suitable for qualified and other trust services, notably for the issuing of qualified certificates, which is on par with electronic identification at level ‘substantial’. The ‘baseline’ level is explicitly defined as corresponding to face-to-face identity proofing by a trained operator, which is also the benchmark for remote identity proofing as defined by the eIDAS Regulation (Regulation (EU) No 910/2014) Article 24.1.d.

The proposed EBA guidelines, like the ETSI standard, refer to electronic identification ‘substantial’ and qualified signature, but the requirements for onboarding by remote use of identity documents are not up to the level of assurance that should be expected for the finance industry, and not up to the requirements proposed by ETSI as necessary to reach the ‘baseline’ level by such means. The ENISA report from March 2021 surveys the state of requirements across European countries. Our experience, as well as a comparison of ENISA’s survey against the requirements of the proposed EBA guidelines, is that EBA’s proposed requirements are also below existing national requirements for remote onboarding following the AML directive.

We strongly suggest that EBA aligns the guideline requirements with the requirements of ETSI TS 119 461, whose development was funded by the European Commission. The standard is the result of a thorough consensus process by many experts, including national security authorities and supervisory bodies, actors in the trust services industry, and providers of identity proofing services. Aligning identity proofing requirements for qualified trust services and for onboarding to financial services (and even for issuing of digital identity) is beneficial for both regulatory and commercial reasons. Providers of identity proofing services would be able to offer uniform services across sectors, thus optimizing their investments. Onboarding for a financial service could be used directly for onboarding to a qualified trust service and/or for issuing a digital identity, and vice versa.

The proposal for revised eIDAS Regulation will result in harmonized requirements for identity proofing for trust services and for the European Digital Identity Wallet. ETSI TS 119 461 is expected to be a core building block in this harmonization. Using the upcoming revised eIDAS Regulation as the vehicle for harmonized identity proofing, even in the finance industry, can bring large benefits.

EBA promotes a risk-based approach to requirements for remote onboarding. This is also the approach taken by the ETSI standard, building on the risk classification presented in ENISA’s March 2021 report. The requirements of the ETSI standard are targeted at mitigating these risks to the ‘baseline’ level.

We understand that EBA's objectives are to remain non-prescriptive regarding technologies and to allow fast implementation of the guidelines. ETSI TS 119 461 follows the same non-prescriptive approach, defining different use cases that all reach the ‘baseline’ level of identity proofing and being flexible regarding the definition of new use cases that can be applied. Regarding fast implementation, all of the providers listed above, and several other actors, have technologies and/or services that by different means fulfil the requirements of the ETSI TS 119 461 standard. If EBA aligns with the ETSI standard, many providers across Europe are ready to supply compliant products and services.

2. Do you have any comments on Guideline 4.1 ‘Internal policies and procedures’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

It might be useful to mention that when assessing remote customer onboarding solutions or monitoring existing ones, state-of-the-art reports on remote identity proofing attacks and countermeasures, like the one from ENISA (https://www.enisa.europa.eu/publications/remote-identity-proofing-attacks-countermeasures), should be taken into account.

3. Do you have any comments on the Guideline 4.2 ‘Acquisition of Information’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

Nothing specific

4. Do you have any comments on the Guideline 4.3 ‘Document Authenticity & Integrity’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

We would suggest following ETSI TS 119 461 on the use of paper copies of ID cards (i.e. not allowing it), the usage of digital identity documents (ICAO eMRTD) and the usage of alternative documentation.

5. Do you have any comments on the Guideline 4.4 ‘Authenticity Checks’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

We would suggest following ETSI TS 119 461 on the usage of biometric data.

6. Do you have any comments on the Guideline 4.5 ‘Digital Identities’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

Nothing specific

7. Do you have any comments on the Guideline 4.6 ‘Reliance on third parties and outsourcing’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

Nothing specific

8. Do you have any comments on the Guideline 4.7 ‘ICT and security risk management’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

Similar to the comment on 4.1, I think it would be useful to take the work of ENISA into account for assessing the security risk.

Name of the organization

Universign