ETSI TC ESI published in June 2021 the specification ETSI TS 119 461 Policy and security requirements for trust service components providing identity proofing of trust service subjects . The development of the specification was funded by the European Commission. It defines a “baseline” level of identity proofing, using a risk-based approach, with requirements for achieving this level by the following use cases: Physical presence, remote attended identity proofing, remote unattended identity proofing, use of eID (digital identity), use of digital signature with certificate. For the physical presence and remote attended/unattended use cases, the ETSI specification poses requirements on use of physical and digital identity documents as evidence and on human and/or biometric face recognition for verification of the applicant towards the identity document.
While ETSI TS 119 461 is currently aimed at identity proofing for (qualified) trust services as defined by Regulation (EU) No 910/2014 (the eIDAS Regulation), in developing the standard the requirements for financial system "know your customer" were considered. Therefore, ETSI TC ESI recommends that EBA considers the possible adaption of ETSI TS 119 461 to the needs of financial systems in its guidelines for remote customer onboarding according to Article 13(1) of Directive (EU) 2015/849.
Aligning identity proofing requirements for qualified trust services and for onboarding to financial services (possibly also for issuing of digital identity) can be beneficial for both regulatory and commercial reasons. Providers of identity proofing services would be able to offer uniform services across sectors. Onboarding for a financial service could be used directly for onboarding to a qualified trust service, and vice versa.
EBA’s proposed guidelines and ETSI TS 119 461 appear as reasonably aligned in many aspects, e.g., the requirements of section 4.1 of the proposed guidelines appear as specifying an adequate level of operational security, compared to ETSI TS 119 461 that requires the actor carrying out identity proofing to fulfil operational security requirements for a trust service provider as defined by ETSI EN 319 401.
Both ETSI TS 119 461 and EBA’s draft guidelines promote a risk-based approach. Nevertheless, ETSI TS 119 461 annexes a standard risk analysis on remote and physical identity proofing, including the latest threats identifies by EU cyber-security experts, and written by ENISA . The ETSI TS 119 461’s technical requirements mitigate baseline identity proofing risks.
Both ETSI TS 119 461 and EBA’s draft guidelines refer to use of digital identity at assurance level substantial and to use of qualified trust services. For these two identity proofing means, the two specifications are largely aligned. However, the requirements are not aligned regarding remote identity proofing using identity documents. EBA’s proposed guidelines allow mechanisms that during the thorough procedure leading to the ETSI standard were discarded as not sufficiently secure to mitigate against risks to achieving identity proofing at the “baseline” level as established in ETSI TS 119 461 for equivalence to physical presence.
The requirements in ETSI TS 119 461 for remote identity proofing using identity documents represent the consensus by many experts which include national security authorities and supervisory bodies, actors in the trust services industry, and providers of identity proofing services. The consensus among these actors is that the requirements of the ETSI standard are necessary to reach the “baseline” level, i.e., to provide the same level of identity proofing as use of eID substantial and qualified trust services. It is confirmed that technologies and services that fulfil these requirements are available in the market from several suppliers.
ETSI TC ESI proposes that ETSI and EBA work together to aim ETSI TS 119 461 to apply to remote customer onboarding requirements, particularly for remote identity proofing using identity documents. Thus, eIDAS trust service and banking requirements for identity proofing can be aligned and facilitate seamless use of eIDAS services in support of financial systems.
1. The proposed EBA guidelines, section 4.3, paragraph 33, starts by the sentence: Where the financial sector operators accept paper copies, photos or scans of paper-based documents in the course of remote customer onboarding without having the possibility to examine the original identification document, they should take steps to have sufficient assurance as to the reliability of the copy provided. In contrast, the consensus reached for ETSI TS 119 461 is that only original identity documents can be used; a copy is not acceptable. For remote identity proofing, ETSI TS 119 461 requires a video recording of a physical identity document to better capture security elements of the document; the consensus being that a still photo is not sufficient to detect counterfeit or tampered documents. ETSI TC ESI recommends that EBA aligns by explicitly requiring original documents and use of video for remote document scanning. Several AML national regulations have already clearly taken this position on video recording, as presented in the ENISA remote identity proofing report referenced above.
2. The proposed guidelines do only briefly mention (in section 4.3, paragraph 35) use of digital identity documents, meaning ICAO eMRTD documents read from the NFC chip of passports or national identity cards. ETSI TS 119 461 recognises that a digital identity document provides easy verification that the document is genuine and not tampered with by validation of the digital signature of the document issuer. ETSI TC ESI recommends that EBA explicitly includes requirements on use of digital identity documents.
3. Section 4.3, paragraph 37, refers to acceptance of alternative documentation. ETSI TS 119 461 exclusively requires use of at least one of the following authoritative types of evidence: digital identity document, physical identity document, digital identity (eID, in practice level substantial), digital signature (in practice qualified signature). Other evidence can be used only as supplementary evidence. ETSI TC ESI recommends that EBA considers the same practice regarding acceptable evidence.
4. Section 4.4, paragraph 39, has requirements on use of biometric data, but stated in a rather vague way. Section 4.4, paragraph 43, item d, allows automated face biometrics that “use strong and reliable algorithms”. ETSI TS 119 461 allows a fully automated remote identity proofing process using biometrics only with use of a digital identity document. An eMRTD digital identity document yields a high-resolution reference facial photo for comparison to the face image of the applicant, as opposed to the low-quality reference photo obtained from a scan of a physical identity document. With remote use of a physical identity document, face biometrics is considered unreliable, requiring a manual step in the process instead of or in addition to the biometrics. ETSI TS ESI recommends EBA to outline requirements along the same lines for use of biometrics for remote onboarding to financial services.
5. Section 4.4, paragraph 43, allows still photos to be used to capture the image of the applicant. The consensus in ETSI TC ESI is that this does not provide sufficient security, and that a video recording is required. One reason for the video requirement of ETSI TS 119 461 is that video is needed for liveness detection, which is required also by EBA in paragraph 40, item c.
6. Section 4.4, paragraph 46, proposes additional controls that should be used. While such controls are applicable with ETSI TS 119 461 as well, this standard suggests that if an actor follows the requirements for the specified use cases, additional controls are entirely optional, as the baseline security level would be reached. Additional controls may come at the expense of reduced user friendliness. ETSI TC ESI suggests that the identity proofing requirements of the EBA guidelines are strengthened in line with ETSI TS 119 461, and that the requirement for additional controls is made optional.