EBA’s proposal for guidelines on remote onboarding to financial services has been discussed thoroughly among some leading providers of identity proofing services in Europe. These providers are Ariadnext, ElectronicID, IDnow, Innovalor, Signicat, SK ID Solutions, Ubble, ZealID (+ likely more to be added). These providers agree on the following joint statement to EBA:
We welcome the publication of EBA’s guidelines on remote onboarding to financial services as an opportunity to firstly recognize remote customer onboarding as a viable alternative to physical presence, and secondly to harmonize requirements for remote customer onboarding across the single European market for financial services. However, we find that the requirements proposed by the current draft guidelines are not aligned with previous work, notably:
• ETSI TS 119 461 Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects (July 2021)
• ENISA report: Remote ID proofing – analysis of methods to carry out identity proofing remotely (March 2021)
• ENISA report: Remote identity proofing: Attacks & countermeasures (January 2022)
The ETSI standard proposes requirements for different use cases that all reach a ‘baseline’ level of identity proofing suitable for qualified and other trust services, notably for the issuing of qualified certificates, which is on par with electronic identification at level ‘substantial’. The ‘baseline’ level is explicitly defined as corresponding to face-to-face identity proofing by a trained operator, which is also the benchmark for remote identity proofing as defined by the eIDAS Regulation (Regulation (EU) No 910/2014) Article 24.1.d.
The proposed EBA guidelines, like the ETSI standard, refer to electronic identification ‘substantial’ and qualified signature, but the requirements for onboarding by remote use of identity documents are not up to the level of assurance that should be expected for the finance industry, and not up to the requirements proposed by ETSI as necessary to reach the ‘baseline’ level by such means. The ENISA report from March 2021 surveys the state of requirements across European countries. Our experience, as well as a comparison of ENISA’s survey against the requirements of the proposed EBA guidelines, is that EBA’s proposed requirements are also below existing national requirements for remote onboarding following the AML directive.
We strongly suggest that EBA aligns the guideline requirements with the requirements of ETSI TS 119 461, whose development was funded by the European Commission. The standard is the result of a thorough consensus process by many experts, including national security authorities and supervisory bodies, actors in the trust services industry, and providers of identity proofing services. Aligning identity proofing requirements for qualified trust services and for onboarding to financial services (and even for issuing of digital identity) is beneficial for both regulatory and commercial reasons. Providers of identity proofing services would be able to offer uniform services across sectors, thus optimizing their investments. Onboarding for a financial service could be used directly for onboarding to a qualified trust service and/or for issuing a digital identity, and vice versa.
The proposal for a revised eIDAS Regulation will result in harmonized requirements for identity proofing for trust services and for the European Digital Identity Wallet. ETSI TS 119 461 is expected to be a core building block in this harmonization. Using the upcoming revised eIDAS Regulation as the vehicle for harmonized identity proofing, even in the finance industry, can bring large benefits.
EBA promotes a risk-based approach to requirements for remote onboarding. This is also the approach taken by the ETSI standard, building on the risk classification presented in ENISA’s March 2021 report. The requirements of the ETSI standard are targeted at mitigating these risks to the ‘baseline’ level.
We understand that EBA's objectives are to remain non-prescriptive regarding technologies and to allow fast implementation of the guidelines. ETSI TS 119 461 follows the same non-prescriptive approach, defining different use cases that all reach the ‘baseline’ level of identity proofing and remaining flexible regarding the definition of new use cases that can be applied. Regarding fast implementation, all of the providers listed above, and several other actors, have technologies and/or services that by different means fulfil the requirements of the ETSI TS 119 461 standard. If EBA aligns with the ETSI standard, many providers across Europe are ready to supply compliant products and services.
As a further comment, the guideline almost exclusively uses 'should' to describe requirements. In the usual terminology of standards, 'should' indicates a recommendation but not a mandatory requirement. Please consider replacing 'should' by 'shall' in most cases to indicate that the requirements are mandatory.
Overall, part 4.1 of the proposed guideline is fine. In paragraph 16, consider whether notified eID means at eIDAS level 'substantial' or 'high' can also be considered to meet the criteria of paragraph 15. Consider also extending this to eID means that are not notified, but have been assessed by an independent conformity assessment body to meet the requirements for eIDAS level 'substantial' or 'high'.
No comments to part 4.2 of the guideline.
In paragraph 33, a paper copy, photo or scan of a physical identity document is accepted. This is contrary to the state of the art in identity proofing, where only an original identity document can be accepted. It is impossible to ensure that a copy, photo or scan has not been tampered with. All of paragraph 33 must be rewritten to require only the use of an original identity document, and to require that the "scan" of this document is done in a video sequence so that its security features can be analysed in the best possible way. See ETSI TS 119 461 for requirements.
Use of a digital identity document is only briefly mentioned in paragraph 35. Whenever possible, a digital identity document read from the NFC chip of a passport or national identity card should be preferred to a scan of the physical identity document. A digital identity document provides the following advantages: easy validation (genuine and not tampered with) by checking the issuer's digital signature on the document; no errors in optical character recognition, as all information is digital; and a high-resolution face photo as reference for biometric face verification. Note that ETSI TS 119 461 allows a fully automated procedure for remote onboarding only with use of a digital identity document, since this is considered the only case today where face biometrics alone yields a sufficiently reliable result.
Paragraph 37 accepts "alternative documentation". This should not be allowed. In accordance with ETSI TS 119 461, only an official identity document (physical or digital), electronic identification of sufficient quality (level substantial), or a qualified signature should be accepted as main evidence. Other documentation can be used as supplementary evidence only.
For paragraph 39, please note the comment above concerning automated face biometrics and reliability with use of digital versus physical identity documents. From a remote scan of a physical identity document, one only obtains a low-quality reference photo. With a reasonable value for the false acceptance rate, one must be prepared to augment the use of face biometrics with manual procedures in this case, whereas the high-resolution photo obtained from a digital identity document can yield a reliable, automated process. This comment also applies to paragraph 43.
Regarding paragraph 40, we strongly suggest that the guideline requires use of liveness detection for all remote onboarding cases involving a natural person (except eID and qualified signature). Reliable liveness detection requires the use of video recording; use of a still photo only, as suggested by paragraph 43, is not sufficient. This means that the guidelines must require video in real time (not recorded video) to obtain a sufficiently reliable remote onboarding result.
Paragraph 46 suggests additional controls that may be performed. While this is possible, if the controls specified by ETSI TS 119 461 are applied, such additional controls can be entirely optional, as the result of the identity proofing shall be sufficiently reliable without them.
Paragraph 47 mixes up the separate parts of eIDAS for digital identity and trust services. Digital identity issuers are not trust service providers according to eIDAS. Paragraph 47 needs to refer to both digital identity issuers and qualified trust service providers. (Same mistake also in paragraph 48, see below.)
Paragraphs 48 and 50 mix up digital identity providers and trust service providers, see comment to paragraph 47 above.
Paragraph 48 is too vague on requirements for digital identity level of assurance. Instead of "similar" to substantial or high, the requirement should be "notified as substantial or high, or supervised according to a national assurance level framework that is compatible with level substantial or high, or providing a conformity assessment report from an independent body attesting to fulfilment of requirements for level substantial or high".