Response to consultation on draft Guidelines on the use of remote customer onboarding solutions


1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

Paragraph 9

The current definition of Digital Identity Issuer refers only to an identity service provider under eIDAS, such as a Member State that issues eID cards. The distinction between the issuer of a digital identity and a business providing verification or authentication services for onboarding purposes should be made explicit to avoid any confusion.
It would be useful to add the definition of Identity Proofing Service Provider as given in the ETSI TS 119 461 technical standard, that is, a specialised company that performs the process of verifying, with the required degree of reliability, that the purported identity of an applicant is correct.

2. Do you have any comments on Guideline 4.1 ‘Internal policies and procedures’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• 4.1.1 Policies and procedures relating to remote customer onboarding
In point 10, letter j), it is specified that regular training should be described and carried out for the operators involved in remote customer onboarding processes. It is equally important and necessary to document the training, to gather evidence of its successful completion and to repeat it at least annually.

To guarantee that only the rightful subjects are involved in the remote process, it is conceivable to require that the system used to carry out the remote identification process be accessed by operators through an eIDAS-compliant digital identity, enriched with additional attributes that allow the operator's role, powers and training certificates (which demonstrate the quality, reliability and knowledge of the staff) to be verified at each access.

• 4.1.3 The pre-implementation assessment of the remote customer onboarding solution
15. In order to increase the degree of reliability, the pre-implementation assessment of the solution should prefer the use of an eIDAS-compliant identity verification method provided by a QTSP and declared compliant by a Conformity Assessment Body.
If not, the identity proofing solution should be certified against the ETSI TS 119 461 technical standard, producing a Conformity Assessment Report.
Service providers having received equivalent certification under the eIDAS Regulation or the AML Directive (e.g. SEPBLAC certification in Spain, PVID in France or the certifications granted by BSI in Germany, such as BSI-K-TR-03128 for eID) uphold the same standards, and should therefore not have to prove their process requirements against yet another series of criteria.

• 4.1.4 Ongoing monitoring of the remote customer onboarding solution(s)
In the case of a solution provided by a Qualified Trust Service Provider, ongoing monitoring is required by the Regulation, with an annual audit culminating in a Conformity Assessment Report (Articles 20 and 21 eIDAS).
Otherwise, the monitoring of the solution should also include compliance with the requirements laid down in the eIDAS Regulation, as detailed by the ETSI TS 119 461 technical standard.

3. Do you have any comments on the Guideline 4.2 ‘Acquisition of Information’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• 4.2.1 Identifying the customer
26. To ensure a higher level of reliability and trust, the identification proofs collected during the process should be time-stamped using a qualified timestamp service provided by a QTSP, and should also be digitally preserved in a long-term digital preservation service.
Qualified Electronic Signatures and Qualified Electronic Seals are also useful tools to preserve the integrity of proofs. This approach is also envisaged by the proposed amendment to Regulation (EU) No 910/2014 (“eIDAS”), Article 34 on “Qualified preservation service for qualified electronic signatures” and Article 45g on “Qualified electronic archiving services”.

• 4.2.3 Identifying Legal Entities
30. To identify legal entities in a certain and unequivocal way, it is advisable to use the LEI code, which can play a major role in harmonising the framework. In order to provide secure and trustworthy information to customers, the LEI code should be combined with the Qualified Certificate for Electronic Seal, the most useful tool for confirming that data originates from the relevant legal entity, and one already used in PSD2 processes.

4. Do you have any comments on the Guideline 4.3 ‘Document Authenticity & Integrity’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

33. In the course of the remote customer onboarding process, financial sector operators should also accept scans of card-based documents, not only paper-based ones.

35. To properly extract and collect data from the chip of a national identity card, it should be mandatory to verify the issuer’s electronic signature and to collect a log of this activity, especially in countries where no specific legislation on access to the chip exists. Having a log of the access can in fact be useful to further demonstrate the proper access, the validation of the signature and the data extracted. Please note that in some Member States access to the chip of the national identity card is forbidden by law.

5. Do you have any comments on the Guideline 4.4 ‘Authenticity Checks’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

39. The document is not clear on when a fully automated process based on biometrics is allowed and where manual checks are going to be a requirement: “Financial sector operators should verify the unambiguous match between the biometric data indicated on the submitted identity document and the customer being onboarded”. It is advisable that the guidelines specify that a fully automated identification process can be allowed when the technology used offers a level of confidence in the user’s identity commensurate with the risk of the chosen product and the onboarding context.

40. In order to verify a person’s identity with the required degree of certainty, the authenticity checks process should follow the recent ETSI TS 119 461 (2021-07).

42. The guidelines should allow for repeated attempts at remote customer onboarding with other pieces of evidence, as well as a face-to-face verification over videoconference. Only after repeated attempts and the virtual face-to-face verification prove unable to resolve the ‘uncertainty and ambiguity’ should the customer be required to attend a face-to-face verification in the same physical location.

43. a) We would suggest more precise language, such as “the required properties are captured with the necessary clarity to allow the proper verification of the customer’s identity”, as is the case in paragraph 44(a).

44. b) To provide greater reliability and security to the process, the staff involved in the video conference process should be identified with eIDAS tools, such as digital identities, Qualified Certificates, or verifiable credentials stored in a digital employee wallet. The related specific training shall be documented and repeated over time.

46. a) The payment option should also envisage a payment initiation service, as defined by Directive (EU) 2015/2366 of 25 November 2015 (“PSD2”), which allows third parties to make a payment through a Payment Initiation Service Provider (PISP) and transmits information to the relevant subject. We advise that access to account information through an Account Information Service Provider (AISP) be considered equivalent to the payment option.

6. Do you have any comments on the Guideline 4.5 ‘Digital Identities’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

53. To ensure a higher level of trust and reliability, the validation and checking of electronic certificates should be performed by a Qualified Validation Service for Qualified Electronic Signatures or Qualified Electronic Seals, in accordance with the eIDAS and ESI legislative specifications.

7. Do you have any comments on the Guideline 4.6 ‘Reliance on third parties and outsourcing’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

When relying on a third party, Qualified Trust Service Providers can guarantee a high level of reliability and provide assurance on the trustworthiness of the implemented process. Owing to the annual audit performed by a Conformity Assessment Body, the requirements laid down in the eIDAS Regulation are fulfilled, documented and provable.

It should be clarified that such reliance on supervised third parties should not be considered outsourcing.

8. Do you have any comments on the Guideline 4.7 ‘ICT and security risk management’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

63. The use of a Qualified Website Authentication Certificate (QWAC) is definitely a useful and valuable tool for providing reliable information to customers. This is also consistent with the proposed amendment to Article 45 of Regulation (EU) No 910/2014 (“eIDAS”).

The inclusion of the LEI code in the QWAC could also provide more trust and certainty, giving customers a real and consistent view of the identity of the legal entity they are dealing with.

Name of the organization

InfoCert S.p.A.