Response to consultation on draft Guidelines on the use of remote customer onboarding solutions


1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

General comments:
1. The EBA initiative to address remote customer verification in guidelines is highly welcome. Establishing adequate requirements is a great challenge, and existing, proven practices such as ETSI TS 119 461 should therefore be acknowledged, consulted and considered.
2. Incorporating ETSI TS 119 461 into the EBA framework, or closely following it, would create a beneficial synergy between financial institutions and eIDAS trust service and eID scheme providers. By following ETSI TS 119 461, the EBA can establish a uniformly deployable identity verification framework that provides the quality and assurance level expected of financial institutions’ procedures.
3. The requirements fall short of the level of explicitness that would allow financial institutions to evaluate the effectiveness and conformity of the solutions they design. Relying solely on the term ‘adequacy’ to describe the various criteria for processes does not provide comprehensive requirements and will result in solutions of inconsistent and questionable quality.
4. The Regulation (EU) No 910/2014 terms ‘digital identity’ and ‘trust service’ are used incorrectly. Digital identity (eID scheme) and trust service are two different areas of the eIDAS framework: an eID scheme allows digital identification of persons, whereas trust services deal with the issuance of certificates for qualified electronic signatures (and seals). Nevertheless, both eID means and certificates for qualified electronic signatures can be used for digital identity verification.

Specific comments:
1. Paragraph 3 introduces reporting requirements for determining compliance or non-compliance with the guidelines, but lacks rules for handling a possible non-compliance situation.

2. Do you have any comments on Guideline 4.1 ‘Internal policies and procedures’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

n/a

3. Do you have any comments on the Guideline 4.2 ‘Acquisition of Information’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

2. Paragraph 25 b) defines quality requirements for customer verification. In the same way, quality requirements for the collected evidence material (e.g. identity documents) need to be described.
3. Paragraph 28 foresees ensuring the reliability of the information, but only for automatically captured data (paragraph 27 (ii)). Information manually entered by the customer and information gathered from other internal or external sources must also be validated for reliability.

4. Do you have any comments on the Guideline 4.3 ‘Document Authenticity & Integrity’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

4. The use of paper copies, photos or scans of paper-based documents under paragraph 33 must be prohibited, as only the use of original documents can provide the reliability required of any type of identity verification method.
5. The use of MRZ data in the verification process can only be treated as a complementary measure to the NFC chip (paragraph 34).
6. The primary source for retrieving personal and document data in a remote identity verification process must be the ICAO Doc 9303 compliant NFC chip of the identity document. The NFC chip makes it easy to verify that the document is genuine and has not been tampered with, by validating the digital signature of the document issuer. Use of the NFC chip should not be determined by the capabilities of the customer’s devices (paragraph 35), but by the presence of an NFC chip in the identity document used for the onboarding. In addition, it is of utmost importance for data verification to deploy the personal and document data integrity and authenticity checks that NFC chips support.
7. Verification of the identity document’s security features must take place in every case where identity verification relies only on visual inspection of the document (paragraph 36). Processes designed for visual verification of identity documents are required to implement a presentation attack detection mechanism to prevent unlawful activities (use of falsified or counterfeit documents, or deepfakes).
8. It should be stated that alternative documentation can only be processed for the purpose of supporting the reliability verification performed using identity documents or digital identities (paragraph 37).
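Item 6 above describes passive authentication of the chip: the issuer signs the hashes of the chip’s data groups, and the onboarding side checks that signature and recomputes the hashes. The Go program below is an added illustration, not part of this response or of ICAO Doc 9303: it models the Security Object as a flat table of SHA-256 hashes signed with Ed25519 (a real SOD is a CMS SignedData structure signed with RSA or ECDSA under a document signer certificate chaining to the country signing CA), issues a chip from constructed sample data, and shows that an alteration of the MRZ data group after issuance is rejected.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Chip models what is read over NFC: data groups (DG1 = MRZ, DG2 = face image) and the
// Security Object (SOD) carrying the issuer-signed SHA-256 hash of every data group.
type Chip struct {
	DataGroups map[int][]byte
	SOD        [16 * 32]byte // slot dg-1 holds SHA-256(DG dg), dg = 1..16 as in ICAO 9303
	SODSig     []byte        // issuer signature over SOD; real SODs are CMS SignedData (RSA/ECDSA)
}
// Issue plays the document issuer: hash every data group into the SOD and sign it.
func Issue(priv ed25519.PrivateKey, dgs map[int][]byte) *Chip {
	c := &Chip{DataGroups: dgs}
	for dg, content := range dgs {
		h := sha256.Sum256(content)
		copy(c.SOD[(dg-1)*32:], h[:])
	}
	c.SODSig = ed25519.Sign(priv, c.SOD[:])
	return c
}
// PassiveAuth is the onboarding side: the SOD must verify under the trusted issuer key,
// and every data group read from the chip must hash to the value the issuer signed.
func PassiveAuth(issuer ed25519.PublicKey, c *Chip) error {
	if !ed25519.Verify(issuer, c.SOD[:], c.SODSig) {
		return fmt.Errorf("SOD signature invalid: not signed by the trusted issuer")
	}
	for dg, content := range c.DataGroups {
		// DG numbers outside 1..16 have no SOD slot, so they can never be covered by the signature.
		if h := sha256.Sum256(content); dg < 1 || dg > 16 || !bytes.Equal(h[:], c.SOD[(dg-1)*32:dg*32]) {
			return fmt.Errorf("DG%d altered or not covered by the signed SOD", dg)
		}
	}
	return nil
}
// Demo issues a chip from constructed sample data, verifies it, edits DG1 and re-verifies.
func Demo() (genuineOK, tamperDetected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the issuer's document signer key
	chip := Issue(priv, map[int][]byte{1: []byte("P<UTODOE<<JANE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"), 2: []byte("face-image-bytes")}) // constructed sample data, not a real document
	genuineOK = PassiveAuth(pub, chip) == nil
	chip.DataGroups[1] = []byte("P<UTODOE<<JOHN<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<") // name altered after issuance
	return genuineOK, PassiveAuth(pub, chip) != nil
}
func main() {
	ok, tampered := Demo()
	fmt.Println("genuine chip accepted:", ok, "| altered chip rejected:", tampered)
}
```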

5. Do you have any comments on the Guideline 4.4 ‘Authenticity Checks’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

9. Solutions implemented for remote customer onboarding must enable verification not only of the validity but also of the authenticity of official documents (paragraph 38). Furthermore, the solutions must ensure reliable binding of the evidence to the person, to assure correct identity verification.
10. Paragraph 39 sets requirements on the use of biometric data, but states them in a rather vague way. Biometric data verification is always part of a process where the use of an identity document is foreseen. Moreover, where biometric data is involved, the biometric matching process must be preceded by a presentation attack detection step.
11. Paragraph 40 requires the inclusion of liveness detection depending on the risk analysis. The suggestion is to replace the term ‘liveness detection’ with ‘presentation attack detection’, which more adequately addresses the scope of the associated risks. Presentation attack detection must be an integral part of the biometric verification process.
12. The fall-back to face-to-face verification described in paragraph 42 is essential not only in cases of insufficient evidence quality, but also when the authenticity and integrity of the presented evidence cannot be verified.
13. Paragraph 43 defines the use of a photograph of the customer as the comparison element. For trustworthiness, it is important to require that the photo(s) be retrieved from a video stream recorded by the customer, so that presentation attack detection can be deployed.
14. Paragraph 43 d) suggests using strong and reliable algorithms to perform biometric matching in the absence of human verification. The preference between human and algorithmic verification should be in favour of the algorithmic solution, which provides more accurate results than human verification.
15. The biometric verification measure listed in paragraph 46 c) cannot be treated as a complementary mechanism; it has to have the primary role in the remote identity verification process.
16. The trustworthiness of the measures listed in paragraphs 46 d) and e) is questionable, and they should therefore not be listed as options for secondary controls.
17. Paragraph 47 and the paragraphs in Section 4.5 use the Regulation (EU) No 910/2014 terms ‘digital identity’ and ‘trust service’ incorrectly. Digital identity (eID scheme) and trust service are two different areas of the eIDAS framework: an eID scheme allows digital identification of persons, whereas trust services deal with the issuance of certificates for qualified electronic signatures (and seals). Nevertheless, both eID means and certificates for qualified electronic signatures can be used for digital identity verification.

6. Do you have any comments on the Guideline 4.5 ‘Digital Identities’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

17. Paragraph 47 and the paragraphs in Section 4.5 use the Regulation (EU) No 910/2014 terms ‘digital identity’ and ‘trust service’ incorrectly. Digital identity (eID scheme) and trust service are two different areas of the eIDAS framework: an eID scheme allows digital identification of persons, whereas trust services deal with the issuance of certificates for qualified electronic signatures (and seals). Nevertheless, both eID means and certificates for qualified electronic signatures can be used for digital identity verification.
18. Section 4.5 should limit the use of eID means to those at the eIDAS (Regulation (EU) No 910/2014) level of assurance ‘high’ (a national eID scheme or an EU-notified eID scheme). This requirement will guarantee the trustworthiness expected of identity verification processes deployed by financial institutions.
19. Section 4.5 is encouraged to endorse the use of certificates for qualified electronic signatures as an appropriate means of digital identity verification. This requirement will guarantee the trustworthiness expected of identity verification processes deployed by financial institutions.
20. Paragraph 54 duplicates the content of paragraph 52.

7. Do you have any comments on the Guideline 4.6 ‘Reliance on third parties and outsourcing’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

n/a

8. Do you have any comments on the Guideline 4.7 ‘ICT and security risk management’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

21. Paragraph 63 states that a qualified website authentication certificate provides higher authenticity to the website. The current reference can be considered misleading, as service providers following CA/B Forum requirements for the issuance of website authentication certificates can achieve the same level of assurance.

Name of the organization

SK ID Solutions