Primary tabs

Eurosmart

Eurosmart has comments on the proposed definitions.

First, the definition of “Digital Identity” is not accurate. According to ISO/IEC 24670-1/2019, identity is a “set of attributes related to an entity”. It seems that EBA’s definition of “digital identity” corresponds much better to the definition of “Digital Identity means”, aka “electronic identification means” as defined by the eIDAS Regulation 910/2014.

Therefore, in the first definition, the term “Digital Identity” should be replaced by “Digital Identity means”. The term should also be replaced throughout the whole document.

Secondly, the definition of “Digital Identity Issuer” is equally problematic because incomplete and unaligned with EU legislation and even international standards.

The definition “of Digital Identity Issuer” omits several key responsibilities. Eurosmart proposes to enhance it as follows:
“A third party trusted with (1) the assessment and verification of the authenticity of person identification data, (2) the assessment and verification of the quality and security of the Digital Identity means, and (3) ensuring a strong binding between the person identification data, the Digital Identity means, and the holder, making sure the holder receives the Digital Identity means containing person identification data only relating to him.”

Moreover, instead of referring to “Digital Identity Issuers”, the guidelines could refer to “Identity Providers” (abbreviated as IDP), a more widely used term in international standardisation. ISO/IEC 19286:2018 defines an “Identity Provider” as a “trusted actor that issues and/or manages credentials”. Eurosmart would recommend using “Identity Providers” instead of “Digital Identity Issuers”, and enhancing the overall definition (as described above).

Thirdly, the following terms are used throughout the document and would deserve clear definitions: “official document”, “identity document”, “identity documentation”, “identification document” and “document”. Could you please provide a clear definition for each of these terms?
On 4.1.1 “Policies and procedures relating to remote customer onboarding”:

Financial sector operators could also provide the standards and technical specification they rely on or intend to rely on. The EBA could give a list of standards that are relevant for this purpose. Eurosmart advises against including ETSI TS 119 461 on remote identity proofing in such a list as it contains too many shortcomings and security gaps. ETSI TS was initially designed for identity proofing of trust services subjects, hence its initial purpose is not customer onboarding.

In addition, another aspect of the policies should be added: (1) the place where data shall be stored, (2) the place where data shall be processed, and (3) the measures put in place to protect the data or natural and legal persons.

On 4.1.3 “The pre-implementation assessment of the remote customer onboarding solution”:

The text only considers pre-implementation assessment of the remote onboarding system performed by the financial sector operator itself. This is not sufficient to reach a high level of trust. An independent certification of the remote onboarding system should be carried out in order to limit the risks stemming from collusion, negligence or mistake on the financial sector operator side. (Self) assessment by the financial sector operator should not be allowed.

Such certification would rely on (1) an independent certification authority and (2) an assessment performed by an independent evaluator. This double-eye approach would help reaching a high level of trust and reliability of the remote onboarding system. In addition, paragraph 17 should be updated to take this new approach into account: the financial sector operator shall provide to its competent authority the certificate of the remote onboarding system. Paragraph 18 should also be updated accordingly so that a remote onboarding system could only be initiated under agreement of the competent authority based on a successful certification (and not under the sole financial sector operator’s decision – still to avoid risks of collusion, negligence or mistakes).

In addition, on 4.1.3 paragraph 15:

Eurosmart recommends enriching point d) as follows: “tests to assess fraud risks including impersonation fraud risks and other information and communications technology (“ICT”) and security risks, in accordance with the provision 43 of the EBA Guidelines on ICT and security risk management, including European cybersecurity certification of the critical components of the onboarding solution pursuant to Regulation 2019/881 (Cybersecurity Act).”

Moreover, 4.1.3 paragraph 16 seems unclear. It seems the paragraph refers to qualified signatures/seals rather than to qualified trust services (e.g. preservation or timestamping would not help here). Therefore “qualified trust services” should be replaced by “qualified signatures/seals”. Besides, Eurosmart does not fully agree with the fact that using qualified signatures or seals would entail compliance with the assessment criteria in paragraph 15. These criteria shall be met by the qualified trust service provider in the course of the enrolment leading to the delivery of the qualified certificate for signature or seal. The fulfilment of these criteria shall be met, and their fulfilment by the qualified trust service provider shall also be verified.

On 4.1.4 “Ongoing monitoring of the remote customer onboarding solution(s)”:

Eurosmart recommends adding the following point to paragraph 21:
vi) vulnerability monitoring

This new point on vulnerability monitoring is important to ensure that financial sector operators have in place a system whereby identified vulnerabilities are taken into account. These vulnerabilities can be found in the software used to perform the onboarding process or in the Digital Identity means used by the customer (e.g., flawed chip). For both situations, financial sector operators should keep an eye on the latest news in the field.
This section misses a paragraph that states that the favoured method to acquire information should be the use of Digital Identity means with Level of Assurance (LoA) “High” -pursuant to the eIDAS Regulation. These Digital Identity means could be an identity card equipped with a chip or a European Digital Identity Wallet (as foreseen in the eIDAS 2 proposal). These means are the most secure and trustworthy ways of acquiring information on the customer.

Therefore, financial sector operators should primarily offer these methods to their future customers, especially in Member States where Digital Identity means with Level of Assurance (LoA) “High” are already available. In such cases, financial sector operators should present the other onboarding methods only as a second option and/or on request.

In addition, in 4.2.1 paragraph 25 point c, it is of the utmost importance to require storage and processing of these data in the EU soil only, in a manner that protects these data from any access from an entity located outside of the EU (no extra-territorial interference). This requirement is instrumental to ensure a high level of protection of data, in particular for legal persons whose data do not benefit from the protection of the GDPR.

Moreover, a fifth criterion should be added in paragraph 25: “collected data shall not be tampered with from their acquisition down to their storage and processing and shall be genuine.”. It is needed to guarantee that data are not modified nor tampered with from their acquisition down to their storage and processing by the remote onboarding system.
On 4.3 overall:

Eurosmart has comment on the acceptance of paper copies, photos or scan of paper-based documents without having the possibility to examine the original document. This option is risky because the assessment of the security features of the paper-based document is difficult. Some security features cannot be assessed in such conditions.

Eurosmart recommends not allowing to present mere paper copies, photos or scans of paper-based documents, as it increases risks of frauds where an applicant presents copies of documents that are not his/hers –captured without the knowledge of the genuine holder, in order to try to impersonate someone else’s identity. Instead, it shall be required that only original identification document (and not paper copies, photos or scans) be presented with live capture processing. This approach provides a higher level of trust as it helps ascertaining the applicant effectively has the original identification document in hands (proof of possession). In order to meet this goal, it shall be required that the remote onboarding system verifies the liveness of the document being presented.

On 4.3 paragraph 34:

The statement also applies when reading data from the chip of the document. This case should also be quoted. Therefore, paragraph 34 should be amended as follows: “Where financial sector operators use features to automatically read information from documents, such as Optical Character Recognition (OCR) algorithms, Machine Readable Zone (MRZ) verifications or reading of a chip, those tools should be sufficient to ensure that information is captured in an accurate and consistent manner.”
On 4.4 paragraph 38:

Whenever possible, remote onboarding systems shall verify the revocation status of official documents (lost/stolen etc.), which entails that the entities that have issued such official documents give access to this information to remote onboarding systems. In addition, the list of official documents supported by the remote onboarding system should be declared. Such requirement seems to be missing.

On 4.4 paragraph 39:

The following statement seems unclear: “[…] financial sector operators should make sure that the biometric data have enough uniqueness to be unequivocally referable to a single natural person […]”. As the biometric data is indicated on the submitted identity document (pursuant to the last sentence of the criteria), it is deemed as providing enough uniqueness to be unequivocally referable to a single natural person by the identity document issuer. This requirement rather applies to the identity document issuer, not to the financial sector operator that uses what is available on the identity document.

On 4.4 paragraph 40:

Liveness detection should always be required to avoid any attempt to impersonate the legitimate holder. Those attempts may stem either from presentation attacks (e.g. where the attacker wears a mask, or present a photo of the genuine holder to the remote onboarding system) or video injection when transferring the acquired biometry to the remote onboarding system (e.g. the acquired image or video of the holder portrait is replaced by another one coming from another person or generated using deep fake). In the near future, these attacks will become more and more accessible and easy to achieve, in particular video injection combined with deep fake. Therefore, it is important to ensure that all remote onboarding systems are designed to detect these attacks, which justifies always requiring liveness detection.

Besides, for the very same reasons, liveness detection (of the documents) shall also apply to and be required for the acquisition of documents being presented to ascertain someone’s identity, unless its chip is exploited for that purpose (access to the reference portrait and identity information).

Overall, physical documents are involved, the methods envisaged in points 43 and 44 should be the norm. What kind of alternative to 43 and 44 does the EBA consider?

On 4.4 paragraph 43:

These requirements shall apply equally to the face of the applicant and to the acquisition of the official document where the reference portrait is printed, unless its chip is exploited to retrieve such portrait. Besides, as discussed above, liveness detection shall also be mandated both when capturing the portrait of the applicant and the official document (unless its chip is exploited to get access to the reference portrait and identity information).

On 4.4 paragraph 44:

The risk of impersonation remains true in the case of video conference. Deepfake combined with video injection or masks could also be used to deceive the remote operator. Therefore, liveness detection shall also be made mandatory in such cases. Indeed, it shall also apply both for the portrait of the applicant and the acquisition of the official document, unless its chip is exploited to retrieve the reference portrait.

On 4.4 paragraph 47:

It seems this statement refers to qualified signatures/seals rather than to qualified trust services (e.g. preservation or timestamping would not help here). Therefore “qualified trust services” should be replaced by “qualified signatures/seals”.

In addition, it seems the concepts of digital identity and qualified trust services are largely mixed up: “[…] to digital identity issuers to identify and verify the customer, which are qualified trust services in accordance with Regulation (EU) N° 910/2014.”. It results in a major confusion in the criteria as digital identity issuer and qualified trust services are two different concepts, which are not ruled by the same provisions in the eIDAS Regulation. These criteria should be reviewed accordingly.

Besides, Eurosmart does not fully agree with the fact that using qualified trust services (or qualified signatures or seals) would allow not to apply criteria 38 to 45. These criteria shall still be met by the qualified trust service provider in the course of the enrolment leading to the delivery to the user of the qualified certificate for signature or seal. The fulfilment of these criteria shall be met, and their fulfilment by the qualified trust service provider shall also be verified.

Regarding Digital Identity, the Level of Assurance (LoA) to be met shall be mentioned. Eurosmart recommends the Digital Identity means to meet the LoA “High”. Also, Eurosmart recommends only considering digital identity schemes (aka electronic identification schemes) that have been notified under the eIDAS Regulation.
On 4.5 overall:
First, as stated earlier, the terms “Digital Identities” should be replaced by “Digital Identity means”.
Secondly, section 4.5 could be much simpler, while ensuring a high level of trust in the process: section 4.5 should simply state that Digital Identity means for remote customer onboarding should be issued under a notified electronic identification (eID) scheme with a Level of Assurance “High” pursuant to the eIDAS Regulation. Notification implies that the eID means at stake have undergone a thorough evaluation, including a peer review by other Member States. Therefore, it is a guarantee of trust across borders.
Accepting other types of eID means (non-notified) will always imply that fragmentation remains; it limits the possibility for an EU citizen to use the (non-notified) eID means across borders and it limits the level of trust in the reliability of the (non-notified) eID means at stake.
It is true that not all Member States have notified an eID scheme with a Level of Assurance “High”. However, more and more Member States continue notifying eID schemes (see: https://ec.europa.eu/digital-building-blocks/wikis/display/EIDCOMMUNITY/Overview+of+pre-notified+and+notified+eID+schemes+under+eIDAS).
Moreover, with the ongoing revision of the eIDAS Regulation, every Member State will notify an eID scheme with a Level of Assurance “High” in a near future. With this revision, every citizen and business in the EU will also be able to use a European Digital Identity Wallet issued by Member States. Citizens and businesses could use this Wallet to identify and authenticate online and share additional attributes, including financial and company data. Therefore, the EBA’s guidelines should take this evolution into account.

The European Digital Identity Wallet will provide strong guarantees in terms of cybersecurity, reliability and privacy. This Wallet will be notified by every Member State as an eID means with Level of Assurance “High”. Therefore, ultimately, notified eID means with Level of Assurance “High” (e.g, the Wallet, electronic identity card with a reader or via NFC) should be the favoured way for remote customer onboarding -at least for EU citizens and businesses.
The ongoing revision of the AML rules, in particular the proposal for an AML Regulation, seems to take this evolution into account. The new AML Regulation (proposal) only considers “the use of electronic identification means and relevant trust services as set out in Regulation (EU) 910/2014” in Article 18(4).

In the transition period, before all Member States have notified an eID schemes with Level of Assurance “High”, alternative options should come with additional safeguards (video call, additional pictures etc.).

Overall, the guidelines should be future proof, so that they can easily be re-used for the future AMLR and eIDAS frameworks.

On 4.5 paragraph 48:
It seems this statement refers to qualified signatures/seals rather than to qualified trust services (e.g. preservation or timestamping would not help here). Therefore “qualified trust services” should be replaced by “qualified signatures/seals”.
In addition, it seems the concepts of digital identity and qualified trust services are largely mixed up. It results in a major confusion in the criteria. This statement is very confusing as digital identity issuer and qualified trust services are two different concepts, which are not ruled by the same provisions in the eIDAS Regulation. These criteria should be reviewed accordingly.
Moreover, Eurosmart recommends only considering digital identity schemes that have been notified under the eIDAS regulation with a Level of Assurance “High”.

On 4.5 paragraph 50:
It seems the concepts of digital identity and qualified trust services are largely mixed up. It results in a major confusion in the criteria. This statement is very confusing as digital identity issuer and qualified trust services are two different concepts, which are not ruled by the same provisions in the eIDAS regulation. These criteria should be reviewed accordingly.
Moreover, Eurosmart recommends only considering digital identity schemes that have been notified under the eIDAS regulation with the Level of Assurance “High”.

On 4.5 paragraph 51:
A clear definition of what is meant by “strong authentication” is missing. In addition, the usage of a strong authentication is only a recommendation while it should be a requirement in order to ensure consistency in the overall security. Eurosmart proposes to change the criteria as follows: “Financial sector operators should ensure that when the customer is onboarded using their digital identity this occurs in a secure environment. An authentication meeting the requirements of the Level of Assurance “High” pursuant to Regulation 2014/910 and Implementing Regulation 2015/1502 shall be applied when verifying their digital identity.”

On 4.5 paragraph 53:
The criterion is unclear. What is meant exactly by “electronic certificates”? Does it refer to electronic signature or seal? Does it refer to electronic identity scheme using authentication certificate? The second sentence seems to imply that here the criterion refers to electronic signature or seal.
Besides, when electronic certificates are used, the whole process that led to the delivery of these certificates to the user shall also be controlled as it has direct impact on the quality of the Digital Identity means and the binding of person identification data with the user. The criteria applicable to the trust service provider delivering these certificates shall be clearly identified, and compliancy with them shall also be clearly mandated.
On 4.6.1 paragraph 56:

Third party’s CDD remote customer onboarding processes and procedures should be “equivalent to” and not only “sufficient and consistent with” the financial sector operator’s own CDD policies and procedures. “Sufficient and consistent with” could be interpreted in a way that downgrades the overall security level of the customer onboarding process. The term “equivalent” already leaves some flexibility, as it means that third party’s CDD processes and procedures do not have to be exactly the same. Therefore, the terms “sufficient and consistent with” should be deleted from 56(a).

On 4.6.2 paragraph 58 point a:

Certification performed by an independent third party should be leveraged as a means for the outsourcing provider to demonstrate compliance with the outsourcing agreement. Therefore, the last sentence should be changed as follows: “This should be achieved through certification performed by third party, regular reporting, ongoing monitoring, on-site visits or sample testing;”

On 4.6.2 point 59:

Clear provisions regarding the territoriality of data should be set. It is of the utmost importance to require storage and processing of these data in the EU soil only, in a manner that protects these data from any access from an entity located outside of the EU (no extraterritorial interference). This requirement is instrumental to ensure a high level of protection of data, in particular for legal persons whose data do not benefit from the protection of the GDPR.
On 4.7 paragraph 63:

When referring to “qualified website authentication certificates” (QWACs), the guidelines should add “as defined by the eIDAS Regulation 910/2014”. Eurosmart strongly supports the use of QWACs (qualified website authentication certificates). Therefore, in order to promote their usage, as enacted in the proposal for eIDAS 2, the use of QWACs shall be made mandatory for financial sector operators or outsourcing providers when providing remote onboarding.
Eurosmart