This consultation of the EBA is part of an evolving European regulatory context, in particular due to the forthcoming revision of the eIDAS Regulation: a draft text was published by the European Commission on 3 June 2021 and should be adopted this year. This new version of eIDAS will be the future European reference for standardising the qualification and certification frameworks for digital identity services and trust services (signature, archiving, etc.), regardless of the technology used.
This text provides in particular for the establishment of a reliable, cross-border European identity solution. However, the guidelines currently proposed by the EBA do not incorporate the latest advances in eIDAS, which aim to limit the fragmentation of identity solutions in Europe and of their uses.
The principle of a level playing field must be a prerequisite and a foundation of European law, and of these guidelines in particular. We therefore understand that the guidelines proposed by the EBA would apply during the transitional period, until the eIDAS 2 regulation is implemented, which raises the question of the reference framework to be used during that period.
Regarding the French regulatory context:
Among the additional vigilance measures provided for by the Monetary and Financial Code before entering into a remote business relationship, French credit institutions can now use an identity verification service operated by a PVID (remote identity verification provider) certified beforehand by ANSSI (National Agency for the Security of Information Systems). The PVID must meet the requirements of a standard established on the basis of the substantial assurance level of the eIDAS regulation, of which ANSSI published a first version in March 2021 (the PVID requirements framework can be consulted at https://www.ssi.gouv.fr/actualite/publication-du-referentiel-dexigences-applicables-aux-prestataires-de-verification-didentite-a-distance-pvid/). Unprecedented in Europe, this first framework could, thanks to its high requirements, serve as a common basis for converging identity verification practices and increasing their reliability.
Indeed, the choice of an identity verification solution should not rest with the institutions alone; the solution should be accredited or certified, or even provided, by the national authorities. While institutions must retain autonomy in choosing their solutions, they must comply with specifications and a common reference framework consistent with eIDAS and applicable in the 27 Member States.
Otherwise, we believe the level playing field will not be homogeneous within the European area, and the door will be left open to the use of any solution, including those of the GAFAM.
Response to question 1 :
The publication of these guidelines seems to us to follow a schedule out of step with the ongoing work on the eIDAS 2 revision presented in June 2021, and we hope that the EBA will anticipate as far as possible the framework provided by that revision when updating these guidelines.
We welcome the EBA's initiative to formalise policies and procedures in this consultation, as we share a number of its points, particularly on governance arrangements. We would, however, draw attention to the following points:
- It is important to consider the risk-based approach (e.g. which types of customers are concerned? legal entities? what about cross-border situations? The policy part would need to be developed, with a focus on the risk-based approach). This is especially important as the AML regulations identify risk factors, but on that basis each obliged entity has its own risk rating methodology, combining different criteria, with CDD measures depending on that rating. From that perspective, we consider that Article 29 would be better positioned in 4.1.1, as it deals with a risk-based policy for legal entities.
- In Article 10, it will be necessary to clarify and specify the expected level of human intervention.
- In general, we do not identify any specificities particular to entering into a remote business relationship in, for example, Articles 14 and 15.
- Article 18, relating to the evaluation by banks of the remote customer onboarding solution, cannot apply in France, since the choice of the operator is made on the basis of a solution certified against eIDAS requirements by an independent State body (ANSSI, National Agency for the Security of Information Systems). The guidelines therefore make no clear distinction between eIDAS solutions and others, unlike the CMF.
- Article 16 introduces a distinction between non-eIDAS solutions and eIDAS ones, the latter being certified by a government body and, as such, not subject to the assessment described in Article 15.
That distinction also applies to 4.1.1 Ongoing monitoring of the solution (Articles 19 to 24), and this should be made explicit in that subsection.
For Article 25, we propose referring to standards and metrics documents in addition to wording such as "readable format and with sufficient quality". These documents should serve as reference bases for the metrics and for compliance with the qualification or certification processes. Libraries of standards already exist on this subject at ISO (e.g. JTC1/SC31), CEN (e.g. TC224), ETSI (e.g. TS 119 461) and at national level (e.g. in France https://www.ssi.gouv.fr/uploads/2021/03/anssi-referentiel_exigences-pvid-v1.1.pdf).
As a reminder, a "standard" is a document that is the subject of a consensus within a community of interest. Today, standards are a vehicle for progress in the service of people and society. A standard, voluntary in essence, does not prejudice the market; on the contrary, it establishes a space of trust and reference on which to build the qualification of the service providers engaged in the process. Standards are now directly linked to European Regulations and Directives at the stage of Delegated Acts and Implementing Acts. The EBA should complete this document with the equivalent of Implementing Acts.
Concerning Article 25c and Article 26, the previous remarks also apply to the support that standards must provide. We would also highlight a point concerning the retention period of biometric data. In France, when a bank uses a service provider qualified by ANSSI (the National Agency for the Security of Information Systems), the biometric data remain stored by the service provider and are erased as soon as the identification process is completed. The bank can only produce the identification token issued by the service provider and cannot provide the biometric data themselves.
Article 39 : We ask the EBA to verify whether financial institutions may access the biometric data on identity documents: a priori, access to biometric identity data is not open to the private sector. Only the identity photograph visually displayed on the identity document may be processed.
Can the EBA confirm, regarding the use of biometric data contained on an official identity document:
1. That they may be used to check the identity of the natural person presenting himself as the holder of the identity document?
2. That the identity check consists of comparing a photograph of that person, taken at the time of the check, with the photograph of the holder affixed to the physical medium of the identity document?
3. That the use of biometric data recorded in electronic form in the chip of the identity document, including the photograph of the holder, is often subject to local/national regulations prohibiting access to these data by the private sector, including the banking sector, in which case the biometric data cannot be used for comparison with the photograph taken at the time of the identity check?
Article 43 : Can the EBA confirm that, during an identity check initiated by a banking institution:
1. The only usable biometric data is the identity photograph of the holder of the identity document?
2. That this photograph is usable because it is visibly affixed to the physical medium of the identity document being checked?
3. That access to biometric data recorded in electronic form in the chip of the identity document, including the photograph of the holder, is subject, for the private sector, to the national regulations in force in each EU country, so that these biometric data may not be usable for a comparison of photographs?
We propose deleting point d): identity cannot be verified by algorithms alone. A hybrid mode, with human verification, must be systematic for any remote identity verification that does not rely on an eIDAS digital identity. In addition, point d) is not compliant with the GDPR.
Article 44 :
Article 44 proposes a series of measures to be applied when video conferencing is used to verify the identity of the customer.
It should be made clear from the outset that the use of video conferencing, even when secured by appropriate measures, is not in itself sufficient to validate the remote verification of a person. The technological risks associated with the hijacking of video streams by increasingly sophisticated means (deepfakes) require multi-factor verification and a combination of enhanced vigilance solutions to confirm the verification carried out via video conferencing.
As such, the EBA guidelines should be more explicit about the means to be implemented and about the combinations of factors or enhanced vigilance solutions that actually make the use of video conferencing more secure and reliable.
For example, the French Monetary and Financial Code (CMF) has clearly placed remote identity verification procedures and providers (PVID) in the category of solutions that necessarily require combination with a complementary measure taken from a list of six (Art. R561-5-2), and relies on an ad hoc certification framework run by the National Agency for the Security of Information Systems (ANSSI). Outside this framework, the use of video conferencing solutions is simply not compliant with the CMF.
This PVID framework defines the practical arrangements to be implemented in order to address concretely the points of vigilance set out in these guidelines regarding video streams (a), the competence of the personnel involved (b) and the procedure for detecting fraud or attempted fraud (c).
Overall, the PVID requirements framework sets out precise requirements regarding:
1. Risk assessment and treatment (generic risks, identity theft, information systems, etc.),
2. Remote identity verification policy and practices (acquisition and verification of information, constitution of the evidence file, transmission of results, etc.),
3. Remote Identity Verification Service Activities
4. Protection of information
5. Provider organization and governance
6. Quality and level of service.
Certification and a regular re-certification cycle make it possible to guarantee the highest level of reliability and security for uses that rely on fast-evolving technology and whose risk exposure may go beyond banking expertise alone.
Link to PVID repository: https://www.ssi.gouv.fr/actualite/publication-du-referentiel-dexigences-applicables-aux-prestataires-de-verification-didentite-a-distance-pvid/
Article 45 :
Article 45 recommends the use of random actions to be carried out by customers, and even by the employees in charge of remote identity verification.
In the absence of precision or a common benchmark, these recommendations may again lead to significant differences in implementation between Member States, and therefore to significant differences in the reliability and security of remote identity verification.
As with our remarks on paragraph 44, the desire to guarantee an effective level playing field within the EU requires, in our view, a common reference framework on the adequacy of the random actions to be implemented in the remote identity verification process for dispelling doubts about the customer and, where applicable, the employee.
Referring again to the ANSSI PVID framework, the random actions performed by the customer during the remote verification process are effectively part of the certification of the entire solution.
These actions can be very diverse, but they at least address the need to confirm that the customer is live (liveness) during the video sequence.
As such, liveness verification must be a systematic obligation for any remote identity verification process that uses a video stream, regardless of the risk of the operation, because the risk of video stream hijacking is systematic.
In any case, random actions must not lead to identity verification by sampling. Even with a positive a priori result from automated processing, systematic human verification remains, to this day, mandatory in view of the technological risks inherent in remote identity verification processes.
Conversely, since some identity theft can be carried out with technologies that humans cannot detect, it also seems necessary to maintain the principle that an identity not validated a priori by automated controls on suspicion of fraud (as opposed to technical reasons) cannot be force-validated by an employee.
Article 46 :
Article 46 introduces the concept of enhanced due diligence measures, which should be conditional on risk assessment only.
Again, these measures refer neither to a specific reference framework nor to any certification or standardisation process. In this context, they may therefore be solutions that provide no particular guarantee a priori.
Similarly, by indicating that "one or more" of these measures could be implemented according to risk, the EBA considers that a single measure could suffice to comply with these guidelines, without this being applied homogeneously across the different Member States.
In this context, French banks are likely to have difficulty applying them, since the enhanced due diligence measures presented by the EBA in paragraph 46 coincide neither with those provided for in Article R561-5-2 of the French Monetary and Financial Code (CMF) nor with the obligation to combine at least two of them.
Among the measures proposed by the EBA, c) refers to the use of biometric data with access to reliable sources. Here again, the scope of application is far from easy to implement given the restrictions under the GDPR. It would be useful for the EBA to specify the reference framework that banks could rely on in relation to this regulation.
Article 47 :
Article 47 introduces a principle of exemption from the "authenticity checks" measures of Chapter 4.4 when financial institutions use eIDAS identity solutions.
To make these guidelines easier to read and apply, it would seem useful to place a dedicated chapter on the use of eIDAS identities at the beginning of the guidelines, presenting the resulting exemptions upfront (a priori) rather than at the end (a posteriori).
Furthermore, with regard to Chapter 4.4, we do not understand why the exemption covers only paragraphs 38 to 45 and not paragraph 46 as well.
For example, Article 461-5-1 of the French Monetary and Financial Code already treats the use of eIDAS identities of substantial or high level, or of identities certified by the national authority under the Postal and Electronic Communications Code, as equivalent to face-to-face identification and not requiring enhanced vigilance measures.
Article 52 :
Insofar as the bank uses electronic identities of substantial level, these verifications do not have to be performed by the bank but by the provider of the electronic identities, before they are issued. The very principle of using eIDAS electronic identities is that identity evidence no longer needs to be presented, because it underlies the electronic identity.
Article 60 :
With regard to the eIDAS regulation, and to identities that are equivalent under it, the use of digital identities to perform the initial CDD process (in full or in part) should not be considered an essential outsourcing activity under this section; financial sector operators should, however, apply Section 4.5 of these guidelines in particular.
It seems important to us to recall that the FATF guidance calls for a risk-based approach to digital identity verification, in relation to the purpose of the banking transaction concerned.
When it comes to IT risks, banks are already subject to IT security regulations (including the NIS Directive). The provisions of these guidelines should not add to existing regulations.
For actors not subject to these regulations, on the other hand, the provisions may be relevant to ensure a high level of consumer protection and of data security.
Some provisions do not seem easy to implement, namely the expectation that individual customers check the certificates of bank websites.