ID Verification with AutoIdent – meeting European regulations

In Europe, the rapid trend toward digitalization in daily life and banking has maintained pace with the rest of the world. Remote verification services such as IDnow provide a primary entry point to remote account opening, online banking, robo-advising, InsurTechs, and other products and services. Such digital trends represent a natural and organic disruption of traditional market offerings and services.

Fintech research revealed that nearly 71% of users prefer digital financial products over traditional banking. Such trends show no sign of slowing. McKinsey consultancy suggests that the COVID-19 pandemic pushed us seven years ahead in digital transformation.

The European verification ecosystem has developed a distinct flavor that favors customer privacy, security/trust, and convenience. It is clear to all parties that new identification methods have the potential to increase risks of fraud as traditional processes are expanded. Knowing this, regulators mandate that electronic verification processes must be “at least or more secure than a traditional face-to-face procedure.”

This mandate has been the bedrock of IDnow’s work and actions.

As a top-tier software solution provider, IDnow offers identification products that surpass the highest levels of security and fraud detection requirements within strictly regulated digital markets in finance and banking, insurance, telecoms, mobility, and other sectors.

As such, we feel that we have set a benchmark for security and accuracy standards.

Through this benchmark in our industry, we feel that we have a unique ability to support new legislation. This includes our participation in setting new technical specifications such as our work on ETSI TS 119-461 and continual work on identity verification standards with ETSI, FIDO Alliance, the W3C and other global organizations. Our collaboration and exchanges further support robust regulations and smart growth, which leads us to say:

Blocking the Identity Fraud gates with state-of-the-art verification technologies

We have witnessed relentless growth in fraudulent activity and increasing sophistication around it. Our AI-powered ID verification solution AutoIdent is based on optical technology, using Artificial Intelligence (AI) and Machine Learning (ML) technology to ensure secure identity verification.

AutoIdent provides access to the person who was identified in a seamless process, and there is no separate “Issuance, delivery, and activation” process necessary.

The system verifies that the video stream of the ID document has not been manipulated and captures a photographic record of the user with a “selfie.” The biometric verification confirms the document’s rightful owner, comparing the user to the ID document picture, enabling subsequent face comparison and checking that a natural person is in front of the camera through a “liveness detection.” The option exists to include an identification specialist to verify and review the data and results gathered from the AutoIdent solution.

Evolution of Identity Verification and regulation

Identity verification techniques and regulatory requirements for the application of remote proofing have evolved a great deal over the past 6 to 7 years.

More automated solutions gradually replace or support traditional manual onboarding and verification processes. Generally, video-based solutions, which came first, are now shifting to more automated biometric-based solutions.

Take, for instance, France, Switzerland, and Austria. These countries have introduced new legislation this past year, permitting more automated processes using AI and ML to support digital Know Your Customer (KYC) applications for their Anti-Money Laundering (AML) laws.

Harmonizing regulations in the EU while closing technical and regulatory gaps

While the rapid evolution of digital applications in both the public and private sectors has taken off, the need for regulatory harmonization within this changing landscape is essential across the EU and the Member States.

The EU issued recent regulations that address digitization, including the EU Cybersecurity Act (EU 2019/881) and the EU NIS directive (EU 2016/1148), amongst other regulations.

The EU released two new draft proposals that further take these rules into account. These include the latest draft proposal for the EU regulation 910/2014 on electronic identification and trust services (eIDAS) and the draft proposal for a new European AML Regulation presented earlier this year.

While the existing eIDAS regulation provides groundbreaking rules on electronic identification and trust services, technical and regulatory gaps result in fewer notified electronic ID schemes and fragmented cross-border interoperability across Europe.

The new proposal (EU regulation 910/2014 + new European AML Regulation) aims to address these gaps:

• The regulation offers EU citizens the choice of a digital identity that can be stored in a digital wallet.
• A user will be able to select which attributes they want to present for access to a specific product or service with the ability to store new attested attributes like a university degree.
• The Commission is preparing the technical and regulatory framework so users are able to access online and offline services with the wallet option.

Additionally, AML Regulations are foreseen at the EU level in the future. The Commission aims to harmonize better national AML regulations and better address fraud and enforcement criteria. It is expected that there will be a European AML Authority, new EU regulations on customer due diligence and beneficial ownership, and new rules concerning national supervisors and Financial Intelligence Units. These regulations will go into effect in the next few years.

Looking ahead toward a European digital ecosystem

Many of these regulations are part of a longer-term goal, the evolution and implementation of a European digital ecosystem. They are elaborate and set several ambitious objectives in the realm of digital services, markets, and application.

At the same time, digital identity proofing for Know Your Customer (KYC) and AML onboarding, or account processes, is still a relatively new practice. Though so much seems to have happened in this sphere, we must remind ourselves that it was only 2014 when Germany’s Federal Financial Supervisory Authority (BaFin) permitted VideoIdent for KYC use.

As such, this industry hasn’t yet achieved the collective presence in our minds as it will in the coming years. Identity proofing remains a fragmented concept operating under different definitions of digital identity, variations to national regulations, and competing technologies.

Developing AutoIdent to meet changing regulations

Using a solution that meets and keeps up to date with changing regulations is vital.

IDnow has moved to develop and expand its platform, offering a wide range of products. The experience and expertise we gained from VideoIdent has allowed us to develop new solutions with increased functionality. This includes products that offer fully automated biometric identity verification, the use of NFC technology and electronic signatures, and in development of a digital wallet for KYC screening for AML and non-AML requirements.

Let’s look at the Financial Services Industry. We can confidently claim that our KYC platform offering with AutoIdent in its core can serve even the most highly regulated markets and industries.

AutoIdent meets EU regulations for these use cases in many ways. The key areas include:

• Fully automated onboarding, with video backup. AutoIdent offers fully automated biometric identification of users, but also offers a hybrid (manual) alternative. This can be handled by internal or third-party staff. Regulations differ between countries regarding whether they allow verification to be fully automated or to have manual involvement. AutoIdent allows both – and its solution meets regulations in many countries, including Germany, Austria, Spain, the UK, and the UAE.
• Meeting 5AMLD and 6AMLD regulations for Anti-Money Laundering. Improving AML regulations have brought many new requirements. 5AMLD added a new focus on sources of finance, including pre-paid cards and cryptocurrencies. Earlier regulations introduced the concept of beneficial ownership, where the ultimate owners of legal entities are recorded centrally. AutoIdent fully meets the KYC and data collection requirements for this.
• AML screening functionality. Many financial services use cases also require AML screening. AutoIdent can be expanded to add fully compliant AML Screening & Monitoring. This includes checking Politically Exposed Person (PEP) and Sanction Lists. The identification of PEPs and carrying out enhanced due diligence and monitoring was a feature of 5AMLD.
• Issuing QES (Qualified Electronic Signature) as part of document signing. AutoIdent is certified by a conformity assessment body and is approved by an EU Member State National Regulator for issuing QES according to eIDAS Regulation Article 24 (1)d. This is standard across Europe and regulations are similar in the UK.
• Use of NFC technology. AutoIdent has the functionality to read biometric data from NFC chips. This is currently used to read German identity cards, but the solution can be easily expanded as it fully meets the global ICAO 9303 standard.

Differing regulations across Europe

The use of a fully automated verification solution differs considerably across jurisdictions.

To meet this, AutoIdent provides various modules to the product. At IDnow, we are fully aware of different regulations in use across the EU and the UK. While some areas are set at the EU level, there are many country-specific differences.

As just one example, to meet German AML laws to verify the identity of customers, an automated solution must include a Qualified Electronic Signature (QES) and a one-cent-bank transfer for remote onboarding.

European regulators’ adoption of automated or hybrid identity verification has expanded significantly in past years.

There is growing evidence that automatic techniques are more secure than manual ones in some areas (especially facial recognition, for example). The Financial Action Task Force (FATF) recently issued digital identity guidelines that support the use of automated identity verification.

Some of the leading countries allowing automated solutions include the Netherlands, Austria, Spain (with an element of video review), and Sweden (with manual review).

Germany has long been the most regulated market and it has now accepted an element of automation combined with a manual review (and the use of qualified electronic signatures). France allows the use of QES for bank account opening and stand-alone use of AutoIdent for verification – IDnow is currently undergoing approval.

IDnow believes that such a trend will be for more countries to permit automated biometric verification and AutoIdent is ready to handle this.

Meeting UK regulations

Since the UK is no longer part of the EU, it has different regulations. AutoIdent maintains compliance with each set of regulations. The UK has always taken a more deregulated approach and generally supports automated solutions. It is also one of the only countries that allows the use of biometric processes without the end user’s consent.

After withdrawal from the EU, the EU eIDAS Regulation was adopted into UK law, with a few differences. The UK introduced The Electronic Identification and Trust Services for Electronic Transactions Regulations in 2019.

One significant difference in the UK is the lack of a national identity card. If any solution is offered in the future, private providers will be more likely to be used. The UK regulations guide states that these should follow ICAO 9303 NFC standards, which will allow adoption into the AutoIdent solution.

Moving to a digital future

As mentioned earlier, trends are moving to portable identity to be reused in other domains and even into a form of self-sovereign identity. Technology companies will seize these opportunities to develop sector-specific solutions, products, and relationships with customers that allow for greater ownership of a user’s identity and its reuse.

New amendments in regulation, such as eIDAS, present game-changing possibilities and lay the foundation for a truly portable identity.

It is now incumbent upon businesses to work more actively with the EU, its member states, and regulators to bring the advantages of eIDAS into the private sector. Our understanding of this can be summarized as follows:

The future of digital identity is based on trust, reliability, and security

As we move closer to a person-centric digital identity, safety and accessibility will require initial identity verification grounded in trust, reliability and the ability to meet a minimum level of security.

The Commission recognizes the complexities around one aspect of the digital identity, namely digital onboarding. Part of producing the regulatory and technical framework ahead addresses interoperability, security, and innovation. Rapidly, digital identity is evolving beyond digital national identity schemes and best practices in customer KYC regulations.

IDnow supports and prepares for future evolutions in digital identities stored in wallets and their verification and authentication. It is equally essential to IDnow that we best serve the market’s current requirements and user expectations.

AutoIdent has been developed alongside these regulation changes and remains ready to support all current and future shifts. IDnow strives to be the best, offering innovative, competitive, and secure platforms.

Ultimately, digital identities and automated verification make things safer for verifying institutions and individuals.

Alongside offering security, creating a user experience with less friction and challenges is very important for financial institutions to increase conversion rates and maintain their brand. IDnow is at the forefront of development.

For a more in-depth look at AutoIdent, how it has evolved, and how it offers a well-thought-out balance between security and user experience, take a look at IDnow’s recent webinar.

Additionally, we can help in discussions addressing interoperability, innovation, and, most importantly – security frameworks.

Employing the most robust practical security measures is a strategy through which we believe the growth of our market segment will be achieved. The achievement will be based on trust.

By

Rayissa Armata
Head of Regulatory Affairs at IDnow
Connect with Rayissa on LinkedIn