Compliant eID Verification & Onboarding for Financial Institutions

This article discusses the benefits eIDs provide for both banks and customers in streamlining cross-border transactions and what is required under eIDAS for identity verification and client onboarding.

A Huge Potential of Efficiency Gain for Customers and the Bank

It can be difficult for many individuals or business owners to find time in their already busy days to travel to their bank or other financial institutions. For many, “bankers’ hours” are just that: hours that are mainly convenient for bankers. This makes it difficult, especially when customers need to sign important documents, including those for loans to purchase a home or vehicle, or to finance important capital purchases for their businesses.

While limited banking hours are frustrating for customers who need to sign documents, they can be equally frustrating for the financial institution because they can disrupt the efficiency of its business flows.

Often the steps needed to complete various financial processes are delayed while awaiting signatures.

This is extremely inefficient and, over the long run, costly for banks and other financial institutions that are in business to make money.

Being able to conduct banking and financial transactions online is beneficial to customers, banks, and other financial institutions, especially for cross-border transactions within the EU’s single market. It eliminates the need to travel to provide a signature for a financial document when it can be done online, which avoids delays and increases efficiency for all parties.

However, such a system requires a secure and trusted signing process that protects both individuals and their financial institutions. It is imperative that the online identification process used ensures that individuals are who they say they are to prevent fraud and other financial crimes such as money laundering. This is where the requirements of eIDAS come into play.

What Does eIDAS Require?

Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (eIDAS) came into effect on 1 July 2016. All Member States of the EU are required to adhere to this regulation to facilitate cross-border transactions. This regulation outlines the legal requirements and standards for procedures used to assure electronic identification through methods of authentication. Section 2.1.2 of eIDAS refers to the requirements for “Identity Proofing and Verification (natural person)” as applied to three levels of assurance: low, substantial and high.

1. Assurance Level Low:
  • The person is assumed to be recognized by his Member State as having applied for the electronic identity and is whom he claims to be.
  • The evidence of such is assumed to be genuine or exists and appears to be valid according to an authoritative source.
  • The authoritative source is aware that the claimed identity exists and assumes that the claimant is the same.
2. Assurance Level Substantial: where the requirements of Level Low must be met, in addition to one of the following alternatives:
  • The person has been verified by the Member State to be in possession of recognized evidence for the application and representation of the electronic identity, and that evidence has been checked to determine it is genuine and relates to a real person, and steps have been taken to minimize the risk in the event the person’s identity is not the claimed identity.
  • The person has presented an identity document during a registration process in the Member State in which it was issued that appears to relate to said person, and steps have been taken to minimize the risk in the event the person’s identity is not the claimed identity.
  • Procedures that were used previously by a public or private entity within the person’s Member State that provide the equivalent assurance to the issuance of electronic identification may be used when confirmed by a conformity assessment body or an equivalent body, e.g., trust provider.
  • Where a current valid notified electronic identification with an assurance level substantial or high already exists, an electronic identification may be issued without the need to repeat the identity proofing and verification processes. If the electronic identification has not been notified, a conformity assessment body or equivalent body, e.g., trust provider, must confirm the assurance level substantial or high.
3. Assurance Level High: where the person must have a Level Substantial identity as well as one of the following additions:
  • The person has been verified to be in possession of biometric or photo identification evidence that is recognized in the Member State where his/her application for an electronic identity means is made, and that evidence has been determined to be valid by an authority.
  • Procedures that were used previously by a public or private entity within the person’s Member State that provide the equivalent assurance to the issuance of electronic identification may be used when confirmed by a conformity assessment body or an equivalent body, e.g., trust provider.
  • Where a current valid notified electronic identification with an assurance level substantial or high already exists, an electronic identification may be issued without the need to repeat the identity proofing and verification processes. If the electronic identification has not been notified, a conformity assessment body or equivalent body, e.g., trust provider, must confirm the assurance level substantial or high.

Bridging the Gap Between eIDAS and AML-Directives

In addition to complying with eIDAS to confirm the identity of their customers, banks and financial institutions are also required to comply with the European Commission’s efforts to combat the threats of money laundering and terror funding with the 4th Anti-Money Laundering Directive (4AMLD). With electronic documents qualifying as valid documents, it is now easier and faster for banks to complete their Know Your Customer (KYC) and other related checks to confirm customer identities. This is a time saver, not only for banks and financial institutions but also for customers. Because eIDAS allows for cross-border validity of e-Identification, banks and financial institutions will find it easier to sell their financial products across national borders within the EU.

A Simple Onboarding Workflow

For the substantial assurance level, the process of onboarding a banking customer and verifying his/her identity is relatively simple and can be accomplished right from the customer’s laptop or another Internet-capable device:

  • The customer initiates the enrollment procedure from the bank’s secure website
  • The customer sends the information that consists of a minimum data set, including:
    • Customer’s current last name
    • Customer’s current first name
    • Customer’s date of birth
    • Unique identifier
  • To reduce the risk of fraud, the customer may be required to provide additional customer attributes that may include:
    • First and family name at birth
    • Place of birth
    • Current address
    • Gender
  • For due diligence, additional information may be required depending on the bank’s applicable national CDD (Customer Due Diligence) / KYC (Know Your Customer) rules
  • Notification of his/her eID under eIDAS takes place behind the scenes, which involves:
    • The customer’s eID being sent to the appropriate trust authority where it is then forwarded to his Member State’s eIDAS authority node
    • The Member State’s eIDAS authority node notifies the cross-border eIDAS authority node
    • The cross-border node requests the customer’s eID information
    • The information is received by the cross-border node that then sends it back to the originating Member State for verification
    • The customer’s information will be compared with the information already associated with his/her eID to determine whether (s)he is whom (s)he claims to be
  • If the information is verified, the customer is enrolled; if it is not verified, fraud may be suspected, and additional actions may be taken by the bank according to its nation’s applicable CDD (Customer Due Diligence) / KYC (Know Your Customer) rules.

Infographic: onboarding process in compliance with eIDAS, KYC and AML

Onboarding Process: High Assurance Level Requirements for Qualified Trust Services?

With some transactions, a higher level of security may be required to ensure the exchange of confidential data or to sign financial documents electronically; such may be the case with eIDAS’ high-level assurance as provided by qualified trust services.

Adding a qualified certificate from a qualified authority enhances the eID trust services to the highest assurance level. To obtain a qualified certificate, the customer would go through an identification process with an approved Registration Authority or Delegated Agent. This typically requires an initial face-to-face identification, as it is currently difficult (depending on country of origin) to provide a fully remote online identification process.

Upon successful identity verification, an electronic certificate will be issued that confirms the customer’s identity and their qualified eID for use with a range of high assurance trust services.  

This means that while the security and legal assurances of qualified trust services, such as Qualified Electronic Signatures, are required for certain use cases, the initial on-boarding process is more time consuming and costly compared to trust services at the substantial assurance level (such as advanced electronic signatures). It is therefore important to explore the assurance requirements of customers and the business case before deciding upon a suitable technology to support these requirements.

In some cases, it is preferable to implement a trust service that can serve both substantial and high assurance levels from the same technology stack.

 
