E-IDENTIFICATION EBF POSITION & RECOMMENDATIONS


10 November 2016 EBF_

More than 315 million Europeans use the internet every day, yet less than 4% of online services are offered across national borders. Making the EU's single market fit for the digital age is a strategic priority, and setting the right regulatory framework is vital if Europe is to seize this opening and foster the development of global digital players. In the financial sector, the changing expectations and behaviour of customers in the digital era and the uptake of online and mobile services represent a new challenge, as well as an opportunity to reach millions of new customers digitally. Boosting economic growth and removing the barriers to e-commerce and electronic banking while preserving trust and security should be one of the main priorities of the European Commission's Digital Single Market Strategy.

Many positive opportunities are provided by the Regulation on electronic identification and trust services for electronic transactions in the internal market adopted on 23 July 2014 (eIDAS). It is an important enabler for secure cross-border electronic transactions: it permits citizens to use their own national electronic identification schemes (eIDs) to access public services in other EU countries in a seamless, faster and secure way, and creates a recognised legal framework for the use of electronic trust services. For the financial sector, eIDAS presents huge opportunities in terms of rapid customer onboarding, the capacity to engage contractually with new customer markets across borders in a secure environment, and reduced fraud and operational costs. For banks and other players in financial services, it is critical to improve the customer experience by developing innovative products and services adapted to customers' needs while preserving trust and security.

European Banking Federation aisbl, Brussels / Avenue des Arts 56, 1000 Brussels, Belgium / info@ebf.eu. Frankfurt / Weißfrauenstraße 12-16, Frankfurt, Germany. EU Transparency Register / ID number:

However, even if the eIDAS Regulation creates an interoperability framework under which national eID systems are recognised by public bodies across the EU, it remains up to Member States to define: a) the electronic identification schemes, and the information embedded in them, established for their citizens; and b) the terms on which the private sector may access the online authentication of government eIDs. We believe that sufficient uptake in the private sector is one of the critical elements in ensuring the success of the eIDAS Regulation, and both of the above-mentioned points may lead to a lack of true cross-border interoperability of national eIDs. Further consideration should be given to the following objectives to allow citizens and businesses to benefit fully from the Digital Single Market and to ensure equal access to products and services for all citizens.

Currently we observe inconsistencies between eIDAS, which promotes e-identification as a way to access online products and services and carry out online transactions securely, and the 4th AML Directive, which favours face-to-face customer due diligence and treats a non-face-to-face relationship as "high risk" (thus requiring Enhanced Due Diligence). In view of this, we welcome the European Commission's proposal amending the 4th Anti-Money Laundering Directive (AMLD) [1], which provides for the identification of customers and the verification of their identity on the basis of electronic identification means. The reference to Regulation (EU) 910/2014 (eIDAS) is a step in the right direction. Nonetheless, certain legal uncertainties may remain and an uneven playing field might arise in practice. As mentioned, it is up to the Member States to define the electronic identification schemes that will be available at national level for their citizens, and at present there is a lack of clarity around the implementation of electronic identities in the Member States.

This may mean that citizens in certain Member States can and will be able to access the digital single market fully, whilst in other Member States they will not: in some Member States an eID solution will be available, in others it will not. This will lead to an uneven playing field for citizens and service providers.

Other factors could also substantially weaken the capacity of EU banks to operate effectively cross-border. A clear example is the current divergence in the implementation of the AMLD across Member States. A more consistent approach would enhance security for the whole digital market and at the same time help ensure a level playing field for financial entities wishing to operate across European markets. For instance, in relation to remote onboarding of customers, some Member States allow non-face-to-face identification by videoconference while others do not. As a result, financial institutions in the former can initiate distance banking relationships (including cross-border ones), whereas institutions in the latter are prevented from doing so in their own jurisdictions because face-to-face identification is still required. In terms of establishing best-practice standards for the identification of a bank's new customers, it is paramount to create an environment in which national authorities and the financial sector can collaborate efficiently at European level and share best practices irrespective of national interpretations.

[1] Proposal for a directive of the European Parliament and of the Council amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directive 2009/101/EC, /0208 (COD)

Even though the eIDAS Regulation creates a coherent framework, we believe its impact will be seen later, in the longer term, as more electronic identification schemes are notified and digital services are promoted and adopted by Member States. The financial services sector needs to address customers' digital expectations in the short term, and therefore must be able to employ other secure and robust processes, approved by national competent authorities and outside eIDAS, for the remote identification of customers (digital onboarding). This possibility should also be contemplated in the amended AMLD. A truly Digital Agenda must keep the door open to new technologies, standards and processes.

With the obligation for Member States to recognise eIDAS-notified digital identities for access to public services becoming mandatory in 2018, attention is increasingly focused on making digital onboarding a reality for retail banking customers. In order to boost the uptake of eIDAS, as well as the digitalisation of the financial sector, this working paper presents the challenges for the banking sector and proposes key recommendations on the issues identified, with the intention of facilitating cross-border access to online financial products and services for EU citizens. The recommendations are developed further in this paper with a focus on three points:

1. Identification papers provided by the customers and remote authentication/validation processes;
2. Access to eIDAS schemes and the consistency between eIDAS and other legislation; and
3. E-ID lifecycle management.

KEY RECOMMENDATIONS

- Actively encourage Member States to develop electronic identification schemes for their citizens and ensure full access to these schemes by the private sector.
- Enlarge the basic eIDAS identity attribute set to include additional attributes required for client identification in the financial sector (for example, making the customer's address mandatory and allowing banks to validate ID documents digitally). This would be of great value and would make the publicly built solution very attractive by reducing some of the effort and cost involved in data verification.
- Amend article 13 of the proposal amending the 4th AML Directive, and other related articles, so that the AML Directive includes any other remote identification processes recognised and approved by the competent authority: "Customer due diligence measures shall comprise: identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, as set out in Regulation (EU) No 910/2014, or any other remote identification processes recognised and approved by the competent authority."

- To promote cross-border interoperability in the banking sector and ensure a level playing field across Member States (and possibly beyond, in EEA countries and Switzerland), we recommend leveraging the work carried out under the Connecting Europe Facility programme by reusing the eID Digital Service Infrastructure (DSI) and setting up a financial-sector-specific DSI. This DSI could investigate the needs of the sector regarding digital onboarding, with the objective of establishing good practices in countering money laundering, and identify the elements and attributes required to ensure the portability of Know-Your-Customer (KYC) data. The resulting work could then be used by national authorities as a benchmark in their dealings, with the aim of promoting cross-border activity in the financial sector and guaranteeing a common level playing field across Member States.
- In order to facilitate remote validation of identification documents, the issuance of electronic identification documents such as biometric passports should be encouraged.

1. IDENTIFICATION PAPERS PROVIDED BY THE CUSTOMERS AND REMOTE AUTHENTICATION/VALIDATION

Know-Your-Customer (KYC) requirements, mandated by the existing Anti-Money Laundering (AML) rules aimed at preventing money laundering and the financing of terrorism, require banks to complete the following activities when onboarding a customer:
- Establish the identity of the customer;
- Understand the nature of the customer's activities (the primary goal being to satisfy itself that the source of the customer's funds is legitimate); and
- Assess the money laundering risks associated with the customer for the purposes of monitoring the customer's activities.

The AML rules tend to assign a higher degree of accuracy to face-to-face identification and treat non-face-to-face interactions as carrying a higher degree of risk. In practical terms, for identification purposes the customer needs to present the necessary documents to prove his or her identity. Since 2011, all Member States have issued biometric passports equipped with enhanced security features for verifying the holder's citizenship. A biometric passport has intricately designed pages, complex watermarks and a contactless (Near-Field Communication, NFC) chip. The chip stores the same holder data that is printed on the passport's photo page, together with digital signature data that allows that content to be verified. It also includes a digital photo of the passport holder, which could facilitate biometric comparison using, for example, facial recognition technology. Biometrics are considered more personal and reliable than a passport photo or a PIN, as they use personal traits such as facial or iris maps and fingerprints as primary identification features.

These biometric features were accepted by the International Civil Aviation Organization (ICAO) after analysing multiple other biometrics, including retinal scans [2]. The chip can be read with a suitable device and could help banks validate the details given by the customer. The Radio-Frequency Identification (RFID) chip present in passports is a good starting point for verifying that the document is genuine and that the information in the chip is consistent with the printed information. Note that a chip read proves the document genuine only if the chip's digital signature is verified against the issuing state's signing certificate; chip contents that merely match the printed page could have been copied from a genuine document. Today, many tools are available to check ID documents, and they may be much more effective than simple human verification. Nonetheless, a critical point in the entire identification chain is the issuance of machine-readable documents to facilitate the authentication process (valid for face-to-face but especially for remote situations). In face-to-face identification, properly trained staff can detect falsified papers and identify the customer by facial recognition, visually comparing the customer with the photograph on the document. Yet in a cross-border onboarding context, or when onboarding nationals of other Member States with ID documents issued in other Member States, the skill set required becomes more difficult to master at bank level.

In the case of remote identification, the parties are on different premises and engage via an interface. Technological advances allow these interfaces to be sufficiently secured, and to have enough definition, for a human to perform the visual recognition remotely. Video recording is already accepted as an option in certain Member States such as Germany and Spain. That said, by leveraging new technologies it could be argued that identification is also viable remotely without human visual intervention: current devices have enough sensors and data fields to gather sufficient data and, together with morphological (face-shape) technologies, can determine both the authenticity of the document and that its holder is its rightful owner.

RECOMMENDATIONS
- In order to facilitate validation of identification documents: encourage the use of official electronic documents such as biometric passports.
- In order to facilitate digital onboarding: recognise remote authentication methods for a document, such as video recording.
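The consistency check described in this section, comparing the data printed in the passport's machine-readable zone (MRZ) with the copy held on the chip, as an added worked example. It is not part of the EBF paper and is not any bank's or vendor's code. It validates the ICAO 9303 check digits of a two-line TD3 passport MRZ and then diffs the printed fields against the MRZ held in the chip's data group 1 (DG1). Assumptions: the MRZ is the ICAO Doc 9303 specimen for the fictional state "Utopia"; the chip contents are a constructed stand-in (a real read must first open the chip with BAC or PACE and perform passive authentication of the signed data, otherwise the comparison proves nothing about genuineness); the function and constant names are the example's own.

```python
from dataclasses import dataclass, fields

# ICAO 9303 check-digit weights, applied cyclically from the first character.
WEIGHTS = (7, 3, 1)


def char_value(c: str) -> int:
    """Numeric value of an MRZ character: digits as-is, A-Z -> 10..35, '<' -> 0."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> int:
    """Weighted sum of the field's character values, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


@dataclass(frozen=True)
class Td3Mrz:
    issuing_state: str
    surname: str
    given_names: str
    document_number: str
    nationality: str
    birth_date: str   # YYMMDD
    sex: str
    expiry_date: str  # YYMMDD
    optional_data: str


def parse_td3(line1: str, line2: str) -> Td3Mrz:
    """Parse a two-line TD3 (passport) MRZ; raise ValueError if a check digit fails."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    if line1[0] != "P":
        raise ValueError("document code does not denote a passport")

    # (description, protected field, check digit printed directly after it).
    # The composite digit covers positions 1-10, 14-20 and 22-43 of line 2.
    checks = [
        ("document number", line2[0:9], line2[9]),
        ("date of birth", line2[13:19], line2[19]),
        ("expiry date", line2[21:27], line2[27]),
        ("optional data", line2[28:42], line2[42]),
        ("composite", line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    ]
    for what, field, printed in checks:
        # An all-filler optional field may carry '<' in place of '0'.
        if printed == "<" and field.strip("<") == "":
            continue
        if printed != str(check_digit(field)):
            raise ValueError(f"{what} check digit does not match")

    surname, _, given = line1[5:].rstrip("<").partition("<<")
    return Td3Mrz(
        issuing_state=line1[2:5],
        surname=surname.replace("<", " "),
        given_names=given.replace("<", " "),
        document_number=line2[0:9].rstrip("<"),
        nationality=line2[10:13],
        birth_date=line2[13:19],
        sex=line2[20],
        expiry_date=line2[21:27],
        optional_data=line2[28:42].rstrip("<"),
    )


def printed_vs_chip(printed: Td3Mrz, chip: Td3Mrz) -> list:
    """Names of the fields on which the printed page and the chip's DG1 disagree."""
    return [f.name for f in fields(Td3Mrz)
            if getattr(printed, f.name) != getattr(chip, f.name)]


def verify(printed_lines, chip_lines):
    """(consistent, differing_fields); consistent is False on any check-digit failure."""
    try:
        printed = parse_td3(*printed_lines)
        chip = parse_td3(*chip_lines)
    except ValueError:
        return False, []
    diff = printed_vs_chip(printed, chip)
    return not diff, diff


# Constructed sample input: the ICAO Doc 9303 specimen MRZ for the fictional
# state "Utopia", with valid check digits, standing in for the printed page.
PRINTED_LINE1 = "P<UTO" + "ERIKSSON<<ANNA<MARIA".ljust(39, "<")
PRINTED_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

# Constructed stand-in for the chip's DG1, which holds a copy of the MRZ.
CHIP_DG1 = (PRINTED_LINE1, PRINTED_LINE2)

# Constructed tampering cases: a surname altered on the printed page (no check
# digit protects line 1), and an expiry year altered without fixing its digit.
TAMPERED_LINE1 = "P<UTO" + "ERIKSSEN<<ANNA<MARIA".ljust(39, "<")
TAMPERED_LINE2 = "L898902C36UTO7408122F1304159ZE184226B<<<<<10"

if __name__ == "__main__":
    print(verify((PRINTED_LINE1, PRINTED_LINE2), CHIP_DG1))   # (True, [])
    print(verify((TAMPERED_LINE1, PRINTED_LINE2), CHIP_DG1))  # (False, ['surname'])
    print(verify((PRINTED_LINE1, TAMPERED_LINE2), CHIP_DG1))  # (False, [])
```

The two tampering cases show why both checks are needed: the name line carries no check digit, so an altered surname passes the arithmetic and is only caught by the chip comparison, whereas an altered expiry date with a stale check digit is rejected before any comparison. A passport with no chip, or a chip whose signature does not validate, should be routed to manual review rather than treated as "consistent".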

2. CROSS-BORDER ACCEPTANCE AND ACCESS TO DIGITAL IDS FOR THE PRIVATE SECTOR

The eIDAS Regulation clearly presents e-identification and e-signatures as a new opportunity to facilitate the establishment of non-face-to-face business relationships. A digital identity issued under a recognised national scheme that satisfies the verification requirements of the European AMLD could be used to make opening a bank account easier, particularly for the growing number of people arriving in a Member State. Benefits might be achieved in the customer journey and in the ease with which a bank can meet its digital onboarding obligations. This is true i) with the reuse of home-State national digital ID schemes across the public and private sector (already the case in a number of states), and ii) with the use of other Member States' digital ID schemes, developed to and adhering to the security standards in the eIDAS Regulation, for opening accounts at a distance or cross-border. It is especially true where customers have no biographical footprint because they have recently arrived in the country in which they want access to banking products and services, and it is unlikely that their identity can be verified locally. Divergent implementation and development of electronic identities across the European Union will inevitably create inequalities among its citizens and substantially weaken the capacity of the EU to become a united global reference in the digital era.

Access to digital IDs

Only electronic identification schemes that have been notified by Member States to the European Commission are accepted through the eIDAS gateway. A country is not obliged to establish a scheme, or to notify an existing one. Thus an EU country may decide to continue using its national identification system for access to its own public services without notifying it, thereby leaving its citizens without a means of accessing public services in other countries.

Conversely, a Member State may use its national identification system for access to private sector services, whether at home or abroad. This provides little certainty for the private sector when considering the use of digital ID, and may cause confusion among customers if coverage is only partial across the EU. For the eIDAS system to work smoothly at European level, each country should be required to notify the European Commission of at least one of the schemes it has established, and to adhere to a minimum set of security standards. Cross-border acceptance of digital IDs by the private sector should be possible, with complete access to any public eIDAS infrastructure once a scheme has been developed, so that eIDAS-derived or other national digital identity schemes are made accessible for the private sector to reuse with no unnecessary barriers to access. Access to digital identities for consumers should also be considered. Experience to date is that the Substantial level of assurance (LoA2) bar may be set too high for many applicants to achieve at present; in several Member States many applicants fail to meet the requirements (for instance in the Verify scheme in the UK). This substantially limits the market opportunity, and may particularly affect those already financially or otherwise excluded.

Cross-border liability / reliance issues

The eIDAS Regulation includes provisions on liability for notifying Member States, which private sector service providers could take into account when considering whether to rely on digital identities under notified schemes, or on identities that otherwise meet required levels of authentication. The key issues of liability and reliance, specifically for private sector reuse of digital ID schemes under eIDAS, have not been addressed to date. This is a potentially complex discussion that will need to be settled before digital IDs developed under the eIDAS standards become reusable internationally by private sector firms. Furthermore, a technical protocol (for instance based on the existing STORK work) will be necessary to ensure the technical interoperability of electronic identities and signatures.

Cost and commercialisation of eIDAS

The question of commercial models for the reuse of digital IDs under eIDAS remains unclear. Identification and authentication are free of charge for an online service provided by a public sector body, but Member States remain free to decide how they establish the regime applicable to the private sector.

Ensure consistency of European Union and national obligations with the promotion of customer digital onboarding

Even though the eIDAS Regulation can bring a coherent framework for e-identification services in the long term, the recognition of notified electronic identification schemes under eIDAS will only become mandatory in September 2018 (notification and recognition of notified eID means by Member States started on a voluntary basis in September 2015). This may bring unacceptable delay from the customer onboarding perspective. There are currently widely used, sufficiently secure and operable services which are not, and might never be, notified under eIDAS. A truly Digital Agenda must keep the door open to further progress.

In the context of the revision of the 4th AMLD it should be ensured that current and future processes and services outside the scope of eIDAS can be accepted under the revised AMLD, at least when they are approved by the competent authority. Consequently, we ask the European Commission to take an even bigger step forward on the Digital Agenda and incorporate this possibility into the current amendment of the 4th AML Directive.

Implementation of the Anti-Money Laundering Directive (AMLD) varies between Member States, and Know-Your-Customer (KYC) practices and approaches are not consistent across the EU when it comes to different products and customer segments. A consistent transposition of the 4th AML Directive across the European Union, and a consistent approach to KYC requirements, is central to facilitating full deployment of retail financial services in the digital single market. As things stand, it is not possible to determine fully the impact that cross-border acceptance of digital identities will have on a financial services single market. Hence there is a need to assess, and perhaps address, the lack of harmonisation in how the 4th AMLD is transposed and in the provision of supporting guidance. This could be

carried out under the Connecting Europe Facility programme, by reusing the eID Digital Service Infrastructure (DSI) and setting up a financial-sector-specific DSI. This DSI could in particular look into the needs of the sector with regard to digital onboarding, with the objective of establishing good practices in countering money laundering, giving practical guidance on the interpretation and implementation of the AML directives and identifying what is required to ensure the portability of KYC. The guidance issued by the working group would have quasi-legislative status, in that it would be used by national authorities as a benchmark in their dealings, with the aim of promoting cross-border activity in the financial sector and ensuring a common level playing field across Member States.

In this context, relevant data protection issues should also be considered: financial entities are not allowed to use without restriction the AML data of a customer acquired by a company of the same group located in another Member State. What is more, in some Member States the exchange of data for AML purposes among independent banks operating in the same or different Member States is not allowed except under specific circumstances, based on national law and/or customer consent.

Data provision: matching digital ID attributes with banks' KYC/AML requirements

eIDAS scheme-derived information provides only some of the information banks require to fulfil their AML and risk-based onboarding requirements. Some information vital to banks' KYC process is included only as optional attributes under eIDAS. KYC processes require a number of further data points and checks, e.g. for AML regulation, Politically Exposed Persons (PEP) screening, and creditworthiness under banking law. Under eIDAS, therefore, digital IDs will provide only a partial solution to the overall KYC obligations.

There is further potential inconsistency between the General Data Protection Regulation (GDPR), which restricts the processing of personal data and the use of data analytics, and banking regulations on fraud prevention and the sharing of fraud data. Privacy issues also arise at Member State level in sharing or processing customer data, e.g. for video recording sessions, for customer identification (which could have an impact if a common database is used), and for customer involvement in fraud cases. It is highly important that the GDPR is implemented in the same way in all Member States; otherwise it could create competitive distortions, especially in the use of data or biometrics. Some specific existing national laws (e.g. a requirement for a face-to-face meeting to open a new account) may affect the ability to accept non-face-to-face derived digital IDs (such as those provided under the Verify scheme in the UK), where specific actions such as video recording might not be allowed during a non-face-to-face account opening process.

Other challenges

For banks that rely on a risk-based approach to onboarding, the standards-led ("black box") approach under eIDAS will challenge banks' current obligations to record the verification processes they have undertaken (e.g. scans of passports kept as a record). In some states, banks may not be aligned with the regulations that underpin the verification process.

Biometric techniques (voice recognition, facial recognition, digital fingerprints), together with protocols based on blockchain (distributed ledger) systems, should contribute to the optimisation and universalisation of authentication, avoiding identity theft and misuse and, consequently, the high costs and bad experiences for customers in these processes (AML, KYC). Progress must be made in the legislative treatment of such identity violations.

RECOMMENDATIONS

- Amend article 13 of the proposal amending the 4th AML Directive, and other related articles, so that the AML Directive includes any other remote identification processes recognised and approved by the competent authority: "Customer due diligence measures shall comprise: (a) identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, as set out in Regulation (EU) No 910/2014*, or any other remote identification processes recognised and approved by the competent authority."
  * Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, p. 73)
- To promote cross-border interoperability in the banking sector and ensure a level playing field across Member States, we recommend leveraging the work carried out under the Connecting Europe Facility programme, by reusing the eID Digital Service Infrastructure (DSI) and setting up a financial-sector-specific DSI which could, in particular, look into the needs of the banking sector regarding digital onboarding.

This financial-sector-specific DSI could investigate the needs of the sector with regard to digital onboarding, with the objective of establishing good practices in countering money laundering, and identify the elements and attributes potentially required to ensure the portability of KYC. The resulting work could then be used by national authorities as a benchmark in their dealings, with the aim of promoting cross-border activity in the financial sector and guaranteeing a common level playing field across Member States.

- In order to promote the adoption of eIDAS by banks, enlarging the basic eIDAS identity attribute set to include additional attributes required for client identification in the financial sector would be of great value (for example, making the customer's address mandatory).

eIDAS plays an important role in supporting economic growth in the EU by leveraging the ease, security and interoperability of digital cross-border services. For this reason, it is important that eIDAS finds fast and widespread take-up across industries throughout the EU.

A good push for eIDAS take-up is to facilitate its smooth adoption by the financial sector, which has an enormous digital footprint to make use of. For that, it is important that the identity attribute set that comes with eIDAS is in sync with the identity information set banks need when onboarding a customer under the AML legislation. The more complete the eIDAS attribute set, the more attractive the eIDAS solution, as this removes a large impediment and the effort required today from banks in collecting and verifying extra data attributes.

3. ELECTRONIC IDENTIFICATION LIFE CYCLE MANAGEMENT

Secure life cycle management of electronic identities (eIDs) is one of the key aspects of providing a trusted digital identity scheme, infrastructure and service. It should include processes and means for the issuance, re-issuance, delivery, suspension, reactivation and revocation of eIDs that are secure, effective and user-friendly for customers. The eIDAS Regulation does not create any obligations for the private sector, but it defines three levels of eID assurance in the Commission's Implementing Regulation (EU) 2015/1502 [3]. Each level differs from the others in the reliability, security and quality of enrolment, electronic identification means management, authentication, and management and organisation. It creates a set of European assurance levels (high, substantial and low) and sets out an interoperability framework.

a) Enrolment
This step is divided into several topics (point 2.1 of the Annex to the Implementing Regulation cited above). Probably the most important step is identity proofing, for both natural and legal persons. Enrolment also includes a section on the binding between the electronic identification means of natural and legal persons.

b) Electronic identification means management
It covers the following points:
- Characteristics and design (authentication and safekeeping of the eID);
- Issuance, delivery and activation;
- Suspension, revocation and reactivation;
- Renewal and replacement.

c) Authentication
This section focuses on the threats associated with the use of the authentication mechanism and lists the requirements for each assurance level.

d) Management and organisation
This section provides the elements needed in:
- General provisions;
- Published notices and user information;
- Information security management;
- Record keeping;
- Facilities and staff;
- Technical controls;
- Compliance and audit.

[3] Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

RECOMMENDATIONS

Electronic identity lifecycle management should be considered from the perspective both of the citizen and of the relying parties of the electronic identification:
- The uptake of eIDAS depends largely on the promotion of the scheme in each Member State (services made available, etc.) and on the usability of the scheme from the citizen's perspective. User experience must be a key focus in establishing the technical standards for the scheme.
- Regarding lifecycle management, and to secure the trust the financial sector requires in the reliability of the eID for identification purposes (fitness for purpose), a clear mechanism should be established to guarantee that each node actively manages fraudulent use of the eID, including the capacity to receive information from users and owners about identity theft and suspicious activity; effective suspension and reactivation of the eID; revocation; and issuance, delivery and re-issuance mechanisms. This also applies to the effective termination of an eID upon death, or proactive suspension of its use on behalf of the owner (e.g. through communication with the official bodies that receive death certificates).

About EBF

The European Banking Federation is the voice of the European banking sector, uniting 32 national banking associations in Europe that together represent some 4,500 banks, large and small, wholesale and retail, local and international, employing about 2.1 million people. EBF members represent banks that make available loans to the European economy in excess of 20 trillion and that securely handle more than 300 million payment transactions per day. Launched in 1960, the EBF is committed to creating a single market for financial services in the European Union and to supporting policies that foster economic

For more information contact:
Noémie Papp, Senior Policy Advisor - Digital & Retail, n.papp@ebf.eu