Response to consultation on draft Guidelines on the use of remote customer onboarding solutions

1. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

In section 1 (p.12) Financial institutions are addressed and in section 2 (p.13) Financial Sector Operators. Could you clarify the terms and their possible impact?
Definitions
• Digital identity: rephrase proposal: personal identification data into Personal Identifiable Information or Personal Identification Data Attributes
• Digital identity Issuer: rephrase proposal: A third party trusted with reliable identity registration and proofing and secure verification of authenticity of credentials or attributes which enables issuance of trusted digital identities.
• Impersonation Fraud Risk: Note that there are more ML/TF risks associated with remote customer onboarding impersonation fraud risk such as misuse and/or alteration of identity, synthetic identities (via deep fake technologies) etc.

2. Do you have any comments on Guideline 4.1 ‘Internal policies and procedures’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• GL 10: Apparently there is no policy and procedure on periodical measurement of data quality on gathered credential and attribute data of the identities. Continuous monitoring of data quality is a basic requirement to ensure accuracy and completeness of data.
• GL 10: In addition, could EBA also propose a solution to treat the FSO installed base of identities? E.g. is it or is it not required that the installed base of IDs be reassessed against the compliant new and secure onboarding solutions?
• GL 10: Could EBA add a baseline provision with regard to safe and secure accessibility of remote onboarding implementations for people with disabilities? See GL 63 and https://digital-strategy.ec.europa.eu/en/policies/web-accessibility
• GL 10: In d) the types of document that are admissible to identify the customer. In case of the use of a digital identity probably no ‘document’ is provided. Which identification proof should be provided in case of the use of a digital identity?
• GL 15: The guideline states that the pre-implementation assessment should include several aspects. For a) and e) it is unclear how this may or should be measured. Regarding completeness and accuracy mentioned in a) also the definition is lacking which makes it difficult to assess.
• GL 19: Completeness, Accuracy and, now also, Quality and Adequacy of data are mentioned. Usually completeness and accuracy are part of the definition of data quality (so not the same level). Adequacy depends on the purpose of use so might differ from (remote onboarding) use case to use case and should be seen as a construct apart from data quality. It would be helpful for assessment purposes if an overall definition of data quality in terms of completeness, accuracy and adequacy is made available. Within iDIN these quality aspects are defined in such a way that they can be measured.

3. Do you have any comments on the Guideline 4.2 ‘Acquisition of Information’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• GL 25: On c) The guideline references the GDPR with regard to data retention of images, video, sound and other data. More guidance on when which data can be stored for how long, for which purpose and by which means would be helpful. In assessing this a comparison to a f2f situation might help.
• On GL 26: phrase ‘should be available in a readable format and allow for ex-post verification’. This indicates that encryption is not allowed to secure personal identifiable information as a privacy enhanced measure (see GL 62). This needs to be clarified.
• On GL 27: (iii) is gathered using other internal or external sources. This needs to be limited to external authoritative sources and internal sources which can be traced back to authoritative sources to ensure accuracy and authenticity of data.

4. Do you have any comments on the Guideline 4.3 ‘Document Authenticity & Integrity’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• GL 34: Where financial sector operators use features to automatically read information from documents, such as Optical Character Recognition (OCR) algorithms or Machine Readable Zone (MRZ) verifications, those tools should be sufficient to ensure that information is captured in an accurate and consistent manner. Does this mean that ligatures and diacritics and special characters are also included in this guideline? These are currently not part of the MRZ in the Netherlands. Please replace in this guideline ‘in an accurate and consistent manner’ with ‘according to data quality procedures’.

5. Do you have any comments on the Guideline 4.4 ‘Authenticity Checks’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

no comment

6. Do you have any comments on the Guideline 4.5 ‘Digital Identities’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• GL 48: For reasons of transparency in the market it would help to keep a register of Digital Identity Issuers who can demonstrably comply with eIDAS substantial or higher. Please also make clear which requirements are relevant for the claim that a certain Digital Identity Issuer achieves a LOA of substantial or higher? For instance; who can state the claim? With which assurance? Based on which scope: only legal or legal and technical?
• GL 51: Please define what is actually meant by strong customer authentication in this context. In our opinion ‘where possible’ should be struck through in this guideline because strong customer authentication is a current sound practice in the financial sector and also required by at least two main legislations namely PSD2 and eIDAS.
• GL 53:
  1. Please clarify who is the party using the certificate? Consumer to identify itself or the FSO in relation to the consumer? If it is the latter, it should be obligatory for the FSO to use an electronic certificate in its online communications with the consumer. How else is the consumer to verify the FSO?
  2. Please explain what is meant by ‘trusted source’. I’m assuming a CA is meant? Is it up to the FSO to determine which CA to trust? If so, please provide guidance on baseline criteria to determine a trusted source/CA. You might refer to EUTL/AATL and/or refer to certain certificate profiles.
  3. What is meant by signed certificate? All certificates are essentially signed either by oneself or by a CA. Why is there an obligation to sign any contract with the customer with the certificate used at the moment of initial onboarding? Different certificates have different certificate profiles so not all are allowed to be used for (legally binding) signing.
  4. Also, this doesn’t seem logical since a certificate will expire at some moment in time after onboarding. This might very well be very shortly after onboarding. Please clarify.
• GL 54: 1. GL 54 is roughly the same text as GL 52 except for ‘including, as appropriate, tools to detect and prevent the use of identity frauds’. 2. Please add data quality provided by the digital identity as a risk that the customer’s identity is not the claimed identity.
• GL 55: Note that data gathering from alternative sources must be demonstrably from authoritative sources.

7. Do you have any comments on the Guideline 4.6 ‘Reliance on third parties and outsourcing’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

• GL 56: In addition, a reference to the EBA Guidelines on outsourcing arrangements can help to define clearly the modalities of outsourcing in the context of remote customer onboarding.
• GL 60: What does this specific GL mean? Does this GL mean that a digital identity created at one FSO (and which has been proven to meet eIDAS substantial or higher and therefore meets the requirements of section 4.5) can be (re)used by any other FSOs?

8. Do you have any comments on the Guideline 4.7 ‘ICT and security risk management’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

No comment

Name of the organization

iDIN B.V.