The fight against fraud, money laundering and terrorist financing remains a long-standing European commitment. For the past 30 years, the AML-CFT European Directives have followed one another to provide an accurate regulatory framework to fraud-prone companies, all the while reinforcing the identification procedures for online customers. Knowing the European “Digital Identity wallet” is fast approaching, and in the context of constant digitization, let’s take a good look at the current European regulatory landscape and draw up an overview of existing solutions to meet KYC requirements, while waiting for a hoped-for European harmonization.
EU: a confused / fragmented regulatory context
In 2020, the 5th AML-CFT Directive considered market evolutions and new digital uses. It required all concerned businesses (banks, fintech, telecommunications, online gambling) to reinforce identity verification during their remote KYC process by specifying the measures to be implemented in this context, thus responding to increasingly digital uses.
However, because it’s a European Directive, each Member State interpreted this Directive and transposed it into national law. This led to a heterogeneity of transpositions and inevitably to a disparity in national regulators’ requirements. “Many reports have shown the discrepancies in the application of the Regulations between the different EU member states.” The different identification solutions available on the market, depending on the country and the regulator, reflect the divergent requirements. For example, BAFIN (Germany) and SEPBLAC (Spain) recommend hybrid verification while other countries have made the qualified electronic signature process mandatory. These interpretations have led to 4 families of solutions:
- The Qualified Electronic Signature
- 100% automatic verification solutions
- Hybrid verification solutions (automatic + video identity or manual verification)
- eIDAS digital identity solutions
To further complicate matters concerning verification solutions, no standardization framework defines the minimum requirements for an identification solution.
This is where a midway observation is necessary: the European remote ID verification landscape is fragmented, to say the least. Each actor is in an inconvenient position: national regulators have little guidance from Europe, suppliers are free to sell solutions without any real framework, and regulated companies must choose, without any help or recommendation, the best solution among non-standardized offers, which are not always available.
A complex regulatory landscape, lack of certifications: a fertile ground for both risks and non-compliance exposure
Harmonization is on its way, France being a precursor
European harmonization is pressing: digitization is deeply changing societal practices and its inherent risks, such as fraud and identity theft, are growing at the same rate. In this context, and hoping to be ahead of the curve, France (ANSSI) published its PVID standard (remote identity verification service provider) in March 2021, in response to the French Treasury Directive. This standard details the minimum technical and organizational requirements for an identification solution required in the context of AML-CFT (measure n°5). This reference framework aims at granting verification solution providers a PVID certification and allows regulated companies to know which solution to use. However, this initiative is only valid in France.
What is the situation at the EU level? Europe wishes to standardize and simplify the definition of remote ID verification. So, the European Telecommunications Standards Institute (ETSI) launched a working group to standardize the definition and assessment of remote identity verification services and published the ETSI 119 461 standard in July 2021. This document defines remote identity verification and sets out minimum requirements in order to obtain a homogeneous level of service on EU territory. There’s only one drawback to this day: no regulatory text refers to this 119 461 standard…
At this point, lines are starting to move. Some countries, such as France, are taking the lead and laying the foundations of a reassuring and secure regulatory framework, which is eagerly awaited by solution providers, regulated companies and regulators. But the road to European harmonization is still long and disparities are still numerous.
What’s planned for tomorrow
By 2025, the AML-CFT Directive should be replaced by the European Anti Money Laundering Regulation (AML-R). Unlike a Directive, a Regulation implies Europe-wide application, without going through national transposition processes (like GDPR). All Member States will have to follow the requirements without any distinction, so national disparities and their resulting difficulties will disappear. In addition, the European Commission announces the “creation of a new EU Authority which will transform AML/CFT supervision in the EU”. AMLA, for Anti Money Laundering Authority, will be responsible for coordinating national regulatory agencies and will enable a unified fight against fraud as well as compliance convergence to standards and requirements, ensuring that companies apply EU rules correctly and consistently.
Goal #1: A single Regulation for all MS, a unique, harmonized and organized coordination under a European level framework.
At the same time, Europe will publish the eIDAS 2.0 Regulation in 2022 which “aims to establish a mechanism for mutual recognition of Member States’ means of electronic identification for all online services”. This means that eIDAS 2.0 will provide a harmonized framework and definitions for digital identity schemes. The EU Wallet will be defined, certainly based on the EU ETSI 119 461 standard for remote identification. Thus, tomorrow, Europe will propose a single standardized framework for all Member States on the remote identification part.
On the ARIADNEXT side, we will offer an electronic identity of substantial level recognized by eIDAS, defined under ETSI Standard and cited in the AML Regulation.
Goal #2: Standardised and proven remote identification solutions
In the meantime, what can be done?
To comply with AML/CFT requirements and while waiting for a unique, certified and substantial identification scheme, several solutions are available such as micro-payment, a certified solution such as the future PVID or the qualified electronic signature. But among these solutions, some can be difficult to integrate, some can be binding on the onboarding process, some can’t address all audiences, or simply aren’t available yet, like the PVID solution.
Right now, one solution is already available and widely required by European Regulators, including France’s: the qualified electronic signature. It offers a 100% digital journey with identity verification based on face-to-face or equivalent, and ARIADNEXT/IDNOW proposes it to its clients. Certified by an approved body, the AutoIdent+QES solution fully meets the ACPR requirements answering the vigilance measure no.6, namely, an electronic signature of qualified level. Easy to integrate, it enables regulated companies to provide their services in full compliance, to all types of public (even non-banked) and delivers a complete, fluid and fast user experience, with an onboarding process of less than 10 minutes during which the user proves his identity. It is also worth mentioning that this solution is aligned with ETSI 119 461 standards and will therefore remain an accepted means of electronic identification in the future AML-R.