Recently, remote identification has become a huge challenge, both in France and in the rest of Europe. But what are the reasons behind this? The answer may be the massive digitization of services, which has only intensified since the onset of the Covid-19 health crisis.
This context led ANSSI (the National Information Systems Security Agency) to change the standard of requirements applicable to Remote Identity Verification Service Providers (PVID) on March 1st this year.
How was the PVID baseline born?
In an identification process, whether it takes place face-to-face or remotely, the risks of fraud and, in particular, identity theft are significant. Extra risks also exist when the identification process is performed remotely. Of course, it is more complicated to check whether the user truly is the person he or she claims to be when the user is behind a screen.
In order to minimise the associated risks, it is necessary to establish reliable and strong identity verification services, and thus to meet the needs of users and sponsors while also complying with the regulations in force. This process therefore involves verifying the authenticity and validity of a user’s identity document, as well as checking that the user is legitimate.
This verification process, commonly known as KYC (Know Your Customer), derives from the AML/CFT Directive (Anti-Money Laundering/Combating the Financing of Terrorism). Supported by the European Commission, it provides a series of provisions aimed at fighting financial crime more effectively and ensuring greater transparency of financial transactions. Faced with the rise of fraud and illegal financial activities, the Directive continues to evolve and strengthen. While the 5th AML/CFT Directive came into force in May 2018, the 6th Directive was adopted in December 2020.
The AML/CFT Directive has been implemented by all the member states of the European Union, and this is how ANSSI came to develop the PVID baseline for all KYC providers in France.
What are the challenges of the PVID baseline?
The challenges of the PVID baseline are therefore to fight fraud and financial crime through remote identification, in the context of the current health crisis, which has significantly boosted the digitalisation process.
The requirements of this baseline apply to KYC service providers in France, as well as to the security of the information system that enables the service to operate. Its goal is to create a strong and secure offer of remote identity verification services. Which companies are concerned? Banks and financial institutions are in the spotlight, but the baseline also has an impact on the online gambling sector, as well as on the telecommunications sector.
ANSSI took the opportunity to extend the scope of this baseline of requirements to trust services governed by the eIDAS Regulation: providers issuing qualified certificates for electronic signatures, registered e-mail service providers and digital identity providers.
How to comply with the PVID baseline?
The PVID baseline consists of three major coordinates.
The first coordinate defines and describes what a remote verification service should consist of and also what its associated activities are:
- The identification data procurement;
- The identification data verification;
- The elaboration of an evidence file;
- The submission of the identity verification result.
The second coordinate specifies the evaluation methods and the goal of the qualification and certification of Remote Identity Verification Providers (PVID):
- The certification of remote business services;
- The compliance with European Regulation 910/2014 (eIDAS) of the trust services that use remote identity verification;
- Assessing the conformity of the electronic means of identification for the substantial and high levels of assurance, using remote identity verification.
And finally, the last coordinate specifies the requirements that the service provider has to meet:
- The risk evaluation;
- The remote identity verification policy and practice;
- The required data protection;
- The organisation and administration of the service provider;
- The quality and the required level of the service.
These requirements have a significant impact on the Remote Identity Verification Providers (PVID) and have to be met in order to receive the ANSSI certification.
What are the required steps to get certified by the ANSSI?
Last December, ANSSI published the first version of the PVID baseline as a request for public comment, before publishing the official version of the baseline requirements and the corresponding decree on the 1st of March, 2021.
At the end of March, ANSSI also communicated on the PVID certification process, as well as on the certification application forms. Providers can therefore send their certification sheet by early April. The certification process is modelled on the one applicable to qualified trust service providers under the eIDAS Regulation.
The only notable innovation is the use of new evaluators for facial recognition and for false document detection. For the latter, ANSSI is planning to rely on the expertise of the Ministry of Internal Affairs, namely the Documentary Fraud Office of the DCPAF (Central Directorate of the Border Police) and the Documentary Fraud Department of the IRCGN (Forensic Science Department of the French National Gendarmerie).
So, what is the role of ARIADNEXT in all this?
Being aware of the probable future regulatory changes, we have long anticipated the arrival of the PVID baseline in order to better support all our customers and partners.
We have improved some of our product features in order to combine regulatory compliance with customer experience in our KYC processes. Our identity verification process now consists of a dynamic document capture service, an electronic document chip reading service and also a hybrid document verification and facial recognition service.
These improvements aim to prepare us for the next ANSSI certification, so that our customers and partners can comply more easily with the measure requiring the transposition of the 5th Directive, which asks companies to have a technical solutions provider for the identity check.
As France is one of the first countries to develop a guide on this matter, all the European states will soon follow this baseline. The aim is to provide standards of similar requirements for all European identity verification providers.