Electronic identification: the future of KYC?

Remote identification is at the heart of the digital revolution that has radically changed the landscape of the banking and financial sector. With the emergence of online banks and neobanks [1] in the 2000s, traditional banks were quick to grasp the importance of modernizing in order to retain their most digital customers and attract new ones.

Today’s neobanks make it possible to open a bank account in just a few minutes using a smartphone or computer. As a result, more and more potential customers are turning to new technologies and dematerialized banks, which offer basic services at rock-bottom prices, often free of charge. Faced with this dematerialization of identity verification, electronic identification represents a major competitive challenge for all financial institutions that allow customers to enter into a relationship remotely.

 

Electronic identification in the European Union

“A Europe fit for the digital age” is one of the European Commission’s six priorities for 2019-2024 [2]. In fact, the European Union was one of the first to adopt, in 2014, the eIDAS Regulation [3], a regulation entirely devoted to the theme of electronic identification, in order to facilitate the emergence of the digital single market.

According to Article 3(1) of the eIDAS Regulation, electronic identification is “the process of using personal identification data in electronic form uniquely representing a natural or legal person, or a natural person representing a legal person”. Thus, an electronic means of identification is “a tangible and/or intangible element containing personal identification data and used to authenticate oneself for an online service” (Article 3(2)), such as an electronic identity card or electronic signature.

The eIDAS Regulation seeks to establish an interoperability framework [4] for the different systems set up within the European Union’s Member States. Mutual recognition of electronic means of identification between Member States has thus been mandatory since September 29, 2018 (according to Article 52(2)(c) of the Regulation). As a result, several Member States have already notified electronic identification schemes [5].

The German eID scheme, based on Extended Access Control, was the first to be notified by a Member State. The German identity card and residence permit are based on this scheme, and meet the “high” assurance level set out in the eIDAS Regulation. To identify themselves, citizens insert their eID card into a card reader or place it near a compatible smartphone. They then enter their card’s PIN code into the eID application (installed on their computer or smartphone), which allows them to identify themselves to the website.

In Belgium, in addition to the electronic identity card, the Itsme application enables any citizen to create a secure digital identity and identify themselves with it. In January 2020, Luxtrust (which issues digital identity in Luxembourg) announced a partnership with Belgian company Itsme with the aim of creating a common digital identity accessible in both countries.

One country missing from the list is France, which is nonetheless beginning to prepare projects for identification schemes (notably “Mobile Connect et moi” and La Poste’s digital identity). In addition, Order no. 2020-115 and Decrees no. 2020-118 and no. 2020-119 of February 12, 2020, aimed at transposing the Fifth AML/CFT Directive, have relaxed and simplified the procedure for entering into a remote relationship, which now no longer presents a high risk of money laundering as defined under French law.

Nevertheless, one question remains: how can the eIDAS Regulation be reconciled with the rules on combating money laundering and the financing of terrorism? Although the fifth AML/CFT Directive [6] explicitly refers to the Regulation in its recital 22 or article 13, it remains very vague and leaves considerable room for manoeuvre to the Member States, leading to a risk of disparities in legislation and also in the way relationships are entered into [7].

 

Securing remote entry into a relationship

When integrated into a KYC (Know Your Customer) process, electronic identification offers a number of advantages, including compliance with AML/CFT measures, optimization of the time needed to exchange documents (for the bank and the customer), cost reduction and improved confidence in the origin of documents.

Above all, electronic identification would make it possible to mitigate the risks associated with remote identity verification. These risks include two major types of fraud well known in AML/CFT: identity theft and document fraud. Remote fraud attempts are more numerous than face-to-face ones, due to the simplicity and speed of digital technology, but also to the barrier it creates.

As an example of this insecurity, the German business weekly WirtschaftsWoche revealed security flaws in the account-opening process at the neobank N26. Its investigation showed that several people with ID cards easily recognizable as forgeries managed to open an account with N26 [8]. The German Federal Financial Supervisory Authority (BaFin) even intervened last year to get the neobank to take specific action [9]. This proves that even the most secure IT systems can show weaknesses.

Security is a key concern for all players in the banking sector, especially neobanks. Indeed, in an October 2018 study [10], the French regulator, the Autorité de Contrôle Prudentiel et de Résolution (ACPR), noted that “insofar as the relationship is entered into remotely, [banking players] must also be particularly vigilant in the fight against money laundering and the financing of terrorism. In this area, while new players are already using new technologies to secure the acquisition of new customers, they also expect to be able to rely on a high-level digital identity system in France”.

Nevertheless, electronic identification has its limits, and the e-ID card is a case in point: the e-ID card system can be subject to vulnerabilities that can be exploited by hackers, as demonstrated by a European consultancy in the case of Germany [11], or reveal security flaws, such as the one that affected 750,000 identity cards in Estonia [12] (almost half the Estonian population).

What’s more, as the ACPR-AMF Fintech Forum [13] emphasized in its September 2019 report [14], electronic identity verification systems are not accessible to financial establishments due to development costs and strong legal constraints. This means that only public authorities can create and develop substantial or high-level electronic identification systems that meet European standards. This brings us back to the original postulate of the eIDAS Regulation.

Electronic identification is still a work in progress. While the foundations are in place, the structure still needs to be completed. This is all the more true in the banking and financial sector, where identity verification through the digitization of identity documents is still the order of the day. However, there is no doubt that we will soon be able to open a bank account and identify ourselves by videoconference or with a simple electronic identity card.

References
1 Unlike an online bank, which is systematically backed by a so-called traditional bank, a neobank is an independent payment institution that generally offers exclusively mobile services.
2 About the European Commission’s priorities: https://ec.europa.eu/info/priorities_fr
3 Regulation (EU) No 910/2014 of the European Parliament and of the Council of July 23, 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
4 Interoperability refers to the ability of different systems to work together and share information.
5 An electronic identification scheme is “a system for electronic identification under which means of electronic identification are issued to natural or legal persons, or to natural persons representing legal persons” (Article 3(4) of the eIDAS Regulation). In less equivocal terms, this is the national framework within which electronic means of identification will be issued to companies. Notified electronic identification schemes are listed at https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Overview+of+pre-notified+and+notified+eID+schemes+under+eIDAS
6 Directive (EU) 2018/843 of the European Parliament and of the Council of May 30, 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing and Directives 2009/138/EC and 2013/36/EU
7 On this subject, see: MOUY Stéphane, “Identité numérique et règles LCB-FT : une délicate conciliation”, Revue Banque, 2019, n°836, pp. 50-53.
8 BERGERMANN Melanie and LITTMANN Saskia, “Einladung zur Geldwäsche” [online], WirtschaftsWoche, October 12, 2018.
9 BAFIN, N26 Bank GmbH: Anordnung zur Prävention von Geldwäsche und Terrorismusfinanzierung [online], on BaFin, May 22, 2019.
10 ACPR, Study on the business models of online banks and neobanks, No. 96, October 2018.
11 ETTLINGER Wolfgang, “My name is Johann Wolfgang Von Goethe – I can prove it” [online], SEC Consult, November 20, 2018.
12 MCNAMEE Joe, “Estonian eID cryptography mess – 750 000 cards compromised” [online], on European Digital Rights, November 15, 2017.
13 This working group, led by the ACPR’s Fintech-Innovation Unit to study the issues raised by new technologies in the financial sector, brings together representatives of financial institutions, technology providers specializing in identity verification, and the French public authorities concerned.
14 Forum Fintech ACPR-AMF, Groupe de travail sur la vérification de l’identité à distance des personnes physiques, Compte-rendu des travaux, September 20, 2019.
