ID images and selfie ID verification solutions are not KYC/AML compliant
For some time now, online identification solutions that identify a customer by capturing images of their identity document and a selfie no longer comply with the regulations on money laundering and terrorist financing (AML, Anti-Money Laundering), especially in the financial sector.
In this article we explain why this type of selfie-plus-ID-image solution for user verification does not meet the KYC procedures and AML regulations that govern customer onboarding and authentication.
The 3 security levels for registration and identity proofing in KYC
To understand why ID selfie verification and selfie authentication are not accepted as secure solutions for high-risk operations, we must understand the three security levels for registration and identity proofing.
In response to the many cases of fraud seen in KYC/AML processes, the US Department of Commerce, through the National Institute of Standards and Technology (NIST), published a baseline for digital identity verification (NIST SP 800-63A) that defines three Identity Assurance Levels for enrollment and identity proofing, classified as low (IAL1), medium (IAL2) and high (IAL3).
The high level (IAL3) is equivalent to face-to-face identification. It can be achieved remotely only through supervised remote identity proofing, which requires a trained operator and a continuous, high-resolution video session with the applicant, together with biometric collection. A static selfie therefore does not satisfy IAL3.
Solutions that capture ID images and/or selfies fall at most into the medium level (IAL2), and only when the document image and the facial capture are combined with additional, validated evidence of the person's identity. In practice this additional evidence is usually utility bills, address records or checks of the person's identity information against other sources.
This second level is insecure, inefficient and unreliable. In the European Union these supplementary methods are, for privacy and data-protection reasons, not permitted at any risk level. Moreover, processing such personal data, even when it is publicly available, requires the express consent of the person concerned, which is a further problem for the obliged entity.
Finally, the lowest level (IAL1) requires no evidence collection, validation, verification or biometric capture. At IAL1 there is no requirement to link the applicant to a specific real-life identity, and self-asserted attributes are neither validated nor verified. In other words, IAL1 does not require the credential service provider to verify any claim or attribute the user provides, so it is suitable only for the lowest-risk operations.
2 reasons why ID images and selfies are not compliant with identity verification and KYC standards
On the one hand, the low technical security of these solutions, the weakness of the electronic evidence produced during the KYC (Know Your Customer) process, the poor reliability of selfie verification and the lack of integrity guarantees over the captured material mean that they do not meet the requirements imposed by legislation and the applicable regulations.
On the other hand, the level of assurance that selfie-based identification and ID verification provide is insufficient, falling far short of what the most demanding regulations require for formal customer identification. KYC/AML processes therefore call for stronger technical controls than selfie-based solutions can offer.
AML & eIDAS exclude KYC selfie identification as a solution for strong identity verification
As stated above, no non-face-to-face identification procedure in Europe permits selfie-based identification for KYC, particularly in industries closely regulated by the AML directives and the eIDAS Regulation.
The Fifth Anti-Money Laundering Directive (AMLD5) and the eIDAS Regulation on electronic identification and trust services establish the regulatory framework for KYC/AML processes in Europe. The former relies on the eIDAS security framework for remote customer identification.
Together they form a single regulatory framework that rules out selfies and allows video identification solutions for fully online, secure contracting of services and account opening, thereby harmonising the European Digital Single Market.
Even before AMLD5 and eIDAS came into force, however, the regulators of many EU member states had already authorised non-face-to-face identification based on video-streaming technology.
eIDAS also defines three assurance levels for electronic identification (low, substantial and high), comparable to the levels defined by NIST, and separately grades electronic signatures as simple, advanced or qualified.
In this regard, the European Commission has worked for more than twelve years on qualifying solutions that comply with eIDAS and reach the required assurance levels for electronic identification and eSignature.
To do so it relies on national supervisory bodies and accredited Conformity Assessment Bodies (CABs). A CAB audits the provider and issues a Conformity Assessment Report (CAR) attesting that a video identification solution meets the requirements. In practice, when adopting a KYC/AML solution you should request the CAR from the software provider to confirm that the solution has been audited and certified and is eIDAS/AML compliant.
In addition, some countries have developed further guidelines. Germany, for example, published Technical Guideline TR-03147 through the BSI (Federal Office for Information Security), which sets out requirements for assessing the assurance level of identity verification procedures for natural persons, including remote verification based on video and identity documents.
How to avoid selfie verification for KYC and implement a secure video identification solution
Video streaming is becoming the standard for online customer identification because of its security, its user experience and the automation it allows. Two types of solution exist:
- Synchronous solutions: identification takes place in a video conference led by an agent, who conducts the online interview with the client, verifies their identity and checks their documentation.
- Asynchronous solutions: the whole identification process is captured in a streamed video recording, with no live agent for either the user or the company; the obliged entity guarantees the custody and integrity of the recording, and a qualified agent verifies it afterwards offline.
Both can be combined depending on the use case. Video conferencing (synchronous) is usually used in consultative sales where a new customer is acquired, while asynchronous video identification is more common in acquisition processes that need agility and a fast, fluid experience while remaining as secure as face-to-face identification (e.g. opening a bank account online). An example of a secure and straightforward solution is VideoID.
VideoID also allows a Qualified Electronic Certificate to be issued, so that the user and the company can carry out all high-risk processes online, from signing a mortgage to opening a bank account, with the same legal effect as a handwritten signature.